An Italian hacker makes the grade and ends up in choppy waters, and hear true stories of title deed transfer scams.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Plus – don’t miss our featured interview with Avery Pennarun of Tailscale.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
No, no, I'm not saying that. I'm saying this is a problem for society. Why isn't this kid kicking a ball around or doing something else?
Is he maybe spending too long doing the computers? Should he be doing jigsaws?
Is he maybe spending too long doing the computers? Should he be doing jigsaws?
Tell us, oh wise parent, how is it going there with your kid? Exactly.
Smashing Security, Episode 401: Hacks on the High Seas. And how your home can be stolen under your nose with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 401. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 401. My name's Graham Cluley.
And I'm Carole Theriault.
Carole, what's coming up on the show this week?
Well, first, let's thank this week's wonderful sponsors, 1Password and Tailscale. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about a hacker who found himself in choppy waters.
Okay. And I'm going to be looking at when bad deeds come back to haunt you.
Plus, we have a fabulous featured interview with the zany but oh so brainy Avery Pennarun, co-founder and CEO of Tailscale.
And this is where I sink my teeth into how Tailscale is making secure networking easier, faster, and way safer.
All this and much more coming up on this episode of Smashing Security.
Plus, we have a fabulous featured interview with the zany but oh so brainy Avery Pennarun, co-founder and CEO of Tailscale.
And this is where I sink my teeth into how Tailscale is making secure networking easier, faster, and way safer.
All this and much more coming up on this episode of Smashing Security.
Now, chums, let me first of all take you to the beautiful country of Italy. That is somewhere I would rather be than old Blighty at the moment.
Hopefully it's a little bit— well, it may not be warmer, actually. Maybe in the southern parts of Italy it's warmer. Italy, well, it's given us a lot, hasn't it?
Passionate opera, great artists, It's given us everything.
Hopefully it's a little bit— well, it may not be warmer, actually. Maybe in the southern parts of Italy it's warmer. Italy, well, it's given us a lot, hasn't it?
Passionate opera, great artists, It's given us everything.
Pasta, pizza.
What, pasta, pizza? Hasn't given us pineapple on our pizza, which I think is a shame. I don't know where you stand on that.
I think— Oh, really? Oh. I'm not a cheese pineapple pizza lover.
No. No? Oh, okay. I think Hawaiian pizza, not that bad. But I'm not here to talk about fine dining today. I am here to discuss—
Fine dining.
But what? I am here to discuss cybersecurity, because an Italian government department was recently reported to have suffered a breach.
Okay.
Carole, my question to you is, why would somebody hack an Italian government ministry? Why do you think they would do it?
Well, the obvious answer would be to find out what Berlusconi really did in the hot tub.
Well, hello.
No, no, I don't know. Probably to steal information.
And what would they do with the information?
They would put it on the darkweb for sale.
Yes, that often happens, doesn't it?
Mm-hmm. Or hold them for ransom.
Holding them for ransom. Yes. So again, financial gain. It's all about making money. It may not be about making money though, mightn't it?
It might be an employee that used to work there that was ousted in a way that they didn't think was very cool. So they then decided to show them who was really boss.
Oh yes, someone with a grudge. Yep, yep. Those are always fun. Could be political as well.
It could be some rabid wing of some sort of faction of people who have an opinion about Hawaiian pizza. They could be changing the menus at the Italian ministry, maybe.
It could be some rabid wing of some sort of faction of people who have an opinion about Hawaiian pizza. They could be changing the menus at the Italian ministry, maybe.
I'm not sure if they're the holder of menus in Italy.
No. Well, you don't know how regulations— Espionage, of course. It could be something like that, couldn't it? It could be another country breaking in.
Totally, yep.
Or if you're old school, it could just be hacking because it's possible.
Yeah, to put a payload out to say, "Haha, got you." Right, or just simply to see if you can break in.
That used to be the excuse used by hackers. Like, why do you climb Everest? Because it's there.
And in the days before tough sentences for hackers, it wasn't unusual for people just to go poking around, see where they could get into.
Wouldn't necessarily cause any damage as such deliberately, but were just seeing what they could access.
And in the days before tough sentences for hackers, it wasn't unusual for people just to go poking around, see where they could get into.
Wouldn't necessarily cause any damage as such deliberately, but were just seeing what they could access.
But, you know, hackers are often dogs as well, you know? And if you take a dog to a new park, it's gonna try and pee on most of the trees.
Right.
So I don't think most hackers in that situation would actually go in and just poke around and slip out without having any plan to kind of go, hee hee hee.
Maybe it doesn't happen so much these days because certainly if you did get caught and identified, you'd be in trouble. Even if you didn't cause any damage while you were in there.
Right.
The simple access would be enough. So it wasn't any of those reasons in this instance, it seems, because the government department was Italy's Ministry of Public Education.
That's what the reports claimed.
That's what the reports claimed.
Okay.
And it seems the hacker was interested in compromising a very specific part of the ministry's systems.
So these are the people that decide what kids learn in school.
That kind of thing, yeah. The people in charge of the schools and things. And there has now been an arrest. Someone has been identified.
Somebody comes from the small city of Cesena in Italy.
Somebody comes from the small city of Cesena in Italy.
I need to know what he's done first before I care if he was arrested.
Well, let me tell you what happened.
Okay.
This young chap, 15 years old.
Wow.
It's widely reported to have broken into it in order to change his grades. Which is— it's a bit Ferris Bueller, isn't it, really?
So he basically, he really went into the Ministry of Education. He didn't go in through his school.
That's what the Italian press are reporting.
Okay, the school can't change the grade. He has to go all the way to the top to break in there. Okay, what does he want to change his grade? He had an A, he wanted to go down to D?
No, there is an easier way to go from an A to a D. I exhibited on many occasions when I was doing exams just how to get a very low grade.
No, what he did was, unfortunately, he had F grades.
No, what he did was, unfortunately, he had F grades.
Ah, so he was failing. He was out of there.
Yeah, F's not very good. So, what do you think he did? He changed them to, well, what do you imagine?
Well, if he was smart—
Yeah?
Well, he wouldn't have done this in the first place. But if he was in there and desperate to do this and intelligent, you'd probably maybe a C minus, you know? A low, but not too—
Yeah. You wouldn't want to be an A star. That'd be too obvious, wouldn't it?
Right.
But you would at least try and make it a pass, a C-minus. That would be—
Yeah, you just wanna be with the herd.
He changed his grades to an E. Okay. So much for education.
No, no, no.
I mean, no, but seriously.
I don't think he's dumb yet. I think, 'cause that's a pass.
Is an E a pass?
Yeah, an E's a pass. Well, maybe it's—
Not really, is it?
Maybe it's a pass by the skin of your teeth pass.
It's the kind of pass where people think, well, you didn't really pass. I think you have to have a C grade or better, don't you?
Am I just a tough dad saying you need to get a C or better for it to be a pass? I don't know. But anyway, he changed it from an F to an E. What was the point of that?
Now, the press went bonkers over this, right? And they reported that the ministry got hacked.
And as you've rightly guessed, Krow, that isn't necessarily the real story because the ministry itself is now putting out its own spin on things.
It's keen for everyone to know that it wasn't a part of its systems that were hacked.
Am I just a tough dad saying you need to get a C or better for it to be a pass? I don't know. But anyway, he changed it from an F to an E. What was the point of that?
Now, the press went bonkers over this, right? And they reported that the ministry got hacked.
And as you've rightly guessed, Krow, that isn't necessarily the real story because the ministry itself is now putting out its own spin on things.
It's keen for everyone to know that it wasn't a part of its systems that were hacked.
Well, exactly how embarrassing that a 15-year-old got in there, right?
Well, it would be embarrassing. I mean, that's what companies do, isn't it? When they get hacked, they love to say it's a highly sophisticated attack.
Advanced persistent threat.
It must have been a state-sponsored hacking gang, you know, backed by the Kremlin who were behind this.
You don't want it to be some spotty teenager in their back bedroom who's doing this, who needs a bit more vitamin D in their diet. That's the last thing you want.
But the ministry says that what actually happened was the hacker gained access to an electronic register which stored the grades.
And they say it wasn't managed by the ministry at all. It was an external service contracted by particular schools.
So it looks like maybe this hacker, his school, chose a particular service, some company who were providing this service, maybe as an intermediary for the ministry, and it was them who got hacked.
And so this chap managed to break in and change his grades. So not quite as dramatic as we imagined.
Not as big a deal, despite what the Italian media said about the ministry actually being impacted.
You don't want it to be some spotty teenager in their back bedroom who's doing this, who needs a bit more vitamin D in their diet. That's the last thing you want.
But the ministry says that what actually happened was the hacker gained access to an electronic register which stored the grades.
And they say it wasn't managed by the ministry at all. It was an external service contracted by particular schools.
So it looks like maybe this hacker, his school, chose a particular service, some company who were providing this service, maybe as an intermediary for the ministry, and it was them who got hacked.
And so this chap managed to break in and change his grades. So not quite as dramatic as we imagined.
Not as big a deal, despite what the Italian media said about the ministry actually being impacted.
I wonder though. I'm obsessed with them changing it to an E. 'Cause he's not greedy.
Or maybe he was seeing if it worked. Maybe he was then going to go to his classmates and say, "Hey, would you like your grades changed?
I can provide this service to you." For €100.
Or maybe it was simply because it was there and he's just wondering, "Oh, I wonder if I could, but I don't want to get into any trouble, so I'll just put up the grade a little bit." 'Cause everyone knows I'm shit at school, so maybe I'll put it down again later.
I mean, presumably in his computer lessons, he's not getting an F grade. One would like to think. And so that's the end of the story, Kroll. That's it. There's no more. Oh, hang on.
There is one extra thing.
I can provide this service to you." For €100.
Or maybe it was simply because it was there and he's just wondering, "Oh, I wonder if I could, but I don't want to get into any trouble, so I'll just put up the grade a little bit." 'Cause everyone knows I'm shit at school, so maybe I'll put it down again later.
I mean, presumably in his computer lessons, he's not getting an F grade. One would like to think. And so that's the end of the story, Kroll. That's it. There's no more. Oh, hang on.
There is one extra thing.
Okay, Columbo, hit me.
Just one more thing. I'm sorry, my wife. Because it's been reported he didn't just hack his exam grades. There were some other places where he tried to hack.
He was looking for other systems online to break into. And he managed to break into an online portal that allowed him to alter shipping routes in the Mediterranean.
From the comfort of his bedroom, this youngster, the one who changed his grades from an F to an E, was also able to change scheduled routes of oil tankers, forcing them to divert.
And he didn't have specialist equipment. He just had his computer.
He was looking for other systems online to break into. And he managed to break into an online portal that allowed him to alter shipping routes in the Mediterranean.
From the comfort of his bedroom, this youngster, the one who changed his grades from an F to an E, was also able to change scheduled routes of oil tankers, forcing them to divert.
And he didn't have specialist equipment. He just had his computer.
This is the Ministry of Transport? In Italy?
It hasn't been revealed exactly which portal it was that he managed to break into. I mean, I imagine this is something which isn't widely used by the general public.
You know, it must be.
You know, it must be.
Can you see the statement written by the Education Ministry? It's just going to be crossed out in crayon and added in transport.
And it'll be, supply chain, supply chain, nothing to do with us, gov. We're safe.
And it'll be, supply chain, supply chain, nothing to do with us, gov. We're safe.
And again, people are wondering, well, why did he do this? And the theory is, it's just because he could.
Did he actually change anything there? We don't know. Yes, he did.
He changed maritime routes. Apparently, oil tankers were going off in the wrong direction. So—
Yeah, he's not got to be smart. He deserves less than an E, because that's just crazy.
It's just changing a piece of data, isn't it? As far as he's concerned, he's on a web portal, and he's either changing his grade or he's changing a port name, right?
Not a computer port, but a port where a boat is going to. He's just changing something from a dropdown list, just as he had done with his grades.
And while changing grades hadn't been enough to attract the attention of—
Not a computer port, but a port where a boat is going to. He's just changing something from a dropdown list, just as he had done with his grades.
And while changing grades hadn't been enough to attract the attention of—
Of anybody.
Crime fighters. Yeah, anybody. Suddenly, there are oil tankers going in crazy places, which got the attention.
So the security team responsible for protecting this maritime portal, they obviously thought, "Oh, this is a bit of a problem." They were able to isolate— I'm not sure "Oh" is necessarily Italian.
They were able to isolate the unauthorized logins and determine that they were coming from an IP address in this city of Cesena.
And due to this, this teenager, he's been taken to a juvenile court. His fate is going to be decided. But he's become something of a folk hero now in Italy.
So the security team responsible for protecting this maritime portal, they obviously thought, "Oh, this is a bit of a problem." They were able to isolate— I'm not sure "Oh" is necessarily Italian.
They were able to isolate the unauthorized logins and determine that they were coming from an IP address in this city of Cesena.
And due to this, this teenager, he's been taken to a juvenile court. His fate is going to be decided. But he's become something of a folk hero now in Italy.
Well, more of a folk zero. Come on, I like that.
Folk zero rather than folk hero. Very good.
Thanks.
There is a chap called Antonio Garrado. And he has been writing for the Italian daily newspaper Il Foglio.
And in his piece, he's called on— I apologise for mentioning this person because I'm really trying to mention him less after my recent episodes.
He's called on none other than Elon Musk to hire this 15-year-old immediately. Gerardo says—
And in his piece, he's called on— I apologise for mentioning this person because I'm really trying to mention him less after my recent episodes.
He's called on none other than Elon Musk to hire this 15-year-old immediately. Gerardo says—
Oh, has he not heard about the whole Trump and, you know, Make America Great Again thing?
Yeah, Elon's a bit busy now.
Yeah, yeah, no, but Trump's not into bringing in talent from other parts.
Oh, that's true. Yeah, would he get the right kind of visa? Good point.
So this columnist, Garrado, he says that the 15-year-old, rather than enjoying himself in his bedroom— Garrado used rather fruitier language than that, which I'm not going to repeat.
He had managed to show the Ministry of Education and the Merchant Navy who was boss.
He wrote that he couldn't believe the boy was not being rewarded, whereas of course he's actually being punished. I'm not sure working for Elon Musk would be a reward, to be honest.
And Corrado, who's a philosopher, by the way, as I mentioned, many Italian columnists are, he said that the boy's phone and computer should be returned to him immediately.
The criminal complaint should be withdrawn and turned into a CV instead.
And if the Italian government don't hire him, he should be shoved on the first plane to America where he would surely be employed.
So this columnist, Garrado, he says that the 15-year-old, rather than enjoying himself in his bedroom— Garrado used rather fruitier language than that, which I'm not going to repeat.
He had managed to show the Ministry of Education and the Merchant Navy who was boss.
He wrote that he couldn't believe the boy was not being rewarded, whereas of course he's actually being punished. I'm not sure working for Elon Musk would be a reward, to be honest.
And Corrado, who's a philosopher, by the way, as I mentioned, many Italian columnists are, he said that the boy's phone and computer should be returned to him immediately.
The criminal complaint should be withdrawn and turned into a CV instead.
And if the Italian government don't hire him, he should be shoved on the first plane to America where he would surely be employed.
Okay, so this kid did bad stuff that cost a lot of money and probably pissed off a lot of people.
You can imagine so, certainly with the shipping thing.
Yeah. Well, yeah, I don't care about his grade really, but in both cases, I can see that he's effectively pointed out security flaws in their systems, right? So thank you for that.
However, the only reason rewarding him is because we found him and were able to—
However, the only reason rewarding him is because we found him and were able to—
Yes.
You know, if we hadn't found him, we'd be like, oh, who's this rascal destroying everything in Italy?
You responsibly disclose a vulnerability by sending an email in. You don't send an oil tanker to the wrong port in the Mediterranean to reveal that there's a security problem.
But he is 15. And that is a kid.
It is a kid. But this is the problem. Loads of kids are actually quite adept on the old computers.
And a lot of the systems out there aren't properly secured or protections aren't in place.
And a lot of the systems out there aren't properly secured or protections aren't in place.
You think he should go to jail?
No, no, I'm not saying that. I'm saying this is a problem for society. Why isn't this kid kicking a ball around or doing something else?
Is he maybe spending too long doing the computers? Should he be doing jigsaws?
Is he maybe spending too long doing the computers? Should he be doing jigsaws?
Tell us, tell us, oh wise parent, how is it going there with your kid? Exactly.
Yeah. Carole, what's your story for us this week?
So we have Ray Cortez, and Ray belongs to the Silent Generation. Can you approximate his age from that?
The Silent Generation? Is he a Trappist monk?
No, he's not Gen Z or Gen X or a boomer or a millennial. He's from the Silent Generation.
Ah, does that mean not actually born yet? So not talking?
No, it was during the Great Depression, World War II.
Oh.
They think that as a result of all the horror, they developed a more conformist and cautious attitude compared to generations before or after.
Oh.
In other words, Ray's in his 90s. Okay? That's a lot of life. That's a lot of life.
It is a lot of life.
But sadly, Ray is not having the best of times. And it has nothing to do with his age or his health.
Yeah.
The fact is, is that 90-year-old Ray has been fighting eviction from his family home in Brooklyn. So way back in 1969, he paid just shy of $20,000 for this Brooklyn brownstone.
Those were the days, right, guys? Those were the days.
Those were the days, right, guys? Those were the days.
How lovely. Yeah.
And this is where he was married and raised a family. But in 2006, and by then Ray had lived there almost 40 years and he was age 72.
Yep.
The story goes that Ray was seeking money for some home renovations.
And he was duped into signing over the deeds of his home to another man who pretended that he was going to help them.
So yes, we are talking today on Smashing Security about deed theft, or deed theft scams, or house title scams as they're also known.
This is where some unauthorized ne'er-do-well attempts to steal the ownership of your home. Now, there are two common scenarios, okay? One is the legit homeowner is deceived.
So the scenario might play out: you're behind on your mortgage payments and live in an area with a hot real estate market.
And someone contacts you claiming to be a foreclosure specialist or something.
And scammers will use public records to find homeowners who are in foreclosure or behind on their mortgage. Okay?
And he was duped into signing over the deeds of his home to another man who pretended that he was going to help them.
So yes, we are talking today on Smashing Security about deed theft, or deed theft scams, or house title scams as they're also known.
This is where some unauthorized ne'er-do-well attempts to steal the ownership of your home. Now, there are two common scenarios, okay? One is the legit homeowner is deceived.
So the scenario might play out: you're behind on your mortgage payments and live in an area with a hot real estate market.
And someone contacts you claiming to be a foreclosure specialist or something.
And scammers will use public records to find homeowners who are in foreclosure or behind on their mortgage. Okay?
Right.
So this person then seems trustworthy, empathetic to your financial struggles. And even more importantly, they have a plan to help you keep your home.
But first, you just need to sign a few legal documents.
But first, you just need to sign a few legal documents.
Yeah.
Right? And in there will be the deeds. Or scammers might ask you to directly sign over your home deed for safekeeping.
They might promise that your property will be transferred to a trusted relative so that you can avoid foreclosure until your finances are back in order.
And then, of course, scammers will transfer your home to their name or the name of a shell company.
They might promise that your property will be transferred to a trusted relative so that you can avoid foreclosure until your finances are back in order.
And then, of course, scammers will transfer your home to their name or the name of a shell company.
Right.
And if the document is notarized and filed with the county clerk, the house will technically belong to the scammer.
Yep. Nasty.
And then it gets worse, right? Because once you've signed over your deed, scammers can require you to make lease payments, or they can use your home as collateral for large loans.
Oh, boy.
They can evict you. They can take possession. They can do basically anything a homeowner can do because they are effectively the new homeowner.
And this chap, he's been living there for decades and decades.
Yes.
He's an elderly chap.
This is what happened to Ray, because at the time, Ray thought the transaction was legit.
But no, the scammer allegedly takes out a home equity line of credit against Ray's house to the tune of $700,000. And Ray was not kept in the loop. He had no idea this had happened.
So of course didn't make the payments. And the credit never being paid off, the house was foreclosed, right? And it was foreclosed for a whopping $2 million.
Remember, he paid only $20,000 for it. So thank you, gentrification. Since the foreclosure, the new owner, an LLC, has been working on evicting Ray from his own home.
But no, the scammer allegedly takes out a home equity line of credit against Ray's house to the tune of $700,000. And Ray was not kept in the loop. He had no idea this had happened.
So of course didn't make the payments. And the credit never being paid off, the house was foreclosed, right? And it was foreclosed for a whopping $2 million.
Remember, he paid only $20,000 for it. So thank you, gentrification. Since the foreclosure, the new owner, an LLC, has been working on evicting Ray from his own home.
Right. So that isn't the scammer, is it? That's someone new who's come along and bought the property.
Right. The scammer walked away with $700,000.
Yes.
And then the house was foreclosed by the bank. There's a new buyer, and they're the ones going, hey, get out of there. I want to live there myself. Right? I've paid the money.
You know, the buyer isn't really doing anything wrong there, are they? In a way, it's they've purchased the property in good faith.
Legal quagmire indeed. Exactly.
Yeah.
So that was scenario 1, where the legit owner gets duped by somebody who presents themselves as someone there trying to help you.
Mm-hmm.
And people here seem to be older homeowners because typically they own more equity or the entirety of their homes.
Yeah.
Or maybe Ray, they have expenses or payments they can't afford and they need to release equity from their home. Or they have fewer connections to ask people, is this okay?
Is this legit? So yeah. Now what about scenario 2? This is where a baddie steals your identity and forges a deed that transfers ownership of a property to them, right?
Is this legit? So yeah. Now what about scenario 2? This is where a baddie steals your identity and forges a deed that transfers ownership of a property to them, right?
Yeah.
Of course, they can steal your identity in all manner of ways. Phishing, social engineering, data theft, ransomware, social media scouring, romance scams, you name it.
But once they have what's necessary, they then file the deed with the county clerk who records the sale. Then the property can be quickly sold to an unsuspecting purchaser.
So you're sitting there going, "Yay, I just bought a house and I got such a deal." Two weeks later, someone's knocking on the door going, "Oh, what are you doing in my house?" The Homeowners Alliance in the UK cite this case with Angela Jones.
So she owns a 4-bedroom house in South London, and she returns from a 3-week trip, and she finds a letterbox taped up and a metal postbox is fixed to her front door.
But once they have what's necessary, they then file the deed with the county clerk who records the sale. Then the property can be quickly sold to an unsuspecting purchaser.
So you're sitting there going, "Yay, I just bought a house and I got such a deal." Two weeks later, someone's knocking on the door going, "Oh, what are you doing in my house?" The Homeowners Alliance in the UK cite this case with Angela Jones.
So she owns a 4-bedroom house in South London, and she returns from a 3-week trip, and she finds a letterbox taped up and a metal postbox is fixed to her front door.
Right.
So she calls police, but they don't send anyone over.
And then 2 months later, she receives a letter from Land Registry, and it was entitled Completion of Registration and stated that her property now belonged to someone else.
And then 2 months later, she receives a letter from Land Registry, and it was entitled Completion of Registration and stated that her property now belonged to someone else.
What?
So Angela then contacts the land registry, who tell her that a solicitor had verified a woman as her when she applied to transfer the property, that an application to register the transfer was sent to the land registry, and that a notice of the application was sent to Angela 3 days after.
Oh, right, giving her 3 weeks to respond. But Angela never received it because she was away.
Oh, right, giving her 3 weeks to respond. But Angela never received it because she was away.
She was on holiday, and there was phony mailbox outside.
Exactly.
Oh my goodness.
So the land registry approved the fraudulent application.
And if we go back to the States, so this happened last year, a Missouri woman was arrested on federal charges for reportedly attempting to defraud Elvis Presley's family of millions of dollars and to steal the family's ownership interest in Graceland, Memphis, Tennessee.
And if we go back to the States, so this happened last year, a Missouri woman was arrested on federal charges for reportedly attempting to defraud Elvis Presley's family of millions of dollars and to steal the family's ownership interest in Graceland, Memphis, Tennessee.
Were they caught in a trap? They couldn't get out?
The woman who has too many—
They should have had suspicious minds, really, shouldn't they?
The woman has so many aliases, I couldn't even count them, okay?
But she posed as three individuals representing a fictitious private lender, saying that Presley's daughter borrowed $3.8 million in 2018 from this fictitious private lender and pledged Graceland as collateral.
But she posed as three individuals representing a fictitious private lender, saying that Presley's daughter borrowed $3.8 million in 2018 from this fictitious private lender and pledged Graceland as collateral.
Which scammers have the audacity to do this, to pretend to be the child of Elvis Presley and offer up Graceland as collateral? I mean, surely that would ring some alarm bell.
And I also don't understand, who are these people who are buying properties, which presumably they are never going round to actually view?
If you said there's a 4-bedroom house, but they know— I mean, it would be odd, wouldn't it, if you were in your house and someone went ding dong on your doorbell and said, hi, we're just here for the viewing.
And it's well, our house isn't on the market. You know, sure, come in, come in. Have a look around, you know.
And I also don't understand, who are these people who are buying properties, which presumably they are never going round to actually view?
If you said there's a 4-bedroom house, but they know— I mean, it would be odd, wouldn't it, if you were in your house and someone went ding dong on your doorbell and said, hi, we're just here for the viewing.
And it's well, our house isn't on the market. You know, sure, come in, come in. Have a look around, you know.
They know, but maybe they are taking a look around, but they say, oh yeah, no, we're with the lecky board. We just got to check out your—
Yes, but the people who are innocently buying, they don't pretend to be from the electricity board, do they, Carole? That's true.
That's true.
I've never done that when I've been looking around a house. I've never pretended to be from a utility company.
This woman who tried to get Graceland even published you know, fraudulent foreclosure notice in the local paper announcing that her bogus firm planned to auction Graceland to the highest bidder.
Is this woman insane?
It was a bold move.
Bold.
Did this work? Did this work?
And she did not. She was arrested this past August and is currently charged with mail fraud and aggravated identity theft.
The other thing is the family are now in a quagmire of legal crap, right?
Because they have to go down all the paper trails and sort everything out, even though they're completely innocent.
The other thing is the family are now in a quagmire of legal crap, right?
Because they have to go down all the paper trails and sort everything out, even though they're completely innocent.
There is a lot of identity theft actually with Elvis Presley. You would be surprised how many people impersonate him on a regular basis. So this is an ongoing problem.
There's a guy down the chip shop swears he's Elvis.
There's a guy down the chip shop swears he's Elvis.
I wonder, you know, remember Elvis is alive. That was a big thing when I was a kid. You know, Elvis hasn't died. He's alive at some island or something.
And I just wonder how old Elvis would be today if it, you know, if it's even possible.
And I just wonder how old Elvis would be today if it, you know, if it's even possible.
Oh, he would be about 90, I think, maybe something that.
Yeah. So it's possible he's still alive. We don't have long for that conspiracy theory unless, you know, he's invested in some high-tech drugs.
He's cryogenically suspended next to Disney.
He's like a head in some weird liquid. So to answer, is it really possible for scammers to steal your home? The answer is yes.
And you might not even know they've done it until it's too late. In fact, I think the scam entirely depends on that fact.
But this is a labor-intensive type of scam, and the numbers of reports are on the up, but is by no means a popular way to dupe you out of your assets. There is some advice, right?
There's some interesting advice here.
And you might not even know they've done it until it's too late. In fact, I think the scam entirely depends on that fact.
But this is a labor-intensive type of scam, and the numbers of reports are on the up, but is by no means a popular way to dupe you out of your assets. There is some advice, right?
There's some interesting advice here.
Oh, good.
So make sure the appropriate authorities have your correct mailing address. You know, people move a lot. You need to receive the notices about your property.
Right.
In the USA, you can visit the website of your county recorder of deeds. Okay. Many counties now offer free fraud alert emails. You can consider opting into that.
So if there's any weird activity on your deed, they'll notify you by email.
So if there's any weird activity on your deed, they'll notify you by email.
Yeah.
Keep track of your mail, right? So if you suddenly stop receiving bills or other important mail, it could be a signal that someone has changed your address without your knowledge.
Mm-hmm. Yes. And maybe if someone has actually put a different mailbox on your drive.
That's right. But if you're not home, you wouldn't necessarily notice.
No, you wouldn't, no.
Yeah.
I'll have to tell the neighbours, don't just water the plants and look after the cat, but also keep an eye open for any mailboxes which suddenly appear.
You want to monitor your credit report to help you catch suspicious activity, such as new accounts opened in your name or unauthorized changes to your existing accounts.
Right.
If you go away for an extended period of time— people do go away, especially after they've retired and they have a lot of equity in their homes— have your mail forwarded to somewhere or ask someone you trust to pick up the mail.
And an obvious one for regular listeners, be mindful with your personal info that is often used to identify you legally, like passport numbers, social insurance numbers, date of birth, middle or maiden names, that sort of thing.
And an obvious one for regular listeners, be mindful with your personal info that is often used to identify you legally, like passport numbers, social insurance numbers, date of birth, middle or maiden names, that sort of thing.
Yeah.
One more thing, you want to also look out for your older loved ones, right? Because they're the ones that are often targeted in these things.
And you might want to spare a warm thought for 90-year-old Ray, who was scammed 20 years ago and is still fighting for his right to stay in his home.
And you might want to spare a warm thought for 90-year-old Ray, who was scammed 20 years ago and is still fighting for his right to stay in his home.
Poor fellow.
Actively. Yeah, it's no way to go into your twilight years.
Horrible, horrible.
Everyone these days has a VPN as a sponsor, but Tailscale isn't like those.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
That's right. Tailscale is a modern networking solution for connecting your applications, your services, and devices securely.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private. It's easy to deploy. Zero config, no fuss VPN. Plus it means zero trust.
Every organization can use this.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private. It's easy to deploy. Zero config, no fuss VPN. Plus it means zero trust.
Every organization can use this.
Thousands of companies already use Tailscale, like Instacart, Hugging Face, Duolingo, and more. So why not try Tailscale for free today?
You'll get 100 devices and 3 users for free with no credit card required. Want to learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
You'll get 100 devices and 3 users for free with no credit card required. Want to learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast.
And this week, we want to tell you about how 1Password's extended access management can help your business.
And this week, we want to tell you about how 1Password's extended access management can help your business.
This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control.
And it ensures that every user credential is strong and protected.
Every device is known and healthy, and every app is visible because 1Password Extended Access Management solves the problems traditional IAM and MDMs can't.
It's security for the way we work today. And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
And it ensures that every user credential is strong and protected.
Every device is known and healthy, and every app is visible because 1Password Extended Access Management solves the problems traditional IAM and MDMs can't.
It's security for the way we work today. And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack.
And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1password.com/smashing.
And thanks to 1Password, Smashing Security for supporting the show. And welcome back. Can you join us for our favorite part of the show?
The part of the show that we like to call Pick of the Week.
And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1password.com/smashing.
And thanks to 1Password, Smashing Security for supporting the show. And welcome back. Can you join us for our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security related. It is a bit techie and nerdy, if that is allowed. It is a thing called wizardzines.
Now, Carole, you are a bit of an artist. You have a certain style. I've seen many birthday cards and the like, which you've made over the years. You're not just a painter.
You're also a cartoonist. I think it'd be fair to say. And Wizardzines reminded me a little bit of some of your cartoon stick people.
Now, Carole, you are a bit of an artist. You have a certain style. I've seen many birthday cards and the like, which you've made over the years. You're not just a painter.
You're also a cartoonist. I think it'd be fair to say. And Wizardzines reminded me a little bit of some of your cartoon stick people.
Oh.
Because Wizardzines is a collection of terrific programming pamphlets or zines produced by someone called Julia Evans, which cover a wide range of technical topics.
So if you are completely flummoxed by Linux or networking or containers or Git or whatever it may be, and you fancy a comprehensive introduction to the topic, these are for you.
They're all done this lovely simplistic accessible style with stick people. And the thing is, right, there's new technologies which come along, which people begin to use.
You ask someone, you say, "Oh, do you know how to do that?" They go, "Oh, you don't know how to do that?" And it's well, you know, everyone has to start somewhere, right?
So I remember when I first started creating websites, still true to this day, I'm always struggling tweaking my cascading style sheets, right? My CSS. I don't know how to do CSS.
It is a huge amount of fun. You're always just altering it a bit and seeing, oh, does it work? Does it work on mobile? Well, I have bought a Wizardzine for CSS.
It cost me about £10 and it was a really good introduction to the topic of CSS and all the tricks and things which I could do in a way which I could actually understand.
And it's terrific. So they do an amazing job explaining how things work.
Some great examples in there, and there's even a free weekly comic mailing list you can sign up for if you want to give it a try. So go and check it out at wizardzines.com.
So if you are completely flummoxed by Linux or networking or containers or Git or whatever it may be, and you fancy a comprehensive introduction to the topic, these are for you.
They're all done this lovely simplistic accessible style with stick people. And the thing is, right, there's new technologies which come along, which people begin to use.
You ask someone, you say, "Oh, do you know how to do that?" They go, "Oh, you don't know how to do that?" And it's well, you know, everyone has to start somewhere, right?
So I remember when I first started creating websites, still true to this day, I'm always struggling tweaking my cascading style sheets, right? My CSS. I don't know how to do CSS.
It is a huge amount of fun. You're always just altering it a bit and seeing, oh, does it work? Does it work on mobile? Well, I have bought a Wizardzine for CSS.
It cost me about £10 and it was a really good introduction to the topic of CSS and all the tricks and things which I could do in a way which I could actually understand.
And it's terrific. So they do an amazing job explaining how things work.
Some great examples in there, and there's even a free weekly comic mailing list you can sign up for if you want to give it a try. So go and check it out at wizardzines.com.
I'm just looking at it now. It looks quite cool.
They are cool. And there are even ones for dealing with your manager.
Yeah, I just was looking at that one.
Yeah.
I was looking at one for co-hosts, but they didn't have that. Julia, work on that. That's something that we all want now.
Carole, what's your pick of the week?
All righty, for my pick of the week, I am choosing a novel, a thriller called Listen for the Lie by Amy Tintera.
Loosely, the premise is you're following this woman, Lucy Chase, who reluctantly returns to where she grew up, Plumpton, Texas, right, for her grandmother's birthday.
And she's reluctant because the whole town thinks she murdered her best friend 5 years ago when they were both in their early 20s.
Loosely, the premise is you're following this woman, Lucy Chase, who reluctantly returns to where she grew up, Plumpton, Texas, right, for her grandmother's birthday.
And she's reluctant because the whole town thinks she murdered her best friend 5 years ago when they were both in their early 20s.
Bit awkward.
Yeah, yeah. And then cue true crime podcast investigator.
Hang on, this is a novel about someone who hosts a podcast? And is investigating crimes.
Yes.
Isn't that brilliant? This is your dream, isn't it?
I know, it's fantastic. Okay, and Ben Owens, who wants to tell her story and, you know, takes to interviewing people about town.
And so the story is kind of, you hear Lucy's story, you know, and it goes back to the time of the murder near the end, but you're getting her backstory, and she's full of resentment and edge.
And then it's interspersed with pod interviews with locals that reveal a little bit more about what happened on that fateful night. Or are they lying?
And so the story is kind of, you hear Lucy's story, you know, and it goes back to the time of the murder near the end, but you're getting her backstory, and she's full of resentment and edge.
And then it's interspersed with pod interviews with locals that reveal a little bit more about what happened on that fateful night. Or are they lying?
Oh yeah.
So it's perfect fun for a lazy night in, which I've been having lots of because the weather in England is just abysmal this year. But this book has everything.
It has podcasts, small towns, murder, love, friendships, and big fat liars.
It has podcasts, small towns, murder, love, friendships, and big fat liars.
Ooh.
So that's Listen for the Lie by Amy Tintera, my pick of the week.
Terrific stuff. Now, Carole, you had a chat with the folks from Tailscale this week.
Yes, it's a really neat concept. I chat with Avery Pennarun. He's the co-founder and CEO of Tailscale to learn how it all works. Check it out.
So listeners, we have a very special guest today, Avery Pennarun. He's co-founder and CEO of Tailscale, the company revolutionizing secure networking and its zero trust approach.
Avery, welcome so much to Smashing Security. We're happy to have you here.
So listeners, we have a very special guest today, Avery Pennarun. He's co-founder and CEO of Tailscale, the company revolutionizing secure networking and its zero trust approach.
Avery, welcome so much to Smashing Security. We're happy to have you here.
I'm happy to be here.
So maybe we can start with you telling us a little bit about your background and what drove you to co-found and head up Tailscale.
All right. Super short version of my background or semi-short version of my background. I grew up in Thunder Bay, Ontario, in northern Canada.
My first job was working at the very first dial-up internet provider in Thunder Bay. So we brought internet to that city. I went off to University of Waterloo.
I started my first startup while I was in university with my roommate from there, and it got a little, I guess, out of hand. Eventually acquired by IBM.
I then had a brief stint in the banking industry that I don't talk about very often. I went from there to Google where I worked on Google Wallet.
And then Google Fiber, the gigabit internet service, the first people to bring gigabit internet to consumers in North America.
My team was working on the Wi-Fi routers, both the hardware and the firmware that goes into people's homes. So connects to the TV boxes and stuff.
I left from there from Google and decided it's okay, that was great, but I actually preferred the startup life rather than the Google life, the big company life.
And so I decided to start a new startup.
I wasn't exactly sure what I wanted to do, but I knew what I wanted it to be about, which is the opposite of internet-scale stuff that I saw everywhere at Google.
And so the name came before anything else, Tailscale, the opposite of internet scale.
Let's build small things using small networks for people who don't have the problem of needing to serve millions of requests that serves the entire internet in 100 milliseconds.
My first job was working at the very first dial-up internet provider in Thunder Bay. So we brought internet to that city. I went off to University of Waterloo.
I started my first startup while I was in university with my roommate from there, and it got a little, I guess, out of hand. Eventually acquired by IBM.
I then had a brief stint in the banking industry that I don't talk about very often. I went from there to Google where I worked on Google Wallet.
And then Google Fiber, the gigabit internet service, the first people to bring gigabit internet to consumers in North America.
My team was working on the Wi-Fi routers, both the hardware and the firmware that goes into people's homes. So connects to the TV boxes and stuff.
I left from there from Google and decided it's okay, that was great, but I actually preferred the startup life rather than the Google life, the big company life.
And so I decided to start a new startup.
I wasn't exactly sure what I wanted to do, but I knew what I wanted it to be about, which is the opposite of internet-scale stuff that I saw everywhere at Google.
And so the name came before anything else, Tailscale, the opposite of internet scale.
Let's build small things using small networks for people who don't have the problem of needing to serve millions of requests that serves the entire internet in 100 milliseconds.
Yeah.
Yeah.
You went to my alma mater. I'm a Waterloo girl as well.
Ah, smart choice.
Now, when I was researching for this interview, I noticed that you said in a post that things have become much, much worse for developers despite all the technical advancements.
Can you say more about this for me?
Can you say more about this for me?
Sure.
Well, when I was in high school working at this dial-up internet provider, you know, this was in the 1990s, and you would've thought that in the intervening 30 years of technology advancements that it would become easier to write software.
But I was a high school student who had no experience about from anything other than just fiddling with my computer at home.
And I was writing tools and user-facing software at this ISP. And you know, I used Microsoft Access to build the internal accounting system for this ISP that people actually use.
It was running out of a computer store and I was a high school student. They hired me to do this. You didn't need a team of developers. You didn't need people with training.
We ran the whole thing ourselves, just, you know, on a complete shoestring.
And nowadays it's possible to do that, but it's much less likely because you run into just problem after problem after problem.
And most of the problems are not developing the software you wanted to build in the first place.
The problems are portability, upgrades, security, networking, connectivity, and so on.
Well, when I was in high school working at this dial-up internet provider, you know, this was in the 1990s, and you would've thought that in the intervening 30 years of technology advancements that it would become easier to write software.
But I was a high school student who had no experience about from anything other than just fiddling with my computer at home.
And I was writing tools and user-facing software at this ISP. And you know, I used Microsoft Access to build the internal accounting system for this ISP that people actually use.
It was running out of a computer store and I was a high school student. They hired me to do this. You didn't need a team of developers. You didn't need people with training.
We ran the whole thing ourselves, just, you know, on a complete shoestring.
And nowadays it's possible to do that, but it's much less likely because you run into just problem after problem after problem.
And most of the problems are not developing the software you wanted to build in the first place.
The problems are portability, upgrades, security, networking, connectivity, and so on.
Mm-hmm.
And a lot of these problems started happening because we connected everything to the internet.
And now when everything's connected to the internet, you have this need to make everything perfect all the time, because if it's not perfect, some attacker from some foreign country who has no business having any relationship with your computer at all could come in and attack this software your high school student wrote for you.
And create some big problems.
And now when everything's connected to the internet, you have this need to make everything perfect all the time, because if it's not perfect, some attacker from some foreign country who has no business having any relationship with your computer at all could come in and attack this software your high school student wrote for you.
And create some big problems.
Yeah, that's kind of scary when you say it. I would like to understand more about how Tailscale differs from your more traditional VPN.
The majority of people in the world are good people, right? But if you connect billions of them together, then the bottom 0.0001% or whatever are very bad people.
And those people have equal access to get at your servers as all the other people in the world.
And if you could just cut off this bottom group of people and only let your service connect to whoever is supposed to be connected to, everybody else in the world who shouldn't have access to it are the problem.
If your default is just deploy things to an AWS server or whatever and open up some ports and hopefully put in some authentication.
So Tailscale, fundamentally, it happens to be implemented as a VPN. That's the technology that we use, but what it's for is making it easy to build small things for small teams.
And one of the problems we actually, when we were starting is we didn't know that we were gonna make a VPN.
We just knew we wanted to make small things, make it easier to make small things for small teams.
And so we made a list of 100 things that get in your way when you're trying to launch some internal dashboard or internal app or internal tool that some person has built.
And we prioritized it in the top two or what I call connectivity and security.
I need people on my team to be able to connect to my thing, and I need people not on my team to not be able to connect to my thing.
And so we built a VPN-based tool that makes that easy. And we never got to the other 98 things on the list because the VPN tool took off so much.
And those people have equal access to get at your servers as all the other people in the world.
And if you could just cut off this bottom group of people and only let your service connect to whoever is supposed to be connected to, everybody else in the world who shouldn't have access to it are the problem.
If your default is just deploy things to an AWS server or whatever and open up some ports and hopefully put in some authentication.
So Tailscale, fundamentally, it happens to be implemented as a VPN. That's the technology that we use, but what it's for is making it easy to build small things for small teams.
And one of the problems we actually, when we were starting is we didn't know that we were gonna make a VPN.
We just knew we wanted to make small things, make it easier to make small things for small teams.
And so we made a list of 100 things that get in your way when you're trying to launch some internal dashboard or internal app or internal tool that some person has built.
And we prioritized it in the top two or what I call connectivity and security.
I need people on my team to be able to connect to my thing, and I need people not on my team to not be able to connect to my thing.
And so we built a VPN-based tool that makes that easy. And we never got to the other 98 things on the list because the VPN tool took off so much.
So Tailscale is focused on removing many layers of complexity while letting the right people and the right services and the right devices connect securely, right?
And this is all end-to-end encrypted, I'm assuming.
And this is all end-to-end encrypted, I'm assuming.
Yes. So Tailscale, the neat thing about it. So first of all, I guess I should say there's two kinds of VPNs. And the word VPN has sort of changed its definition over time.
So the original definition of VPN is a virtual private network, which means a private network being a literal physical ethernet that back in the day you used to plug your computer into, and nowadays you connect to your wifi.
That's one network. Right. And a virtual private network is one you can access remotely.
So the physical network doesn't matter, it's just you can access this virtual array of your own computers. The more common usage of VPN nowadays is what I call consumer VPN.
Some people call them privacy VPNs, which is kind of ironic, because they're not that great for privacy.
So the original definition of VPN is a virtual private network, which means a private network being a literal physical ethernet that back in the day you used to plug your computer into, and nowadays you connect to your wifi.
That's one network. Right. And a virtual private network is one you can access remotely.
So the physical network doesn't matter, it's just you can access this virtual array of your own computers. The more common usage of VPN nowadays is what I call consumer VPN.
Some people call them privacy VPNs, which is kind of ironic, because they're not that great for privacy.
Mm-hmm.
But those ones, you pay a service and you route all your traffic through this privacy VPN.
And the reason that it's ironic is that this privacy VPN now has access to all of your traffic and can look at it, and then it goes out to the internet.
And the reason that it's ironic is that this privacy VPN now has access to all of your traffic and can look at it, and then it goes out to the internet.
Right.
Right. Tailscale is the first kind, the original kind of VPN.
One of the reasons we don't lead with Tailscale as a VPN very often is that it causes this confusion between the two kinds. Does that make sense?
One of the reasons we don't lead with Tailscale as a VPN very often is that it causes this confusion between the two kinds. Does that make sense?
Yeah. Yeah. Totally makes sense. So, okay. So a company's looking at you and going, okay, I like the way this sounds. What do you say to them then?
Usually I go all the way back to what are you trying to do and what problems are you running into as you try to do those things?
Companies, you know, to some extent are pretty much all the same on the inside anyway. They've got a bunch of internal services that their developers are trying to use.
So for example, there's a little Tailscale open source thing that we made called go-links. You might have heard other people's or seen other people's go-link tools.
It just allows you to go go/name inside your browser and it'll jump to some internal website. It's just basically your own little short link service for inside your company.
Say I made a go-link service. And I want to run it at my company. What do I need to do to make that happen? Well, I need to have a place where I host it, right?
I need to have DNS that's working. I need to have a TLS certificate so that my browser doesn't blame me for having insecure DNS, right?
And I have to make it so everybody at my company is able to get to this service wherever it's located.
And I want to make it so people not at my company can't see where all my Golang code is. So they shouldn't be able to access it. Do all of those things.
Companies, you know, to some extent are pretty much all the same on the inside anyway. They've got a bunch of internal services that their developers are trying to use.
So for example, there's a little Tailscale open source thing that we made called go-links. You might have heard other people's or seen other people's go-link tools.
It just allows you to go go/name inside your browser and it'll jump to some internal website. It's just basically your own little short link service for inside your company.
Say I made a go-link service. And I want to run it at my company. What do I need to do to make that happen? Well, I need to have a place where I host it, right?
I need to have DNS that's working. I need to have a TLS certificate so that my browser doesn't blame me for having insecure DNS, right?
And I have to make it so everybody at my company is able to get to this service wherever it's located.
And I want to make it so people not at my company can't see where all my Golang code is. So they shouldn't be able to access it. Do all of those things.
Mm-hmm.
Is a lot of work, right?
And so many companies are at the level of maturity now where they already set up some internal DNS, they can run internal services, they have an internal network with a firewall behind it.
And so it's not that hard to run new things on the inside network, as long as you're working with the security and IT teams to make sure the right firewall port gets opened at the right time or whatever.
So a traditional corporate VPN would be used for people not in the office to be able to get access to the private network so they can access all these things that have been set up.
But if you're a company that doesn't have all these things, or you don't want to employ this IT/security team for your scale, or your IT and security team would rather be doing something else, Tailscale just sort of fragments it all into okay, I've got a service, I've got people who want to be able to access this service, and Tailscale makes it so it doesn't really matter where in the world or what provider you host that service on.
You don't have to open any firewall ports. You can leave the firewalls all completely closed with no open ports whatsoever.
And everybody in the whole system is authenticated using SSO. So typically Google or Microsoft, Entra or Azure AD, or Okta, or GitHub authentication.
You authenticate to the VPN or the Tailscale system using your regular login you would for any SaaS product, and then you just instantly get access to everything everybody inside your company has published that should be available to you without having to worry about where those things are.
So you could locate them at multiple different cloud providers. You could locate them in multiple different regions of the world.
You could put them behind different firewalls, you can even have you left your laptop back at home behind one firewall.
You can go to a cafe and access your laptop from your phone behind the cafe's firewall, and you get point-to-point direct connections.
It doesn't get relayed through Tailscale, so it minimizes the latency and overhead, and it's end-to-end encrypted because those keys are generated by your own devices and we never see the keys.
And so many companies are at the level of maturity now where they already set up some internal DNS, they can run internal services, they have an internal network with a firewall behind it.
And so it's not that hard to run new things on the inside network, as long as you're working with the security and IT teams to make sure the right firewall port gets opened at the right time or whatever.
So a traditional corporate VPN would be used for people not in the office to be able to get access to the private network so they can access all these things that have been set up.
But if you're a company that doesn't have all these things, or you don't want to employ this IT/security team for your scale, or your IT and security team would rather be doing something else, Tailscale just sort of fragments it all into okay, I've got a service, I've got people who want to be able to access this service, and Tailscale makes it so it doesn't really matter where in the world or what provider you host that service on.
You don't have to open any firewall ports. You can leave the firewalls all completely closed with no open ports whatsoever.
And everybody in the whole system is authenticated using SSO. So typically Google or Microsoft, Entra or Azure AD, or Okta, or GitHub authentication.
You authenticate to the VPN or the Tailscale system using your regular login you would for any SaaS product, and then you just instantly get access to everything everybody inside your company has published that should be available to you without having to worry about where those things are.
So you could locate them at multiple different cloud providers. You could locate them in multiple different regions of the world.
You could put them behind different firewalls, you can even have you left your laptop back at home behind one firewall.
You can go to a cafe and access your laptop from your phone behind the cafe's firewall, and you get point-to-point direct connections.
It doesn't get relayed through Tailscale, so it minimizes the latency and overhead, and it's end-to-end encrypted because those keys are generated by your own devices and we never see the keys.
You make it sound it's super easy, but no, you know, it sounds quite revolutionary. Why has no one thought of this before, Avery?
I guess I have two answers. One is anybody can think, wow, this should have been easier. That doesn't always explain how to build the product.
Mm-hmm.
And secondly, not everybody even thinks about the fact that it actually should be easy.
One of the most common bits of feedback we get about Tailscale is people try it and they're angry for a few minutes, and they're not angry at us.
They're angry at the fact that they've been suffering from this pain for years and they didn't even realize that they were suffering from the pain because they were so used to it.
And they're just like, wait a minute, none of these things needed to be this terrible.
One of the most common bits of feedback we get about Tailscale is people try it and they're angry for a few minutes, and they're not angry at us.
They're angry at the fact that they've been suffering from this pain for years and they didn't even realize that they were suffering from the pain because they were so used to it.
And they're just like, wait a minute, none of these things needed to be this terrible.
Yeah.
How did we get here? I didn't even realize it didn't need to be this terrible. People have stopped even thinking about the fact that DNS sucks, right?
Fundamentally DNS just sucks, right? Setting up DNS sucks. DNS servers suck. DNS security sucks.
You know, if you have a dynamic IP address, maintaining your dynamic IP in DNS, it all sucks.
You've got all these memes about the problem always being DNS and Tailscale just, whoop, what if you didn't have to do all that stuff and the names just showed up, right?
And it works, right? But people have even stopped, you know, people make jokes about how terrible DNS is, but nobody says, oh, if only we just got rid of it.
Fundamentally DNS just sucks, right? Setting up DNS sucks. DNS servers suck. DNS security sucks.
You know, if you have a dynamic IP address, maintaining your dynamic IP in DNS, it all sucks.
You've got all these memes about the problem always being DNS and Tailscale just, whoop, what if you didn't have to do all that stuff and the names just showed up, right?
And it works, right? But people have even stopped, you know, people make jokes about how terrible DNS is, but nobody says, oh, if only we just got rid of it.
And you also share so much information publicly, right? You operate publicly. You share your security policies. You include your SOC 2 report and put that out there.
Even your code is open source. I mean, that's a big decision. A lot of companies don't go down that route. So what attracted you to that?
Even your code is open source. I mean, that's a big decision. A lot of companies don't go down that route. So what attracted you to that?
I mean, first of all, I'm just a big open source fan from the beginning.
When I first got my job in high school, doing this internet service in my city, it was because I had studied up on stuff on the internet and I downloaded Linux on floppy disks and I installed it on my computer.
And all of that stuff was only possible because open source existed. So I very much owe my entire career to open source.
But secondly, Tailscale is trying to improve internet connectivity for everybody.
And I know there's lots of people out there who would not be happy installing this opaque binary on their computer that would otherwise be a completely open source computer just to fix internet connectivity, right?
The internet protocol is open source.
And so it's really important that if we're gonna be improving the way the internet protocol works, we have to build a system that's open source that people can have confidence in.
It's not that hard to understand roughly how it works. It's really hard to put together all the pieces to make them super reliable all the time.
And I think people underestimate the difficulty of just running a network securely and reliably, right?
The most important feature of Tailscale is the one that you never really hear about.
It's just the number of nines of uptime of the network you get when you put all the pieces together.
And if you just take open source, the joke is it's sort of like batteries are not included, right? We've included all the parts. Now you get to assemble them yourself.
You can put in batteries, but now you're the network administrator, which is not the point. The whole point was for you to not have to be the network administrator. We do it for you.
When I first got my job in high school, doing this internet service in my city, it was because I had studied up on stuff on the internet and I downloaded Linux on floppy disks and I installed it on my computer.
And all of that stuff was only possible because open source existed. So I very much owe my entire career to open source.
But secondly, Tailscale is trying to improve internet connectivity for everybody.
And I know there's lots of people out there who would not be happy installing this opaque binary on their computer that would otherwise be a completely open source computer just to fix internet connectivity, right?
The internet protocol is open source.
And so it's really important that if we're gonna be improving the way the internet protocol works, we have to build a system that's open source that people can have confidence in.
It's not that hard to understand roughly how it works. It's really hard to put together all the pieces to make them super reliable all the time.
And I think people underestimate the difficulty of just running a network securely and reliably, right?
The most important feature of Tailscale is the one that you never really hear about.
It's just the number of nines of uptime of the network you get when you put all the pieces together.
And if you just take open source, the joke is it's sort of like batteries are not included, right? We've included all the parts. Now you get to assemble them yourself.
You can put in batteries, but now you're the network administrator, which is not the point. The whole point was for you to not have to be the network administrator. We do it for you.
Wow.
Okay.
Now we have to talk about AI, the huge hungry beast that is on everyone's tip of their tongue and on every marketing blurb and every website that I've seen in the last 6 months.
Takes a lot of gas, right? To run all these things. It's like the Cobra Jet Mustang of the '60s. So how do you cope with the AI world? Does it change anything for you?
Now we have to talk about AI, the huge hungry beast that is on everyone's tip of their tongue and on every marketing blurb and every website that I've seen in the last 6 months.
Takes a lot of gas, right? To run all these things. It's like the Cobra Jet Mustang of the '60s. So how do you cope with the AI world? Does it change anything for you?
So I think the Cobra Jet Mustang is an excellent analogy because my dad had one.
Oh, no way.
Yeah. I never saw it. He had it before I was born.
Wow.
But he was very excited about his Cobra Jet Mustang and he said it was so fast that less than a year after he got it, he sold it because he was terrified at how fast it went.
That pretty much tells the entire story of AI. Yeah, I think there's a lot of potential in AI systems the way they're being built right now.
I think people quite frequently are using them for nonsense that is not gonna be sustainable, and then quite frequently are using them for amazing stuff. That's great.
But what's happened with AI and Tailscale is that almost all of the AI companies out there are using Tailscale as their network backend.
And that includes some very big names that we're not allowed to mention, includes hundreds of much smaller companies that are training AI systems to do all kinds of different things.
I have a blog post about it. It's called AI companies are not that unusual actually, or something like that.
That pretty much tells the entire story of AI. Yeah, I think there's a lot of potential in AI systems the way they're being built right now.
I think people quite frequently are using them for nonsense that is not gonna be sustainable, and then quite frequently are using them for amazing stuff. That's great.
But what's happened with AI and Tailscale is that almost all of the AI companies out there are using Tailscale as their network backend.
And that includes some very big names that we're not allowed to mention, includes hundreds of much smaller companies that are training AI systems to do all kinds of different things.
I have a blog post about it. It's called AI companies are not that unusual actually, or something like that.
Okay, great.
So we recently launched an AI startups program that gives enterprise-level Tailscale. I think it's free for the first year and then discounts and stuff on top of that.
So we just wanna make sure that AI companies are having the maximum level of success and try out all the interesting enterprise features while they have the chance.
So we just wanna make sure that AI companies are having the maximum level of success and try out all the interesting enterprise features while they have the chance.
I think we're out of time, but is there anything that you'd like to add? Anything that you think our listeners would love to hear about?
Well, I think something important to mention is Tailscale is available for free for personal use, up to 3 users on a so-called tailnet, which is your private network.
And so that works great for friends and family kind of use cases. It works great for your own stuff.
So I wasn't kidding about leaving your laptop at home and accessing it from your phone in a cafe or something like that.
We have a tool called Taildrop, which if you used Apple devices, it's sort of like AirDrop, except it doesn't only work on Apple devices.
It works on any kind of device that can run Tailscale, which is almost any kind of device in the world, and it works even when they're not physically right next to each other.
So if you've ever tried to do something that should be simple, like move a photo from your Windows computer to your Apple phone, or vice versa, right? Tailscale works for just that.
You can install Tailscale on both devices in less than 5 minutes, and now you've got this little send to me on this other device, and it's free forever for up to 3 users for personal use.
We have hundreds of thousands of people using that plan.
And so that works great for friends and family kind of use cases. It works great for your own stuff.
So I wasn't kidding about leaving your laptop at home and accessing it from your phone in a cafe or something like that.
We have a tool called Taildrop, which if you used Apple devices, it's sort of like AirDrop, except it doesn't only work on Apple devices.
It works on any kind of device that can run Tailscale, which is almost any kind of device in the world, and it works even when they're not physically right next to each other.
So if you've ever tried to do something that should be simple, like move a photo from your Windows computer to your Apple phone, or vice versa, right? Tailscale works for just that.
You can install Tailscale on both devices in less than 5 minutes, and now you've got this little send to me on this other device, and it's free forever for up to 3 users for personal use.
We have hundreds of thousands of people using that plan.
I know there's going to be tons of listeners whose ears have perked up listening to this and are going to want to learn more about this fascinating technology.
So what you do is you can check out smashingsecurity.com/tailscale. That's smashingsecurity.com/tailscale. And huge thank you to you, Avery Pennarun, CEO of Tailscale.
So what you do is you can check out smashingsecurity.com/tailscale. That's smashingsecurity.com/tailscale. And huge thank you to you, Avery Pennarun, CEO of Tailscale.
You're welcome. Nice talking to you.
Fascinating stuff. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, Tailscale and 1Password. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 400 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 400 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
All right, excellent!
Another one bites the dust.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Report from Corriere Di Bologna newspaper.
- Caro Musk, assumi subito l’hacker quindicenne di Cesena – Il Foglio.
- 15-Year-Old Hacker Diverts Ships in Mediterranean Sea for Fun – Hot for Security.
- 90-year-old immigrant could lose Brooklyn home after deed theft scam, family says – CBS News.
- Protect your home. Spot the signs of deed theft – Better Business Bureau.
- Woman Charged for Scheme to Defraud Elvis Presley’s Family – DOJ.
- Home Title Theft: How To Protect Yourself – Forbes Advisor.
- Here’s How Scammers in America Can Take the Title to Your Home Without You Knowing It – Moneywise.
- Could a Criminal Use Deed Fraud to Steal Your Entire Home? – AARP.
- Could Fraudsters Steal Your Home From Under Your Nose? – HomeOwners Alliance.
- Wizard Zines.
- Listen for the Lie – Amazon.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
