
From shadowy Bitcoin exchanges to Interpol’s most wanted, Alexander Vinnik was the alleged kingpin behind BTC-e, a $4bn crypto laundering empire. Learn more about him, and how he became a geopolitical pawn between the US, France, and Russia. Plus! Hear how concert-goers are being warned about a swathe of scams hitting stadiums and arenas around the world.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
PLUS! Don’t miss our featured interview with Cliff Crosland of Scanner.dev.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Don't believe what you've read in the press, he says. They say I was staying at a luxury hotel. I certainly wasn't. It was an ordinary hotel, he said, with no stars. No stars, I think he means no celebrities.
Smashing Security, episode 405.
A cryptocurrency exchange and soaring ticket scams.
With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 405. My name's Graham Cluley.
And I'm Carole Theriault.
Now, Carole, just you and me this week. I'm heading off to the States for a conference.
Very exciting.
Busy, busy, busy.
Mm-hmm.
Let's kick the show off, shall we?
Yes, but first let's thank this week's wonderful sponsors: 1Password, Harmonic, and scanner.dev. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm gonna be talking about a very different kind of cryptocurrency exchange.
And I'm talking big concert tours, the likes of Ozzy, Beyoncé, and Oasis. Plus, I chat with Cliff Crosland. He's the CEO and co-founder of scanner.dev, and we talk about how to turn raw log data into searchable resources. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I promised I was going to speak about a very special kind of cryptocurrency exchange.
I think they'd all say that they're pretty special.
Oh, this particular exchange, as you'll find out towards the end of the story, is a little bit different. But anyway, I want to tell you about a cryptocurrency exchange called BTC-e, and it was one of the world's largest and most widely used cryptocurrency exchanges, BTC-e, and it processed several billion dollars' worth of transactions during its lifetime. And unfortunately, it was also one of the principal exchanges used by hacking gangs and fraudsters and drug lords and the like to launder their criminal proceeds.
They were propping up the exchange, is that what you're saying?
Well, I think they were primary users. So if you were into hacking, if you're into ransoms, if you're into fraud and identity theft and those tax refund fraud emails, quite possible that any money which was being made was going through BTC-e.
Okay.
And perhaps unsurprisingly, the most commonly traded regular currency, so the non-cryptocurrencies. Have you got any ideas what people were paying in in terms of real currencies and what maybe they were taking the money out in?
No, I'm guessing they're getting out some currency, some crypto of some sort.
Yes, those were the digital currencies, but then they were translating them into real-world currencies because you don't want things to permanently be in digital currency, do you?
Well, you could tell that to many, many, many users. No idea.
US dollars and Russian rubles. They were the ones which were ruling the roost. So they've been swapped back and forth with bitcoin and Litecoin.
Yeah, those are pretty big geographies as well with lots of people.
Yes, yes, yes. But it sort of fits into a model, doesn't it, of where a lot of the cryptocurrency bad guys and the cybercriminal bad guys might be based. And like other cryptocurrency exchanges, BTC-e charged transaction fees. I mean, that's the way to make money, isn't it? It's just to have a little bit of a crust which you're scraping off the top. So every time you used BTC-e to exchange your digital currency into regular money, they would take a percentage.
Sure, like every bank in the planet, I'm sure.
It's estimated that they handled over $9 billion. That was the figure by 2017. Absolutely enormous. So why did the cybercriminals love BTC-e so much? Well, it was because it lacked even the most basic anti-money laundering controls. So if you wanted to conceal the money which you'd stolen through an identity theft, for instance, or through a cryptocurrency scam, or through a ransomware attack, you may well have chosen to use BTC-e because it made it more tricky for the police to track and attribute funds and who owned what wallets. Because they weren't finding out anything about you.
So you're basically effectively anonymous in doing these transactions.
Pretty much. So to use BTC-e, you could create an account on their website and you didn't have to provide even the most basic identifying information. You didn't have to give it a name or date of birth or an address. All it required was a username and a password and an email address. And of course that could have been an anonymized email address.
Like the good old days of Reddit. Yeah.
Right. And legitimate payment processors, and legitimate cryptocurrency exchanges, if you create an account with them these days, if you try and do something with them, you have to provide official ID. With BTC-e, nothing at all. And so, as you know, many companies these days have KYC processes, know your customer. So they're required by anti-money laundering measures to know something about their customers. BTC-e, no such measures in place. They collected virtually no customer data at all. So it's no wonder it was so popular with cybercriminals.
It means that they don't get caught in a big leak where they lose lots of information they never collected. You know, there is— I'm just looking at the silver lining. Silver lining. That is the good side. You're absolutely right. We log nothing.
Yes. And if you went to their website, they actually said that clients did have to verify their identity. They said, you will have to scan in your ID documents, you'll have to scan in your utility bills, you'd have to give us a bank statement. That's what they said on their website, like many legitimate cryptocurrency exchanges do. But it seems they didn't actually do that. They were just saying that perhaps to avoid drawing attention from law enforcement agencies. So they appeared to the outside world to be completely legitimate.
And you know, if they're not collecting anything, then even in the T&Cs, they would say any data that we have will do blah, blah, blah, but they don't have any of it, so.
Good point. Yeah, so they could cut and paste terms and conditions from a legitimate site and say, well, we are actually gonna abide by them as well, we. So it was saying that, and the BTC-e website, it advertised that in addition, it wasn't accepting any international wire transfers from US citizens or from US banks. So it was saying this in order to try and reassure people that we are never going to be taking money from Americans for this site. So the US authorities don't have to worry about this. Just pass by us, look at the other sites instead. And again, that was a lie. The truth was it did in fact knowingly accept wire transfers from banks in the States made by US citizens who presumably were paying extortions and ransoms or simply having their bank accounts plundered by criminals who were transferring the money into the cryptocurrency exchange.
And their defense would be, we didn't know, we had no idea. We didn't know what they were doing with the money. We looked the other way, we had no idea, therefore, why are you blaming us?
Yes, I mean, they could have put rules in place and procedures in place to say, hang on, where's this money coming from? Which bank is transferring this? And blocked them. They didn't bother doing any of that. So BTC-e users were creating accounts and they had names like ISIS, Cocaine Cowboys, Black Hat Hackers, Hacker for Hire, DZ Killer Hacker, all these sorts of names. And one of the key players within BTC-e was a chap called Alexander Vinnik. He had an account called Vamnedam and from that account, he oversaw BTC-e's administration, its operations, its support accounts. He had his wallet up there, and proceeds from well-known hacks were ending up in his account. So take the notorious hack of Mt. Gox, a huge cryptocurrency exchange, which got hacked in early 2014.
Mm-hmm.
300,000 bitcoins were taken from Mt. Gox, one of the biggest hacks in history in terms of money value, worth $30 billion today. Well, it ended up in the accounts controlled by BTC-e's administrators, including Alexander Vinnik. But this chap Vinnik made a mistake because in July 2017, he thought, oh, you know, it's a bit hard running this cryptocurrency exchange, isn't it? I need a bit of downtime. I think it's time me and the family had a bit of a holiday. And so he thought, I'm going to go to Greece.
As you do.
Yeah. So he left his native Russia. Have you been to Greece?
No. Yes, I have. Yes, I have.
What was it like?
Warm, beautiful.
I've never been there. I hear it's warm and beautiful. A perfect destination for a family vacation. That's what Alexander Vinnik thought as well. He went there, promptly got arrested. US authorities then requested from the Greek authorities his extradition, claiming he had laundered billions of dollars on behalf of cybercriminals.
Was he on his socials going, hey, me and the wife are going to get some R&R in the big GR?
It wouldn't be a surprise, would it? It wouldn't be a surprise.
Okay.
So obviously that caused a few problems, not only for him, but also potentially for some of the hackers who were also using BTC-e. Amongst them, the Russian Fancy Bear hacking group, if you remember them. They are a hacking group who've been closely linked to Russian Military Intelligence, and they have been separately blamed in the past for stealing and releasing emails from a certain Hillary Clinton when she was running her presidential campaign in 2016. They were using BTC-e. Now, Alexander Vinnik, of course, he said he was being persecuted. He spoke to the Russian press from his Greek prison cell and he said, don't believe what you've read in the press. He says, they say I was staying at a luxury hotel. I certainly wasn't. It was an ordinary hotel, he said, with no stars. No star, I think he means.
No celebrities?
Yeah, I don't know if he means celebrities or whether he means it was a zero-star property, which probably means it didn't have.
Not even an ironing board.
Yeah, it didn't have a trouser press. And his wife, he said, had been taken sick. His child was staying with his grandmother because he'd been locked up in this Greek prison cell while they were arguing as to where he's going to end up because three countries wanted him extradited. France wanted him extradited. The United States wanted him extradited. And Russia wanted him extradited as well. They said, look, we think he's guilty of some minor charges. We'd like you to fly him back to us, and he will then see justice in Moscow. And Russia threatened Greece with retaliation. It wasn't completely clear what they would do.
It's a difficult position for Greece. You'd be like, ah, listen, guys.
He just came here on holiday. We've got lovely beaches. We're sorry about the zero-star hotel resorts. Now, he was eventually extradited, but firstly to France.
Right.
Where he was convicted in connection with extortion and ransomware and money laundering tied to things like CryptoLocker and Locky, a couple of big ransomware campaigns. He got five years in prison. And at the end of his five years, the French, of course, chuck him on a plane. They didn't send him on a plane back to Russia. They sent him on a plane back from where they'd got him. So they sent him back to Greece.
Oh, and of course allowing America to grab them.
Exactly. So he arrives in Greece, the Greek police arrest him again because there's an outstanding warrant for his extradition from the US authorities. They're ignoring the Russians still.
Hello, Mr. Vinnik, nice to see you again.
He's like, oh, here I am again. What hotel are you going to put me in this time? And he was then extradited to the United States in 2022, where he pleaded guilty to conspiracy to commit money laundering. Last May, he pleaded guilty. So it's a couple of years he was in the clink and eventually has pleaded guilty. And he's been awaiting sentencing since. Sounds like he's going to be sentenced later this year. The schedule is that he's going to be sentenced in— Oh, hang on a minute. Hang on. There's an update to this story. Okay. Because he's not going to be sentenced later this year because something else has just happened just in the last few days.
He's been extradited. Well, I was just thinking as the new political environment that exists, perhaps that's something that the US and Russia might agree to do.
Let me tell you what's happened.
Okay.
Just a few days ago, you may have seen the news reports about a Pennsylvanian schoolteacher called Mark Fogel, who has been held by Russia since 2021.
Yeah, yeah.
He got 14 years behind bars in Moscow. A very small amount, I think it's less than an ounce of marijuana, was found in his luggage at Moscow Airport.
14 years.
That's quite heavy, isn't it?
Do you think?
He claimed it was for medicinal purposes. Presumably he was looking forward to 14 years in a Moscow jail without any marijuana to help him with his medical condition. Now, you may have seen the pictures of Donald Trump greeting Mark Fogel back to the United States, and there were lots of questions in the media saying, so what's the US done in exchange to secure this schoolteacher's release? And now we know, because two days after Fogel's release, the US authorities put Alexander Vinnik back on a plane, not to Greece, not to Paris, but to Moscow. So this man who made billions from cybercrime, from ransomware, from helping drugs gangs and extortionists, is now heading back to Russian soil.
Okay, but this might be good for Mark Fogel because he's going to go back to the States and depending on what state he lives in, he can get back into his little habit.
Yes, he could take up his pastime, and maybe Alexander Vinnik back in Moscow can take up his pastime by setting up a new cryptocurrency exchange and earn himself some cash.
Right, exactly. Well, we'll keep our eyes on that.
What do you think about this? Do you think that's a fair exchange? This is the kind of exchange I was talking about, you see. This is my very clever tie-in to—
They might be making lots of money on the new Trump coin. Don't you worry.
I think the Trump coin has slumped quite a lot in terms of its value. Yes, I know it's a shock. I know it's a shock. Carole, what story have you got for us this week?
Okay, I'm talking big concerts. Do you remember the last concert, big concert you went to? I'm not talking little piddly concert. I'm talking big international.
Oh, like a big concert.
Yeah.
I saw the Red Hot Chili Peppers in Hyde Park.
That's pretty good.
That was pretty enormous. Yes, that was a big one.
Was it expensive? Do you remember?
Oh, I don't remember. But that was an outdoor one. The outdoor ones tend to be bigger than the indoor ones, don't they? And the ones in arenas.
Yeah. Well, I mean, my last one was Nick Cave. I saw him in the O2 in London. What, last year? Late last year.
Oh, yeah.
And we splashed out a bit. It was a bit of a celebration. Not cheap, right?
No, no, it could easily be over £150 or something. I mean—
Oh no, no, way more than that. There— Yes, up to like £1,000 for VIP tickets. Yes, you should look it up. It's unbelievable.
Did you have VIP tickets?
Yes. No, it didn't go up that high.
No. Okay. No, you didn't get a backstage pass?
A few hundred pounds.
Right.
It was— It wasn't— It was a celebration. Yeah. And it was great. But you know, I once saw Radiohead in Ottawa for $6. So those were the days.
Wow.
Uh-huh.
That's something to tell your grandchildren.
The thing is, I shouldn't complain because it turns out I might have actually been lucky to even get seats or tickets at all.
Yeah.
Because say if you were desperate to see rock legend Ozzy Osbourne, how old do you think he is, by the way? How old do you think he is?
Ozzy Osbourne? I would say he is 73.
Oh, you're close. 76.
Okay. He acts as though he's—
He has Parkinson's.
Oh, does he? Oh, now you've made me feel bad. Yes. Oh, okay. Sorry, Ozzy.
So Ozzy is set to reunite with his Black Sabbath mates for one last time to play a charity concert in his hometown of Birmingham on the 5th of July this year.
Ah.
But fans are fuming after tickets for the band's final show ever sold out in just 16 minutes. There were queues to secure presale tickets last Tuesday in the many, many thousands. I saw one report saying there were 125,000 people waiting for tickets. I was like, really?
For Black Sabbath?
For Black Sabbath. It seems Ticketmaster gave precedence to online sales, right? One Black Sabbath fan wrote that if Black Sabbath tickets are fully sold out, why am I still 12,000th in the queue? And if you are a diehard Ozzy fan, right, who definitely wants to see his last performance, you know, in his hometown.
Yeah, it would be cool. I guess, you know, if you were a big fan, that is the place to see him, isn't it?
Plus proceeds are going to 3 important charities.
Oh, wonderful. Well, that probably bumps up the price a bit. That's fair enough, yeah.
Okay, no, but what do you do? You know, they're sold out, you want to see him. What do you do? You go online, don't you?
Yeah, because there are sites where people can resell their tickets and things.
There are sites, exactly. So you go online and try and find tickets from another way, and you're desperate because this is your band. You know, this is Ozman on stage reminiscing how he once bit off a bat's head. I think he did that. I think he did that. I don't think that's fake news.
It was Freddie Starr with the hamster, and it was Ozzy Osbourne with the bat.
That's right. So you jump online, and it turns out those highways are rife with scams, which may not be surprising to people like you and me, because you have a hot event with a limited amount of tickets.
Yes.
You have people desperate to pay whatever to see their music hero.
Yeah.
It's like a perfect environment for a scammer feeding frenzy.
Yeah.
And you might remember last year Taylor Swift's big world tour became a playground for bad actors to dupe you into thinking that you got real tickets to see the big show.
There was a much easier way to get Taylor Swift tickets than to queue on one of these sites or queue up in person. You know, the easiest way of all was to find yourself elected as a Labour MP and then you would be given Taylor Swift tickets for nothing. That, that I think was people's best approach.
In the UK, even Lloyds Bank got involved. They alerted the public that there were many scam reports made by its very own customers. So because the bank found a surge of fraud cases from those trying to buy tickets for the upcoming Eras Tour, now past Eras Tour. And of course, by then the show was already sold out. And the whole thing was a scam with 90% of the reported concert tickets having first started on Facebook.
Huh.
This is what Lloyds said, right? And in Singapore, they've just sentenced the so-called Ticket Scam Queen, right, who's been jailed for 3 years after successfully conning 76 Taylor Swift fans out of 110K Singapore dollars. But that was then, right? That was last year.
Yeah.
Do you think things have changed?
Yes, I expect everything is much, much better now, and the whole problem's been removed.
Because, you know, there's a lot of upcoming worldwide concerts here.
Yeah, yeah. Good news. Everyone's sorted it out. The industry has moved together as one to fix this problem.
Because for the first time since 2023, right, Beyoncé will perform 6 nights in June in London. Okay, so tickets went on sale on Friday, February 14th, just last week. But way down in South Africa, there have been whispers since December that Beyoncé would be performing at the FNB Stadium in Johannesburg on the 10th of April.
Right.
And excited fans have rushed to social media, some even claiming to have secured tickets for the so-called concert. So-called because Beyoncé is not even scheduled to perform there at all.
Ah, right. Yeah.
And it was such a problem that the official South African minister tried to set the record straight last week in a very clear warning.
Hang on, South Africa has an official Beyoncé minister?
Not a Beyoncé minister, a governmental official minister. He's saying some of you are buying tickets, it's a scam. Beyoncé is coming, but not now. Don't buy tickets for Beyoncé. So I'm not sure that's super clear. But so what do you do? What do you do if you want to see a big band?
Watch it on the telly instead, because you'll get a better view and you can watch it from your sofa and the popcorn costs less. Oh, it's not the same. It was rubbish seeing the Red Hot Chili Peppers. I've got to be honest with you. Oh, I couldn't stand it.
Nick Cave was extraordinary.
Well, Nick Cave is cool. I have to say, much cooler than the Red Hot Chili Peppers. But yeah, okay. So what do you do? I guess you go to official outlets, do you?
Well, but see, I can understand when people— when there's no tickets left on the official platforms, right? That's what happens. So people, they say to avoid things like Facebook Marketplace, Instagram, and Craigslist. They're filled with fake ticket sellers. This is according to McAfee. And if you didn't get tickets during the official sale, be cautious about where you're looking, right?
Because I had tickets for a theatre show recently, which I had booked months in advance. I then found we were unable, our group were unable to go and attend it. And so I had to try and find somewhere to sell them. And it wasn't very easy to do. So that's the other problem, I suppose, is if you genuinely do have tickets and you want to sell them to someone, if you can't sell them to somebody you know, where are you meant to go? Because you could get scammed that way too, couldn't you?
You're supposed to go back to the Ticketmaster exchange place or ViaGoGo. Oh, right. You can't do it from those kinds of sites, apparently. Yeah, obviously discounted tickets that seem too cheap are a warning sign. I know it's something that is very delicious to imagine that you've got a few hundred quid off these very extraordinarily expensive tickets, but it's pretty—
Look for the reassuringly expensive ones instead.
Exactly.
The scammers must love you, Carole. This is a bit I'm talking about ransomware last week.
There are duplicate ticket scams. So even if you get a real ticket, that doesn't mean it's yours alone. Some scammers sell the same ticket to multiple people, leading to chaos when all the buyers show up at the event going, "Uh, that's my seat." "No, I think you'll find that's my seat." "No, I think you'll find—" You have to sit on each other's lap. They also cite ticket takeovers. This is where scammers hack into Ticketmaster accounts and transfer the tickets to themselves. You know, and they can effectively lock the rightful owner out of their seat. So you might receive a flood of emails including notifications of ticket transfers you've never authorized, and then before you know what's going on, the tickets are gone.
That's bad.
So yeah, in short, buy from official sources. Use a credit card because then there's some recourse to get some of the money back should you get duped. A very obvious one: double-check the URL you're buying from and avoid high-pressure sales tactics. Why would they need you to act fast if Ozzy Osbourne sells out in 16 minutes?
Because Ozzy Osbourne doesn't do anything fast, does he? I just Googled—
I'm Googling while we're talking, and it is true. He literally— he thought the bat was a rubber toy, not a real bat. Oh my goodness. It happened in '82. A fan threw a real bat on the stage. He thought it was fake. And he bit it. But apparently not only was the bat alive, but it managed to bite him and he needed to be treated for rabies. Quite right too.
Imagine what the bat might have caught from Ozzy Osbourne.
AI tools are everywhere and employees are feeding them sensitive data, often without realising the risks. And some of these tools train on that data. Others store it insecurely.
And that's where Harmonic Security comes in. They give security teams total visibility into how AI is being used across their orgs while making sure sensitive data never leaks into GenAI or AI-powered SaaS.
Their secret: specialized pre-trained small language models that detect sensitive data in real time without the endless false positives of traditional DLP. No complicated regex, no training on customer data, just instant, accurate protection.
Yeah, 'cause with Harmonic, you don't have to hope employees follow your AI policy. You can enforce secure, responsible GenAI use without slowing anyone down. Help your workforce embrace GenAI securely. Visit harmonic.security to learn more. That's harmonic.security.
Smashing Security.
Here's a shocking reality. Traditional security tools are completely broken when it comes to managing today's massive log volumes. Companies are paying millions per year just to keep up, and they're still falling behind. That's why everyone's moving their logs to data lakes. It's just more cost efficient. But there's a catch. Data lakes are incredibly complex to use, especially when you're dealing with loading dozens of log sources into SQL tables with strict schema requirements.
And that's where scanner.dev comes in. They've revolutionized security data lakes by making them truly simple to operate. Their platform offers schemaless log data indexing, which means you can dump in your logs without worrying about structure. And the best part, your data never leaves your S3 buckets. You maintain complete custody at all times. Need to hunt for threats?
Scanner lets you search through petabytes of logs in seconds, not hours. And for your security team, we've made detections as code a breeze with CI/CD that syncs directly with GitHub.
No more complex queries or waiting hours for results. Visit scanner.dev today and try out their interactive playground. That's scanner.dev, where security meets simplicity.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? Nice rhetorical question there.
Well, 1Password has an answer to it though. It's Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to 1Password.com/Smashing. That is 1Password.com/Smashing.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. It better not be. Well, my Pick of the Week this week is not security related. My Pick of the Week this week was chosen by me because of something which happened to me this morning. I woke up in bed and my wife said, "Oh, do you fancy going and making me a cup of tea?" And I said, "Of course, that'd be fine." They go on and on and on, and it can be exhausting that I keep on hiccuping. So there I was, lying in the bed, hiccuping away. My wife said to me, haven't you got a way of stopping the hiccups you were telling me about once? I said, yes, I do. And in fact, it was a pick of the week on the show, wasn't it? No, it hasn't been a pick of the week before. I don't think so. Hang on, let's just have a look. Oh God. Okay, hang on. Search. I've gone to the Pick of the Week page. No, we're in the clear. We are in the clear. Okay. So, what you do is you take the thumb on your left hand. Right? And you press down hard on it with your other thumb, the thumb on your right hand, between the right-hand thumb and your right first finger knuckle. Press hard down on the nail, looking all the time, breathing slowly. Go into your Zen mode. And you will find your hiccups disappear. This has worked for me now for years. I do it too. So there you go. There you go. And it really, really does work. I'll put a link in the show notes as well where you can actually see my thumbs in their positions so you can see just how well this actually works. Can I just tell you something?
Because I know you're very upset about hiccups, but Charles Osborne—I know, no relation to Ozzy Osbourne—started hiccupping in 1922. He's not still going now, is he? While attempting to weigh a hog before slaughtering. He was unable to find a cure, but led a normal life in which he had two wives and fathered eight children. He continued until a morning in February 1990. This is according to Guinness World Records.
You can't father children while hiccuping. That ruins the mood. 78 years of hiccupping and you would have what, an hour? If only he knew you. Carole, what's your pick of the week?
This is going to be an interesting one. It's a podcast called The Telepathy Tapes. So documentarian host Ky Dickens explores the hidden world of nonverbal autistic kids. And discovers that they may have telepathic abilities. It sounds crazy, bizarre stuff of science fiction.
So kids who have got autism and are nonverbal, so they don't speak at all, but they have another way of communicating. This podcast says it's somehow telepathy that they're using. Right. Bit wacky.
The host, along with a neuroscientist, conducts dozens of tests, right? And becomes ever more convinced that it's true, and says things like, if this research were to be widely accepted rather than disbelieved and derided, then it could change everything. If. Now, it's a fun concept because just the thought that there's a body of people that may have an ability that other people do not have is kind of cool. But it gets difficult. The podcast started last year, 2024. It's trying to get people, listeners, to believe something that apparently the science community is intent on not acknowledging. And I just think it's a difficult message to get across during the time of disinformation because all the things that a scammer would use, they use on this show to try and convince you, because they work. We listen in on tests with the host constantly reminding us that it's impossible to cheat. And these kids do these extraordinary things, and the pod producers, their minds are blown.
Are the kids in the same room, or are they separately located? All this stuff.
She's like, I just want you to know right now they're in different rooms. There's no way that they can see the iPad. We have a random generator.
Are you sure this isn't a drama masquerading as a real-life podcast?
No, because I am very, very susceptible to those kind of things and I'm aware of that. So it's just why I'm making a Pick of the Week. I think it is positing to be true and not a drama. It's totally designed to convince because they know that people are going to be skeptical. It seems designed that way. There was even a skeptical member of the podcast crew whose mind is changed. And then there's video evidence on the podcast site. So Lifehacker says, "Okay, despite its captivating production, sincere interviews, and experts with advanced degrees, everything presented in The Telepathy Tapes has a non-supernatural explanation. Nothing here is even new." Okay, it was new to me. "It's all slightly spun versions of claims that were debunked over 100 years ago." So that's what they say.
So you've listened to the show. What kind of things have these kids done?
So they can meet in their minds together on this place called the hill.
Well, like a Zoom call.
Kind of like a Zoom call without video. Well, what does that mean? And they can talk to each other.
But hang on, how does that exhibit itself? Because they're not talking. Are they writing down, "I've just met Brian on a hill and we've had a chat with each other"? How do they—
I think, Graham, you sound skeptical. I would urge you to take a listen. I think you would find it very amusing. You and your other half, you guys should listen into it together, because you'll have some very enjoyable conversations. It's fascinating. The Telepathy Tapes. I have no idea. This is not my area of expertise. Whether it's true or not true did not stop me from enjoying it. So I say check it out. Make your own mind up.
What they need to do is they need to bring in a mentalist. So magicians who actually specialize in these kind of tricks, these conjuring tricks, who know all the tricks to see if they are able to do it as well, to fool the scientists.
One of the tests, for example, would be, "Okay, can you guess? We have a random generator on this iPad. I know what the number is. Can you tell me what the number is?"
Okay, well, what's the range? Let me have a go. From 1 to 10. Oh, it's 4.
Listeners, it's 4. Anyway, there you go.
There you go.
Enjoy it. It's great. My pick of the week, The Telepathy Tapes. Fascinating.
Now, Carole, you've been chatting to the folks at scanner.dev this week, haven't you?
Yes, I have. And I learned all about data lakes and how you can make them work for you. What is a data lake, you ask? Listen up. Today we are chatting with Cliff Crosland. He's CEO and co-founder of scanner.dev. Now scanner.dev have a logging tool called Scanner. Scanner turns raw logging data or raw log data into searchable material, whether it's a critical security event or insights hidden deep within the logs. And we listeners are going to find out how this works from the head honcho. So Cliff Crosland, welcome to Smashing Security. Thank you so much, Carole. Great to be here. Well, thank you for being here. Now, first, maybe we can start with you giving a better introduction about you. So we want to know how you ended up not only co-founding, but heading up Scanner.
Yeah, for sure. So I'm a software engineer. I've worked on a bunch of different things related to data infrastructure at a prior startup. My co-founder and I, we were responsible for the security logs and all of the application debugging logs. And we had a huge amount of pain and suffering when it came to how expensive they got and how challenging it was to derive insights from logs at massive scale. So we just wanted to solve this problem, to make it easier for people to understand and solve complex security problems using their log data. We jumped in after the startup was acquired by Cisco, and that was fun to be there for a bit. We wanted to solve this problem for ourselves and for other people. So we jumped in and we built out Scanner to make logs way easier and way less expensive. We're passionate about something that is probably a little bit boring to people, which is just massive log data. But to us, they're fascinating. You can build a whole view of what's happening inside of an organization, what's happening inside of your app, what's happening across your IT. You're the Wizard of Oz. Yes. Yeah, peeking down and trying to figure out what's really happening behind the curtain. So we love massive amounts of log data. It's rare to find people like that, but that's us for sure.
I have to be honest, I don't know a lot about security logging. I should know a lot more than I do, and I don't know anything about how it's evolved or matured through the years. So this must be weird to you. This must be a word you use about 100 times a day, but maybe you can set the scene for me.
A fun example to maybe start with is a recent story that you and Graham and Dave covered a couple episodes ago about the Path of Exile 2 hack. The game got hacked. People had items stolen, digital goods stolen. And one of the challenges they ran into was they wanted to track down and see what happened, who hacked them, how did this take place, who was affected, but they only had 30 days of log retention. So they could only go back in the past so far. Yeah, everyone was up in arms, right?
The company, the players.
Yeah, yes. And this happens all the time. Okta had a breach, you know, really core identity provider and login service provider. One of the things that security teams really find useful to do forensics and track down what's going on with threat activity is log data. And log data is basically like a surveillance camera recording everything that's going on in your organization, in your servers, in all of your cloud tools, what's happening in Slack, what's happening in Microsoft Teams, in your Google Workspace and who's sharing what documents and so on. Just recording everything that's happening. And then that information is super helpful to dive into as a security team and say, "Okay, there's something weird going on. This one employee is starting to share tons and tons of Google documents outside of the org. Let's double-click into that." People are using more and more tools. They're using multiple cloud providers. Each cloud has a million different services that they provide, and each one of those generates logs. You have all these little log messages with timestamps and information about who's doing what. That can get extremely expensive. So teams like the Path of Exile 2 developers, totally understandable why people only keep 30 days of logs around because once you get to a terabyte of logs a day, which happens quickly, that can cost $1 million a year. That's what happened. That's what happened with our prior startup. We grew quickly. We generated lots of logs and then our logging tool, the license got tripped. We exceeded it and we asked them, "Okay, well, if we were to expand it to cover ourselves, how much would it cost?" And it was, "Well, you're at about a terabyte, so it might be something like $1.2 million a year."
You were, "What? Excuse me? Okay."
That's more than our entire employee budget. What is happening? Yeah, we really think at Scanner that the architecture of traditional logging tools is just broken for modern log volumes. And there's just a very different, really cool new pattern that's emerging to handle logs. It's still early and there's a lot that needs to be built to make the experience better. But yeah, there are new approaches that will reduce the costs by 80 or 90% and make it actually reasonable for teams to keep more than 30 days of logs.
I guess in a security incident or a security event situation, obviously there's huge time constraints. You want to get everything sorted and people want answers quickly. And there's people knocking at the door, both the press, your clients, your partners. How are people dealing with that right now? Generally? Yes, the—
It is really interesting. What often happens is a threat report comes out, like this particular vendor got breached, and here is a list of all of the malicious IP addresses that we detected as part of this breach. And so then they'll publish that to everyone and say, go and look and see if you've been affected by this. And if you find these IP addresses in your logs somewhere, or these domains or these malware file hashes, someone in an organization has downloaded these and is running them on their computer, you might be exposed. And so they'll jump into the traditional log tools. And then they'll be able to run searches over maybe, you know, a couple of weeks or 30 days or something like that. And if they can't find it, they'll then do this really painstaking process of going into their archives. If they have archives, hopefully they do, but often they don't. They have like the 30 days in there and that's it. Other teams who have archives, they can try to pull them in and do this process of rehydrating logs, it's called, but it's like going back and trying to pull in old data, pull them back into their log tool. That can take days. We've talked to folks where it takes weeks and just answering the question from, you know, like your CTO or your CISO or somebody at the organization who said, oh, this threat is something we're scared of. Can you tell us, like, have we ever been exposed to this over the past 6 months? And that question can take like a week to answer or weeks, or maybe you never answer it.
And a very stressful week in some situations in some companies, I imagine. If I can pivot here, this is where I'm guessing this is where Scanner.dev comes in, right? Because as you introed, you wanted to solve this problem and you filled it in really well. I feel it now. So how are you addressing all these pain points?
Anyone who has log data, we think the future is in data lakes. And a data lake is just a funny term that evolved from the term data warehouse. And so I'll start there. A data warehouse is like a giant database where everything is like neatly organized in, you know, rows and shelves and aisles and so on. Data warehouses were designed for business data, like business analytics data that's very well structured. Like, here are the purchases from this customer in this place. And so data warehouses, what you do is you have tons of data, but you do a lot of work to make it super, super structured and organized. A data lake is just this place where you pour in data of many different kinds that's way less organized.
Sounds like my desktop. Yes, yes, exactly.
Yeah, with a million files or screenshots or whatever, or a desktop in real life with papers everywhere. Mine too. I've got a bunch of toddler artwork on my desk at the moment. Anyway, so a data lake, the idea is you can take data from many different sources with many different formats. Some are really structured, some are really messy, some are in between semi-structured data, and you just pour it into this storage location basically. And the cool thing about a data lake is it's a lot easier. You just kind of dump the data in there and you use cloud storage for this, which is so much cheaper. Traditional tools, it will cost a couple of dollars per gigabyte or something, which ends up being way expensive at scale. And cloud storage costs just a few cents per gigabyte per month. And so it's just a very different experience to use a data lake and to store all this data in a big cloud storage that can kind of grow forever. You can put a little bit of data, you can put a ton of data. Because the data's so messy, it can be a huge pain to analyze it. Some teams have to do a huge amount of work to organize the data and kind of turn it into a data warehouse. It's actually called data lakehouse. It's kind of weird, it's in between the two where it's kind of messy, but more structured so that people can analyze it. It's so much data that data lakes are often very slow and very hard to use. And at Scanner, we really want data lakes to be just trivial to use. You just point Scanner at your messy data. It will index it for fast search. It will organize it. It will transform it to make it better for security use cases to point out different users or different IP addresses that are involved in logs. Yes, Scanner, we just wanna make it way, way cheaper and way easier to use logging data at scale. And we think data lakes are the future and we think data lakes need to be easier to use. And that's what Scanner is all about, making data lakes easy and super, super fast to search.
It sounds so good. What is your thing that you think is just so utterly brilliant and you're the proudest of?
Yes, the thing about Scanner that I really am proud of is how fast it is. So data lakes are in their infancy, I would say. And a lot of the time when you do a search for something, it can take hours or days to run a search over all of this data. And in Scanner, we'll have teams jump in and then they'll copy paste in a list of IP addresses, which were just divulged in a threat report. And they'll get an answer in 20 seconds. They can not only just answer one question or a few questions a day, suddenly they're starting to ask dozens of questions and follow many different leads to go and trace through what happened, what a threat did in this case, if there are other threats related to this one, are there other employees that have been impacted, what services did they touch? They can just very rapidly search through data really fast. Yeah, we're kind of obsessed with speed at Scanner.
You know what's good though about that, that you may not have thought of before though, as well: I've had to do searches before in BigQuery, and it takes forever and takes forever, takes forever, and it turns out the thing's hung. Right? The thing is hung, and I didn't spot it, and it might have hung 5 hours earlier, and I didn't even notice it happening. So you solved that problem just by being speedy. So I love that. I love it for that as well. Is there anything to add? We're fast running out of time. I'm just fascinated by all this. I'm learning tons. Is there anything you'd like to add before we close?
Yes, I think one thing we're excited about in the future of data lakes is how AI is going to be used. AI is really great at taking the mess and making it organized and then also taking custom data and then coming up with a common schema and also just helping you take a bunch of messy logs and just explain them to you and explain alerts and look at high-level patterns. So we're really excited about what's going to happen there in the future to take messy data and just make that easier and easier and easier and more and more trivial to get answers from. The way that this is working with data lakes and the costs are going to come down, it's going to get easier and easier to answer questions and more people beyond security are going to get benefit from all of this data. So it should be pretty cool. It'll be a little while, the next couple of years, with AI. But yeah, it's going to be really fun to watch this unfold.
Do you know what? I'm going to coin it right now. Data Sea, Data Ocean.
Exactly. Exactly. TM Smashing Security. Yes. Way bigger than a lake. Yeah.
Smashing Security listeners, you can learn loads more about Scanner at the website scanner.dev. That's scanner.dev. And Cliff Crosland, CEO and co-founder of scanner.dev. It's been a joy speaking with you. Thank you so much for making time in your early morning.
Thank you so much for having me.
Thank you. And now I know so much more about security logging and logging in general, and I just feel smart.
Fascinating stuff. And that just about wraps up the show for this week. Don't forget, you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget as well, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, scanner.dev, 1Password, and Harmonic. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 404 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye.
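As an added illustration of the threat-report sweep Cliff describes in the interview (a published list of IP addresses, domains and file hashes, searched across however many days of logs you still hold), here is a small Python example. It is not Scanner's code and does not use its API; the log lines, the indicator values (documentation IP ranges, an example.net name, a dummy hash) and the retention figures are all constructed placeholders. Its one extra point beyond the conversation is that the sweep reports how many days of the question it could not answer because the logs had already rotated out.

```python
"""Sweep retained logs for threat-report indicators (added example).

Not Scanner's code; it does not use Scanner's API. SAMPLE_LOGS, the
indicator values and the retention numbers are constructed for this
illustration only.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed indicators in the shape a threat report publishes them.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the hash is a dummy.
THREAT_REPORT_IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"deadbeef" * 8},
}

# Constructed log lines: "<ISO timestamp> <source>: <message>" in mixed formats,
# deliberately messy, as data poured into a lake tends to be.
SAMPLE_LOGS = "\n".join([
    "2025-01-05T14:22:10Z sshd[1902]: Failed password for admin from 198.51.100.7 port 39910",
    "2025-02-01T09:12:03Z sshd[2211]: Accepted publickey for deploy from 10.0.4.12 port 51022",
    '2025-02-03T17:40:19Z dns: {"host":"laptop-17","qname":"update-check.example.net","rcode":"NOERROR"}',
    "2025-02-10T22:05:44Z proxy: CONNECT 203.0.113.45:443 user=j.doe bytes_out=18322",
    "2025-02-14T08:01:00Z edr: file_create path=/tmp/.cache/svc sha256=" + "deadbeef" * 8,
    "2025-02-20T11:30:27Z sshd[4810]: Failed password for root from 198.51.100.7 port 40022",
    '2025-03-01T06:00:02Z nginx: 10.0.4.12 - - "GET /healthz HTTP/1.1" 200',
])

# Pull every candidate token out of a line, then intersect with the indicator
# sets. The intersection is what keeps false positives out: "j.doe" looks like
# a domain to the regex but is not on the list.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}

# Fixed "now" so the example and its retention arithmetic are reproducible.
REFERENCE_NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Hit:
    ts: datetime
    kind: str
    indicator: str
    line: str


def parse_ts(token):
    """ISO-8601 with a trailing Z, normalised so older Pythons accept it."""
    return datetime.fromisoformat(token.replace("Z", "+00:00"))


def sweep(log_text, iocs, now, lookback_days, retention_days):
    """Return (hits, blind_days).

    hits: indicator matches inside both the question window and the retention
    window, oldest first. blind_days: the part of the requested lookback that
    cannot be answered because those logs were already rotated out (the
    30-day problem from the interview).
    """
    retained_from = now - timedelta(days=retention_days)
    asked_from = now - timedelta(days=lookback_days)
    hits = []
    for line in log_text.splitlines():
        ts_token, _, msg = line.partition(" ")
        ts = parse_ts(ts_token)
        if ts < retained_from or ts < asked_from:
            continue  # rotated out, or outside the question being asked
        for kind, rx in EXTRACTORS.items():
            wanted = {i.lower() for i in iocs[kind]}
            found = {m.lower() for m in rx.findall(msg)} & wanted
            for indicator in sorted(found):
                hits.append(Hit(ts, kind, indicator, line))
    hits.sort(key=lambda h: h.ts)
    return hits, max(0, lookback_days - retention_days)


def main():
    # "Have we ever been exposed to this over the past 6 months?" asked against
    # a 30-day and a 90-day retention window.
    for retention in (30, 90):
        hits, blind = sweep(SAMPLE_LOGS, THREAT_REPORT_IOCS, REFERENCE_NOW, 180, retention)
        print(f"retention={retention}d: {len(hits)} hit(s), blind for {blind} of 180 days")
        for h in hits:
            print(f"  {h.ts:%Y-%m-%d} {h.kind:7} {h.indicator}  <- {h.line[:60]}")


if __name__ == "__main__":
    main()
```

With 30 days of retention the January brute-force attempt from the listed IP never appears in the answer, and the sweep says so by reporting 150 blind days; with 90 days it is the oldest hit. That is the gap the interview is about: the search itself is cheap, the retention is what decides whether the question is answerable.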
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox – US Dept of Justice.
- BTC-e Operator Pleads Guilty to Money Laundering Conspiracy – US Dept of Justice.
- US releases Russian cybercriminal as part of exchange for teacher Marc Fogel – The Guardian.
- Lloyds Bank issues urgent warning over Taylor Swift ticket scams – Lloyds.
- Warning after more than 120k people queue for Black Sabbath Villa Park tickets as fans say ‘scam’ – Birmingham Live.
- ‘Don’t buy tickets for Beyoncé’ – Minister Gayton McKenzie warns South Africans of concert scam – Independent Online.
- Beyonce Cowboy Carter tour fake tickets scam: Ticketmaster warns fans – USA Today.
- Singapore ticket scam queen jailed for three years after conning 76 Taylor Swift fans of S$110,000 – Malaysia News.
- Did Ozzy Osbourne really eat a bat? – Rock and Roll Garage.
- How to stop hiccups – Graham Cluley.
- The Telepathy Tapes podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
- Scanner.dev provides a new technology offering fast search and threat detections for security data in S3 helping teams reduce the total cost of ownership of their SIEM by up to 90%. Try the interactive playground at scanner.dev/demo
- Harmonic – Stop data leaks, not innovation. Zero-touch data protection for the GenAI era.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
