Smashing Security podcast #382: CrowdStrike, Dark Wire, and the Paris Olympics

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley

Computers blue-screen-of-death around the world! The Paris Olympics is at risk of attack! And the FBI pull off the biggest sting operation in history by running a secret end-to-end encrypted messaging app!

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by industry veterans Graham Cluley and Carole Theriault, joined this week by cybersecurity journalist and the author of “Dark Wire”, Joseph Cox.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

Tonight, the global reboot after a massive computer meltdown.

Joseph Cox

Tech across the planet slowly coming back online after an outage halted everything from banks to 911 call centers.

Carole Theriault

Travelers facing 4-hour-long lines at airports.

Unknown

Smashing Security, episode 382. Ransomware, CrowdStrike, Dark Wire, and the Paris Olympics with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 382. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we are joined this week by a special guest, someone who hasn't been on the show before, but someone whose work I'm sure lots of our listeners will have enjoyed over the years and been edified by. It is cybersecurity investigative journalist and the author of a new book called Dark Wire, Joseph Cox. Hello, Joseph.

Joseph Cox

Hi, thank you very much. Thank you so much for having me. It's great to be here.

Carole Theriault

We are thrilled that you're here. We are both big admirers of your work. So this is, yeah, it's really, really awesome for us too.

Graham Cluley

And exciting that your new book, Dark Wire, is out. I know you're going to be talking to us a little bit about the story behind Dark Wire later on in the podcast, but do you want to give a quick summary for those people who haven't seen the book yet?

Joseph Cox

Yeah, absolutely. So it came out in June and it's the untold story of how the FBI secretly ran its own encrypted messaging app to wiretap the world, basically. An app that was very popular with drug traffickers and hitmen and money launderers. They used it because they thought it was secure, but it was the FBI basically the entire time. And I think it's especially relevant now because we're all talking about encryption and stuff again in the news that I'm sure we'll get into. But yeah, I hope it's a very entertaining and informative read for your listeners.

Carole Theriault

When did it hit the shelves, Joseph?

Joseph Cox

It was June 4th, which funnily enough was just a few days before the third year anniversary of the operation itself. This was all super recent, and the FBI came clean on June 7th, 2021. I don't think my publisher planned that, but that was beneficial.

Carole Theriault

Let's just thank this week's wonderful sponsors, 1Password, Sysdig, and the M-WISE Conference 2024. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

Well, surprise, surprise, how could I be talking about anything other than the CrowdStrike catastrophe.

Carole Theriault

I almost stole it from you this morning just to make you— What about you, Joseph?

Joseph Cox

I'm going to drill down on what happened when the FBI did run that app and what it means for the going dark debate today, especially when we're all talking about how the Trump shooter used encrypted comms, allegedly.

Carole Theriault

And I am going to be heading to Paris for the Olympics. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, extraordinary stories, really. The headlines have been everywhere, haven't they? You can't have avoided missing it when CrowdStrike, a cybersecurity company, of course, which normally stops hackers from bringing down computer systems, pushed out an update which brought down computer systems.

Carole Theriault

So some of the billboards in Times Square here today went dark because of a global internet outage. It's causing chaos at airports, affecting banks, hospitals, government offices, media outlets, and other businesses all around the world. Tonight, a major IT outage shuts down computer systems worldwide after a day of worldwide IT chaos caused by a global outage. The boss of the cybersecurity firm responsible has said it could be some time before all systems are back up and running. But we begin with that massive Microsoft technology outage. Cybersecurity firm CrowdStrike says it identified a critical problem in its software and is working to fix the issue.

Graham Cluley

In fact, around about 8.5 million Windows systems worldwide are estimated to have been taken down by a duff update which CrowdStrike pushed out the end of last week. And 8.5 million, it is actually an awful lot. Even though it's less than 1% of all the Windows computers out there worldwide, the impact was significant because of course many large companies use CrowdStrike to protect systems that are essential for critical services.

Carole Theriault

And it's interesting because we worry so much, don't we, about cyber threats and bad stuff. And in fact, we sometimes forget that we, the good side can make mistakes that can screw stuff up royally.

Graham Cluley

Well, they can. I mean, Carole, you and I, we worked for a cybersecurity company which pushed out a very, very bad update, not intentionally malicious.

Carole Theriault

But it detected itself.

Graham Cluley

So it detected itself. It actually quarantined its own auto update facility, which meant that it couldn't then go and get the fix for itself.

Joseph Cox

Oh, wow.

Graham Cluley

Oh yes.

Carole Theriault

Graham and I were the comms people for it.

Graham Cluley

We were the people answering the phones.

Joseph Cox

So when was that? I don't actually remember that. This is news to me.

Carole Theriault

20 years ago.

Graham Cluley

I think it's more 15 years ago. Wasn't it something that? I can't remember exactly. We'll put a link in the show notes, some of those news reports from back then. But we remember the chaos within the company and that was a lot smaller than what happened to CrowdStrike. I mean, thankfully we weren't making international news headlines. Thankfully, we weren't knocking out television stations, airlines, and everything. But it took some companies weeks to recover, didn't it? And our support people were working round the clock at the time, and it was horrendous. So we can understand this. Now, this CrowdStrike incident, it was bigger than, for instance, the WannaCry ransomware attack, which impacted the UK's National Health Service. It caused a number of US airlines to ground their flights around the globe for much of Friday. Sky News and CBBC in the UK, they went off the air.

Carole Theriault

Do you know, I had a friend going in for an operation Friday morning, a big serious operation, and couldn't happen.

Joseph Cox

Wow.

Graham Cluley

It's horrendous, isn't it?

Carole Theriault

Yeah.

Graham Cluley

I mean, and we hear stories all the time of people whose operations have been disrupted by ransomware attacks at hospitals. It's the same result, isn't it? Computers are down. It's not a deliberate attack. It's an accidental outage which has occurred through the software which is meant to be defending you.

Joseph Cox

There's a horrible layer of irony to all of it. Not only is it exceptionally disruptive — I mean, I think actually at the time of recording this, there are still disruptions to some airlines. I've seen tweets where people still can't get on flights home because it's been that disruptive. But as you allude to, this is the software that was supposed to protect you in the first place, and it's actually done more damage than you mentioned WannaCry, but I guess NotPetya as well. I mean, it's sort of hard to quantify, but this has been staggering, absolutely.

Graham Cluley

Yeah, yeah. And one of the victims, I don't think this one made the headlines, but it really should have done, is Barbarito at London Gatwick Airport's North Terminal. Their tills were brought down early Friday morning.

Carole Theriault

Oh, I thought it was a name. I thought it was someone's name, Barbara.

Graham Cluley

No, no, no, no, no, Barbarito is, well, there was a lineup of people, including cybersecurity podcaster, Graham Cluley. He was third in line to pay for his early morning breakfast burrito because he was going away on honeymoon to Barcelona. And he very bravely waited a few minutes as he got frustrated that suddenly the tills weren't working before stomping off. Thankfully, my flight wasn't affected, but thousands of other people were, of course, affected by this.

Carole Theriault

I can't imagine you were grumpy about that.

Graham Cluley

Come on. Well, you know, it was breakfast. It was very early in the morning. We had to get up about 3 o'clock in the morning in order to get to Gatwick. And a breakfast would have been nice. But anyway, doesn't matter. You know, hey, I'm just reporting what happened. Anyway, affected PCs around the world, they entered this death loop. They were showing the famous or the infamous blue screen of death upon boot up, making them essentially a brick, unusable, tricky to fix. CrowdStrike, to its credit, fixed the issue within about 30 minutes or so. They worked out what it was, what they had to do. But that didn't mean that the affected computers could automatically fix themselves. It's just like the situation we had, Carole, when we worked at that company. Even though you had the fix, getting it to the customer or getting it applied was really tricky.

Carole Theriault

Well, yeah, not impossible, but not, yeah, close.

Joseph Cox

The IT teams would physically have to go to the computers, right? If they don't have remote access or a server, and that's just so much labor. That's so much work to do.

Graham Cluley

Well, it's enormously problematical. And of course there are computers which you don't want to have to reboot. And Microsoft was saying that some computers would need several reboots. In some occasions they're saying it may have to take up to 15 reboots before the actual issue would be fixed. So this was a huge, huge story. And of course, whenever there's a catastrophe in the cybersecurity industry, there will be people thinking, we can maybe make something out of this because CrowdStrike's rivals, some of them couldn't resist going in and putting the boot in. And it was kind of ironic what we saw Kaspersky do. Now, Kaspersky, of course, well, hey, they've been in the headlines quite a lot, particularly in America, where they've shut down their operations now because America's banned them from selling or updating their clients over in the States because of concerns that Russia may have too much influence over them. And Kaspersky, they tweeted a picture of the blue screen of death, which CrowdStrike customers were seeing. And they said, you wouldn't see this with any of our products. They said, just saying.

Joseph Cox

They don't know that. They don't know that.

Carole Theriault

That's outrageous, actually, I think of them. I think they should have been supportive rather than— because it is a nightmare scenario. And that's just a bit too cheeky. I wonder if that's just a social media person doing that. I think it must have been, although it's still up there. Hasn't been removed yet. Naughty.

Graham Cluley

I thought so. And what I loved, though, was that on Twitter, someone— I refuse to call it X— people left a community note. So other people reading the tweet said, "I think we should put some context." And what they did was they said, "Actually, all computer programs can have bugs, including Kaspersky products." And they linked to Kaspersky knowledge base articles talking about blue screens of death it has had in the past on multiple occasions.

Carole Theriault

As an expert in crisis communications, I imagine there was a meeting about the tweet and someone's like, "No, you can't remove it! You can't remove it, we'll get more headlines!" They should have just posted an apologetic tweet.

Graham Cluley

I mean, it was— Yeah, and just said sorry. It was a tacky thing to do, but I understand that sometimes cybersecurity vendors, they sometimes can't resist. But it could happen to any of us because cybersecurity products work at such a low level on Windows computers at the kernel level because of course they're trying to get past all the devious tricks that the malware is doing. They're trying to see what's really, really there. And of course, when things go wrong, they can go really, really badly wrong. So it looks bad for the whole industry when one product fails in this way. But to be honest, it could have been just about any of them. It's only proper quality control and testing, which is going to prevent this sort of thing happening on other people's computers.

Carole Theriault

Agree.

Graham Cluley

And well, perhaps predictably in this day and age, the conspiracy theories began as well.

Carole Theriault

This was what I was going to bring up.

Graham Cluley

Oh, right.

Carole Theriault

Did you get the same press release that I did?

Graham Cluley

I don't know.

Carole Theriault

Tell me, tell me. I'm sure it is.

Graham Cluley

Well, there were rumours and conspiracy theories saying CrowdStrike was having a go at Microsoft for laying off its diversity, DEI staff. Was it that one?

Carole Theriault

No, that's not the one I was thinking of.

Graham Cluley

Was it because of the Donald Trump assassination attempt? There was a theory that CrowdStrike were deliberately trying to wipe some of their customers' PCs of evidence, which would—

Carole Theriault

Nope.

Graham Cluley

Which would point towards who was behind the Donald Trump assassination.

Carole Theriault

No, it's sillier than that.

Graham Cluley

I hear the sigh from Joseph. He's been on the internet long enough to know all these conspiracy theories begin to weave themselves together, don't they?

Joseph Cox

Yeah, and it's just everything now. You cannot have basically any cybersecurity story of any sort of significant size without this sort of insane stuff coming up. I swear it wasn't always like this. Obviously social media is still a relatively new technology, I guess I would say, in the grand scheme of things. But it just seems so, so much worse now. Every single story will have something, an angle like this. And I mean, I guess that's a question to, I mean, not us right now because we're mocking it, but you sometimes have journalists who will cover every single conspiracy theory and say, hey, look, this is what the silly people are saying and writing about. I don't know, maybe don't amplify it. I think it's a case-by-case basis, but I don't know.

Carole Theriault

Don't listen to the episode last week.

Joseph Cox

Oh yeah.

Graham Cluley

And sometimes, of course, the journalist or maybe the sub-editor or something will have a headline like, was the CrowdStrike attack an attempt to wipe evidence? And they put a question mark at the end. And of course, it gets them the clicks, doesn't it?

Joseph Cox

Right. Yeah, don't flirt with the conspiracy theory. Just debunk it, report it as conspiracy theory. But yeah, I hate that question mark stuff totally.

Graham Cluley

And there was also another conspiracy theory saying CrowdStrike was up to some shenanigans. It's been linked to Ukraine in the past, and at least by far-right conspiracy theories. If you remember when the DNC, the Democrat Party, got hacked in 2016, Hillary Clinton's campaign, and CrowdStrike were one of the companies who came in to help the DNC work out what had happened when they were attacked. And there were links made then. And so again, we're seeing conspiracy theorists saying, "Oh, this must somehow be linked to all of that as well." Carole, what conspiracy theories did you hear about this one?

Carole Theriault

Something about a filmmaker tying it to— Is that the same one?

Graham Cluley

You saw that?

Carole Theriault

Yeah, yeah.

Graham Cluley

Okay. I didn't know that you'd seen this as well. So I received in my email a press release.

Carole Theriault

When I knew that you were doing this story, I was I'm gonna steal his story with this. And you had it too, which is so sucky.

Graham Cluley

I received a press release from a chap called Mark Christopher Lee, who describes himself as an award-winning filmmaker.

Joseph Cox

Whatever.

Carole Theriault

Yeah.

Joseph Cox

I love how you said describes himself. That's some shady caveat. Yeah.

Graham Cluley

That is me throwing some shade. Whenever I say describes himself, you know that I'm coming to criticise him. But anyway. He says that the outage might be linked to a UFO sighting over his home in St Albans near Luton on the same day.

Carole Theriault

The centre of the universe, who knew?

Graham Cluley

But he said he saw this strange orb over his home. He said, it's bizarre, isn't it? It's a weird coincidence, he said. He said, some sort of higher intelligence that's doing this, I don't know. He then puts this shameless plug in for his movie. He says, I've alluded to this in my new film, The Cosmic Joker, which is now streaming.

Carole Theriault

We are not giving him any— we're censoring the name.

Graham Cluley

Anyway, he says that possibly the outage ties in with his theory that all of life is a simulation. Sounds like The Matrix to me.

Carole Theriault

You don't have his quote that I loved. He's like, "It wasn't moving. Planes come towards you or go away. It was just kind of swaying side to side a bit. It wasn't a balloon. There was a bit of breeze, so it would've had more movement. It seems to be blipping in and out." Can't argue with that.

Joseph Cox

I mean, I know I was saying, don't give these conspiracy theories attention. This one I'm on board with. This one's too entertaining. It goes in the other direction now. I'm, oh, we should— this is true. I don't care. I'm just going to believe it.

Graham Cluley

So well done to his PR agency for hijacking the hottest story of the day in order to try and plug his movie. But I think possibly not actually what was really behind this. As normal, it's all about the cock-ups. It's never really a conspiracy, is it? It's normally just human failure. Which has actually meant that piece of software has gone wrong.

Carole Theriault

In my world, it's never about the cock-ups, I'll tell you.

Graham Cluley

Oh, okay.

Carole Theriault

Steady.

Graham Cluley

It's not that kind of podcast. So.

Carole Theriault

Oh, right. This week.

Graham Cluley

Joseph, what have you got for us this week?

Joseph Cox

Yeah, so I'm going to talk about my book, but how it relates to the going dark debate right now. As I said, Dark Wire: The Incredible True Story of the Largest Sting Operation Ever. I can never remember that subtitle, so I'm literally reading it because I think it changed a couple of times. I can never remember which one the publisher decided on, but it's Dark Wire. That's the important bit. And if you Google that, you find the book. So the SEO worked. So as I said, it's about the FBI running this encrypted app. So I guess what I'll do is I'll give a super streamlined version of that story. So we can then talk about why this matters today. So in 2018, the FBI is approached by somebody who's in the encrypted phone industry. And this industry, they sell these very customized devices to drug traffickers and hitmen. You'll have the microphone taken out, you will have the camera removed, the GPS as well. And they basically become these almost bricks. You know, it barely resembles a normal phone that can send encrypted messages. And it really does annoy law enforcement, especially in Australia. Europe as well. But the FBI is approached by somebody who is in that industry and is making the next generation of encrypted phone called ANOM, A-N-O-M. And they offer it to the FBI and say, would you like to use this in future investigations if you don't prosecute me for charges I may or may not face in the future? So the FBI says, yeah, obviously we would like to do that. I don't think that's a direct quote. I'm paraphrasing slightly. Smashing Security. But they say yes, and they basically do become this incubator for this tech startup for the criminal underground. And it starts in Australia, very, very small, 5 to 10 devices, eventually goes to Europe because one of the key things with encrypted comms and drug trafficking today is they're so globalized. You will have drug traffickers in Australia who are working with people in Turkey or Europe or even South or North America.
Crime groups in silos anymore. That's just a very, very old idea, especially not just in the 21st century, but very specifically in 2024 and 2023. So the phones expand, they go to Europe, the FBI is collecting all of these messages. They're not just getting the content of the chats, they're getting the GPS locations, they're getting photos, videos. It is the ultimate backdoor into a consumer tech product. We've never seen the FBI get this before. They've always wanted to do this. You'll all remember San Bernardino, which wasn't Intercept, but it was getting into a phone, and they wanted that. They're always complaining about wiretaps or Signal or whatever. Well, they did get a backdoor, and this was the case. But it keeps growing until eventually, it really does start to get too much to handle. Basically, the sellers of the phones who are real criminals, they're not FBI agents.

Graham Cluley

Yeah.

Joseph Cox

They're going out and selling the phones 'cause they're gonna make money off it as well. They get more and more power inside ANOM. They are spreading all over the world and the FBI starts to lose control and they have to shut this thing down. And that's one of the major reasons for it.

Carole Theriault

Why do they have to shut it down?

Graham Cluley

Because it gets How was it getting out of control? What was the issue?

Joseph Cox

There's a couple of things. I mean, the first reason they say they had to shut it down was because the legal court order which allowed the interception was expiring. The DOJ will never acknowledge this, but I found it was Lithuania, and I reported that. That was the country that was intercepting the messages for the FBI, then handing it over with a nice little bow over to the US authorities. Now, they could have just got another court order, I'm pretty sure. So the real reason, to answer your question, why they closed it down is because no longer was the FBI in control of the production of the phones. That is, there were these little computers that would load the software onto Google Pixel 3s and various other Android phones. That was the case at the start of the operation. Then the criminals found out how to make those computers themselves, and they could then create as many phones as they wanted at any speed they wanted and give it to any seller across the world. So it was ballooning to over 12,000 devices at the end, which doesn't sound like a lot, but imagine that's 12,000 probably criminals, and you have to read every single one of their messages. And it got to the point where they were getting 1 million new messages a day that the FBI had to read through. This is not an ordinary wiretap. This is not Sopranos. This is not The Wire. It is those, but on a literal global scale. And they just could not guarantee that they were going to be able to read every single message. And if one fell through the cracks, somebody might die. You know, there's a lot of violence in the underground.

Carole Theriault

Yeah, yeah, yeah.

Graham Cluley

I imagine some of it isn't in English either. There's gonna be a variety of languages being used. So things have to be translated.

Carole Theriault

They were just a few years too early, right?

Joseph Cox

If they just waited for the AI, you know. Well, yeah, it's funny you bring that up because there are hints of that in there, as in, as you say, plenty of non-English languages. There's Dutch, German, there's Swedish in there. So they do provide the data to those authorities who can then read it through themselves, obviously being native speakers. But AI does get introduced at least a little bit when the Dutch get involved because they've dealt with massive datasets before in similar operations, and they made some sort of tool where the AI would summarize and surface conversations that it thought it was important, such as, "Hey, this person's talking about cocaine," and it would then bring that in front of the analyst. That being said, it still requires human review in some sort of way, right? Because you're going to go out and arrest somebody, or you're going to go out and seize a shipment, or maybe you're going to stop an assassination, which they did every day, basically, for years and years and years.

Carole Theriault

Yeah.

Joseph Cox

Wow. Yeah. So I'll sort of bring it to a conclusion as for why this matters now. And I've heard this more and more even since finishing and publishing the book is that the FBI comes clean and it says, we ran ANOM the entire time. The reason being is because they wanted to spread paranoia and distrust among organized criminals so they wouldn't trust these encrypted phones anymore. Right. And they've been very, they've been very successful in that. The drug traffickers I speak to and the people who sell the phones I've spoken to as well. They say it's very, very hard to build up a customer base now because all of the drug traffickers are thinking, well, what if the FBI or the Dutch are behind this phone company now? We can't trust anybody. So at least some criminals are moving over to apps we all use, like Signal. And I think that brings up the key question, which is, well, what happens now? I don't think the FBI is going to just pat itself on the back and go, well, we solved crime. Let's go home.

Carole Theriault

Yeah.

Joseph Cox

So I mean, well, they do that at first and then they come back the next day and they're, oh, damn, okay, we're going to do it all again. Exactly. But I really think that's a key question right now. And even more so because I feel this actually got buried in some of the coverage and I'm not a political reporter. So I don't really have access to maybe, you know, the people on Capitol Hill and in the US who would be able to leak this information, that sort of thing. So I have to read it from Politico or other outlets, but there were mentions that Thomas Crooks, the would-be assassin of President Trump, did use, I think it was 3 or 4 encrypted messaging programs which are based overseas. They haven't named the apps yet and—

Carole Theriault

Telegram.

Joseph Cox

Yeah, I mean, it's going to be Telegram and it'll be Signal. It'll be Signal and maybe it's Threema or something. WhatsApp.

Carole Theriault

It could be WhatsApp.

Joseph Cox

Easily, easily. That is also an end-to-end encrypted platform, right?

Graham Cluley

Club Penguin.

Joseph Cox

Yeah, Hotel Habbo or whatever it was.

Graham Cluley

Oh, of course.

Joseph Cox

Yeah. And, but, well, it's actually funny you bring up those because they did look into his Discord account, but then it turned out to be fake afterwards. It was somebody just pretending to be the shooter. But all of that being said, in the same way in 2016, we had the San Bernardino terrorist attack and that started a whole round of the going dark debate around iPhone encryption. There's a chance that this could trigger a debate around end-to-end encryption, the messaging equivalent. That being said, I mean, they're still trying to find out a motive, and maybe they could argue, well, we would know the motive if we could access his encrypted messages. And I don't know whether they're going to do that or not, but the ANOM operation shows the extreme measures the FBI is willing to go to to get access to encrypted communications. So why wouldn't they try something again, or at least point to its success and then say look, we need to do more.

Graham Cluley

Well, Joseph, it's a fascinating story, and I'd really recommend Dark Wire to our listeners, people to check it out. So right now it's out as a hardback, isn't it? I imagine a paperback will hopefully come in about it.

Carole Theriault

What, can't afford it, Graham?

Graham Cluley

No, I'm lucky enough to have a copy, Carole, of Dark Wire.

Carole Theriault

Actually, can I ask, I have a question because I've never written a book. Do you get more royalty for a hardback sale than a paperback sale?

Graham Cluley

All about the money.

Carole Theriault

I'm just wondering.

Joseph Cox

I don't think so. What I will say is that the idea that people write a book and then they're rich forever and they can go on to a beach is a complete myth. I won't get into more specifics than that. I will say that if you're going to write a book, you have to care about it and live and breathe that story as I did this one. Yeah.

Graham Cluley

One final question. I read online that Netflix and Jason Bateman are thinking about making a movie of your book. Is that true or not?

Joseph Cox

Yeah, that was reported in Deadline, sort of, you know, the Hollywood publication, and they bought the book proposal back when I was starting it because it was already a very, very, very in-depth proposal. I've covered this industry for 10 years, so it was already very clear that I had the sources to do it. So yeah, I mean—

Graham Cluley

Is Jason Bateman playing you? Is what I'm interested in. Have you?

Joseph Cox

I hope nobody is playing me. I hope I'm not anywhere near this whatsoever, you know, and I'm just excited to see what they do with it because of course it's going to be a piece of entertainment, right? And that's of course the idea. But if a piece of entertainment gets more people to care about encryption and what that means, I mean, I'm all on board. I'm excited to see what they do with it.

Graham Cluley

Amazing stuff. Carole, what's your story for us this week?

Carole Theriault

We are heading to the international athletic sensation known as the Olympics, and I'm going to start with a baby quiz, because I haven't done one in forever. So let's see what you guys know about the Olympics.

Joseph Cox

Oh God.

Carole Theriault

No, it's good, it's good. We're techies. What do we know about sport?

Graham Cluley

Well, no, it's not good, Carole. If we're techies, then chances are we know nothing about athletics.

Carole Theriault

Own it, own it, right? Paris has hosted the Olympics twice before.

Graham Cluley

Yes.

Carole Theriault

What years do you think Paris hosted the Olympics before?

Graham Cluley

I'm going to say it was in the 1920s.

Carole Theriault

1924, 100 years ago. That's the second time it hosted the Olympics.

Joseph Cox

Was that a guess? Was that a complete guess?

Carole Theriault

Hands off keyboard, Graham. Hands off keyboard.

Graham Cluley

No, my hands are off. I just had a feeling that it was round about that time. I'm going to say 1890s as well.

Carole Theriault

1900. You're pretty close. Okay, okay. Number 2: what do you think the ratio of male to female athletes will be at the Olympics in Paris?

Joseph Cox

65-35, to put in percentages.

Carole Theriault

Good guess. Yeah, Graham, you want to chip in?

Graham Cluley

Oh, okay, I'm going to go lower. Okay, I'm going to say 63-37.

Carole Theriault

You're lame. It's 50-50 for the first time ever.

Joseph Cox

Oh, wonderful.

Graham Cluley

Oh, wow. Fantastic.

Carole Theriault

And the same number of events for males and females.

Graham Cluley

Oh, brilliant.

Carole Theriault

Last question. Can Russian athletes compete in the Olympics in Paris?

Graham Cluley

Yes, but not as Russia.

Carole Theriault

Correct. They have to present themselves as individual neutral athletes, which is a weird statement in itself, and only provided that they meet the eligibility criteria imposed by the International Olympic Committee.

Graham Cluley

Maybe the Russian army invading Ukraine should present themselves as independent, neutral invading army.

Carole Theriault

I'm getting political. You didn't do too bad, guys. You didn't do too bad. But why am I talking about the Olympics? Well, quelle surprise, mes amis, as we say in France. A world event of this caliber is considered a high-stake target when it comes to international threats, right? Longtime listeners might remember that I covered the previous Olympics hosted in Tokyo, and there were a lot of concerns there too. First, the Olympics were pushed back from 2020 to 2021 due to COVID concerns, with locals basically saying not my town, thank you. But on top of that, the Japanese Olympic Consortium was using software as a service, or SaaS software, from Fujitsu, which was evidently infiltrated by attackers and loads of data was hoovered up. So you can see episode 232 for details on that one. But back to the flaky croissant and crusty baguette munching land of France. They have their own security concerns. So according to PCMag and a Fortinet report, French officials have already identified more than 300 fraudulent websites claiming to sell event tickets, which are of course bogus. On top of that, they've seen a significant number of typosquatting domains. So this is almost olympics.com with just a few typos in it, maybe missing the L, maybe missing the Y, maybe spelling it with I's instead of Y, and all kinds of things. And just to be clear, I type very quickly, often make typos when I type. So be careful that you type it in correctly because these sites look exactly like the original and authentic website.

Graham Cluley

Yeah.

Carole Theriault

They've seen several Olympic game-themed lottery scams targeting users, particularly in the US, Japan, Germany, France, Australia, and the UK. And these schemes impersonate major brands such as Coca-Cola, Microsoft, Google, and the World Bank. And this is kind of sneaky because these brands tend to use such global events as a springboard for recognition or brand power, that sort of thing. And they have bona fide competitions and giveaways. And of course, you see these bad actors taking advantage of this and trying to dupe you into thinking that you're on a legit site and getting a super big win when you're actually handing over your details and cash to some unknown ne'er-do-well.

Joseph Cox

Hmm.

Carole Theriault

We have also seen a few security companies warning of internet and Wi-Fi outage at the event. So ZeroFox has seen activity on social media of political groups planning DDoS attacks designed to compromise the network in order to get political messages across. So all this says, yeah, we definitely need adequate security at the games, and I'm sure we all agree, but at what cost? This is the age-old balancing act of security versus privacy. How much surveillance is too much of an intrusion on privacy?

Joseph Cox

Yeah.

Carole Theriault

And I can totally understand a country wanting to ensure that everyone enjoys the games without any security hiccups. Perhaps this is why the French government introduced the controversial Article 7 bill. Have you heard of this, either of you?

Joseph Cox

I don't think so. What's that?

Carole Theriault

Okay, so this bill allows the use of algorithmic video surveillance, so AI video surveillance, a predictive surveillance technology that attempts to detect predetermined events. So basically, it'll monitor crowds in real time for abnormal behavior and crowd surges, as well as analyzing video data from drones and CCTV cameras.

Graham Cluley

It's Minority Report, isn't it? Basically, that's what it sounds like, but with a French accent.

Joseph Cox

Yeah, yeah, which I'm not going to do, to be clear.

Carole Theriault

But that's not all. The Prime Minister's office in France also negotiated a provisional decree that is classified to permit the government and its chosen tech contractors, so think supply chain here, to steeply ramp up traditional surreptitious surveillance and information gathering tools for the duration of the games. These include wiretapping, collecting geolocation, communications, computer data, and capturing greater amounts of visual and audio data. Hey, wait a minute, maybe the FBI sold their phone software to France. Now, I should mention that the Article 7 bill, which France passed back in March 2024, will last an entire year, way beyond the scope of the games. March 2025? Yeah, yeah. Are they expecting people to take a really, really long time to finish the marathon? Very good question. I don't have an answer for that.

Graham Cluley

And it'll be renewed. That's the thing. You can bring in legislation like this and extra surveillance and, oh, well, we have to protect you during this, but are they really going to pull it back?

Joseph Cox

Well, exactly. That's the thing. Whenever you have especially surveillance legislation and you can have these very powerful capabilities like FISA in the US, which is especially useful for counterintelligence and terrorism plots, and it has legitimate use cases there. And recently when US politicians have tried to have it renewed, the conversation shifted to, well, it's not so much terrorism now because of course the threat from ISIS and Al-Qaeda has diminished somewhat. It's now we need this to combat the ransomware actors because we use FISA to go after them. And that may or may not be the case, but it is always interesting that the debate can shift very, very quickly. Whereas here it starts with the Olympics and then we all go home and then a few years later, "Oh, they're still doing that? Oh, okay." Huh.

Carole Theriault

Yeah, you guys are exactly right. This is what critics are saying. They're saying this is a surveillance power grab and that the government will use this exceptional surveillance justification to normalize society-wide state surveillance. And for me, and I'd like to know what your opinion is, this problem may lie in the nascency of this kind of tech, this surveillance tech, and the lack of regulation or independent testing. You know, once the data is collected by third parties, the potential for further data analysis and privacy invasions, well, is impossible to gauge, but, you know, could be huge, right?

Joseph Cox

Yeah, I'm always apprehensive of— well, not apprehensive of new technology in and of itself, but it being rolled out at a scale and too quickly, basically, before it's been road tested. And of course, it has to be rolled out at some sort of level so it can be road tested, but the Olympics is the biggest cultural event in humanity's history, basically. And obviously that's also why hackers are trying to jump on it as well, right, as a platform. There could be collateral, basically, and we won't know until it's done. But I really do wish people would just be ever so slightly more cautious when it comes to rolling out tech like this that, as you say, we don't really fully understand yet.

Carole Theriault

Absolutely. I couldn't agree more. I know this has gotten to be a bit of a bummer, so I'm going to end on one last quiz question for you two.

Graham Cluley

Okay, excellent.

Carole Theriault

Okay, there are 32 different sports that will be contested in Paris. Okay. 28 are mandatory core sports and 6 are elect sports decided by the hosts. One of these is a first-timer in the official Olympic Games. Can you guess what that might be?

Graham Cluley

Is it using a croissant as a boomerang?

Carole Theriault

No, but it starts with B. Oh, B.

Joseph Cox

I was going to say parkour, which is P, so I guess not that.

Graham Cluley

Is it bulls? Bull?

Carole Theriault

You know what? I'm gonna give you my definition. You can tell me what you think it is. I won't say the word, okay? So athletes need to be able to flip, spin, and balance like gymnasts, but make it all groove to the music.

Graham Cluley

Fine, it's breakdance.

Carole Theriault

Yes! Or breaking, actually, as the kids say.

Graham Cluley

Great. How cool? How cool is that?

Carole Theriault

And they don't even get to choose their music. Instead, a DJ plays music of their own choosing, and the athletes need to fit in their best tricks to the soundtrack.

Graham Cluley

1812 Overture.

Joseph Cox

That's kind of cool. So it's a fair playing field and you have to improvise in response to this. That's cool. Yeah, I'm interested in that.

Carole Theriault

I know, I went down a rabbit hole today watching all these breaking videos.

Graham Cluley

I wanna watch that.

Carole Theriault

Yeah, yeah, right. Anyway, Graham, I was thinking, Graham, you've been to BoxFit and such, so maybe you'd make a play for 2028 Olympics. You know, I'd watch you breaking.

Joseph Cox

Oh boy.

Graham Cluley

Modern threat actors have weaponized cloud automation to accelerate, taking only 10 minutes to fully execute an attack in the cloud. As organizations continue to shift into larger and more complex cloud estates, legacy detection and response frameworks are no longer sufficient at stopping cloud attacks. Well, Sysdig delivers fast and effective multi-cloud detection and response, or CDR, capabilities to empower analysts against these accelerated and complex cloud threats. Powered by Falco, analysts gain the visibility, context, and real-time security capabilities traditional EDR and on-prem tooling fail to deliver. Learn more about how to stop advanced attacks at cloud speed. Visit smashingsecurity.com/sysdig SYSDIG for more information. That's smashingsecurity.com SYSDIG. And thanks to SYSDIG for supporting the show.

Carole Theriault

This September, a tight community of frontline experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at M-WISE, the unique conference built by practitioners for practitioners, brought to you by Mandiant, now part of Google Cloud. M-WISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now: AI and cloud, intelligence and threats, and beyond. It is a place where real talk and serious knowledge are shared generously, and where the emphasis is on the practical, tactical solutions. M-WISE is vendor-neutral and not sales-focused. And this year, they're taking it up a notch in Denver. So get ready for microbrews, killer views, and serious cyber. Join M-WISE from September 18th to 19th. Get details at smashingsecurity.com/mwise. That's M-W-I-S-E. And thank you to M-WISE for sponsoring the show.

Graham Cluley

In a perfect world, end users would only work on managed devices with IT-approved apps. But every day, employees use personal devices and unapproved apps that aren't protected by MDM, IAM, or any other security tool. There's a giant gap between the security tools we have and the way we actually work. 1Password calls it the Access Trust Gap, and they've also created the first-ever solution to fill it. 1Password Extended Access Management secures every sign-in for every app on every device. Includes the password manager that you know and love, and the device trust solution you've probably heard of on this podcast, back when it was called Kolide. 1Password Extended Access Management cares about user experience and privacy, which means it can go places other tools can't, like personal and contractor devices. It ensures that every device is known and healthy, and every login is protected. So stop trying to ban BYOD or shadow IT and start protecting them with 1Password Extended Access Management. Check it out at 1password.com/smashing, and thanks to 1Password for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Joseph Cox

Pick of the Week.

Joseph Cox

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

Carole Theriault

Better not be.

Graham Cluley

Well, my Pick of the Week this week is not security-related. I've just come back 2 o'clock this morning, if I may well sound like it. I got back from Barcelona, and I would say to you, forget the Sagrada Família and all that nonsense. Goodness sake.

Carole Theriault

Oh, I love that building. Come on.

Graham Cluley

Well, come on, it's just a building, Carole. The amount of money they charge people to go in, and they still haven't finished it. Quite extraordinary. I was there 15 years ago. Have they really done that much?

Carole Theriault

Grumpy, grumpy, grump, grump.

Graham Cluley

Well, the thing is, everyone goes, huge crowds to Sagrada Família, right? I'm saying go somewhere else.

Carole Theriault

Okay.

Graham Cluley

I'm saying check out the White Rabbit in Barcelona.

Joseph Cox

Oh.

Graham Cluley

Which is what they call an off-museum. I just stumbled across it. It is extraordinary. It's a very immersive experience. It's a bit like going to Alice in Wonderland. Every room you go into is really big. It's weird.

Carole Theriault

Did you drop acid?

Graham Cluley

Well, you know what? I think I possibly had my most acid-like experience ever. I've never taken, but I went into this one particular room where they had 360-degree— actually, it's more than 360-degree. It was like everywhere I looked, there were psychedelic things happening, being full screens on all the walls, mirrors everywhere. And you were in the middle of what I can only think is the sort of typical evening Frank Zappa had in 1968. It was like a trip. Much of this museum celebrated Catalan culture, and that was fascinating in itself. But there was one particular room where it was extraordinary. I lay down and it could have been like I'd taken acid. I could have stayed. I was there on my beanbag with my new wife, lovingly suspended in the universe, which appeared to be utterly infinite around us. And it was very, very enjoyable. Impossible to describe. I'll try and find a video to link to in the show notes. But I would recommend if you ever have the chance to be in Barcelona to go and visit the White Rabbit Museum because it was really good fun. So that is my pick of the week. Joseph, what's your pick of the week?

Joseph Cox

My pick of the week is my cautious dip into Microsoft Flight Simulator. For those who don't know, Flight Simulator is a hyper-realistic video game that tries to emulate every part of the flying experience. So if you are flying an Airbus commercial airliner or whatever, you have to take off the parking brake, you have to do the throttle, you have to do all of this stuff, which sounds really boring, I think, to— well, there's gonna be people who think, wow, that sounds insanely boring. And the other half is gonna be, that sounds like the sickest thing ever and I can't wait to play it. And I fall into the latter mostly because I don't know, I just got access to the game and it's exceptionally calming when I spend all day talking to hackers, writing about CrowdStrike, doing all of this other sort of, you know, pretty stressful stuff sometimes.

Graham Cluley

Yeah.

Carole Theriault

Listening to Graham, I get it.

Joseph Cox

Listen to Graham constantly. And I just want to fly up into the digital clouds and it's very, very peaceful. And I just play it, you know, 30 minutes, maybe 60 minutes if I have time. And I love it. And a new one—

Carole Theriault

Do you crash?

Joseph Cox

Oh, constantly. Yes. But I just, you hit the reset button and it's fine. You know, it's a game. I can just go again. But there's a new one coming out in November, which will be all updated. So I'm deciding, do I play a bunch now to get prepared for that? Or do I wait? And I haven't decided yet.

Carole Theriault

Play. Yeah, probably. And then get sick of it and then don't want to play the next one. Are you addicted?

Joseph Cox

No, I wouldn't say I have, I have been addicted to games. Absolutely. I've played a lot of video games before, but not with this one. This is a perfect balance of works over time to fly my little aircraft through the sky and then screw it up and it stalls and it crashes, but it's all good. It's all fine.

Graham Cluley

I think it sounds really, really fun. Do you have a newfound respect to commercial pilots now?

Joseph Cox

Oh, absolutely. I've actually weirdly been reading a lot more about the airline industry just because I'm trying to find stories in there because I just don't think it's super covered, at least in the tech press. It will be in the trade press. I feel like there's more stuff going on there that I could potentially cover. So that's how I got into it. It was through work basically that I started to explore just more how the industry works and all of the insane systems and people who were behind it all.

Graham Cluley

And tell me, Joseph, if you were on a flight and all of the crew got hit by food poisoning and were unable to operate the plane, would you be able to bring the jumbo jet down?

Joseph Cox

Oh yeah, absolutely. Next time I go on a flight, I'm going to go into the cockpit and say, Hey, don't worry about it. I've played Flight Simulator for 7 or 8 hours, so—

Carole Theriault

I got this. I got this. It can't be that hard, right?

Carole Theriault

Excellent.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

So I'm gonna point you to an AI art collaboration project for my pick of the week. Now I feel weird about suggesting this because how can a complex computing program be an artist? I did ask ChatGPT, they said, of course, of course we can be artists. But perhaps it's the person directing AI to build these crazy, wonderful works that may be the secret, because I am smitten with Nice Aunties' work, or Nice Aunties' work if you're in America. So this is a Singaporean artist known as Nice Aunties. Nice Aunties is an art project about aging, beauty, freedom, and fun. And you're basically in the world where glorious aunties rule the world, known as the Auntiverse. And they surround themselves with everything they love: cats, food, bright clothing, big smiles. And I love— it's so surreal. And there's a lot of juxtaposing of different ideas. So, you have a cat inside of a sushi roll. You have aunties partying it up in a hot tub of ramen with their hair coiffed beautiful dumplings. But they also get out a few powerful messages: the environmental crisis, loneliness, isolation. My favorite is "Aunt Lantis," which is a set of 3 short videos which takes on the poisoning of our seas and waters. And what a way to get the message across. I asked you guys to check it out before we started recording. Did you get a chance to do that?

Joseph Cox

Yeah, I did. And I think that it's refreshing to see a piece of AI artwork that actually has some sort of message behind it. Usually it's people who are just hey, look at this crazy thing I made. And it's okay, cool, whatever.

Carole Theriault

That's most of my art as well, to be honest, let me tell you.

Joseph Cox

But this one had something to it at least. And I'm actually just flicking through the transcript of the TED Talk now as well. But it was just refreshing to see that somebody was actually engaging with a topic rather than just using AI for the sake of using AI, if you see what I mean.

Graham Cluley

Yeah, it's very cool.

Carole Theriault

It is cool. And the project was inspired by the older woman and the artist's own life, including her grandmother, who was born in Singapore in the early '30s. And she didn't have a chance for a proper education and worked in a rubber plantation from an early age before entering an arranged marriage and going on to have 8 children, then ended up with dementia. So, Nice Aunties aspires to imagine a different kind of life of unbridled freedom for that generation of women. So it's just great. So check it out. The website is known as niceaunties.com or niceaunties.com. There's a TED Talk, as Joseph mentioned. There are articles, there are socials. There'll be loads of links in the show notes if you want to go look there and enjoy. And is it art? Do you think it's art? I'd love your opinions, listeners. And that's my pick of the week.

Graham Cluley

Very cool. Well, that just about wraps up the show for this week, and in fact, it wraps up Smashing Security for the next few weeks because Carole and I are going to go on— Hallelujah! A vacation. So we will be back with Smashing Security in early September, I think we're back, isn't it? So we've got August off. In the meantime, you might want to listen to other podcasts. Carole is, maybe Sticky Pickles people might want to listen to if they want to hear some more from you.

Carole Theriault

Yes! And Sticky Pickles might just launch during August. We'll see if I can get off my butt and do it.

Graham Cluley

The AI Fix, I hear, is an excellent podcast as well.

Carole Theriault

Oh, I haven't heard about it.

Graham Cluley

Yeah, well, you might want to listen to that one as well. That's a strong recommend. Please, please listen to the AI Fix. And Joseph, I'm sure lots of listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?

Joseph Cox

Yeah, well, specifically with podcasts, we do have the 404 Media podcast where we talk about all of our own original reporting each week. Other than that, you can go to our site, 404media.co, not .com. We couldn't afford that at the time. Maybe in the future. And then, you know, I'm on Twitter and Bluesky and Mastodon and Threads and LinkedIn.

Graham Cluley

Hotel Habbo.

Joseph Cox

Yeah, especially Hotel Habbo. I'm there constantly. That's actually the best place to get hold of me.

Graham Cluley

And you can follow us on Twitter at Smashing Security. Smashing Security, no G, Twitter allows to have a G, and don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And huge, huge thank you to our episode sponsors, 1Password, Sysdig, and the M-WISE Conference 2024. And of course, to our wonderful Patreon community. It's thanks to all of you that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 381 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye.

Carole Theriault

See you in a few weeks. You can say bye too if you want.

Joseph Cox

I'm so sorry.

Graham Cluley

Yes.

Joseph Cox

Just say bye. I've lost it. Okay.

Graham Cluley

See you.

Carole Theriault

Perfect. Hey listeners, as Graham mentioned, you can still hear us on other podcasts such as AI Fix, where Graham and regular Smashing Security guest Mark Stockley put the world of AI to rights. But if you need something non-techie, a little lighter, and maybe even a little sillier, check out the Sticky Pickles podcast, which I host with another Smashing Security regular, Maria Varmazis. Have a brilliant August and catch you back here in September. Now, where did I put my Negroni?

Hosts:

Graham Cluley

Carole Theriault

Guest:

Joseph Cox – @josephfcox

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • mWISE – Don’t miss the cybersecurity conference built by practitioners, for practitioners. mWISE runs September 18 – 19 2024 in Denver.
  • Sysdig – Secure your cloud in real time. Detect, investigate, and respond to threats at cloud speed.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
