A company that ran anonymous tip lines for 35,000 American schools – handling reports of bullying, weapons, and self-harm – boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results…
Meanwhile, Rockstar Games gets hacked again – and the stolen data turns out to be less embarrassing than the financial secrets it accidentally revealed. GTA Online is still making half a billion dollars a year. Red Dead Redemption is not.
All this and more in episode 464 of the “Smashing Security” podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest BBC cybersecurity correspondent Joe Tidy.
Plus! Don’t miss our featured interview with Ryan Benson of Meter.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
He said selling data, he said, goes against my principles. But principles, he said, are for the well-fed. He needs some grub on the table.
Can we not just give him a burger rather than $10,000? Smashing Security, episode 464. Rockstar got hacked. The data was junk. The secrets it revealed were not.
With Graham Cluley and special guest Joe Tidy. Hello, hello, and welcome to Smashing Security episode 464. My name's Graham Cluley.
Can we not just give him a burger rather than $10,000? Smashing Security, episode 464. Rockstar got hacked. The data was junk. The secrets it revealed were not.
With Graham Cluley and special guest Joe Tidy. Hello, hello, and welcome to Smashing Security episode 464. My name's Graham Cluley.
And I'm Joe Tidy.
Well, Joe, great to have you back on again. I have to say, author, of course, of— well, I actually have the book on the shelf behind me here.
Where is it? Let me see it. Let me see it.
Here it is.
Yeah. Thank you very much.
There you are. Within reach.
Lovely to see. I'm a little bit echoey, Graham. I don't know if you can tell, because I'm currently in what can only be described as a corridor. But I hope that's okay.
Hope the sound is all right.
Hope the sound is all right.
The corridors of power, I suspect that's where you are.
I'd like to say that, but no, it's just a corridor.
Now, for people who don't know, you are the— what is it? What's your official title? Cyber correspondent at the BBC?
That's right. Yeah, cyber correspondent. Yeah, actually, when I got the job at the BBC, ooh, 8 years ago, maybe 9 years ago, it was Cyber Reporter.
And I remember saying to them, that sounds a bit futuristic. Can you just, can you call me cybersecurity? Cause I sound like a robot.
But then over time I've realized that people know what cyber means. And also I do other things. I don't just do cybersecurity.
I do sort of online safety and gaming and crypto, that kind of thing. So Cyber Correspondent kind of covers it all.
And I remember saying to them, that sounds a bit futuristic. Can you just, can you call me cybersecurity? Cause I sound like a robot.
But then over time I've realized that people know what cyber means. And also I do other things. I don't just do cybersecurity.
I do sort of online safety and gaming and crypto, that kind of thing. So Cyber Correspondent kind of covers it all.
It's funny because back in the day, you know, it's like, I don't know, 1999, Cyber, most people thought of cybersex, didn't they?
They thought of the Lawnmower Man and things like that. And now it is all about cybersecurity.
They thought of the Lawnmower Man and things like that. And now it is all about cybersecurity.
Yeah, I wouldn't know about cybersex. Not really my thing.
Nor me, sadly.
But yeah, I think the term, when I say I'm a cyber reporter now, most people understand what that means. Whereas when I started, they were like, what on earth are you talking about?
Well, we're really glad to have you here today. And before we kick off, let's thank this week's wonderful sponsors, Meta, Elaspic, and Vanta.
We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we're not going to be talking about how US-sanctioned cryptocurrency exchange Grinex has suspended operations after what they claim was a hack by Western intelligence agencies.
You'll hear no discussion of How hackers are bombarding executives' inboxes with hundreds of emails and then immediately following up with calls posing as the IT help desk, claiming to be there to fix the problem.
And we won't even mention how an iOS 26 update removed a Czech keyboard character, locking out any users who had it in their iPhone passcode.
So Joe, what are you going to be talking about this week?
We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we're not going to be talking about how US-sanctioned cryptocurrency exchange Grinex has suspended operations after what they claim was a hack by Western intelligence agencies.
You'll hear no discussion of How hackers are bombarding executives' inboxes with hundreds of emails and then immediately following up with calls posing as the IT help desk, claiming to be there to fix the problem.
And we won't even mention how an iOS 26 update removed a Czech keyboard character, locking out any users who had it in their iPhone passcode.
So Joe, what are you going to be talking about this week?
I'm going to be talking about a fascinating data breach at Rockstar Games, the absolutely enormous games maker. They're the guys behind Grand Theft Auto and Red Dead Redemption.
Don't know if you're a gamer, Graham, you play these games?
Don't know if you're a gamer, Graham, you play these games?
I'm not a gamer, but Red Dead Redemption is extraordinary.
Brilliant.
Absolutely amazing game.
Yeah, absolutely amazing.
And I'm going to be asking, is it wise to leave a tip? Plus, we're going to be chatting to Ryan Benson of Meta, find out what they've been up to.
All this and much more coming up in this episode of Smashing Security. Time for a quick word from one of our sponsors today, Elastic. So here's a familiar scenario.
Something suspicious hits your network. You need answers and you need answers fast.
So your team logs into tool 1 and then tool 2, and then the thing that doesn't quite talk to either of them. By which point, whatever was happening has happened.
Well, Elastic unifies your security data so analysts can focus on detecting and responding to threats, not herding different dashboards, which is probably why over half of Fortune 500 companies use Elastic.
Find out more right now at smashingsecurity.com/elastic. That's smashingsecurity.com/elastic. And thanks to Elastic for supporting the show.
Now, I've got a tip for any company that handles sensitive data. My tip is to never ever boast about how good your security is, because it might bite you in the bottom one day.
Could be a problem.
All this and much more coming up in this episode of Smashing Security. Time for a quick word from one of our sponsors today, Elastic. So here's a familiar scenario.
Something suspicious hits your network. You need answers and you need answers fast.
So your team logs into tool 1 and then tool 2, and then the thing that doesn't quite talk to either of them. By which point, whatever was happening has happened.
Well, Elastic unifies your security data so analysts can focus on detecting and responding to threats, not herding different dashboards, which is probably why over half of Fortune 500 companies use Elastic.
Find out more right now at smashingsecurity.com/elastic. That's smashingsecurity.com/elastic. And thanks to Elastic for supporting the show.
Now, I've got a tip for any company that handles sensitive data. My tip is to never ever boast about how good your security is, because it might bite you in the bottom one day.
Could be a problem.
I mean, the amount of times that these companies say, we are unbreakable, unhackable, that kind of thing. And then of course, that just it's a red rag to a bull, isn't it?
To the cybersecurity world, because you want to break it. If you're told you can't break it, you want to break it.
It actually reminds me when I was at BBC Oxford, which is a regional BBC news program.
There was a guy, a local guy, a local company said, we've made a USB stick that's basically indestructible. So my team were, quick, Joe, go and do a video report with these guys.
And I filmed it all on my own. And we did the interview and everything. And they were kind of giving it the big one about how this USB stick is indestructible.
And I said, "Just for fun, can I run it over with my car?" And the guy's, "Yeah, okay." And I ran it over with my car, and I filmed everything, and it completely obliterated the USB stick.
To the cybersecurity world, because you want to break it. If you're told you can't break it, you want to break it.
It actually reminds me when I was at BBC Oxford, which is a regional BBC news program.
There was a guy, a local guy, a local company said, we've made a USB stick that's basically indestructible. So my team were, quick, Joe, go and do a video report with these guys.
And I filmed it all on my own. And we did the interview and everything. And they were kind of giving it the big one about how this USB stick is indestructible.
And I said, "Just for fun, can I run it over with my car?" And the guy's, "Yeah, okay." And I ran it over with my car, and I filmed everything, and it completely obliterated the USB stick.
Did you broadcast that or not?
Absolutely we did. It was great.
End of that company. They won't be ringing up BBC Oxford again, will they?
No, they will not.
Well, one company was rather proud of its boast that it had never suffered some kind of security breach. And it was an outfit called P3 Global Intel.
On its website, the company actually advertised that it had been in business for over 20 years with, in their words, zero security breaches. Zilch. Nought.
A marvellous, unblemished record. I think from your little chortle there, Joe, you can sense where this story is going already.
On its website, the company actually advertised that it had been in business for over 20 years with, in their words, zero security breaches. Zilch. Nought.
A marvellous, unblemished record. I think from your little chortle there, Joe, you can sense where this story is going already.
Yeah. Again, it sort of reminds me of those, you know, the factory so-and-so days since the last accident or whatever, you know? And it's, at the moment we're good.
There's been X amount of days before something went wrong. Yeah. It's, you're foreshadowing, aren't you, Graham? I can tell you're a storyteller.
There's been X amount of days before something went wrong. Yeah. It's, you're foreshadowing, aren't you, Graham? I can tell you're a storyteller.
I am. That's right. That's right. So you may be wondering, what does this company P3 Global Intel actually do?
And they run what's called a fully integrated and state-of-the-art tip acquisition and tip management solution.
In other words, it runs anonymous tip lines, Crime Stopper programmes, school safety hotlines, that kind of thing.
And it is used, and this is extraordinary to me, it is used by 35,000 American schools.
And they run what's called a fully integrated and state-of-the-art tip acquisition and tip management solution.
In other words, it runs anonymous tip lines, Crime Stopper programmes, school safety hotlines, that kind of thing.
And it is used, and this is extraordinary to me, it is used by 35,000 American schools.
Wow.
Obviously American schools desire having a hotline.
Yeah, I didn't even know this was a thing. But clearly it is.
Apparently it is. Students are encouraged to anonymously report if a classmate's being bullied, or if someone has brought a weapon to school, or if a friend is suicidal.
So, you know, very serious stuff.
So, you know, very serious stuff.
Absolutely, yeah.
So that's great that there's that facility, because obviously anonymity is the whole point.
If you are able to leave a tip anonymously, that's going to encourage students to submit a tip, which could be very, very important.
So it's rather unfortunate that a hacktivist going by the name— and brace yourself here, Joe, I know you are a seasoned cybersecurity reporter, so you've heard a lot of hacking names.
This is someone who goes by the name Internet Yiff Machine.
If you are able to leave a tip anonymously, that's going to encourage students to submit a tip, which could be very, very important.
So it's rather unfortunate that a hacktivist going by the name— and brace yourself here, Joe, I know you are a seasoned cybersecurity reporter, so you've heard a lot of hacking names.
This is someone who goes by the name Internet Yiff Machine.
Yiff Machine? What is a yiff?
I don't know what yiff is.
I'm looking it up. Have you looked it up?
I haven't looked up what yiff is. Maybe it's something that the youngsters understand. I mean, there was Jif, which became Cif, which was the bathroom cleaner.
It's that.
I don't know if it's that or yiff.
So apparently, according to Wiktionary, yiff is the bark of a fox. Slang, vulgar, informal.
Oh, hang on.
Hang on.
Hello.
Sexual intercourse.
Ding dong.
Between furries.
Yes, they are a bit noisy, foxes, from what I've heard.
Right. You've messed up with my internet history now. Thanks for that.
Yes. Well, you could be in trouble with your employer, but anyway.
So this chap, Internet Yiff Machine, he scooped up 91 gigabytes of data containing 8.3 million of those supposedly anonymous tips. Now, how did he do this?
And this is the worrying thing. It wasn't a sophisticated nation-state attack?
So this chap, Internet Yiff Machine, he scooped up 91 gigabytes of data containing 8.3 million of those supposedly anonymous tips. Now, how did he do this?
And this is the worrying thing. It wasn't a sophisticated nation-state attack?
Zero-day?
It wasn't a zero-day that no one had seen before. This was a simple cross-site scripting vulnerability in the LeverTip chat box.
So it turns out this company, P3 Global Intel, had failed to set some flags on their cookies properly.
So it was trivial for Internet Yiff Machine to steal a member of staff's session cookie through a little bit of social engineering, get him to click on something. Bam!
They've got the cookie. And once inside, they found it was child's play to exfiltrate vast amounts of data which should have been held securely.
In fact, they made 8.3 million requests over the course of 4 days without apparently P3 noticing anything at all had gone wrong.
So it turns out this company, P3 Global Intel, had failed to set some flags on their cookies properly.
So it was trivial for Internet Yiff Machine to steal a member of staff's session cookie through a little bit of social engineering, get him to click on something. Bam!
They've got the cookie. And once inside, they found it was child's play to exfiltrate vast amounts of data which should have been held securely.
In fact, they made 8.3 million requests over the course of 4 days without apparently P3 noticing anything at all had gone wrong.
This is a bit of a catalog of errors here, isn't it?
It really is. So I mean, this wasn't a sophisticated vulnerability that was being exploited. It's the kind of thing that you learn on day one of web security school.
It's the kind of thing that's been documented for years in the OWASP Top 10 of the things that you have to make sure your web application doesn't suffer from, the most common vulnerabilities on websites.
So basically someone left the front door open, the windows unlocked, and they put out a big sign in neon outside saying, nobody's ever broken in here. Try your luck.
It's the kind of thing that's been documented for years in the OWASP Top 10 of the things that you have to make sure your web application doesn't suffer from, the most common vulnerabilities on websites.
So basically someone left the front door open, the windows unlocked, and they put out a big sign in neon outside saying, nobody's ever broken in here. Try your luck.
Yeah. And hackers will do that.
Of course they will.
Yeah. If you tell them you can't hack me, yeah, you're going to get hacked.
Yeah. It's about so many times internet companies have made really big boasts and everyone out there is thinking, oh, you know, I'd love to prove them wrong.
I'd love, I bet it's possible if I put in enough effort. Turns out Internet Yiff Machine didn't have to put in very much effort at all.
Anyway, he grabbed all this data and he handed it over to an outfit, a whistleblower outfit called DDoSecrets. Are you familiar with DDoSecrets?
I'd love, I bet it's possible if I put in enough effort. Turns out Internet Yiff Machine didn't have to put in very much effort at all.
Anyway, he grabbed all this data and he handed it over to an outfit, a whistleblower outfit called DDoSecrets. Are you familiar with DDoSecrets?
Oh yes. Oh yeah, they've been around a long time.
Yeah, yeah, they have, haven't they?
And sort of linked to WikiLeaks, I think.
Yeah, it was like a WikiLeaks offshoot, I think.
And they rather like WikiLeaks, they've certainly had their fair share of controversy over the years as to whether they're doing the right thing or not and whether they're disclosing too much information and maybe working too closely with the hackers, you know.
Controversial outfit. Anyway, they dubbed it BlueLeaks 2.0.
And those of you with longer memories may remember in 2020, there was a breach of US law enforcement agencies and the data—
And they rather like WikiLeaks, they've certainly had their fair share of controversy over the years as to whether they're doing the right thing or not and whether they're disclosing too much information and maybe working too closely with the hackers, you know.
Controversial outfit. Anyway, they dubbed it BlueLeaks 2.0.
And those of you with longer memories may remember in 2020, there was a breach of US law enforcement agencies and the data—
Was that based around the George Floyd protests?
I think it was exactly that.
I think that, because there was lots of DDoS secrets activity around there. Lots of police forces were hacked around that time, I think. So it may have been linked to that.
I think it was.
And that original BlueLeaks incident involved the doxing of police officers and law enforcement agents, which obviously people were concerned that they could end up, you know, their families being put at risk and so forth.
Anyway, the good news is this data has not been published publicly, but the hacktivist has listed it for sale on a hacking forum for $10,000.
And that original BlueLeaks incident involved the doxing of police officers and law enforcement agents, which obviously people were concerned that they could end up, you know, their families being put at risk and so forth.
Anyway, the good news is this data has not been published publicly, but the hacktivist has listed it for sale on a hacking forum for $10,000.
And—
Doesn't sound like a hacker, does he?
Well, now, no, he doesn't, does he really?
No.
And there's some sensitive information in there. So a researcher asked Internet Yiff Machine about this, said, you know, what are you doing?
And he said, look, he basically said, I'm paraphrasing, he said, selling data, he said, goes against my principles. But principles, he said, are for the well-fed.
And he said, look, he basically said, I'm paraphrasing, he said, selling data, he said, goes against my principles. But principles, he said, are for the well-fed.
Oof.
No, he needs some grub on the table. Can we not just give him a burger rather than $10,000? And he says, unfortunately, he's not doing very well financially.
He says, don't worry though. He says, I only intend to sell one copy. I'm gonna keep the exposure limited.
And that they're very, very sorry about this, but they're gonna have to do it.
He says, don't worry though. He says, I only intend to sell one copy. I'm gonna keep the exposure limited.
And that they're very, very sorry about this, but they're gonna have to do it.
Because that's how things work, isn't it?
Yes.
There's only ever one owner. Because you can't just copy it.
No, nobody's ever copied data. It's not like the— It's like, what? Come on, how are you going to control how this information is used and abused? It's ridiculous.
I mean, I suppose it is better than the attitude of most ransomware gangs, but it's not really any comfort at all, is it?
I mean, I suppose it is better than the attitude of most ransomware gangs, but it's not really any comfort at all, is it?
It's far off. Far off. No, not at all, no.
Well, at least the ransomware gangs tell you quite often these days how they got in. They offer to sell additional services.
Yeah, that's true. Yeah, yeah. But also, this is really, really sensitive data, isn't it? You can imagine some of the stuff in it.
It is. I mean, there was information about people self-harming. There was information about abuse and, you know, all kinds of ghastly information.
And the data apparently goes back as far as 1987. Some of this data, it goes back decades.
And the data apparently goes back as far as 1987. Some of this data, it goes back decades.
Wow.
And one researcher who saw the data was able to identify someone who had had something happen to them when they were a toddler, and they were able to contact them today about it because this data had been breached.
I mean, it's ghastly to think that it could have been pieced together like that. Yeah. So very disturbing, some of this. Last month, Portland police took some action.
They told local residents to stop using Crime Stoppers while the hack was being investigated because they said, we just can't be confident it's safe anymore.
And as of this recording, P3's parent company, Navigate360, they have not publicly confirmed that a breach has occurred.
They haven't notified any schools or any individuals, hasn't responded to press inquiries. There's already a class action suit being revved up against them.
But the claim on their website that they've suffered zero security breaches has been updated. It's been removed. They just quietly shuffled that to one side.
So rather than in the last 20 years, it's, don't ask about that. Don't ask about that.
I mean, it's ghastly to think that it could have been pieced together like that. Yeah. So very disturbing, some of this. Last month, Portland police took some action.
They told local residents to stop using Crime Stoppers while the hack was being investigated because they said, we just can't be confident it's safe anymore.
And as of this recording, P3's parent company, Navigate360, they have not publicly confirmed that a breach has occurred.
They haven't notified any schools or any individuals, hasn't responded to press inquiries. There's already a class action suit being revved up against them.
But the claim on their website that they've suffered zero security breaches has been updated. It's been removed. They just quietly shuffled that to one side.
So rather than in the last 20 years, it's, don't ask about that. Don't ask about that.
Yeah, yeah. Everything's fine.
But it's pretty unacceptable that they haven't communicated at all about it, isn't it?
Oh yeah. As a journalist, this really, really bugs me because of course, it's really difficult when you cover these cybercrime incidents because the victim here, is it P3?
Is that what they're called? P3? So, you know, they're a victim. They've been hacked by a criminal. However, they're also the custodians of this really important sensitive data.
So in a sense, they're kind of culpable for doing bad security at the same time.
So it's really hard when you kind of, I haven't covered this story myself, but there are journalists that have, they'll be wanting to get answers from this company.
And the company have been clearly really, really terrible in transparency.
And those people who have done tips, who've used the tip line, they need to be told, by the way, that tip you gave us anonymously, that might be out there now.
Someone could find that and put your name to it. It's really, it's a really nasty breach. It's a really nasty bit of PR from them.
Is that what they're called? P3? So, you know, they're a victim. They've been hacked by a criminal. However, they're also the custodians of this really important sensitive data.
So in a sense, they're kind of culpable for doing bad security at the same time.
So it's really hard when you kind of, I haven't covered this story myself, but there are journalists that have, they'll be wanting to get answers from this company.
And the company have been clearly really, really terrible in transparency.
And those people who have done tips, who've used the tip line, they need to be told, by the way, that tip you gave us anonymously, that might be out there now.
Someone could find that and put your name to it. It's really, it's a really nasty breach. It's a really nasty bit of PR from them.
This is the interesting thing. If the tips are anonymous, presumably they don't know who the people are who've left the tips?
Well, hopefully in that sense, that protects them a little bit, doesn't it? Because you could say, I'm in year 3. Did you know that this kid here is bringing a knife into school?
Whatever. If that was anonymous, then you'd be a bit more, okay, that's safe. But what if names are left on there?
Whatever. If that was anonymous, then you'd be a bit more, okay, that's safe. But what if names are left on there?
Well, exactly, because the tip is probably going to contain information which is actionable. So, it could be people who've never had any interaction with this tip hotline as well.
People who the company doesn't have any contact details for, who have been impacted by this.
People who the company doesn't have any contact details for, who have been impacted by this.
That is such a good point. Yeah. Yeah. They're more likely to be impacted than the actual tip givers, aren't they?
Yes. And of course, this goes back decades.
So, even if you did have contact information, piecing together who these people are, I'll tell you the comparison I was thinking of was, of course, the Julius Kivimäki, the Vastamo.
You wrote a book all about it.
So, the Vastamo Psychotherapy Clinic hack in Finland, where he then went on to blackmail these people after their psychotherapy notes ended up in his lap, effectively, after he did a hack.
This is information which potentially could be pieced together and used for blackmail purposes as well.
So, even if you did have contact information, piecing together who these people are, I'll tell you the comparison I was thinking of was, of course, the Julius Kivimäki, the Vastamo.
You wrote a book all about it.
So, the Vastamo Psychotherapy Clinic hack in Finland, where he then went on to blackmail these people after their psychotherapy notes ended up in his lap, effectively, after he did a hack.
This is information which potentially could be pieced together and used for blackmail purposes as well.
Absolutely, yeah. Well, to be honest, you know, if they can, they'll find any way to get paid, won't they?
Yeah.
These cybercriminals, and they'll stoop lower and lower and lower.
So I wouldn't be surprised if this person isn't given $10,000 for their, almost reminds me of the Wu-Tang Clan, where they did one album and they sold it to one person to try and keep it exclusive.
If they're not gonna do that and they're not gonna get their 10 grand, I'm afraid some of those people in that dataset might be approached by them.
So I wouldn't be surprised if this person isn't given $10,000 for their, almost reminds me of the Wu-Tang Clan, where they did one album and they sold it to one person to try and keep it exclusive.
If they're not gonna do that and they're not gonna get their 10 grand, I'm afraid some of those people in that dataset might be approached by them.
Might be.
Which would be very scary and very troubling for them. It's unusual, isn't it, for hackers to reach out directly to data breach victims?
But we know it does happen in the Vistoma case.
But we know it does happen in the Vistoma case.
Yeah, we do.
It also happened recently here in the UK with the Kiddos nursery hack.
Yes.
There was this really weird, everyone went crazy for it in terms of it was a real nasty nadir in cybercrime where some teenagers hacked into Kiddo Nurseries, which is a chain of nurseries, stole all the data, particularly the kids' pictures and profiles and stuff, safeguarding notes.
And then the company Kiddos wasn't paying, so then the hackers called up some of the families, some of the mums and dads and said, "We've got your kids' profile pictures" to scare the parents.
Absolutely horrendous and hideous.
And then the company Kiddos wasn't paying, so then the hackers called up some of the families, some of the mums and dads and said, "We've got your kids' profile pictures" to scare the parents.
Absolutely horrendous and hideous.
Yeah, horrible stuff. I was just thinking, if someone does pay the $10,000, of course, to access this information, they're going to want to then monetize it, aren't they?
That's a great point.
They are going to.
What are you going to do with it? Yeah, of course. Unfortunately, the chances of those people being victimized further increases, doesn't it?
Yeah, it's not collecting butterflies if you're collecting data.
Absolutely not. No, good point there. Yeah, I think this is probably just the start of it, isn't it? What a nasty one.
Well, time now to talk about one of our sponsors, Meta. Joe, have you ever had to set up a network for a new office?
Once. I've since sought therapy.
Ah, right. Well, Meta exists to make all of that someone else's problem. They are a network as a service company, but a proper end-to-end one.
You hand them a physical address, a floor plan, they handle everything.
They sort out the ISP, they design and deploy the network, they turn up on the site, they rack their own hardware, kits that they've actually designed themselves, not just rebranded someone else's gubbins.
You hand them a physical address, a floor plan, they handle everything.
They sort out the ISP, they design and deploy the network, they turn up on the site, they rack their own hardware, kits that they've actually designed themselves, not just rebranded someone else's gubbins.
So I don't have to spend 45 minutes on hold with the telecoms company only to be told they've misspelled our company name on the contract.
Right, right. Yeah, not a single minute of that. And once you're up and running, you get one dashboard for monitoring, security, VLANs, firewall, DNS security, the whole works.
Full control without any of the soul-destroying groundwork.
Full control without any of the soul-destroying groundwork.
This begs the question, what's the catch?
Genuinely, no catch. It's a straightforward subscription model. They even have a hardware buyback program if you've already blown the budget on equipment from another vendor.
So they'll take away the evidence of my previous terrible decisions?
Right, basically, yes. So find out more at mita.com/smashing. That's m-e-t-e-r.com/smashing. And thanks to Meta for supporting the show. Joe, what have you got for us this week?
I have got a story about Rockstar Games, which was hacked again.
I was particularly interested in this one because, as you mentioned my book earlier, at the end of my book, I talk about a gang called Lapsus$.
Which in about 2022, 2023 were a really big deal.
And one of the guys from Lapsus$ hacked Rockstar Games and stole a huge amount of data and source code, got into the Slack, I remember, of the company and posted pictures of penises.
I was particularly interested in this one because, as you mentioned my book earlier, at the end of my book, I talk about a gang called Lapsus$.
Which in about 2022, 2023 were a really big deal.
And one of the guys from Lapsus$ hacked Rockstar Games and stole a huge amount of data and source code, got into the Slack, I remember, of the company and posted pictures of penises.
Like you do.
Because he's a teenager and why not?
Yeah, anyway, and then he also published some 90 clips of GTA 6, the forthcoming GTA game, which by all accounts will be the biggest game, biggest entertainment product ever.
Yeah, anyway, and then he also published some 90 clips of GTA 6, the forthcoming GTA game, which by all accounts will be the biggest game, biggest entertainment product ever.
They've been working on it for like 10 years or something, is it? I mean, it—
Yeah, the hype is incredible. $2 billion have been spent on it, something insane. Anyways, so that was that hack, and it cost Rockstar $5 million in disruption and cybersecurity.
Now we find out that a group, again, we think teenagers, called Shiny Hunters, you might have heard of Shiny Hunters, they've been quite prolific in data breach extortion attacks in the last couple of years.
They have got into Rockstar Games using a third-party provider of, I think it was a bit of API that manages their cloud storage, that kind of thing.
And they have stolen quite a chunk of data. But the interesting thing here is that neither the hackers nor Rockstar thought it was really worth much. I spoke to the hackers.
They said, oh, we've got this data. We are extorting Rockstar. They're not paying though. And I said, well, what is it? And he goes, eh, it's junk data, to be honest.
But we tried to get paid. And what's funny is, of course, they've admitted it. Rockstar has said, the quote that we reported at the BBC was, this isn't going to impact us at all.
So, you know, the data's gone, but we're not going to pay the criminals, which is of course what everyone says, don't pay, don't pay, don't pay. So that's good in a sense.
But what I think is fascinating here is the data has now been published and put online on the Shinyhunters darknet website. It's now being sent around and being shared.
And although most of it is, in their words, junk, there's a few tidbits of information which have ended up being a massive talking point in the gaming world.
Now we find out that a group, again, we think teenagers, called Shiny Hunters, you might have heard of Shiny Hunters, they've been quite prolific in data breach extortion attacks in the last couple of years.
They have got into Rockstar Games using a third-party provider of, I think it was a bit of API that manages their cloud storage, that kind of thing.
And they have stolen quite a chunk of data. But the interesting thing here is that neither the hackers nor Rockstar thought it was really worth much. I spoke to the hackers.
They said, oh, we've got this data. We are extorting Rockstar. They're not paying though. And I said, well, what is it? And he goes, eh, it's junk data, to be honest.
But we tried to get paid. And what's funny is, of course, they've admitted it. Rockstar has said, the quote that we reported at the BBC was, this isn't going to impact us at all.
So, you know, the data's gone, but we're not going to pay the criminals, which is of course what everyone says, don't pay, don't pay, don't pay. So that's good in a sense.
But what I think is fascinating here is the data has now been published and put online on the Shinyhunters darknet website. It's now being sent around and being shared.
And although most of it is, in their words, junk, there's a few tidbits of information which have ended up being a massive talking point in the gaming world.
Right.
Anything to do with GTA is a talking point because of the size of it.
But what's really interesting is that the financials of how much GTA Online makes and how much Red Dead Redemption makes have been released as well.
So you've got these Reddit threads full of gamers talking about, oh my God, I can't believe it makes this much. The headlines are GTA Online.
Bear in mind, this is something like a 13-year-old game.
But what's really interesting is that the financials of how much GTA Online makes and how much Red Dead Redemption makes have been released as well.
So you've got these Reddit threads full of gamers talking about, oh my God, I can't believe it makes this much. The headlines are GTA Online.
Bear in mind, this is something like a 13-year-old game.
Yes.
It still makes half a billion dollars a year.
Bloody hell.
I mean, we knew it was big. We didn't know it was that big.
This is another thing that's come out of the data breach, is that only a very small fraction of people who play that game actually spend in that game.
This is another thing that's come out of the data breach, is that only a very small fraction of people who play that game actually spend in that game.
Right.
And they buy these, you know, shark vouchers or tokens, you know, the in-game currency type stuff.
Yes.
Is this to pimp up their vehicles or to wear a fancy suit? I think so, that kind of thing. Or have a more dangerous weapon or something.
Yeah, I think it's all cosmetic stuff. So I think it's like to upgrade the visuals of your character, like Fortnite does with V-Bucks and that kind of thing.
But the interesting thing about it as well is that Red Dead Redemption, which people kind of had a feeling it wasn't that popular, it's not got anywhere near the kind of size of GTA following.
But because of this data breach, we now know just how little people spend in Red Dead Redemption.
And the reason possibly why Rockstar Games isn't really putting much effort into Red Dead Redemption according to the data breach, whereas GTA Online is making about $500 million per year, unfortunately Red Dead is only pulling in about $26.4 million per year.
Still not bad, is it?
But what gamers are saying is that this really does say a lot about where the money and effort and design is going, which is GTA, because that's where the money is.
And this article I love from PC Gamer, it says, maybe Red Dead isn't Red Dead, it's just dead, dead because there aren't many players.
But the interesting thing about it as well is that Red Dead Redemption, which people kind of had a feeling it wasn't that popular, it's not got anywhere near the kind of size of GTA following.
But because of this data breach, we now know just how little people spend in Red Dead Redemption.
And the reason possibly why Rockstar Games isn't really putting much effort into Red Dead Redemption according to the data breach, whereas GTA Online is making about $500 million per year, unfortunately Red Dead is only pulling in about $26.4 million per year.
Still not bad, is it?
But what gamers are saying is that this really does say a lot about where the money and effort and design is going, which is GTA, because that's where the money is.
And this article I love from PC Gamer, it says, maybe Red Dead isn't Red Dead, it's just dead, dead because there aren't many players.
So unlikely we'll get a third incarnation of it perhaps.
And no, but again, people are a bit worried now because of the data breach, because they're saying that is GTA 6 going to be aiming for that online audience?
Is it not going to be a buy it once and play it forever? Is it going to be a live, constantly updated game?
Because now they've seen the financials and it makes so much sense business-wise.
And perhaps people are saying, maybe that's why Rockstar isn't rushing with GTA 6, because they're making so much money on GTA Online.
The reason I bring this up, you know, I know it's not a gaming podcast, but in terms of data breaches, I think this is a real fascinating case study in the unintended consequences of letting data that you think isn't that interesting into the public.
And I love the PC Gamer article title is Rockstar hackers release their stolen data, reveal that Rockstar was probably right not to pay anything for it.
But perhaps maybe Rockstar might be thinking that again because there's this information, you know, maybe it was already out there through investor calls and things like that, but no one really paid any attention.
But now it's out there and people are really poring over it and analyzing it and reading lots and lots between the lines.
Is it not going to be a buy it once and play it forever? Is it going to be a live, constantly updated game?
Because now they've seen the financials and it makes so much sense business-wise.
And perhaps people are saying, maybe that's why Rockstar isn't rushing with GTA 6, because they're making so much money on GTA Online.
The reason I bring this up, you know, I know it's not a gaming podcast, but in terms of data breaches, I think this is a real fascinating case study in the unintended consequences of letting data that you think isn't that interesting into the public.
And I love the PC Gamer article title is Rockstar hackers release their stolen data, reveal that Rockstar was probably right not to pay anything for it.
But perhaps maybe Rockstar might be thinking that again because there's this information, you know, maybe it was already out there through investor calls and things like that, but no one really paid any attention.
But now it's out there and people are really poring over it and analyzing it and reading lots and lots between the lines.
Well, we've got time now to talk about one of today's sponsors, Vanta. Joe, what keeps you up at 2 o'clock in the morning?
The dog next door, mostly.
Oh, right. Well, yeah, but I'm talking professionally. What keeps you up?
Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
Exactly. Which is where today's sponsor comes in. It's Vanta.
Fanta, the fizzy orange drink. How can this possibly be true?
No, no, Joe. It's Vanta with a V. It's a trust management platform.
It's not a drink full of sugar, it automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
It's not a drink full of sugar, it automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
Lush. I hate questionnaires.
Well, who doesn't? Vanta continuously monitors your systems. It centralizes your security data. It keeps your program audit ready all of the time.
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
So basically it handles the boring stuff so we can focus on the interesting stuff.
Exactly. Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep. $1,000.
Head to vanta.com/smashing That's V-A-N-T-A dot com slash Smashing and get started today.
Head to vanta.com/smashing That's V-A-N-T-A dot com slash Smashing and get started today.
And maybe get a decent night's sleep for once. Oh, and unlike fizzy drinks, Fanta isn't bad for you. That was a fruit twist.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Well, my pick of the week this week is not security-related. I'm sure you're like me, Joe. I used to love Twitter.
It doesn't have to be security-related necessarily. Well, my pick of the week this week is not security-related. I'm sure you're like me, Joe. I used to love Twitter.
Oh, I miss it.
Don't you just?
I miss it so much.
I mean, it wasn't perfect, but as a news junkie, and I am a news junkie, it really appealed to me.
Yeah, same. It was the place where everyone was. Every morning you would know, okay, this is where people are.
It's great. And it appealed to me much more than any other social media platform. And then it all went terribly wrong.
And I don't think we need to name anyone in particular, which coincided with it going terribly wrong. But I think we recognise that Twitter changed and not only changed its name.
They want us to call it X for some ridiculous—
And I don't think we need to name anyone in particular, which coincided with it going terribly wrong. But I think we recognise that Twitter changed and not only changed its name.
They want us to call it X for some ridiculous—
Yeah, I find it hard to call it X.
I can't really call it X to this day because I'm not 13 years old. It just seems like a stupid name.
It just sounds, yeah.
So I deleted my account. I said goodbye, moved to other places like Bluesky and Mastodon, which aren't really as great as Twitter was in its heyday, but—
No, not at all. And you actually left behind a decent following as well, Graham, didn't you? So was that an ethical sort of moral standpoint for you?
It's hard to believe, isn't it? Yes, I did. So yeah, I had, I think I had about 120,000 followers.
Wow.
That was a big decision then. Do you?
Well, yeah, I decided I didn't want to be there. I didn't want to encourage other people to be there. A bit like closing down your Facebook account or something like that, really.
So I went elsewhere.
But the thing is, sometimes I still have reasons to go to Twitter because sometimes someone posts up something like, you see these AI videos with Lego characters during the current conflict in Iran, for instance, and they're being posted up on Twitter and you think, oh, I'd quite like to see that, but I don't want to create a Twitter account.
And I don't want to link to Twitter from an article because it's full, you know, it's horrible and it's bile-filled and it's full of bots.
You know, I just don't feel right linking to it. And that is when I discovered a site called Xcancel.
And Xcancel is a third-party interface that allows people to view and link to, you can't post to Twitter via it, but you can view and link to content which is on Twitter without directly using Twitter or X itself.
Does that make sense?
So I went elsewhere.
But the thing is, sometimes I still have reasons to go to Twitter because sometimes someone posts up something like, you see these AI videos with Lego characters during the current conflict in Iran, for instance, and they're being posted up on Twitter and you think, oh, I'd quite like to see that, but I don't want to create a Twitter account.
And I don't want to link to Twitter from an article because it's full, you know, it's horrible and it's bile-filled and it's full of bots.
You know, I just don't feel right linking to it. And that is when I discovered a site called Xcancel.
And Xcancel is a third-party interface that allows people to view and link to, you can't post to Twitter via it, but you can view and link to content which is on Twitter without directly using Twitter or X itself.
Does that make sense?
So it's using X with really thick rubber gloves on or wearing a hazmat suit.
Yes, exactly. Exactly. You won't publish anything, but you can see what's going on there.
You don't have to create an account, which means I can replace x.com with xcancel.com in all of my URLs to access content through it.
I can even use a browser extension that automatically redirects any links to the old Twitter to go to xcancel.com instead. Or I don't use Google as a search engine.
I use something called Kagi, which is something you pay for, but it has some nice benefits.
And I can tell Kagi to always change search results which go to X to go to Xcancel instead automatically.
You don't have to create an account, which means I can replace x.com with xcancel.com in all of my URLs to access content through it.
I can even use a browser extension that automatically redirects any links to the old Twitter to go to xcancel.com instead. Or I don't use Google as a search engine.
I use something called Kagi, which is something you pay for, but it has some nice benefits.
And I can tell Kagi to always change search results which go to X to go to Xcancel instead automatically.
That is smart.
So I feel I'm doing my little bit.
Yeah.
My little tiny chink to chip away from their number of page visits every month by doing that.
So my recommendation to people, I don't know if other people are gonna like it or whether they're as obsessed about this kind of thing as I am, but my pick of the week is xcancel.com.
So my recommendation to people, I don't know if other people are gonna like it or whether they're as obsessed about this kind of thing as I am, but my pick of the week is xcancel.com.
Nice. What would it take for you to get back on Twitter? Let's say a certain CEO maybe stood down or handed over the reins to someone else.
If there was some sort of declaration or something, would you go back on?
If there was some sort of declaration or something, would you go back on?
Fool me once, shame on me.
Yeah, yeah, yeah.
Oh no, shame on you, isn't it? Anyway, but yes, you know what I mean? There's a lot of shame going around as well. I think I'd always be nervous about it.
And to be honest, from what I've seen, a lot of it is bots or a lot of it is porn or AI content. And it's just this isn't actually valuable. Yeah.
Although Mastodon and Bluesky aren't as great as Twitter used to be, I do find them more pleasant places to hang out. I'm quite happy being there, to be honest. Anyway, xcancel.com.
Joe, what's your pick of the week?
And to be honest, from what I've seen, a lot of it is bots or a lot of it is porn or AI content. And it's just this isn't actually valuable. Yeah.
Although Mastodon and Bluesky aren't as great as Twitter used to be, I do find them more pleasant places to hang out. I'm quite happy being there, to be honest. Anyway, xcancel.com.
Joe, what's your pick of the week?
I'm probably going to choose a book I'm reading at the moment, which is We Are Anonymous by Parmy Olson. It's an old one.
I think it probably came out where— so the events of the book are about Anonymous, the hacking collective. So she's writing about things that happened in 2009, 10, 11, 12.
I think it came out in '14.
I think it probably came out where— so the events of the book are about Anonymous, the hacking collective. So she's writing about things that happened in 2009, 10, 11, 12.
I think it came out in '14.
I think it was earlier than that.
Well, I'm late to the party. But the good news is the party's still swinging. It's fantastic. I'm really enjoying it.
It's a really good page-turner and it gives us the type of cyber writing and reporting that I really is where you get to know the individuals and you get to find out what makes them tick.
And I'm really enjoying it. And she's a great writer, American. I think she was at Wired and now I think she's a Bloomberg tech columnist or something.
It's a really good page-turner and it gives us the type of cyber writing and reporting that I really is where you get to know the individuals and you get to find out what makes them tick.
And I'm really enjoying it. And she's a great writer, American. I think she was at Wired and now I think she's a Bloomberg tech columnist or something.
Yeah.
And she's written another book called Supremacy, which is about Sam Altman and Demis Hassabis of DeepMind in Google, and that's really good as well.
But yeah, I'm really enjoying it. We Are Anonymous is the book, and check it out if you haven't already.
But yeah, I'm really enjoying it. We Are Anonymous is the book, and check it out if you haven't already.
And it's a real blast to the past, isn't it? About some of those old hacking gangs who are making the news.
I think LulzSec are covered in it quite a lot, for instance, who were a very prominent, primarily British hacking gang back in the day.
I think LulzSec are covered in it quite a lot, for instance, who were a very prominent, primarily British hacking gang back in the day.
Yeah, and they feature in my book as well, 'cause my book is about teenage hacking.
And I realize now, too late, that I should have read her book while I was, or before I was writing mine, because it would've helped inform my reporting.
But luckily, I haven't got anything wrong, but I could've just got some really nice detail from the sort of stuff that she got.
Because as you say, she follows a small group of the Anonymous core, which turn out, lots of them, to be part of this really world-changing group that was LulzSec.
And I realize now, too late, that I should have read her book while I was, or before I was writing mine, because it would've helped inform my reporting.
But luckily, I haven't got anything wrong, but I could've just got some really nice detail from the sort of stuff that she got.
Because as you say, she follows a small group of the Anonymous core, which turn out, lots of them, to be part of this really world-changing group that was LulzSec.
Does it feel another time now? Does it feel, do you think, a different age?
I don't think so, actually. I think there's a lot of stuff that just keeps coming around.
So, some of the character beats, some of the things that make these hackers tick, you could see that in the book that Parmi wrote 10 years ago, and you could also see it in the book that I wrote last year.
There is a certain number of character traits that you see in these young hackers who like anarchy and chaos, and that really does come through.
And I think in a sense, it goes all the way back to the Hacker Manifesto of the, was it the late '80s, mid-'80s, where you had this idea of the smartest people in the room, they think faster than everyone else, and they want to show everyone how clever they are by doing crazy magical things with computers.
So it does feel almost timeless, that type of story. And that's been really interesting to notice as I've been reading it.
So, some of the character beats, some of the things that make these hackers tick, you could see that in the book that Parmi wrote 10 years ago, and you could also see it in the book that I wrote last year.
There is a certain number of character traits that you see in these young hackers who like anarchy and chaos, and that really does come through.
And I think in a sense, it goes all the way back to the Hacker Manifesto of the, was it the late '80s, mid-'80s, where you had this idea of the smartest people in the room, they think faster than everyone else, and they want to show everyone how clever they are by doing crazy magical things with computers.
So it does feel almost timeless, that type of story. And that's been really interesting to notice as I've been reading it.
Well, thanks very much. Good pick of the week there.
Right.
Well, we've got some time now to have a featured interview with a special guest.
Well, if you've ever had to set up networking for a new office or you've watched an IT team try to bolt security on top of infrastructure, that was never designed for it, you'll know it's rarely pretty.
Well, Ryan Benson is from Meter, a company that thinks that there's a better way. Ryan, thank you for joining me.
Well, if you've ever had to set up networking for a new office or you've watched an IT team try to bolt security on top of infrastructure, that was never designed for it, you'll know it's rarely pretty.
Well, Ryan Benson is from Meter, a company that thinks that there's a better way. Ryan, thank you for joining me.
Oh, thank you for having me, Graham.
So IT teams, they're constantly being asked to do more with less resources, aren't they? So what does it actually look like out there on the ground?
What corners are people ending up cutting?
What corners are people ending up cutting?
Well, Graham, I've been doing this for almost 25, I don't want to admit how many years. And until I joined Meter, I was always asked to design to mediocrity, right?
I would come up with a great network design and I'd have redundant firewalls and I'd have powerful switches and what have you.
And then inevitably we'd go to the money folks and they'd say, uh-uh, you know, rip out 30% of it or whatever, right. And so we would rip out this SKU or this box or whatever.
And that would take oftentimes weeks of my work and working with the limited resources at those IT teams to come up with something that would fit the budget and yet also keep the business running.
So we designed to mediocrity, rip out a bunch of cool design that I spent all this time working on.
And in the end, we'd have something that works, but really isn't the greatest and might have some holes or what have you.
And then 3 to 5 years later, we'd have to come back around and say, okay, well, here's some new boxes with some new chips or some new technology.
I would come up with a great network design and I'd have redundant firewalls and I'd have powerful switches and what have you.
And then inevitably we'd go to the money folks and they'd say, uh-uh, you know, rip out 30% of it or whatever, right. And so we would rip out this SKU or this box or whatever.
And that would take oftentimes weeks of my work and working with the limited resources at those IT teams to come up with something that would fit the budget and yet also keep the business running.
So we designed to mediocrity, rip out a bunch of cool design that I spent all this time working on.
And in the end, we'd have something that works, but really isn't the greatest and might have some holes or what have you.
And then 3 to 5 years later, we'd have to come back around and say, okay, well, here's some new boxes with some new chips or some new technology.
Right. So the existing approaches seem to fail, don't they? They don't do so well. There's always trade-offs being made.
If it's hardware or you're sacrificing redundancy or you're working with lots of different vendors and there, all sorts of problems can occur, can't they?
If it's hardware or you're sacrificing redundancy or you're working with lots of different vendors and there, all sorts of problems can occur, can't they?
Correct. Correct.
So you might have not only just single points of failure, but in kind of the traditional way of doing these things, you might go for a lower tier software license that doesn't have as many features or something like that.
And that's kind of the way that we've done things for a long, long time. Well, what if we didn't have to do that? What if we always put our best foot forward?
So you might have not only just single points of failure, but in kind of the traditional way of doing these things, you might go for a lower tier software license that doesn't have as many features or something like that.
And that's kind of the way that we've done things for a long, long time. Well, what if we didn't have to do that? What if we always put our best foot forward?
And there is a temptation, I think, inside some companies to treat every security gap, you know, it's like, how are we going to deal with this? It's well, we'll buy another tool.
But sometimes that's not always the best approach, is it? Right.
But sometimes that's not always the best approach, is it? Right.
Because you know, you can have a whole bunch of tools, but if you're not equipped to manage them or to log in to a bunch of different dashboards or constantly be looking at them, it's not really a great approach to security because you might have the best tool, but if you don't know how to pick it up and use it, right, or if you don't have the time to pick it up and use it, it's not useful to you.
So Ryan, for listeners who haven't come across Meta before, how do you sum it up?
Well, Graham, we're an enterprise networking company that delivers wired, wireless, security, cellular, even as a subscription.
So the idea is that we deliver world-class networking and security so the customer can go and enjoy whatever it is they want to do with their life and not have to worry about any of the technology.
The idea is that everything, not just the boxes in the closet or the APs on the wall or whatever, all of it is a service.
The support, day 2 and beyond, the design before we ever put anything in the building, the way that we configure the gear, all of that is done from Meteor.
And then supported, you know, in year 2, year 3, if there's some new Wi-Fi that comes out, you know, we deliver all that.
So the idea is that we deliver world-class networking and security so the customer can go and enjoy whatever it is they want to do with their life and not have to worry about any of the technology.
The idea is that everything, not just the boxes in the closet or the APs on the wall or whatever, all of it is a service.
The support, day 2 and beyond, the design before we ever put anything in the building, the way that we configure the gear, all of that is done from Meteor.
And then supported, you know, in year 2, year 3, if there's some new Wi-Fi that comes out, you know, we deliver all that.
So I've heard that Meta's position is that security needs to be designed into the network from the ground up. So it's security built in, not bolted on, not added afterwards.
But what does that actually mean in practice? What's different about how you guys build things?
But what does that actually mean in practice? What's different about how you guys build things?
Yeah, I think it's, you know, some people use the term positive security model.
Our default position when we deploy a new network to have security baked into the design of the network.
So when something gets deployed, we've already designed it to be Zero Trust in terms of, you know, traffic flowing east-west within the network and things like that in the actual physical design and the software configuration of the network.
Our default position when we deploy a new network to have security baked into the design of the network.
So when something gets deployed, we've already designed it to be Zero Trust in terms of, you know, traffic flowing east-west within the network and things like that in the actual physical design and the software configuration of the network.
So phrases like Zero Trust and NAC and others, these get thrown around a lot, don't they, by the marketing teams? I think they love all that.
Oh, yes. Yeah.
In non-jargony terms, what does enforcement actually look like at the network level? How would you describe it?
Not to get too jargony or too technical, but one of the things that we do is block traffic east-west by default in the actual switching infrastructure that gets delivered or the wireless infrastructure, you know, we isolate clients from talking to each other and then open those things up as needed, as the customer desires.
So if there is an application that needs to talk east-west or what have you, we define that before the network ever even gets delivered.
We do something called a digital twin where all of it is designed, you know, in the cloud before the physical gear is ever delivered.
And then we all agree with the customer and we do a validation step.
It doesn't sound like maybe the sexiest thing in the world to sell, but it is pretty cool that, you know, we go through the whole process of implementation and design, and then we shake hands and say, yes, you know, we agree that this is how we want to run our business or our school or our government or whatever.
And then we say, all right, well, now we can actually physically build it. So I think a lot of that is what makes us capable of delivering a secure network from day one.
So if there is an application that needs to talk east-west or what have you, we define that before the network ever even gets delivered.
We do something called a digital twin where all of it is designed, you know, in the cloud before the physical gear is ever delivered.
And then we all agree with the customer and we do a validation step.
It doesn't sound like maybe the sexiest thing in the world to sell, but it is pretty cool that, you know, we go through the whole process of implementation and design, and then we shake hands and say, yes, you know, we agree that this is how we want to run our business or our school or our government or whatever.
And then we say, all right, well, now we can actually physically build it. So I think a lot of that is what makes us capable of delivering a secure network from day one.
Now, a lot of companies, I would think, have already got some kind of security stack that they've invested in. So it could be an EDR or a SIEM, identity tools.
Sure.
If Meta comes in, does all that get replaced or does it sit alongside that?
Well, I would say that some of it gets replaced. Obviously, the physical network, the management of that network and what have you.
But no, the existing SIEM, the IDP and all of that stuff, we integrate deeply with all of those things. In fact, they're critical to delivering a secure network.
So your existing IDP, your existing SIM, those things are going to stay and we're going to integrate in tightly with those things.
So we can do role-based access control, the concept of least privilege, so if you add a new administrator or a new person in your team, they're not going to have keys to the kingdom day one and what have you.
And obviously your MFA and all of that, that you use today with your IDP is still going to be used.
But no, the existing SIEM, the IDP and all of that stuff, we integrate deeply with all of those things. In fact, they're critical to delivering a secure network.
So your existing IDP, your existing SIM, those things are going to stay and we're going to integrate in tightly with those things.
So we can do role-based access control, the concept of least privilege, so if you add a new administrator or a new person in your team, they're not going to have keys to the kingdom day one and what have you.
And obviously your MFA and all of that, that you use today with your IDP is still going to be used.
So your existing investments, they are preserved. You're not chucking all of that out.
Yeah, that's a good way to put it.
So let's look at a typical customer and the sort of what's happening in the real world. What does their situation look like before you come in? And what's changed afterwards?
Yeah, I think it's what we talked about just a few minutes ago is that the incentives change.
And I think that's one of the biggest differences that I could possibly say about Meter is that it doesn't necessarily matter if our APs are the strongest or the switches are the coolest or fastest or whatever, which of course I would say they are, but I might be biased.
But it does matter that we care very much about the outcome.
So if you're a hardware store and you want to run that hardware store efficiently and take obviously point of sale swipes and you want to have your folks with their inventory scanner guns be able to scan the inventory and fly around forklifts at 35 miles an hour and whatever else we care about that as much as we care about delivering an access point or a switch or what have you.
So what that means is instead of worrying about what switches go in the closet and what firewalls are plugging into the ISPs, or even what ISPs there are, right?
We care very much about your hardware store running and operating as best as it can. And we contractually obligate ourselves to that. So we deliver an SLA.
We're not delivering a SKU, but we're delivering a network. And I think that's the big difference is that for me, I love this stuff and you probably love it as well.
And that's why we talk about it on podcasts and why we talk about it with friends and other network folks.
And I think that's one of the biggest differences that I could possibly say about Meter is that it doesn't necessarily matter if our APs are the strongest or the switches are the coolest or fastest or whatever, which of course I would say they are, but I might be biased.
But it does matter that we care very much about the outcome.
So if you're a hardware store and you want to run that hardware store efficiently and take obviously point of sale swipes and you want to have your folks with their inventory scanner guns be able to scan the inventory and fly around forklifts at 35 miles an hour and whatever else we care about that as much as we care about delivering an access point or a switch or what have you.
So what that means is instead of worrying about what switches go in the closet and what firewalls are plugging into the ISPs, or even what ISPs there are, right?
We care very much about your hardware store running and operating as best as it can. And we contractually obligate ourselves to that. So we deliver an SLA.
We're not delivering a SKU, but we're delivering a network. And I think that's the big difference is that for me, I love this stuff and you probably love it as well.
And that's why we talk about it on podcasts and why we talk about it with friends and other network folks.
Right.
But really the rest of the world sees the internet now as plumbing and it just needs to work. And that's what we're delivering.
And I think that is the big difference for our customers, is that they can rely on a great outcome that also is secure because we put it in the contract.
And I think that is the big difference for our customers, is that they can rely on a great outcome that also is secure because we put it in the contract.
So you said that this isn't the sexiest thing in the world, Ryan, but then you start talking about plumbers. I mean, I think you are painting a picture now. Anyway.
Well, Graham, when people go to visit Rome, they go and what do they see? The Trevi Fountain. They see the aqueduct.
Yes.
That's 2,000-year-old plumbing. So that's true.
That is true. We've been running ads for METER on the podcast for a while now.
And one of the things that's been absolutely fascinating to me is that you guys even get down to the floor plans, right?
You're working at that kind of level with some of your customers.
And one of the things that's been absolutely fascinating to me is that you guys even get down to the floor plans, right?
You're working at that kind of level with some of your customers.
Well, it's not just some of them, it's actually all of them.
And I think I was just talking with someone about this yesterday, that is one of the biggest differences is that, you know, once again, we were talking about earlier, instead of me being a nerd and putting SKUs and bills of material together and a Visio drawing that takes me a month to do and all that, all that goes away.
If we talk to a customer and they say, hey, we, you know, we your idea, you know, what's the price?
Instead of going through all that, we're just, hey, send us a floor plan of your most painful location, you know, something that maybe you need to look at lately.
And I think I was just talking with someone about this yesterday, that is one of the biggest differences is that, you know, once again, we were talking about earlier, instead of me being a nerd and putting SKUs and bills of material together and a Visio drawing that takes me a month to do and all that, all that goes away.
If we talk to a customer and they say, hey, we, you know, we your idea, you know, what's the price?
Instead of going through all that, we're just, hey, send us a floor plan of your most painful location, you know, something that maybe you need to look at lately.
That's it. We just need a floor plan or sometimes even just square footage and the type of building, right?
And then we know based on our experience building networks for a warehouse or for a school or for a high-density office or whatever, we know how much it's going to cost us to build a state-of-the-art, great, secure network.
And so we can just give you a price.
And then we know based on our experience building networks for a warehouse or for a school or for a high-density office or whatever, we know how much it's going to cost us to build a state-of-the-art, great, secure network.
And so we can just give you a price.
And so that reduces so much friction because at some point we can say, hey, here's what it is, you know, you want to do business or not?
So there's no extra SKUs, there's no add-on licenses for advanced features.
None of that.
Is that genuinely sustainable as a business model or does the catch arrive later?
Well, it's funny you ask that because I don't think I can say I've had a bad meeting since I've joined Meter.
But, you know, the only pushback we get is usually this seems too good to be true. Where's the catch?
But, you know, the only pushback we get is usually this seems too good to be true. Where's the catch?
Right.
Or wait a minute, if you do all this, it's probably too expensive. I can't afford it.
And, you know, I would say that's probably true if you own two coffee shops or something, you know, that's not really a great fit, I guess, for Meter at this time.
But, you know, if you own 100 coffee shops, we are absolutely your best option.
And, you know, I would say that's probably true if you own two coffee shops or something, you know, that's not really a great fit, I guess, for Meter at this time.
But, you know, if you own 100 coffee shops, we are absolutely your best option.
Right.
The idea of it being a consistent spend to say you're always going to have the best network and you can just forget about networking and go on and sell your coffee or whatever it is your mission is.
That's really our promise is to say, hey, hire the experts at this. We'll deliver the best and you can go on about your mission.
That's really our promise is to say, hey, hire the experts at this. We'll deliver the best and you can go on about your mission.
So one final question for you, Ryan.
If a listener's out there listening right now and thinks, oh, crumbs, you know, we could do with help with this, what's the right first step that they should take?
If a listener's out there listening right now and thinks, oh, crumbs, you know, we could do with help with this, what's the right first step that they should take?
Well, they could certainly head to our website, meter.com/smashing, and see if they what they see.
And if they do, obviously they can reach out to us, you know, either there or or heck, even email me, .
I'll be happy to align you with the right folks.
And if they do, obviously they can reach out to us, you know, either there or or heck, even email me, .
I'll be happy to align you with the right folks.
Great stuff. Well, it's been great talking to you, Ryan. Thanks so much. There you have it, listeners.
You can find out more, just go to meter.com/smashing. That's M-E-T-E-R.com/smashing. And thanks as always to Meter for supporting the show and for you, Ryan, for coming on it.
Well, thank you, Graham, for having us. It's been an honor.
My pleasure. Well, that just about wraps up the show for this week. Thank you so much, Joe, for joining us. Always a pleasure to have you on.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
Well, Twitter obviously is the greatest website ever, so you should be— no, I'm actually working really hard to do more and more social stuff.
So my Instagram and my TikTok, just my name. In fact, my Instagram is MrJoeTidy, and then I'm also on Blue Sky and LinkedIn as well. But I'm, OnlyFans, of course.
Yeah, you know my OnlyFans, just put I'm going to put a little, what's it called?
So my Instagram and my TikTok, just my name. In fact, my Instagram is MrJoeTidy, and then I'm also on Blue Sky and LinkedIn as well. But I'm, OnlyFans, of course.
Yeah, you know my OnlyFans, just put I'm going to put a little, what's it called?
Aubergine?
Affiliate link.
Oh yeah, okay, well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Reddit or Bluesky or Mastodon as well.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Episode show notes, sponsorship info, guest lists, and the entire back catalog of 464 episodes. Go, I know, I know. Go and check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Episode show notes, sponsorship info, guest lists, and the entire back catalog of 464 episodes. Go, I know, I know. Go and check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
See ya.
You've been listening to Smashing Security with me, Graham Cluley, and I'm ever so grateful to Joe for joining us this week and to this episode's sponsor, Sophos.
Sponsors Elastic, Vanta, and Meta. And also, of course, the following patrons who've been plucked out of the hat. So who have we got this week?
Skur Imtiaz Ahmed, a name of real gravitas, that. I imagine he's read all of the Ts and Cs and actually understood them. The magnificently monikered Urs Schoenhoser.
Lewis, just Lewis, so confident he doesn't need another name. Trustworthy sidekick to Inspector Morse. The solid and trustworthy Robert McCurdy.
Benjamin Harouth, the kind of guy who's never once clicked remind me later on a software update. Who else?
Kennethingham gives the vibes of being the most knowledgeable person in any given room, but too polite to mention it. We appreciate that, Kenneth.
Marvin71, yep, Marvin with a number. The 71 could be a birth year, I suppose, a high score, number of times he's explained to someone why they shouldn't reuse passwords.
We're guessing it's all 3.
And finally for this week, Karen Reynolds, the most organized person on the incident response team and the one who brought homemade biscuits to the debriefing session.
Those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free, earlier than the general public, and can be pulled out of the hat at random to have their names mocked at the end of the show.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details.
You can also support the show in plenty of other ways, and they aren't going to cost you a single penny.
You can like, subscribe, leave a 5-star review, but most important of all, go and tell your friends.
Go on, go and tell them that you listen to Smashing Security and encourage them to do the same. Well, until next time, that's just about it for us.
So I'll say toodloo, cheerio, bye-bye.
Sponsors Elastic, Vanta, and Meta. And also, of course, the following patrons who've been plucked out of the hat. So who have we got this week?
Skur Imtiaz Ahmed, a name of real gravitas, that. I imagine he's read all of the Ts and Cs and actually understood them. The magnificently monikered Urs Schoenhoser.
Lewis, just Lewis, so confident he doesn't need another name. Trustworthy sidekick to Inspector Morse. The solid and trustworthy Robert McCurdy.
Benjamin Harouth, the kind of guy who's never once clicked remind me later on a software update. Who else?
Kennethingham gives the vibes of being the most knowledgeable person in any given room, but too polite to mention it. We appreciate that, Kenneth.
Marvin71, yep, Marvin with a number. The 71 could be a birth year, I suppose, a high score, number of times he's explained to someone why they shouldn't reuse passwords.
We're guessing it's all 3.
And finally for this week, Karen Reynolds, the most organized person on the incident response team and the one who brought homemade biscuits to the debriefing session.
Those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free, earlier than the general public, and can be pulled out of the hat at random to have their names mocked at the end of the show.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details.
You can also support the show in plenty of other ways, and they aren't going to cost you a single penny.
You can like, subscribe, leave a 5-star review, but most important of all, go and tell your friends.
Go on, go and tell them that you listen to Smashing Security and encourage them to do the same. Well, until next time, that's just about it for us.
So I'll say toodloo, cheerio, bye-bye.
Host:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Guest:
Joe Tidy:
@joetidy.bsky.social
/ joe-tidy-1932764
Episode links:
- Grinex exchange blames “Western intelligence” for $13.7M crypto hack – Bleeping Computer.
- Are Former Black Basta Affiliates Automating Executive Targeting? – Reliaquest.
- Apple is working on passcode bug locking out iPhone users – The Register.
- Hackers who stole crime tip records offering data cache for $10k – San.
- P3 Advertised 20+ Years and 0 Security Breaches. You Can Guess What Happened Next – Databreaches.net.
- Portland police urge residents to avoid Crime Stoppers following hack – San.
- GTA-maker Rockstar Games hacked again but downplays impact – BBC News.
- Rockstar hackers release their stolen data, reveal that Rockstar was right to not pay them anything for it – PC Gamer.
- XCancel.
- ”We Are Anonymous” by Parmy Olson – Penguin.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.
- Meter – Network infrastructure for the enterprise. Get a free personalised demo.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
