187: Huawei ban, MGM hack, and a contact-tracing cock-up

Login chaos for England's contact tracing service, our drill-down on Britain's Huawei 5G ban, MGM's blockbuster breach, and how to pronounce "Gigabyte."

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Plus we have a bonus featured interview with Scott Petry, the co-founder of Authentic8, all about how you can browse the internet safely, securely, and anonymously when conducting research, collecting sensitive evidence, and analyzing data.

Visit https://www.smashingsecurity.com/187 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Maria Varmazis and Scott Petry.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hey everybody, Carole Theriault here. We just want to extend a heartfelt thanks to our Patreon supporters. Today we showcase these 10 with our deep thanks: Yurik Taraday, Alexander Burris, Mark Kali, Daniel Tedman, Stuart Mann, David Matthews, Richard Hicks, Giselle Warwick, Neil Wilson, and Michael Crumb. Thank you all. If you want to join the Smashing Security Patreon community, check us out at smashingsecurity.com/patreon. Now let's get this show on the road.


MARIA VARMAZIS. G-I-G-A-B-Y-T-E. How do you pronounce that?


CAROLE THERIAULT. Well, gigawatt, obviously.


GRAHAM CLULEY. Well, no, because she spelled bite, Carole.


CAROLE THERIAULT. So it's not even spelled. It's gigawatt.


MARIA VARMAZIS. Gigabyte and GIF, right? NIST says that the G-I-G-A prefix is pronounced jiga. What?


CAROLE THERIAULT. Jiga, jiga, jiga, jiga, jiga, jiga.


MARIA VARMAZIS. Making the pronunciation of what we normally would say gigawatts in Back to the Future is actually correct as jiga-watts.


UNKNOWN GUEST. What?


UNKNOWN. Smashing Security, episode 187. Huawei ban, MGM hack, and a contact tracing cock-up. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 187. My name's Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week, you already know who it is, it's Maria Varmazis.


MARIA VARMAZIS. It's me. Yay!


CAROLE THERIAULT. Hi. Welcome, Maria.


MARIA VARMAZIS. Back by popular demand via Twitter. Thank you all for summoning me.


CAROLE THERIAULT. God, eh? Your fans went crazy. They're like, Maria! I broke the rules by asking you publicly just to see what would happen and whoa, what a—


GRAHAM CLULEY. name her on—


MARIA VARMAZIS. Yeah, I can't say no. The internet demands it. It's like proposing in public.


GRAHAM CLULEY. Well, what's coming up on the show this week?


CAROLE THERIAULT. Okay, first, thanks to this week's sponsors, Authentic8 and LastPass. Their support helps us give you this show for free. Now, coming up on today's show, Graham is going to share the latest UK COVID tracing snafu. Maria asks, who are we when it comes to Huawei? And I'll be showing how not to handle No, did you really? And I will be showing how not to handle a ginormous data breach. Plus, we have an amazing feature interview with the CEO of Authentic8, Scott Petry, where you can learn more about how they can provide resilient privacy to online work. It's super cool. So stay tuned after Pick of the Week. And there's loads more coming up on this episode of Smashing Security.


MARIA VARMAZIS. Who are we watching? Can we really?


CAROLE THERIAULT. Oh my God. It was gorgeous.


UNKNOWN GUEST. Come on.


GRAHAM CLULEY. Now, chums, chums, it may have escaped your notice. There's a global pandemic going on. Did you spot it?


CAROLE THERIAULT. No.


GRAHAM CLULEY. Someone could have told me. Someone could have mentioned. Turns out, despite what some countries' leaders would have you believe, it's actually quite serious.


MARIA VARMAZIS. Mm.


GRAHAM CLULEY. And maybe something should be done about it. So I don't know what—


MARIA VARMAZIS. Would be nice.


GRAHAM CLULEY. Yeah, if someone could sort it out, that'd be smashing. Now, Great Britain, as we know, we lead the world, right?


MARIA VARMAZIS. Hashtag fact.


CAROLE THERIAULT. I don't think anyone would agree with that at all.


GRAHAM CLULEY. Well, you say that, Carole, but I think the evidence is all there. We're the only country which declares its own fabulousness in its actual name. We're great. We're Great Britain. France isn't Fantastic France. There's no Rather Super Russia, no Bloody Brilliant Belgium.


CAROLE THERIAULT. I don't think that's true at all. Have you done your research on that? I don't think you have.


UNKNOWN GUEST. What?


MARIA VARMAZIS. What about O Canada? It's very O.


CAROLE THERIAULT. Hold on, Grim. Hold on. What?


GRAHAM CLULEY. Are you reaching for the globe?


MARIA VARMAZIS. She's getting it.


CAROLE THERIAULT. I'm reaching for The Economist Pocket World in Figures. Okay, okay.


GRAHAM CLULEY. Challenge me if you wish.


MARIA VARMAZIS. The United States. We're very united.


GRAHAM CLULEY. Yes.


MARIA VARMAZIS. Cannot be divided. Definitely no culture war going on at all. United States.


CAROLE THERIAULT. So you're—


UNKNOWN GUEST. exactly.


CAROLE THERIAULT. Okay, maybe you're right. Maybe you're right. I will look it up and I'll say after the show.


MARIA VARMAZIS. The Democratic Republic of Canada. Toronto, right? I don't even need a map for that one.


GRAHAM CLULEY. Well, here in the United Kingdom, the powers that be decided to put in place a contact tracing program. Not an app. I mean, they tried to do an app, but it's had a few teething problems on the Isle of Wight, and they've admitted it's not actually very good. Maybe they'll get back to it later in the year. Who knows? Who knows? No, I actually mean that they've got people who are contacting people who've contracted COVID-19, working out where they've been, who they might have infected, trying to trace the infection. That's obviously a good thing to do.


MARIA VARMAZIS. Yes.


CAROLE THERIAULT. Kind of like this countrywide— people are actually calling people saying, "Hey, you apparently have been infected. Can you tell me where you've been so I can contact some of those people and let them know that it's serious?" What we've been doing in the Commonwealth of Massachusetts, as a matter of fact.


GRAHAM CLULEY. Yes, I think many countries have been doing something similar. And there were some concerns at first. Well, couldn't scammers phone up people, 'Send the text messages,' and the government reassured us that, 'You don't have to worry about that, because the genuine contact tracers—' Was there a cough there?


CAROLE THERIAULT. Because he got it, right?


GRAHAM CLULEY. So, 'You don't have to worry about that—' 'You don't have to worry about that, because the genuine contact tracers,' they said, 'will sound very professional.' Right. They said. And so you don't have to worry about scammers. Now, who should be put in charge of this monumental challenge? What great brain should organise this thing with the— Well, who they've ended up choosing is Dido Harding. And Dido Harding is the ex-chief executive officer of TalkTalk, who were massively hacked by teenagers. Yeah, good communicator though. Well, yes, she appeared on TV a lot talking about— What was it she was talking about? It was sequential attacks and ransomware.


MARIA VARMAZIS. It's like Rudy Giuliani, sort of cybersecurity expert. Yes. Yes. Oh. Wonderful.


GRAHAM CLULEY. But Dido has lots of experience. She used to be a horse jockey. She's a prominent member of the Jockey Club. Okay.


CAROLE THERIAULT. There's nothing wrong with that. Yeah. No, there's not.


GRAHAM CLULEY. No, let me explain.


MARIA VARMAZIS. Don't be a dick. No, he's a dick.


GRAHAM CLULEY. No, there's nothing wrong with being a jockey. And she's very important inside the Jockey Club. It was her organisation which gave the go-ahead to the Cheltenham Horse Racing Festival, where oodles of people, over 250,000 people went, while most of the country was preparing for lockdown. Oh. And then there was a flare-up of COVID-19 in Cheltenham.


CAROLE THERIAULT. She's had lots of experience. Can I just make sure I understand? So she was put in charge of this? Yes. The government's contact and trace program? Yes. She then broke the rules for her own course?


GRAHAM CLULEY. Oh, no, no. This was basically her interview, her audition for the job. So before she got the job, a few weeks before, she had organised this thing where there was a flare-up of— So she's perfect. I mean, to be honest, If you're going to trace lots of people who might have the infection, go down the list of people who went to the horse race, which she organised. So she has access to the data. It makes a lot of sense to me. Anyway, it is what it is. And in May, the UK government, Boris Johnson, stood up there and he said, we've got 25,000 contact tracers ready to go. He said, this is a world-beating test and tracing system. We're going to train them up, and they're going to be starting to phone everybody up. So you may ask, now it's a couple of months later, how's it all going?


MARIA VARMAZIS. Are they off to the races?


CAROLE THERIAULT. Sorry. It's going to be interesting, Graham, because we covered this a few weeks ago. It'd be interesting to see what's happened since, because it was imminently about to be, you know—


GRAHAM CLULEY. Well, it's all in place now, and it was all going very smoothly until this morning as we record this. We're recording this on Tuesday the 14th of July. Bastille Day. Fabulous French again. So, yeah, it was going well until then, because this morning at 8 o'clock, the contact tracers tried to log into their online system from their homes. As they do every day. As they do every day. But this day they were greeted with a message which said, "Your password has expired." You can't log in.


MARIA VARMAZIS. Wah-wah. Is this like an old-school security thing?


CAROLE THERIAULT. Because we used to do that in the old days, where we'd kind of force a password reset every, I don't know, twice a year, whatever, some amount of time.


GRAHAM CLULEY. In this case, it was exactly two months since the tracers had all been registered on the service. Two months had gone by. And so, they all had their passwords expired. So everyone got the same email.


CAROLE THERIAULT. It was an email they got. Oh no, they tried to log in. They tried to log in.


GRAHAM CLULEY. Oh my god. You tried to log in, and you were told, "Contact your administrator." Now, there have been stories in the past— One guy named Joe. About— Stop it, Joe. Well—


MARIA VARMAZIS. Joe's on holiday going, "What the fuck?" Anyway.


GRAHAM CLULEY. If you found it difficult to contact an administrator, maybe they've turned their mobile phone off. You might try and go to the website, which lets you reset the password.


CAROLE THERIAULT. So these are the workers, right? These are the 25,000 people that have been hired by the government to help combat this pandemic.


MARIA VARMAZIS. This is the CTO being like, "Ticket resolved. There's a password reset protocol."


GRAHAM CLULEY. Why aren't they using it, dumb users? So, if you went to the webpage run by Sitel, which lets you reset your password, you were greeted with a message from your browser saying, "Can't open that page." Because the server is not responding. Now, do you have any guesses? It's too much traffic.


MARIA VARMAZIS. DDoSed! They gave it a gentle hug to death.


CAROLE THERIAULT. Yeah, but it's almost like not DDoSed. It's DDoSed, but it's almost by request. Yeah, it's sort of—


MARIA VARMAZIS. It's like a requested DDoS. It's getting Reddited.


CAROLE THERIAULT. Maybe they were testing the resiliency of the system. That's what's going on.


GRAHAM CLULEY. I mean, just like COVID-19 does a denial of service on your own body, and you can't— you aren't effective, you know, you can't work and you can't stand up and you feel terrible. Similarly, this has happened to you as well, and you can't get through to the site because this is horrendous. Ah, okay. So I would like to remind everybody, I'm sure our listeners are very wise, but enforcing regular password changes just for the sake of it, like every two months, not necessarily a good idea.


CAROLE THERIAULT. No, it's also extremely old school, and there are much cooler ways to manage these things these days?


GRAHAM CLULEY. Well, I think you should only really change your password if you've got a reason to change your password. So only reset people's passwords if you've had a breach or something, or if you realize— Or it's weak. Yes, or if you realize you're reusing the same password. Let's hope those 25,000 people, by the way, when they were registered, weren't all given the same password. Let's hope that wasn't the case, but who knows.


MARIA VARMAZIS. They changed the password policy to expire every 90 days now. So that'll help.


GRAHAM CLULEY. But also the problem is that when you get told, if you're in a regular job, if you remember regular jobs, any of us, where if your company did enforce a password change on you, you would often take your existing password and you'd add a number 1 on the end. Exactly. Or number 2 or April. How do you know my password, Graham?


MARIA VARMAZIS. Who told you my algorithm?


CAROLE THERIAULT. I don't know if you're being 100% fair. I mean, I think in this instance, fine, but I think a lot of companies out there still— and we used to recommend it, I used to work at a security firm where we recommend it. In fact, internally, every 90 days the password was a forced change.


GRAHAM CLULEY. Yes, this is 10 years ago, but that might have been our IT department recommending it. I'm not sure that the security experts at that particular company thought that was a good idea.


CAROLE THERIAULT. All I'm saying is there's a lot of companies who are doing this where the IT experts who are responsible for security are mandating this, and I think there are some costs to this. And this is a very good example as one of them. If everyone's password has to be changed on the same day, your site goes down.


GRAHAM CLULEY. I think one reason why some companies have implemented in the past a sort of regular resetting of passwords is because people leave a company and they think, crikey, we don't want that password still living. Now, that does deal with that problem, but a better way to deal with that problem would be when someone leaves the company, reset any passwords which they had access to instead.


MARIA VARMAZIS. Rather than that would require an actual offboarding process that's somewhat organized. And that's asking a lot of them.


CAROLE THERIAULT. You can tell that Graham never worked in IT.


MARIA VARMAZIS. I don't even know if that's necessarily an IT problem, if that's just like people left, you know, especially for something maybe as ephemeral as a contact tracing program. These are usually duct tape and bits of string, right? So, yeah, having a robust organization around that might be asking a lot.


GRAHAM CLULEY. But, you know, well, that's why you bring in people like Dido Harding, right, to head it up, who—


MARIA VARMAZIS. give everyone COVID-19 so you can test how robust your program is. No. Okay. No. So if we were talking about the company that we all used to work at when we used to do the hard password resets, I— there was another algorithm that was very common in the area where I worked, where someone I know, when she first started, her password was the top row of her keyboard, and the next reset it was the second row, and the third reset it was the third row. And then by the time you got to, what, month 6 or 5, she could just go right back to the top again. So, brrr, across the top. Oh, wow. Yeah, that was her security. Yep. Just keep going through. Yep. Yeah.


GRAHAM CLULEY. Great security. Maria, what have you got for us this week?


MARIA VARMAZIS. Today's story broke this morning, and it's actually a UK story, but in typical American fashion, I'm gonna make it about the United States first. And then we'll get our hands on it.


GRAHAM CLULEY. USA! USA, exactly.


CAROLE THERIAULT. Oh yeah, that has a different tinge to it now, doesn't it? Yeah.


MARIA VARMAZIS. America first? So in the middle of our quarantine haze, there was a story that I know I missed and you might have missed. It sounded like a typical back and forth in the long battle between US and China and another little petty political point being scored. By, uh, the United States against Huawei, which is the Chinese tech giant, right? Yes. So you're probably very well aware that Huawei has been on the U.S., quote, entity list since May 2019, which means that in the United States you need to have government permission to sell Huawei's tech. So, um, this has trickled down to things like getting, uh, Google had to revoke Huawei's Android license. I, I think you guys have covered it a lot in previous episodes. What does what's been going on. So basically bit by bit, the United States has been chipping away at Huawei's attempts to sort of infiltrate the United States market and the West in general, and trying to use different laws to force this telecom giant to stop working with the West and the United States under the guise of national and international security.


GRAHAM CLULEY. So what's the fear been? What's America been so worried about?


MARIA VARMAZIS. America's fear is that Huawei is sort of a proxy for the Chinese government and is basically allowing the Chinese government to spy on, say, United States interests. So the fear is that if, uh, the private sector in the United States, or heaven forbid the government, had any kind of Huawei kit, the Chinese government could spy and steal stuff. So the new development in May of 2020, during this whole pandemic, which I think we're all aware of by now, is that the United States Commerce Department enacted a new regulation that made it super, super tough for Huawei to make their own semiconductor chips, which are, you know, the hardware brains that run smartphones and other important things. The regulation said that as long as even the equipment used to make a semiconductor, for example, originates in the United States, the end product cannot be sold to Huawei. So I don't know if you know this. Yeah, yeah.


CAROLE THERIAULT. So how do you manage that with supply chains?


MARIA VARMAZIS. Well, I don't know if you know this, but the vast majority of semiconductor fabrication machines are actually made in the United States. So even if you're like a Korean or Taiwanese semiconductor manufacturer, Right. If you're using United States machines, you cannot sell chips to Huawei. So even if you're in Korea selling to China, if your equipment's American, the United States government says your product is now under United States Commerce controls and you cannot sell. Wow. TIL. Today I learned. Yep. So that happened in May. I, I know I was not paying attention, and this was like, huh, we had other fish to fry. This one totally slipped by me, and now we're seeing the repercussions of that. So that move that the United States Commerce Department made effectively stopped the vast majority of chipmakers all over the world from doing business with Huawei. So, uh, if you're a reputable chipmaker, and again, a lot of them are in Asia, no matter where you are, you can't do business with this huge tech giant. So Huawei now has a super hard time making these brains of their products, these chips, and they have to find new sources to get them made, but they can't go to any of like the reputable known folks in the supply chain all over the world. So security analysts watching this on the sidelines were going, Huawei's probably going to have to either try to home source this, which is not going to be great, or try to find dodgier suppliers who really can't guarantee the security integrity of what they're making.


CAROLE THERIAULT. Or presumably get semiconductors made by any other country other than the US. Well, semiconductor fabrication machines.


MARIA VARMAZIS. Yeah, made by some other country. And I— and that's not an easy— my dad was a semiconductor engineer.


CAROLE THERIAULT. This is like— I was thinking you were swotted up on this. Okay, that's good.


MARIA VARMAZIS. This is my dad's thing. It was like, I remember I grew up hearing about this kind of stuff all the time.


GRAHAM CLULEY. Is it big in Greece?


MARIA VARMAZIS. Are they making lots of semiconductors? My dad was in the United States. Yeah, stop being so racist. No, my dad, he came to the United States in the '80s. My dad was working for the United States. So, yeah, shame on you, Graham. Yeah, shame.


GRAHAM CLULEY. I thought this was a sideline from the hot sauce, the Varmazis' hot sauce. Maybe you're doing also Varmazis' semiconductor manufacturing facilities.


MARIA VARMAZIS. My dad worked at a semiconductor fab in Massachusetts. That was my dad's line of work.


GRAHAM CLULEY. How unglamorous. I thought it was really cool.


MARIA VARMAZIS. Excuse you!


GRAHAM CLULEY. Can I say, by the way, today I learned that TIL means 'Today I Learned.' I always thought it was 'True In Life.' But from what you said, Carole, this has just blown my mind. So I'm basking in that at the moment.


MARIA VARMAZIS. Did you know that LOL does not mean 'Lots of Love'? Just checking on that one too. Okay. I think you're supposed to roll. Okay, so— Just think of how many people— LOL. Lots of love. Okay, sorry. Anyway, so back to the extremely interesting semiconductor story. Yes, yes. So I just gotta say, this is sort of some interesting chess by the US Commerce Department. Look at this interesting move. It does force the hand of pretty much everybody working with Huawei, no matter where you are. So bringing me back to the whole reason I'm bringing this story up, as of today there are repercussions now for the United Kingdom. So breaking news via the BBC this morning, there you go, UK's mobile providers are now being banned from buying new Huawei 5G equipment after 31st of December this year, and they must also remove all of Huawei's 5G kit from their networks by 2027. So that's a freaking long time. Well, a lot of the telecoms that they've been sort of working this out with said that if you try to do it sooner, that like, yeah, things will break, things will just break. They can't do it much faster than this. So yeah, yeah, it's, it is a long time.


CAROLE THERIAULT. They plan to cash out by then, so it's not going to be their problem.


MARIA VARMAZIS. But like, they can't do it that fast. So note that this ban is not retroactive against any existing Huawei kit from previous Gs. So like 2, 3, or 4G equipment can stay. Yeah, uh, the UK government says that that stuff does not pose the same security risk because presumably it was made with the more trustworthy chips. So the current thinking in pundit land is that the US's Commerce Department move in May against Huawei forced the UK's hand on this whole issue. Oh yeah, because yeah, in response to the US sanction in May, Huawei tried to reassure the UK that they had this massive stockpile of trustworthy chips that they already had. We got a deal for you guys. Yeah, we got a deal. They can pull from that stockpile to assure a safe 5G rollout across the UK. But, uh, security analysts in the UK said that does not hold much water. So here we are. So this move is expected to delay the 5G rollout in the UK by about a year and cost £2 billion. And, you know, like, seriously, I wonder if—


CAROLE THERIAULT. what the 5G conspiracy theorists are thinking about this.


MARIA VARMAZIS. Oh, I'm sure they're loving it. They're like, no microchips in my neck! And no, the forums must be full of, you see, we told you, right?


GRAHAM CLULEY. Yeah, yeah. So your glorious leader, he's going to be quite happy about the UK making this decision, I think, isn't he?


MARIA VARMAZIS. I'm sure we'll hear a gloat if it hasn't already been published or he hasn't tweeted it already, I'm sure.


GRAHAM CLULEY. I wonder whether part of the incentive for the UK as well might have been to get a little bit closer to him and to America because we've got this impending deadline of Brexit coming up and we're very keen to get some of that American chlorinated chicken. The chlorinated chicken.


MARIA VARMAZIS. I'm sure this is not going to go down without a fight, and there's going to be some kind of retaliation from either Huawei or China. I mean, what is there? This just seems like another escalation in this whole Cold War, if you want to call it that, because this is a serious amount of cash which China now isn't going to get, right? As I said, if I was them, I would be pissed off. This is, this is really something, and I'd be pissed off at both the UK and the US right now. So there's no way this isn't gonna— there aren't going to be consequences to this. So, um, I, I guess watch this space.


GRAHAM CLULEY. But important message for listeners out there is if you've got a Huawei phone, it's not going to stop working or anything. You're not going to have to send it in or replace any chips inside or anything like that.


MARIA VARMAZIS. Consumer device, nothing like that. No, it should be okay. It's just if you are in a country where you're able to buy Huawei devices, uh, not the United States, their devices will probably get a lot harder to get your hands on and they may become unavailable. And they're, they're a lower cost alternative for smartphones, I believe. So this will have, at least on the consumer market, some consequences as well. But thinking bigger picture in terms of US, China, UK, that whole triangulation, there's, there's something's going to happen from this. I don't know what yet. Yeah.


CAROLE THERIAULT. And we're all a little bit brighter now on semiconductors.


GRAHAM CLULEY. Very illuminating, Maria.


MARIA VARMAZIS. You learned about it here on Smashing Security.


GRAHAM CLULEY. Yeah. Very good. We can, yeah.


CAROLE THERIAULT. Love Maria. Love Maria. She's fantastic, isn't she?


GRAHAM CLULEY. She's the best. Fantastic. Well, from the radiant memory banks.


MARIA VARMAZIS. Why am I talking like that?


GRAHAM CLULEY. Carole, what have you got for us?


CAROLE THERIAULT. Okay, well, you guys get to both sit back, and I'm gonna tell you a quick tale before we get into the nitty-gritty of the story, okay? So we start way back in the beginning of the aftertimes. So February, right? And this is when news of MGM Resorts suffering a data leak started making waves, not just because they left their data unsecured, but we were hearing that more than 10 million user accounts stolen from MGM Resorts were being basically auctioned on a hacking forum or published on a hacking forum.


GRAHAM CLULEY. And MGM Resorts, this is a hotel company. They have a huge hotel in Vegas and other things.


CAROLE THERIAULT. Well, you know what? They were the hotel where the shooting happened. That was an MGM resort hotel.


GRAHAM CLULEY. Oh dear.


CAROLE THERIAULT. So ZDNet, a tech publisher, did some digging into this story. And according to its analysis published in late February, the MGM data dump that was shared contained the personal details of 10 million former hotel guests, right? We're not talking just like regular guests like you or me or even the illustrious Maria. We're talking like celebs like Justin Bieber and CEOs like Jack Dorsey and reporters and government officials and even employees at some of the world's largest tech companies.


GRAHAM CLULEY. So it's like their personal information, their contact details and things like that were included in this data which the hacker got hold of?


CAROLE THERIAULT. No, don't worry. It's not even that much, right? It's just your full name, your address, your phone number, email, date of birth, that sort of stuff. Peanuts. All right. Peanuts. Right, right. Anyway, so ZDNet had all these contact details and they thought, well, why don't we call some of these people up, right? And say, hey, we're ZDNet verifying a huge dataset. Can you confirm this information is yours? So they ended up chatting to loads of victims and the victims were like, oh shit, yeah, that is my full name, my contact deets, yada, yada, yada. And these folks also confirmed that they had stayed at the MGM Resort Hotel. So ZDNet were like, we're onto something here. Okay, okay, so we're still in February now, right? Right. So ZDNet now contact MGM Resorts going, hey guys, we found this like data dump and we've kind of confirmed a few deets, and could it be you're like the digital version of Typhoid Mary here, right? Because basically they hadn't yet admitted publicly that something had gone on. Oh, I see, right. And ZDNet get this response like within an hour from MGM Resorts security people, right? And it says, quote, This is back in February. So quote, last summer we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial payment card or password data was involved in this matter. Did you— did I say sorry? Did you hear the sorry there?


GRAHAM CLULEY. No, there wasn't actually an apology.


CAROLE THERIAULT. You didn't see— okay, I didn't see one either.


GRAHAM CLULEY. So they haven't, they haven't said that we've informed the customers or—


CAROLE THERIAULT. actually, the hotel chain said they promptly notified all impacted hotel guests. Yes, in accordance with applicable state laws. All right. Now, I don't know what that means for the rest of the people that were in that data dump. You know, I'm sure they're not all US citizens. There might have been Canadians, for instance, or maybe Europeans or Africans or Asians or anyone from all over. And how does that apply?


GRAHAM CLULEY. Yes, because here in the Royal Duchy of Oxfordshire, we have very specific data notification rules, which they should have applied.


MARIA VARMAZIS. Wait, are we talking about Nevada's data protection laws? Like Nevada.


CAROLE THERIAULT. Now, okay, okay, so MGM Resorts also told ZDNet they effectively— don't worry too much, this data was old, right? And ZDNet was able to confirm this. So when they contacted people, none of them had stayed at a hotel past 2017, and some of the phone numbers they had called were disconnected. But of course many were still valid because how many people change house or change phone numbers, or I don't know, change their date of birth, right?


GRAHAM CLULEY. Right. Yes. Yes, exactly. How can you say the data's old?


CAROLE THERIAULT. But they said it was an old dump, an old data dump.


MARIA VARMAZIS. Story of my life.


CAROLE THERIAULT. The article ends with this statement, right? The size and the severity of this MGM Resorts security incident pale in comparison to the massive data breach that impacted Marriott Hotels in 2017, when hundreds of millions of users were stolen by Chinese state-sponsored hackers. Hackers. Sorry, who said that? This was at the end of the ZDNet article.


GRAHAM CLULEY. All right, so they reassured people, yeah, there's been a breach.


CAROLE THERIAULT. They're saying, look, 10 million, 10 million, 10 million, it's not—


GRAHAM CLULEY. yeah, big deal. Yeah, right, it's not 100 million.


CAROLE THERIAULT. Yeah, yeah, exactly, exactly. Yeah, yeah. And you know, Bieber schmieber, who cares, right? Yeah, exactly, exactly. So, well, lo and behold, it seems that either MGM Resorts either played down the extensivity— extensiveness size of this hack, or despite having claimed they had two independent forensic teams analyze the situation way back in February. And so maybe they failed to notice that perhaps the problem was way bigger than was reported back in February.


GRAHAM CLULEY. When you say it was way bigger, what do you mean by way bigger?


CAROLE THERIAULT. Well, remember we were talking about 10 million guests? Yeah. Turns out it was 142 million guests. Oh, okay.


GRAHAM CLULEY. Oh, and your argument is that 142 million is bigger in some way than 10 million? Is that what you are arguing?


CAROLE THERIAULT. It's 132 million bigger, it seems.


GRAHAM CLULEY. My goodness, so quite a large number.


CAROLE THERIAULT. Mm-hmm. So the plot thickens because the hacker claims to have obtained this hotel data after they breached this company called DataViper. This is like a data leak monitoring service operated by Night Lion Security. Yes. So ZDNet contact the founder of Night Lion Security, and Vinny Troia, in a phone call with ZDNet, said his company never owned a copy of the full MGM database, and the hackers are merely trying to ruin his company's reputation. Who knows? Anywho, what does ZDNet do next? They contact MGM Resorts for a quote saying, "Hey dudes, looks like maybe we missed a zero or something here because..." And they provided a quote which says, quote, MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation.


GRAHAM CLULEY. They used the word scope, did they? They used the word scope. Is it possible they were looking down the wrong end of the scope and so it appeared smaller rather than proper size?


CAROLE THERIAULT. The MGM Resorts spokesperson also pointed out that the vast majority of data consisted of contact information like names, postal addresses, and email addresses. You know, not the important stuff like financial information, just your private personal information. Um, so they still have not apologized. Didn't— there was a quote you read on— you saw something on Twitter just before we started recording, Graham. Do you remember what it said?


GRAHAM CLULEY. Yeah, the guy from the BBC said MGM are still not confirming actually the size of the breach. Um, I think they have—


CAROLE THERIAULT. Where's GDPR? That's what I'm saying.


GRAHAM CLULEY. Come on, GDPR. Yeah, there've been some Europeans there.


CAROLE THERIAULT. Yeah, and I think bug off, because ultimately what we're seeing here is how not to handle a data breach, like in the worst state. So the only way you can fight back is basically do not stay at MGM Resorts. That's what I would say. Shame on you, MGM Resorts.


MARIA VARMAZIS. Done. Yeah, I, I'm, I'm not surprised when a small company fucks up their response, but a company as huge as MGM, uh, they don't have an excuse. So I, yeah, just shaking my head at them because it's, uh, they should know better. This is not an acceptable response. It's— this story is a mess. Not your fault. Like, the, the facts of the story are an absolute mess.


CAROLE THERIAULT. Yeah. And basically MGM are the cause of the mess because they didn't come clean when they should have.


GRAHAM CLULEY. Are MGM the one with the lion? Are they? Have I Silo for Research Toolbox from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep, and dark web. To learn how Silo for Research enables teams to timely and efficiently investigate while ensuring maximum security and oversight to ensure compliance, including GDPR, go to smashingsecurity.com/authentic8. That's smashingsecurity.com/authentic8, and that is spelled authentic with a number 8 on the end. Use a password manager.


CAROLE THERIAULT. Just do it. These aren't my words. These are the words of Brian X. Chen, the lead consumer technology writer at the New York Times. It's time that everybody uses a password manager, both at home and at work. Now get this, LastPass from LogMeIn offer businesses a secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts. And guess what, you home users out there? You can get LastPass free. For more info, go to smashingsecurity.com/lastpass. That's smashingsecurity.com/lastpass.


GRAHAM CLULEY. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.


MARIA VARMAZIS. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. And my Pick of the Week this week is not security-related. Good. It is a website, a rather cute website. And what it does is it says, let's face it, we're all stuck indoors. It's going to be a while till we travel again. Wouldn't you like to look out through someone else's window somewhere else in the world? And on the website window-swap.com, and there's a dash between window and swap, you can see movies through other people's windows all around the world.


CAROLE THERIAULT. Oh, I love this one with these cute little doggies.


GRAHAM CLULEY. And you can cycle through them. So if you don't like one, just press it again. And you'll go somewhere else in the world. Oh, bunch of cars. Boring. And some of them are really rather relaxing. Oh, this is nice.


CAROLE THERIAULT. Have you ever landed on anyone having the, having, you know, doing the naughty?


GRAHAM CLULEY. Right, Carole, stop. Right. No, no, no, no. No.


CAROLE THERIAULT. I'm not saying it's not what it's for, but you'd forget.


MARIA VARMAZIS. You'd forget that you would be filming. It's always gotta be filth with you, doesn't it, Carole?


GRAHAM CLULEY. Carole, I knew you'd try and make this grubby. These are not live streams through people's windows. What they are is you get to submit to the makers of the site who are Sonali Ranjit and Vaishnav Balasubramanian. You can submit a 10-minute video file, which obviously they vet and watch, and then they put it up on the site if they like it. So it's not a live stream. It's just 10 minutes. But some of them are really charming and relaxing. I agree.


CAROLE THERIAULT. I might submit mine, actually. I might do the same.


GRAHAM CLULEY. Why not? It's very, very cute. And it is window-swap.com.


CAROLE THERIAULT. Okay, can I just ask a question? What if you submit a 10-minute video and it's perfect, and it's perfect, and a 9-minute 13? You run past naked. Really fast. Once again, can we go back to this?


GRAHAM CLULEY. It's always you being grubby, isn't it? It's always you who has to ruin things for everybody else. Else.


MARIA VARMAZIS. I think you're hinting that this is what you're going to do. I might. You might want to find my video.


GRAHAM CLULEY. 9 minutes 13, eh?


MARIA VARMAZIS. Okay, good to know.


GRAHAM CLULEY. Good to know.


MARIA VARMAZIS. Maria, what's your pick of the week? My pick of the week is going to piss some people off, and that's why I like it.


CAROLE THERIAULT. I saw you tweet about this.


MARIA VARMAZIS. I— yeah, if you follow me on Twitter and like actually pay attention to what I tweet, you've seen this story. Okay. So basically I want to know, I'm going to ask the two of you first. How do you pronounce the file format that ends with.gif? How do you pronounce that? GIF?


GRAHAM CLULEY. A GIF. Because I'm not a pervert. And it's not a jiff? No, it's never ever.


CAROLE THERIAULT. No, I've never said jiff. I never said jiff. Okay. Always GIF. How do you pronounce a G-I-G-B-Y-T-E?


MARIA VARMAZIS. G-I-G-A-B-Y-T-E. Did I, did I misspell that? I forgot the A. Sorry. You know, a thing I just made up. I can spell. G-I-G-A-B-Y-T-E.


CAROLE THERIAULT. How do you pronounce that? Well, gigawatt, obviously.


GRAHAM CLULEY. Well, no, because she spelled byte. Uh, so it's not—


MARIA VARMAZIS. can't even spell, can he?


GRAHAM CLULEY. It's gigabyte. Gigabyte.


MARIA VARMAZIS. Gigabyte. And GIF, right? So, um, NIST, which is the National Institute of Science and Technology, United States, one of our big sciency places. I almost had an internship there. I should—


CAROLE THERIAULT. yes, they're actually— they're very cool because they provide a framework for cybersecurity. So if you're a company and you kind of want free resource on how to like build a security policy in your company, NIST has a ton of up-to-date resources. So just— sorry, just doing a little ad for them, but it is good stuff.


MARIA VARMAZIS. Yes, they're— they, they are a repository of extremely intelligent people. I highly respect them. Okay, so NIST says that the G-I-G-A prefix is pronounced correctly, jiga.


CAROLE THERIAULT. What? Jiga, jiga, jiga, jiga, jiga, jiga.


MARIA VARMAZIS. Making the pronunciation of what we normally would say gigawatts in Back to the Future is actually correct as jiga-watts.


CAROLE THERIAULT. Jiga-watts.


UNKNOWN GUEST. Hang on.


GRAHAM CLULEY. So in Back to the Future, they say jiga-watts.


MARIA VARMAZIS. They say jiga-watts, and people have been giving them shit since the '80s that Back to the Future was like, oh, they said jiga-watts. Apparently that's correct. And we should also be saying gigabyte.


CAROLE THERIAULT. Look, gigawatts is way more fun to say.


MARIA VARMAZIS. Gigawatt? Gigabyte.


CAROLE THERIAULT. Gigabyte? Gigawatt?


GRAHAM CLULEY. I wish Doc Brown wasn't French or something. He was just saying gigabyte.


CAROLE THERIAULT. Gigabyte. Yes, it's beautiful.


MARIA VARMAZIS. Say giga. Giga giga. Say giga giga.


CAROLE THERIAULT. See, it's fun. I think we need to get on board with the NIST.


GRAHAM CLULEY. No, I'm not. No, no, I'm not happy about this. Oh, surprise, surprise. The thing that we've all learned under lockdown is that scientists can't be trusted. There's Dr. Fauci going around telling people to wear masks, and we've been reliably told that maybe we shouldn't do that. And maybe similarly, we shouldn't trust these people trying to tell us that gigabyte isn't pronounced gigabyte.


MARIA VARMAZIS. It's jiggabyte, and I will die on this hill. No, I won't. But I— Jigga-jigga? Jiggabyte. Jigga-jigga. It's actually gigabite, if you want to go by the original Greek. Gigabite!


GRAHAM CLULEY. Oh, well, if you're Okay, the Greek has corrected us. No, no, no, no, that's not Greek.


MARIA VARMAZIS. I'm just joking. Oh my God, actual Greeks will be so mad at me. Funny.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Mine's not funny. Oh, mine's not funny.


GRAHAM CLULEY. Mine's not funny. Well, that just about wraps it up.


MARIA VARMAZIS. No, but it's kind of maybe important, maybe interesting, maybe.


CAROLE THERIAULT. Okay, maybe. Okay, so, so during the pandemic I have been giving some thought to the single folk out there, right? Because during a pandemic, if you're on the lookout for a partner, that's gonna suck. Yes. And I was thinking, oh, you know, I wonder what's going on. And then I was like scrolling through my pods and I found this pod that I subscribed to, I don't know, a few years ago, a year ago, and I'd never listened to it. And it's called No. I think I probably read about it somewhere, subscribed to it, and there it was sitting in my feed.


GRAHAM CLULEY. No, with a canoe?


CAROLE THERIAULT. No, no, as an N-O.


GRAHAM CLULEY. No. Oh, N-O, right. Pronounced, pronounced no. Yes.


CAROLE THERIAULT. It's put out by a podcast network called The Heart Radio, and they put out a few episodes, and one of them was this 4-part series called No. And this is where— this is not for kids, this is not for kids— but this is where the host Kaitlin Prest explores her kind of sexual Sorry, my mom's calling me.


MARIA VARMAZIS. What? In the middle of this?


CAROLE THERIAULT. Just— I know, like, Mom, your timing. She's like, Carole, do not say the words you're gonna say.


MARIA VARMAZIS. Don't stop. Wow, are you being dirty on the radio? Karen.


GRAHAM CLULEY. Karen's on the— Karen's calling in.


CAROLE THERIAULT. Oh my goodness. Um, so where the host Kaitlin Prest explores her kind of sexual boundaries and how she may be managed or mismanaged some of the situations as she kind of, I don't know, slalom through boyfriends, friends with benefits, all the stuff. But even cooler than that, so A, I recommend listening to it. I'm not saying you're gonna agree with it all. I'm not saying you will or won't. It's just worth listening to. It's gonna stretch your mind a bit. But even cooler is that a show that I have listened to for more than a decade, Radiolab, did this retrospective on this Kaitlin No series that she did. And so they kind of sum up her 4 episodes into 1 tiny episode, and then they kind of explore it from different points of view, what she kind of covered in her show. It's fascinating. Check it out, or don't. All right. Or don't, you know.


GRAHAM CLULEY. So are you recommending the podcast now or the Radiolab episode? I recommend both. Okay. All right. And we'll put links in the show notes if anyone wants to check it out.


CAROLE THERIAULT. Under this episode, 187.


GRAHAM CLULEY. Marvelous. Well, that just about wraps it up this week. Maria, I'm sure lots of our listeners would love to follow you online and tell you that you're wrong about how to pronounce gigabyte. Gigabyte.


MARIA VARMAZIS. Giga giga.


GRAHAM CLULEY. Remind us what your Twitter handle is. I'm on gigabyte.


MARIA VARMAZIS. No, I'm on Twitter at @mvarmazis.


CAROLE THERIAULT. Please spell it correctly.


GRAHAM CLULEY. Fantastic. Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter allows to have a G, and you can join the Smashing Security subreddit as well. And don't forget, if you want to be sure never to miss another episode, please subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts.


CAROLE THERIAULT. And thank you for listening to us, for supporting, for sharing episodes of Smashing Security. You guys rock. Also, huge thank you to this week's Smashing Security sponsors, Authentic8 and LastPass. Their support helps us give you this show for free. And make sure to stay tuned for our exclusive feature interview with Scott Petry, co-founder and CEO of Authentic8. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, au revoir, toodaloo.


CAROLE THERIAULT. All right, very exciting today, listeners. We have Scott Petry. He's the co-founder and CEO of Authentic8. Scott, thank you so much for joining us on the show today. Carole, thanks for having me. You know, we also have another special guest here on this interview, don't we, Graham? Make yourself known.


GRAHAM CLULEY. I wasn't expecting to be introduced. Hello. I'm here. Nice to meet you, Scott.


UNKNOWN GUEST. Nice to meet you, Graham. Okay.


CAROLE THERIAULT. So first, Scott, tell us all about Authentic8. What do you guys do?


UNKNOWN GUEST. Well, Authentic8 is focused on doing something that sounds really simple, but is actually pretty sophisticated. We build what's called a web isolation platform. And that basically means that as users interact with web services, we provide an intermediary web environment that conducts all their actions for them and turns whatever they're doing online into a safe, secure, benign, policy-controlled, audited work stream. So you can think about Authentic8 as basically providing a platform that allows people to access the internet using browsers running on our platform rather than the browser on their own local device.


CAROLE THERIAULT. Okay. So I'm guessing the kind of people that would be really interested in this are people that are really interested in keeping their actions private or really into privacy? It's a great question.


UNKNOWN GUEST. And the answer is yes, plus. So when we started the company, You know, we, we, we basically saw that there was more and more stuff being done online, right? The proliferation of cloud applications, people moving all their personal activities, you know, banks and healthcare providers starting to provide web access portals for users. People were using the, the regular browser that came with their computer, using the browser to store passwords, to, you know, download data, cache information, keep their local state in that environment. At the same time, advertisers or bad actors are using the exact same channel of delivering web code to try to corrupt those systems. And so when we, when we started the company, we were thinking about pretty much a, a broad array of issues associated with the browser, and anonymity and privacy is absolutely one of those things. But also, like, integrity of the page code when you render a page, or the ability to manage credentials without those being stored in a place that's susceptible to exploit, or, you know, checking the integrity of a link to ensure it's not routing off to a rogue server somewhere before someone clicks it. So we really looked at this holistically. I mean, the, the, the, the web security world is defined by probably 12 different categories of product that live either at the endpoint, at the network, or at some sort of an edge-based control mechanism. And what we said was, why don't we take all of those capabilities and embed them in the application itself called the browser?


CAROLE THERIAULT. And that's how we built this platform. Ah, that's interesting. So you basically provide a browser that allows people to do work that, and it protects their identity and it kind of anonymizes them, not pseudo-anonymizes them, but anonymizes them. Wow. Better than GDPR.


UNKNOWN GUEST. We are, you know, fully compliant with GDPR and alphabet soup of other requirements as well for a variety of reasons. But, um, you know, we used to refer to the platform as a, as a cloud browser, you know, before the analyst community started to track this concept of virtual browser infrastructure or started become a category. Because the idea is basically you run the browser as a service and it lives in our platform. You have a secure connection to it. At that point, you're basically sort of using an intermediary or proxy— I don't want to say proxy for the technical reasons, but sort of metaphorical proxy to get out to the internet. That platform becomes the sacrificial lamb, and it keeps everything you're doing at arm's length from anybody on the other side of the equation.


GRAHAM CLULEY. And that's kind of the beauty of this approach, isn't it? Is that you're letting someone browse the internet like they would normally, but they're kind of doing it inside a protected bubble. And if anything bad happens in it, it's not gonna cause them any harm.


UNKNOWN GUEST. Exactly right. We transcode everything that the browser executes using standard protocols into our proprietary and encrypted display protocol, you know, remote rendering protocol. It's more than just display, it's audio, video, et cetera. It's binary files if authorized. But then the important thing, Graham, also is that in addition to that bubble, a lot of our customers are operating in compliance-oriented organizations, or they have sensitive workflows like, you know, law enforcement investigations or financial, uh, uh, activities. We provide a full suite of administrative policies as well to control device access, data policies like upload and download, and then we have the ability for all activity to be logged centrally regardless of device, network, et cetera. And that log data is all encrypted with customer-controlled keys. So the customer gets to control their data rather than us controlling their data.


GRAHAM CLULEY. So that, that, that to me seems really cool because if I was, for instance, investigating financial fraud or if I was in law enforcement working on a case, I would imagine if I was using a, a normal browser on my computer, I'd kind of have to fill in a logbook every time I clicked on a link or downloaded something. Whereas if you're working inside that sort of environment you're describing, everything is sort of getting logged for you.


UNKNOWN GUEST. It's, it's absolutely right. And if you think about, you know, the, that example right there, and we have customers who have spoke, we've spoken to about this. When IT gives a financial crimes investigator a set of tools, they are by definition doing things outside of corporate policy. They're going to a website perhaps or interacting on an internet forum that a normal employee wouldn't be allowed to get to. They're interacting with web code that could be damaging to the organization that a normal employee wouldn't be allowed to transit the gateway and come into the environment. And so, they're giving the employee these tools that allow them to conduct their investigations anonymously and securely, as Carole, you know, as you said. But it's also still inside of the realm of control, where IT has positive visibility over how the tool is being used and to prevent abuse, which is a critical part of the compliance equation as well.


CAROLE THERIAULT. So tell me about the customers you have. Like you mentioned law enforcement, I'm guessing there's also going to be some law firms. Firms involved, insurance companies?


UNKNOWN GUEST. A little bit of history. This is the second company that I've started. The first company was an email security company that was also a pioneer in the cloud space, and, and, uh, it became a pretty, uh, well-known, uh, company. And that was an awesome platform because we could sell the same thing to every customer. And if I had— if I understood knew then what I know now, uh, the, the cross to bear, or the, the challenge for our company is that we're not a single platform for a single customer. It's not like you can just go to every organization and say replace your browser. It's a little bit more difficult than that because of a variety of reasons, whether it's, you know, user preference issues or whether it's, uh, IT change management issues or whatever. What we've been able to do though, and what our market differentiation is, is that our product can be configured very specifically for very specific use cases. So yes, we have financial services firms using us for forms of financial fraud and money laundering investigations. Yes, we absolutely have law firms using us. The use case there is slightly different though. That might be an environment where the senior partners need to get access to social media sites or personal sites, but the law, the legal IT doesn't want that information to be commingled with sensitive client data on the same device. And so they can use our platform as a way to give a second window onto the internet where there's no data commingling, if you understand that. We have— It's almost like a virtual safe room. 100%, 100%. And with the recent change to the way everybody works, you know, if this was a video conference, you'd see me in one of the bedrooms in my house. And it's, you know, this is my office now. Uh, more and more people are working remotely, and so we've seen this idea of being able to take the browser and implement positive policy control and audit over the browser. It allows IT to get back in control of what people are doing when they're working remote without having to give them a laptop and a VPN connection et cetera. So we have a lot of organizations that are using this for regulated access to cloud applications, whether it's, you know, HR and payroll-related activity, call center, help desk-oriented activity. Those employees are all working remotely now. When you give— when you send your employees home, how do you tell them, okay, be careful when you log into, uh, Freshdesk, right?


CAROLE THERIAULT. And I know, I know, and use your computer, but make sure it's secure. Exactly.


UNKNOWN GUEST. Yeah, it's incredibly crazy. Our customers are across a variety of use cases ranging from very sensitive and very secure to just good IT practices for employees being online.


CAROLE THERIAULT. Let's say I'm listening to this and I'm thinking, this sounds extremely cool. I'm thinking this could be something good for my organization or for my project. What, what steps do they do? How does it work? Do they get to test it out or—


UNKNOWN GUEST. 100%. So, uh, we, we, we are a cloud-native platform, so there's no installation of anything required. You don't need to put network kit, you don't need to have a guy come visit your home and, you know, configure, configure your router or anything, right? You basically can see— exactly, uh, you, you sign up for the product. We certainly— we give evaluations, we give trials. You can, like a web conferencing system, you can use the browser to access the platform or you can install a native client to access the platform. We support the traditional compute platforms and iOS. Then you basically run it like you would use a browser, whether it's inside a tab in Chrome or whether it's a window and a separate application. It looks like, acts like, quacks like a regular browser environment.


GRAHAM CLULEY. So there's really nothing to learn here. It's like if you know how to surf the web already, you can just surf the web but inside Authentic8's Silo.


UNKNOWN GUEST. 100%. Now the splitting of the use case though, like you might have people who want to have two separate environments, but in a pre-COVID world, IT liked to be able to say, if you're going to X, render it in the local browser. If you're going to Y, that's when we'll use this web isolation platform. And so needless to say, we have all the IT integrations that you would want for traditional network environments as well, including the ability to forward URLs or redirect URLs to our platform. So you can say, my employee is going to be doing, you know, access to their behind-the-firewall web application or, you know, from their local browser. But if they go to Facebook, that kicks over into our platform and that would be all seamless to the user.


CAROLE THERIAULT. This is a newbie question. I apologize if it's obvious, but so I'm using this browser and I go to something like Facebook or a page where I need to authenticate my login instance, right? So then how does that work? Do I just have to enter my password and it's Facebook knows that I'm the right person, but no one can trace it back to my particular IP address?


UNKNOWN GUEST. Yeah. So your IP address is certainly hidden. Facebook would see it as a machine that maybe was or was not associated with you before. But an important point though, Carole, is once you give Facebook your identity, now they can track you through other things. Once you're logged in, they can drop a cookie. And I won't get into how we handle cookies, but you can either choose to save cookies or you can choose to have them purged. And we offer some capabilities around that. But if you're using the web anonymously, means you're not logging in regardless of the platform. As soon as you log in, server-side, they know who you are.


CAROLE THERIAULT. Exactly. Okay.


UNKNOWN GUEST. One of the things we do a lot of is training for people in terms of doing, you know, secure and, and, and what we call non-attributed, where you can't be attributed back to the kind of activity you're doing. Non-attributed access when you're doing investigations. One of the things that you have to tell people is this: it just doesn't work like, it should not work like a normal browser where you order your pizza in one tab and you investigate the bitcoin transaction in another tab because you're mixing your environments there and those are all certain tells that can tell your adversary that you're conducting this investigation. So it just shows sort of how insidious this entire internet technology stack is when you have to think that carefully about what you're doing in this application on your computer to determine whether bad guys are tracking you or not.


CAROLE THERIAULT. It's awful. Yeah. And no, but I'm wondering if it's something that would even suit me in my line of work. Like, I have to do research on lots of different things that are unseemly, technologically unsound, immoral, unethical. And from my search results, it might look, you know, I might be getting fed information from YouTube and the like that is completely unwarranted for my interests.


UNKNOWN GUEST. So we do a lot of work with media. My second favorite story of customer acquisition was, you know, we, we have the ability to sign up on the web and we saw a name that was a name brand TV news anchor and signed up, took a 30-day trial, swiped his credit card and was using it. And about 6 weeks later, we got contacted from the CISO of that media organization. And did a deal with them. So the idea of individual users using it as a way to maintain safety and anonymity online is certainly important, more so for media people. You can keep yourself and your sources secure and basically untracked if you use our product in conjunction with some other pretty standard good messaging hygiene.


CAROLE THERIAULT. Yeah. Very cool, Scott.


GRAHAM CLULEY. And one of the things I like about this is that you're not being tracked when you're using this, but you can see who's trying to track you as well. And so you can begin to collect data like that with both the toolbox and Lightbeam as well, which is one of your— is that an add-on for it?


UNKNOWN GUEST. Yeah, we have some add-ons that are in the browser that allow you to do that. The thing I'll say though is that we are not doing that and trying to track any information. You are free to do that, but if you read our privacy policy, we're extremely clear that we don't, we don't use this platform as a way for us to collect user data or statistics and use those in any marketing or analytics type of way. And it sort of plays against us sometimes, Graham, because a lot of security companies like to tout dashboards that say how many exploits they've blocked or how— we just don't want to express anything surrounding how our customers are using our product. And when they encrypt their logs, you know, we don't have access— we wouldn't have access to that even if we were so motivated. So we've really— we give you the tools to do that and collect the information, but we're not trying to aggregate that and create side business and, you know, monetize the data like so many awful companies are.


GRAHAM CLULEY. Well, well done to you for that, because I do think when that kind of data is collected, it can be considered rather toxic data anyway. It's not the kind of data which you want lurking about on your drives or being collected either, because it's going to be abused by someone in marketing or, you know, they could have a data breach one day. So yeah, who wants it, frankly? Exactly.


CAROLE THERIAULT. Now, Scott, I have one last question for you. I see on your smashingsecurity.com/authentic8 page you're offering a curated list of open-source intelligence research tools that you guys have. Tell me about that.


UNKNOWN GUEST. We've learned a lot about OSINT, which is open-source intelligence gathering, and we've spent a lot of time, you know, as I said, doing training, pulling together training programs and curricula, working with customers on improving their tradecraft. And so, so we've curated this list of different open-source tools that would help people conduct their investigations. And we like it if they want to try using those tools inside of our product. If they don't, you know, use a, use a virtual environment in their local computer so they don't taint their own environment. But as they conduct their research, this is a handy list of tools that can be used for people to dig a little bit deeper and learn more about, you know, companies or properties or regions as they conduct their investigations.


CAROLE THERIAULT. Yeah, it's an extremely cool piece of research. I know a lot of people that will love this, and the best bit is you don't even have a gate on it, which is sometimes a beautiful, beautiful thing. So on the behalf of the tech community, I thank you for that.


UNKNOWN GUEST. It's a nice freebie. You're welcome. And believe me, we have internal debates about that, but I think we really like, you know, give something to get something, right? Give something to get something. Exactly.


CAROLE THERIAULT. It's like you don't want someone to buy you a beer somewhere and then ask you to get married. I mean, it's too fast. It's too fast. Exactly.


UNKNOWN GUEST. Now, says the married woman on the Also, like, Joseph Stalin can only download so many copies of this gateway. Arnold Aardvark from Afghanistan.


GRAHAM CLULEY. Exactly, exactly.


CAROLE THERIAULT. Scott, is there anything else that you'd like to add? Um, it's been so great speaking with you.


UNKNOWN GUEST. Thank you, it's been great, uh, speaking with you both as well. I would just say that this, this idea of a, of a web isolation platform and Silo as a browser running in a remote environment. It sounds very simple, but as you peel back and understand more about how the browser betrays you on a daily basis, whether you're using it for your own personal social connections and the cookies are being dropped and you're being tracked, or whether you want to do some actual research on the web, it just makes no sense to let all of that arbitrary third-party code come into your environment and execute. And it's, it's shocking to me that we have become so cavalier about it. And, and, you know, literally $100 billion plus is being spent on securing the environment after people have rendered a web page. And so, you know, I guess the last thing I would say is, if you're listening to this and that makes sense, give it a try.


GRAHAM CLULEY. Authentic8.com. And that's Authentic8 with a number 8.


CAROLE THERIAULT. Authentic8. Exactly. Scott Petry, co-founder and CEO of Authentic8. Um, thank you so, so much for coming on. It's been an amazing pleasure to speak with you.


UNKNOWN GUEST. Carole, it's been great as well. And Graham, thank you. It's been fun.


CAROLE THERIAULT. Cheers. All right, boys, that was pretty good. Everyone happy before I stop the recording?

-- TRANSCRIPT ENDS --