
An Italian hacker makes the grade and ends up in choppy waters, and we hear true stories of title deed transfer scams.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Plus – don’t miss our featured interview with Avery Pennarun of Tailscale.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
No, no, I'm not saying that. I'm saying this is a problem for society. Why isn't this kid kicking a ball around or doing something else? Is he maybe spending too long doing the computers? Should he be doing jigsaws?
Tell us, oh wise parent, how is it going there with your kid exactly?
Smashing Security, episode 401. Hacks on the high seas and how your home can be stolen under your nose. With Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 401. My name's Graham Cluley. And I'm Carole Theriault. Carole, what's coming up on the show this week? Well, first, let's thank this week's wonderful sponsors, 1Password and Tailscale. It's their support that helps us give you this show for free. I'm going to be talking about a hacker who found himself in choppy waters. OK, and I'm going to be looking at when bad deeds come back to haunt you. Plus, we have a fabulous featured interview with the zany but also brainy Avery Pennarun, co-founder and CEO of Tailscale. And this is where I sink my teeth into how Tailscale is making secure networking easier, faster and way safer. Now chums, let me first of all take you to the beautiful country of Italy. That is somewhere I would rather be than old Blighty at the moment. Hopefully it's a little bit, well it may not be warmer actually, maybe in the southern parts of Italy it's warmer. Italy, well it's given us a lot, isn't it? Passionate opera, great artists, it's given us everything: pasta, pizza, pasta, pizza. Hasn't given us pineapple on our pizza, which I think is a shame. I don't know where you stand on that. I think. Oh, really? Oh. I'm not a cheese.
Pineapple pizza lover. No.
No? Oh, okay. I think Hawaiian pizza, not that bad. But I'm not here to talk about fine dining today. Fine dining. I am here to discuss cyber security because an Italian government department was recently reported to have suffered a breach. Carole, my question to you is, why would somebody hack an Italian government ministry? Why do you think they would do it?
Well, the obvious answer would be to find out what Berlusconi really did in the hot tub. Well, hello. No, no, I don't know. Probably to steal information. And what would they do with the information? They would put it on the dark web for sale.
Yes, that often happens, doesn't it?
Or hold them for ransom.
Holding them for ransom, yes. So again, financial gain. It's all about making money. It may not be about making money though, mightn't it?
It might be an employee that used to work there that was ousted in a way that they didn't think was very cool. So they then decided to show them who was really boss. Oh yes, someone with a grudge. Yep, yep. Those are always fun. Could be political as well. It could be some rabid wing of some sort of faction of people who have an opinion about Hawaiian pizza. They could be changing the menus at the Italian ministry, maybe. I'm not sure if they're the holder of menus in Italy. Well, you don't know how regulations... Totally, yeah.
Or if you're old school, it could just be hacking because it's possible.
You had to put a payload out to say, ha ha, got you.
Right. Or just simply to see if you can break in. That used to be the excuse used by hackers. Like, why do you climb Everest? Because it's there. And in the days before tough sentences for hackers, it wasn't unusual for people just to go poking around, see where they could get into, wouldn't necessarily cause any damage as such deliberately, but were just seeing what they could access.
But, you know, hackers are often like dogs as well, you know? And if you take a dog to a new park, it's going to try and pee on most of the trees. So I don't think most hackers in that situation would actually go in and just poke around and slip out without having any plan to kind of go hee hee hee.
Maybe it doesn't happen so much these days because certainly if you did get caught and identified, you'd be in trouble even if you didn't cause any damage while you were in there. Right. The simple access would be enough. So it wasn't any of those reasons in this instance, it seems, because the government department was Italy's Ministry of Public Education. That's what the reports claimed.
OK.
And it seems the hacker was interested in compromising a very specific part of the ministry systems. So these are the people that decide what kids learn in school. That kind of thing. Yeah. The people in charge of the schools and things. And there has now been an arrest. Someone has been identified. Somebody comes from the small city of Cesena in Italy.
I need to know what he's done first before I care if he was arrested.
Well, let me tell you what happened. Okay. This young chap, 15 years old.
Wow.
It's widely reported to have broken into it in order to change his grades. Which is a bit Ferris Bueller, isn't it, really?
So he basically, he really went into the Ministry of Education. He didn't go in through his school.
That's what the Italian press are reporting.
OK, the school can't change the grade. He has to go all the way to the top to break in there. OK, what does he want to change his grade? He had an A and he wanted to go down a D? No, there is an easier way to go from an A to a D. I exhibited on many occasions when I was doing exams just how to get a very low grade. No, what he did was, unfortunately, he had F grades. So he was failing. If he was smart, well, he wouldn't have done this in the first place. But if he was in there and desperate to do this and intelligent, he'd probably maybe a C-, you know, like a low, but not too... Yeah, you wouldn't want to be an A-star. That'd be too obvious, wouldn't it? Right. But you would at least try and make it a pass, a C-. Yeah, you just want to be with the herd. He's dumb yet. I think that's a pass. Is an E a pass? Maybe it's like a pass by the skin of your teeth pass. It's the kind of pass where people think, well, you kind of really didn't pass. I think you have to have a C grade or better, don't you? Am I just a tough dad saying you need to get a C or better for it to be a pass? Well, exactly how embarrassing that a 15-year-old got in there.
Well, it would be embarrassing. I mean, that's what companies do, isn't it? When they get hacked, they love to say it's a highly sophisticated attack. Advanced persistent threat. It must have been a state-sponsored hacking gang, you know, backed by the Kremlin who were behind this. You don't want it to be some spotty teenager in their back bedroom who's doing this and needs a bit more vitamin D in their diet. That's the last thing you want. But the ministry says that what actually happened was the hacker gained access to an electronic register which stored the grades. And they say it wasn't managed by the ministry at all. It was an external service contracted by particular schools. So it looks like maybe this hacker, his school, chose a particular service, some company who were providing this service, maybe as an intermediary for the ministry. And it was them who got hacked. And so this chap managed to break in and change his grades. So not quite as dramatic as we imagined. Not as big a deal, despite what the Italian media said about the ministry actually being impacted.
I wonder, though. I'm obsessed with him changing it to an E. Because he's not greedy. Or maybe he was seeing if it worked. Maybe he was then going to go to his classmates and say, hey, would you like your grades changed? Yeah, because everyone knows I'm shit at school.
Yeah, and maybe I'll put it down again later. I mean, presumably in his computer lessons, he's not getting an F grade. One would like to think. And so that's the end of the story, Carole. That's it. There's no more. Oh, hang on. There is one extra thing. Just one more thing. Because it's been reported he didn't just hack his exam grades. There were some other places where he tried to hack. He was looking for other systems online to break into. And he managed to break into an online portal that allowed him to alter shipping routes in the Mediterranean. From the comfort of his bedroom, this youngster, the one who changed his grades from an F to an E, was also able to change schedule routes of oil tankers, forcing them to divert. And he didn't have specialist equipment, he just had his computer.
This is like the Ministry of Transport in Italy?
It hasn't been revealed exactly which portal it was that he managed to break into. I mean, I imagine this is something which isn't widely used by the general public.
Can you see the statement written by the education ministry? It's just going to be crossed out in crayon and added in transport. And it'll be like, supply chain, supply chain, nothing to do with us, Gov. We're safe.
And again, people are wondering, well, why did he do this? And the theory is it's just because he could. Did he actually change anything there? We don't know. Yes, he did. He changed maritime routes. Apparently, oil tankers were going off in the wrong direction. Yeah, he's not got to be smart. He deserves less than an E because that's just crazy. It's just changing a piece of data, isn't it? As far as he's concerned, he's on a web portal and he's either changing his grade or he's changing a port name, right? Not a computer port, but a port where a boat is going to. He's just changing something from a drop-down list, just as he had done with his grades. And while changing the grades hadn't been enough to attract the attention of anybody, crime fighters, yeah, anybody, suddenly there are oil tankers going in crazy places which got the attention. So the security team responsible for protecting this maritime portal, they obviously thought this is a bit of a problem. They were able to isolate the unauthorized logins and determine that they were coming from an IP address in this city of Cesena. And due to this, this teenager, he's been taken to a juvenile court. His fate is going to be decided. But he's become something of a folk hero now in Italy.
Well, more of a folk zero. Come on. I like that. Folk zero rather than folk hero. Very good. Thanks. Does he? Has he not heard about the whole Trump and, you know, make America great again thing? Yeah.
Elon's a bit busy now. Yeah, yeah.
No, but Trump's not into bringing in talent from other parts. Oh, that's true. Yeah, would he get the right kind of visa? Good point. Okay. So this kid did bad stuff that cost a lot of money and probably pissed off a lot of people.
You can imagine so. Certainly with the shipping thing, yeah. Well, yeah.
I don't care about his grade, really. But in both cases, I can see that he's effectively pointed out security flaws in their systems. Right. So thank you for that. You responsibly disclose a vulnerability by sending an email in. You don't send an oil tanker to the wrong port in the Mediterranean to reveal that there's a security problem.
But he is 15. And that is a kid. It is a kid. But this is the problem. Loads of kids are actually quite adept on the old computers. And a lot of the systems out there aren't properly secured or protections aren't in place. Tell us, oh, wise parent. How is it going there with your kid? Exactly. Yeah.
Carole, what's your story for us this week?
So we have Ray Cortez. And Ray belongs to the silent generation. Can you approximate his age from that?
The silent generation? Is he a Trappist monk? What is—no.
He's not Gen Z or Gen X or a boomer, a millennial. He's from the silent generation.
Oh, does that mean not actually born yet, so not talking?
No. It was during the Great Depression, World War II. They think that as a result of all the horror, they developed a more conformist and cautious attitude compared to generations since, before or after. In other words, Ray is in his 90s. Okay, that's a lot of life. That's a lot of life.
It's a lot of life.
But sadly, Ray is not having the best of times and it has nothing to do with his age or his health. The fact is that 90-year-old Ray has been fighting eviction from his family home in Brooklyn. So way back in 1969, he paid just shy of $20,000 for this Brooklyn brownstone. Those were the days, right guys? And this is where he was married and raised a family. But in 2006, and by then Ray had lived there almost 40 years and he was age 72, the story goes that Ray was seeking money for some home renovations and he was duped into signing over the deeds of his home to another man who pretended that he was going to help him. So yes, we are talking today on Smashing Security about deed theft or deed theft scams or house title scams, as they're also known. This is where some unauthorized ne'er-do-well attempts to steal the ownership of your home. Now, there are two common scenarios. One is the legit homeowner is deceived. So the scenario might play out like this: you're behind on your mortgage payments and live in an area with a hot real estate market, and someone contacts you claiming to be a foreclosure specialist or something like that. And scammers will use public records to find homeowners who are in foreclosure or behind on their mortgage. So this person then seems trustworthy, empathetic to your financial struggles, and even more importantly, they have a plan to help you keep your home. But first, you just need to sign a few legal documents, and then there will be the deeds. Or scammers might ask you to directly sign over your home deed for safekeeping. They might promise that your property will be transferred to a trusted relative so that you can avoid foreclosure until your finances are back in order. And then, of course, scammers will transfer your home to their name or the name of a shell company. And if the document is notarized and filed with the county clerk, the house will technically belong to the scammer. Nasty. 
And then it gets worse, because once you've signed over your deed, scammers can require you to make lease payments or they can use your home as collateral for large loans. They can evict you. They can take possession. They can do basically anything a homeowner can do because they are effectively the new homeowner.
And this chap, he's been living there for decades and decades. He's an elderly chap.
This is what happened to Ray because at the time, Ray thought the transaction was legit. But no, the scammer allegedly takes out a home equity line of credit against Ray's house to the tune of $700,000. And Ray was not kept in the loop. He had no idea this had happened, so of course didn't make the payments. And the credit never being paid off, the house was foreclosed. And it was foreclosed for a whopping $2 million. Remember, he paid only $20,000 for it, so thank you, gentrification. Since the foreclosure, the new owner, an LLC, has been working on evicting Ray from his own home. So that isn't the scammer, is it? That's someone new who's come along and bought the property. The scammer walked away with $700,000, and then the house was foreclosed by the bank. There's a new buyer and they're the ones going, hey, get out of there. I want to live there myself. I've paid the money. You know, the buyer isn't really doing anything wrong there, are they? In a way, it's they've purchased the property in good faith. Exactly. So that was scenario one, where the legit owner gets duped by somebody who presents themselves as someone trying to help you.
Exactly. Oh, my goodness.
So the land registry approved the fraudulent application. And if we go back to the state, so this happened last year. A Missouri woman was arrested on federal charges for reportedly attempting to defraud Elvis Presley's family of millions of dollars and to steal the family's ownership interest in Graceland, Memphis, Tennessee.
Were they caught in a trap? They couldn't get out?
The woman who has too many should have had
Suspicious minds, really, shouldn't they?
The woman has so many aliases I couldn't even count them, but she posed as three individuals representing a fictitious private lender, saying that Presley's daughter borrowed 3.8 million in 2018 from this fictitious private lender and pledged Graceland as collateral. Why would scammers have the audacity to do this, to pretend to be the child of Elvis Presley and offer up Graceland as collateral? I mean, surely that would ring some alarm bells. They know, but maybe they are taking a look around, but they say, oh, yeah, no, we're with the electricity board. We just got to check out your... Yes, but the
People who are innocently buying, they don't pretend to be from the electricity board, do they, Carole? That's true, that's true. I've never done that when I've been looking around the house. I've never pretended to be from a utility company.
This woman who tried to get Graceland, she even published a fraudulent foreclosure notice in the local paper announcing that her bogus firm planned to auction Graceland to the highest bidder.
Is this woman insane? It was a bold move. Did this work? Did this work? No, it did not. She was arrested this past August and is currently charged with mail fraud and aggravated identity theft. There is a lot of identity theft, actually, with Elvis Presley. You would be surprised how many people impersonate him on a regular basis.
I wonder, you know, remember Elvis is alive. That was a big thing when I was a kid. You know, Elvis hasn't died. He's alive at some island or something. And I just wonder how old Elvis would be today if it's even possible.
He would be about 90, I think, maybe something like that.
Yeah, so it's possible he's still going. But we don't have long for that conspiracy theory unless, you know, he's invested in some high-tech
Drugs. He's cryogenically suspended next to Walt Disney. He's like a head in some weird liquid. So to answer, is it really possible for scammers to steal your home? The answer is yes. And you might not even know they've done it until it's too late. In fact, I think the scam entirely depends on that fact. But this is a labor-intensive type of scam. And the number of reports is on the up, but it is by no means a popular way to dupe you out of your assets. Yes. And maybe if someone has actually put a different mailbox on your drive. That's right.
But if you're not home, you wouldn't necessarily notice.
No, you wouldn't, no. Yeah. I'll have to tell the neighbours, don't just water the plants and look after the cat, but also keep an eye open for any mailboxes which suddenly appear. You want to monitor your credit report to help you catch suspicious activity, such as new accounts opened in your name or unauthorised changes to your existing accounts. Right. If you go away for an extended period of time, people do go away, especially after they've retired and they have a lot of equity in their homes. Have your mail forwarded to somewhere or ask someone you trust to pick up the mail.
That's right. Tailscale is a modern networking solution for connecting your applications, your services and devices securely. It's great for companies and it's great for self-hosters too. And it's fast, like really fast. It's private. It's easy to deploy. Zero config, no fuss VPN. Plus it means zero trust. Every organization can use this.
Thousands of companies already use Tailscale, like Instacart, Hugging Face, Duolingo, and more. So why not try Tailscale for free today? You'll get 100 devices and three users for free with no credit card required. Want to learn more? Visit smashingsecurity.com slash Tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show. Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security Podcast. And this week, we want to tell you about how 1Password's extended access management can help your business.
This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control. And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. 1Password's award-winning password manager as well is trusted by millions of users, and over 150,000 businesses from IBM to Slack. And now they're securing more than just passwords with 1Password Extended Access Management.
I'm just looking at it now. It looks quite cool.
They are cool. And there are even ones for dealing with your manager.
Yeah, I just was looking at that one. I was looking one for co-host, but they didn't have that. Julia, work on that. That's something that we all want now. Carole, what's your pick of the week? All righty. For my pick of the week, I am choosing a novel, a thriller called Listen for the Lie by Amy Tintera. Loosely the premise is you're following this woman Lucy Chase who reluctantly returns to where she grew up Plumpton Texas for her grandmother's birthday and she's reluctant because the whole town thinks she murdered her best friend five years ago when they were both in their early 20s. Bit awkward. Yeah, and then cue true crime podcast investigator.
Hang on, this is a novel about someone who hosts a podcast and investigating crimes. Isn't that brilliant? This is your dream, isn't it?
I know. It's fantastic. Okay, and Ben Owens, who wants to tell her story, and it takes to interviewing people about town. And so the story is kind of, you hear Lucy's story, and it goes back to the time of the murder near the end, but you're kind of getting her backstory, and she's full of resentment and edge. And then it's interspersed with pod interviews with locals that reveal a little bit more about what happened on that fateful night. Or are they lying? So it's perfect fun for a lazy night in, which I've been having lots of because the weather in England is just abysmal this year. But this book has everything. It has podcasts, small towns, murder, love, friendships, and big fat liars. So that's Listen for the Lie by Amy Tintera, my pick of the week.
Terrific stuff. Now, Carole, you had a chat with the folks from Tailscale this week.
Yes, it's a really neat concept. I chat with Avery Pennarun. He's the co-founder and CEO of Tailscale, to learn how it all works. Check it out. So listeners, we have a very special guest today, Avery Pennarun. He's co-founder and CEO of Tailscale, the company revolutionizing secure networking and its zero trust approach. Avery, welcome so much to Smashing Security, we're happy to have you here.
I'm happy to be here.
So maybe we can start with you telling us a little bit about your background and what drove you to co-found and head up Tailscale?
All right, super short version of my background or semi-short version of my background. I grew up in Thunder Bay, Ontario, northern Canada. My first job was working at the very first dial-up internet provider in Thunder Bay. So we brought internet to that city. I went off to University of Waterloo. I started my first startup while I was in university with my roommate from there and it got a little, I guess, out of hand, eventually acquired by IBM. I then had a brief stint in the banking industry that I don't talk about very often. I went from there to Google where I worked on Google Wallet and then Google Fiber, the gigabit internet service, the first people to bring gigabit internet to consumers in North America. My team was working on the Wi-Fi routers, both the hardware and the firmware that goes into people's homes. So connects to the TV boxes and stuff like that. I left from there from Google and decided it's like, okay, that was great, but I actually preferred the startup life rather than the Google life, the big company life. And so I decided to start a new startup. I wasn't exactly sure what I wanted to do, but I knew what I wanted it to be about, which is the opposite of internet scale stuff that I saw everywhere at Google. And so the name came before anything else, Tailscale, the opposite of internet scale.
Let's build small things using small networks for people who don't have the problem of needing to serve millions of requests that search the entire internet in 100 milliseconds.
Yeah, you went to my alma mater. I'm a Waterloo girl as well. Now, when I was researching for this interview, I noticed that you said in a post that things have become much worse for developers despite all the technical advancements. Can you say more about this for me?
Sure. Well, when I was in high school working at this dial-up internet provider, you know, this was in the 1990s. And you would have thought that in the intervening 30 years of technology advancements that it would become easier to write software. But I was a high school student who had no experience from anything other than just dealing with my computer at home. And I was writing tools and user-facing software at this ISP. And, you know, I used Microsoft Access to build the internal accounting system for this ISP that people actually used, like it was running out of a computer store. And I was a high school student. They hired me to do this. You didn't need a team of developers. You didn't need people with training. We ran the whole thing ourselves just, you know, on a complete shoestring. And nowadays it's possible to do that, but it's much less likely because you run into just problem after problem after problem. And most of the problems are not developing the software you wanted to build in the first place. The problems are portability, upgrades, security, networking, connectivity, and so on. And a lot of these problems started happening because we connected everything to the internet. And now when everything's connected to the internet, you have this need to make everything perfect all the time.
Because if it's not perfect, some attacker from some foreign country who has no business having any relationship with your computer at all can come in and attack this software your high school student wrote for you and create some big problems. Yeah, that's kind of scary when you say it like that. I would like to understand more about how Tailscale differs from your more traditional VPN.
The majority of people in the world are good people, right? But if you connect billions of them together, then the bottom 0.0001% or whatever are very bad people. And those people have equal access to get at your servers as all the other people in the world. And if you could just cut off this bottom group of people and only let your service connect to whoever is supposed to be connected to, everybody else in the world who shouldn't have access to it are the problem if your default is just deploy things to an AWS server or whatever and open up some ports and hopefully put in some authentication. So Tailscale fundamentally, it happens to be implemented as a VPN. That's the technology that we use. But what it's for is making it easy to build small things for small teams. And one of the problems we actually, when we were starting, is we didn't know that we're going to make a VPN. We just knew we wanted to make small, make it easier to make small things for small teams. And so we made a list of 100 things that get in your way when you're trying to launch some internal dashboard or internal app or internal tool that some person has built. And we prioritize it in the top two or what I call connectivity and security. I need people on my team to be able to connect to my thing. And I need people not on my team to not be able to connect to my thing. And so we built a VPN-based tool that makes that easy. And we never got to the other 98 things on the list because the VPN tool took off so much.
So Tailscale is focused on removing many layers of complexity while letting the right people and the right services and the right devices connect securely. Right. And this is all end-to-end encrypted, I'm assuming.
Yes. So Tailscale, the neat thing about it. So first of all, I guess I should say there's two kinds of VPNs and the word VPN has sort of changed its definition over time. So the original definition of VPN is a virtual private network, which means a private network being a literal physical ethernet that back in the day used to plug your computer into. And nowadays you connect to your Wi-Fi. That's one network, right? And a virtual private network is one you can access remotely. So the physical network doesn't matter. It's just you can access this virtual array of your own computers. The more common usage of VPN nowadays is what I call consumer VPN. Some people call them privacy VPNs, which is kind of ironic because they're not that great for privacy. But those ones, you pay a service and you write all your traffic through this privacy VPN. And the reason that it's ironic is that this privacy VPN now has access to all of your traffic and can look at it. And then it goes out to the Internet. Right. Tailscale is the first kind, the original kind of VPN. One of the reasons we don't lead with Tailscale as a VPN very often is that it causes this confusion between the two kinds. Does that make sense?
Yeah, yeah, totally makes sense. So, okay, so a company is looking at you and going, okay, I like the way this sounds. What do you say to them then? Usually I go all the way back to, okay, what are you trying to do? And what problems are you running into as you try to do those things? So companies, you know, to some extent are pretty much all the same. On the inside, anyway, they've got a bunch of internal services that their developers are trying to use. So for example, there's a little Tailscale open source thing that we made called GoLinks. You might've heard other people's or seen other people's GoLink tools. It just allows you to go like go slash name inside your browser and it'll jump to some internal website. It's just basically your own little short link service for inside your company. Say I made a go link service, and I want to run it at my company. What do I need to do to make that happen? Well, I need to have a place where I host it, right? I need to have DNS that's working. I need to have a TLS certificate so that my browser doesn't blame me for having insecure DNS, right? And I have to make it so everybody at my company is able to get to the service wherever it's located. And I want to make it so people not at my company can't see where all my go links go, so they shouldn't be able to access it. To do all of those things is a lot of work, right? And so many companies are at the level of maturity now where they already set up some internal DNS, they can run internal services, they have an internal network with a firewall behind it. And so it's not that hard to run new things on the inside network, as long as you're working with the security and IT teams to make sure the right firewall port gets opened at the right time or whatever. So a traditional corporate VPN would be used for people not in the office to be able to get access to the private network so they can access all these things to set up. 
But if you're a company that doesn't have all these things or you don't want to employ this IT slash security team for your scale or your IT and security team would rather be doing something else, Tailscale just sort of fragments it all into, okay, I've got a service. I've got people who want to be able to access this service. And Tailscale makes it so it doesn't really matter where in the world or what provider you host that service on. You don't have to open any firewall ports. You can leave the firewalls all completely closed with no open ports whatsoever. And everybody in the whole system is authenticated using SSO. So typically Google or Microsoft, Entra or Azure AD or Okta or GitHub authentication. You authenticate the VPN or the Tailscale system using your regular login you would for any SaaS product. And then you just instantly get access to everything everybody inside your company has published that should be available to you without having to worry about where those things are. So you could locate them at multiple different cloud providers. You can locate them in multiple different regions of the world. You can put them behind different firewalls. You can even have, you left your laptop back at home behind one firewall. You can go to a cafe and access your laptop from your phone behind the cafe's firewall. And you get point-to-point direct connections. It doesn't get relayed through Tailscale. So it minimizes the latency and overhead. And it's end-to-end encrypted because those keys are generated by your own devices and we never see the keys. You make it sound like it's super easy, but you know, it sounds quite revolutionary. Why has no one thought of this before? I guess I have two answers. One is anybody can think, wow, this should have been easier. That doesn't always explain how to build the product. And secondly, not everybody even thinks about the fact that it actually should be easy.
One of the most common bits of feedback we get about Tailscale is people try it and they're, for a few minutes, they're actually angry and they're not angry at us. They're angry at the fact that they've been suffering from this pain for years and they didn't even realize that they were suffering from the pain because they were so used to it. And they're just, wait a minute, none of these things needed to be this terrible. Yeah. How did we get here? I didn't even realize it didn't need to be this terrible. People have stopped even thinking about the fact that DNS sucks, right? Fundamentally, DNS just sucks, right? Setting up DNS sucks, DNS servers suck, DNS security sucks. You know, if you have a dynamic IP address, maintaining your dynamic IP in DNS, it all sucks, right? You've got all these memes about the problem always being DNS. And Tailscale just, whoop, what if you didn't have to do all that stuff? And the names just showed up, right? And it works, right? But people have even stopped, you know, people make jokes about how terrible DNS is, but nobody says, oh, if only we just got rid of it. And you also share so much information publicly, right? You kind of operate publicly. You share your security policies. You include your SOC 2 report and put that out there. Even your code is open source. That's a big decision. A lot of companies don't go down that route. So what attracted you to that?
I mean, first of all, I'm just a big open source fan from the beginning. When I first got my job in high school doing this internet service in my city, it was because I had studied up on stuff on the internet and I downloaded Linux on floppy disks and I installed it on my computer and all of that stuff was only possible because open source existed. So I owe my entire career to open source. But secondly, Tailscale is trying to improve internet connectivity for everybody. And I know there's lots of people out there who would not be happy installing this opaque binary on their computer that would otherwise be a completely open source computer just to fix internet connectivity, right? When the internet protocol is open source. And so it's really important that if we're going to be improving the way the internet protocol works, we have to build a system that's open source that people can have confidence in and look at. It's not that hard to understand roughly how it works. It's really hard to put together all the pieces to make them super reliable all the time. And I think people underestimate the difficulty of just running a network securely and reliably. The most important feature of Tailscale is the one that you never really hear about. It's just the number of nines of uptime of the network you get when you put all the pieces together. And if you just take open source, the joke is sort of like batteries are not included, right? We've included all the parts. Now you get to assemble them yourself. You can put in batteries, but now you're the network administrator, which is not the point. The whole point was for you to not have to be the network administrator. We do it for you.
Okay, now we have to talk about AI, the huge hungry beast that is on everyone's tip of their tongue and on every marketing blurb and every website that I've seen since the last six months. Takes a lot of gas, right, to run all these things. It's like the Cobra Jet Mustang of the 60s. So how do you cope with the AI world? Does it change anything for you?
I think the Cobra Jet Mustang is an excellent analogy because my dad had one growing up. I never saw it. He had it before I was born. But he was very excited about his Cobra Jet Mustang. And he said it was so fast that less than a year after he got it, he sold it because he was terrified at how fast it went. That pretty much tells the entire story of AI. I think there's a lot of potential in AI systems the way they're being built right now. I think people quite frequently are using them for nonsense that is not going to be sustainable, and then quite frequently are using them for amazing stuff that's great. What's happened with AI and Tailscale is that almost all the AI companies out there are using Tailscale as their network backend. And that includes some very big names that we're not allowed to mention. It includes hundreds of much smaller companies that are training AI systems to do all kinds of different things. I have a blog post about it. It's called AI Companies Are Not that Unusual, Actually, or something like that. So we recently launched an AI startups program that gives enterprise-level Tailscale. I think it's free for the first year, and then discounts and stuff on top of that. So we just want to make sure that AI companies are having the maximum level of success and try out all the interesting enterprise-y features while they have the chance.
I think we're out of time, but is there anything that you'd like to add? Anything that you think our listeners would love to hear about? I think something important to mention is Tailscale is available for free for personal use up to three users on a so-called Tailnet which is your private network and so that works great for friends and family kind of use cases, it works great for your own stuff so I wasn't kidding about leaving your laptop at home and accessing it from your phone in a cafe or something like that. We have a tool called TailDrop which if you use Apple devices it's sort of like AirDrop except it doesn't only work on Apple devices, it works on any kind of device that can run Tailscale which is almost any kind of device in the world and it works even though they're not physically right next to each other. I know there's going to be tons of listeners whose ears have perked up listening to this and are going to want to learn more about this fascinating technology. So what you do is you can check out smashingsecurity.com slash tailscale. That's smashingsecurity.com slash T-A-I-L-S-C-A-L-E. And huge thank you to you, Avery Pennarun, co-founder and CEO of Tailscale.
You're welcome. Nice talking to you.
Fascinating stuff. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts.
Huge thank you to our episode sponsors, Tailscale and 1Password. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalogue of more than 400 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye. All right. Excellent. Another one bites the dust. Thank you.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- Report from Corriere Di Bologna newspaper.
- Dear Musk, hire the fifteen-year-old hacker from Cesena right away – Il Foglio.
- 15-Year-Old Hacker Diverts Ships in Mediterranean Sea for Fun – Hot for Security.
- 90-year-old immigrant could lose Brooklyn home after deed theft scam, family says – CBS News.
- Protect your home. Spot the signs of deed theft – Better Business Bureau.
- Woman Charged for Scheme to Defraud Elvis Presley’s Family – DOJ.
- Home Title Theft: How To Protect Yourself – Forbes Advisor.
- Here’s How Scammers in America Can Take the Title to Your Home Without You Knowing It – Moneywise.
- Could a Criminal Use Deed Fraud to Steal Your Entire Home? – AARP.
- Could Fraudsters Steal Your Home From Under Your Nose? – HomeOwners Alliance.
- Wizard Zines.
- Listen for the Lie – Amazon.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
