This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Come on, 200, Cluley. Come on.
MARIA VARMAZIS
Seriously, well done.
CAROLE THERIAULT
Come the fuck on. That's amazing.
MARIA VARMAZIS
That is amazing.
CAROLE THERIAULT
How many podcasts do that?
GRAHAM CLULEY
1%?
CAROLE THERIAULT
Jesus Christ. And we don't even have each other. It's amazing. We should be recording.
GRAHAM CLULEY
We are.
MARIA VARMAZIS
Oh, great. The hate is what fuels you.
CAROLE THERIAULT
Fucking 200. Jesus.
Unknown
Smashing Security, Episode 200. Two flipping hundred. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode Two Fucking Hundred.
My name's Graham Cluley. Woo-hoo!
CAROLE THERIAULT
And I'm Carole Theriault, and you heard who we have with us.
MARIA VARMAZIS
Woo!
CAROLE THERIAULT
Maria Varmazis! Ah, 200, guys! Maria, thank you so much for coming on this extremely special episode. You know, someone was fighting you for this episode.
MARIA VARMAZIS
Really?
CAROLE THERIAULT
Oh yeah.
GRAHAM CLULEY
Well, who, Godzilla?
CAROLE THERIAULT
I'm not gonna name any names.
MARIA VARMAZIS
I didn't even know. Was it Kasparov again? That bastard.
CAROLE THERIAULT
Dave Bittner.
MARIA VARMAZIS
Oh, oh, oh, oh.
GRAHAM CLULEY
Should we just for a moment just sort of bask in the glory of having produced 200 episodes of this podcast?
CAROLE THERIAULT
Why don't we do that on our live stream at 8:00 PM UK time on Thursday, 5:00 in Boston, 2:00 PM West Coast. Graham still hasn't done the research of what time it is in Australia.
And for details, you would go to smashingsecurity.com/live. Be there, be square. Graham will be so embarrassed if there's only me. Yes.
GRAHAM CLULEY
And then we will properly celebrate. We're gonna take questions, aren't we, Carole?
CAROLE THERIAULT
Yes, it's an AMA. So this is where I promise I will only speak truth. On the show.
MARIA VARMAZIS
Woo-hoo!
GRAHAM CLULEY
Carole, what's coming up on the show this week?
CAROLE THERIAULT
On the 200th show, thanks to this week's sponsors: LastPass, Immersive Labs, and Mimecast. Their support definitely helps us give you the show for free.
And coming up on today's show: Graham grabs his ballerina slippers, Maria is going to look at women in tech, and I'm looking into smartwatches for kids and asking you, Maria and Graham, whether you would do this or not.
MARIA VARMAZIS
Oh boy.
CAROLE THERIAULT
Plus, we have a very fantastic featured interview with Michael Madon at Mimecast.
He is the Senior VP of Security Awareness, and previously— I know he won't mind me saying that— but he used to work at the U.S. Treasury Department, and he was awarded the National Intelligence Distinguished Service Medal, and he won a Bronze Star.
MARIA VARMAZIS
Oh wow.
CAROLE THERIAULT
So he's an impressive dude with impressive things to say on how we can be safer online during these unprecedented times. I loved our chat, check it out at the end of the show.
MARIA VARMAZIS
All this and much more coming up on this 200th episode of Smashing Security.
GRAHAM CLULEY
Now, chums, as it is something of a celebration, I thought we could play a little game. We're going to play a word association game.
CAROLE THERIAULT
Oh, I love these. Okay.
GRAHAM CLULEY
I am going to say a word and I want both of you ladies to shout out the first word you think of.
CAROLE THERIAULT
Okay.
Unknown
Okay.
GRAHAM CLULEY
Space.
MARIA VARMAZIS
Star Trek. Wait, that's two words.
CAROLE THERIAULT
So that's one word.
MARIA VARMAZIS
So Trek.
CAROLE THERIAULT
Alright.
GRAHAM CLULEY
Space Trek, Carole?
CAROLE THERIAULT
Yeah, yeah, no, I'd probably— I was gonna sing Star Wars or Star Trek. So that's really outrageous. I know.
GRAHAM CLULEY
Warfare.
CAROLE THERIAULT
Warfare.
GRAHAM CLULEY
Yeah, what do you think of warfare?
CAROLE THERIAULT
Iraq, actually. Isn't that weird?
GRAHAM CLULEY
Mm-hmm, okay.
CAROLE THERIAULT
That's 'cause of how old I am.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
Warfare.
CAROLE THERIAULT
Trump?
MARIA VARMAZIS
No, my answer was Stratego, the board game, because— Okay.
GRAHAM CLULEY
We'll get you on tomorrow. More for Milly Grant. Men.
CAROLE THERIAULT
Bullies.
GRAHAM CLULEY
Bullying.
MARIA VARMAZIS
Bullying.
CAROLE THERIAULT
Men.
GRAHAM CLULEY
Sex. Sex. Not men. What's that? Well, look, don't worry if you don't have an answer for me at the moment, because maybe you just don't know it yet.
Because did you see all the kerfuffle on the internet this week? A kerfuffle?
CAROLE THERIAULT
Which one? Yeah, where were you looking? What hosepipe were you getting drenched by?
GRAHAM CLULEY
There was a UK government ad which was doing the rounds. People were retweeting it and sharing it on Instagram. It was turned into a meme about a young dancer called Fatima.
And the ad was basically saying, she should hang up her ballet shoes and pirouette her way into a new career. So there's a picture of this girl.
CAROLE THERIAULT
Okay, yeah, can we see the ad, but rather than having your—
GRAHAM CLULEY
Yeah, well, we'll link to it in the show notes. And—
CAROLE THERIAULT
Yeah. I'm looking at it. Okay.
GRAHAM CLULEY
There's a picture of a young woman sitting on a bench. And she's obviously a ballerina. She's got the leotard and the frou-frou what's-it-on.
CAROLE THERIAULT
Well, I think it's more to do with her leg spread, because that's actually quite difficult to do. Why don't you try it right now, Graham? Just try and do that pose right now.
MARIA VARMAZIS
He will end up in traction. Don't try it.
CAROLE THERIAULT
Don't try it.
GRAHAM CLULEY
I've already hurt my back. I'm gonna fall off my stool.
CAROLE THERIAULT
No, definitely do it. Do it right now.
GRAHAM CLULEY
Anyway, she is tying up her little ballet pump things. And it says next to it, it says, Fatima's next job could be in cyber, brackets, she just doesn't know it yet.
Rethink, reskill, and reboot. And it's all part of the Cyber First initiative run by the UK government.
CAROLE THERIAULT
And I think I know where you're going with this, and I think we're gonna have a bit of a jibaji. Okay. I might be on a weird side on this.
GRAHAM CLULEY
Okay. I actually— This is marvelous because I remember my own beginnings in computer security.
MARIA VARMAZIS
You were also a ballerina.
GRAHAM CLULEY
Well, actually, you know what, Maria? Actually, I was.
MARIA VARMAZIS
I didn't say you weren't.
CAROLE THERIAULT
No, Maria, stand your ground, honey. Really stand your ground on this. I'm with you 100%.
GRAHAM CLULEY
A lot of people may not realize this, but anyone who's seen my calves will know that I have quite a strong lower leg. And—
CAROLE THERIAULT
Really? Where was that when we went ice skating? When you were clinging to the edge for dear life and you literally dragged yourself around the skating rink?
MARIA VARMAZIS
All right, please tell me there's video of this.
CAROLE THERIAULT
No, no. Sadly, it was before video was widely available.
MARIA VARMAZIS
Before video existed. So the late 1800s. Okay, gotcha.
CAROLE THERIAULT
Told you he was old.
GRAHAM CLULEY
Now, I know some people think ballet's for sissies and it's a piece of cake doing a pirouette. Prancing around, twirling your arms in the air. But, well—
MARIA VARMAZIS
I don't think that.
GRAHAM CLULEY
Well, no, no, no. None of us think, because frankly, ballerinas are terrifying.
CAROLE THERIAULT
Have you seen their feet close up?
MARIA VARMAZIS
That was just what I was thinking. Anyone who does that to their feet, badass.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
I haven't been to those kind of websites for a long time. No, I haven't seen anything like that.
CAROLE THERIAULT
Weren't you going to do a foot fetish website at one point?
GRAHAM CLULEY
Let's not talk about that, please.
MARIA VARMAZIS
Not right now.
GRAHAM CLULEY
Why would you mention that on a podcast?
CAROLE THERIAULT
It's our 200th show!
MARIA VARMAZIS
It's time for us to get honest.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
Let's be real. Let's get vulnerable, Graham. Let's do this.
GRAHAM CLULEY
Maybe we should talk about this more on the livestream. Yes, let's get back on the plot. I'm of the view you don't— How am I going to edit this? I'm of the view you don't want to—
CAROLE THERIAULT
As it always is with Maria on the show. That's not this one.
MARIA VARMAZIS
Hey, it's not my fault. I think it's all you.
GRAHAM CLULEY
I'm of the view you don't want to mess with ballerinas, right? Because they're strong, they're tough, they've trained. They could, you know, wasn't that Bond villain Xenia Onatopp?
She was, I think she was a ballerina.
CAROLE THERIAULT
They could strangle you with a little pirouette.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yes.
MARIA VARMAZIS
Black Swan, the movie.
GRAHAM CLULEY
Yeah.
Unknown
Oh yeah.
CAROLE THERIAULT
So good.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
Any road, back to the plot. So the UK government have put out this ad saying, look, ballerinas, seriously, you should be thinking about becoming cybersecurity experts instead.
And I—
CAROLE THERIAULT
This ad came out last week, right?
GRAHAM CLULEY
Well, it became popular in the last week. Yes, I think it's actually been doing the rounds for about a year. Just writing notes. Yeah, we'll need that. For a year or so.
So presumably they thought she would be better at running the UK's test and trace operation than a former horse jockey who used to be in charge of TalkTalk when that got hacked.
That's probably their thinking. But many a cybersecurity expert might have made the mistake originally of beginning and forging a career in the arts instead.
CAROLE THERIAULT
Hush, hush.
GRAHAM CLULEY
No, for real, for real. Bruce Schneier used to be a Punch and Judy man. Did you know that?
CAROLE THERIAULT
That's not a ballet, dude.
GRAHAM CLULEY
No, but it's still the arts.
CAROLE THERIAULT
Oh, right, okay.
MARIA VARMAZIS
It is, it is.
GRAHAM CLULEY
Mikko Hypponen was a trapeze artist.
CAROLE THERIAULT
Was he?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
That's why he's so triangular in shape.
MARIA VARMAZIS
That's really cool.
CAROLE THERIAULT
He's like a Marvel Comics—
MARIA VARMAZIS
Does he bust it out at the Vegas DEF CON parties? Because they would have trapezes there, and if you have enough to drink—
CAROLE THERIAULT
I can just see him going, taking his ponytail, swinging it behind his head, and, "I am going!" He's like, "I am a trapeze artist!" Everyone's like, "No, dude, you're plastered.
MARIA VARMAZIS
Don't do—" I don't know if he drinks or not. I apologize if he doesn't. And then he's like, "No, for real." And then he does it and everyone shuts up.
GRAHAM CLULEY
He's Finnish, he drinks. And Edward Snowden—
CAROLE THERIAULT
Yeah, he could drink a whole bottle of vodka and still do it without any problems.
MARIA VARMAZIS
I don't like to suppose. I don't like to suppose, sorry.
GRAHAM CLULEY
Little known fact about little Eddie Snowden is he used to model balloons at kids' parties. Did you know that?
CAROLE THERIAULT
No. Is he going to come on the show?
MARIA VARMAZIS
That would be amazing.
GRAHAM CLULEY
We'll see. Maybe episode 201. We'll see. Anyway.
MARIA VARMAZIS
Is he who I fought with to be on episode 200? I'm gonna say that it was. I'm gonna say that it was.
CAROLE THERIAULT
Okay. Tell everyone, tell everyone.
MARIA VARMAZIS
That's going on Twitter.
GRAHAM CLULEY
People were furious about this ad, and I wanted to know what you thought of this ad, because some people were saying, this has killed the dreams of every Fatima, everyone who trained to become a ballerina or to work in the arts.
And it's saying to you, yeah, your job's rubbish. You're never going to make a career out of that. Come and be cyber instead.
MARIA VARMAZIS
What do you think? It's nothing new. Every— people say stuff like this all the time. So I have a very cynical view of it as someone who left tech to pursue a career in the arts.
CAROLE THERIAULT
Oh, you went the wrong way.
MARIA VARMAZIS
I left the money to go into the arts, so yeah. Okay, Graham.
CAROLE THERIAULT
Yes. You ready for this?
GRAHAM CLULEY
Yeah, I'm ready. I'm ready. Bring it.
CAROLE THERIAULT
Okay. Why are you asking us? 'Cause we're on the show right now.
GRAHAM CLULEY
Well, yeah.
CAROLE THERIAULT
It's the 200th show.
GRAHAM CLULEY
I can't ask Edward Snowden 'cause he's not turned up to episode 203. So I have to ask you, what do you think?
CAROLE THERIAULT
Okay, there is a bloody pandemic on. How many people do you think are going to the ballet right now?
Well, that's— How many ballerinas do you think have been told, "Oh, you know what? You're so amazing.
It's just that no one's actually coming in to see you, and it doesn't really look great on screen right now, and we don't have all that sorted out for digital ballet." So maybe what's happening is the government's kind of saying these are people that could get a secondary career whilst we deal with the pandemic, earn extra skills.
Yes, maybe?
GRAHAM CLULEY
It's interesting you become a shill for the Tory government because that is pretty much— that is pretty much— Whoo! Whoo! Whoo! Whiting words.
UK Chancellor Rishi's point of view is that he has been sort of pronouncing upon the fact that many people who work in the arts at the moment might want to retrain.
Which did create quite a kerfuffle because other people are saying, well, it's almost a debasement of all the artistic jobs which are out there. And how would we feel if—
CAROLE THERIAULT
Well, okay, I know this is going to cause a lot of contention, but no one is forced to look at that ad and go, okay, I need to do this. Right?
There's not— there's— I'm looking at the ad again. I want to— I'm looking at it now. Let me look. Okay.
MARIA VARMAZIS
I don't understand people acting this is new. A new attitude. Right. This is the prevailing attitude towards a career in the arts is that they're not real jobs. And yes.
And the UK, compared to the US, certainly values the arts more. There's more funding from the public compared to the United States.
But here in the States especially, it's and right now during the pandemic, you can't make a living off of it very easily.
And a lot of artists are told you need to have a real job in addition to your art job to survive.
GRAHAM CLULEY
And I think in the UK, people consider different artistic jobs differently. So you'll have at the very bottom, for instance, actors.
You know, which frankly is just pretending to be someone, isn't it? And doing a funny voice and not walking into the furniture.
And then you'll have dancers and you may have painters. But at the very top, at the very top, you have podcast co-hosts.
CAROLE THERIAULT
And I think they clearly are essential for the economy. Okay, so let's analyse. We're all very smart. Look at the ad.
It says Fatima's next job could be in cyber, as though that is the most wonderful place to be. No, I don't agree with that.
MARIA VARMAZIS
Don't do it, Fatima. Don't do it. Stay a dancer, please.
CAROLE THERIAULT
I think cyber if you're kind of thinking, I'm into that kind of stuff, and yeah, you can make a decent wedge on it as well.
Yeah, I mean, I know lots of freelance journalists, for example, who they say that they are freelance journalists but they have a day job to pay for that, and that sucks ass that that's happened.
Yeah, I think it's the arrogance of the "could be" in cyber, like even a ballerina could be that smart, you know. There's something about the "could" that maybe is a bit jarring.
GRAHAM CLULEY
And I don't like the, "She just doesn't know it yet." Yes, me neither. It's a bit condescending, isn't it? It's like at the moment she's wasting her time prancing around.
MARIA VARMAZIS
Yes, this person who spends her life priming her body to be in peak physical form definitely wants to sit hunched over at a desk typing.
Carpal tunnel goes so well with that pirouette.
CAROLE THERIAULT
Okay, you know what? You're changing my mind. You're right. After that, they're saying, "Rethink your decision, Fatima. Reskill yourself and reboot yourself.
This is an opportunity for you." Despite the fact you've worked your ass off for years and years and all you ever want to do.
Literally, Graham, because I bet her ass she could hold 5p between those cheeks.
GRAHAM CLULEY
You know what else? A bit of coaxial cable.
MARIA VARMAZIS
As I said, to me, I don't understand why people are angry as if this is a new attitude, because it's not. It's not one that I like, but it's out there all the time.
Good Lord, I heard it from my dad growing up.
CAROLE THERIAULT
Oh no, mine too. I studied economics. That was why I went to university.
MARIA VARMAZIS
I studied computer science. I know. Jesus.
GRAHAM CLULEY
I think the ad had good intentions, but was a bit backhanded. I think it was just trying to encourage young people to get interested in cybersecurity. Yeah. And you know what?
CAROLE THERIAULT
I get that. And you know what? Normally I would say we so, so need bright young minds to come in and from all industries, right?
Because you need different, you need different brains to tackle all these different problems. It's basically a social problem. How are people attacking us?
GRAHAM CLULEY
But imagine if you were Fatima and you were into ballet and you saw these big ads going on saying, oh, "Lovely that you're trying out that ballet thing, but frankly, dear, you should be doing something else." Well, I'd like to think Fatima would just go, "Fuck you, whatever, I'm sticking with ballet," if she wants to.
CAROLE THERIAULT
I'd like to think this wouldn't change her opinion of what she wants to do with her life.
GRAHAM CLULEY
Some people might be insecure. What if Mozart had been told he was wasting his time? Or Stephen Hawking, or Colonel Sanders, or someone important like that?
And instead, they'd been diverted into cyber.
MARIA VARMAZIS
Many questions there, okay. Here's my follow-up question.
GRAHAM CLULEY
Should we be using the word cyber at all?
MARIA VARMAZIS
That's what I thought this one was going to be about. I thought we were going to talk about the whole cyber discussion, right?
Because when I, as someone who grew up— excuse me, voice is cracking, this is how passionate I feel about this— somebody who grew up of the age of AOL chat rooms, when I hear your next job can be in cyber, my brain goes somewhere entirely different, especially when she just doesn't know it yet.
I'm like, oh, that sounds like a threat. So that's— so the language of this ad is actually what gets me a little bit— wow, my voice. This today. Amazing.
GRAHAM CLULEY
Because for youngsters who aren't aware, cyber used to mean a bit of hanky-panky online nookie. Yes. Oh my God, I'm so vanilla.
CAROLE THERIAULT
The BDSM community are correct. I didn't know that. What? What?
GRAHAM CLULEY
I'm not kidding. You didn't know that cyber meant cybersex? That's not a BDSM thing.
MARIA VARMAZIS
That's just—
CAROLE THERIAULT
No, no, they're just angry with me for last week, and they said, oh, you sound a bit vanilla. And I'm like, yep, owning.
GRAHAM CLULEY
Sorry, I'm a bit confused because you've used the word BDSM. Okay.
CAROLE THERIAULT
As my other job, I work with lots of companies and I have to do lots of stuff.
And so maybe my echo chamber is filled with the word cyber and I totally directly put it into cybersecurity. I'm drinking the Kool-Aid for 20 years now.
MARIA VARMAZIS
A lot of people do. And that's the debate right now and has been for— actually, it's been a debate for a really long time because the U.S. government uses cyber a lot and then the private sector in the U.S. hates it. And there's that whole thing there. And I personally always cringe when I hear cyber, 'cause I go, ugh.
Do you?
GRAHAM CLULEY
Because I saw some people being a bit snarky on Twitter this week about the word cyber.
And these were the same people who were defending Fatima or whatever and say, oh, she should stay as a ballet dancer. But they're saying, oh, she shouldn't have used the word cyber.
It's a fricking ad.
CAROLE THERIAULT
Does she even exist? Yeah.
MARIA VARMAZIS
Like, she could be a fricking— It's all an illusion. Yes. Cast away all your attachments. Yes. Everyone's freaking out about this.
CAROLE THERIAULT
Guys, Trump is about to be reelected. Oh God.
MARIA VARMAZIS
For God's sake, focus on what matters, goddamn it! For God's sake.
GRAHAM CLULEY
Well, I agree, Carole. I agree.
MARIA VARMAZIS
And put a bow on it, we're done.
GRAHAM CLULEY
I don't see why Maria is so upset about the use of the word cyber.
MARIA VARMAZIS
I'm not upset, I'm just Greek. I sound upset, okay?
CAROLE THERIAULT
She's not.
GRAHAM CLULEY
I thought she was.
MARIA VARMAZIS
No, no, no, I'm just—
CAROLE THERIAULT
This is the—
MARIA VARMAZIS
It's the Greek coming out.
CAROLE THERIAULT
She just thinks of sex.
MARIA VARMAZIS
Yeah, it's just— to me, cyber is cybersex. That's always what it's been. It's ASL, one of cyber. It was the thing that—
CAROLE THERIAULT
But you're way younger than me. How do you know this? Like what? What?
GRAHAM CLULEY
Did you never see The Lawnmower Man with Pierce Brosnan?
MARIA VARMAZIS
I was of the age when this stuff was going on. I was like, I was working at Sophos, obviously.
GRAHAM CLULEY
There was no sex there. So that's why I gave you these words at the beginning. Space, warfare, men, bullying, sex. Each one you can put cyber in front of. You see?
Cyberspace, cyber warfare, Cybermen. You have to be a Doctor Who fan for that one. Yeah, okay. Cyberbullying, cybersex.
But I didn't dare put down security because I thought that'd give it away.
CAROLE THERIAULT
You were so good. You won that round, Graham.
GRAHAM CLULEY
Well, I just think we need to relax about using the word cyber. And I think it's all right.
MARIA VARMAZIS
I think the battle is lost on cyber. Yeah, I agree. I can't, it's so annoying.
GRAHAM CLULEY
I just think all these people, 'cause what I haven't enjoyed this week in regards to this is the dog piling on. Okay, it was a dumb ad, right? And maybe it was uncool.
But a bit clumsy. The amount of whinging. I agree with you. It was just like, "Oh, this is terrible." And it's just like, well, yeah, it's not great, but we don't all have to moan.
And then they start complaining about the word cyber.
MARIA VARMAZIS
Well, what do we mean by cyber? Like in that context of that ad, what does that actually mean? Cyber what?
CAROLE THERIAULT
Pandora's box is open.
GRAHAM CLULEY
Well, they meant cybersecurity. They meant cybersecurity because it was the NCSC who were behind this.
CAROLE THERIAULT
Oh my God, Maria, I'm so— okay, okay, so we're basically— okay, are you right, Crow? Back the— back up, back up. We're rewinding the tape.
Okay, so you're saying Fatima's next job could be in cybersex with brackets.
MARIA VARMAZIS
She just doesn't know it yet. 5 minutes ago we had this conversation.
CAROLE THERIAULT
Okay, I told you I was— okay, I told you I was vanilla. I didn't get it. I didn't read that. I didn't see it.
MARIA VARMAZIS
I'm not kidding. I know that that's not how that ad's supposed to be read. So my brain's going, that's not how it's meant to be read, but my brain goes there.
I know I'm not the only one.
CAROLE THERIAULT
My brain's exploding.
MARIA VARMAZIS
You just figured out what I just told you 5 minutes ago.
CAROLE THERIAULT
Okay. Yes. Yes. And the government must be freaking out because that is definitely not what they meant.
GRAHAM CLULEY
No, I don't. Oh my goodness. I don't think that's— I don't think that is what anyone is saying that they meant. It's only Maria. Yeah.
Who's still in the '90s, who's thinking of cybersex. That's right.
MARIA VARMAZIS
Yeah. No. Oh yeah.
CAROLE THERIAULT
Because no one else was alive in the '90s and was actually paying attention.
MARIA VARMAZIS
No, no, no. It was just me.
CAROLE THERIAULT
It was just Maria.
MARIA VARMAZIS
I'm the only survivor of the '90s. It's true. Yep.
GRAHAM CLULEY
She is. Episode 200 and this is going on.
CAROLE THERIAULT
Maria.
MARIA VARMAZIS
Are we now just getting to the sex story?
GRAHAM CLULEY
Have you got a story for us? Can you make it quick?
MARIA VARMAZIS
Yeah, I've got this totally not controversial topic at all.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
So it was suggested to us by a loyal listener, @ilwombato on Twitter. Oh, @ilwombato. Yes. High five, sir. Sir or ma'am or other. Yes. Not going to presume anyone's gender here.
That's not that kind of podcast. The tweet that we were tagged in was this: Fact of the day, 50% of women who take a tech role drop it by the age of 35. Oh, okay.
GRAHAM CLULEY
Well, look, we've got two women here. Which one of you has dropped it by the age of 35? Me! Ah!
CAROLE THERIAULT
Well, no, Maria, take heed. Have you dropped it?
MARIA VARMAZIS
Well, here's the thing. Was I ever in one?
CAROLE THERIAULT
Oh! You're here. We're talking about cyber, not cybersex.
GRAHAM CLULEY
We're talking about cyber. Everyone knows that apart from you, Carole. Okay, so, so then—
MARIA VARMAZIS
Well, I've got to remind myself. So the quote was, "Take a tech role." Cyber was never even uttered in this.
And the source of this data was a study by Accenture that came out this year. So Accenture is a big consultancy firm. They do stuff like this.
Some people don't find these studies credible, whatever. I'm just going to take it at face value.
Yeah, they did a huge study called Resetting Tech Culture: 5 Strategies to Keep Women in Tech, because it is a notorious problem in the industry about the pipeline and why do women leave and all this stuff.
And can I ask, Maria, why did you leave tech?
GRAHAM CLULEY
Because apparently you're claiming you have left tech. Well, I kind of—
MARIA VARMAZIS
I don't know if I was ever in it. That was my follow-up statement because I worked in tech on the comms side. I was not a programmer. So is that what they mean?
Are we talking about only women who code, or are we talking about women who work in the tech industry in general regardless of the role?
GRAHAM CLULEY
So I don't know. You used a computer. You used a computer. You weren't flower arranging, were you? You were—
MARIA VARMAZIS
I did flower arranging for fun after work. That's true. Okay, so get to Ikebana for real.
I mean, it's a topic near and dear to me because I went to school for computer science and I was an earlier version of the pipeline problem where halfway through engineering school I changed to a completely different major.
So, yeah, okay, so it's all this stuff is perception, right?
CAROLE THERIAULT
And I would say that all of our listeners who've listened to you over the many, many stories you've helped tell with us, that you are a cute geek, techy lady.
GRAHAM CLULEY
She got stutter.
CAROLE THERIAULT
You're in the club. No, she's in the club. I think she's in the club.
MARIA VARMAZIS
Maybe. I mean, yes, maybe.
CAROLE THERIAULT
You feel you're in the club. You identify.
MARIA VARMAZIS
I identify with the club. I hugely respect women who actually are software engineers as I've never been one. So I feel this study is probably talking more about them.
But I know many women who are software engineers. So the stat of 50% of them leaving by 35 roughly tracks with my anecdote.
GRAHAM CLULEY
So does the survey give any descriptions of why people leave and what might we do to try and keep them?
MARIA VARMAZIS
Well, it's a huge study, so yes, there's a lot of it. And if we could go through the whole thing point by point, I don't think anything would surprise anybody, right?
Because if we put forward oh, we've got a solution to this problem, I would be a bazillionaire and I would just retire right now because I'd be all set.
I echo a comment that somebody made in the Twitter thread, what's the stat for men? The reasons that people leave are very different.
But I wouldn't be surprised if it's not terribly dissimilar for men. By a certain age, some people just go, I can't deal with this anymore and I'm leaving.
CAROLE THERIAULT
Yeah, so I can say for me why I left, because I think I would be, according to this data, I would be one of those people that left.
If you don't consider this tech and running a tech company and working with tech firms all the time. But my reason for leaving was your staff, people who were working for you.
GRAHAM CLULEY
Fuck my fucking staff.
CAROLE THERIAULT
Oh my God, they were so arrogant and "Actually, actually, come on, I think you're fine. Actually, come on, I think it's just deepening." Constantly. Okay.
GRAHAM CLULEY
Thank God he's no longer in your life, eh? Thank God you no longer have to work with him.
MARIA VARMAZIS
That bore. Oh, wait.
CAROLE THERIAULT
Also, though, I think it's a much harder climb, and I don't think men can really understand that. I'm not saying that men don't have hard climbs.
I just think when I did the climb, I had a number of wins, but I also got kicked back in a way that I found quite hard. And by the end of it, I just couldn't take it anymore.
It made me sick to my stomach to even support it.
MARIA VARMAZIS
That was sort of similar for me.
CAROLE THERIAULT
I had to get the fuck out was really where I got to.
MARIA VARMAZIS
So I left my last full-time job at the age of 33, and I'm a few years older now. So for me, I left before 35.
You talk to other people who work in other industries and you go, you know what, they are fulfilled with what they're doing and they're not going through half the crap that I'm going through.
So why am I putting up with this? And that kind of sticks with you.
And again, it really does, Carole, as you say, just a huge setback where you go, it's really hard to bounce back from it. You just go, I don't know why I'm putting up with this.
CAROLE THERIAULT
So yeah, because they loved us for our creativity. And then you're basically working with Simon Cowell the entire time.
That's basically what I think corporations are to the artistic mind.
MARIA VARMAZIS
Yeah, I think college pipelines have maybe gotten their act together a little more.
They've gotten better at, since I was in college, helping to nurture an environment where women who want to code or work in the tech industry feel like they can be themselves.
And I know in my conversations with other women who have left, some of them are engineers, some of them just in the tech industry like me, it's when you get to the corporate world, then that's when you have to really start conforming to what they think a woman in corporate needs to act and behave like and look like.
And especially techie men generally have been given a pass. You can kind of be like the crusty old guy in the corner who doesn't shower very often. I will say that is changing a lot.
People are sort of willing to put up with like genius techie guy being who he is and give him a lot of space.
But if you're a woman, you got to fit this very narrow sense of what a woman in corporate life has to be. And that's just not what a lot of us sign up for.
GRAHAM CLULEY
I think it's a bit unfair, Carole, to say they don't shower very often. I think you should take that back.
CAROLE THERIAULT
What?
GRAHAM CLULEY
I didn't say all of them. I think they shower often. They just don't ever change their clothes.
MARIA VARMAZIS
I do think that's changing. I think things have changed quite a bit in the last 10, 15 years for men and how they have to present themselves in corporate. But the difference is huge.
CAROLE THERIAULT
Yeah, but you know what? Fuck, it's really cool. 200 fucking episode. What are you wearing right now?
GRAHAM CLULEY
Sorry, what kind of podcast is it? What the fuck? What are you wearing right now?
CAROLE THERIAULT
Really? Did you just? ASL? Yeah. I'm wearing slippers, leggings, and a jean shirt, right? And very happy indeed.
GRAHAM CLULEY
I've got my ballerina's tutu and an aqualung on at the moment.
CAROLE THERIAULT
This is weird.
GRAHAM CLULEY
This is the 200 and fucking weirdest episode we've ever done. Jeez. Amazing.
MARIA VARMAZIS
I'm glad I could be here for this.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
We're gonna switch gears now, everyone. So I used to think that parents were rather overprotective before 2020 with their kids.
Like, not all parents, but a number of parents, you know, what are they— what's the word— helicopter parents. Yeah.
And I think I saw a lot of that with some of the people I knew, and I used to think, oh God, just let them be.
But now today I'm like, whoa, if I had a kid right now in this situation, I'd be wanting to keep serious tabs on them, right?
Like, just know where you are, who you're hanging out with, what are you doing, are they infected? I don't know, just everything. Now, you guys are both parents.
Do you feel different since 2020 happened and all the bullshit that came with it?
MARIA VARMAZIS
No, it's totally exactly the same.
GRAHAM CLULEY
Yeah, it's just as petrifying being a parent as ever.
CAROLE THERIAULT
I mean, so if you saw him licking somebody else's face, your kid, would you be worried?
GRAHAM CLULEY
Well, yes, I'd be worried. Why is my child licking someone's face? Of course it would be worrisome regardless of the pandemic.
CAROLE THERIAULT
If they can't be safe. Okay, fair, fair. Yes.
GRAHAM CLULEY
The fact that we've got— Maria and I have kids, not together, but we have kids.
MARIA VARMAZIS
Yeah, let's please clarify that.
GRAHAM CLULEY
It's kind of irrelevant to that. You would think any kid who was going around licking people would be a bit odd.
CAROLE THERIAULT
I can see that some parents today wouldn't want to let their kids out of their sight, you know?
And also many can't because they're in homes where the parents are remote workers or stay-at-home parents and the kids are being homeschooled. All that time must be exhausting.
GRAHAM CLULEY
It'd be great if the kids were outside.
MARIA VARMAZIS
Yeah, I was just thinking a little out of sight would be nice.
CAROLE THERIAULT
Yeah.
And so maybe if you wanted them a little out of sight, but you wanted to know kind of where they were and what they were doing, you might employ technology to help you out a little.
And today we're going to talk about one of these little pieces of technology and see what you think. Okay.
So it's called the X4 smartwatch designed by Norway-based company called— I can't remember the name— Xplora. Xplore with an X, no E-X. Oh, really?
GRAHAM CLULEY
So that's the first concern is that they've got Xplore without an E. I find that rather upsetting, especially for a kid's product. Also the fact it says smartwatch.
Obviously any product which contains the word smart in its name is gonna start alarm bells ringing, isn't it?
CAROLE THERIAULT
Basically the new Xplora offers various uses, right? So it's an asset tracker, a bike tracker, pet tracker, kids smartwatch.
On their official website, the Xplora watch is on sale right now for £159 instead of the retail £179. So there's a sale.
They say the most advanced children's smartwatch to date. So you can swim, phone, capture great photos, and interact with recognized entertainment brands.
So as parents, you guys are— I'm guessing at this point you're going, yeah, yeah, not for me. Thanks though.
GRAHAM CLULEY
Thanks. Feels a bit overkill.
I mean, my son is sort of talking about wanting to wear a watch and things, and I'm trying to work out what I should get him, but this feels overkill to me.
Well, it's got GPS, right?
CAROLE THERIAULT
So you'll always know where your kid is.
They— you can have the messages come in, so there's SMSs they can send, and they can, you know, you can interact on the phone with them, go, where are you?
You should be home for dinner, and all that kind of stuff.
MARIA VARMAZIS
But you can do this with a phone, so—
CAROLE THERIAULT
Well, yes, but a phone has a lot more capability.
So this is— the idea behind this is that you can limit the functionality and that it's more ideal for a younger audience or an older, more elderly audience that might be bamboozled by all the tech.
GRAHAM CLULEY
Okay. So rather than calling it a smartwatch, they could call it a rubbish phone. Exactly. This is gonna sell well with the kids.
CAROLE THERIAULT
I'm all in. I'm all in with the rubbish phone thing.
MARIA VARMAZIS
I would actually really be intrigued by a rubbish phone. Yes.
GRAHAM CLULEY
That would be— Yeah, true, true.
MARIA VARMAZIS
Truth in advertising.
CAROLE THERIAULT
And then they have on their webpage, "As always with our products and services, they are fully GDPR compliant, making sure your data is secure and stored only in the EU.
We're offering localized speaking support to you." Teams in each of our markets to ensure a world-class experience. Okay, so put that little crazy kitten in your basket.
Okay, how many companies are up front, not just with complying with GDPR, but they're using it as their big sales pitch?
So maybe you're feeling a little bit okay, you know, and they're based in the EU, you know, they're in Norway, they're following— you know, their data is in the EU, they're following GDPR, and the portfolio of products is basically the, the wholesale pitch is this is an effective and safe way for you parents to stay connected to your children without giving them access to the internet at too young an age by a smartphone.
So that is the whole idea behind the X4 Xplora product.
GRAHAM CLULEY
All right. Okay.
CAROLE THERIAULT
At this point, I'm thinking these guys really get the concerned parent thing, right?
And they get that parents are also increasingly nervous about tech and data snarling and all that kind of stuff and bad stuff, cyber stuff. So hand clap to them.
You know, this is good.
GRAHAM CLULEY
I've just seen a picture of this on a kid's wrist. It's flipping enormous.
MARIA VARMAZIS
Yeah, it is. I was thinking that too.
CAROLE THERIAULT
Well, kids have small hands, right? I know. So these guys get all this, okay? And you'd be like, okay, hand clap. Well, slow that hand clap down. Get your popcorn.
Okay, researchers at Mimonic, a security firm in Norway, decided to do a little digging into this kid-friendly GDPR-compliant easy peasy to use smartwatch that's great for kids.
Yeah, and what they found is inside the popular smartwatch designed exclusively for children, it contains an undocumented backdoor that makes it possible for somebody to remotely capture camera shots, wiretap voice calls, and track locations in real time.
Why?
MARIA VARMAZIS
There's a camera on this thing so kids can take cool pics because it's important.
GRAHAM CLULEY
Yes, but I imagine parents would quite like to see their kids and listen to their conversations and all the rest of it, so this backdoor will be very handy, won't it, for helicopter parents?
CAROLE THERIAULT
So I'm reading this in Ars Technica, right? And I was like, "What?" So they say, he says, apparently they discovered the backdoor through some cool reverse engineering. Okay?
So the researchers, Sand and Likness, used a modified USB cable, soldered it onto the pins exposed at the back of the watch, and using an interface for updating the device firmware, were able to download the existing firmware off the watch, which allowed them to inspect the insides of the watch, including the apps and the various code packages that were installed.
GRAHAM CLULEY
Okay, so for a hacker to do this, they don't have to solder something to a watch to do this, but the researchers did in order to understand how the watch worked and find the security holes.
CAROLE THERIAULT
You're gonna have to wait five minutes to find out the answer to that question, Graham.
So after doing more poking around, they said sending the SMS triggered a picture to be taken on the watch and was immediately uploaded to the Xplora server.
Okay, one of the researchers, Sand, wrote, there was zero indication on the watch the photo was taken. The screen remained off the entire time.
So I'm reading this going, oh my God, this is serious, right? Yeah. And then they have this line about how 19 of the pre-installed apps on the watch were developed by Qihoo 360.
This is a Chinese security company and app maker. Yeah. And one of the subsidiaries jointly designed the X4 with Xplora.
So basically, Qihoo are in bed with Xplora here on this one, and they manufacture all the watch's hardware.
I was yakking to my husband, my smooth, super smart husband, about all this.
GRAHAM CLULEY
As opposed to your other husband? Yeah, how many have you got?
CAROLE THERIAULT
And I was telling him about the Qihoo and all this, and he went, oh, that's interesting, I think they're on the sanctions list in the States. And he checked, and indeed they are.
And Dan Goodin actually mentions this later down in his article. So anyway, there's loads and loads of information on how they actually did this.
Go see the links on the episode webpage. Okay, so you're thinking this watch now, you're thinking, oh, it doesn't sound so good, right?
You're thinking this sounds awful that this could happen.
GRAHAM CLULEY
I know, I'm now thinking it sounds awesome because if I'm a paranoid parent, what a brilliant way to photograph where they really are as opposed to where they're—
CAROLE THERIAULT
You already have a GPS in the phone that allows you to track them. You know exactly where they are. You don't need this backdoor for doing that.
GRAHAM CLULEY
Yeah, okay.
CAROLE THERIAULT
Yep. Okay, so then I'm reading all this and I'm thinking, okay, well, how do they react? Like, what happened?
So it turns out the research team at Mimonic contacted Xplora and said, "Hey, dudes, look what we found." And they issued a statement and they said, I'm gonna say it in short, but basically, "Thanks for telling us." And then they say, "Note, it would be really difficult to make use of this backdoor." So quote, "To make use of the functions, someone would need to know both the phone number assigned to the watch." It has a slot for a SIM card from a mobile phone carrier, right, that exists on the watch.
And they would also need to know the unique encryption key hardwired into each device. So then I'm like, oh, that's a different kettle of fish, isn't it? I don't know.
GRAHAM CLULEY
Well, I don't know how the encryption works and all the rest of that, but certainly in terms of mobile phone numbers, surely you could just sort of brute force it.
If you're after people who might have this particular device, then maybe you'd just run through a whole bunch of phone numbers to see which ones hit it or hit one of these devices.
It may not be that you're after a specific kid. You could just be after any kid.
Alright, hang on, why does it have the functionality that if you send a particularly crafted SMS, it will then take a photograph without the actual wearer being aware that it's happened?
CAROLE THERIAULT
Yes, that indeed is the question. Why the hell was that even there in the first place?
GRAHAM CLULEY
Because if you didn't have that functionality, then no one would be able to exploit it, right? Somebody forgot.
CAROLE THERIAULT
To me, and I don't know enough about this to say this with any veracity, but to me, it sounds like a weird snafu in the coding to have that in there.
GRAHAM CLULEY
Well, more than a snafu, it was obviously a deliberate choice, and it was coded for some purpose.
CAROLE THERIAULT
Okay, so this is the sitch as we see it right now, right?
There's a smartwatch that they're saying, "This is for kids." It had an undocumented backdoor on the watch as detailed by the Mimonic researchers, but by all accounts, it would be a bit of a pig to take advantage of.
However, what the fuck's it doing there in the first place, guys?
MARIA VARMAZIS
Somebody put it in during product testing for some sort of easy shortcut and they forgot to take it out. Maybe.
CAROLE THERIAULT
If they said that in a response, you'd be like, oh, I totally get it.
MARIA VARMAZIS
Yeah, but would a company really admit to that? I wish they would.
GRAHAM CLULEY
Yeah. So are they pushing out an update to disable that functionality?
CAROLE THERIAULT
Yeah, they very quickly issued a patch, which is good. The response seems good.
GRAHAM CLULEY
But it sounds to me, Carole, like you're kind of thinking this is quite a cool product. Despite this?
CAROLE THERIAULT
I don't know. I'm concerned by why this thing was there in the first place. So if someone smarter than Graham thinks he is can explain that to me, right?
To say how this could have accidentally been a, "Oops, how did that end up in there?" You know, I'm imagining right now there must be a lot of difficult conversation between the two technology partners that have created this watch because this is not a fun place to be.
That's my view anyway. But you know, I just think, actually coming back to your point in the beginning, I'm up for basic phones.
Bring back the Nokia 3310, bring me back Snake, the brick.
MARIA VARMAZIS
Yeah, the brick. I would be a fan of bringing back the brick phones, that's for sure. I would totally go back to that. Battery life, battery life.
CAROLE THERIAULT
Yeah, you find it in your bag easier because they're not so slippy and tiny.
MARIA VARMAZIS
God knows you could drop that thing.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
And I also prefer the old ringtones. Modern ringtones are rubbish. I want the old polyphonic type of their little MIDI files almost.
MARIA VARMAZIS
What I miss were the little phone charms. I had one that would light up a second before my phone call would actually arrive. Because it would be the phone was waking up.
So if I had my phone on silent, I would just have this little light flashing and it was—
GRAHAM CLULEY
A visual indicator that your brain has been irradiated.
MARIA VARMAZIS
Correct. It was great. I was, this is cancer. It's on its way to my brain. No, no. All that, yeah.
GRAHAM CLULEY
This episode of Smashing Security is sponsored by LastPass. Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.
In fact, tens of thousands of companies rely upon LastPass to protect themselves.
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.
Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
CAROLE THERIAULT
This episode of Smashing Security is also sponsored by Immersive Labs. They have created a free ebook. It's called Aligning Cyber Skills to the MITRE ATT&CK Framework.
The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity skill strategy.
It literally is a go-to framework. Learn more at immersive labs.com/smashing. And thanks to Immersive Labs for sponsoring the show.
GRAHAM CLULEY
Today's show is sponsored by Mimecast, the number one cloud email security and resilience companion for Microsoft 365.
Safeguard your organization against phishing, business email compromise, and risks of ransomware with Mimecast awareness training, an important layer of defense that picks up where Microsoft security leaves off.
Mimecast's unique breed of awareness training creates real change in your people and how your organization thinks about security. The video modules are funny and engaging.
The phishing test examples are from real-life emails your employees have clicked on.
And the real-time dashboard gives you access to individuals' test results, allowing you to focus on the employees that need it the most.
Mimecast email security and awareness training creates real change in your people. Real life, real time, real change.
Learn more about the impact of security awareness training by downloading the free State of Email Security report at smashingsecurity.com/mimecasthub. Mimecast.
Relentless protection. Resilient World.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Really?
CAROLE THERIAULT
On a 200-fucking-episode, it better not be Mr. Cluley.
GRAHAM CLULEY
And Carole, it's funny that you have just been speaking about old-fashioned mobile phone games like Snake, because my pick of the week this week is a slightly retro style of game.
It's called Scribble. I love Scribble! It is, you know this? I do. I love it, yes. So there's a ringing endorsement. Scribble is spelled S-K-R-I-B-B-L-E. And then .io.
That is the name of the website. And it is basically, it's sort of Pictionary, isn't it?
What happens is you are put into a room with about a dozen other people and one of them is nominated. They're given a word and they have to draw it on the screen with their mouse.
And everyone else is trying to guess what the word is.
CAROLE THERIAULT
Can we do this? If our live YouTube thing doesn't work out very well, could we just ask people to say what to draw and then we could just, we could play Scribble. Terrible. Okay.
MARIA VARMAZIS
Yeah, you can actually do a private room, so you don't have to have 12 strangers.
CAROLE THERIAULT
Oh, I can get off the stage? We're gonna go screw. Okay, bye everyone.
GRAHAM CLULEY
And it's quite fun. And the quicker you are at it, the more points you get, and—
CAROLE THERIAULT
Who do you play with, Graham?
GRAHAM CLULEY
Well, I don't know. Complete weirdos.
CAROLE THERIAULT
I was playing with— Do you play with your friends? Do you play with your buds?
GRAHAM CLULEY
I was playing with someone called Clever Dick earlier. I don't know if that was your username, Carole, but I was playing with them just earlier today. It's a simple little game.
And of course everyone— I'm terrible at drawing with a mouse. I don't have one of those, what are they called? The stylus.
Stylus or skating pad or whatever they're called, you know. But anyway, that is my pick of the week, scribble.io, but scribble is spelled in a weird way.
So look at it in the show notes. Scratch. Scribble. So Crow, you're the odd one out there because you've never played Scrabble.
Unknown
You should do it.
GRAHAM CLULEY
It's pretty good. Okay. Maria, what is your pick of the week?
MARIA VARMAZIS
Yay. So my pick of the week is yet again a video game because I'm stuck at home like everybody else and video games have become—
CAROLE THERIAULT
keep you sane, keep you sane. They do.
MARIA VARMAZIS
And this game is one that I probably wouldn't normally play. I feel like most of my endorsements start that way. I wouldn't normally play this. It's not really my style.
It's a game called Hades and it's by Supergiant Games. And they've made a whole bunch of amazing games like Bastion and Transistor, both of which I've enjoyed a great deal.
This one— Oh, yeah, of course.
CAROLE THERIAULT
That will mean something to somebody.
MARIA VARMAZIS
So to the people who— so Hades is a game about dying over and over and over and over and over and over.
And the plot of the story is basically you're the Prince of Hades, like you're Hades's son, and you're trying to escape the underworld.
And you will attempt it many, many, many, many times, and you will die over and over and over.
And every time you die, you learn something new, and you start over right at the beginning, but you kind of take some of that knowledge with you.
CAROLE THERIAULT
So it's like Groundhog Day with Bill Murray, a little bit.
MARIA VARMAZIS
And it's for people who know what a roguelike is, this is a roguelike game. So none— the rooms are never the same. They're generated on the spot by the game.
So you can't memorize the layout of a room or how a fight's gonna go because it's always random.
CAROLE THERIAULT
And is it physically fighting? Like, is it like, you know, like two characters having a— or is it more mental?
MARIA VARMAZIS
Oh no, it's fighting. It's a fighting game. And I'm not— OK. It gave me crazy carpal tunnel when I first started playing it because I'm just not really into that.
But the game is very smart about how it designs making the fights easier if you're not a fighting type person.
And normally, the kind of game where you just die over and over is not very interesting.
But they work it into the plot of the story in such a way that it's actually necessary for you to advance the plot. And they turn it on its head. It's very creative. Super, super fun.
And yeah, I highly recommend it. It's really fun.
GRAHAM CLULEY
Is it appropriate for all ages? Would you play this with your 3-year-old?
MARIA VARMAZIS
I have. Should I have? I don't— I mean, it's cartoony style. It's not, you know, you're controlling a tiny little sprite on the screen and you're fighting like crystal demons.
I don't know what its rating is, but should I play it in front of my 3-year-old? I don't know, but I have.
CAROLE THERIAULT
So no, the internet will tell you.
GRAHAM CLULEY
Ah, you're fine, you're fine. Fantastic. And Carole, what's your pick of the week?
CAROLE THERIAULT
Well, I have a very huge kicking pick of the week for you guys. I'm not even kidding.
It's super huge, because I have been working in secret with the lovely Anna Brady since the summer, and we've been grabbing tiny little moments together online, and we finally have something to show for it.
And because I made the deadline of the 200th show— yay!
You guys, get ready because I, Carole Theriault, announce a brand new hilarious podcast, Sticky Pickles, co-hosted with my very good friend Anna Brady, the Anna Brady that has appeared a number of times on Smashing Security.
Sticky Pickles, like being stuck in a pickle. Sticky Pickles, it's all about getting stuck in a pickle and having to think on your feet about how you might get out of it.
And we've obviously designed these to be as hilarious and ridiculous and cringeworthy as possible.
She doesn't know my story, I don't know hers, and it has absolutely nothing to do with technology. I know, don't cry, people.
GRAHAM CLULEY
I like the sound of that. Nothing to do with technology.
CAROLE THERIAULT
So hopefully by the time this goes live, you'll be able to just go subscribe to it.
But if not, you want to listen, you can go to stickypickles.com and you'll be redirected and you can listen directly.
So for the next wee while, our plan is to drop a new episode every Friday at noon UK time.
Your job, if you like what you hear, right, is to freaking tell me because I love doing it. But you know, if a tree falls in the forest, no one's there to hear it.
Who gives a fuck, right?
GRAHAM CLULEY
So how do we get in touch with you, Carole, to talk to you about the Sticky Pickles podcast?
CAROLE THERIAULT
Well, you can email us at . We have an Instagram page, Sticky Pickles Pod. How modern! Wow. Twitter page, called Sticky Pickles.
So if you like it, our plan is to make 1,000 downloads. Small potatoes for some.
GRAHAM CLULEY
I thought you were gonna say 1,000 episodes there.
CAROLE THERIAULT
I thought, oof. We can make our download number, that means maybe we should make more. It's just a question of logistics 'cause it actually takes a frickload of time.
MARIA VARMAZIS
It's true. Doesn't it?
CAROLE THERIAULT
And now that I'm doing 2 or 3 at a time, it's hard. So yeah, please.
GRAHAM CLULEY
So we need everyone who listens to Smashing Security who wants to hear more of Carole unleashed to download Sticky Pickles, the podcast?
CAROLE THERIAULT
Yes.
MARIA VARMAZIS
And download all of them, all 3 of them.
CAROLE THERIAULT
And then grab your friend's phone.
GRAHAM CLULEY
And then we go and—
MARIA VARMAZIS
Get me to 1,000. Downloading right now.
CAROLE THERIAULT
Oh no, Maria, I totally want your feedback. And we want to maybe invite guests, so that'd be a nice thing to know if we do another series of these.
Please, should we have guests on the show? It adds work, but if it's worth it, we'll do it. So it's down to you guys.
GRAHAM CLULEY
I've done my bit. Maybe if anyone is running a botnet, they could download the episode multiple times.
CAROLE THERIAULT
Hint!
MARIA VARMAZIS
I'm sure somebody listening is.
GRAHAM CLULEY
Not that we would condone such activity. However.
MARIA VARMAZIS
Never! It's just a statement of fact.
CAROLE THERIAULT
I would hate that, actually. I would hate that if all the bot— Yes, because then you're thinking, oh wow, 10,000 people loved my show. No, one guy did.
MARIA VARMAZIS
Botnet dudes, vary the IP addresses.
GRAHAM CLULEY
Yeah, forget that.
MARIA VARMAZIS
Forget that idea. Cycle those IPs. Do not do that.
CAROLE THERIAULT
Listen to it. Tell me I'm funnier.
GRAHAM CLULEY
Well, you will be funnier than me because I'm not on the show. Oh, you mean funnier than Anna?
CAROLE THERIAULT
No, no, I don't think I'm funnier than Anna. Anna is funny. She's hilarious. Yes, you're funny too. You're pretty good looking.
I bet most of our listeners, if they go through their podcasts on their phone, that some of them don't even have one podcast that is only presented by me.
GRAHAM CLULEY
Oh yeah. I should warn you, okay?
CAROLE THERIAULT
It's a teeny bit rude. Yeah. It's got the explicit tag for a reason.
MARIA VARMAZIS
Well, you know what a group of whales is a pod, a group of white males is a podcast.
CAROLE THERIAULT
Is that it? Yeah, well, not this one. Not this one. Sisters. Yeah, no, no, take a listen. I would really love feedback. And it's been kind of, you know, it was a pandemic panic special.
That's how we did this, because we thought we need to cheer ourselves up. So it is fun, and it does get crazy.
MARIA VARMAZIS
So how sticky are these pickles? Okay, there's—
CAROLE THERIAULT
Okay, okay. I don't want to give it any weight.
MARIA VARMAZIS
So sticky.
GRAHAM CLULEY
Can I just ask a question about the name? Does pickle mean— is it a euphemism?
CAROLE THERIAULT
Do you think your penis looks like a pickle? Not if it's healthy.
GRAHAM CLULEY
I'd go to the doctor if it did.
CAROLE THERIAULT
Right. Okay. So I think you answered your own question. Okay, good. Maria. Okay, I'll give you a weird little scenario.
Okay, I'm not going to give anything away, but imagine you're hosting a work party at your home. Right?
MARIA VARMAZIS
Hell on earth. Yes. Yeah, yeah. Okay.
CAROLE THERIAULT
And you have a family member there and they happen to get absolutely arseholed and do something utterly outrageous in front of your new colleagues.
MARIA VARMAZIS
Wasn't that an episode of The IT Crowd?
CAROLE THERIAULT
I don't know. I've never watched The IT Crowd. What? Okay, I'm not kidding. I know, I know, lots of people have told me that.
Everyone in my whole echo chamber can't believe that, but I've never actually seen a full episode in my life.
MARIA VARMAZIS
What the fuck? Okay, all right, so I haven't stolen it.
CAROLE THERIAULT
Okay, but question is, right, in the show is what do you do now?
So my— I'll set this up for Anna to be within cringeworthy, you know, oh my God, I have no idea how to handle this.
And then I'll— we'll set the question, let her just try and wiggle out of it live on air.
MARIA VARMAZIS
See, I'm a chaos agent, so I would just get everybody trashed, nobody will know.
CAROLE THERIAULT
You see, you could be a guest on the show.
MARIA VARMAZIS
You know my number.
CAROLE THERIAULT
You know my number. Oh, well, listen to it. Let us know if you want to be on it. Okay, okay, okay. That's my pick of the week. StickyPickle.com. Make me proud, guys. I'm counting on you.
MARIA VARMAZIS
StickyPickleOfTheWeek.com.
GRAHAM CLULEY
Sounds fantastic.
MARIA VARMAZIS
Sticky Pickle of the Week.
GRAHAM CLULEY
Sticky Pick of the... But you know how I'm going to cheer myself up is because I believe we have a featured interview with Mimecast. Oh, cool.
CAROLE THERIAULT
Yeah. Michael Madon is coming on the show now, and you can learn loads of stuff, but also he's very funny. So enjoy. Play it.
MARIA VARMAZIS
Hit it. Punch it, Chewy.
CAROLE THERIAULT
So October is here, and that means it's Cybersecurity Month.
Now, this is a very exciting thing for people within the industry, but there might be some people out there that don't even know it exists.
So I've invited Michael Madon, Head of Security Awareness at Mimecast, to join us. Michael, thank you so much for coming on the show.
MICHAEL MADON
Hi, Carole. It's great to be back.
CAROLE THERIAULT
I'm glad because you are the guy that we need to talk about this. So it is Cybersecurity Month. Who cares? Should I care?
MICHAEL MADON
You know, it's funny because sort of the way you were introducing it, it did seem like sort of a holiday and it is a holiday, but not for us, right?
It's really, in some ways, October begins the holiday season for hackers because they're ramping up for our actual holiday season and October is when they begin the ramp-up of their attacks.
On our side, for awareness month, I think the industry, I think we picked October really because of that, because we know that the holidays are a time when people are at their most vulnerable to do things like click something that's interesting, go online to interesting sites and buy cool stuff for Aunt Mildred.
But the hackers know that too.
And so October is a time when we really as a community come together to inform companies, to inform people, to inform Aunt Mildred that your computer is the coolest thing ever, but it's also really, it could be very dangerous and to be vigilant when you use a phone, your computer, etc., because there are criminals out there who are literally targeting you to get your information and to do things like empty your bank account.
CAROLE THERIAULT
Well, yeah, and I suspect this is probably, I mean, well, I know it is the first October that we've ever had where we have a global pandemic which has forced people to work from home.
So you have all these people that may have done all their online shopping within the secure perimeter of the business and now are doing a lot of that home shopping or that shopping on their home computers.
Do you see that that is going to cause some problems?
MICHAEL MADON
Yeah, I actually see what's happening.
So what was before the virus, what was happening was there was this movement of work and home and personal life just really conflating into this well, some people would say a beautiful flower, but others would say this mess, right?
And so working from home and being stuck within four walls, I think has only compounded the problem, right? So I think people may be shopping at home with the home computer.
They may be shopping with their work computer. I think personal and work has been just mushed together more than it, more than it ever has.
I think since we started working with computers, there's never been a time where I think the separation between work and home has been less.
CAROLE THERIAULT
And so it's true, I flip-flop between doing work and then going and buying jogging pants, right?
MICHAEL MADON
Exactly. And it never stops, and the hackers know this.
So I think what it has done, I think the virus and also compounded with just the general stress and turmoil that people feel in their, you know, the effect of the virus or a political system, is just putting people under a tremendous amount of stress.
And so what does this all mean? So the hackers love this because for them this is a field day, right? It actually really is a holiday, and here's why.
So typically what hackers do is they look for vulnerabilities in people, right?
They look for when people are not paying attention and they literally target people with things they think they'll be interested in.
So what they're really looking for is a person who's very busy, very distracted, under a lot of stress, and not paying attention. Well, welcome the great year of 2000.
Here we are, right? People are under an insane amount of stress, totally distracted, and oh, and there's one more component, craving information.
So the hackers are exploiting all this and they're having a field day. Hacks have gone up hundreds of times. And we see this in our own systems.
And if you don't train, and if you don't train yourself and train employees, the situation becomes pretty dire.
CAROLE THERIAULT
OK, so let's start with companies. OK, so we've got all these companies. They've got their home workforce now, a brand new thing for many companies.
What do you think are some of the key, what are the key things they need to address in terms of awareness?
If there is any one or the three messages you need them to get across to all their employees, what would you say that is?
Unknown
But before I joined Mimecast and sort of entered into the business world, I ran the intelligence shop out of the Treasury Department, the US Treasury Department.
So in that capacity, we worked on issues like sanctions, right? Sanctioning Iran or Iranian entities or North Korean entities, et cetera.
So often I'll get phone calls from people that I used to work with who are working with clients and have questions about treasury things.
So I get a call from a former colleague of mine who said, look, I have, I represent a client.
They are an engineering firm with a lot of IP, super, super cool energy stuff that's very, very important.
They got hit by a ransomware attack, and the ransomware attack hit them exactly where their IP was, and they were frozen up and they couldn't work.
So they were, the ransom attack was for $3 million, which they were going to pay. Yeah.
So they work with their attorneys, they were going to pay it, and at the last minute, and it was all above board, and at the last minute, the attorney said, sorry, wait a minute, you can't pay this ransom because the ransomware attacker is actually associated and affiliated with a designated entity.
And you can't, if someone is a designated entity by the UN or by the US, you literally can't send them money. It's like sending money to a terrorist organization, right?
And how did this happen? One of their employees clicked on a link, clicked on, it was actually an SMS, you know, went through their phone.
They also got the same message on their computer and they clicked that.
And so their phone was completely compromised and then their work computer was completely compromised and it was one person. And actually, there's no great answer.
There is no great answer. And the only right thing, which is unfortunately to say, is don't get into that situation.
CAROLE THERIAULT
I've heard you talk before about having a stop and think mentality. What do you, what does that mean to you?
What are you trying to suggest people should do when they're to employ that technique?
Unknown
Yeah, that's exactly right. And I don't think it really has changed.
So at the end of the day, if a person is getting an email that seems in any way, or a text, or honestly even a phone call, right, like a solicitation of some kind that seems in any way dodgy, chances are it is dodgy.
And there's no real big downside if you think it's dodgy and it's not, so what? You've checked it out.
But before you click on that link, either in your phone or on the computer or you provide any sort of personal information on the phone, which most banks, almost all banks will never require, stop and think about that and just take a tactical pause.
And at the end of the day, the safest thing you can do is just delete it.
And also block numbers that come in, set up email filters where things just go to spam and you don't have to look at them.
And then on the corporate side is you have to have a layer of security that blocks as best as possible these phishing attacks that come in.
I mean, this is the number one threat that a company has for compromise is the individual, right?
So I think it's one, educate the individuals so if they see something, they take a tactical pause, take a breath and say, wait, should I really be clicking on this?
Is it really worth it, it seems funny, something's misspelled or the URL doesn't make any sense or this just doesn't seem right, ignore it or delete it.
And then on the company side, they have to provide protection for their employees so that their employees aren't overwhelmed with the attacks.
CAROLE THERIAULT
Do you think home users would be wiser to have two different email addresses, for instance, that they use all the time?
One for their online shopping where maybe they're not 100% confident that everything is above board and then having one that they use for banking and for more of their really serious trusted work?
Unknown
The answer is maybe.
If you do that, but then your password's the same for everything, then it doesn't matter.
CAROLE THERIAULT
Okay, good point.
Unknown
What I found, so at work, of course, we use a VPN, which is a virtual private network.
And then I started using that on my home computer too, especially with working from home and the fact that we're all just more vulnerable and we're all so interconnected with each other that if a hacker really wants to get at you, right, they can compromise one of your friends and pretend to write an email from that friend, right?
It won't be exactly the same, right?
Likely it'll be strange, or likely they may be asking for information or asking you to send them money or saying they're in a panic and they've gotten held up.
So it is very possible that one of your friends or colleagues has been compromised too. So I think a VPN is actually probably a nice way to go.
It's a little bit of a pain, but it does provide extra comfort on a personal computer. And then I do think setting up different personas, that's a really good point.
I do think setting up different personas that are separated from each other by things like always using different passwords. 100%. Always. And also multifactor authentication.
Again, it's a little bit of a pain. It is so much better to use multifactor authentication.
You know, places like Google or Microsoft, they all have multifactor and they've all made it pretty much as easy as possible.
CAROLE THERIAULT
The thing I think most people struggle with is there is this assumption that when they say download a new app or tool or service, they assume that the default configuration is the safest configuration.
So I think they just go, "I've just set it up as a default and that means it'll be safe enough." And I think that is a really, really dangerous approach.
And I try and encourage people to go and look at the configuration docs.
The problem though is those pages are always designed completely differently and it can be really frustrating.
Unknown
Totally. So a couple of things on that. That's super interesting, right?
If you look at, for example, a company that's in AWS, LastPass is only as secure as you want your configuration to be.
If the analogy's with your house, how secure do you want your house? You don't get your house with a bolt on it. You get a key set, but you don't have to use it.
It could be wide open. Do you want an alarm system? Do you want motion detecting? Are you actually gonna lock your door or just get the house the way it is and it doesn't come locked?
So I think that that's really the analogy that people should use.
I think for someone who's not necessarily sophisticated in looking at configuration, what I would say is this, if you're gonna download something, go to the actual website where that thing is.
Don't download something from a link. Like I would absolutely go to the actual website or go to the App Store.
CAROLE THERIAULT
Never download something from a link. And you web providers out there, make sure it's really easy to find the page.
Now, companies who want to provide training to their employees need to get their skates on and need to do it virtually, I guess.
Unknown
From a Mimecast perspective, we were built for this. I mean, we actually built the entire company virtually, but we also set the training up.
And the reason why we set it up so it would work in a virtual environment from the beginning was not that we predicted this insanity to happen, but because training needs to meet people where they are.
And people, many, many people do not want to take any sort of training behind a desk.
We designed our training so that we meet people where they are and they're not always behind their desk.
So what I would encourage companies to do is find a security awareness training program that really meets people, meets employees where they are, and also has a learning methodology that incorporates microlearning so that it's super short and people don't have to click through PowerPoint slides, God forbid.
And the last part, which is really the most important, is that a security program that addresses the hearts and minds of the employee, right?
Ultimately, cybersecurity training and awareness training is a hearts and minds campaign, right?
It's about changing the way people think about security from something they have to do, like compliancy, to something they want to do, that they're committed to do, right?
From compliance to commitment is really what you're looking for in a program.
CAROLE THERIAULT
I think that sounds great, and I think a place that our listeners can look is Mimecast.
If you want more information on this, please visit smashingsecurity.com/mimcasthub, and there you can find the State of Email Security 2020 report that has been published by Mimecast.
Michael, anything to add?
Unknown
I mean, the neatest thing is that when I sold Atata to Mimecast and we became Mimecast Awareness Training, we were always looking for that golden nugget that actually showed that our product worked.
You know, it's actually very, very hard for a company to actually prove that they work.
They look at tests and they say, look, people on phishing tests have gone down to 2%, but that's a test. It's hard to really demonstrate efficacy.
And what's so cool is that we just finished up research that shows definitively with 30,000 to 40,000 customers that if you don't have Mimecast awareness training, you're 5.2 times more likely to click on a bad link.
I mean, that was really meaningful for us because now we can show and then continue to learn from what we're doing.
CAROLE THERIAULT
Michael Madon, thank you so much for coming on the show. You're— it's always good to have an expert that really knows their stuff.
You can tell you've been in the industry a long time. I'm not saying you're long in the tooth or anything. Very long, long time. You see, I told you. Told you it's good, right?
GRAHAM CLULEY
I enjoyed all that. Excellent points. Well made. On that sticky pickled bombshell, we've just about wrapped it up for our 200— fuck. I can't even say it. Podcast.
It's hard to believe we've got this far, but we have to thank all, yes, each and every one of our lovely listeners, our sponsors, our amazing guests like Maria Varmazis, who's been on the show this week.
MARIA VARMAZIS
Yay, thank you for having me.
CAROLE THERIAULT
And congratulations on 200! Thank you so much. We look great for 200, I think, don't you?
GRAHAM CLULEY
Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS
Twitter is still where it's at, God help it. It's @mvarmazis is where I am.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't have a G, and you can also join the Smashing Security subreddit.
And don't forget, if you want to be sure never to miss another episode, and you really shouldn't, because we're gonna have at least another 200 fabulous episodes for you in the future.
Subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts. And don't forget Sticky Pickles as well.
CAROLE THERIAULT
Okay, don't freak out, people, but as it's our 200th show, I'm sending you actual smooches on the cheek to all of you in the Smashing Security community. I know it's not safe.
Kick me. Mwah. Mwah. Mwah. Mwah. You chums rock. Also, high five to this week's Smashing Security sponsors, Mimecast, LastPass, and Immersive Labs.
Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Remember to show up on Thursday, 8 o'clock UT time, smashingsecurity.com/live.
GRAHAM CLULEY
Until next time, or maybe on the livestream. Cheerio, bye-bye.
CAROLE THERIAULT
Later. Goodbye. See you Tuesday. See you Thursday.
GRAHAM CLULEY
See you next Tuesday. See you next Tuesday.
MARIA VARMAZIS
We should have put it on Tuesday. I didn't want to say it. I was just sitting here chuckling. Well, it's been a pleasure. Thank you for having me on episode 200.
GRAHAM CLULEY
That's the way to say it.
EPISODE DESCRIPTION:
We're in a celebratory mood as we celebrate our 200th episode, but there's still time to discuss Fatima the ballerina who the UK government wants to become a cybersecurity expert, why women are quitting the tech industry, and a smartwatch which might be putting your kids at risk.
Plus don't miss our featured interview with Mimecast's Michael Madon.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.