Smashing Security podcast #364: Bing pop-up wars, and the British Library ransomware scandal

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


There’s a Bing ding dong, after Microsoft (over?) enthusiastically encourages Chrome users to stop using Google, and silence hits the British Library as it shares its story of a ransomware attack.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Plus: Don’t miss our featured interview with Kolide founder Jason Meller about his firm’s acquisition by 1Password.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

So some users thought Microsoft wouldn't be so tacky to use such a technique, little did they know, and they assumed it was malware. So they thought this must be a scam. This must be something malicious was going on. But it wasn't malware. It was just an intrusive, desperate ad. However, Microsoft don't like it to be called an intrusive, desperate ad. They describe it as an opportunity. An intrusive, desperate opportunity.

Unknown Guest

Yes, probably. Smashing Security, episode 364. Bing pop-up wars and the British Library ransomware scandal with Carole Theriault and Graham Cluley.

Graham

Hello, hello and welcome to Smashing Security, episode 364. My name's Graham Cluley. And I'm Carole Theriault. And Carole, I have a little secret to share with you. A secret? Last night I had a dream about you. What? Yes. I don't want to hear this. More specifically, it was a dream about your podcast, Sticky Pickles. But Sticky Pickles? Because, yeah, because I heard that you had a special guest on Sticky Pickles, a celebrity guest, at least in my dream. You had Andy Garcia on the Sticky Pickles podcast. How

Carole Theriault

did you know I hang out with Andy Garcia?

Graham

Well, the funny thing was that you didn't know it was Andy Garcia. You thought it was Jerry Garcia from The Grateful Dead, leaving you in something of a sticky pickle.

Carole

Oh, well, you know, maybe you should come on the show sometime and regale all our listeners.

Graham

I'm here. I'm available. You know, I'm just saying. Oh, right. Okay. Twiddling my thumbs, waiting for the invite.

Carole

You know what? I think it's time to kick the show off. First, let's thank this week's wonderful sponsors, Kolide, Kiteworks and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Oh, I'm going to be talking about being persistent. Being persistent, giving nothing away there. And I'm going to talk about one of the worst cyber incidents in British history. Plus, we have an interview with Kolide's founder and CEO, Jason Meller, and he has some pretty exciting news to share. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, let's hear it one and all for the persistent. Yep, the people who never give up. Did you ever see that movie, the John Cusack movie Say Anything, where he holds the boombox over his head? Yes. And he plays the girl a Peter Gabriel song. You remember that? Don't

Carole

Give Up, is it that one?

Graham

No, no, no, it was In Your Eyes. In Your... oh yes. So yeah, the people who never give up, like those people you think you've dumped and they turn up on your doorstep at three o'clock in the morning with a boombox saying, let's get back together. Let's, you know, the Mormons who ring your doorbell. They might find someone who's prepared to listen to them. Yeah. Or maybe you're more like a dog with your head stuck inside a peanut butter jar, trying to lick out every last morsel. I don't know. What sort of persistence do you show?

Carole

I'm still here on this show, week after week. Yes. I show up.

Graham

Episode 364. It's unbelievable, isn't it? It is unbelievable. Well, those are the people who never give up. They are wonderful, you know. They are the ancestors, I think, of the first monkeys who came down from the trees to walk on the land. You know, if we didn't have persistence, that would never have happened. We'd still be up in the trees. Maybe we'd still be in the primordial swamp. If one of us hadn't decided to crawl out and take the first brave gasp of air. So, you know, where would we be without them?

Carole

I thought you were going to say ancestors of Rick Astley. Rick Astley? Never going to give you up. Oh, right. He's persistent.

Graham

Right. Yes. Very good. Right. So well done, Rick. Well done to the primordial gloop and the fish that resided in it. Well done to the monkeys. Well done to everything. Because without them, we wouldn't be here. It's down to their bravery, their persistence. And where, oh, where would we be without Microsoft? Let's be honest. The whole cybersecurity industry relies upon Microsoft, quite frankly, doesn't it? I

Carole

would mention Clippy. You wouldn't know what that meant.

Graham

Yes. Yes. Macroviruses wouldn't exist without Microsoft.

Carole

Nor would Solitaire, probably. It wouldn't have that much popularity. Minesweeper

Graham

as well. Ah, the best. Now, Microsoft, they have recently demonstrated their persistence in an act. An act which rivals that of door-to-door encyclopedia salesmen. So they've never faltered in their quest to help us see the light. Because Microsoft believes that our lives would be immeasurably improved if only we were to switch to Bing. Stop using Google as your search engine. Use Bing.

Carole

I think anybody that works at any company's job is that, isn't it? They're just trying to get everyone to sign on. To promote Bing? Well, no. To sign on to whatever they're schlepping, whatever they're selling. I suppose, yeah, maybe. I mean, when we worked at a particular company, we often would put out press releases saying, this company is better than other companies. And, you know, was it really 100% true?

Graham

Shocked. Shocked I am. I am appalled by you, Carole, and I'm also appalled to discover that a staggering 91.62 percent of all search engine queries go through Google. Yeah, it's a bit gross. It is really, isn't it? Go through that advertising company. So Google's market share has not actually dipped below 90% for 10 years. However, what's that I see on the horizon? Galloping fast towards the front line. Oh, it's Bing, hot on the heels of Microsoft at a blistering 3.31% of the market share.

Carole

Wow. They must have much less malware that's targeting them though, right? We should just be advertising Bing. We should be saying, move to Bing, guys. Bing it up.

Graham

I mean, you know, there must be some reason why people aren't using Bing as a search engine. Is it simply because it's easier to google? Is Google a cooler name? Are people not bothered to change? I don't know what it is. I mean, there are certainly safer, more privacy-conscious searches, and they like DuckDuckGo. DuckDuckGo has 0.53 percent of the market. Wow.

Carole

I'm surprised it's so small. I'm really, I mean, I knew that Google is the, you know, the market leader by far. But yeah, I'm surprised at how much. Yeah.

Graham

There are some regional differences. If you were to travel over to Russia, you would find that Yandex has 71.5% of the market share in Russia.

Carole

Yeah. And what about China, right? They have their own search engine as well.

Graham

I think they want you searching the internet at all. I think they're kind of against that idea. Now, it probably wouldn't surprise you much to hear that this Google dominance of search engines, it rankles a little bit. It sort of gets, oh, it's got a little bit of sand in the crevice of Microsoft. You know, it's upset those guys in Redmond. They don't like it.

Carole

I'm not surprised. They're thinking, God, we had almost every computer on the planet was running Microsoft for a while. Right. And where are we now?

Graham

Why don't we own the search? They're asking themselves.

Carole

Well, they kind of own OpenAI, so they're not doing too badly, let's be honest. But anyway.

Graham

Well, yeah, they own a lot of stuff. Teams and Microsoft Office and Project, I don't know, Powered Puff. They could try to be a bit more proactive in promoting Bing. And they've spent millions over the years. I've been watching this morning some of the archive of past Bing search engine adverts, like TV adverts.

Carole

I've never seen one, I don't think.

Graham

Well, they're not very memorable. OK. Even though there is one with Philomena Kunk in it, who we like. Yes, very much. So she's funny. But generally, they're not that great. And it looks like the ads aren't working, judging by the percentages. So what else could they do? Well, I'll tell you what they could do. As you've already alluded to, Carole, Microsoft does control what might be the world's largest number of advertising spaces, because they own effectively the desktops of PCs running Windows, right, which is the dominant operating system, right? They could change everyone's wallpaper to say go and run Bing instead of Google. They could have done that. It'd be a bit like when Apple pushed out that U2 album to everyone's iPod.

Carole

You see, I seriously, I think the ad campaign should be just Bing it up, Bing it up, Bing it up, Bing it up. TM it, Carole, otherwise they rip you off. Don't you want the money? TM Carole Theriault. Done. There you are. Very good.

Graham

So in recent days there has been a bit of alarm caused by the display of a pop-up for users of the dominant Google Chrome browser. So some of our listeners may have seen this. It's been popping up saying, hey, chat with GPT-4 for free on Chrome. Get hundreds of daily chat turns with Bing AI. Just try Bing as your default search. Easy to switch back. Install this service to improve the chat experience. So they are dangling a carrot. Understand. Okay, good. They're enriching their experience. They're fighting back. So as Engadget describes, if you click yes, please, the pop-up will install the Bing Search Chrome extension, which makes Microsoft's search engine the default. However, clicking yes to change the search engine will also prompt Google Chrome to pop up its own warning message asking you to confirm. Did you really mean, hang on, did you really mean to change your search provider? Please, please stay with Google. Please stay with Google.

Carole

So they're politely jostling for our attention. Well, it's more than that, because Microsoft, clearly anticipating that Chrome is going to display a warning, they pop up another notification saying, wait, don't change it back to Google. If you do, you'll turn off Microsoft Bing search for Chrome and lose access to Bing AI with GPT-4 and DALL-E 3 and select Keep it to stay with Microsoft Bing. No, because they may not have ever experienced it. I mean, Google does own all the space.

Graham

Why doesn't Microsoft buy some more Google search ads to promote Bing and tell people how fabulous Bing is?

Carole

Line Google's pockets even more. They could use a stolen credit card. They could. Right. I would like to know if you know anything about the British Library. Well, I know they've been in the news. But do you know anything about the institution itself? Yes, they have between 170 and 200 million items.

Graham

They will have copies of all the Harry Potter novels.

Carole

Literary treasures like the Magna Carta, Shakespeare's First Folio, original manuscripts from renowned authors like Jane Austen and Charles Dickens.

Graham

Doctor Who and the Wheel in Space which is quite hard to get your hands on, I know, because there was a fire at the distribution plant so I never got to see that one. Well maybe you should go down to the British Library. Yeah, some items are as old as 1300 BC. Oh isn't that lovely. I like the idea. It's cool. Yeah. But late last year on Saturday 28th of October to be exact, it became clear that the British Library had been hit by a significant ransomware cyber attack that compromised the majority of the library's online systems. Yes, not to be confused with Jack Rhysider from the Darknet Diaries podcast. Although I suspect they may have named themselves after him. Isn't a Rhysida, isn't that some kind of caterpillar or cockroach or something? I think. No idea. I'm so educated. It's almost like I've been to a library.

Carole

You haven't proved it. Okay. Right. Google. Bing. So these guys, Rhysida group, these guys had exfiltrated data, encrypted or destroyed substantial portions of the server estate and forcibly locked out all users from the network. So based on the analysis from the British Library cybersecurity advisors, the belief is that the attackers used three methods of attack to identify and copy these documents. So they first copied records belonging to finance, technology, and people teams on a wholesale basis. So this made up 60% of the content copied during the attack. They think they also launched a keyword attack, scanning the networks for any file or folder that used certain sensitive keywords in its naming convention, such as passport or confidential. This is the other 40% of content copied during the attack. And third, they hijacked native utilities. So these are IT tools used to administer the network, and used them to forcibly create backup copies of 22 of the databases, which were then subsequently exfiltrated from the network. And they currently believe that several of these databases contain some contact details of external users and customers, but they can't be sure until the databases' infrastructure capabilities are restored.

Graham

Okay, this all sounds terribly, terribly serious. And by the way, giant centipede, confirmed by the internet, but thank you very much, I was close enough. It all sounds very serious, but this is a library. I mean, what sensitive information are they really going to have, other than, oh, you know, you're a bit late returning your books? I mean, you know. Is it that big a deal if a library gets hit? I mean, obviously it's inconvenient. Oh, really? It's a national treasure, do you not think? Well, I've never been to it, so I've never really benefited from it. I

Carole

can't believe you. Anyway, whatever. Now, this is a ransomware attack, right? Yes. Right. So the data thieves demanded a payoff to keep the data private. And they wanted a payout of 20 bitcoins, which is about £600,000, for privileged access to all the personal information. But the British Library refused to pay the ransom. Okay, so the hackers then decided to publish close to 500,000 files of what they called exclusive, unique and impressive stolen data onto the dark web for anyone to download. All right, okay, did anyone care? Yeah, no one gave a shit, no one gave a shit, no one gave a shit, no one cares about libraries. I just, oh, I'm shocked. I'm almost speechless. Normally I'm really good at attacks, but right now I'm just like, what. But that's not all, Graham, that's not all. As well as exfiltrating the data for ransom, okay, the attackers also encrypted the data in systems and even destroyed some servers to inhibit system recovery and to cover their tracks.

Graham

Okay, my crass comments, let's put those to one side, because I'm just saying those trying to get a rise out of you. Obviously this is terrible. You

Carole

know what Cluley I agree. So the destruction of these servers is what had the most damaging impact on the library, says the report. They explain that they have secure copies of all their digital collections, both born digital and digitized content, and they have the metadata that describes it. But they've been hampered by the lack of viable infrastructure on which to restore it, because they had legacy systems. And

Graham

they were reliant on the little choo-choo train for moving things around, weren't they? Right. And they now have to rebuild, since this has happened, rebuild the infrastructure. This has been months and months and months, hasn't it? Yes. Well, yes, since October last year. No, thank you for explaining what readers are. So readers have been subjected to difficulties and delays as staff have been forced to locate books, manuscripts and other items manually. And this is not just like your typical library in your small town here. Poor old Debbie. Debbie does data breaches. We're a calamity. You make fun of this, but like researchers and academics around the world, Graham, come to the library to see rare and ancient documents and artifacts for their dissertations, for their research. Yeah. get 13 pence every time

Carole

your book's taken out of a library. I learned all about this looking into this because it's a little rabbit hole, but there's actually conferences, library conferences, where authors go and, you know, basically tout their book.

Graham

Presumably quite quietly. They can't make too much noise.

Carole

The Financial Times estimated the attack will cost the library up to 7 million. And they conclude this report with actions the British Library is planning to take in order to withstand any future attack.

Graham

Ah, this will be useful to other people.

Carole

I think this whole report is really useful for other people. I really, really urge you guys all to read it and I really wish all companies that face some horror show like this would be able to put out a report like this to the public to teach and give all the learnings. We would be much better off.

Graham

I haven't read it, but I heard it was really good. So I've been meaning to read it. By me? No, no, no, no. I did just hear you say it, yes. But I've heard other people, other than Carole. Oh, well, who cares? I've had other people recommending it. To be honest, it's a bit like going to the library. I've heard that going to the library is really good as well, and I've been meaning to do it. And I probably should. I think it would probably enhance my life considerably. But seriously, this report I heard was excellent and that they've done a sterling job. And isn't it great that they haven't actually paid their attackers?

Carole

Hallelujah, I agree. Now, I just want to share a few of the actions because there's 16 of them, so I'm obviously not going to go through all of them. So number one on my little mini list here is fully implement multi-factor authentication. And not just at the endpoints, but even on certain supplier endpoints. So I just think that's very interesting because they didn't have that there. And that's, they think that was one of the reasons why their actions got through. Eliminate legacy technology. Legacy systems are not just hard to maintain and secure, but they're extremely hard to restore, they say. Retain on-call external security expertise. And that's an important one for me to share on the show because they want a specialist external security advisor on retainer to help them improve speed of response. So if any of you are looking for a job, you know, this would be the time to get in touch.

Graham

What's one of their recommendations to sponsor a popular cyber security podcast? No,

Carole

But you should get in touch with them. You should get in touch with them.

Graham

Maybe we should. Maybe we should do a podcast from the library. And I'll then go into a library, which will be fantastic.

Carole

Everyone will have to turn up their volume, though. Shh. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk.

Carole

Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com slash smashing to claim your discount. That's V as in Victor, A-N-T-A dot com slash smashing. And thanks to Vanta for sponsoring the show.

Graham

You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data, and that's what they're still doing but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Kolide on devices without MDM like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com slash smashing to learn more and watch the demo today. That's K-O-L-I-D-E dot com slash smashing, and thanks to them for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something - could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security related necessarily. Well, my pick of the week this week is not security related. In fact, it's not a pick of the week, it's a nitpick of the week. The thing I want to have a nitpick about this week is very, very simple: it's people. People specifically who use the word literally to emphasize something. Literally? That bugs you? My head literally explodes at the thought of people using the word literally incorrectly.

Carole

Okay, I'm going to stay out of this. I'm beginning to worry about you seriously.

Graham

No, no, I'm interested in your point of view. Didn't this bug you?

Carole

In Huffington, they always go "to be honest" at every beginning of every sentence. Oh, you know what? Funny you should say that, Carole, because I've made a list of other phrases that annoy me. And one of them is "to be honest" or "if I'm honest." This is pathetic. This is a pathetic pick of the week, and it says more about you than anybody else who has maybe verbal tics because they maybe feel anxious or uneasy, or maybe you make them nervous.

Graham

Well, my alarm is caused by the fact that a number of dictionaries are now apparently given the definition of literally to mean not literally. So they've reversed the definition. So "my head literally exploded" apparently is fine.

Carole

You know, I've always had a problem with one word, which is completely unrelated but much more interesting: inflammable. Inflammable and flammable. Yeah, inflammable and flammable.

Graham

Flammable and inflammable mean the same thing. So what is the word for something which is not flammable? Non-flammable. Correct. But why do we have inflammable and flammable? Yep, listeners, let us know. Anyway, if you're the sort of person who says literally and you want to go into the British Library, I'd be on your guard because it's the sort of thing they may test you for as you enter through the doors.

Carole

To be honest, Graham, I basically think this entire pick of the week is a bit lame.

Graham

I saw what you did there. You inserted the word basically.

Carole

Took you a while. Doesn't bug you that much.

Graham

Carole, what's your pick of the week? So we have a friend that is studying psychotherapy. Yes, we do. No, wasn't it? Bing it, bing it.

Carole

Okay, okay, it's monstrous. Hang on. Oh dear, Joan Crawford. Joan Crawford, damn it.

Graham

No, that's 1981. Is that the version? Is that what you want? Is that the one? That must have been the one I saw. Because I saw it when I was a kid. And I was like, wow, that's a pretty shitty mom, right? Thank God mine doesn't do that. And Good Morning Monster is a scripted drama based on one of five stories in a book by the same name. And the mom in this story makes Mommie Dearest look like Mary Poppins. Fantastic. Now, Carole, you've been busy this week. You were chatting to Jason Meller at Kolide.

Carole

Yes, I was talking to Jason all about their next steps because they have some big news to share. Listen up. Listeners, today I am chatting about all things Kolide with the company's very own CEO and founder, Jason Meller. Welcome to Smashing Security, Jason. Thank you so much for having me. I know I should say welcome again, you've been here a few times. I know, I'm getting the hang of this. Since we last chatted there has been a pretty huge announcement concerning Kolide, hasn't there?

Unknown Guest

Oh, just a little bit. Maybe a tiny tweak. Tell us everything. Yeah, so if you haven't heard the news, Kolide and 1Password are joining forces. You know, more specifically, we've been acquired by 1Password. This is something that I've been working on with them for a while. Things have been going really well for Kolide since we launched our device trust offering last year. And we had started some talks at the end of last year around working together in some form of partnership. And when we actually sat down and conveyed our visions, they were so close that we were like, why are we going to just go our separate ways and try to tackle the same problem as separate entities? Let's do this together. And to me as a CEO who's very mission focused, my job and my mission has always been, how can we get end users to be a major part of the security remediation story? That's why I wrote Honest Security. That's why I built Kolide. I couldn't think of a better company to work with than 1Password, which feels so similarly about end users and feels so similarly about honesty. They actually, when we launched Honest Security, the manifesto I wrote, I know some of the 1Password founders, they actually had this chat internally. Why didn't we write this? This sounds like it's coming from our voice. So we're just very in alignment from a cultural perspective. And strategically, we just had a lot of things that we wanted to do that were similar. So it just made sense.

Carole

It's really great because I personally am a very huge fan and user of 1Password. I was reading your blog on your announcement, and I'd like to quote you back to you. Sure. You say, it is my belief that every person in the world deserves to use computers with dignity and without fear of being taken advantage of by criminals and bad actors who seek to degrade, deny or destroy the incredible things we all accomplish with the help of these magical devices. Now, I wanted to ask you, do you feel like this new you joining 1Password underpins this belief?

Unknown Guest

100%. I don't think I could have agreed to any acquisition where I thought the parent company wasn't going to be in perfect alignment with how I feel. I have a very strong sense of right and wrong. And a lot of the things that I've done at Kolide were informed by experiences that I had when I was really young. The first of those being just the excitement I had for computers during the dawn of the digital age and the World Wide Web. These are incredible machines. They allow us to extend the essence of ourselves far beyond what was ever possible. And they're incredible, and everybody should feel good about using them. And that is sort of diametrically opposed to other experiences I had when I was starting university and I was doing IT tech support for students. And to see these students that were so sad or so upset because their machines were just loaded with malware. Or I remember this one woman came in and she was crying because she thought this stalker put a Trojan horse on her computer. And she thought that she was afraid of her computer because she thought it was being used against her own interests. And it just really pissed me off because on one hand, these things are incredible. And on the other hand, no one's able to use these devices with any real dignity. And the direction that we're going as an industry, it just never sat well with me. It was always about, all right, we have to solve these problems as an organization. We have to solve a malware problem. We have to solve the compliance problem. So what is the way that we're going to do that? We're going to force the device to behave in a way that benefits the organization, but that wrenches control out of the hands of the end user who's supposed to be productive with it. It just never sat right with me. And it took me many years at Kolide to figure out what the answer was. And we found it. It was device trust.
It's having a conversation with the user with some actual consequences if they don't listen to the security team's recommendation, but giving them the agency to sometimes break the rules and push back and to create a system in which that's possible. That is so much in the spirit of you think about 1Password, right? 1Password is a company that had to solve a very human problem. Passwords, they are not really a technology problem. They are a problem because human beings cannot remember long, complicated strings of text. We need to put them somewhere. And if you think about the state of passwords 10, 15 years ago, we had all of these experts telling us, hey, you got to use a separate password for all your different services. They need to be complicated. And they weren't providing any tools. So yeah, we heard everybody, but we didn't have the right capabilities to actually listen to the device. And then 1Password comes along, and that whole category was created. And now they're ubiquitous. And we now can listen to the expert's recommendation. We can do it with ease because that's what the software does. And it makes us feel empowered, confident, and we can use our machines with dignity. That's what I've always wanted to do on the device compliance side and protecting devices. And so to me, it's just perfect alignment.

Carole

So speaking of device trust, as most of us know, our listeners know, Kolide is a huge advocate of the Zero Trust model. And you guys have been providing stellar support for auth provider Okta. Now, will you still be providing support for Kolide's device trust Okta integration now that you're a part of 1Password?

Unknown Guest

Of course, yeah. The goal here with this acquisition is to accelerate my goal, which is to get what we've built at Kolide into as many hands as possible. So we are in no way, it's not on the table for us to take what we've built and take it away from people who could have gotten it before. And actually, on the other hand, we want to continue to increase that investment with Okta. The way that I think about it is, if you're looking to buy something like Kolide, you really are buying it because you want it to fit into an investment that you've already made. Okta is a major investment for you. When you roll out Okta, it's a huge project. It's really hard to roll back. It becomes part of your company. It's part of almost your authentication culture. So we want to make sure that we are being a good citizen within that ecosystem. So if Okta comes out with a new whiz-bang way to do device assurance and stuff, we want to be in perfect alignment with that. And that's going to require continuous R&D as they evolve their offering. So shall we to be the best possible way to achieve this within Okta. So that's going to be on the table and it will always be on the table for as long as I'm here.

Carole

You know, I can just see listeners that are also customers of yours right now feeling so smug that they made the decision to work with you because it's exactly what everyone wants to hear. Now, this is maybe tricky with this announcement. Will you maybe be considering other auth providers in the near future to integrate with?

Unknown Guest

Yes, yes. So it is true that, you know, it's great to have focus, but I do have a goal here. And that goal is to get this in the hands of everybody. The thing that we did when we launched Device Trust, we had to start with Okta because, quite frankly, they were the only ones that really had the platform where we could build it to our vision. We didn't have to make many compromises on how it worked. And we needed to do that because we wanted to vet out the idea to see if it really was going to work in practice. And boy, did it ever. We understand what are the important pieces of it. And now we can hatch our plans to bring it to folks who have been just begging us. I don't have Okta. I don't have any plans to get Okta. We're a smaller company. We don't even need a really formalized IdP or SSO solution yet. I'm using Google Workspace, or I'm using whatever Microsoft's calling it these days. I believe it's Microsoft Entra. We just want to get that rocking and rolling and get Kolide on top of it. So yes, we are moving forward with those plans. In fact, if you go to our website today and you try to sign up and you say that you don't have Okta, we'll actually kick you over to a form where we actually ask you some questions about what you are using. And those are now driving conversations that I'm having with prospects and existing customers on how we can build the version of this that's going to be best suited if you have any other SSO provider, including Microsoft Entra and Google Workspace. So if you are interested in being part of that beta, please reach out. This is something that we're going to be getting done in months, not quarters. So we're really, really excited to talk to folks who are passionate about device trust. They want what Kolide is offering, but they don't have any plans to get Okta. And we want to hear from them and understand what their needs are.

Carole

So where do they go again? If they really, you know, I'm sure there's listeners that would love to be part of that. Where would you recommend they go?

Unknown Guest

Yeah, just go to kolide.com slash auth dash provider dash survey. Or you can just go to kolide.com, K-O-L-I-D-E dot com. And then just click Contact Sales. Just fill out the form and just say that you don't have Okta. So either way, we'll find you and we'll get you into the right bucket.

Carole

Brilliant. Now, Kolide at the moment is an independent product. But with this new announcement, do you see it being packaged with 1Password?

Unknown Guest

Yes and no. So here's my theory around this. And 1Password believes this too, is that when you have products, there are packages of emphasis. So you want to take the different parts of each product and you want to make sure that they can be what they're supposed to be. So you don't want to create these arbitrary, like let's just smash everything together and put it under one giant menu bar item. You want to have these things feel very separate and give customers options of buying them separately. Because we just have very different customers today, right? Today, Kolide-only is sellable to people who have Okta, and 1Password, even their enterprise password manager, is best suited for folks who are still in that part of their journey within their organization, or even they also have a consumer business, which is quite large. So what we want to focus on is what value can we bring to folks who have already deployed 1Password's enterprise password manager, what they call internally EPM? So to me, my vision for this, maybe I'm talking out of school a little bit, but here's what I've started to work on. There's this thing in 1Password that I love. It's called Watchtower. And what Watchtower is all about is giving end users alerts that help them understand what is the security of their password. So, for example, let's say you've created a password on a website and that website gets compromised and you've never changed your password. Well, it will have an alert for you to look at and say, hey, you need to go back to this website, go reset your password, change it, because that password probably now is in somebody's hands. So the challenge with this, and this is the same challenge we faced in the early days of Kolide, is you can tell users about these problems until the cows come home, and only some percentage of them is ever going to actually action them, which makes us sad. These are real problems. Those attackers really do have your password.

Now, it may not be a really big deal because you hopefully are not reusing it anywhere, but maybe you are reusing it. So it's like we want people to look at these things and fix them. Well, that's Kolide's entire job. We know how to do that now. So in my mind, if I'm a business owner or I'm the IT owner, I can do something in Kolide to say, hey, if this user is trying to sign into some of our sensitive apps and they have these intense alerts in Watchtower, let's have them just take a beat and go to 1Password and get some of those fixed. Then let's let them through to our most sensitive apps. Let's get them on the bus of fixing really important problems that are putting both them and the company at risk. That's what we've always been about. And that's a great way to get way more value out of Watchtower than it would have been previously possible.

Carole

Wow, I love that so much. We're coming to time already, which I hate. Is there anything else that you'd like to add, Jason?

Unknown Guest

Well, the thing that I'll say is we're going to be at RSA this year, and we're going to be jointly presenting, which is going to be really exciting. Now, here's a little bit of an inside scoop. We're going to be talking about a really grand vision about how we see the zero trust space. So as you said earlier, Kolide has always been a big proponent of zero trust access in that model. But I've always felt that the vision, it's always felt a little bit more of a principle or even a little bit of zealotry rather than a real category. So I'll tease this is that we have a really expansive vision on how to connect the dots between these unmanaged sort of shadow IT things and then getting those things managed and then putting device trust in front of them. So I'll just kind of put that in there as a teaser. We have a really strong vision here and you should come to RSA and learn more about it. And we'll be talking about it a lot after May.

Carole

Fantastic. Jason Meller, CEO and founder of Kolide. Huge congratulations to you. I think your future is very bright. And thank you so much for chatting with us today. Listeners, to learn more about the Kolide and 1Password acquisition, and to check out Kolide's Shadow IT report, go to, simply go to kolide.com slash smashing. That's K-O-L-I-D-E dot com slash smashing.

Graham

Fantastic stuff, and that just about wraps up the show for this week. You can follow us on Twitter at smashingsecurity. We also have a Mastodon account, and don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Spotify, Pocket Casts, and Apple Podcasts.

Carole

Huge, huge thank yous to our episode sponsors, Kiteworks, Vanta, and Kolide, and of course to our wonderful Patreon community. Thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalogue of more than 363 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye-bye. Bye. Thank you. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Episode links:

Sponsored by:

  • Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
