Smashing Security podcast #342: Royal family attacked, keyless car theft, and a deepfake Tom Hanks

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley
Is a deepfake Tom Hanks better than the real thing? Who has been attacking the British Royal Family’s website, and why? And how can you protect your vehicle from the spate of keyless car thefts?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Plus don’t miss our featured interview with Devo CISO Kayla Williams.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
You know, Graham, I've got to take you to task here because you have an issue with people like Piers Morgan, which, you know, I can sympathize with.
GRAHAM CLULEY
I'd run him over.
CAROLE THERIAULT
Right? But Tom Hanks has done nothing to you. You can just avoid him. He's done nothing. He's just a nice guy. Is he a nice guy? Maybe that's what threatens you.
Unknown
Is he? I don't know. Smashing Security, episode 342. Royal Family Attacked, Keyless Car Theft, and a Deepfake Tom Hanks with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 342. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined this week by a special guest, someone who's been on the show many, many, many, many, many times before. It is, of course, the one, the only Maria Varmazis.

Hi.
CAROLE THERIAULT
I'm glad you had to say it in an approximate Greek accent, I think. That was very nice.
GRAHAM CLULEY
I liked it. Hi.
MARIA VARMAZIS
Yasas.
GRAHAM CLULEY
Hi, everybody.
CAROLE THERIAULT
Welcome back. It's been a while.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
Welcome back.
MARIA VARMAZIS
Thank you. The badass space bitch has returned.
CAROLE THERIAULT
Do you have a t-shirt with that?
MARIA VARMAZIS
No, I should though. I really should.
CAROLE THERIAULT
I like that.
MARIA VARMAZIS
That feels right.
GRAHAM CLULEY
Not just a space bitch, but also you, well, both of you actually have been pickling some stickies lately, haven't you? Your other podcast is back in town.
MARIA VARMAZIS
Yeah, Sticky Flippin' Pickles.
CAROLE THERIAULT
Sticky Pickles, just in case people are trying to Google what it is. It's called Sticky Pickles. It is back.
MARIA VARMAZIS
It is back.
CAROLE THERIAULT
It is back indefinitely, and it's great fun.
GRAHAM CLULEY
So it's not security related necessarily. Definitely the most important.
MARIA VARMAZIS
Better not be. Yeah, sticky pickles. Although, should we kick this show off, people?
CAROLE THERIAULT
Actually, first, maybe we should thank this week's wonderful sponsors: Gigamon, Devo, and Hunters. It's their support that helps us give you this show for free.

Now coming up in today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be going deep, deep into threat actors.
CAROLE THERIAULT
Oh, okay. What about you, Maria?
MARIA VARMAZIS
A PSA on car hacking.
CAROLE THERIAULT
PSA on car hacking. I don't know what that means. And I'll be looking at a royal mess. Plus, we have a featured interview with Devo's very own CISO. I love how that sounds.

Kayla Williams. And we're going to talk about all things SOC with security analytics platform ransomware form, Devo.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, what is the worst Christmas movie of all time, in your humble opinion?
MARIA VARMAZIS
The worst?
GRAHAM CLULEY
The worst?
CAROLE THERIAULT
You don't really remember the worst?
GRAHAM CLULEY
Oh, I do.
MARIA VARMAZIS
There are a lot of bad ones.
CAROLE THERIAULT
Okay, come on, name one, name one, name one.
MARIA VARMAZIS
I was gonna say The Snowman, but I actually really love that film.
CAROLE THERIAULT
Yeah, I like The Snowman. I think if there were anything with the Chipmunks, I would not be a fan.
MARIA VARMAZIS
Yeah, anything Chipmunks, yeah, agreed.
GRAHAM CLULEY
Wasn't there a Star Wars Holiday Special as well or something?
MARIA VARMAZIS
One doesn't talk about the Star Wars Holiday Special. No, we don't talk about it.
GRAHAM CLULEY
The actual answer is The Polar Express.
KAYLA WILLIAMS
Oh, stop.
MARIA VARMAZIS
Oh no, no, no, I'm with you on that actually. Why?
CAROLE THERIAULT
That movie's awful.
MARIA VARMAZIS
Please.
CAROLE THERIAULT
I've seen it. It was all right.
GRAHAM CLULEY
Well, was it all right? Was it all right?
MARIA VARMAZIS
Everybody's kind of rubbery and Gumby-like.
GRAHAM CLULEY
Yes, exactly. Oh, Maria, absolutely correct. Came out in 2004, directed by Robert Zemeckis, who also did the Back to the Future movies, which we like. Yeah.
MARIA VARMAZIS
Yeah.
KAYLA WILLIAMS
Yeah.
GRAHAM CLULEY
Polar Express. Polar Express was this computer-animated fantasy movie about this kid making a magical train journey to the North Pole to meet Father Christmas.

And what makes it bad is the uncanny valley. It's a grotesque horror is the reality about The Polar Express, because it's going to give kids nightmares if they watch.

In fact, as an adult, it's going to give you the creeps because you're watching this dead-eyed animated train conductor with the voice of Tom Hanks.
CAROLE THERIAULT
Yeah. Yeah.
GRAHAM CLULEY
And it's creepy. It is creepy.
CAROLE THERIAULT
I have seen this. I don't remember it. I wouldn't say it's a great film or anything, but—
MARIA VARMAZIS
Your mind blocked it out. The trauma just said no.
GRAHAM CLULEY
It is traumatic. Tom Hanks, he earned $40 million. That's all? No, it wasn't all. He earned $40 million for providing the voice of various characters in the movie.

And he also said, you know what? I want an extra 20% of the gross takings.
MARIA VARMAZIS
Smart man.
GRAHAM CLULEY
In all. I think this is the way he often does it, actually. He takes a lump sum, but also gets some more as well if it's a success.
CAROLE THERIAULT
Tom, you may want to come on Smashing Security because we get paid a lot better than that over here.
GRAHAM CLULEY
Oh yeah.
MARIA VARMAZIS
Oh, easy peasy.
GRAHAM CLULEY
Easy peasy. Yep. He earned in total over $100 million for that movie. And there's been plenty of other movies where he's done the same as well.
MARIA VARMAZIS
And—
CAROLE THERIAULT
Man, that movie.
GRAHAM CLULEY
Just for doing a bit of voice work. Just for, you know, doing a bit.
MARIA VARMAZIS
And he's kind of shouty in the movie too. Is that my imagination? I remember him being very shouty. And I was sort of like, yo, Tom Hanks, just back off. Yeah, I don't know.
CAROLE THERIAULT
I can say Graham did not research the story properly by watching the film. I assure you of that.
GRAHAM CLULEY
I have seen part of the movie before, then I realized it was Tom Hanks and turned it off. And that's my general approach on—
CAROLE THERIAULT
Yeah, you have a Tom—
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
I've got a Tom problem.
MARIA VARMAZIS
You're not a fan of Tom Hanks, of America's Uncle?
GRAHAM CLULEY
No, I'm not a fan of Tom Hanks, no. Oh, really? I have a problem.
MARIA VARMAZIS
I have, I have.
GRAHAM CLULEY
Some kind of problem, frankly, when it comes to Tom Hanks. There's something which just simply stops.
CAROLE THERIAULT
Do you mean Cary Grant as well?
GRAHAM CLULEY
No.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Cary Grant's great.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Jimmy Stewart.
CAROLE THERIAULT
He's all right. All right.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
Yeah. I love them.
GRAHAM CLULEY
Love them. Anyway, so you would think after Tom Hanks earned all that money from The Polar Express, that he'd be absolutely fine with people creating animated versions of himself.

But no, he's not happy. He's not happy. He's a big grumpy. He's a grumpy man sitting on top of hundreds of millions of dollars.
CAROLE THERIAULT
Tell me how he feels, because you're closest to him in terms of that.
GRAHAM CLULEY
I am. I am. In terms of age.
CAROLE THERIAULT
And also, you know, deportment. Deportment.
GRAHAM CLULEY
Right.
MARIA VARMAZIS
You look the most like Tom Hanks of the three of us.
GRAHAM CLULEY
How dare you? There's something about Tom Hanks. I'm sorry if there are any Tom Hanks fans out there.
CAROLE THERIAULT
Yeah, there's not going to be one in the thousands and thousands and thousands of listeners we have.
GRAHAM CLULEY
There's not one. There's something about him. I don't want to encourage violence, especially against someone who Trump would— Oh, okay, Trump.
MARIA VARMAZIS
But—
GRAHAM CLULEY
Geez.
MARIA VARMAZIS
Wow, shit just got real. All right.
GRAHAM CLULEY
Anyway, Tom Hanks has just warned his 9.5 million Instagram followers. Who's doing that? Who's following Tom Hanks on Instagram?

I have the one, but anyway— I'm sure loads of people are.
CAROLE THERIAULT
People follow you, don't they? Apparently 9.5 million people. Yeah. How many do you have on Instagram?
GRAHAM CLULEY
Not as many as 9.5 million.
MARIA VARMAZIS
No, not as many. It's very generous.
GRAHAM CLULEY
It's comparable. Tom Hanks has told everyone, he says, there's, you may have seen an advert, which is using my face. But it's not me who's promoting this dental plan, he says.

There's a video out there promoting some kind of dental plan, he says. And they are using— Dental plan? They are using an AI version of me.

And he says, I've got nothing to do with it.
CAROLE THERIAULT
He does have nice chompers, though.
GRAHAM CLULEY
He'd probably been getting 20% of the proceeds, I expect. That's what he's grumpy about.

Anyway, so Tom Hanks, despite appearing in The Polar Express and ruining many children's Christmas and some adults as well.
MARIA VARMAZIS
Some other parents. Yes, yes.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
I'm sorry, listeners.
GRAHAM CLULEY
He's got an issue with this. And it's not the first time he's had a bit of a whinge about the wonder of artificial intelligence. Earlier this year, he was on the Adam Buxton podcast.

I quite like Adam Buxton. I don't know why he invited Tom Hanks on, but anyway, he was on the Adam Buxton podcast and he said that AI could be used to extend the careers of actors.

Here's what Tom Hanks said. I can't do a Tom Hanks impression.
CAROLE THERIAULT
Thank God.
MARIA VARMAZIS
You could use AI for this though.
CAROLE THERIAULT
Yeah, you need some acting skills to be able to do that.
GRAHAM CLULEY
'Anybody can now recreate themselves at any age they are by way of AI or deepfake technology,' he said. 'I could be hit by a bus tomorrow, and that's it.

But performances can go on and on and on and on.' And I thought—
CAROLE THERIAULT
That's not exactly an endorsement of AI.
MARIA VARMAZIS
No, I don't think it was meant as one. Yeah.
GRAHAM CLULEY
I thought that was a terrible thought. The thought that his performances could go on and on and on and on. Even if I do get a job as a bus driver and one day run him over.
CAROLE THERIAULT
You know, Graham, I've got to take you to task here because you have an issue with people like Piers Morgan, which, you know, I can sympathize with.
GRAHAM CLULEY
I'd run him over.
CAROLE THERIAULT
Right? But Tom Hanks has done nothing to you. You can just avoid him. He's done nothing. He's done— he's just a nice guy.
GRAHAM CLULEY
Is he a nice guy?
CAROLE THERIAULT
Maybe that's what threatens you.
GRAHAM CLULEY
Is he? I don't know. It's a bit like saying, is Carole Theriault a nice guy? I don't know. I mean, a lot of people—
CAROLE THERIAULT
I don't think she is.
GRAHAM CLULEY
I'm not sure. Is she or isn't she? I don't know. I don't know.
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
In this, in this country, kind of new reality we live in. I just don't know. I don't know what to believe anymore. All I know—
MARIA VARMAZIS
He's a deepfake all the way down.
GRAHAM CLULEY
So all his fakery goes deep is what I'm saying. Because I saw his Oscar acceptance speech all those years ago when he gets all emotional, a bit like Gwyneth Paltrow.

And I think, oh, come on, this is just too much.
CAROLE THERIAULT
Was this for Philadelphia?
GRAHAM CLULEY
I can't remember.
CAROLE THERIAULT
That cheery, cheery movie about AIDS?
GRAHAM CLULEY
Well, look, don't make me feel bad because it was a worthy movie.
CAROLE THERIAULT
I think he just needs to step off a little bit. It's just a little bit too cray-cray.
GRAHAM CLULEY
Let's move on from Thom Hanks. Let's go on.
CAROLE THERIAULT
Let's do that.
GRAHAM CLULEY
To Robin Williams. Now—
CAROLE THERIAULT
You better not have a problem with Robin Williams. Just saying.
GRAHAM CLULEY
Okay, look, listen, Zelda Williams, who's the daughter of Robin Williams, she's posted on Instagram in the last week that deepfakes are at their very best a poor facsimile of greater people.

And she says, at worst, they are a horrendous Frankensteinian monster. I think she could just say Frankenstein monster.

Cobbled together from the worst bits of everything this industry is. And I thought, hmm, interesting. The worst bits of the movie industry.

That would be things like Flubber, I expect, from Robin Williams. And some of those—
MARIA VARMAZIS
Listen, the man's dead.
CAROLE THERIAULT
Can you leave him alone?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Well, no. He was funnier than you. I'm sorry.
MARIA VARMAZIS
Everybody has flops. It happens.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So there's lots of stars, as we know, who are getting upset about the use of AI and deepfakery. Last month, there were reports.

I think The Telegraph reported that Bruce Willis had sold his face. Not Nicolas Cage and John Travolta swapped faces. Face Off.

But apparently they reported that Bruce Willis had sold his face to a deepfake company called Deep Cake, which is a great name.
CAROLE THERIAULT
And that's really hard because he's not well, right?
GRAHAM CLULEY
Well, he's not well. Anyway, it's been denied. Apparently Bruce hasn't sold his face. So that's good.

But he has recently done an advert with Deep Cake, which uses a deepfake for him for a Russian telecoms company.

So he is doing a bit of acting, as it were, without actually having to do anything because they're just using the— James Earl Jones, the great James Earl Jones.
CAROLE THERIAULT
Oh, we like him.
MARIA VARMAZIS
We like this guy.
GRAHAM CLULEY
Okay. We like him because he did Darth Vader's voice.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Apparently he's retired now, but they're using tech to keep doing Vader's voice alive and making him sound younger because he obviously is.

Did you see him in that episode of The Big Bang Theory? James Earl Jones. Anyway. No.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
Didn't miss much. So what's clear is that actors really care about this, right? Tom Hanks, who's the governor, he's the Godfather, he cares about this.

And the current Screen Actors Guild strike, that is in part, not entirely, but in part about the dangers of new technologies AI, digital recreation, leaving them out of pocket.

And I have sympathy for that.

I have sympathy for that because all of us potentially, if there were, for instance, 342 hours worth of me just prattling away into a microphone, or maybe you, Carole, as well.
CAROLE THERIAULT
I don't prattle.
MARIA VARMAZIS
Who would listen to that though? Honestly.
GRAHAM CLULEY
Who would? They could potentially create new content and that could be used to make all kinds of money for dental plans and things like this. What sucks— So I wondered—
CAROLE THERIAULT
Can I just say, sorry, I'm just interrupting for a sec, but what I think really sucks about this is, okay, so there's some people out there doing deepfakes that are not approved, right?
MARIA VARMAZIS
And then deep—
CAROLE THERIAULT
But the way in which you handle it right now is by having to get involved in the foray and actually call attention to it and say, you know that thing that you might have seen, but maybe you didn't, but you might go look for it now, but it's not me, but it looks like me, but it's not me, just letting you know.
GRAHAM CLULEY
And that means the media is then gonna write about it if you're famous like Tom Hanks.
CAROLE THERIAULT
And you then cover it on the show, yeah.
GRAHAM CLULEY
Exactly, and people will replay that fake dental ad or whatever it is that uses the AI, giving that particular promotion even more oxygen, right?
MARIA VARMAZIS
It's the Streisand effect.
CAROLE THERIAULT
Thank you very much, Graham.
GRAHAM CLULEY
Yeah, no one could fake— no one could fake Barbra Streisand.
MARIA VARMAZIS
I'm sure someone has tried that.
GRAHAM CLULEY
I love Barbra.
MARIA VARMAZIS
You hate Tom but you love Barbra? Okay. I mean, Barbra's great, don't get me wrong, but yeah, it's a consent issue, is it not?

I mean, really, if Bruce Willis's face— yeah, I mean, yeah, right? It's just a basic thing.

If you say it's okay for you to do it for this one instance, then fine, but if you do it without the other person's permission, you're just stealing someone's essence.

I mean, you're putting words in their mouth, literally you're making their fake mouth say the fake words. Who wants that? Nobody. I mean, that's just creepy.
CAROLE THERIAULT
You got your AI hand up their butt and making them spout out garbage like a little puppet. That's what you're doing.
GRAHAM CLULEY
It sucks.
MARIA VARMAZIS
Beyond the Black Mirror episode. My God, it's creepy beyond all hell. It's gross.
GRAHAM CLULEY
So I'm not sure what the answer is to this, but obviously AI and deepfakes lots of people are talking about it.

So there will be technology companies who are now claiming that they've got the solution. I've seen companies saying what we need to do is proactively tag real genuine content.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Probably involving the blockchain, I'm guessing, as well. They'll introduce that in some way.
CAROLE THERIAULT
Oh boy.
MARIA VARMAZIS
That's okay.
GRAHAM CLULEY
Yep. Maybe. Or maybe the things which generate deepfake, they could embed some sort of signature. But again, people are going to get round this, aren't they?

I can't see how this is going to— Simply detecting it after the fact isn't gonna be strong enough because deepfakes are gonna get more and more convincing and so forth.
MARIA VARMAZIS
I know some chipmakers are working on that, having real-time deepfake and AI video detection capabilities. It's a thing that many of them are trying to do for this reason.

But I'm just thinking, I'm gonna flip the coin 'cause I completely understand why the actors don't want this and I wouldn't want it either.

I'm thinking of a situation where there's this podcast I listen to sometimes called Doodsie where it's two comedians.

I'm not gonna bother naming them 'cause either you know, you don't, that use AI and they're very explicit about the fact that they are using AI to write these crazy episodes that they are sort of reacting to.

And they actually had AI Tom Hanks, video and audio of AI Tom Hanks saying this crazy pitch for a fake movie like Ghost Train or something really ridiculous.

And it's hilarious because it's obviously a fake version of Tom Hanks. They're very upfront about the fact, hey, this is fake, this is not real, this is AI.

And for that, it's really funny.
CAROLE THERIAULT
But if it were you, if it were my face being used without my consent to do something super funny in my voice that I didn't—
GRAHAM CLULEY
We would be able to detect it was a deepfake in your case overall if it was being really funny.
MARIA VARMAZIS
Wow.
GRAHAM CLULEY
I think—
CAROLE THERIAULT
I know, and I'm in the same camp, I think, as Tom Hanks at the moment.
MARIA VARMAZIS
Yeah, he's so famous. People have been doing this since before AI, you know, impressions.
CAROLE THERIAULT
And granted, he got $40 million, right, for a job that I'm sure is easier than, you know, packing fruit every day, you know, for 12 hours every day.
MARIA VARMAZIS
So those are your only options.
CAROLE THERIAULT
No, I'm just saying it's a lot of money. Don't you think it's a sexy amount of change for the work? Does that mean we own him completely? That's the correct question.
MARIA VARMAZIS
No. Yeah, no, no, no, definitely not.

So yeah, it is a consent thing in the end, but I'm just thinking of that random podcast where I'm making sure everyone knows that it's fake, but it is an AI version of him.

So I don't know, does that make it okay?
GRAHAM CLULEY
I want to know what dental company chooses Tom Hanks.
CAROLE THERIAULT
He's got great gnashers.
GRAHAM CLULEY
We talked about that.
MARIA VARMAZIS
Does he? Yes. The best Hollywood can buy. See this Instagram thing. It looks like him from 30 years ago though.
GRAHAM CLULEY
Oh yeah, they de-aged him as well. They de-aged him.
MARIA VARMAZIS
That's almost weirder. It's like, where did this come from?
CAROLE THERIAULT
And I love that he has to go, "Hey guys, that's not me, by the way." I didn't record this dental plan ad when the internet didn't exist.
GRAHAM CLULEY
Maria, what's your story for us this week?
MARIA VARMAZIS
Well, mine is a bit of a PSA or a public service announcement for our listeners today about a thing that I didn't really know existed or didn't take terribly seriously.

So I'll sort of walk you through my thought process on this. So what do you both think of when you hear the phrase "What is car hacking?"
GRAHAM CLULEY
Oh, normally I imagine Charlie Miller maybe hacking into a vehicle as it goes down the highway and hijacking its radio or its steering or something.

Something a little bit dangerous.
MARIA VARMAZIS
Something like that. Yes.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
Something maybe with Wi-Fi or something like that. What about you, Carole?
CAROLE THERIAULT
Yeah, no, I don't know a lot because I have an old car, right? So I just don't really know a lot about modern fangled stuff.
GRAHAM CLULEY
Carole's got an old car, so it's got a crank at the front and a man running in front of it with a red flag.
MARIA VARMAZIS
And every 30 feet you have to get out and re-crank it.

Oh, when I was hearing the phrase "car hacking," I was thinking it was something basically Wi-Fi-enabled cars, or Graham, sort of along the lines of what you were saying.

But I saw something on X, formerly known as Twitter, and it showed a video of a car being stolen from someone's driveway, and it took just moments, and I was sort of "what the heck is going on here?" So I wanted to read up about it.

So it basically— that one form of car hacking that's really on the rise has been over the past few years, it involves keyless entry systems. So those little key fobs.

And Carole, you sort of mentioned this. So since you don't have a newer car, I don't know if you know how these work.
CAROLE THERIAULT
No, no, explain it to me. Explain it to me. I'm gonna—
MARIA VARMAZIS
I'm gonna ladiesplain it a little bit. So the new keyless entry systems that cars have where you basically don't need to take your key out of your pocket or your purse or whatever.

You just walk up to your car, press a little button, and the car unlocks just by being in proximity to your car with the key.

Well, attackers figured out that's a kind of nifty little attack surface, and maybe we can use it to our advantage to steal a car.

Because essentially, the car and those little keyless entry system key fobs are always talking to each other — even when you're not pressing a button, they're still sort of engaging with each other.
CAROLE THERIAULT
"Are you there? Are you there?"
MARIA VARMAZIS
"Are you there? Are you there?" Yeah, essentially, yeah, they're checking for each other all the time. So, okay, second question for you both. Where do you keep your car keys?
GRAHAM CLULEY
Well, I need my car keys in order to start the car.
MARIA VARMAZIS
Because I want to steal them right away, right?
CAROLE THERIAULT
That's how old school I am.
GRAHAM CLULEY
So Maria, I haven't had my car stolen this way. My ex-wife has had her car stolen through this method.
MARIA VARMAZIS
Oh my God.
GRAHAM CLULEY
And as a result, I keep my car keys in a little box, which is basically a Faraday cage.

It stops the device communicating with the outside world, because this is a genuine, really serious problem. So I always put my car keys in one of those.
MARIA VARMAZIS
I didn't know this was a thing. And so essentially, so I'm going to be telling you stuff that you already know, but maybe our listeners don't know.
GRAHAM CLULEY
That's right. I'll act dumb — I'll pretend I don't.
MARIA VARMAZIS
Pretend you didn't know about any of this. Yeah, this is keyless car theft, or relay attacks is apparently the more formal name. There's a couple of different names for this.

It's becoming very popular, very popular way to steal cars. And apparently in the UK it's especially popular, so I was noticing that when I was doing the research on this.
MARIA VARMAZIS
Seems in the UK this is happening a lot. The UK National Police Chiefs Council says it's been on the rise last several years — they've been doing a lot of studies about it.

Less is known in the US. Essentially the car manufacturers know it's a thing, but I don't think anyone's tracking it aside from AAA.
MARIA VARMAZIS
But I couldn't find any numbers — maybe listeners will find it.

But essentially, if you keep your car keys on a hook near your front door, or maybe on a hook near your garage, or on a table near a door or an external wall, that can sort of be a way for a car thief to sort of hijack the signal.

It's an easy way for them to hijack the signal because the key is so close to where they are standing.

So let me walk you through how the attack actually works — it's kind of fun to look at, not so fun to be the receiving end of it, though.
MARIA VARMAZIS
They use this thing called a frame antenna, and it's super basic. It looks kind of like a square coat hanger.

And the criminal stands outside your front door where they think your key is — in many cases it's a good bet — and they nab the signal from the car key fob that's continuously talking to the car.

And then they've got a second friend who's standing near the car holding a portable device, and then that second friend can then receive the signal from the first guy, unlock the car, and then use that device to start the ignition and drive the car away.
GRAHAM CLULEY
That's exactly it.
MARIA VARMAZIS
Yeah, so there's no smashed glass left on your driveway the next morning. There's no car alarms to go off.

All you know when you wake up next morning is your keys are exactly where you left them. You had definitely locked your car, but your car's just gone.
CAROLE THERIAULT
And then everyone's like, "Did you really lock your car?"
MARIA VARMAZIS
"Are you sure?"
CAROLE THERIAULT
And you're like, I saw— come to percent sure.
GRAHAM CLULEY
Yep.
MARIA VARMAZIS
And you call the police and they ask you that question and they're like, well, there's no evidence of a crime or whatever. And you're just like, what the hell is going on here?
CAROLE THERIAULT
Right, Graham? That's how you guys felt, I'm guessing.
GRAHAM CLULEY
Yeah. It didn't happen on my watch, can I stress? But so happened to my ex-wife. But obviously, you know, she was very shocked by what happened. And it is so easy to do.

And it is very common, at least here in the UK it is. And people are typically stealing cars to order or high-value cars. So she had quite an expensive car, which is what they stole.

And it is as though someone has walked up to a car with the keys in their pocket because it's relaying the signal from the key, which is still inside your house when it happens.

And that's why I keep my key in one of these little special boxes to prevent this attack from working.
CAROLE THERIAULT
Would you buy it online or something?
GRAHAM CLULEY
You can buy them online or you can buy them at shops and you can test that they actually work because you can put your keys inside the box, then walk up to your car with the box.

And if your car won't open until you open the box, then you know that the box works.
MARIA VARMAZIS
Ah, that's a very good way to test it. Yeah, because apparently earlier this year on everyone's favourite social media channel, TikTok, there was a viral car theft challenge.

Oh my goodness. Teaching people how to actually steal cars with this relay attack method.

And if you want to buy the kit online for basically the frame antenna, it's 80 pounds, $100, right? So not expensive.

And the range that these antennas can usually pick up the key fobs from is 5 to 20 meters. So it's actually, that's more than I would have thought.

So I was thinking, man, even if your key's not by the front door, it's 60 feet. Your keys can be pretty far into your house and they could potentially find the signal.

And the UK car security company Tracker said 92% of cars that recovered last year were taken without using the keys.

So I'm not saying it's all with this attack, but this is the problem with this country because very few villages have driveways, right?
CAROLE THERIAULT
Their houses are right on the roads with a tiny front garden. So we're— No wonder it's going rife here.

In the States, at least a lot of people live in the, you know, have a bit of front lawn to give them some distance.
MARIA VARMAZIS
Well, people just walk up to people's cars and driveways, even in the US. I've seen videos of it here. They'll just walk up at night when people are sleeping.
GRAHAM CLULEY
I think the real problem here is the car companies. Because why do we have this keyless entry to vehicles?

Why, when I walk up to my car, if I've got my keys in my pocket, why does my car start to unlock? And expect me just to press a button?

Why isn't it that I have to press a button on the actual key for it to send the signal to communicate with the car to unlock it?
CAROLE THERIAULT
Well, that's how it worked when my car was alive and remains alive.
GRAHAM CLULEY
Yeah, yeah, yeah. With your car, absolutely. But what they've done is they've introduced this feature and there's no way to turn the bloody thing off.

Because I, for security reasons, would like to turn that off in my car so that I don't have keyless entry.
MARIA VARMAZIS
Of course.
GRAHAM CLULEY
I want to be— They have to press the button or something.
CAROLE THERIAULT
And they have no other option. They don't have a dumb option.
MARIA VARMAZIS
No. And for several years now, because apparently this started really becoming an issue at the beginning of the pandemic, and it's only gotten worse.

Apparently, several trade groups have written to the car manufacturers, and they've responded, the manufacturers, saying we're aware of the issue, and haven't really promised any action necessarily.

Although, as far as I know, Ford has said that its newer models are going to have the option to put the car into sleep mode.

So essentially to toggle this off, but it sounds like it's not always off. I don't really understand what the sleep mode necessarily, how sustained that is, but it is an option.

But a lot of the other ones are kind of well, the convenience of being able to unlock your car easily without having to rustle your things out of your bag is worth it for our customers.

So when I was trying to figure out what I should do about this, 'cause my cars are very close to the front of my house, I live in a small house. Small driveway, 20 meters.
CAROLE THERIAULT
Same, same.
MARIA VARMAZIS
Yeah, that's basically the extent of my home. So anywhere I put a key is not going to be terribly safe. I was reading the suggestions online.

Some people were saying put it in a Mylar bag, which I don't think Mylar is really the solution there, but maybe people are like, it's shiny, so that will do it.

A lot of preppers really love wrapping things in tin foil as their favorite Faraday cage, or lining a shoebox with tin foil completely.

I've heard that as a homemade Faraday cage in the prepper community. I've always thought that was funny, but that doesn't really work either.

Another suggestion was to put your car keys in the refrigerator.
CAROLE THERIAULT
Oh, that's not— that's not dumb, actually.
MARIA VARMAZIS
It's not. I'm just—
CAROLE THERIAULT
I would never—
MARIA VARMAZIS
I would forget they're in there, and I'd be like, it's next to the lettuce.
CAROLE THERIAULT
I know, you have to pick them up.
MARIA VARMAZIS
Yeah, cold keys, everybody's favorite, especially winter.

My favorite is put it in a cookie tin, a little metal cookie tin, which historically was what grandmothers would put sewing supplies in.

So I'm just imagining kids looking at the cookie tin and going, "Oh, there's cookies!" And instead of it being sewing supplies.
CAROLE THERIAULT
Yeah, an old dictionary, you could dig out the middle and—
GRAHAM CLULEY
You can do that. Is that gonna stop— I mean, that's the thing. Whatever you choose, you've got to test that it properly works.
MARIA VARMAZIS
Yep.
GRAHAM CLULEY
And also you've got to make it easy enough that you don't have to always remember, "Oh, gotta get some more tinfoil and wrap it up," because you won't.

So I think just buy yourself a little box and put it somewhere convenient. And just make it a habit of always putting your key in there.
CAROLE THERIAULT
Good advice.
MARIA VARMAZIS
Yeah, they sell Faraday pouches or wallets that you can use. So they're available.

But you can also just keep— if you have a larger property, I suppose you could keep your car keys away from a front door, especially if your front door is near your car.

I don't know if that'll actually help, but that is an option.
GRAHAM CLULEY
Let the air out of your tyres, maybe. There'd be another suggestion.
MARIA VARMAZIS
I've actually read suggestions of literally putting a metal boot on your car when you park it. Oh, clamp it. Yeah, yeah, yeah.
GRAHAM CLULEY
Clamp it. Yeah, yeah.
MARIA VARMAZIS
Literally just make it impossible.
GRAHAM CLULEY
Not inconvenient at all.
CAROLE THERIAULT
I used to have a wheel clamp, a steering wheel clamp. It was a massive thing.
MARIA VARMAZIS
Oh, the club.
CAROLE THERIAULT
Yeah. And I used to have a little fast nippy car for a little while. And yeah, anyway, it was a pain in the ass to use, but no one stole it. I did use it all the time.
MARIA VARMAZIS
I also had a club in the '90s. I drove a little shitbox and that was the only way it never got stolen.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Yup, yup.
MARIA VARMAZIS
Well, FYI for listeners, I didn't know about any of this, so I hope it helps somebody not get their car—
CAROLE THERIAULT
Great story—
MARIA VARMAZIS
Not have their car get stolen.
GRAHAM CLULEY
That is a terrific PSA. Well done.
CAROLE THERIAULT
I thought you were talking about a prostate exam. That's what she said. That's what I did. That's why I was all confused at the beginning when she gave her title. PSA on that.

I'm like, what do prostates have to do with anything? This show's insane. No, it's just me.
MARIA VARMAZIS
That feels like a challenge for next time I'm on. I have to make a prostate-related story. I'm not doing that though. I'm not.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Do you remember, of course you will remember, the old days when we used to talk about DoS attacks or denial of service attacks or distributed denial of service attacks?

And this is typically when an unauthorized third party or a baddie dings a website over and over and over and over again, you know, effectively flooding the server so it can't deliver actual content to actual visitors.
MARIA VARMAZIS
Yes. Graham, I think you had a really great way of describing that back in the day of 15 fat men going through a rotating door or something at once.
GRAHAM CLULEY
I think I changed it to hippopotamuses because I didn't want to upset anyone who was large.
MARIA VARMAZIS
It was a very good explainer.
CAROLE THERIAULT
That's perfect. So everything gets squeezed and nothing gets in or out and it's a big old mess. And there are a few better known DDoS attacks.

Do you guys remember the February 2020 attack reported by Amazon Web Services, AWS?
GRAHAM CLULEY
Ah, this was the attack on Dyn, the DNS service or something, was it?
CAROLE THERIAULT
No, no, Dyn's another one. That was another one. Yeah, that was in 2016.

No, this one was known because at its peak, this attack saw incoming traffic at the rate of 2.3 terabits per second. Wow. Now, I have some unreliable visual from Quora.

So this poster claimed to have worked out what a terabyte is in terms of Webster's Dictionaries. Okay.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Okay. So he says 100 Webster's Dictionaries would fill a gigabyte and 100,000 would fill a single terabyte.

And assuming a dictionary is 5 centimeters thick, 100,000 of them would make the stack approximately 5 kilometers high and weigh 250 metric tons. Dictionaries, paper dictionaries.
GRAHAM CLULEY
It's kind of beautiful though. If you were to put badgers on top of each other, how high would that clump of badgers be?
CAROLE THERIAULT
I think that would probably be about similar.
MARIA VARMAZIS
Crystal clear. Crystal clear, yes.
GRAHAM CLULEY
Okay, I think now everyone understands just that this is a big deal is what you're saying, yeah.
CAROLE THERIAULT
And then you were mentioning the DDoS attack. Do you remember it, Graham? What can you tell us about it?
GRAHAM CLULEY
It was a big DDoS attack against lots of websites. Wasn't it the one which exploited IoT devices? Yes.
CAROLE THERIAULT
Right. Mirai, exactly. So the cameras, smart TVs, radios, printers, even baby monitors, they were compromised.

And then these devices were all programmed to send requests to a single victim.

So all the big sites got affected: Airbnb, Netflix, PayPal, Visa, Amazon, New York Times, Reddit, GitHub, on and on and on.

And basically, these types of DDoS attacks, at heart, are about rendering a website or service useless, which is the exact opposite of the attacks we see today, where someone's trying to sneak in and take loads of stuff away from you that you own, right?

But there are occasionally motivations for taking down a website, right?

What motivations come to mind if I told you that earlier this week, the Royal Family in the UK, their website was taken down?
GRAHAM CLULEY
Was it Harry and Meghan who did it? Was it them who attacked the Royal Family?
CAROLE THERIAULT
Tom Hanks was probably in on it as well.
MARIA VARMAZIS
Yeah, probably. That would figure.
CAROLE THERIAULT
No, no, it turned out there was a distributed denial of service attack targeted at the royal family, flooding the online service with an overflow of, well, fake users, if you want, or fake pings.

And why would anyone want to do that to ready King Charles and plucky Camilla?
GRAHAM CLULEY
Why would anyone be going to the royal family's website anyway?
CAROLE THERIAULT
Can you go there now? Okay.
MARIA VARMAZIS
Yeah. What do they have?
CAROLE THERIAULT
I actually didn't even go and visit the website, which is outrageous. So it's royal.uk. Royal.uk. Which I didn't even know.
MARIA VARMAZIS
Ooh. Nice URL. It's behind Cloudflare. Cloudflare. Yeah, I just got that too.
GRAHAM CLULEY
They must have turned that on. Yes.
CAROLE THERIAULT
Good on. Yeah, maybe they hit it real quick.
GRAHAM CLULEY
Well, you can just turn it on if you're suffering an attack. That's true. So maybe they did that. Anyways, there's some lovely pictures there of the King and Queen Camilla.
MARIA VARMAZIS
Their website's very nice and responsive. Nice design. They put some money into this.
GRAHAM CLULEY
Yes. Some press releases. So a state visit by the President of the Republic of Korea. Excellent. South Korea, I imagine. Excellent. Good, good.
CAROLE THERIAULT
Anything about France?
MARIA VARMAZIS
France, yes. State visit to France. Yes.
GRAHAM CLULEY
They did a visit to France.
CAROLE THERIAULT
Yes. Keep that page. Keep that page. We're going to come back to that. We're going to come back to that.
GRAHAM CLULEY
Okay. There's a picture of President Macron and his old drama teacher there. That's right. Who's— yes.
MARIA VARMAZIS
Kind of a terrifying photo of her.
CAROLE THERIAULT
Anyway, so someone claimed responsibility for the attack, and they go by the name of Killnet. Does that ring any bells? Killnet?

Killnet reportedly heads up the Killnet group, a group that seems to have pretty close ties to Russian political agendas. Okay, yep.

So according to the Five Eyes intelligence network— that's, you know, agencies in Canada, Australia, New Zealand, US, UK— they warned last year that Killnet was one of several hacker groups that had pledged to support Russia and threatened to attack anyone who attacked Russia or supported Ukraine.

These are the guys that attacked the Eurovision Song Contest last year. Do you remember that? Because they were in an attempt to stop Ukraine winning.
MARIA VARMAZIS
Oh yeah, that day will go down in infamy. Yes, yes.
CAROLE THERIAULT
So why would the royal family website royal.uk be taken down last Sunday morning? Turns out just days after King Charles condemned the invasion of Ukraine, the site was taken down.

See, King Charles, in what some are calling a wholly unprecedented move, dished some strong words speaking out against Russia's invasion of Ukraine during his landmark speech in the French Senate last Thursday morning, mere days before the royal family's website was targeted.
GRAHAM CLULEY
Okay. How scandalous of him to have an opinion and to express it.
CAROLE THERIAULT
He described the war as horrifying.

King Charles was also reported as saying Ukraine must win its war, and invoked the unity of Britain and de Gaulle's Free French movement in the Second World War as an example of the need to stand together against unprovoked aggression on our continent.

Oh, I was like, what are you doing? Because I guess I'm used to the Queen's cool head. His mom had a cool head. You're the only true Brit here, Graham.
GRAHAM CLULEY
What do you think? Well, I think we need to modernize the royal family. And if that— what he said doesn't seem controversial to me. It seems quite legitimate.

I mean, you wouldn't— you would expect the head of state to probably have that point of view regarding the war in Ukraine. I'd be more surprised if he went the other way.
MARIA VARMAZIS
Yeah. Goodness.
GRAHAM CLULEY
You were surprised that he had an opinion or that he expressed an opinion. I was surprised that—
CAROLE THERIAULT
No, no, of course I'm not surprised he has an opinion. I'm surprised that he vocalized it. Yes. And in the way that he did.
GRAHAM CLULEY
I guess it sets a precedent and maybe we're going to hear more outpourings of opinions from Charles in the future about other countries too.
MARIA VARMAZIS
I'm reading his— I mean, maybe there was some other statement that he made, but I'm reading his speech and he mentions Ukraine in light passing.

It's not like he went on and on about it. But he did enough to upset this Killnet group.
CAROLE THERIAULT
So what a lame thing to do.
MARIA VARMAZIS
It's not even, okay, yeah, you DDoSed a website. Good job. What is it, 1997 all over again?
CAROLE THERIAULT
Big whoop.

The upshot is the site was taken down for 90 minutes, displaying an error message on Sunday morning to those desperate to find out what people were up to on royal.uk, which would be the first place I would go on a Sunday morning.
GRAHAM CLULEY
It's my homepage normally. Yeah.
CAROLE THERIAULT
And in a way, you say, it's not a big deal, right? Buckingham Palace did the right thing. They got it back up and running. They told the world in a timely manner. Ransomware.
MARIA VARMAZIS
I would have been more impressed if they'd hacked their social media. DDoSing a website, no. Hacking the social media, okay. Yeah.
CAROLE THERIAULT
Does Prince Charles— or sorry, King Charles— have social media?
GRAHAM CLULEY
Oh yeah, yeah, they're on Twitter and Instagram and all that stuff. I don't know if they're doing TikTok dances yet. They're not twerking? Oh geez, no.
MARIA VARMAZIS
I think you're mixing them up with Fergie now. She's no longer a member of the royal family. @theroyalfamily has 13.1 million followers on Instagram. Wow.
GRAHAM CLULEY
More than Tom Hanks.

If your SIEM is causing an endless cycle of noisy alerts, manually writing generic detection rules, and limited data ingestion and retention, your SOC might need an upgrade.

Well, Hunters is a SaaS platform purpose-built for your security operations team.

With Hunters, you can ingest and normalize as much data as you have at a predictable cost without having to compromise on visibility and retention.

Automatically cross-correlate data logs from your entire security and IT stack to connect and track events throughout your organization without switching screens.

And leverage out-of-the-box SOCs and always up-to-date detections that cover 80% of security use cases.

Solaris Group, a leading German fintech, implemented Hunters' SOC platform to eliminate the burden of redundant detection engineering and manual event correlation, allowing SOC analysts to focus on higher-value tasks.

Visit hunters.security to learn how your SOC can move beyond SIEM. That's hunters.security, and thanks to Hunters for supporting the show.
CAROLE THERIAULT
And we thank DEVO for sponsoring the show. SOC analysts are often overworked and underappreciated. In fact, many consider leaving their jobs or changing careers altogether.

DEVO is hosting the 3rd annual SOC Analyst Appreciation Day.

This year's program includes presentations and discussions from some of the InfoSec community's most prolific thought leaders, including the likes of YouTube creator John Hammond, CISO Olivia Rose, and unpopular opinion guy Joss Copeland.

This event will cover everything from real-life use cases to SOC automation, managing your mental well-being, and more. You won't want to miss it.

Join DEVO and other cybersecurity industry professionals on October 18th, 2023 for sessions and panels focused on destressing, SOC career development, and more.

Visit smashingsecurity.com/devo to register. That's smashingsecurity.com/devo. If you work in security or IT and your company has Okta, this message is for you.

For the past few years, the majority of data breaches and hacks you read about have something in common: It's employees.

Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.

Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard.

Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.

You can just start using Kolide.

Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
GRAHAM CLULEY
And welcome back and join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security related necessarily. Better not be. Well, I've got a question for both of you. What's the best Christmas movie of all time? Die Hard.
CAROLE THERIAULT
Polar Bear Express.
GRAHAM CLULEY
Polar Bear Express. A different— Polar Bear Express. That's the porn version, the Polar Bear Express.
CAROLE THERIAULT
My husband's away, I miss him.
GRAHAM CLULEY
I would like to argue that the greatest Christmas movie of all time—
CAROLE THERIAULT
It's a Wonderful Life.
GRAHAM CLULEY
No, it's not It's a Wonderful Life. It is the 1940s rom-com The Shop Around the Corner with James Stewart and Margaret Sullavan.

I don't know if you've— have either of you ever seen it?
MARIA VARMAZIS
No, I've never even heard of it. I may have.
CAROLE THERIAULT
I gotta look.
GRAHAM CLULEY
It's set in beautiful Budapest, and they work in a shop together, and they're kind of, you know, those rom-coms where they don't get along at first and they're kind of having a go at each other, and then they fall in love right at the end.

You know, those sort of rom-coms which are sweet. Well, in this particular one, they both have an anonymous romantic pen pal.

And what they don't know is the wonderful person who they're chatting to is the other person.

So they're actually secretly— Now, it is a great movie and a wonderful thing, and it has only ever been tarnished by one thing, which is my nitpick of the week.

Because I was recently required to watch a Tom Hanks movie.
MARIA VARMAZIS
It all comes out now. All right.
GRAHAM CLULEY
It all comes out called You've Got Mail.
MARIA VARMAZIS
Oh, for fuck's sake.
CAROLE THERIAULT
You've Got Mail. How can you? Isn't that Nora Ephron?
GRAHAM CLULEY
Yeah, Nora Ephron. That's right. She did Harry Met Sally. We love that one. You've Got Mail is loosely based on The Shop Around the Corner.

In fact, Meg Ryan's shop in You've Got Mail is called The Shop Around the Corner.

Can I tell all of you, go and watch The Shop Around the Corner from the 1940s, which is wonderful and doesn't have Tom Hanks in it, because it is a great, great thing.

So my pick of the week is The Shop Around the Corner, which is a wonderful movie. My nitpick is this constant remaking of perfectly good movies and producing inferior versions.
MARIA VARMAZIS
I love that this explains your Tom Hanks animosity. This is great. Came full circle.
GRAHAM CLULEY
Maria, what's your pick of the week?
MARIA VARMAZIS
Okay, I'm gonna do— okay, I'm gonna start with my nitpick. We're going back to Naked Security again.
GRAHAM CLULEY
Last week we were chatting about it.
MARIA VARMAZIS
Yes, a bunch of names were mentioned and I was not one of them, and I felt sad.
CAROLE THERIAULT
So Maria was a very important part of Naked Security.
MARIA VARMAZIS
I was not. I just was a small part of it, but I was part of it. I was very unimportant, to be clear. But there were a lot of us who worked on it, but I was— I'm sorry. All good.

I've done my drama. My pick of the week is something very geeky and nerdy, because I am in the throes of Halloween season.

Oh yeah, my kid wants to be the Light Dragon from Tears of the Kingdom. I was like, you want to be what for Halloween?
GRAHAM CLULEY
Oh, for that from the Zelda game?
MARIA VARMAZIS
From the new Zelda game? Yeah, she's obsessed with that Light Dragon, and the Light Dragon glows those, as the name might imply, there are lights.

So I have been learning how to incorporate LEDs into costuming for this costume that I'm making.

And this website I came across to buy the LEDs is called evandesigns.com, and it is very old school in a way that I love, and that it's a little niche part of the internet for hobbyists, and it's full of a lot of good hobbyist information, exactly what you need.

How do I build this thing? Or how, if I'm trying to, I don't even know what I don't know. Can you please walk me through it? A top to bottom guide. Oh, wow.

And it's very competently done. And it's meant for people who do hobby trains, train sets, but he's got a bunch of stuff for people who do costuming.

And for someone who has a very basic understanding of circuitry, but very basic. But even I was reading through this.

I'm like, I can definitely handle making, you know, a string of LEDs, something like this, thanks to his help.

So I'm just giving a shout out to that, evandesigns.com, because I really appreciate their help.
CAROLE THERIAULT
Cool. We need pictures. They've got some very cool looking stuff here.
GRAHAM CLULEY
For just $15, the equipment you can, I imagine, put on your car or maybe on your toy car to give it a Knight Rider style LED.
CAROLE THERIAULT
I should do that on my car. That'd look amazing.
MARIA VARMAZIS
And if you want to light up your TARDIS, they have a kit for that as well. Yes, no, yes they do. And they have Geiger counter sounds and, yeah, all sorts of stuff. Yeah, yeah.

So all your LED needs are at Evan Designs, but they also have a lot of resources on how to actually make the stuff work in the way you want it to, which is nice to see that people are still sharing that information.

And it's not video, it's written. God bless it. I can just read it. Beautiful.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
So mine's a book that I've experienced, right? I love a good whodunit. I was looking, and someone described a whodunit as a book full of manners and intrigue. And I love that.

That's kind of true. It's your Sherlock Holmes kind of thing. And it's rare that you get a good one. So often they can just be a bit predictable.

And maybe it's great for new readers to the genre. But if you've been around the detective block a lot, it's hard to be surprised.

So my pick of the week is a book I'm enjoying called The Eight Detectives by Alex Pavesi, P-A-V-E-S-I. And I'll quote The Guardian here because they say it so well.

So it is a set of seven Golden Age style mysteries where an abundance of brutal slayings in genteel surroundings are rendered in a heightened pastiche of the form.

So, in my terms, rollicking fun read. And it's surprising how the attacks transpire. There's this one scene where a victim is killed with a detachable tine from a fork. Right? Crazy.

So, all kinds of cute things.

And even better, all of these short stories, these 7 short stories, are nestled within a greater narrative where you have this fictitious author, Grant McAllister, and he's discussing his own set of detective rules for how you write a detective story with an editor.

And this leads to the 8th murder mystery, which I'm getting to this evening. If it sounds like your thing, it's great. I'm enjoying it a lot. Eight Detectives, a novel by Alex Pavesi.

And that is my pick of the week.
GRAHAM CLULEY
No nitpicks. Very good. Well done on no nitpicks. Nope.
MARIA VARMAZIS
Not a single nitpick. Nope. Everything's perfect.
GRAHAM CLULEY
Now, Carole, you've been having fun this week chatting to the guys from DEVO.
CAROLE THERIAULT
Yes, I spoke with Kayla Williams, Devo's very own CISO, and we talk about SOC Analyst Appreciation Day. This is where you'll be appreciated, guys. Listen up, listeners.

Today on Smashing Security, I am chatting about all things SOC with security analytics platform Devo's very own CISO, or I should give the whole title, Chief Information Security Officer, Kayla Williams.

Very warm welcome to you, Kayla. Thanks for coming on the show.
KAYLA WILLIAMS
Thank you so much for having me. I'm really excited to be here.
CAROLE THERIAULT
Cool. Now, Devo Technology is a cloud-native platform designed to defend all the nasty stuff out there.

But more than that, the Devo team are the people behind the SOC Analyst Appreciation Day. But we're going to get to that in a second.

First, Kayla, I would love if you could tell us a little bit about you, your background, and maybe how you ended up at Devo as their CISO.
KAYLA WILLIAMS
Yeah, wow, where to start? So I'm Kayla Williams. I have been the CISO here at Devo for a little over a year and a half now. The way I got here is a very curvy road, if you will.

I wouldn't say bumpy, I'll say curvy, because I am not a traditional, technologically sound CISO. I am what I like to call a GRC CISO, because that is my background.

As we all know, the laws and regulations and the privacy, technical privacy landscape, everything is changing so rapidly.

And really, GRC or governance, risk, and compliance is the foothold of a security program because they're able to easily pivot.

So my background, I graduated with a bachelor's degree in accounting. Went on—
CAROLE THERIAULT
That's good, you got to know your numbers.
KAYLA WILLIAMS
Yeah, I went on to become an external auditor, and I hated it after a while, which I'm sure many of you who are listening have worked with auditors before, and you're like, oh my God, they're driving me crazy.

Try being one.

So I did that for a couple years because my track in my mind was I was going to get my CPA, Certified Public Accountant, certification, and then move on to being a CFO eventually.

And since I didn't like it, I decided to move out of that field into the wildly different field of internal auditing. And I worked at a financial services company for 8 years.

And in that time, I was an internal auditor for 3 years and then moved into security because they were looking for folks who understood process.

And that's something that auditors do very well. You give credit where credit's due.

Yes, I was able to come in and understand process and the risks associated with if a process goes wrong.

And I was in that company for 5 years, moving into various roles doing security consultancy, security program management.

The team acquired the enterprise risk management team and it became a CISO or information security and risk officer organization.

So then I moved into an enterprise risk management role for North America. And after that, I was like, well, there's really nowhere else for me to go here.

So I moved over into a director of GRC role at LogMeIn, which is now GoTo. So GoToMeeting, GoToConnect. They used to have LastPass, that company there. And I did that for 3 years.

And it was great. There was 20— at the time, there were 23 SaaS products in the portfolio.

And that gave me SaaS experience because all the teams are doing something different, right? The CI/CD pipeline was different. The processes were different. The output was different.

I ended up at Devo because our chief operating officer at LogMeIn came over to Devo as the CEO, and I ended up following him here.
CAROLE THERIAULT
Aha, that is a really interesting background though to a CISO.

I don't think I've heard anything similar, and I can see how those building blocks would help you be such a great asset because you understand risk, you understand process, and you understand security.

I wondered if you could help me understand the role of a security operations analyst because we use this term SOC, right? SOC analysts.

And just for some of our listeners, I know most of them totally know what this is, but there's gonna be some of them that are gonna really appreciate an explanation from you—what's in their day-to-day, what are they responsible for?
KAYLA WILLIAMS
You know, it's very much like all the other roles in security. The SOC analyst role can vary depending on the organization or the industry that you're in.

However, you know, the day-to-day is really logging in and checking for any potential incidents or events—anomalies, if you will—that you're not expecting to see.

And then investigating that. Each company has their own risk that they're willing to take. You have to take risk just to have a company going, right?

So every company's going to be a little bit different, but logging into your SIEM, which I hope it's Devo, and seeing what's happening, what's been triaged or not triaged yet, and then doing your investigation.

Unfortunately, there is a lot of monotony there, especially for the level 1 SOC analysts who come in typically—the ones that are moving into the field for the first time that are in school or have just graduated and want to get their hands dirty with security.

You're gonna be going through a lot of your alerts, looking to see for any potential indicators of compromise or IOCs, and kicking off your own—I would call it a mini investigation on your own—before you escalate it up your chain of command to say, okay, I've now identified something.

And I think that is exciting when you identify something. It's not always great when you identify something, but for the company, I mean, but for the individual, that's exciting.

It's like, hey, I'm noticing something that's—this is an anomaly. This pattern isn't following patterns. There's maybe some user behavior that isn't expected.

Or one of my favorites that I hear a lot about is the impossible traveler—Kayla logged into Boston, she lives in Boston, that makes sense.

But all of a sudden, 20 minutes later, she's logging in from Alaska.
CAROLE THERIAULT
You're spotting anomalies. It's almost needle in the haystack work. But when you find that needle, it can be really glorious for the person because, you know, you've done your job.
KAYLA WILLIAMS
Exactly. And that gratification of actually finding something and then also helping your organization to reduce its risk.

And that's really where I feel the SOC analyst is underappreciated, which will come into the day that DEVO has to celebrate them.

But this team, the SOC team, is really your first line of defense. They're your eyes on glass.

They are seeing the things that are coming in and out of your environment with precision and accuracy. And are mistakes made? Sure, but mistakes are made in every role.

Things do get by, but they're really the unsung heroes of your corporate defenses and having those folks understand the business, understand what's normal, what's not normal, expected, unexpected, however you want to phrase it, really arms them with the knowledge to reduce your risk profile.

They are essentially preventing financial loss, reputational risk, regulatory risk, obviously information security risk as well.

The branding piece and the reputational risk is something that's often discounted. And that's where people say, oh, security is a cost center. Absolutely not.

In my opinion, maybe I'm the only one that feels that way, but no, security is not a cost center. They're saving your brand. They're saving your customers, saving face, if you will.
CAROLE THERIAULT
Listeners are going, we're with you, Kayla. We agree.
KAYLA WILLIAMS
And you know, when the renewals come up or when new prospects are asking about your defenses, that's your SOC. Number one is your SOC.

And yes, we are a very expensive team to have, but balance that with your brand that you're protecting, whether it's a multi-million, billion-dollar brand, it's well worth the cost to keep that going.
CAROLE THERIAULT
But, you know, ultimately this isn't an easy job though. Oh, absolutely not.
KAYLA WILLIAMS
And because of coming into this role here, and now having the SOC Analyst Appreciation Day, I'm very much aware of how little, in the past where I've worked, it's been acknowledged, because it is: you're always on.

There's always alerts, there's flooding of alerts, the monotony of having to go through them and make sure that they're, you know, if they're false positive, marking them as that, opening an investigation, writing rule sets to make sure that, you know, if you're seeing patterns that are all false positives, making sure that those are marked as such and removed from your product.

Processes, and it's just constant bombardment of noise.
CAROLE THERIAULT
So tell me a little bit about the upcoming 3rd Annual SOC Analyst Appreciation Day.
KAYLA WILLIAMS
So we are hosting it, socanalystday.com. If you have not registered, it's October 18th.

Please do, even if you are not in the SOC and you were just thinking about coming into security.

It is a fantastic way to learn about the field because I think something that's often overlooked is people are, yeah, I want to get into security, there's a lot of jobs.

You have to be mentally tough to be in this field. I think we all deserve credit for that. The event is our third year, as you mentioned.

From year one to year two, we nearly doubled the number of people that attended. So this year we're hoping to have another record-breaking event. It is all online, but it is all day.

So you can come in, you can, you know, obviously being in a SOC, you probably have to have eyes on screen. You can listen to it in the background.

You will hear my voice, unfortunately or fortunately, I don't know.
CAROLE THERIAULT
You have a great radio voice. I think they're going to be in heaven. But it's a wonderful event.
KAYLA WILLIAMS
This is my second year co-hosting it. I'll actually be in the studio recording all day.

As well as co-hosting the full event all day, I'm moderating a panel, There's a Seat for Everyone in Cyber, that will touch upon what you and I just discussed a few moments ago around complementary skill sets and being able to transfer people in from other fields, because that non-traditional background that I have has really opened up my eyes to how many other people could be in this field but maybe lack a cybersecurity degree or engineering background.

And it's certainly a way to address some of the shortages that we're seeing across the board.
CAROLE THERIAULT
Absolutely.

And it also gives people out there that maybe are feeling stuck in a rut, maybe you're in accountancy and you're thinking this isn't for me, and you might find that cybersecurity desperately needs your risk assessing and your number crunching, right?

We need all those skills.
KAYLA WILLIAMS
I couldn't agree with you more.

And I actually spoke at Blue Team Con in Chicago about a month ago on the non-traditional paths into security, and I did a segment on those complementary skill sets where I put them up on the screen and was drawing arrows between, you know, being an accountant and what kind of skill set that is.

So having the attention to detail, being able to quickly analyze two sets of data and having the wherewithal to see those discrepancies that might be there, those patterns that have changed.

And my favorite story, which I talked about at the event, is that a friend of mine hired a former bus driver as an incident response manager, because this individual was used to having to write reports, being very detailed, and also de-escalating situations.

Another session that is extremely important to me is the mental health session that Peter will be running from CyberMindz.

I had the pleasure of meeting Peter at RSA and at Black Hat. He came over from Australia, did his US launch back at RSA, and CyberMindz is amazing.

They have a program that is for cybersecurity professionals like all of us, and they come in and they teach you how to better deal with stress, because in our day-to-day we have more stress than some people that were on the front lines during the pandemic.

And 77% of respondents to the survey that Devo did with Wakefield Research have said that their stress levels at work directly affect their ability to keep customer data safe.

They're making mistakes, they're not seeing things, they are so stressed out because they're so afraid they're going to make a mistake, that anxiety.

And as someone who has anxiety, and I talk about it openly, I do take anxiety medication. It is certainly a session that I highly encourage folks to attend.

That's with CyberMindZ, one word with a Z at the end. And then of course, John Hammond has SOC Hacks. So John is on my television screen, on my YouTube every time I turn it on.

My husband's like, who is this guy? I'm like, oh, that's John.
CAROLE THERIAULT
And this is free to attend, right?

So yes, absolutely, October 18th, 2023, and this is the SOC Analyst Appreciation Day brought to you by DEVO and hosted by our very own Kayla Williams.
KAYLA WILLIAMS
Yes, very much looking forward to it. I hope everyone can register. Please do. As we said, it's free all day.

You can have it on the background and get some appreciation, much deserved and much needed SOC Analyst Appreciation Day.
CAROLE THERIAULT
If anything ever sounded like a mental health day, this does, because you're going to get all the love that you need.

Now, if you guys want to register, this is where you go: smashingsecurity.com/devo. That's D-E-V-O. So smashingsecurity.com/devo.

And is there anything else you'd like to add, Kayla, before we wrap up?
KAYLA WILLIAMS
No, I think this covers everything. Thank you so much for having me. This was a pleasure and such a great time talking to you. Thank you.
CAROLE THERIAULT
Thank you for coming on the show and for talking to us all. It's been amazing. And I think we're going to get lots of signups, right, listeners?
GRAHAM CLULEY
Super stuff. And that just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS
Well, if you want to hear my voice in your ear holes every day, and I'm sure—
CAROLE THERIAULT
Of course you do, of course you do—
MARIA VARMAZIS
My very own show, it is called T-Minus Space Daily.

We talk about space, all things space, space industry, commercial space, all the good stuff, and a little bit of space cybersecurity too.

So you find it wherever fine podcasts are purveyed, or at space.n2k.com. And I'm also @mvarmazis on Twitter and @Varmazis on mastodon.social, M-A-S-T-O-D-O-N dot social. Super duper.
GRAHAM CLULEY
And you can still follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G, and we have a Mastodon account as well. Look for us up there.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT
And huge, huge thank you to this episode's sponsors, Devo, Hunters, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 341 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye. Bye-bye. I feel I might have given Tom Hanks a bit of a hard time in here. It was perhaps a little—
MARIA VARMAZIS
You definitely did. You did. You did. You hate his guts?
GRAHAM CLULEY
I just— I did see one movie with Tom Hanks in. Well, other than Toy Story. Toy Story's all right.
MARIA VARMAZIS
But— You didn't see Cast Away or anything like that?
GRAHAM CLULEY
I know I can't watch it because it's got Tom Hanks in it. I saw the movie—
MARIA VARMAZIS
That's a tautology though.
GRAHAM CLULEY
Yeah. I saw the movie The Post, which I thought was really good. And it was only three-quarters of the way through that I realised one of the actors was Tom Hanks.

And I thought, oh, this is actually all right. So maybe it's only when I recognise Tom Hanks that I've got a problem. Forrest Gump? Never watched it. It's got Tom Hanks in it. Yeah.

Hosts: Graham Cluley, Carole Theriault

Guest: Maria Varmazis

Sponsored by:

  • Hunters – A SOC platform, built to empower your security team to reduce risk, complexity and costs.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Devo – Register now to join Devo and other cybersecurity industry professionals on October 18 for sessions and panels focused on de-stressing, SOC career development, and more!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
