In episode 406 of the “Smashing Security” podcast, we explore how the cryptocurrency exchange Bybit has been hacked to the jaw-dropping tune of $1.5 billion, and we look at what is being done to better defend women and girls’ safety online.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Kroll would say, "I don't think it's right that we've received 100 million in the Smashing Security cryptocurrency account.
I think we should report it to somebody." Smashing Security, Episode 406: History's Biggest Heist Just Happened, and Online Abuse. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 406. My name's Graham Cluley.
I think we should report it to somebody." Smashing Security, Episode 406: History's Biggest Heist Just Happened, and Online Abuse. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 406. My name's Graham Cluley.
And I'm Carole Theriault.
Hello, Carole. Great to be back in the UK. I've just spent a day in Orlando where I was speaking at the ThreatLocker Zero Trust World Conference.
Great to hand out some Smashing Security stickers to the folks there. So thanks to everyone who came along to that.
Great to hand out some Smashing Security stickers to the folks there. So thanks to everyone who came along to that.
That sounds fantastic. How about we get this show on the road? Let's thank this week's wonderful sponsors, 1Password and scanner.dev.
It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
I'm gonna be talking about what appears to be the biggest theft in history.
Okay, and I'm gonna ask whether this new regulation is gonna test the mettle of the cyber bullies. All this and much more coming up on this episode of Smashing Security.
Now, chums, the world of crime. I don't know how closely you follow that world, Carole.
Not very at all. Although, no, I do, you know—
The true crime podcast?
Yeah, I an occasional one, a limited series, that sort of thing. But I used to listen to a lot of that stuff, and I think I got a bit bored of it.
There's a lot of it out there, isn't there?
There's a lot of it out there, isn't there?
I certainly think true crime can be more interesting sometimes than fictional crime. And going back in history, I was reading today about some of the greatest heists in history.
In 1963, for instance, a gang of men, Ronnie Biggs amongst them, stopped a Royal Mail train travelling from Glasgow to London. Escaped with over £2.6 million.
In today's money, that's around £57 million. They made movies about it. The robbers became celebrities.
In 1963, for instance, a gang of men, Ronnie Biggs amongst them, stopped a Royal Mail train travelling from Glasgow to London. Escaped with over £2.6 million.
In today's money, that's around £57 million. They made movies about it. The robbers became celebrities.
Aren't you loosely related to that incident in some way?
Sorry? What?
No, but are you related to someone or— No, am I making—
Related to a great train robber?
Loosely? No, there's no kind of 7 degrees of separation.
I'm loosely related to '70s singer Leo Sayer.
How did I pick that up?
I don't think he's the sort of chap you want robbing a train.
He'd make a lot of noise singing down the tracks.
Anyway, so in today's money, they made about £57 million. Not really worth getting out of bed for, even if you didn't have to share it amongst 15 other members of your gang.
In 1987, so 24 years later, thieves stole £60 million worth of cash and jewels and bonds in the Knightsbridge Security Deposit robbery. Again, chicken feed, £60 million, big deal.
Not worth putting a stocking over your head. In 2003, a further 16 years later, look at me doing the maths in real time. A group of thieves called the School of Turin.
Now I dunno if they set themselves up as some sort of academic establishment or tried to disguise themselves as a university.
Anyway, this gang, they called themselves the School of Turin. They struck in Antwerp and they stole over $100 million worth of diamonds, gold, and silver.
And that was a high-profile heist because they defeated infrared heat sensors, seismic sensors. Even if a drop of sweat fell on the floor, it could have been picked up.
A Doppler radar they had protecting these things. It was pretty high-tech stuff.
In 1987, so 24 years later, thieves stole £60 million worth of cash and jewels and bonds in the Knightsbridge Security Deposit robbery. Again, chicken feed, £60 million, big deal.
Not worth putting a stocking over your head. In 2003, a further 16 years later, look at me doing the maths in real time. A group of thieves called the School of Turin.
Now I dunno if they set themselves up as some sort of academic establishment or tried to disguise themselves as a university.
Anyway, this gang, they called themselves the School of Turin. They struck in Antwerp and they stole over $100 million worth of diamonds, gold, and silver.
And that was a high-profile heist because they defeated infrared heat sensors, seismic sensors. Even if a drop of sweat fell on the floor, it could have been picked up.
A Doppler radar they had protecting these things. It was pretty high-tech stuff.
It's Thom Cruise action.
It does sound like that. And there was a lock with over 100 million possible combinations. They got past that and they stole $100 million worth. All about—
They got past a lock of 100 million possible combinations.
Yeah, exactly.
But they hang out for quite some time.
And last Friday, another heist took place, which arguably casts all of those into the shadows. It is the biggest theft in history. Have you heard about it?
No, not yet. I'm waiting to know what it is.
Well, it doesn't involve gymnastics, doesn't defeat radar.
They didn't even bother setting a foot in the place that they were robbing because what they did was they hacked a cryptocurrency exchange to the tune of $1.4 billion.
They didn't even bother setting a foot in the place that they were robbing because what they did was they hacked a cryptocurrency exchange to the tune of $1.4 billion.
Okay, that's a lot of wonga.
It's a fair bit, isn't it? Now, like I said, it was a cryptocurrency exchange which they hit.
And if you don't live in the world of cryptocurrency, you may not have heard of Bybit, B-Y-B-I-T. But they are one of the world's largest cryptocurrency exchanges.
And this theft of roundabout, actually, is $1.5 billion.
Doesn't just represent the largest cryptocurrency heist in history, but it's also, it seems, the largest robbery of any kind in history. So take that, Great Train Robbers.
Take that, Belgian School of Turin, or whatever you were stealing the diamonds. Happened last Friday, February 21st.
And I'm going to tell you the story of what happened because we already know some of the details.
And if you don't live in the world of cryptocurrency, you may not have heard of Bybit, B-Y-B-I-T. But they are one of the world's largest cryptocurrency exchanges.
And this theft of roundabout, actually, is $1.5 billion.
Doesn't just represent the largest cryptocurrency heist in history, but it's also, it seems, the largest robbery of any kind in history. So take that, Great Train Robbers.
Take that, Belgian School of Turin, or whatever you were stealing the diamonds. Happened last Friday, February 21st.
And I'm going to tell you the story of what happened because we already know some of the details.
Okay.
Firstly, it's important to understand how cryptocurrency exchanges secure their cryptocurrency, because obviously they've got more cryptocurrency than anybody else, right?
And what they do is they split their cryptocurrency holdings between two kinds of wallet.
And what they do is they split their cryptocurrency holdings between two kinds of wallet.
Okay.
You have a hot wallet and you have a cold wallet.
Is that like one that's being accessed fairly regularly versus one that's kind of dormant?
Absolutely.
Okay.
So the hot wallet, that stores a small percentage of all the cryptocurrency your cryptocurrency exchange has, maybe 5 or 10%, perhaps.
That's stored in a hot wallet, has one big benefit and one big drawback. The big benefit is that because they're connected to the internet, they're faster and easier to access.
That's stored in a hot wallet, has one big benefit and one big drawback. The big benefit is that because they're connected to the internet, they're faster and easier to access.
Mm-hmm.
The big drawback is, of course, that because they're connected to the internet, it makes them much more vulnerable to hackers.
Aha. Interesting.
But what you do is you store most of your cryptocurrency, if you're a cryptocurrency exchange, in the cold wallet, which is not connected to the internet.
It's offline, it may be on a USB drive or a hard drive. It's stored in a secure undisclosed location. It's air-gapped, it's not connected to anything.
And that makes it nearly impossible to remotely hack.
It's offline, it may be on a USB drive or a hard drive. It's stored in a secure undisclosed location. It's air-gapped, it's not connected to anything.
And that makes it nearly impossible to remotely hack.
You'd kind of think that users would do that too. Like lots of people do that in banking, right?
They'll have a bank account where they tap, tap away, you know, to make all kinds of day-to-day payments.
And another one that's kind of more secure and, you know, with more, go through bells and whistles to get it done.
They'll have a bank account where they tap, tap away, you know, to make all kinds of day-to-day payments.
And another one that's kind of more secure and, you know, with more, go through bells and whistles to get it done.
Well, I am looking right now in front of me. I have my cold wallet because I have a cryptocurrency cold wallet.
Hasn't got very much cryptocurrency on it, unfortunately, but it's just a small little USB drive which connects to my computer.
If I do want to access my wallet, I have to plug it in to use it and to access it. So you can do this as an individual as well.
In fact, I would recommend it rather than storing all of your millions of cryptocurrency in a cryptocurrency exchange, which may get hacked or in a software wallet on your mobile phone, which could be more at risk.
Hasn't got very much cryptocurrency on it, unfortunately, but it's just a small little USB drive which connects to my computer.
If I do want to access my wallet, I have to plug it in to use it and to access it. So you can do this as an individual as well.
In fact, I would recommend it rather than storing all of your millions of cryptocurrency in a cryptocurrency exchange, which may get hacked or in a software wallet on your mobile phone, which could be more at risk.
And actually, I would say I don't think just people with millions. I think even if you have tens of thousands, that's still a lot of money, right?
Yes.
Don't keep it just sitting around.
If you're like me and you have £7.24 in cryptocurrency, yes, I'm keeping it.
Though, to be honest, the cold wallet costs much more than the cryptocurrency is containing at the moment.
So it's on a USB drive, it's on a hard drive, it's air-gapped, shouldn't be possible to hack.
And most of a cryptocurrency exchange's assets would be stored in a cold wallet like that.
But every now and then, a cryptocurrency exchange will want to move some funds from its cold wallet to its warm wallet, right?
Or if it gets an awful lot of new cryptocurrency coming in, which is stored on its warm wallet, it may say, well, we don't need all of that in the warm wallet anymore.
Let's move some of that safely back to the cold wallet.
Though, to be honest, the cold wallet costs much more than the cryptocurrency is containing at the moment.
So it's on a USB drive, it's on a hard drive, it's air-gapped, shouldn't be possible to hack.
And most of a cryptocurrency exchange's assets would be stored in a cold wallet like that.
But every now and then, a cryptocurrency exchange will want to move some funds from its cold wallet to its warm wallet, right?
Or if it gets an awful lot of new cryptocurrency coming in, which is stored on its warm wallet, it may say, well, we don't need all of that in the warm wallet anymore.
Let's move some of that safely back to the cold wallet.
Yeah, yeah. They only need about 15% active or 10% active, you said. So yeah, if it gets too fat, chump it off, right?
So what Bybit did was that every 2 to 3 weeks, whenever they felt their warm wallet needed to be topped up with some funds, they would move it from their cold wallet into their warm wallet.
Now, obviously, you want to be really careful when you make a transfer like that.
You don't want anyone who doesn't have proper authority to move the funds, and you want to make sure that they're going from your cold wallet into your warm wallet, not to anyone else's account, right?
You want to make sure any money you take out of the cold wallet really is going into the right warm wallet, the one which is your possession.
Now, obviously, you want to be really careful when you make a transfer like that.
You don't want anyone who doesn't have proper authority to move the funds, and you want to make sure that they're going from your cold wallet into your warm wallet, not to anyone else's account, right?
You want to make sure any money you take out of the cold wallet really is going into the right warm wallet, the one which is your possession.
Okay. Okay. If suddenly $100 million showed up in your little Bitcoin account, would you just shut up about it and keep it, or would you try and find whose it was to return it?
Well, I'll let you know the answer to that if that ever happens to me. I think the thing is these days it would be considered suspicious, wouldn't it?
Well, so what? Just the ethics. I'm just—
Okay, well, you know, I mean, you would hide it.
What?
Well, I don't know where I would hide it. No, I think it would be declared to HMRC anyway.
I think that the cryptocurrency exchange would say, surprisingly, this guy who only had £7.24 now has £107.24 instead. What's he been up to?
How's he managed to make all this money?
I think that the cryptocurrency exchange would say, surprisingly, this guy who only had £7.24 now has £107.24 instead. What's he been up to?
How's he managed to make all this money?
So listeners, don't count on Graham for honesty. That's all I'm saying. Okay, carry on. Sorry.
So the way in which Bybit, like many other exchanges, handles this transfer, and to be really careful of it, is they make use of multi-signature technology.
So that's like having 3 different people holding 3 different keys to unlock a bank vault. No single person can open the vault. They all have to work together in coordination.
So that's like having 3 different people holding 3 different keys to unlock a bank vault. No single person can open the vault. They all have to work together in coordination.
Probably some eye scans, some secret handshakes, all sorts of stuff.
It could be things like that. And the idea is to reduce the chances that one rogue insider can make off with all of the money. You know, you'd all have to be in cahoots to do it.
And hopefully someone would say, I don't think we should be doing this.
Or Carole would say, I don't think it's right that we've received $100 million in the Smashing Security cryptocurrency account. I think we should report it to somebody.
So unfortunately, it appears that hackers broke into Bybit's network, their internal infrastructure at their HQ in Singapore, identified who had signing rights to move the company's funds to fill up the hot wallet, and then infected their devices with malware.
And hopefully someone would say, I don't think we should be doing this.
Or Carole would say, I don't think it's right that we've received $100 million in the Smashing Security cryptocurrency account. I think we should report it to somebody.
So unfortunately, it appears that hackers broke into Bybit's network, their internal infrastructure at their HQ in Singapore, identified who had signing rights to move the company's funds to fill up the hot wallet, and then infected their devices with malware.
Wow.
And according to Bybit CEO and founder Ben Cho, he says when his company tried to top up the Bybit hot wallet on Friday with funds from the cold wallet, the hackers had changed the user interface of the software they were using.
Oh, that's so clever and awful. I'm just picturing it. I'm imagining it, right? You'd just be sitting there and you don't know where anything is. Where's the delete button?
You can imagine it in a Mission: Impossible movie, can't you?
So the user interface, it showed a different legitimate cryptocurrency transaction than the one which multiple staff were unwittingly actually signing.
So it looked all legitimate to the eye. They would've done their checks, they'd have opened the software, say, yep, that's fine, I'm gonna sign off on that.
That is the correct wallet which this money's going to. But actually behind the scenes, the software was actually sending it somewhere else.
And so they did the signing, they weren't suspicious, and it was only a couple of hours later when they realized what they'd done.
So the user interface, it showed a different legitimate cryptocurrency transaction than the one which multiple staff were unwittingly actually signing.
So it looked all legitimate to the eye. They would've done their checks, they'd have opened the software, say, yep, that's fine, I'm gonna sign off on that.
That is the correct wallet which this money's going to. But actually behind the scenes, the software was actually sending it somewhere else.
And so they did the signing, they weren't suspicious, and it was only a couple of hours later when they realized what they'd done.
My first instinct is inside job. It's gotta be somewhere because how could they have access?
It's interesting, isn't it? Maybe someone on the inside could have helped the hackers break in.
I mean, unwittingly, potentially unwittingly, maybe they've been hacked, but it just sounds a bit like they had too much information to go on.
Well, I don't know.
Of course we don't know.
I guess that investigation's gonna take place, but more than $1.5 billion worth of cryptocurrency was transferred to an unidentified address by Bybit.
And that would potentially buy you someone on the inside or get you some inside information with you, that kind of money.
And that would potentially buy you someone on the inside or get you some inside information with you, that kind of money.
And you'd think you'd be able to follow that money trail a bit somehow.
Well, there are tricks to cover your trails and to launder and mix the money when it comes to cryptocurrency.
And sometimes changing the type of cryptocurrency can help with that as well. Now, Ben Cho, the CEO of Bybit, he's reassured users that their funds are safe.
You'd think they weren't, but he says that they were 1-to-1 backed with Bybit's reserves. So Bybit has enough in reserve that it says Don't worry about it, we've got it covered.
We can give you all of your money back.
And sometimes changing the type of cryptocurrency can help with that as well. Now, Ben Cho, the CEO of Bybit, he's reassured users that their funds are safe.
You'd think they weren't, but he says that they were 1-to-1 backed with Bybit's reserves. So Bybit has enough in reserve that it says Don't worry about it, we've got it covered.
We can give you all of your money back.
Well, I think everyone's going to worry about it because it could happen again.
Renowned cryptocurrency investigator Zackxbt, who we've spoken about before, he has linked the hack to the notorious North Korean Lazarus Group.
Aha, we've talked about them many times with Geoff White.
Yes, that's right.
Specifically, a team within the Lazarus Group who are believed to have stolen about $70 million, which seems like small fry now, from another Singaporean cryptocurrency exchange in January.
So some people would say, oh, what does it really matter? Because Bybit says, well, your money's covered. You're not going to lose anything because of this.
You know, we're going to make sure you haven't lost out. But this money is going to North Korea.
And according to the United Nations, money which is stolen by the Lazarus Group ends up in North Korea's nuclear and missile testing program.
And $1.5 billion will be very welcoming received, I suspect, by the powers that be in North Korea to fund that.
Specifically, a team within the Lazarus Group who are believed to have stolen about $70 million, which seems like small fry now, from another Singaporean cryptocurrency exchange in January.
So some people would say, oh, what does it really matter? Because Bybit says, well, your money's covered. You're not going to lose anything because of this.
You know, we're going to make sure you haven't lost out. But this money is going to North Korea.
And according to the United Nations, money which is stolen by the Lazarus Group ends up in North Korea's nuclear and missile testing program.
And $1.5 billion will be very welcoming received, I suspect, by the powers that be in North Korea to fund that.
Yep.
Bybit has now set up a bounty to recover the stolen funds, and it says it is willing to pay out 10% of the stolen funds if you can help recover it. It's a nice little earner.
It's actually the biggest bounty in the history of the world. You can earn $140 million if you can help this.
So Carole, if you've got a theory, go there with your magnifying glass, dust for fingerprints.
It's actually the biggest bounty in the history of the world. You can earn $140 million if you can help this.
So Carole, if you've got a theory, go there with your magnifying glass, dust for fingerprints.
Let me ask you a question. So you have this $1.5 billion in your account and they say they're going to pay 10% to whoever can recover it.
Yeah.
Which would then be legit money, right? Well— Could you— Is that how it works now?
Well, I would imagine you could still be in trouble with the law.
Could you? This is insane. Oh my God. Okay.
Wow. What story have you got for us this week?
Well, I'm talking Ofcom. So Ofcom is the Office of Communications in the UK, and they're basically our safety regulator, right?
I primarily know them as the place to complain if, you know, I don't like something on TV or radio. Okay, have you ever complained to Ofcom about something you've seen on telly?
I primarily know them as the place to complain if, you know, I don't like something on TV or radio. Okay, have you ever complained to Ofcom about something you've seen on telly?
Not to Ofcom. No, I don't think so.
No, me neither. But many people do.
Earlier this month, just before Valentine's Day, the watchdog received more than 1,000 complaints regarding a GB News presenter saying something about the LGBTQ community and pedophiles and some shit nonsense.
Earlier this month, just before Valentine's Day, the watchdog received more than 1,000 complaints regarding a GB News presenter saying something about the LGBTQ community and pedophiles and some shit nonsense.
Right.
Or last week, Ofcom received more than 2,000 complaints about a Love Island scene involving two rowing couples. And I found a top 10 most complained about moments.
Oh, okay.
And it was published last summer. Okay, so it doesn't include anything since then.
How many of them involve Piers Morgan?
At the top of the list is your all-time favorite, Piers Morgan. Do you know why?
Just because he appeared on television.
It was in 2021.
Right.
It was on Good Morning Britain.
He complained about Meghan Markle, didn't he?
Yes.
He had a whinge about her.
Yes, it was the morning Meghan Markle was interviewed by Oprah Winfrey, or that interview aired in the US.
And Morgan cast doubt on the claims that she'd made, including that she'd experienced suicidal thoughts while still a senior member of the royal family.
And Morgan cast doubt on the claims that she'd made, including that she'd experienced suicidal thoughts while still a senior member of the royal family.
Oh, what a lovely gentleman. He was just upset that he didn't get to interview her, let's be honest.
He stormed off air the next day. He made a big song and dance about it. There was 60,000 complaints in total for that.
Oh, I wish I had complained. I wish I had complained.
So yeah, they're— Ofcom are kept pretty busy with overseeing the country's TV and radio broadcasting, but they also oversee the Royal Mail and are responsible for making online services safer for users.
Right.
And let's just think about the story you just said. That's quite a tough ask, don't you think, for an organization that has 1,500 employees?
Oh, what, to look after the TV, to keep an eye on all those online services?
That's social media is safe and that websites are safe and shopping.
But it's not their job to make them safe, is it? They put down the guidelines and then supposedly rap knuckles if rules are breached.
Yes.
It's not that they're doing the actual safety bit of it.
Well, one of the ways Ofcom is doing this is through the implementation of the Online Safety Act, which became law in 2023.
Right.
And GDPR, it has a substantial penalty for non-compliance, up to 10% of the global annual turnover.
That's obviously not in effect yet, but the Online Safety Act is designed to make companies that operate a wide range of online services, make them legally responsible for keeping people, especially children, safe online.
That's obviously not in effect yet, but the Online Safety Act is designed to make companies that operate a wide range of online services, make them legally responsible for keeping people, especially children, safe online.
Ah, yes.
Okay. So last year, Ofcom started its crackdown on Instagram, YouTube, and 150,000 other web services to improve child safety online.
And the internet regulator are to push tech firms to run better age checks. Remember, I think we talked about this on the show.
Filter and downrank content, you know, that's not appropriate, and apply around 40 other steps to assess harmful content around subjects suicide, self-harm, pornography, to reduce under-18s' access to it.
And the internet regulator are to push tech firms to run better age checks. Remember, I think we talked about this on the show.
Filter and downrank content, you know, that's not appropriate, and apply around 40 other steps to assess harmful content around subjects suicide, self-harm, pornography, to reduce under-18s' access to it.
And we've seen a lot of these social networks in the last few months saying they're not going to be moderating as much.
They're claiming they don't seem to care so much about policing the content, do they?
They're claiming they don't seem to care so much about policing the content, do they?
Yeah, that's going to be interesting. So this part of the Safety Act is scheduled to be enforceable by summer 2025, with the child safety regime being fully in effect.
The latest set of recommendations from Ofcom has just been shared, and in it, Ofcom offer guidance on the legal obligations to protect women and girls from online threats harassment, bullying, misogyny, and intimate image abuse.
Yeah, and the government has said that protecting women and girls is a priority with specific abuses.
So things intimate images, sharing those without consent, or using AI tools to create deepfake pornography that targets individuals being explicitly set out in the law as enforcement priorities.
So they're taking this seriously. The language is all, to me, sounds good. And let's be honest here, we all know that the abuse of women and girls online is a huge problem online.
Just last week, as part of Girlguiding research, a charity reported on a survey of 2,000 young people between the ages of 13 and 18 about their online experiences.
The latest set of recommendations from Ofcom has just been shared, and in it, Ofcom offer guidance on the legal obligations to protect women and girls from online threats harassment, bullying, misogyny, and intimate image abuse.
Yeah, and the government has said that protecting women and girls is a priority with specific abuses.
So things intimate images, sharing those without consent, or using AI tools to create deepfake pornography that targets individuals being explicitly set out in the law as enforcement priorities.
So they're taking this seriously. The language is all, to me, sounds good. And let's be honest here, we all know that the abuse of women and girls online is a huge problem online.
Just last week, as part of Girlguiding research, a charity reported on a survey of 2,000 young people between the ages of 13 and 18 about their online experiences.
Right.
And found that 77% of girls aged 7 to 21 have experienced online harm.
And a third of those said that the online harms and misogynistic content made them feel unsafe and/or unable to tell a parent or carer.
And a third of those said that the online harms and misogynistic content made them feel unsafe and/or unable to tell a parent or carer.
Oh dear.
If I think of my nieces or my friend's daughters having this happen to them, it's just so yuck, right?
Yes.
And these numbers suggest that it's likely if things carry on as they are. But I'd say it's also not good for boys.
I mean, I wouldn't want my young nephews or my friend's sons to access violent pornographic content online. You have a son. What do you — you have thoughts on that?
I mean, I wouldn't want my young nephews or my friend's sons to access violent pornographic content online. You have a son. What do you — you have thoughts on that?
I don't want it to be a free-for-all on his devices, what he can or indeed for him to be exposed to unpleasant stuff in his WhatsApp chats and his Snapchats with his friends.
That would be utterly horrible.
That would be utterly horrible.
Exactly. Let me get your thoughts on this.
So this is the good industry practices that Ofcom are advocating, and I want to know if you think they're doable, and if you think they'll help.
So this is the good industry practices that Ofcom are advocating, and I want to know if you think they're doable, and if you think they'll help.
Mm-hmm.
Okay, so one is removing geolocation by default. And that's to shrink privacy and stalking risks, they say.
Oh, I see.
So your phone, for instance, wouldn't automatically track your location, which obviously you want if you're using a Maps app or if you're trying to find your laptop, which you've left lying around somewhere.
So your phone, for instance, wouldn't automatically track your location, which obviously you want if you're using a Maps app or if you're trying to find your laptop, which you've left lying around somewhere.
I wonder if they do it though on social media by default.
Well, to be honest, let's look at it. Social media sites primarily are all about advertising.
One of the things which the advertisers will want to do is target people in particular places. So yes, of course they are. If you log into Facebook, it knows where you are.
One of the things which the advertisers will want to do is target people in particular places. So yes, of course they are. If you log into Facebook, it knows where you are.
Yeah. And they're basically saying we don't want this to happen to kids. Conducting abusability testing to identify how a service could be weaponised and/or misused.
Yes, it's always a good idea to see how something could be misused, I think, to try and work out how to prevent it from being misused.
Yeah, I'd think that these big online services could put resources towards that. Taking steps to boost account security. Of course, we would agree on that.
Designing in-user prompts that are intended to make posters think twice before posting abusive content. What I understand that to be is a pop-up.
Designing in-user prompts that are intended to make posters think twice before posting abusive content. What I understand that to be is a pop-up.
Yes, I guess if you worked for Scunthorpe County Council, for instance, you'd get a pop-up saying, hang on, have you just used a rude word when you publish some story about something which is going on in Scunthorpe?
So yeah, there is the danger of false alarms, I would say.
I don't think there's any harm in something popping up and saying, "Do you really want to do that?" The truth is people are vile on the internet and will say things which they would never say face to face.
So yeah, there is the danger of false alarms, I would say.
I don't think there's any harm in something popping up and saying, "Do you really want to do that?" The truth is people are vile on the internet and will say things which they would never say face to face.
Yeah, unless they're maybe held accountable for it. And the last one was offering accessible reporting tools to let users report issues.
If you have something that you think is abusive, you should be able to report it easily and quickly.
If you have something that you think is abusive, you should be able to report it easily and quickly.
And not just report it, feel some confidence that something's going to be done about it. And it will be properly investigated rather than, oh, well, we've decided that's fine.
And then those reports should be sent over to someone Ofcom, you know, for review so they can see what's going on.
But get this, TechCrunch asked Ofcom if they knew of any firms currently meeting the guideline standards, and they suggested that they had not, adding there's still a lot of work to do across the industry.
But get this, TechCrunch asked Ofcom if they knew of any firms currently meeting the guideline standards, and they suggested that they had not, adding there's still a lot of work to do across the industry.
Yep.
So true that. True that.
Do we know what Ofcom feels about end-to-end encryption?
Not off the top of my head, but there are links in the show notes so you can— first listener to find it, please tell Graham. Here's a shocking reality.
Traditional security tools are completely broken when it comes to managing today's massive log volumes.
Companies are paying millions per year just to keep up, and they're still falling behind. That's why everyone's moving their logs to data lakes. It's just more cost efficient.
But there's a catch. Data lakes are incredibly complex to use, especially when you're dealing with loading dozens of log sources into SQL tables with strict schema requirements.
Traditional security tools are completely broken when it comes to managing today's massive log volumes.
Companies are paying millions per year just to keep up, and they're still falling behind. That's why everyone's moving their logs to data lakes. It's just more cost efficient.
But there's a catch. Data lakes are incredibly complex to use, especially when you're dealing with loading dozens of log sources into SQL tables with strict schema requirements.
And that's where scanner.dev comes in. They've revolutionized security data lakes by making them truly simple to operate.
Their platform offers schemaless log data indexing, which means you can dump in your logs without worrying about structure.
And the best part, your data never leaves your S3 buckets. You maintain complete custody at all times.
Their platform offers schemaless log data indexing, which means you can dump in your logs without worrying about structure.
And the best part, your data never leaves your S3 buckets. You maintain complete custody at all times.
Need to hunt for threats? Scanner lets you search through petabytes of logs in seconds, not hours.
And for your security team, we've made detections as code a breeze with CI/CD that syncs directly with GitHub. No more complex queries or waiting hours for results.
And for your security team, we've made detections as code a breeze with CI/CD that syncs directly with GitHub. No more complex queries or waiting hours for results.
Visit scanner.dev today and try out their interactive playground. That's scanner.dev, where security meets simplicity.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Nice rhetorical question there. Well, 1Password has an answer to it though. It's Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.
It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. My Pick of the Week is a TV show which I've been watching.
Now, once upon a time, there was a hilarious BBC sitcom called Motherland. Did you ever watch that, Carole?
Now, once upon a time, there was a hilarious BBC sitcom called Motherland. Did you ever watch that, Carole?
Yes, I thought it was very funny.
Wasn't it good? It's all about middle-class mothers in West London dealing with their children, getting them to school. It was really good.
And one of the standout characters was a ghastly character called Amanda. And she now has her own spin-off sitcom. I don't know if you've seen it called Amandaland.
And one of the standout characters was a ghastly character called Amanda. And she now has her own spin-off sitcom. I don't know if you've seen it called Amandaland.
No, I mean, I saw it advertised or promoted, but I have not checked it out.
It's just like Motherland, really. So it's set 2 or 3 years later. Poor old Amanda. She's divorced now. She has had to move her teenagers to a new school.
She's downsized to new surroundings. She's no longer living in Chiswick. She's now living in South Harlesden or SoHa as she's rebranded it.
She's a truly terrible human being, in particular to her BFF, Anne. Makes it utterly wonderful to watch.
It's one of those programs where I can imagine you cringing while watching it, Carole. I can imagine you feeling quite uncomfortable.
She's downsized to new surroundings. She's no longer living in Chiswick. She's now living in South Harlesden or SoHa as she's rebranded it.
She's a truly terrible human being, in particular to her BFF, Anne. Makes it utterly wonderful to watch.
It's one of those programs where I can imagine you cringing while watching it, Carole. I can imagine you feeling quite uncomfortable.
I do not do well with those kind of shows where they just kind of push it, push it. I have to hide behind the couch.
I now have a cat, so I just wrap the cat around my face and listen to it purr until it's over.
I now have a cat, so I just wrap the cat around my face and listen to it purr until it's over.
Well, it's very funny. It features Lucy Punch as Amanda. Some listeners may have seen her as Esme Squalor in the Netflix series, A Series of Unfortunate Events.
Philippa Dunne is Anne, and the immortal Joanna Lumley is Amanda's mother. But I've been quite enjoying it. So my pick of the week is Amandaland on BBC iPlayer.
Carole, what's your pick of the week?
Philippa Dunne is Anne, and the immortal Joanna Lumley is Amanda's mother. But I've been quite enjoying it. So my pick of the week is Amandaland on BBC iPlayer.
Carole, what's your pick of the week?
First, I had a bit of a controversial one last week.
Oh, yes, you did.
Yes.
Telepathy types, right?
Yes. So, yeah, I just want to be clear that I'm not advocating it or saying that this is true in any way. I'm sorry if that's how it came across.
We did have some skeptical listeners, didn't we? Who were—
Hey, I agree. I agree with that. I think healthy dose of skepticism is always good.
Maybe we'll rebrand it as a nitpick of the week.
That's a good idea.
How about that? What's your pick of the week this week then?
All right, much less controversial is a Netflix limited series.
Yes.
Hailing from Germany called Cassandra.
Oh.
Now it's a sci-fi limited series. And full disclaimer, I've only seen two episodes so far.
So who knows what it could turn into?
Very clear. Don't know what it'll turn into. I'm just talking about those two. But I'm definitely going to be doing this when I finish all my work today to go watch that.
Okay. All right.
So the gist: Cassandra refers to a smart home robot or a smart home built in the 1970s.
Okay.
The smart home has a robot known as Cassandra. And the owners of the smart home died under mysterious circumstances more than 50 years ago.
And since then, the oldest smart home in Germany has stood abandoned. And today, 50 years on, we have a cute little family moving in.
And soon after, Cassandra awakens like Cinderella, if Cinderella were a smart home robot. And Cassandra will do anything to win over the family.
Everyone except the mom, because she prefers to be the headwoman of the house.
And since then, the oldest smart home in Germany has stood abandoned. And today, 50 years on, we have a cute little family moving in.
And soon after, Cassandra awakens like Cinderella, if Cinderella were a smart home robot. And Cassandra will do anything to win over the family.
Everyone except the mom, because she prefers to be the headwoman of the house.
What does Cassandra look like? I'm trying to visualize.
She's 1950s, '60s kitchen gadget. So think red with chrome around the seams, very thin and kind of one of those little dolls, very thin, long-skirted.
And she has a TV Max Headroom for her head.
And she has a TV Max Headroom for her head.
Oh.
And you have a video of a real human that shows up in the head.
And does she sort of roll around the house or something? Yes. Oh, I see. Okay. Yes.
Yes, it has B-movie charms. You know, if Max Headroom was a female homemaker, that's kind of how I'd put it. It's very fun.
It's got some beautiful shots, and the sets are super stylish because it's mid-century architecture drool fest. Plus, you know, a robot with a goal. What's not to?
It's got some beautiful shots, and the sets are super stylish because it's mid-century architecture drool fest. Plus, you know, a robot with a goal. What's not to?
It sounds frightening, Carole. Is it comedy or is it frightening? It sounds horrific to me.
I think it's trying to be very scary, but it's got a bit of hamminess to it.
Right.
You know, a way Germans can add to their stuff.
German ham.
Yeah. So whatever, if it sounds your thing, feel free to check it out. It's my pick of the week, Cassandra. And there you are.
Terrific. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, scanner.dev and 1Password. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 405 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 405 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye.
Hey, Carole, I forgot to mention I bumped into Dave Bittner and Maria Varmazis in Orlando.
Oh, Maria sent me pics. Yeah, see, word does get around, Graham.
Word gets around. Well, Dave Bittner was feeding me tiramisu. We practically got married.
Oh, did you?
We got this huge portion which for some reason, I think they thought we were a couple. They gave me a portion which was large enough to feed 500 people of tiramisu.
And so Dave and I were feeding it to each other. Anyway, you were missed. All I can say is you could have helped scoff it all.
And so Dave and I were feeding it to each other. Anyway, you were missed. All I can say is you could have helped scoff it all.
No, no, I think I would have just taken pictures that were compromising.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Incident Update: Unauthorized Activity Involving ETH Cold Wallet – Bybit.
- Bybit Launches Recovery Bounty Program with Rewards up to 10% of Stolen Funds – Bybit.
- ZachXBT links Bybit hack to Lazarus Group – Twitter.
- Online Safety Act: explainer – GOV.UK
- These Are The 10 Most Complained-About TV Moments In Ofcom’s History – Ofcom.
- Ofcom to push for better age verification, filters and 40 other checks in new online child safety code – TechCrunch.
- UK’s internet watchdog toughens approach to deepfake porn – TechCrunch.
- Girlguiding research exposes alarming online harms facing girls – Charity Today News.
- Ofcom’s approach to implementing the Online Safety Act – Ofcom.
- Women’s abuse online: ‘I get trolled every second, every day’ – BBC.
- Amanda’s funniest moments in Motherland – YouTube.
- Amandaland – BBC iPlayer.
- Cassandra Sci-Fi Thriller limited series – Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
- Scanner.dev provides a new technology offering fast search and threat detections for security data in S3 helping teams reduce the total cost of ownership of their SIEM by up to 90%. Try the interactive playground at scanner.dev/demo
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
