
QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a blunder so dumb it makes autocorrect look smart, the White House explains how it leaked war plans on Signal because an iPhone mistook a journalist for a government insider.
Plus! Don’t miss our featured interview with Josh Donelson of Material and Tony Albano of Google, about detection and response in today’s AI-driven world.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Is it better or worse than having a Facebook group?
I would argue yes, it is better than having a Facebook group. See, are you giving them awards, Crow? Are you saying, well done for not using Facebook for this? Smashing Security, episode 412, SignalGate sucks and the quandary of quishing. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 412. My name's Graham Cluley.
And I'm Carole Theriault.
Carole, what have we got coming up on the show this week?
Before we kick off, let's thank this week's wonderful sponsors, 1Password, Vanta, and Material.security. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
I'm going to be describing how you can get sucked into a Signal chat.
Okay, and I'm talking about the rise of the quiche. Plus, we have a featured interview. I had the pleasure of speaking with Josh Donelson of Material Security and Tony Albano of Google about detection and response in today's AI-driven world. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, and specifically you, Carole, do iPhones suck? No? I think they do, actually. I think in many ways they do. There's all kinds of features built into iPhones that no one asked for, a myriad of things that they really should do better than they actually do. Considering the iPhone has been around for almost 20 years, you'd expect it to work a bit better. I mean, for instance, autocorrect, right?
Mm-hmm.
It's a ducking nuisance. Even after years of telling it I want to swear, when I type in four little letters, it still inserts an amphibious bread addict instead. One of those web-footed creatures quacking around.
I hate to sound like a broken record, Graham, but you sound like a broken record complaining. What would you prefer to use?
I just think they should fix autocorrect. So if I tell it, no, that isn't what I meant. If I type F-U-C-K, I expect it to write that particular word, not D-U-C-K.
I think you can save that word to your dictionary and then it won't recorrect it for you. Oh, you've got a solution for everything. Well, I'll tell you another thing. Because they use the same port.
Because they use the same port, whereas they used to have different ports. I like to listen to podcasts at night on my earphones. And I'd like my phone to charge as well. Why doesn't it do it? Why is it my keyboard cursor, right? You know, the little cursor which appears when you sort of hold down with your finger. Why does it require the precision of a neurosurgeon to find exactly the right point on the screen to get it to edit your words? Also, some people say that iPhones suck in other ways as well. The White House, they say that iPhones suck.
Do they?
Yes, they—
The entirety of the White House, no one has a phone number.
Well, I don't know about the entirety. I don't know if they've gone and asked the chefs and people who mow the lawn and things like that. But I'm saying the people in charge, the press spokespeople, they have said that phone numbers can be unwittingly sucked into an iPhone, meaning that you can accidentally add a journalist to a top-secret Signal chat.
Ah.
Yes, we're going to talk about Signalgate.
Yes, this is not new, Graham.
No, it happened a couple of weeks ago. In fact, some of our listeners contacted us a couple of weeks ago and said, are you going to talk about SignalGate in this week's episode? And I had to say, well, unfortunately, we recorded our podcast that week just before the news broke of SignalGate. And then we didn't talk about it the following week, which was last week, because, well, why would we? It wasn't news anymore. But now is the time to talk about SignalGate again, because there is what appears to be a brand new revelation that I think is of interest.
Okay, I'm all ears.
So let's first of all recap for anyone who is lucky enough not to have already heard about SignalGate— maybe the news of the world stock markets being decimated by tariffs have pushed it out of your brain, I don't know— but anyway, SignalGate, what happened? Well, nothing too serious. It's just Donald Trump's national security adviser, Mike Waltz, accidentally invited the editor-in-chief of The Atlantic into a Signal group chat, where senior officials were casually discussing airstrikes on Houthi insurgents in Yemen. So this Signal chat had people in it like Vice President J.D. Vance, the Defense Secretary Pete Hegseth, Secretary of State Marco Rubio, the CIA's director, the director of national intelligence, Tulsi Gabbard, Homeland Security advisor Stephen Miller, and others as well. Lots of bigwigs.
Lots of bigwigs and perhaps a fly in the ointment in the form of a journalist.
Yes, someone who probably shouldn't have been there if they were going to use that chat not to describe their plans for what to do later that evening, whether they were going to the pizza place or something like that, but instead casually discussing planned airstrikes hours before those airstrikes happened, complete with emojis of fist bumps and all sorts like that.
It's funny because Signal is known as a very secure messaging app. I think it's built that reputation over the last few years. But it does also require one to be careful about who is in a group, doesn't it?
Yes, you need to be competent, right? Well— You and I use Signal all the time, don't we?
I don't think we talk about things that are as important as maybe those in the heads of government, but—
You're not suggesting that our podcast recording plans are less important than airstrikes, are you? Anyway, they were being watched. They were being watched by Jeffrey Goldberg, a Trump-sceptic journalist, shall we say. Someone who's not beloved in the current White House. Editor of The Atlantic, he was present during this chat group during the build-up to the assault and its aftermath. And he has now shared some details of what he saw that I think we can pretty comfortably assume was highly classified military material.
So what, he can share it now because the strike has happened? Is that what you mean?
Well, initially he didn't share it. But then, of course, he was accused of lying and told, well, there was nothing sensitive discussed during the chat. And so he said, well, if you think this wasn't sensitive, why don't I share it? Hegseth, for instance, was saying, Godspeed to our warriors. 12:15 Eastern time, F-18s are going to launch first strike package. 13:45, trigger-based F-18 first strike window starts. Target terrorist is at his known location, so should be on time. They're talking about drones, they're talking about F-18s launching, they're talking about when the first bombs will definitely drop in capital letters. All kinds of information about the missile launches.
Yeah, I'm not an investigative journalist, and this is why, because if I had overheard that kind of stuff, I would be like, hang up, get me outta here.
Log out, log out.
Get out, get out, get out, back away. I'd be like Linda Hamilton in Terminator 2 when she sees Arnold Schwarzenegger for the first time.
Oh! So when contacted by the press, the White House went into emergency damage control. I guess they went into full Brown alert.
They just said, "No, he didn't." Yeah, pretty much.
They argued, "Are these really technically war plans that were discussed in the Signal chat?" So apparently the actual times that US military pilots were due to take off and put themselves in harm's way, that wasn't classified, that wasn't a war plan. They hinted that Jeffrey Goldberg, the journalist, must have somehow got himself onto the chat. How did he break in? Has he committed some kind of offence? And they claimed that nothing illegal had happened at all. No classified information had been shared. They were completely within their rights to use Signal in this way. Now, we are not interested in the politics on this podcast today. What we are interested in is the cybers. And at first, it sounded like this was carelessness. The wrong person had been added to a chat group. Now, I would argue that should have been impossible. If they'd been using their own secure messaging system, there would've been guardrails already in place to ensure only authorized personnel could access the chat. You couldn't add any Tom, Dick, or Harry to an internal messaging system, right?
Yeah, I'm just playing devil's advocate in my head. I'm just thinking an internal messaging system, maintaining that with their very light-on-the-ground staff that they have, as far as I read.
I'm not suggesting Barron Trump knocks it up, you know, as a classroom project. You've got the resources of the entire NSA. You've got all these people who you've fired from CISA in the last few weeks.
Yeah, consultant positions.
They might be looking for a bit of work, right? There's plenty of people. Plus you've got the genius that is Elon Musk, haven't you? He's a wizard. He's able to run umpteen companies all at the same time and do apparently other remarkable things. Couldn't one of those knock one out? Anyway, the point is, the expertise is there, the resources and the money is there. They could have a secure system which only allows approved people to join a chat. But they were using Signal. Now, there may be good reasons why they were using Signal. There may also be bad reasons they were using Signal. But as good as Signal is, and we use it, right, you and I, it's something used by millions of other people around the world. Is it really, though, what politicians and government officials should be using? When exchanging sensitive information, especially when Snapchat and Club Penguin are available. I mean, why not use one of those instead?
Okay. Is it better, in your opinion, is it better or worse than using email, an email client?
Oh, it's definitely better than just using regular email. Yeah, regular email isn't encrypted at all.
Is it better or worse than having a Facebook group? You know? Well, yeah, I would argue, yes, it is better than having a Facebook group. Facebook group. See, are you giving them awards, Carole? No, I'm not. I'm just a little bit uncomfortable. Journalism is a very important thing. I'm a very big fan of journalists. It's just, it's a complicated thing. Part of me wishes that he'd said, do you know I'm here, everybody? Hello? Shut up. But that's not how it works, right? You don't get a story that way.
So I think the question of using Signal is debatable as to whether that was really very sensible.
But better than Facebook group.
Better than Facebook, better than email, yes. But also, what are they using Signal on? Is that on a secure device? Is it a consumer smartphone that may have vulnerabilities, may have zero days? How are the chat participants connecting to the internet to connect to their Signal chat? Apparently, some of these people who were on this call were in Russia, for instance. Do we trust that they necessarily had a secure connection and weren't being snooped upon? So a couple of days after the revelation from The Atlantic, headlines, they weren't going away. It was a bit of a problem. So Mike Waltz went on Fox News and he said that it was his fault. Either he accidentally added Goldberg to the chat or there was, quote, some other explanation. But there was no other explanation. He invited Goldberg to the group. But now there are reports which suggest in a way that monumental goof of him adding a journalist to the group. So there's been a forensic review, they say, by the White House IT team.
Run by an independent group that—
Who knows? Probably run by some 21-year-old these days. But anyway, they have found that Waltz's phone had saved Goldberg's number back in October last year. Now, of course, that was before they were in power, before the presidential election. And apparently, Goldberg, the journalist, had emailed the Trump campaign because Donald Trump had said something. Said something insensitive.
No.
I know, it's not in his character to do that. But apparently he had said something which had caused some offence. Something about wounded soldiers. And the journalist contacted the Trump campaign to ask some questions. And Trump's campaign spokesperson, Brian Hughes, copied and pasted Goldberg's message, including Goldberg's email signature, which had his contact details, and sent it to Michael Waltz. So that he could be briefed about the upcoming story. Now, it seems that at that point Waltz's iPhone— and this, by the way, must have been a move that will really delight Apple's PR team— Waltz's iPhone merged Goldberg's number into the contact card for Trump's campaign spokesman, Brian Hughes. So, Brian sent a message to Mike, and Brian's message, which he sent to Mike, was a copy and paste of the message from the journalist, Jeff.
In short, an error that happens to everybody that uses a phone, right? Probably you'd want to double-check in this instance, I imagine.
But the thing you have to be careful about is if your phone says, oh, I think I've seen a new phone number for them in the context of the message you receive. Do you want me to update their contact details? Don't just blindly say yes.
Well, you know what happened to me the other day on Signal as well? So I responded to someone. I didn't remember who, right? Answered something and then put the phone down. It was still in my hand, but I was answering a question of someone who was talking to me in real life. IRL, I know. And somehow I obviously must have pressed the microphone button. And so whatever I said to the other person got sent over to this third party. And when I noticed, I was so mortified because I didn't know what I'd said. I didn't even want to re-listen because you know what I'm like, right? You know what I'm like. I'm like, delete, delete, delete. Which is what I did. And hopefully the person is never going to bring it up if they listened to it and it was inappropriate. I don't even know. But all I'm saying is that happened just by sending a message and then responding to something, my hand slipping on the screen, it not being locked. And there you go, right? A third party gets a message not intended for them.
So would a goof like that have happened if you'd been using a secure device and hadn't been using Signal? If you hadn't been using an iPhone, if you'd had a special phone which didn't have that, press a button here and we'll start transcribing everything that it hears into a message which we will send to somebody.
Yeah. But you remember the days of trying to do your work with an extremely locked-down device?
Yes.
And yes, we were never head of state. Okay, I understand that.
But, you know, you could have one device for one thing and one device for the top secret conversations.
Yeah. Carry around 8 of them, you know. Private conversations with my wife.
You've got people who can carry phones around for you. So, by the time of the airstrikes, Brian Hughes, he was by now the spokesperson for the National Security Council, right? And so he was invited to the Signal chat, but the invite went to Jeffrey Goldberg at The Atlantic instead. Now, there is a US Department of Defense watchdog which has opened an investigation into its own boss, Secretary of Defense Pete Hegseth, because they're thinking, well, why are you using Signal to discuss government business?
Yeah, my impression of the headlines was that was a big no-no.
I think it should be. That's how I feel about it. Because there seem to be so many politicians— and it's not just a problem in the United States, it's also been a problem in the UK as well— politicians who are using consumer messaging apps to chat to each other. And then when there's an inquiry later as to, well, what happened during, I don't know, the pandemic, for instance, or what happened during this particular controversial political situation, what you find is they say, oh, well, I've lost all my WhatsApps now, or I've lost my phone, I can't access them. And so there's no record. But surely there should always be an audit trail of what is being communicated at the highest level, obviously held securely. So if later you want to find out what people were saying to each other, you do have that record. And I think that's why so many politicians are using the likes of Signal.
It's off the record.
It's off the record.
It's off the record, except this— if you invite a journalist from The Atlantic, mm, difficult.
Well, the good news is, thank goodness for this as well, there are absolutely no governments around the world who are pushing Signal and other end-to-end messaging platforms to incorporate any kind of backdoor through which conversa— Oh, hang on a moment, they are, aren't they? Yeah, because they do want to spy upon people's conversations in these end-to-end messaging platforms. It's funny how sometimes they really are against these systems and encryption, apart from when they really would like them to work as they wish. And the latest of all is that National Security Advisor Michael Waltz is now being accused of using Gmail for work-related communications as well. So again, really seems like a big no-no to me. So everyone be careful. Make sure you're using the right apps and the right messaging systems for appropriate communications. And also be very, very careful if your iPhone tries to get you to suck up someone else's details and add them to an existing contact. Carole, what's your story for us this week?
Okay, so you know how some people love specific words, maybe because the way it feels in the mouth when you say them, or how they sound? Do you have any of those kind of words that you love more than others?
A word that I love more than others?
I love the word somnolent. Oh! Because it just comes off the— you know, it just sounds good. It's nice to say. It's pretty. It's an unusual word, you don't hear it very often. When you do, you're like, "Ah." There's petrichor, isn't there?
Which is the smell of grass after there's been a gentle rainfall, I believe. That's lovely.
The word is not very lovely to say. Oh, all right. Toboggan. Do you like the word toboggan? I just thought you had some good words. I like erasure.
Oiseau. That's a French word. That's a very pretty word. Oiseau. There you go. I like that one. Oh dear.
I actually even prefer quish. It's almost as fun to say as squish.
Yes.
Now, what is quishing? And we know in this little neck of the woods, but it's a coined industry term for a scammy phish, one that involves a QR code. And if you read about scams with QR codes, typically I'm seeing stuff related to parking meter scams. Is that true for you as well? That seems to be the biggest news around QR codes that I can see.
Yes, parking tickets and things. Yes, it's a place where you can just stick up a bogus QR code and obviously people want to pay, they're desperate to pay in a quick fashion. And so they will just scan it and enter their payment information.
You know, and I can understand how that happens because, you know, every single borough in England seems to use their own payment system. Right? So it's not as if, when it brought you to a website that looked like Staffordshire's payment system for the council's parking lots, you would know what to look for.
Yeah.
But we also see QR codes in restaurants to help people order and pay and provide feedback.
Yes.
And we've seen them in mobile payment services. Apple Pay and Google Pay have also embraced QR codes for quick and secure transactions. A report from Juniper Research shows that the value of QR code payments is projected to exceed $2.7 trillion by 2025. That's this year.
What?
$2.7 trillion.
Trillion.
And this surge in QR code-based transactions indicates a shift in consumer preferences towards contactless payment methods. We just don't want to touch buttons anymore. We're done with that. We're done with the touch, touch.
How often in a week would you say that you scan a QR code, Carole?
Rarely.
Yes, me too.
Very rarely, because I'm petrified of everything internet-related. I don't even know why I do this show anymore. I try to avoid them. But it's even bigger than that, Graham, because even companies like Starbucks, right? They've integrated QR codes into their loyalty program so consumers can make payments and then earn rewards through their mobile app by scanning codes at the point of sale. So you get one of those cups and then you can scan it right there.
Ah, actually, I have encountered that. Mm-hmm. Because I've got a particular bank account, and one of the perks it gives me is it gives me the option of getting a free sausage roll each week.
What, at Greggs?
Yes, at Greggs. And all I have to do is flash a QR code at them.
Do you ever run into David Cameron? He's in your neck of the woods. He loves the Greggs. He loves the Greggs. Nike uses QR codes in their retail stores so customers can scan codes on in-store displays to learn more about products, see reviews, yada, yada, yada.
Okay. Yeah. All right. Okay.
Heinz. Heinz has QR codes on its ketchup bottles directing users to websites with recipe ideas featuring ketchup.
Hang on. There are recipe ideas featuring ketchup?
Yes.
Recipes? Surely.
So I went and looked. I went and looked because I was what? What is it going to be? Meatloaf? What's it going to be? A hot dog? Throw some ketchup onto the recipe? So one of the recipes touted itself this: scallops are always wow, so make them more often. An easy recipe with great flavors of honey, garlic, and featuring Heinz tomato ketchup infused sauce.
You don't put ketchup on scallops.
I agree, because they're entirely too expensive.
Can you imagine?
In short, people seem to love the QR codes and companies love them because it gives them more information about you, the user, the consumer, gives them more power, more flexibility, and ultimately all that leads to more moolah. That's the game plan. And guess what? Because everybody loves them, the bad guys are jumping on the bandwagon.
Yep.
So according to a recent deep dive in Fast Company, quishing attacks— I'm sorry, I love the word. I've got to say it.
I can't stand it.
Quishing attacks surged almost tenfold in the last three years. And they're becoming more prevalent in email phishing attacks. So just last week, Microsoft warned of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. Now, Graham, what do you think is the big problem with QR codes and quishing?
I think a big problem is that—
Is the name.
Well, yes, it's the name of the bloody things. But the second big problem with these QR codes is that you don't know at the point of scanning where you're going to be taken. It's not as if you can look at the URL and think, oh, that sounds a bit dodgy, or why have they misspelt that? So you just scan the thing and it'd be your mobile phone normally, which maybe doesn't have the room to show you the entire URL, or it's in too small a font for you to be able to read, takes you to some webpage and you just assume it's legitimate.
Yeah. Well, it seems according to this Fast Company report that most security systems, while they can detect malicious links in an email security system, for instance, they have trouble analyzing images or QR code content. So this allows scammers to evade detection and deliver malicious payloads directly to their potential victims.
I can well believe that security software, which is designed to check out links, may not yet have evolved enough to examine QR codes. I may be wrong. I mean, there's plenty of security vendors who sponsor this podcast. Maybe they handle QR codes wonderfully.
Apparently in the first half of 2024, 12% of all email phishes contained a QR code. Actually, if we look at the four different techniques that criminals seem to use to exploit QR codes, so as you mentioned earlier, one is obscurity attacks. So this is like traditional phishing links, which can be visually inspected, but you can't see where you're going in a QR code. So that's one of the big techniques that they love to take advantage of. The other one is hijacking switch accounts. So this is where they would put, like the parking meter thing, they would put a new QR code over another one to try and redirect you to a fraudulent webpage.
Right.
Yes.
But this is interesting, privacy invasion attacks. So this is where phishing exploits the misuse of shared or leaked QR codes to gain unauthorized access to personal accounts or services. Now, for example, to drive this point home, a woman in China accidentally shared her restaurant ordering code online while sharing food photos on social media. Strangers used it to place orders worth 430,000 yuan, or $60,000, directly charging her account.
That is a lot of ketchup.
Yeah, it's a lot of scallops. The other one is brushing scam. So this is where unsolicited packages are sent to your address, often using a box from Amazon containing unexpected items. And these packages may include a QR code inside the box or as part of the letter documentation. And when scanned, the QR code redirects you to a malicious website designed to steal your personal information. So you could go there and go, I never ordered this, da da da da da. Yeah, and get your information that way. Now, other than being very wary of QR codes, it's not clear to me that much can be done from a consumer side, right? Apparently some QR code scanner apps provide a preview of the URL before you open, so you can use these apps to check the destination of the QR code to ensure it matches the expected website.
Yes, but. Well, yeah, because my phone does that, right? It does display a little preview, but of course it's only able to show you so much. And also you could have a URL redirect service. So it may not be the first site which you go to. The first site you go to may be something like TinyURL or Bitly or something like that. And then who knows where you're going to end up?
Exactly. Well, actually, there is something you can do. Actually, there is something I think you can do. It's using a trusted password manager. Because the trusted password manager will not fill in the details of your account if it does not recognize the site. You know, the QR code magically transported you to. So a bit like you were talking about last week with Troy Hunt's case.
Yes.
I think you mentioned that his password manager did not put in the details and then he did it manually. Is that right?
That's absolutely correct. But of course, if this is, for instance, the parking situation where you've gone somewhere to park you may not have an account with that particular site. It may be that you are gonna register an account with them, 'cause you've never gone there to park before. And so—
Yeah.
You might just be entering your details manually, painful as that is.
So this may just be the dawn of the rise of the quish. Graham, I'm sorry.
I really dislike that word.
Carole Theriault. So consider yourself forewarned. My advice is just don't use them unless you absolutely have to, 'cause I have encountered some instances where you absolutely have no way out of it, and then keep those peepholes of yours open and try and spot any dodginess. But, you know, if you go to a restaurant and they say, "Oh, just pay your bill with the QR code," you can say, "No, I am gonna pay the normal way, thank you very much." You can obviously have some security software running on your phone to examine the URLs you are going to, which can tell you if it's a known malicious URL, for instance.
Sometimes these sites may have been set up just in the last few weeks, so they may not yet be on a database or they may not have fallen into the hands of cybersecurity researchers, in which case you could get a security solution which looks at the domain you're being taken to and it could say, hang on, this is a brand new domain. This is one which wasn't live a month ago and therefore could display a warning at that point and say you are going to a brand new website. So if you thought you were going to something established, that is a great indicator that you're going somewhere malicious instead.
Okay. Can I throw a bit of water on that fire?
You can.
I know of many companies, particularly in our tech industry, that create these microsites, right, for particular marketing campaigns or giveaways or information, you know, research. They did it in the last week or so and it could be legitimate.
Yes, but if they were subdomains, so if they were example.companyname.com, then company.com still is a well-established domain.
You remember the days though.
I know the crazy things that marketing departments do. I'm not saying it's a 100% solution. I'm just saying it's an additional layer of security you could put in place.
Do you know what? I agree with you 100%. Yes. Let's end there.
Finish everything there. That's, that'd be the final message of Smashing Security.
Google Workspace and Microsoft 365 are critical to business, but they're also a headache for security teams. Constant phishing alerts, endless manual remediation of misconfigurations, and a flood of user reports about suspicious emails. Teams are stuck between two bad options: letting things slip or becoming the department of no.
Instead of hoping you catch every single attack, Material.security protects your most sensitive data, even if an account is compromised. So when attackers inevitably get in, they still can't touch the stuff that matters without additional verification. It's like having a tireless security analyst who handles the routines and frees your team to focus on real threats. And for cloud workspaces, Material.security has your back. Misconfigurations, shadow IT, ransomware, constant policy changes, Material not only monitors everything continuously, it fixes the simple stuff automatically.
So if you're ready to stop drowning in alerts and start getting ahead of threats, check out material.security. That's material.security.
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Pick of the Week. Better not be.
Well, my Pick of the Week this week is not security-related, and it's also, I'm afraid, not a Pick of the Week. I know we've been really positive this episode, but I'm gonna have to present you with a Nitpick of the Week.
Oh, quelle surprise.
As regular listeners may know, I'm rather fond of the game of chess.
Yes.
And so I got very excited when a new TV programme was announced called Chess Masters: The Endgame, coming to BBC.
Yes.
Presented by Sue Perkins.
We always say the lovely Sue Perkins.
The lovely— sorry, presented by the lovely Sue Perkins.
Thank you.
This programme tries to do two things. It tries to entertain chess novices and people who don't know how to play chess. It also tries to entertain people who do know how to play chess and are enthusiastic about chess.
A bit like us on our show.
Right.
With technology.
Unlike us, however, it completely fails at both. Because it is truly terrible television.
Oh no!
Have you seen any of this?
No!
It's awful.
This is not on my hot watch list, sorry.
Well, you see, it was on my list because it said chess in the title, so I thought it'd be fun. But it's like they've taken Traitors, which is a fun TV programme, if you've ever seen Traitors.
I have, I have, yeah.
Yeah, it's quite fun.
Yeah, it's great fun.
And they've tried to sprinkle chess through it. And—
Makes chess suddenly much more exciting and fun?
They've tried to make chess more exciting. I mean, chess is very exciting, but what they've done is they've just eradicated all of the joy entirely from it. So everyone's got a nickname. Everyone's like, "Oh, I am the Destroyer, I am the Anarchist." And they're playing chess, and they are presented, these people playing this competition, as some of the best upcoming chess players in Britain. It's like, "No, they're not." I'm not that good at chess, right?
Oh, they didn't call you. That's the problem. They didn't call you to just come on the show. Is it like Robot Wars, but Chess Wars?
No, that would've been good. That would've been good. If they'd had robots playing chess, that would've been more entertaining than what this actually is. Most of these guys are worse than me. I can tell. And I'm not that great. So it's not very entertaining. I think it makes no sense at all if you can't play chess because you don't understand what's going on. It makes no sense at all if you do like chess. The analysis is just terrible, even with the lovely Sue Perkins.
Are you looking for a new job? You're looking for a new job.
Well, I just— It's okay.
You know, I'm sure they'd take you. I'm sure you'd be very good at it. Maybe you should call the lovely Sue Perkins and, you know, offer her some advice.
Back in the late 1970s and early 1980s, there used to be a programme on BBC called The Master Game, which was about chess, and it was so much better. This is 40 years ago, and it was better than what they are putting on the TV now. It was more interesting, it was more entertaining. It was presented by Bill Hartston, who was an International Master, and Jeremy James. You can find it on YouTube. Go and check that out if you want to see how chess should be done on TV. Or indeed go on YouTube, where there are now millions of amazing YouTube influencers playing chess. Chess apparently is a big thing now on social media. But this television programme is utterly unentertaining, and that is why it is my Nitpick of the Week.
Wow.
I'll calm down. Carole, what's your pick of the week?
Mine is not a nitpick. Mine is a pick of the week. Now, you guys know I'm a bit of a card shark. Funny, we're both doing games this week, Graham. I play cards a lot, and I much prefer playing cards in real life. But sometimes that's not possible. Maybe it's 4 a.m., right? And you don't want to wake up your husband because he wouldn't appreciate being poked for a game of gin rummy.
Exactly.
Maybe you're waiting for an appointment somewhere, or maybe you're commuting. And what do you do to fill those minutes other than wasting time on the socials? So this week I'm choosing a cribbage app.
Oh, you and cribbage.
Yeah, I've had a cribbage app on the show before. I recommended one last summer, and I much, much, much prefer this one. This app is called Cribbage Classic, created by Games by Post LLC. Who knows who they are? But this app seems to be the result of a love of the game. Because cribbage, or crib as we call it in the know, is a card game traditionally for two players, but you can play three or four. And it involves playing and grouping cards in combinations to gain points throughout the game. But it has several distinctive features, because you have this gorgeous cribbage board, right? A set of pinholes and pins used for scorekeeping. And you have a unique scoring system. So it's just a very cool game, and it's not easy to pick up. But once you get it, it's a treat of a game. And this app, Cribbage Classic, is great for beginners and pros. You can have a beginner game or a pro game.
Yes.
And there's features like a hint feature, which can tell you what to do when you're confounded. And it's not loud and brash, you know, with lots of whiz-bang. It's just a nice, quiet card game for a bit of alone time.
Can I ask some questions? Is it an app you have to pay for? Is it ad-supported?
It is free. It does tracking that isn't identified with the user, and there are no ads.
Oh, that's lovely.
Yeah, it's one of those things like sticky pickles, right? No ads, just solid content done with love. That's it.
Never heard of it.
So that is my pick of the week, Cribbage Classic app by Games by Post LLC. Find it in your app store or wherever you get your apps safely.
Terrific stuff. Great. Now, Carole, you've been busy this week. You've been chatting to the folks at Material.security.
Yes, Josh Donelson and Tony Albano. They both share tips on using AI safely in today's companies and startups. Listen up. So, Smashing Security listeners, we are speaking with not one but two infosecurity gurus from Material.security. This is the company that offers a unified detection and response platform for Google Workspace and Microsoft 365. So we have Josh Donelson, who leads technology alliances, and we have Tony Albano, a seasoned AI ambassador with Google and a Workspace security expert. Welcome both to the show, gentlemen.
Thank you.
Great to be here. Thanks for having us.
Yeah.
Maybe you both can give us a quick bio so our listeners know a little about you and about your roles at Material.security. Maybe we can start with you, Josh.
Certainly. Yeah.
So my name is Josh Donelson. I look after technology alliances here. So all of our security ecosystem and platform partnerships. My career started as a hardware engineer, if you go back far enough, and then some time at VMware, and then a bunch of time at places like Okta. Looking after identity and cybersecurity. Been here at Material for a couple of years now and really looking forward to the conversation today.
Fantastic. What about you, Tony?
Yeah, I've essentially been living and breathing collaboration and security my entire career across a number of different organizations. And being here at Google, wanted to take advantage of the opportunity to dive into AI and specifically how it works with the Google Workspace platform. So it's great to be able to take advantage of all the things Google has to offer.
Brilliant. Okay, so let's kick off with a topic that we can't seem to get enough of these days: AI. We know that it's a powerful tool, and we know that powerful tools can be used for good and bad. So how are you guys seeing AI show up in organizations today?
I think we're at an incredibly interesting inflection point. AI has typically been used in order to shore up defenses across organizations. So you can look at things like automated email protection for massive amounts of spam, things of that nature. And all of that has been integrated into these products for years and years. And what we're seeing more and more of with the advent of large language models is the ability to now customize attacks, things like phishing campaigns, spam campaigns, et cetera, that are directly targeted to individuals or organizations, people are able to do that much faster, right? You're able to iterate through these different campaigns at a much higher rate. And what that means is now the tools of detection have to be able to update themselves at a much faster pace as well.
When I started in this business, I'll tell you, we used to have CDs that we'd send to customers. And we would say hundreds of new identities or viruses now identified, hundreds. And you guys are talking millions, right?
Not just millions, maybe tens of millions. The volume of messaging is just at a superhuman scale. So we have to leverage these foundational investments in things like AI and things like automated detection in order to make sure that our services are supercharged with that security presence as well. So essentially what we're investing in is the frontline being the phalanx that any of these bad actors would have to get through. If something were to happen, that's where human detection and that human intelligence can come into play as well. So we still need to ensure that not just do we have best-in-class automated detection, automated protection across our entire platform of services. But then how do we essentially put together some disparate actions or dots? And there's a lot of tools built into Workspace that allow our administrators to be able to string together events, say, in the event of an internal issue. But I think that's where Josh's team over at Material really comes into play as well.
Yeah, I'd love to hear from you, Josh, on this.
Yeah. The one plus one that I would add to the volume of threat conversation is that the rate of change is so much higher now than even 18, 24, 36 months ago. When one attack shows some flavor of success, it becomes super easy to then have 1,000 tiny iterations on it. The perspective here at Material is to really take a pragmatic approach to how we are using AI and really making sure we're doing what AI is really, really good at. And what we've learned is AI is not a catch-all for detection. You can't just say, here's our large language model or here's a pre-trained set of models. Please catch everything that's coming in the front door that Google doesn't already catch, because the cost of a false positive is just too high. We can't block business. We can't impact the user experience or the employee experience. We can't stop folks from collaborating or the business doesn't move forward. What we're thinking about here at Material are things like: AI is phenomenal at large-scale pattern matching, right? Have I ever seen anything like this before? Can I rapidly bring that metadata from a bunch of different platforms and put it right in front of a security analyst so that that human can much more quickly decide, real threat, false threat, triaging all of those messages? If you think of the flow of a normal security analyst's day, the vast majority of these things are caught by Google native platform services, 99.99%, I think, in one of the reports I read recently. But the really novel ones maybe get through, or maybe there's one that's very specific to my business or one of my executives. If it gets reported, it needs to be triaged. But if my security team has 37 other newsletters that they signed up for but they don't want to see anymore getting in the analyst's way, that becomes a problem that really has nothing to do with the type of threat itself, just an operations problem. So at Material, we can take AI and say, those 3 are obviously newsletters, look at them later.
This one is obviously a threat, we're going to block it right away until you can get to it. And for these two in the middle, we think they're worth your eyeballs right now. And that triage effort is really, really powerful in terms of operationalizing what are typically smaller teams. If you're a large Fortune 500, you may have the capacity to write 1,000 detection rules in your own platform. But most of us need a little bit of help. And that's a really, really pragmatic way to apply AI that doesn't take the human hand off the wheel, if you will.
Right.
OK, but what about when you have an insider threat, right, where an employee or a trusted business partner or whatever plays the double agent?
When we talk about that insider risk, usually what we're also concerned about is not just something like an email communication, but it may be the oversharing of content. Right? So if there are sensitive documents, sensitive pieces of material that may be stored in the platform, how do we ensure that that user isn't able to overshare that material externally, whatever the case may be, right? So this is another area where Google has invested in a lot of foundational AI that now we allow organizations to actually train their own models. Maybe it's a patent, maybe it is, if you're in biotech research, maybe it's some sort of a genome or a protein or whatever the case may be where those traditional DLP engines fall flat. Well, now by leveraging AI, we're able to train our own models based on the material that our organization considers sensitive, right? So if we take the case of patents, if, let's say, we have 100 different patents that are just sitting out there, now we can point our detection engine at that and say, okay, I want you to train your model based on all of the patents that we've filed. And now, because it works directly with our sensitivity system, now we can say this particular document is considered confidential, this one is eyes only, and then that flows through to say what can be shared externally and what cannot.
Yeah, yeah.
Yeah, we've had customers tell us that getting to a point where they have a rational labels taxonomy can be a challenge, right? There are a number of different APIs inside of the Workspace ecosystem that you'd have to look at. The training of some of those models to really use the label taxonomy to its fullest can take some time. Got a number of customers that have come to us and said, we know we have to fix this, but job one is figuring out what we have. And that's really hard because again, there's not extra people just sitting around looking for things to do. So this operations model of pulling together all the incredible signal and the power of the native tools, the DLP rules based on labels, we've empowered the Material Platform to sort of help with that. There's a bunch of AI behind the scenes that helps additional sensitive data discovery, and we're able to write back labels into Google Workspace to accelerate some of that work. But at the core, it's giving the operations folks some help to make sure that they're able to take the most advantage of what Google has built. So that's the operation side. I do want to take just a couple of seconds and talk about sort of AI specifically detecting things like ransomware, insider threat. And if you think about what we're addressing here, right, it's a business that has centered their operations inside of Google Workspace, right? That's where the business runs from. I've got strategy documents. Tony talked about patents. The amount of collaboration and back and forth before you submit a patent is through the roof. If no one's ever done that, it's a wild project to take on. But all those drafts, they're going to end up in email. And all those external partners, you're collaborating with a law firm, you're collaborating probably with outside expertise, you're collaborating with somebody that's going to help you package and file that and deal with the government. Those are all external people. 
So if you think about what insider threat or account takeover looks like, it looks like a change in your communication pattern.
Right. Interesting.
It's like, well, I've never talked to that person before, but I'm sending them a patent document. That doesn't make sense. Detecting that is really hard, because sending an external email is valid. Having a forwarding rule in my inbox is valid. Having that sensitive data in my inbox is valid. The combination of all of those things is what signals something like insider threat. And so because of where Material is connected, we can apply some of our backend AI (and, to the previous point, also humans) to some of these detections and raise them directly to a security operations professional. And so it's really an unlock for Workspace in a lot of ways, which is like, go forth, right? Go forth and prosper, because the platform is going to catch the vast majority of it. And this sort of novel... here's that same theme again, right? This novel or this unique or this change in previous behavior, Material is going to be able to get, because we're connected directly into the inbox. It's just a really, really wonderful partnership.
Wow.
Okay. We're fast running out of time. But before, before we wrap up, I'd love to know your thoughts on the smaller firms, because a lot of firms, a lot of security outfits out there focus on the big fish, the big organizations. What are your views on that market segment? Because it seems to me if nobody focuses seriously on these groups, like the startups that are working with AI at the frontier, they could be ducks sitting in a pond of infosecurity risk.
The bottom line is a number of what we might term small and medium businesses are actually the hypergrowth businesses that are going to be the Fortune 2500 in 3 years. They are experiencing massive employee growth. They are certainly trying to operate in multiple regions, or maybe they've got a product that is the next viral thing. And so they're getting hit on all sides with requests for collaboration and partnership. These are the ones that have all the same kinds of business risk as a larger entity, but none of the team. And so this idea of being able to, one, aggregate signals into a single place, whether you sort of orbit your SOC around the endpoint or if you orbit your SOC around the network or in our case, you know, we're sort of wanting you to orbit the SOC around Workspace because that's where business flows. But you have to pick one. And then you want to think of your toolset as a thing that can help you establish baselines. What do I have? What's it being used for? Who's using it? Are they allowed to? And what are some of the access models, correlating against what's normal and what's not normal? Point is, something like Material can help with that aggregation and operations acceleration from a Workspace perspective. It's part of what we were designed to do and why we're such great partners.
Hear, hear. You know, when you look at it from an executive standpoint, it's the question of where do we invest? You know, my advice to some of those small businesses would be to, number one, understand what you have, what are you trying to protect? What does that data look like? And work hand in hand with executive leadership to understand exactly where that growth is supposed to be taking place. So that we can better understand the tools we have in our tool belt and deploy them in an effective manner.
The last thing that we want to do as security experts is impede the growth of an organization, impede the collaboration that is required to partner with other organizations because nobody grows in a silo, right? So we need to ensure that we have that baseline understanding, we establish it, deploy it, and then we can look at optimizing and ensuring that we are leveraging whatever tools we have available to provide that defense in depth and the defense at scale that we need to do in order to be successful.
Brilliant. Smashing Security listeners, Material.security has a glut of information about detection and response in today's AI-driven world. Check it out for free at material.security. That is material.security. Josh Donelson of Material.security and Tony Albano of Google, thank you so much for sharing your expertise with us.
Absolutely.
Thank you for having me.
Terrific stuff. And that just about wraps up the show for this week. You can find Smashing Security on BlueSky, unlike Twitter, which wouldn't let us have a
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, 1Password, Vanta, and Material.security. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 411 episodes. Check out SmashingSecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Excellent stuff.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- The Trump Administration Accidentally Texted Me Its War Plans – The Atlantic.
- Here Are the Attack Plans That Trump’s Advisers Shared on Signal – The Atlantic.
- How the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat – The Guardian.
- From convenience to compromise: The rising threat of quishing scams – Fast Company.
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware – Hacker News.
- QR Code Statistics 2024: Trends & Use Cases – QR Code.
- Honey Garlic Scallop Kabobs – Heinz.
- With QR Code Redemption Set to Surge to 5.3 Billion in 2025, Cybercriminals will Increase Their Quishing Attacks – Wealth & Finance International.
- Chess Masters: The End Game – BBC iPlayer.
- Cribbage Classic – iOS app store.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Material – Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.