
Australia’s signal intelligence agency calls upon an Eighties popstar to fight terrorism, and a simple act of kindness leads to a woman being scammed for thousands.
All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus don’t miss our featured interview with Max Power of Bitwarden.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Presumably the Taliban don't show up at the airport with a little piece of paper saying Taliban taxi service. I don't know, I haven't been there.
I think they do get picked up, yes, but I'm—
I'm expecting they're not waiting behind the gate with a sign saying this is who we are with their 15 guns. Yeah, no, if anyone listening is a member of the Taliban taxi service don't get in touch. Smashing Security, episode 325. Rick Astley and the Little Birdie Scam with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 325. My name's Graham Cluley.
And I'm Carole Theriault. Carole, how are you doing this week? Well, I'm a little freaked out at the moment.
What's wrong? What's wrong?
Well, you probably, I don't know if you've read, but there's a lot of wildfires in Canada and Quebec, right? This is where I went to school, yada, yada, yada. 160 wildfires. In Quebec? Yeah. So my family who were in Ottawa, which is 100 miles from there, 120 miles, like total noticeable air quality issues, crazy. And Canada's seeking international aid because the fires are raging.
I thought Quebec was just covered in snow permanently, but it's actually alight.
No, it's covered in trees and there's not been a lot of water, I guess. And other than that, I'm great. It's just the poor trees, man. Should we get this show on the road?
Sure me up. First, let's thank this week's wonderful sponsors, Bitwarden, Kolide and Centripetal. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? I'm going to be explaining how Rick Astley has been fighting Islamic State.
Okay, I'm going to talk about how a lady and a bird walk right into a trap. Plus, we have a featured interview with Max Power. Yes, that's his real name. Of Bitwarden, who introduces us to Bitwarden's secrets manager. All this and much more coming up on this episode of Smashing Security.
Now, Chum Chum, I think I've explained before how I have a bit of a penchant for little old ladies. I think it's come up from time to time.
You bend over for them because they're very short? Is that what you're trying to say?
No, no, no, that's not what, no, I just have a fondness. I have a fondness for the elderly lady. I love to hear their stories. I love to hang out with them. I enjoy their company.
You used to want to sleep with Diana Rigg, so.
Well, yeah, not sleep with her so much, Carole. Just be cuddled. I just admired her through the ages, with the help of a time machine, perhaps. But I was reminded of my love for the older lady when I was watching a documentary. A documentary which has come out in Australia called Breaking the Code, Cyber Secrets Revealed.
And you were, I need to see this.
I need to see this, I thought. I'm interested in this because it's all about the Australian Signals Directorate, also known as the ASD. What do they do? Well, they are a bit like the code breakers. Well, their origins are the code breakers at Bletchley Park. So Bletchley Park in the UK, as we all know, were cracking the Nazi Enigma machine during World War II. At the same time, the ASD in Australia, in some sort of hot garage, the garage girls, as they were called, were working around the clock to crack Japanese messages during World War II. And there are these old biddies, lovely ladies, who are telling tales of what they got up to, and it is covered in this program. The ASD, rather like Bletchley Park eventually became GCHQ, working on signals intelligence for the UK, the ASD from those origins has become an equivalent to that. So in the decades since, obviously, the ASD has been working a lot on military situations. And since September 11th, of course, it's been very much focused on the fight against terror. That's been an additional thing for them to worry about. And they've been looking to invent ways to disrupt terrorist activity. And that's what the documentary is all about. It's all about the ASD and what it gets up to. Now, it doesn't really cover anything super dodgy the ASD might be doing against Australian citizens.
Or what? You know, it is in some ways. I'm sure they wouldn't do that.
Well, you know, GCHQ, I'm sure they probably would. I'm sure these intelligence agencies are used to spy covertly on their own population.
Be detesting, Graham. Be detesting.
Well, maybe. Maybe that is. But that's not what this program is about. This program is all about sorting out Johnny Foreigner and keeping an eye on them and any terrorists and any baddies and anyone who might cause Australia any trouble.
Right. Okay. So they're just a national service.
Exactly. Exactly. It does look at ways in which the ASD has tried to trick would-be Taliban fighters away from the battlefield. So they go through a number of cases which the ASD has worked on over the years, which haven't previously been made public. I found this really interesting. It's a one hour long documentary. And I thought I'd just tell you a couple of the stories which happened during this documentary.
Okay, I want to hear. But I'm just wondering right now why they're sharing it with the world. But anyway, crack on. Let's hear what they've done.
Well, it's propaganda, isn't it? It's a PR stunt. To say what?
For whom? For Australia? Saying we're serious.
To say, isn't this a wonderful department? And isn't it great how they're fighting terror? And shouldn't they be able to listen into our end-to-end encrypted messages and telephone calls? That's what it's actually about. Come on, let's not beat around the bush, it's to present them as really, really good guys who can be trusted. So we're not going to get into that because we've had that discussion many, many times but I thought it was interesting to see what they've done in these particular situations. So they talk about Operation Lost Jackal. Now when I heard about Operation Lost Jackal, I thought, oh, someone's lost his dingo, right? It's someone's lost their dog in Australia. I'm just thinking it's quite clever.
It's Operational Kangaroo. You're like, must be Australia.
Lost Moggy, lost Kat. Who knows what it could be? But on this particular occasion, what it is, is that the ASD, Intelligence Services in Australia found out that a 24-year-old man, who they call Ali, for the purposes of the documentary, he had been radicalised online and was travelling to Afghanistan to join the Taliban. And the problem was they only discovered about this chap once he was already in the air on the plane going to Afghanistan.
I've read a lot about some of these cases. It's just terrifying. So they find out about it and they're, oh shit, if only we were spying on our people, we would have known.
Well, maybe, maybe. And maybe it was his family or someone else who reported or realised, oh, hang on, he's not going to Barbados or Mallorca or wherever on holiday. He's going to Afghanistan. We don't know how they found out, but they found out. And they knew he was going over there, and they were worried that he was going over there to get trained up, and then he might be sent back to Australia on a terrorist mission. He may even be killed by the Taliban. Who knows what's going to happen to him? And so they don't want that to happen. And so the ASD operatives, the sort of code breakers and hackers who work for the Australian services are trying to find a way to get his mission disrupted so that he won't encounter the Taliban. Presumably, the Taliban don't show up at the airport at Kabul with a piece of paper saying, we are the Taliban, Taliban taxi service. Presumably, I don't know. I don't know. I haven't been there.
I think they do get picked up. From the stories I've heard, you do get picked up at the airport. And it's a harrowing mission to get you into the place where you're going to be. Yes, but I'm expecting they're not waiting behind the gate with a sign, are they? This is who we are. We're going to pick you up. I'm just trying to think what would be UK-ish or Canadian-ish? Some sort of an ASCII art of a poutine.
Oh, yes. For Canada. Yes. Possibly. Or you could have a corgi or something.
Or a crest with a corgi. Yes.
Her Majesty's Internet. OK. So they write an email in broken English claiming to be from his Taliban operator and saying to him, watch out, matey boy. That's not actually what they say, but it's along the line. If you watch the documentary, you get special words. They say, watch out, buddy, because your phone number and email address have already been compromised. You need to ditch your phone number and you need to ditch your email address and reply to us telling us what your new phone number and email address are. Because otherwise, intelligence services may work out who you are and what you're up to.
That's quite a clever ruse. So interesting approach. OK, so what happens? What's he do?
Well, it took a couple of months. At first, he didn't reply. And so they had to keep on sending him more messages.
What? A couple of months? What's the next message you say? So you haven't ditched your phone. It's really important.
Well, because they could see he was still communicating with people via his email address because he was sending messages back home, hey, having a lovely time in Mallorca or whatever it was. But they knew he wasn't there. So he was speaking to his family members. They knew he's still there. He hasn't changed his phone number, posting up on Instagram or whatever it is. They think we've got to stop this. We've got to stop this. And so they kept on sending messages. And they said that they made the language simpler and simpler and more direct, saying, look, you aren't listening. This is really important. The Taliban bosses are getting really upset with you.
But presumably he's in with them by then.
Well, this is all the thing. He's coming over there with a vague contact, but he wants to impress the leaders so that he can get a good job. He wants to prove his worth.
And so the ASD, the Australian officers, are sending him messages saying, we're getting really angry with you because we've told you what to do and you haven't done it yet. And eventually he does respond with a new phone number, with a new email address. And they basically put the fear of God into him. And they said, you've done it, good, but our senior officials are so angry that you haven't been serious enough. You should return to Australia right now. Get on the next plane out of here. Because if you don't, if we see you around the place, you're endangering our mission. Because obviously they're on a very important jihad. So that's what he did. He got on the plane back. So they just scared the shit out of him so he flew home. That's right. And who knows what the Australian authorities did when he landed back at Brisbane or Perth or wherever it was that he went back to. They are seven feet tall at the shoulders. Hold the phone. I'm just reading the internet, which is full of crap, right? So give me a second. I know nothing about this. Ladies and gentlemen.
Are you on Wolfopedia at the moment? The Mackenzie Valley Wolf has a specialised body that has made it one of the world's most efficient hunters. It measures 32 to 40 inches tall at the shoulders and has a length of one and a half to 2.1 metres, five to seven feet long. And probably not quite as hairy, I would expect. So the ASD, the cyber operatives, let's face it, they're basically hackers, right? They're hackers who are working for the government. And they are supporting the military operation on the ground in Iraq. And they're supporting Operation Valley Wolf. And they're sometimes camping overnight in their basement office so that they can be available whenever required to help the military operation. And they're working with the NSA in the United States. They're launching cyber attacks at the same time as military manoeuvres. And what they found was that ISIL fighters were using apps that were privacy conscious. They were hiding their location. So they weren't just using the telephone. They were using something called Surespot, Wickr.
I've heard of that.
Which I know is very popular with drug dealers.
I was about to say, I know it's very popular with drug dealers. I've heard of it. Not because I'm a drug lord, Graham. Jesus.
And Telegram, amongst others. And they're thinking, oh, crumbs. All these bloody ISIL soldiers are using all these different apps. How are we going to crack all of those? And they're all encrypted. And they thought, well, hang on. We don't have to crack all of these apps. We don't have to find vulnerabilities in all of these. What we can do instead is target the way that any app works on a smartphone. And all of these apps require internet access. So all we have to do, I say all we have to do, but all we have to do as an ASD hacker, someone working for the Australian authorities, is devise a way to disable the smartphone and prevent it from accessing the internet.
So you just ban it from an area. You could just say anything that's in the Taliban regions of power block, for example.
Oh, what, turn off the internet somehow?
I suppose. So they can only do it within their jurisdiction, turning off the internet. So that's what they think they're going to do. They're going to turn off the internet somehow or stop this phone from contacting. Is that the plan? We could do that, but then you'd also have data signals as well. And clearly, losing all cell coverage in a city when you're trying to take it over yourself could also compromise your own ability to communicate if you're the coalition forces. It's the worst. Yeah, exactly. It's really bad. So it doesn't rely upon the Taliban fighter clicking on a link or opening an attachment or doing anything like that. It instantly activates on their phone. That normally doesn't get rid of malware, just as an FYI. No, it doesn't. But to be honest, most problems are fixed by turning off something and turning it on again, right? So Care Bear was a bit more complicated than that on your smartphone, which meant that you'd have to come out of your bunker as an ISIL warrior and go to ISIL tech support for help, right, to get them to do something with the phone, which was going to be beyond the typical. I mean, it was, you know. Well, your phone was no longer working. That was the thing. So it was quite obvious that your phone could no longer access Wickr and Telegram and all these other things. Your phone is basically just a useless brick. You bring it to the IT guy and he's like, oh, fuck, this is, yeah, this is not...
Yeah. And there was another one called Dark Wall, which apparently couldn't be easily fixed. It was a really destructive payload, which kind of permanently prevented your phone from working, even if you did go to tech support. So if that was coordinated with an attack being launched at you by coalition forces as an ISIL fighter.
You're talking about this very knowledgeably. I feel really out of my depth here talking about ISIL and I'm sitting here pretty.
And there was also, and that's the one I really want to talk to you about, there was an attack called Lightbolt. And what Lightbolt did was it had a fascinating payload with no user interaction on your smartphone at all, no clicking whatsoever. It would launch a Rickroll payload on the smartphone, sent to them by ASD hackers in Canberra. So the Australians were making ISIL fighters' phones play Never Gonna Give You Up by Rick Astley.
So to mindfuck with them. So this would play aloud, embarrassing them. What's the plan? What's the plan? Well, if it was playing, then they couldn't do anything else with their phone. Okay, then in which case we launch Operation Care Bear or Dark Wall or the other attacks. But one of them was this Lightbolt, which got it to play a Rick Astley song instead. Anyway, it was a really interesting program, a good documentary. And should have been your pick of the week, but you didn't want to get told off. No, because it's illegal and don't listen to it. Is it illegal? Is it illegal? Yes. To use a VPN? Is it? No, it's not legal to use a VPN. It's legal to access things that you should not access, Mr. Kroon.
Okay, well then make sure nobody clicks on the link in the show notes when they've set up their VPN to be in Australia. And wait for the documentary instead to come out in your territory. Carole, what's your story this week?
My story. Graham, we're kicking off my story with a salute to the kinder humans out there. Oh, lovely.
I even have written up on a completely unscientific questionnaire so that we can gauge our own level of kindness. Oh, OK. All right. OK. Yeah. And listeners, why don't you guys play from wherever you are? Right. What do you do? What do I do or what would you do? Yeah. What do you do? Well, I think I'd say, hey, you dropped a sweater. Right? Pick it up maybe. Maybe gently jog after them. Would you jog? Would you? Maybe. Well, how far ahead are they?
Would you actually bend over and pick up someone else's sweater? Maybe with my foot. You know, maybe I could sort of kick it up to hand level so I wouldn't have to bend over. I don't know. You know, something. Or maybe if you're there with me, I could ask you, Carole, could you pick that up so I can present it? No, no, it's not Diana Rigg. It's [beep].
Better beep that out. Okay. No one's going to touch the sweater in that case. If it belongs to them, no one wants to go near it. Who knows what you could catch?
Okay. Okay. You see an old man, okay? You see an old man walking through a car park, looking lost. Oh. But he hasn't seen you. Right. What do you do?
Ah, so maybe I shouldn't shout out, Oi, missed that! Right? Because it could give him a heart attack or something. He hasn't seen me.
You have things to do. You're a busy man, aren't you? I'm a busy man.
If he's looking lost, maybe he's enjoying, you know, just having a look around all the cars. I don't know. I mean, am I really going to be able to help him if he's looking for his car? I'm not sure. I wouldn't know one car from another. I think he's got it under control. Exactly. Exactly. You just duck your head down, wouldn't you?
I'll duck my head down.
Yeah, I'll do that. Yeah, yeah, yeah. You would. Totally.
Okay. And finally, you go crazy one day and you buy six donuts from your local cafe. Okay. They're still warm. Okay. You only need two. You only want two, but you couldn't help yourself because it's such a good deal. Good deal. Yeah. You see a homeless person on your way home sitting in front of the co-op asking for change. You have none. What do you do?
The thing is, he might be diabetic. That's the thing. Do I really want to push a donut onto him? You know, that's a really good answer because I have done that exact thing. And the guy was like, oh, man, I wish I could, but my tooth. So the poor fucker had a toothache as well. What floor am I on?
I don't know. Irrelevant.
Oh, okay. So it's not that I'm going out onto a ledge or anything.
No, no, no. Sorry. No, ground level.
Ground level. Okay, okay, okay. So it's a little injured bird out there? I'm not sure what I can do. Maybe I could gently pick it up. I could cradle it in my hands and feed it back to healthiness with a little bit.
You would not dare. You wouldn't. You wouldn't, would you? I love animals. I love them. You'd go pick up a bird.
Yeah, why not? Is it an emu? What kind of bird is it?
Yeah, I didn't mention that. It's an ostrich.
No, I don't want an ostrich. No. No, no. Okay. Well, look, I think you wouldn't, right? Because I don't think you're as kind as Mumbai's very own Duwani Mehta. And you're saying, wow, Carole, you said that strangely, her name. But I have it from Yogi. I got Yogi to tell me how to pronounce it. Our friend Yogi. Do you want to hear it? Do you want to hear Yogi's? Oh, yeah. Yeah. Let's have Yogi on the podcast. Duwani Mehta. Thanks, Yogi. Thanks, Yogi. And then she waits. And what are they going to do? Are they going to send around an emergency van or something to pick up the bird?
Yeah, come pick up the bird, bring it to a shelter, nurture it back to health, do whatever they can. That's the whole plan, right? So she's waiting there. It's the RSPCA that exists in our country as well.
It's Just Eat or Deliveroo, really, isn't it? But for animal welfare. In the opposite direction. Unless you're a vegetarian.
Yeah. So she's waiting. She's waiting. And there's the bird still twitching, right? And sadly, the whole day she waits, no bird rescuers show up to help the poor thing. But then about four days later, she's on the train and she gets a message. Not a note from her mom reminding her to come for dinner that evening and not one from her boss saying she's got a promotion. She gets a text saying that 100,000 rupees have been debited from her account.
Oh, okay. So when she paid the one rupee. What the fuck? Yes, when she paid the one rupee. She gave them enough information for them to extract considerably more.
Exactly, but how would that work, right? So normally the way it worked was they'd give me your credit card number over the phone. And perhaps in this case, it was just put in your card details here on the little form and we're just going to take one rupee. And this, folks, is when she realizes that she's been duped by an opportunistic con, okay? Looking for people who want to help distressed little animals. It feels very niche. It feels very... Well, it's not, actually. It's a toll-free hijacking scam where the scammer gets a phone number that is very similar to a popular toll-free one, perhaps number of the customer support line. And it's a copycat phone number that will have one or two digits, you know, from the official one. Or different toll-free prefix, 888 rather than 800, for example, in the States, if they were there. And then when the customer types in the wrong number, the call goes to the bad guy.
So that's what she did. She went to a legitimate website, which had a legitimate phone number, and she mistyped the number? I think perhaps what might have happened is when she went to Google and typed in, give me the number for the local sanctuary, what came up was a fake ad or a poisoned ad or a poisoned account. Shame on you, Google. Hang on. When she contacted the cybercrime department, did they say we can take your complaint? But you're going to have to pay us one rupee. How did she get the number for the cybercrime? That's the irony. I know, I saw that when I was writing this. I was like, geez. And she also contacted the Mumbai Central Government Rail Police, perhaps because she received this when she was on the train. Filed the complaint against the fraudsters for impersonation, cheating and forgery under the Indian Penal Code.
Feels a bit random to contact the rail police, just because that's where you were. What if she'd received it at the pizza restaurant? Would she go and send a complaint to them? I'm a little worried that perhaps the story is because the story is basically quoting a member of the central government rail police as their, yeah. But this officer said that they've written to the bank to obtain details about the account where the money was transferred, as well as to the cell phone companies. So they're on it. Do you think the bird was in on it? Do you think it was actually faking that it was hurt?
Centripetal's Clean Internet Service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS Clean Internet Cloud protects your enterprise, whether on premise, remote or in the cloud, removing the need for a more costly cybersecurity infrastructure. Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com slash centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show.
Now there's some big news from our sponsor, Kolide. Kolide, if you are an Okta user, they can get your entire fleet up to 100% compliance. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log in to your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up-to-date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com slash smashing to learn more or to book a demo. That's K-O-L-I-D-E dot com slash smashing.
Smashing Security listeners, did you know that Bitwarden is the only open source cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access.
And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish.
It doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. It was recommended to me by an avid listener to the podcast. Thank you to Connor G for dropping me a line. Shout out, Connor. About this series of documentaries on Netflix called Connected, The Hidden Science of Everything. Now, Connected, which is hosted by a chap called Latif Nasser, who listeners may know he's the co-host of Radiolab.
Yes. You know him? Yes, I do. Sorry, I wasn't listening. I was Googling.
You weren't listening. No, I wasn't listening. Latif Nasser, I think his name is.
Oh, I don't know his name. That's okay. I think he's been the co-host since late last year of Radiolab.
Oh, okay, okay, okay, okay. He's new. Sorry, sorry. I used to listen in the old days. Yeah.
This show is quite interesting. And it looks at the connections between different things from the world of science. So, Connor, who recommended this documentary, which I've watched, he called out a couple of episodes. So I watched one all about nukes, nuclear bombs, and obviously nuclear weapons. Not necessarily a great thing. Right, Carole? Yeah. Wrong, Carole. Wrong, Carole. Apparently they're brilliant. What? They're not brilliant, exactly. Well, there are some benefits. Maybe we should just watch the show. There are some benefits. And the benefits are, for instance, how it pertains to the identification of fake art and how nukes have helped in terms of medicine and all these links. And there's another show. Nukes? Yeah, as in nuclear weapons. Yeah. Okay. And there's another one about excrement. And as Connor says, it's not a shit show. But it's brilliant about, apparently, for instance, Thames Water, the testing that's done on the Thames, is able to determine which day of the week it is by how much cocaine is present in the water supply. For real? We're definitely Sunday morning, kids. Anyway, this series of documentaries, they remind me a little bit of a brilliant 1970s BBC TV series hosted by James Burke called Connections. Have you ever seen Connections, Carole? I don't know. It was shown in the States on PBS. I'm sure they would have shown it in Canada. Oh, I was a PBS watcher. Right. And it was all about the different connections, different people, how they were connected, how, for instance, the opening of the Suez Canal directly links to the writing of the musical Aida and all sorts of things like this. Oh, yes, yes, yes, yes, yes. I recognise his face completely. You recognise his face? Yeah, I didn't know his name, but yeah. OK, do you think it was the name that gave that away, that gave you that idea?
Well, I think it's just a rip off of the name, to be honest. Obviously, I prefer Connections, the 1970s version more, but I still think a lot of people will enjoy Connected. You can find it on Netflix and it is my pick of the week.
Well, I think it sounds very cool, because I don't know Latif Nasser but I do love Radiolab, and last time I was listening they were repeating old shows, so I guess he's come on board, so I should go check it out. Excellent. What's your pick of the week this week, bro?
Oh god, did I go down a wormhole. Okay, so my pick of the week is, okay, surprise prize, a podcast, but the topic of the podcast is reality TV. It's a podcast called Unreal: A Critical History of Reality TV. I shared it with you earlier midweek. Did you have a nose? Did you?
I haven't had a listen yet to it, no. Okay, okay, well, it's hosted by two journalists, Pandora Sykes and Sirin Kale. Okay, both have journalistic chops and also they declare a love for reality TV from when they were pre-teens. Right. Oh, the first series of Big Brother was quite an event, wasn't it?
I think people coming into work bleary eyed, I didn't go to sleep because they would air it all night, didn't they?
First series where people didn't really know what they were doing, if they're taking part, it was more of a sort of scientific experiment. Later, it became all about people going on because they wanted to be famous. But I think the first series in the UK at least was really quite interesting
Yeah, but listening to this show you realize how many societally cringy moments we sat watching, right? Literally, it's too much to bear. They talk about one show, this is the one that I thought was just the most, it's called The Swan. Have you heard of The Swan? Oh.
Is that where they did cosmetic surgery on someone? Yep.
A reality show where an average-looking person would go and get serious surgery, go on extreme diets, you know, change everything, and come out not looking like an ugly duckling but a swan.
One of my favorite ones was called There's Something About Harry, I think it was, where they brought over a bunch of American women in their early 20s and they convinced them that this chap who they were meeting was actually Prince Harry and that Prince Harry was trying to find his bride. This was obviously a while ago before he met Meghan Markle, etc. And so they were all being duped. So gross. You know. Well, it was gross, but. Someone made that show that said, let's just dupe people and film everything because they signed their lives over because they think we're telling them the truth.
Another one. Sorry, I'm enjoying this too much. I saw another one where they took a bunch of people and they told them that they were gonna put them on a space shuttle flight, or the Russian shuttle, into orbit, and they went on astronaut training, and then they put them on a plane and flew around the UK for a while, landed them and pretended that they were in Russia. They changed all the signs and everything and made them think that they were gonna, fuck's sake, is obviously horrendous, but obviously most importantly it was entertaining. Look away. Yes.
Yeah, as long as it makes money for somebody. But yeah, so the swan was pretty gross. It was three months, so some of them would go through something like 10 surgeries. Oh, my God. That's horrible. They weren't allowed to have a family. They would only allow one brief phone call a week. They had to do therapy on TV as part of their contract. And if you were not open enough with your horror or your trauma, your points were against you. They would say you held back. And at the end, the swans come out after they do their pageant. There's a queen swan. It's just — anyway, it's just disgusting. And the worst thing with a lot of this surgery — you don't go on the show because you're loaded and can afford all this. Because you've got some, you know, and you're not good in yourself and you don't have a lot of cash. But there's things that need maintenance. So if you get your lips filled or you get a lot of Botox or shit like that, you need to go and maintain that stuff. Otherwise, it starts sagging. It doesn't work. And it's not like these people were being looked after by the show once they got kicked off. Anyway, fuck me. I don't know. And I'm watching it. I'm listening to this podcast going, how did we let this happen? It found it mind blowing.
Which country was this in? The States. I kind of guessed.
Yeah, but come on, the UK ones are pretty outrageous as well.
It does feel like the UK is just a few years behind. I mean, think of it, Love Island, X Factor, Pop Idol, Made in Chelsea. It's quite interesting because they interview creators and producers and contestants, and you kind of get this cross of what everyone experienced and why they were doing things. Excellent. Well, Carole, you've had a busy week. You've been chatting to the chaps at Bitwarden, I believe.
Carole: Yes, I spoke with Bitwarden's Max Power. And let's find out exactly how cool this Bitwarden Secrets Manager is. Listen up. All right, listeners, today we have Max Power, probably the person with the best name I've interviewed on this podcast. He is product lead for Bitwarden's Secrets Manager. Hi, Max. Thanks for coming on the show.
Max: Hi, thanks a lot for having me.
Carole: We've been trying to get together to do this for some time now, and I'm so glad we finally pulled it off.
Max: Absolutely. We had a couple of very busy weeks.
Carole: Yes, didn't we? Well, the password manager kingpin Bitwarden has a brand new product currently in its beta phase. And Max is going to give us the lowdown. But before we get to that, perhaps, Max, you can tell us a little bit about you and your current role at Bitwarden.
Max: Absolutely. I'm the product lead for the Secrets Manager. I've been working in various different product roles over the past couple of years, mostly for open source projects that were somehow related to dev tooling or cybersecurity. And for about one and a half years we have been working on the Secrets Manager, which is super exciting because it's a completely new product and there's a lot of new stuff we need to conceptualize.
Carole: I know, and it's got a great name as well. So maybe we should talk about that. So tell me, what is a secret in Bitwarden world?
Max: A secret can be pretty much anything. So for a lot of people, it may be confusing because a normal password is also a secret. But for the Secrets Manager, we're particularly talking about developer secrets. So that may be API keys or anything that is development related, such as database credentials and so on.
Carole: Right. Let's start with the pain points. So where would a product like this prove to be very useful in your mind? Use cases, maybe.
Max: So one of the key benefits of a secrets manager is that you're able to share secrets securely with other team members. So let's say, for instance, you are developing a product, you have multiple secrets, you have a Stripe API key, database credentials, and so on. And in order to operate securely and in order to collaborate securely, you need to share those secrets in some way with your team members. One of the current ways of doing it is that you set up an ENV file and share secrets via Slack or other unencrypted channels. And that's definitely not the ideal way of handling things. So one very common error is that ENV files are not added to a gitignore file and they accidentally get published to GitHub, maybe to a private repo. And then that private repo is open sourced later. This has happened in multiple instances, leading to really huge database leaks affecting some of the largest companies in the industry, amongst others Uber. But they had a very massive leak of their drivers' details. There are different reports, but GitGuardian, for instance, publishes a report and they mentioned that around 5 million credentials and other secrets get leaked on GitHub every year.
Carole: I think every single listener who has worked in an office has used an insecure way to share a sensitive piece of information with a colleague. Like from writing it on a piece of paper to sending it via text, maybe, or email, like we're all guilty of it. And so what you're offering is this tool that is super safe and allows employees to share information, particularly serious information related to infrastructure?
Max: Absolutely. And the infrastructure is protecting a lot of additional secrets, right? So it's the one secret to a holy grail of potential secrets. If your database gets leaked, there's much bigger damage than just one secret. So there's a big trail of secrets which need to be protected pretty well. The primary target group is definitely teams, like employees. But there may, of course, be use cases where you want to exchange secrets with third-party vendors. There might be some certificates you want to share in a secure way. This is not a primary use case for Secrets Manager, but definitely something that would be possible as well.
Carole: And do you have any kind of cool config options within this service that might allow it to lend itself to a specific environment better than others, for example?
Max: Generally speaking, we're building Secrets Manager to target as many use cases as possible, so we're trying to simplify building out various integrations and to cater to pretty much any sort of use case. We have the traditional use cases of development teams that are building a product. But we also have a lot of customers from the IoT and OT space. So, for instance, big factories that have a lot of robots. These robots need secure credentials as well. And the way we're building things is that we try to cater to all of these different use cases. So we have our SDK, currently built in Rust. We're working on other languages as well, which makes it easy for anyone to build stuff using Secrets Manager. And then we have our CLI, a completely revamped CLI, not based on the existing Bitwarden CLI, which also simplifies a lot of the processes.
Carole: You know, that was a little bit of a trick question on my part, because hallelujah, that is a simplified system that anyone can use, because it's really complicated when people add so many bells and whistles to different products to make it work for you, but it never works perfectly. And then no one else really understands your use case very well. So that's a good thing. How's the beta been going? So how long has the beta been going so far? And what have you learned from that?
Max: We launched the beta in March, and so far we have over 1,200 organizations that signed up, which is a very big number and much more than what we expected, actually. So we're very positively surprised by that. We have gathered a lot of really valuable feedback. We're aware of a lot of things that we still need to build. Luckily, our internal roadmap was very well aligned with what customers during beta requested, so a lot of the important requests that customers had were already in preparation and already being worked on, which is of course great, to get this confirmation and feedback. But of course we also got a lot of great ideas that weren't on our roadmap, and luckily with Bitwarden we have a super great, very supportive community of people that are contributing either with ideas or contributing actually to our open source repositories.
Carole: You have a really hard job, Max, because I've worked very closely at this level. And as I remember, you have to manage the ideas that go in and make sure when they go in that they work seamlessly and perfectly and don't blip out in any way. And of course, you've got deadlines from everybody. So it's fantastic if you're able to have the time and flexibility to really test everything. So I love hearing about a long beta phase. I think that's really good.
Max: Absolutely. I mean, one thing that is always our primary focus is security. So we don't publish anything without thorough testing, without third-party audits. Before we are sure that we would use it internally, we're not publishing anything. The beta is very useful in determining what features we should prioritize and also, for instance, determining what is the right pricing approach. So that was a very big question for us during beta as well, because a lot of the competitors in the landscape have super confusing pricing. That's also something where we wanted to add a little bit more simplification.
Carole: I love that. What kind of feedback have you received from some beta testers that makes you feel like we're really on the right track here? There's lots going on. So how long is your beta scheduled to last?
Max: We are planning to launch a general availability version in Q3, mid-July, most likely, yes. Yeah, there's still a couple of factors. There's always the question of how much additional functionality and features do we want to add before we launch general availability. There's still some debate about some minor features that would improve usability.
Carole: Of course.
Max: My personal approach is that it won't hurt to launch GA as long as we follow up with these features very shortly after, which is currently the plan. So there are a lot of features like additional SDK languages, additional integrations, improved documentation, and so on, which of course all takes quite a bit of time to build out. But whether we launch that a couple of weeks after we launch GA or before, it doesn't make a huge difference for users.
Carole: So are you still taking people in your beta? And I'm sure it's great for people to get a sneak peek at what you guys are working on.
Max: Definitely. I mean, that's also one of the beautiful things about Bitwarden, that our users can really drive the direction the product is taking. We're taking our user feedback for anything, also for Password Manager. User feedback is one of the most important things for us. And that is really one of these beautiful things about the general open source community, that we're listening to users and users are providing us with great feedback. So there's a very nice symbiosis.
Carole: Yeah, and you guys are the only open source password manager currently available at any scale. Is that right? That's a very important distinction. Yeah, but your main focus as well is to have serious tech, but overlay it with a really simple UI and usability to make everyone's lives a bit easier. Absolutely. I was thinking you had a name for an inspirational speaker and look, there's already someone out there with it. Have you seen this?
Max: No, I haven't seen that yet.
Carole: Well, there you go. Max'sIsland.com. You can go have fun and check that out. Thanks for coming on the show, Max. I appreciate it.
Well, that just about wraps up the show for this week. You can follow us on Twitter at Smash Insecurity. No G. And huge, huge thank you to this episode's sponsors, Centripetal, Kolide, and Bitwarden, and to our wonderful Patreon community. It's thanks to them all that this show is free.
Until next time, cheerio. Bye-bye. Bye. Good pick of the week, Carole. That sounds interesting.
It's freaking fascinating.
Talking of pick of the week, it's been pointed out to me that my pick of the week last week... Yes, I did find it. Which, you said, "this kind of rings a bell," you said. "Maybe I've seen it." Turns out it was your pick of the week back in February.
So you made a comment. Didn't you make a comment like, well, maybe I'm more with Netflix than you are these days? I don't know. Oh, and also not only have we both now recommended it, but on both episodes, Mark Stockley was our special guest. What?
Yeah. Yeah, I enjoyed it.
Good, well, good. Bye.
Bye.
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- Australian cyber-op attacked ISIL with the terrifying power of Rickrolling – The Register.
- “Breaking the code: Cyber Secrets Revealed” – ABC.
- Scam Alert: Woman tries helping injured bird, ends up losing Rs 1 lakh to cyber criminals – MSN News.
- Toll-free Hijack Alert (misdial scam) – AT&T.
- “Connected: the hidden science of everything” – Netflix.
- “Connections” with James Burke – YouTube.
- “I wanna marry Harry” reality show – Wikipedia.
- “Space cadets” reality show – Wikipedia.
- Unreal: A Critical History of Reality TV – Apple Podcasts.
- Famous Studios – Famous Studios website.
- Unreal: A Critical History of Reality TV – BBC Sounds.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Centripetal – Centripetal’s CleanINTERNET defends your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.