Smashing Security podcast #325: Rick Astley and the little birdie scam

Industry veterans, chatting about cybersecurity and online privacy.

Australia’s signal intelligence agency calls upon an Eighties popstar to fight terrorism, and a simple act of kindness leads to a woman being scammed for thousands.

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Plus don’t miss our featured interview with Max Power of Bitwarden.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Presumably the Taliban don't show up at the airport with a little piece of paper saying "Taliban Taxi Service." Presumably they— I don't know. I don't know. I haven't been there.
CAROLE THERIAULT
I think they do get picked up.
GRAHAM CLULEY
Yes, but I'm expecting they're not waiting behind the gate with a sign, are they, saying this is who we are?
CAROLE THERIAULT
With their 15 guns. Yeah, no.
GRAHAM CLULEY
If anyone listening is a member of the Taliban Taxi Service—
CAROLE THERIAULT
Don't get in touch.
Unknown
Smashing Security, Episode 325. Rick Astley and the Little Birdie Scam with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 325.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Carole, how are you doing this week?
CAROLE THERIAULT
Well, I'm a little freaked out at the moment.
GRAHAM CLULEY
What's wrong? What's wrong?
CAROLE THERIAULT
Well, you probably, I don't know if you've read, but there's a lot of wildfires in Canada, in Quebec, right? This is where I went to school. Yada, yada, yada, 160 wildfires.
GRAHAM CLULEY
In Quebec?
CAROLE THERIAULT
Yeah. So my family who were in Ottawa, which is 100 miles from there, 120 miles, they're noticing total air quality issues.

And Canada's seeking international aid because the fires are raging.
GRAHAM CLULEY
I thought Quebec was just covered in snow permanently, but it's actually alight.
CAROLE THERIAULT
No, it's covered in trees and there's not been a lot of water, I guess. But other than that, I'm great. It's just the poor trees, man. Should we get this show on the road? Cheer me up?
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
First, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Centripetal. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be explaining how Rick Astley has been fighting Islamic State.
CAROLE THERIAULT
Okay, and I'm going to talk about how a lady and a bird walk right into a trap. Plus, we have a featured interview with Max Power.

Yes, that's his real name, of Bitwarden, who introduces us to Bitwarden's Secrets Manager. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, Chum Chum, I think I've explained before how I have a bit of a penchant for little old ladies. I think it's come up from time to time.
CAROLE THERIAULT
What, you bend over for them because they're very short? Is that what you're trying to say?
GRAHAM CLULEY
Well, no, no, no, that's not what— No, I just have a fondness. I have a fondness for the elderly lady. I love to hear their stories. I love to hang out with them.

I enjoy their company.
CAROLE THERIAULT
You used to want to sleep with Diana Rigg, so.
GRAHAM CLULEY
Well, yeah, you know, not sleep with her so much, Carole.
CAROLE THERIAULT
Just be cuddled.
GRAHAM CLULEY
I just admired her. Through the ages with the help of a time machine, perhaps.

But I was reminded of my love for the older lady when I was watching a documentary, a documentary which has come out in Australia called Breaking the Code: Cyber Secrets Revealed.
CAROLE THERIAULT
And you were like, I need to see this.
GRAHAM CLULEY
I need to see this, I thought. I'm interested in this because it's all about Australia's Signals Directorate. Also known as the ASD.
CAROLE THERIAULT
What do they do?
GRAHAM CLULEY
Well, they are a bit like the codebreakers. Well, their origins are like the codebreakers at Bletchley Park. So Bletchley Park in the UK.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
As we all know, were cracking the Nazi Enigma machine during World War II.

At the same time, the ASD in Australia in some sort of hot garage, the Garage Girls, as they were called, were working round the clock to crack Japanese messages during World War II.

And there are these old biddies, lovely ladies, who are telling tales of what they got up to, and it is covered in this programme.

The ASD, rather like Bletchley Park, eventually became GCHQ.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Working on signals intelligence for the UK.
MAX POWER
Mm-hmm.
GRAHAM CLULEY
The ASD from those origins has become an equivalent to that.

So, in the decades since, obviously, the ASD has been working a lot on military situations, and since September 11th, of course, it's been very much focused on the fight against terror.

That's been an additional thing for them to worry about, and they've been looking to invent ways to disrupt terrorist activity. And that's what the documentary is all about.

It's all about the ASD and what it gets up to.

Now, it doesn't really cover anything super dodgy the ASD might be doing against Australian citizens, or what, you know, it is in some ways.
CAROLE THERIAULT
I'm sure they wouldn't do that.
GRAHAM CLULEY
Well, you know, GCHQ, I'm sure they probably would. I'm sure these intelligence agencies are used to spy covertly on their own population.
CAROLE THERIAULT
Beta testing, Graham. Beta testing.
GRAHAM CLULEY
Well, maybe. Maybe that is. But that's not what this programme is about.

This programme is all about sorting out Johnny Foreigner and keeping an eye on them and any terrorists and any baddies. And anyone who might cause Australia any trouble.
CAROLE THERIAULT
Right, okay. So they're just a national service.
GRAHAM CLULEY
Exactly, exactly. It does look at ways in which the ASD has tried to trick would-be Taliban fighters away from the battlefield.

So they go through a number of cases which the ASD has worked on over the years, which haven't previously been made public. I found this really interesting, this talk.

It's a 1-hour-long documentary, and I thought I'd just tell you a couple of the stories which happened during this documentary.
CAROLE THERIAULT
Okay, I want to hear, but I'm just wondering right now why they are sharing it with the world. But anyway, crack on. Let's hear what they say.
GRAHAM CLULEY
Well, it's propaganda, isn't it? It's a PR stunt.
CAROLE THERIAULT
To say what? For whom?
GRAHAM CLULEY
For Australia saying, "We're serious." To say, "Isn't this a wonderful department? And isn't it great how they're fighting terror?

And shouldn't they be able to listen into our end-to-end encrypted messages and telephone calls and everything." That's what it's actually about. Come on, let's not beat around the bush.

It's to present them as really, really good guys who can be trusted.
MAX POWER
Right.
GRAHAM CLULEY
So we're not going to get into that because we've had that discussion many, many times, but I thought it was interesting. Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Well, you know, we can do non-fun stuff, but that's true. I thought it'd be interesting to see what they've done in these particular situations.

So they talk about Operation Lost Jackal. Now, when I heard about Operation Lost Jackal, I thought, oh, someone's lost his dingo, right?

It's that they've lost their dog in the Australian Outback. I think it's quite clever.
CAROLE THERIAULT
It's Operation Kangaroo. You must be Australia.
GRAHAM CLULEY
Lost moggy, lost cat. Well, who knows what it could be?

But on this particular occasion, what it is is that the ASD, Intelligence Services in Australia, found out that a 24-year-old man, who they call Ali for the purposes of the documentary, had been radicalised online and was travelling to Afghanistan to join the Taliban.
CAROLE THERIAULT
Terrible. Yeah.
GRAHAM CLULEY
And the problem was they only discovered about this chap once he was already in the air on the plane going to Afghanistan.
CAROLE THERIAULT
I've read a lot about some of these cases. It's just terrifying.
MAX POWER
Right.
CAROLE THERIAULT
Yeah. Okay. So they find out about it and they're, oh shit. If only we were spying on our people, we would have known.
GRAHAM CLULEY
Well, maybe, maybe. And maybe it was his family or someone else who reported or realised, oh, hang on, he's not going to Barbados or Mallorca or wherever on holiday.

He's going to Afghanistan. We don't know how they found out, but they found out.

And they knew he was going over there and they were worried that he was going over there to get trained up and then he might be sent back to Australia on a terrorist mission or he may even be killed by the Taliban.

Who knows what's going to happen to him? And so they don't want that to happen.

And so the ASD operatives, these sort of codebreakers and hackers who work for the Australian services, are trying to find a way to get his mission disrupted so that he won't encounter the Taliban.

Presumably, the Taliban don't show up at the airport at Kabul with a little piece of paper saying, "We are the Taliban, Taliban Taxi Service." Presumably, I don't know.

I haven't been there.
CAROLE THERIAULT
I think you do get picked up. From the stories I've heard, you do get picked up at the airport. And it's a harrowing mission to get you into the place where you're going to be.
GRAHAM CLULEY
Yes, but I'm expecting they're not waiting behind the gate with a sign, are they, saying, "This is who we are. We're going to pick you up." Yeah, with their 15 guns.
CAROLE THERIAULT
Yeah, no.
GRAHAM CLULEY
If anyone listening is a member of the Taliban taxi service—
CAROLE THERIAULT
Don't get in touch. Crack on, Graham.
GRAHAM CLULEY
All right. So he's already in the air and the ASD are thinking, "What are we going to do?" And they had access to various cultural and language experts.

And they decided, what we're gonna do is we know his email address because he's in contact with family members. So we're going to write an email to Ali.

And we're not gonna send it from asd.gov.au or whatever their address is. So they created an email address which appeared Taliban-ish.

I don't know if they have their own version of Yahoo or whatever.
CAROLE THERIAULT
I'm just trying to think what would be UK-ish or Canadian-ish?
GRAHAM CLULEY
Some sort of—
CAROLE THERIAULT
They'd have ASCII art of the poutine?
GRAHAM CLULEY
Oh yes, for Canada, yes, possibly. Or you could have a corgi or something for Britain, couldn't you?
CAROLE THERIAULT
Yes, or a crest with a corgi, yeah.
GRAHAM CLULEY
Yes, Her Majesty's internet.
CAROLE THERIAULT
Yeah, okay, interesting.
GRAHAM CLULEY
So they write an email in broken English claiming to be from his Taliban operator and saying to him, "Watch out, matey boy." That's not actually what they say, but it's along those lines.

If you watch the documentary, you'll get the actual words.
CAROLE THERIAULT
You're paraphrasing.
GRAHAM CLULEY
I'm paraphrasing, exactly. They say, "Watch out, buddy, because your phone number and email address have already been compromised.

You need to ditch your phone number and you need to ditch your email address and reply to us telling us what your new phone number and email address are.

Because otherwise, intelligence services may work out who you are and what you're up to." That's quite a clever ruse.
CAROLE THERIAULT
I think it's an interesting approach. Okay, so what happens?
GRAHAM CLULEY
What's he do? Well, it took a couple of months. At first he didn't reply, and so they had to keep on sending him more messages.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Couple months? Yeah, apparently. So what do you say?
CAROLE THERIAULT
What's the next message you say? Like, "Okay, so you haven't ditched your phone."
GRAHAM CLULEY
"It's really important." Well, because they could see he was still communicating with people via his email address because he was sending messages back home, "Hey, having a lovely time in Mallorca," or whatever it was.

But they knew he wasn't there.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So he was speaking to his family members. They knew he's still there. He hasn't changed his phone number, posting up on Instagram or whatever it is. I think we've got to stop this.

And so they kept on sending messages, and they said that they made the language simpler and simpler and more direct, saying, look, you aren't obeying us. This is really important.

The Taliban bosses are getting really upset with you.
CAROLE THERIAULT
But presumably he's in with them by then.
GRAHAM CLULEY
Well, this is the thing. He's coming over there with a vague contact, but he wants to impress the leaders so that he can get a good job. He wants to prove his worth.

And so the ASD, the Australian officers are sending him messages saying, we're getting really angry with you because we've told you what to do and you haven't done it yet.

And eventually he does respond with a new phone number, with a new email address, and they basically put the fear of God into him.

And they said, you've done it, good, but our senior officials are so angry that you haven't been serious enough. You should return to Australia right now.

"Get on the next plane out of here, because if you don't, if we see you around the place, you're endangering our mission." Because obviously they're on a very important jihad.

And so that's what he did — he got on the plane back.
CAROLE THERIAULT
Interesting. Okay, so they just scared the shit out of him so that he flew home.
GRAHAM CLULEY
That's right. And who knows what the Australian authorities did when he landed back at Brisbane or Perth or wherever it was that he went back to.

So that's one of the operations — that was Operation Lost Jackal. And obviously since then, the situation's got even worse.

It's not just the Taliban and things, but there's also Islamic State, or ISIL, who have posed a new challenge to intelligence agencies around the world.

ISIL have embraced technology and social media — they're recruiting, they're raising funds, they're spreading the ideology.

And there was this military operation, Operation Valley Wolf, which was trying to liberate the city of Mosul from ISIL control.
CAROLE THERIAULT
Valley wolf.
GRAHAM CLULEY
Valley wolf.
CAROLE THERIAULT
I have to look that up and see if that's actually—
GRAHAM CLULEY
An actual type of animal?
CAROLE THERIAULT
Yeah, yeah, it is. It is.
GRAHAM CLULEY
Right, there you go. It must be so much fun to be in the department which comes up with the names of stuff.
CAROLE THERIAULT
They're 5 to 7 feet tall. So big wolves. What?
GRAHAM CLULEY
7 feet tall? Well, I don't know. Are they standing on their back legs?
CAROLE THERIAULT
Tall at the shoulders. And yeah.
GRAHAM CLULEY
They are 7 feet tall at the shoulders.
CAROLE THERIAULT
Hold the phone. I'm just reading the internet, which is full of crap, right? So give me a second. I know nothing about this, ladies and gentlemen.
GRAHAM CLULEY
Are you on Wolfopedia at the moment?
CAROLE THERIAULT
The Mackenzie Valley wolf has a specialized body that has made it one of the world's most efficient hunters.

It measures 32 to 40 inches tall at the shoulders and has a length of 1.5 to 2.1 meters, 5 to 7 feet long. Okay, still freaking big.
GRAHAM CLULEY
Well, yeah, it's big.
CAROLE THERIAULT
That's as big as my husband. I'm just saying it's big.
GRAHAM CLULEY
And probably not quite as hairy, I would expect. So, the ASD, the cyber operatives, let's face it, they're basically hackers, right?

They're hackers who are working for the government. And they are supporting the military operation on the ground in Iraq, and they're supporting Operation Valley Wolf.

And they're sometimes camping overnight in their basement office so that they can be available whenever required to help the military operation.

And they're working with the NSA in the United States. They're launching cyberattacks at the same time as military maneuvers.

And what they found was that ISIL fighters were using apps that were privacy-conscious. They were hiding their location.

So they weren't, you know, they weren't just using a cell phone. Like WhatsApp?
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Well, they were using something called Surespot, Wickr.
CAROLE THERIAULT
Right, I've heard of that.
GRAHAM CLULEY
Which I know is very popular with drug dealers. I was about to say, I know it's very popular with drug dealers. Interesting to see. I've heard of it.
CAROLE THERIAULT
Not 'cause I'm a drug lord, Graham.
MAX POWER
Jesus.
GRAHAM CLULEY
And Telegram, amongst others. So, and they're thinking, "Oh, crumbs, you know, all these bloody ISIL soldiers are using all these different apps.

How are we going to crack all of them?" And they're all encrypted.
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
Yeah, and they thought, "Well, hang on, hang on. We don't have to crack all of these apps.

We don't have to find vulnerabilities in all of these." What we can do instead is target the way that any app works on a smartphone. And all of these apps require internet access.

So all we have to do— I say all we have to do, but all we have to do as an ASD hacker, someone working for the Australian authorities, is devise a way to disable the smartphone and prevent it from accessing the internet.
CAROLE THERIAULT
And so you just ban it from an area. You could just say anything that's in the Taliban regions of power, block, for example.
GRAHAM CLULEY
Oh, what, turn off the internet somehow?
CAROLE THERIAULT
Oh, I suppose. So they can only do it within their jurisdiction, turning off the internet. So that's what they think they're going to do.

They're going to turn off the internet somehow or stop this phone from contacting. Is that the plan?
GRAHAM CLULEY
We could do that, but then you'd also have data signals as well.

And clearly losing all cell coverage in a city when you're trying to take it over yourself could also compromise your own ability to communicate.
CAROLE THERIAULT
100%.
GRAHAM CLULEY
If you're the coalition forces. So what they did was, it sounds like they came up with some rather crafty zero-click exploits.

So a zero-click exploit is something which you can send to a smartphone—
CAROLE THERIAULT
It's the worst.
GRAHAM CLULEY
Yeah, exactly. It's really bad. So it doesn't rely upon the Taliban fighter clicking on a link or opening an attachment or doing anything like that.

It instantly activates on their phone. And they came up with a number of attacks. There was, for instance, an attack they wrote called Care Bear.

And Care Bear apparently required some fairly advanced IT sophistication to reverse. It wasn't just a case of turning off and turning on the phone again.
CAROLE THERIAULT
That normally doesn't get rid of malware, just as an FYI.
GRAHAM CLULEY
But anyway. No, no, it doesn't. But to be honest, most problems are fixed by turning off something and turning it on again, right?

So Care Bear was a bit more complicated than that on your smartphone, which meant that you'd have to come out of your bunker as an ISIL warrior and go to ISIL tech support for help, right?

To get them to do something with the phone, which, you know, was going to be beyond—
CAROLE THERIAULT
And you wouldn't even necessarily know it was there. I mean, it was, you know—
GRAHAM CLULEY
Well, your phone was no longer working. That was the thing. So it was quite obvious that your phone could no longer access Wickr and Telegram and all these other things.

Your phone is basically just a useless brick.
CAROLE THERIAULT
It becomes a brick. You bring it to the IT guy and he's like, oh, fuck, this is— yeah, this is not— yeah.
GRAHAM CLULEY
And there was another one called Darkwall, which apparently couldn't be easily fixed.

It was a really destructive payload, which kind of permanently prevented your phone from working, even if you did go to tech support.

So if that was coordinated with an attack being launched at you by coalition forces as an ISIL fighter—
CAROLE THERIAULT
You're talking about this very knowledgeably. I'm feeling really out of my depth here talking about ISIL and— Well, you know, I'm quite an expert.
GRAHAM CLULEY
And there was also, and that's the one I really want to talk to you about, there was an attack called Light Bolt. And what Light Bolt did was it had a fascinating payload.

With no user interaction on your smartphone at all, no clicking whatsoever, it would launch a Rickroll payload on the smartphone sent to them by ASD hackers in Canberra.

So, the Australians were making ISIL fighters' phones play "Never Gonna Give You Up" by Rick Astley.
CAROLE THERIAULT
So, to mindfuck with them. So, this would play aloud, embarrassing them.
GRAHAM CLULEY
Is that what the plan was? What's the plan? Well, if it was playing, then they couldn't do anything else with their phone.
CAROLE THERIAULT
Well, you can text while it's playing.
GRAHAM CLULEY
Okay, then in which case we'd launch Operation Care Bear or Darkwall or the other attacks. But one of them was this Light Bolt, which got it to play a Rick Astley song instead.

Anyway, it was a really interesting programme, a good documentary.
CAROLE THERIAULT
And should have been your pick of the week, but you didn't want to get told off.
GRAHAM CLULEY
Well, wait until you hear what a great pick of the week I've got, I'll put in a link in the show notes. Now, this was an Australian documentary shown on the ABC.

It is geofenced, but I'm sure most of our listeners will know how to get round that.
CAROLE THERIAULT
No, because it's illegal and don't listen to them.
GRAHAM CLULEY
Is it illegal? Is it illegal? Yes. To use a VPN?
CAROLE THERIAULT
Is it? No, it's not legal to use a VPN. It's illegal to access things that are not, you should not access. Mr. Cluley.
GRAHAM CLULEY
Okay, well then make sure nobody clicks on the link in the show notes when they've set up their VPN to be in Australia, and wait for the documentary to come out in your territory instead.

Carole, what's your story this week?
CAROLE THERIAULT
My story, Graham, we're kicking off my story with a salute to the kinder humans out there.
GRAHAM CLULEY
Lovely.
CAROLE THERIAULT
I even have written up a completely unscientific questionnaire so that we can gauge our own level of kindness.
GRAHAM CLULEY
Oh, okay. All right.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And listeners, why don't you guys play from wherever you are? So a person is walking in front of you, right, on the sidewalk or wherever, and they drop a sweater.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
What do you do?
GRAHAM CLULEY
What do I do, or what would you do?
CAROLE THERIAULT
Yeah, what do you do?
GRAHAM CLULEY
Well, I think I'd say, "Hey, you dropped a sweater." Right? Pick it up, maybe. Maybe gently jog after them.
CAROLE THERIAULT
Would you jog?
GRAHAM CLULEY
Well—
MAX POWER
Would you?
GRAHAM CLULEY
Maybe. Well, how far ahead are they?
CAROLE THERIAULT
Would you actually bend over and pick up someone else's sweater?
GRAHAM CLULEY
Well, maybe with my foot. You know, maybe I could sort of kick it up to hand level, so I wouldn't have to bend over. Kick it up? I don't know. You know, something.

Or maybe if you're there with me, I could ask you, "Carole, could you pick that up so I can present it—" Who's the person who's dropped it? Is it Diana Rigg?

Who's dropped her sweater?
CAROLE THERIAULT
No, no, it's not Diana Rigg. It's—
GRAHAM CLULEY
Better beep that out. Okay, no one's gonna touch the sweater in that case. If it belongs to them, no one wants to go near it. Who knows what you could catch?
CAROLE THERIAULT
Okay, okay, you see an old man, okay? You see an old man walking through a car park, looking lost. Oh. But he hasn't seen you.
GRAHAM CLULEY
Right. What do you do? Ah, so maybe I shouldn't shout out, "Oi, mister!" Right? Because it could give him a heart attack or something. He hasn't seen me.
CAROLE THERIAULT
You have things to do. You're a busy man, aren't you?
GRAHAM CLULEY
I'm a busy man. If he's looking lost, maybe he's enjoying, you know, just having a look around all the cars. I don't know.

I mean, am I really going to be able to help him if he's looking for his car? I'm not sure. I wouldn't know one car from another. I think he's got it under control.
CAROLE THERIAULT
Exactly, exactly. You just— you duck your head down, wouldn't you?
GRAHAM CLULEY
I'll duck my head down. Yeah, I'll do that. Yeah, yeah, yeah, you would.
CAROLE THERIAULT
Totally. Okay, and finally, you go crazy one day and you buy 6 donuts from your local cafe. Okay, they're still warm.

Okay, you only need 2, you only want 2, but you couldn't help yourself because it's such a good deal. Good deal. Yeah.

You see a homeless person on your way home sitting in front of the co-op asking for change. You have none.
GRAHAM CLULEY
What do you do? The thing is, he might be diabetic. That's the thing. Do I really want to push a donut onto him?
CAROLE THERIAULT
You know, that's a really good answer because I have done that exact thing. And the guy was like, oh man, I wish I could, but my tooth. So the poor fucker had a toothache as well.

Oh, oh dear. Okay, last one, last one. You're at work. You have a very big palatial window in front of your desk, and you spot an injured bird outside. What do you do?

What floor am I on? I don't know. Irrelevant.
GRAHAM CLULEY
Oh, okay. So it's not that I'm going out onto a ledge or anything?
CAROLE THERIAULT
No, no, no. Sorry. No, no.
GRAHAM CLULEY
Ground level then. Ground level. Okay, okay, okay. So it's a little injured—
CAROLE THERIAULT
I didn't think about that.
GRAHAM CLULEY
Little injured bird out there. Yeah. I'm not sure what I can do. Maybe I could gently pick it up, I could cradle it in my hands and feed it back to healthiness with a little—
CAROLE THERIAULT
You would not dare. Giving it bird food. You wouldn't, you wouldn't, would you?
GRAHAM CLULEY
I love animals, I love them.
CAROLE THERIAULT
You'd go pick up a bird?
GRAHAM CLULEY
Yeah, why not? What kind of, is it like an emu? What kind of bird is it?
CAROLE THERIAULT
Yeah, I didn't mention that, it's an ostrich.
MAX POWER
It's an ostrich.
GRAHAM CLULEY
Oh no, I don't want an ostrich, no. No, no.
CAROLE THERIAULT
Okay, well, look, I think you wouldn't, right? Because I don't think you're as kind as Mumbai's very own Dhwani Mehta.

And you're saying, wow, Carole, you said that strangely, her name. But I have it from Yogi. I got Yogi to tell me how to pronounce it.
GRAHAM CLULEY
Our friend Yogi? Yeah, okay.
CAROLE THERIAULT
Yeah, do you want to hear it? Do you want to hear Yogi's, uh—
GRAHAM CLULEY
Oh yeah, yeah, let's have Yogi on the podcast.
CAROLE THERIAULT
Dhwani Mehta. Thanks, Yogi.
GRAHAM CLULEY
Thanks, Yogi. Dhwani Mehta.
CAROLE THERIAULT
So Dhwani Mehta works as a manager at Famous Studios. This is a studio that provides video and dubbing services, that sort of thing.

There she was last week, Dhwani's working away and she looks up and she spots an injured bird.

But she doesn't know much about birds, she's not a birder, she doesn't have vet skills or anything like that. But she can tell that the animal's in distress and she wants to help.

But how? Well, she's not an idiot, she's not going to hug it to her breast and feed it with pipettes or whatever. She hits the web to find details of the local bird rescue org.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And with a few tippy taps, she lands on the bird rescue organization with a toll-free number. She calls and explains the situation.

And the responder wastes no time and asks her to send a form. So they ask her if they can send her a form so that she can register the request by email.

So basically saying bird injured, this is the location, this is what I saw, all that stuff. And she needs to pay a nominal fee of 1 rupee, which is just shy of a cent.
GRAHAM CLULEY
Or a pence. Yeah.
CAROLE THERIAULT
And then she waits.
GRAHAM CLULEY
And what are they going to do? Are they going to send round an emergency van or something to pick up the bird?
CAROLE THERIAULT
Yeah, come pick up the bird, bring it to a shelter, nurture it back to health, do whatever they can.
GRAHAM CLULEY
Wonderful.
CAROLE THERIAULT
That's the whole plan, right? So she's waiting there. It's the RSPCA that exists in our country as well.
GRAHAM CLULEY
It's Just Eat or Deliveroo really, isn't it? But for animal welfare. In the opposite direction.
CAROLE THERIAULT
Unless you're a vegetarian. So she's waiting. She's waiting.
GRAHAM CLULEY
And there's the bird still twitching, is it?
CAROLE THERIAULT
Exactly. And sadly, the whole day she waits, no bird rescuers show up to help the poor thing. But then about 4 days later, she's on the train and she gets a message.

Not a note from her mom reminding her to come for dinner that evening and not one from her boss saying she's got a promotion.

She gets a text saying that ₹100,000 have been debited from her account.
GRAHAM CLULEY
So when she paid the ₹1— what the fuck?
CAROLE THERIAULT
Yes, when she paid the ₹1, she gave them enough information for them to extract considerably more. But how would that work, right?

So normally the way it worked was they give me your credit card number over the phone, and perhaps in this case it was just put in your card details here on the little form.

And we're just going to take ₹1. And this, folks, is when she realizes that she's been duped by an opportunistic con looking for people who want to help distressed little animals.

Feels very niche.

It's not actually, it's a toll-free hijacking scam where the scammer gets a phone number that is very similar to a popular toll-free one, perhaps the number of a customer support line.

And it's a copycat phone number that will be 1 or 2 digits different from the official one, or have a different toll-free prefix, 888 rather than 800, for example, in the States if they were there.

And then when the customer types in the wrong number, the call goes to the bad guy.
GRAHAM CLULEY
So that's what she did. She went to a legitimate website which had a legitimate phone number, and she mistyped the number.
CAROLE THERIAULT
I think perhaps what might have happened is when she went to Google and typed in, give me the number for the local sanctuary, what came up was a fake ad or a poisoned ad or a poisoned account.

Shame on you, Google. But she's no dumb-dumb. So this happens to her. She's £1,000 out of pocket and she's no dumb-dumb.

She immediately takes action, lodging the complaint online with the cybercrime department. And visits her bank to submit a written complaint right away when it happens.
GRAHAM CLULEY
Hang on, when she contacted the cybercrime department, did they say, "We can take your complaint, but you're gonna have to pay us 1 rupee"?

How did she get the number for the cybercrime? That's the—
CAROLE THERIAULT
I know, I saw that when I read this.

I was like, "Jeez." So she also contacted the Mumbai Central Government Rail Police, perhaps because she received this when she was on the train.

Filed the complaint against the fraudsters for impersonation, cheating, and forgery under the Indian Penal Code.
GRAHAM CLULEY
Feels a bit random to contact the Rail Police just because that's where you were when you— What if she'd received it at the pizza restaurant?

Would she go and send a complaint to them?
CAROLE THERIAULT
Yeah. I'm a little worried that perhaps the story is— Because the story is basically quoting a member of the Central Government Rail Police as— They're, yeah.

But this officer said, you know, that they've written to the bank to obtain details about the account where the money was transferred, as well as to the cell phone companies.

So they're on it.
GRAHAM CLULEY
She hasn't got her money back yet then.
CAROLE THERIAULT
No, no, this is what, remember we talked about this. I think this is what you would call authorized fraud. Oh yes. Right, so it was fraud, but it was instigated by her.
GRAHAM CLULEY
Yeah, she gave the permission.
CAROLE THERIAULT
She handed over the details 'cause she was duped. Yeah, yeah. And not that that's necessarily fair, and not that all banks follow those protocols, but there's a risk there anyway.

So advice for do-gooders like you, Graham, who runs after the Diana Rigg who drops her sweater: yes, be freaking careful when you dial phone numbers.

That's the advice from AT&T, right?

Really, don't dial the wrong toll-free prefix, don't hit a number twice, don't hit an adjacent number because they're all waiting for you to do that apparently. Jeez. And, right?

And you're just trying to do a good thing. You're just like, oh, this poor little animal, I'm gonna go out of my way to do something good.
GRAHAM CLULEY
Do you think the bird was in on it? Do you think it was actually faking that it was hurt?
CAROLE THERIAULT
Smashing Security is brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity.

The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every known cyber threat.

Now available as a cloud-based deployment, Centripetal's Clean Internet service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.

The addition of AWS Clean Internet Cloud protects your enterprise whether on-premise, remote or in the cloud, removing the need for a more costly cybersecurity infrastructure.

Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L.

And thanks to Centripetal for sponsoring the show.
GRAHAM CLULEY
Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that, you're asking yourself?

Well, if a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.

Kolide patches one of the major holes in zero-trust architecture, which is device compliance.

Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.

Unsecured devices are logging into your company's apps because there's nothing there to stop them.

Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.

The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked.

Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo.

That's k-o-l-i-d-e.com/smashing.
CAROLE THERIAULT
Smashing Security listeners, did you know that Bitwarden is the only cross-platform password manager that can be used at home, on the go, or at work?

Bitwarden's password manager securely stores credentials spanning across personal and business worlds, and every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials.

These are unique and secure passwords for every single account you access, and it's easy to set up, it's easy to use. I honestly love Bitwarden.

I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user.

Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security related. It was recommended to me by an avid listener to the podcast. Thank you to Connor G for dropping me a line.

Shout out Connor. About this series of documentaries on Netflix called Connected: The Hidden Science of Everything.

Now, Connected, which is hosted by a chap called Latif Nasser, who listeners may know, he's the co-host of Radiolab.
CAROLE THERIAULT
Sorry, I wasn't listening. I was Googling.
GRAHAM CLULEY
You weren't listening? Latif Nasser, I think his name is.
CAROLE THERIAULT
Oh, I don't know his name. That's— okay.
GRAHAM CLULEY
I think he's been the co-host since late last year of Radiolab.
CAROLE THERIAULT
Oh, okay, okay, okay, okay. He's new. Sorry, sorry. I used to listen in the old days.
GRAHAM CLULEY
This show is quite interesting, and it looks at the connections between different things from the world of science.

Connor, who recommended this documentary, which I've watched, he called out a couple of episodes.

So I watched one all about nukes, nuclear bombs, and obviously nuclear weapons, not necessarily a great thing, right, Carole?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Wrong, Carole. Wrong, Carole. Apparently they're brilliant. Well, not brilliant exactly. Well, there are some benefits. Maybe we should just watch the show.
CAROLE THERIAULT
There are some benefits.
GRAHAM CLULEY
And the benefits are, for instance, how it pertains to the identification of fake art and how nukes have helped in terms of medicine and all these links.

And there's another show— Nukes? Yeah, as in nuclear weapons. Yeah, okay. And there's another one about excrement.

And as Connor says, it's not a shit show, but it's brilliant about apparently, for instance, Thames Water, the testing that's done on the Thames.

It's able to determine which day of the week it is by how much cocaine is present in the water supply. For real?
CAROLE THERIAULT
We're definitely Sunday morning kids.
GRAHAM CLULEY
Anyway, this series of documentaries, they remind me a little bit of a brilliant 1970s BBC TV series hosted by James Burke called Connections.

Have you ever seen Connections, Carole? It was shown in the States on PBS. I'm sure they would have shown it in Canada.
CAROLE THERIAULT
I was a PBS watcher.
GRAHAM CLULEY
Right.

And it was all about the different connections, different people, how they were connected, how, for instance, the opening of the Suez Canal directly links to the writing of the musical Aida, and all sorts of things like that.
CAROLE THERIAULT
Anyway— Oh, yes, yes, yes, yes, yes. I recognize his face completely. You recognize his face? Yeah, I don't know his name, but yeah.
GRAHAM CLULEY
James Burke is still alive. He's right up there with David Attenborough and Carl Sagan as an extraordinary communicator. But I love that.

Anyway, this feels to me like a modern version of Connections, this Connected Netflix TV show.
CAROLE THERIAULT
Do you think it was the name that gave that away, that gave you that idea, or?
GRAHAM CLULEY
Well, I think it's just a rip-off of the name, to be honest. Obviously, I prefer Connections, the 1970s version, more. But I still think a lot of people will enjoy Connected.

You can find it on Netflix, and it is my pick of the week.
CAROLE THERIAULT
Well, I think it sounds very cool because I don't know Latif Nasser, but I do love Radiolab. And last time I was listening, they were repeating old shows.

So I guess he's come on board. So I should go check it out, excellent.
GRAHAM CLULEY
What's your pick of the week this week?
CAROLE THERIAULT
Oh, God, did I go down a wormhole? Okay, so my pick of the week is— okay, surprise, surprise— podcast. But the topic of the podcast is reality TV.

It's a podcast called Unreal: A Critical History of Reality TV. I shared it with you earlier midweek. Did you have a nose? I haven't had a listen yet to it, no.

Okay, well, it's hosted by two journalists, Pandora Sykes and Sirin Kale. Both have journalistic chops.

And also, they declare a love for reality TV from when they were preteens, right? And they watch Big Brother together. You remember watching the first Big Brother. We watched that.

I think we were all hanging out during that time.
GRAHAM CLULEY
Oh, the first series of Big Brother was quite an event, wasn't it?
CAROLE THERIAULT
Wasn't it? I think people coming into work bleary-eyed, I didn't go to sleep because they would air it all night, didn't they?
GRAHAM CLULEY
First series where people didn't really know what they were doing if they were taking part. It was more of a sort of scientific experiment.

Later, it became all about people going on because they wanted to be famous. But I think the first series, in the UK at least, was really quite interesting.
CAROLE THERIAULT
Yeah, but there's, listening to this show, you realize how many societally cringey moments we sat watching. Right, it's too much to bear. They talk about one show.

This is the one that I thought was just the most— It's called The Swan. Have you heard of The Swan? Oh.
GRAHAM CLULEY
Is that where they did cosmetic surgery on someone?
CAROLE THERIAULT
Yep, a reality show where an average-looking person would go and get serious surgery, go on extreme diets, you know, change everything, and come out not looking like an ugly duckling, but a swan.
GRAHAM CLULEY
One of my favourite ones was called "There's Something About Harry," I think it was, where they brought over a bunch of American women in their early 20s and they convinced them that this chap who they were meeting was actually Prince Harry, and that Prince Harry was trying to find his bride.

This was obviously a while ago before he met Meghan Markle, etc. And so they were all being duped. So gross.
CAROLE THERIAULT
You know, well, it was gross, but also someone made that show.

They said, let's just dupe people and film everything because they signed their lives over because they think we're telling them the truth.
GRAHAM CLULEY
Another one, sorry, I'm enjoying this too much.

I saw another one where they took a bunch of people and they told them that they were going to put them on a space shuttle flight or the Russian shuttle into orbit.

And they went on astronaut training and then they put them on a plane and flew around the UK for a while, landed them and pretended that they were in Russia.

They changed all the signs and everything and made them think that they were going to— Fuck's sake.

It is obviously horrendous, but obviously most importantly, it was entertaining. Can't look away.
CAROLE THERIAULT
Yeah, as long as it makes money for somebody. Right. But yeah, so The Swan was pretty gross. It was 3 months, right? So some of them would go through something like 10 surgeries.

Oh, my God, that's horrible. They weren't allowed to have a family. They would only allow one brief phone call a week. They had to do therapy on TV as part of their contract.

And if you were not open enough with your horror or your trauma, you were out. Points were against you. They would say, "You held back." And at the end, the swans come out, right?

After they do their pageant, there's a queen swan. It's just— anyway, it's just disgusting. But the worst, the worst thing was a lot of this surgery.

You don't go on the show because you're loaded and can afford all this. Because you've got some issues, you know, and you're not good in yourself and you don't have a lot of cash.

But there's things that need maintenance, right? So if you get your lips filled, or you get a lot of Botox or shit like that, you need to go and maintain that stuff.

Otherwise, it starts sagging, it doesn't work. And it's not like these people were being looked after by the show once they got kicked off. Anyway, fuck me.

I'm watching it, I'm listening to this podcast going, "How did we let this happen?" I found it mind-blowing.
GRAHAM CLULEY
Which country was this in?
CAROLE THERIAULT
This was in the States. Oh, I kind of guessed. Yeah, but come on, the UK ones are pretty outrageous as well.
GRAHAM CLULEY
It does feel like the UK is just a few years behind.
CAROLE THERIAULT
Love Island, X Factor, Pop Idol, Made in Chelsea. It's quite interesting because they interview creators and producers and contestants, right?

And you kind of get this cross of what everyone experienced and why they were doing things.

But anyway, I found it— Basically, Graham, you gleamed at some of these horrible moments, so maybe you should face your reckoning and go listen to it and see if you're embarrassed at what you thought was hilarious not even 15 years ago.

Unreal: A Critical History of Reality TV. It's for BBC Radio 4, and I think they did an excellent job. Find it on BBC Sounds or wherever you get your podcasts.
GRAHAM CLULEY
And that is my pick of the week. Excellent. Well, Carole, you've had a busy week. You've been chatting to the chaps at Bitwarden, I believe.
CAROLE THERIAULT
Yes, I spoke with Bitwarden's Max Power, and let's find out exactly how cool this Bitwarden Secrets Manager is. Listen up.

All right, listeners, today we have Max Power, probably the person with the best name I've interviewed on this podcast. He is product lead for Bitwarden's Secret Manager. Hi, Max.
MAX POWER
Thanks for coming on the show. Hi, thanks a lot for having me.
CAROLE THERIAULT
We've been trying to get together to do this for some time now, and I'm so glad we finally pulled it off.
MAX POWER
Absolutely. We had a couple of very busy weeks, didn't we?
CAROLE THERIAULT
Well, the password manager kingpin Bitwarden has a brand new product currently in its beta phase, and Max is going to give us the lowdown.

But before we get to that, perhaps, Max, you can tell us a little bit about you and your current role at Bitwarden.
MAX POWER
Absolutely. I'm the product lead for the Secrets Manager.

I've been working in various different product roles over the past couple of years, mostly for open source projects that were somehow related to dev tooling or cybersecurity.

And for about 1.5 years now, we've been working on the Secrets Manager, which is super exciting because it's a completely new product and a lot of new stuff we need to conceptualize.
CAROLE THERIAULT
I know, and it's got a great name as well. So maybe we should talk about that. So tell me, what is a secret in Bitwarden world?
MAX POWER
A secret can be pretty much anything. So for a lot of people, it may be confusing because a normal password is also a secret.

But for the Secrets Manager, we're particularly talking about developer secrets.

So that may be API keys or anything that is development related, such as database credentials and so on.
CAROLE THERIAULT
Right. Let's start with the pain points. So where would a product like this prove to be very useful in your mind? Use cases, maybe.
MAX POWER
So one of the key benefits of a secrets manager is that you're able to share secrets securely with other team members.

So let's say, for instance, you are developing a product, you have multiple secrets, you have a Stripe API key, database credentials, and so on.

And in order to operate securely and in order to collaborate securely, you need to share those secrets in some way with your team members. Right.

One of the current ways of doing it is that you set up an env file and share secrets via Slack or other unencrypted channels.

And that's definitely not the ideal way of handling things.

So one very common error is that env files are not added to a .gitignore file and they accidentally get published to GitHub, maybe to a private repo, and then that private repo is open sourced later.

This has happened in multiple instances leading to really huge, huge database leaks affecting some of the largest companies in the industry, amongst others Uber.

But they had a very massive leak of their driver's details. That's right.

There are different reports, but GitGuardian, for instance, publishes a report and they mentioned that around 5 million credentials and other secrets get leaked on GitHub every year.
CAROLE THERIAULT
I think every single listener who has worked in an office, right, has used an insecure way to share a sensitive piece of information with a colleague.

From writing it on a piece of paper to sending it via text, maybe, right? Or email. We're all guilty of it.

And so, what you're offering is this tool that is super safe and allows employees to share information, particularly, you know, serious information related to infrastructure, right?
MAX POWER
Absolutely. And the infrastructure is protecting a lot of additional secrets, right?

So, it's the one secret to a holy grail of potential secrets if your database gets leaked, there's much bigger damage than just this one secret.

So there's a big trail of secrets, which need to be protected pretty well.

Primary target group is definitely for teams, for employees, but there may of course be use cases where you want to exchange secrets with third-party vendors.

There might be some certificates you want to share in a secure way. This is not a primary use case for Secrets Manager, but definitely something that would be possible as well.
CAROLE THERIAULT
And do you have any kind of cool config options within this service that might allow it to lend itself to a specific environment better than others, for example?
MAX POWER
Generally speaking, we're building Secrets Manager to target as many use cases as possible.

So we're trying to simplify building out various integrations and to cater to pretty much any sort of use case.

We have the traditional use cases of development teams that are building a product, but we also have a lot of customers from the IoT and OT space.

So for instance, big factories that have a lot of robots. These robots need secure credentials as well.

And the way we're building things is that we try to cater to all of these different use cases. So we have our SDK, currently built in Rust.

We're working on other languages as well, which make it easy for anyone to build stuff using Secrets Manager.

And then we have our CLI, a completely revamped CLI, not based on the existing Bitwarden CLI, which also simplifies a lot of the process.
CAROLE THERIAULT
You know, that was a little bit of a trick question on my part because, hallelujah, that is a simplified system that anyone can use because it's really complicated when people add so many bells and whistles to different products to make it work for you, but it never works perfectly.

And then no one else really understands your use case very well. So that's a good thing. How's the beta been going?

So how long has the beta been going so far and what have you learned from that?
MAX POWER
We launched the beta in March. And so far we have over 1,200 organizations that signed up. Wow. Which is a very big number and much more than what we expected actually.

So we're very positively surprised by that. We have gathered a lot of really valuable feedback there. We're aware of a lot of things that we still need to build.

Luckily our internal roadmap was very well aligned with what customers during beta requested.

So a lot of the important requests that customers had are already in preparation and already being worked on, which is of course great to get this confirmation and feedback.

But we of course also got a lot of great ideas that weren't on our roadmap.

And luckily with Bitwarden, we have a super great, very supportive community of people that are contributing either with ideas or contributing actually to our open source repositories.
CAROLE THERIAULT
You have a really hard job, Max, because I've worked very closely at this level.

And as I remember, you have to kind of manage the ideas that go in and make sure they, when they go in, that they work seamlessly and perfectly and don't blip out in any way.

And of course you've got deadlines from everybody, so it's fantastic if you're able to have the time and flexibility to really test everything.

So I love hearing about a long beta phase. I think that's really good.
MAX POWER
Absolutely. I mean, one thing that is always our primary focus is security. So we don't publish anything without thorough testing, without third-party audits and so on.

Before we are sure that we would use it internally, we are not publishing anything.

The beta is very useful in determining what features we should prioritize and also, for instance, determining what is the right pricing approach.

So that was a very big question for us during beta as well, because a lot of the competitors in the landscape have super confusing pricing.

That's also something where we wanted to add a little bit more simplification. I love that.
CAROLE THERIAULT
What kind of feedback have you received from some beta testers that have made— that make you feel like we're really on the right track here?
MAX POWER
Overall, the feedback has been very positive, which is really great.

A lot of the people were very happy to have one place for all of their secrets, for their user credentials, their normal passwords and their developer secrets.

We have received a lot of great feedback surrounding how secrets should be organized and structured, which we already had more or less planned anyways.

So the way that we are resembling, for those that are already using the password manager, resembling collections where we have project, just a very neat way of organizing secrets.

And then we got a lot of great feedback also on how granular the access policies should be surrounding secrets, which was very useful and we were already more or less planning.

So there's lots going on.
CAROLE THERIAULT
So how long is your beta scheduled to last?
MAX POWER
We are planning to launch general availability version in Q3. Mid-July, most likely, yes. Yeah, there's still a couple of factors.

There's always the question of how much additional functionality and features do we want to add before we launch general availability.

There's still some debate about some minor features that would improve usability.

Of course, my personal approach is that it won't hurt to launch GA as long as we follow up with these features very shortly after, which is currently the plan.

So there are a lot of features like additional SDK languages, additional integrations, improved documentation, and so on, which of course all takes quite a bit of time to build out.

But whether we launch that a couple of weeks after we launch GA, or before, it doesn't make a huge difference for users.
CAROLE THERIAULT
So are you still taking people in your beta?
MAX POWER
Absolutely. The beta is public to anyone. It's free for anyone. And we're always looking forward to additional feedback. It's super helpful for us.
CAROLE THERIAULT
And I'm sure it's great for people to get a sneak peek at what you guys are working on. Definitely.
MAX POWER
I mean, that's also one of the beautiful things about Bitwarden is that our users can really drive the direction the product is taking.

We're taking our user feedback for anything, also for password manager. User feedback is one of the most important things for us.

And that is really one of these beautiful things about the general open source community that we're listening to users and users are providing us with great feedback.

So there's a very nice symbiosis. Yeah.
CAROLE THERIAULT
And you guys are the only open source password manager currently available at any scale. Is that right?
MAX POWER
The only really user-friendly security and open source password manager. That's a very important distinction.

For more tech-savvy users, there are some decent alternatives that, from the pure perspective of encryption standards and so on, are very good as well. Yeah.
CAROLE THERIAULT
But your main focus as well is to have serious tech, but overlay it with really simple UI interface and usability to make everyone's life a bit easier. Absolutely.

Yeah, can't argue with that.

Listeners, if you want to take part in Max's Bitwarden Secret Manager beta test, or if you just want to learn more about this service, may I suggest you go to bitwarden.com/smashing.

That's bitwarden.com/smashing. And Max Power, product lead for Bitwarden Secret Manager. Thank you so much for coming on Smashing Security. Thanks, Carole.

I have to ask you one question before we go. I was doing some research on you and I found a Max Power website, Max's Island. Is that you? No.

I was thinking you had a name for an inspirational speaker and look, there's already someone out there with it. Have you seen this? No, I haven't seen that yet.
MAX POWER
Well, there you go.
CAROLE THERIAULT
MaxIsIsland.com. You can go have fun and check that out. Thanks for coming on the show, Max. I appreciate it.
MAX POWER
Thanks a lot, Carole.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. You can follow us on Twitter at @smashinsecurity, no G, Twitter won't allow us to have a G.

Smashing Security also has a Mastodon account and you can look up the Smashing Security subreddit on Reddit.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT
And huge, huge thank you to this episode's sponsors, Centripetal, Kolide, and Bitwarden, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 324 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye! Good Pick of the Week, Carole. That sounds interesting.
CAROLE THERIAULT
It's fricking fascinating.
GRAHAM CLULEY
Talking of Pick of the Week, it's been pointed out to me that my Pick of the Week last week.
CAROLE THERIAULT
Yes, I did find it. Uh-huh.
GRAHAM CLULEY
Which you said, this kind of rings a bell, you said, maybe I've seen it. Turns out it was your Pick of the Week back in February.
CAROLE THERIAULT
You made a comment, didn't you make a comment like, well, maybe I'm more with Netflix than you are these days, or I don't know.
GRAHAM CLULEY
Oh, and also, not only have we both now recommended it, but on both episodes, Mark Stockley was our special guest. What?

It's really his fault for not spotting that we've both recommended the same TV show. Bad Mark. It was a good show though, Black Butterflies. Yeah. Yeah, I enjoyed it.
CAROLE THERIAULT
Good. Well, good. Bye. Bye.
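The toll-free hijacking scam Carole describes earlier in the episode works because a copycat only has to sit on the numbers people mistype. The block below is an added example, not code from the show, from AT&T or from any company mentioned: it enumerates the mistyped variants the segment lists (wrong 8YY prefix, a digit pressed twice, an adjacent keypad key, two digits swapped) for a given North American toll-free number, so a brand can check who answers on each one. It assumes 10-digit NANP numbers and the current 8YY prefixes; the sample number is a fictional 555 number.

```python
"""Enumerate the look-alike numbers a copycat toll-free line could sit on.

Added example, not from the show, from AT&T or from any of the companies
mentioned. It models the mistypes the story describes: a different 8YY
toll-free prefix, a digit pressed twice, an adjacent keypad key, and two
digits swapped. NANP 10-digit numbers only (an assumption).
"""
import re

# The North American toll-free prefixes (8YY codes) in service.
TOLL_FREE_PREFIXES = ("800", "833", "844", "855", "866", "877", "888")

# Keys that neighbour each digit on a standard 3x4 telephone keypad.
ADJACENT_KEYS = {
    "1": "24", "2": "135", "3": "26",
    "4": "157", "5": "2468", "6": "359",
    "7": "48", "8": "5790", "9": "68",
    "0": "8",
}


def normalize(number: str) -> str:
    """Strip punctuation and a leading country code 1; return 10 digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit NANP number, got {number!r}")
    return digits


def _toll_free(candidate: str) -> bool:
    return candidate[:3] in TOLL_FREE_PREFIXES


def lookalikes(number: str) -> dict[str, set[str]]:
    """Return the dialable toll-free variants of `number`, grouped by mistype.

    Variants that land outside the toll-free prefixes are dropped: they
    cannot be offered as a toll-free copycat, so they are not the case
    the story is about.
    """
    digits = normalize(number)
    prefix, local = digits[:3], digits[3:]
    out: dict[str, set[str]] = {
        "prefix_swap": set(), "double_press": set(),
        "adjacent_key": set(), "transposed": set(),
    }

    # Wrong toll-free prefix: 888 dialled instead of 800, and so on.
    if prefix in TOLL_FREE_PREFIXES:
        out["prefix_swap"] = {p + local for p in TOLL_FREE_PREFIXES if p != prefix}

    # Digit pressed twice: the call completes on the first ten digits, so
    # everything after the repeat shifts right and the last digit is lost.
    # Doubling the final digit still reaches the real number, hence the
    # `candidate != digits` filter.
    for i in range(10):
        candidate = (digits[:i] + digits[i] + digits[i:])[:10]
        if candidate != digits and _toll_free(candidate):
            out["double_press"].add(candidate)

    # Adjacent key pressed instead of the intended one.
    for i, d in enumerate(digits):
        for k in ADJACENT_KEYS[d]:
            candidate = digits[:i] + k + digits[i + 1:]
            if _toll_free(candidate):
                out["adjacent_key"].add(candidate)

    # Two neighbouring digits swapped.
    for i in range(9):
        candidate = digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
        if candidate != digits and _toll_free(candidate):
            out["transposed"].add(candidate)
    return out


def all_variants(number: str) -> set[str]:
    """Flatten the grouped variants into one set to check against."""
    return set().union(*lookalikes(number).values())


if __name__ == "__main__":
    # Constructed sample: 555 numbers are fictional.
    for kind, nums in lookalikes("1-800-555-0199").items():
        print(kind, len(nums), sorted(nums)[:3], "...")
```

For a single support line this yields a few dozen candidates; the useful follow-up is to dial each one (or register the cheap ones) rather than to tell customers to type more carefully.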

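In the interview, Max Power points at the most common way developer secrets leak: a .env file that nobody added to .gitignore gets committed. The block below is an added example, not Bitwarden's code and not from the show: it runs over an in-memory file tree and reports env files that .gitignore does not cover plus secret-shaped strings in anything that would be committed. Assumptions: the .gitignore matching is an fnmatch approximation (no negation or directory-anchoring rules), the regexes are illustrative shapes for a Stripe live key, an AWS access key ID and a credentialed database URL rather than a full detector, and every value in the sample tree is made up.

```python
"""Flag a .env file that .gitignore does not cover, and the secrets in it.

Added example; not Bitwarden's code or anything from the show. It runs
over an in-memory tree so it works offline. Assumptions: .gitignore
matching is an fnmatch approximation, and the secret regexes are
illustrative shapes, not a complete detector.
"""
import fnmatch
import posixpath
import re
from dataclasses import dataclass

SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "database_url_with_password": re.compile(r"\b[a-z][a-z0-9+]*://[^:/\s]+:[^@\s]+@"),
}

# Files that document the variables without holding real values.
PLACEHOLDER_SUFFIXES = (".example", ".sample", ".template")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int


def parse_gitignore(text: str) -> list[str]:
    """Keep the patterns, drop comments and blank lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_ignored(path: str, patterns: list[str]) -> bool:
    """Approximate git: a pattern matches the whole path or its basename."""
    name = posixpath.basename(path)
    for pat in patterns:
        pat = pat.lstrip("/").rstrip("/")
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(name, pat):
            return True
    return False


def is_env_file(path: str) -> bool:
    """True for .env and .env.<stage>, but not for documented placeholders."""
    name = posixpath.basename(path)
    if name.endswith(PLACEHOLDER_SUFFIXES):
        return False
    return name == ".env" or name.startswith(".env.")


def scan(files: dict[str, str]) -> dict[str, list]:
    """Report env files git would commit and secret-shaped strings in any unignored file."""
    patterns = parse_gitignore(files.get(".gitignore", ""))
    committed = [p for p in sorted(files) if not is_ignored(p, patterns)]
    env_files = [p for p in committed if is_env_file(p)]
    findings = []
    for path in committed:
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for kind, rx in SECRET_PATTERNS.items():
                if rx.search(line):
                    findings.append(Finding(path, kind, lineno))
    return {"unignored_env_files": env_files, "findings": findings}


# Constructed sample repository; every value here is made up.
SAMPLE_TREE = {
    ".gitignore": "node_modules/\n*.log\n",
    ".env": (
        "STRIPE_SECRET_KEY=sk_live_EXAMPLE0123456789abcdef\n"
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n"
    ),
    "config/.env.example": "STRIPE_SECRET_KEY=sk_live_REPLACE_ME\nDATABASE_URL=\n",
    "src/app.py": "import os\nkey = os.environ['STRIPE_SECRET_KEY']\n",
}

if __name__ == "__main__":
    print(scan(SAMPLE_TREE))
```

Wired into a pre-commit hook, the `unignored_env_files` check catches the mistake before the first push; the content scan is the backstop for secrets pasted into files that were never meant to hold them.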
Hosts:

Graham Cluley:

Carole Theriault:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Centripetal – Centripetal’s CleanINTERNET defends your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
