Facebook has managed to do the seemingly impossible - and had a data breach about its handling of a data breach. Meanwhile, we chat to the host of the brand new podcast about North Korea's hackers targeting the rest of the world, and discuss if an intern can be trusted to monitor your security.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Geoff White of "The Lazarus Heist" podcast.
Plus! Don't miss our featured interview with Duo's Helen Patton.
Visit https://www.smashingsecurity.com/224 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Geoff White and Helen Patton.
Sponsored By:
- 1Password: The 1Password you know and love, now for all your company secrets
- 1Password protects secrets like logins and credit cards. Secrets Automation protects secrets in your company infrastructure – like API tokens, application keys, and private certificates – and supplies them when and where they’re needed.
- Visit 1password.com/secrets/ to learn more.
- Duo: While remote work has been on the rise for years now, the recent rapid expansion of work-from-home culture presents new security challenges. Duo Security makes application access more secure for organizations of all sizes. Its modern access security is designed to safeguard all users, devices, and applications - so you can stay focused on what you do best.
- Proactively reduce the risk of a data breach, verify users' identities, gain visibility into every device and enforce policies to secure access to every application. Give your organization the peace of mind that only complete device visibility can bring. Visit Duo.com to sign up for a free 30 day trial.
Links:
- Facebook isn’t sorry for letting someone steal personal details of half a billion users — Graham Cluley.
- Stolen Data of 533 Million Facebook Users Leaked Online — Business Insider.
- Interne mail toont hoe Facebook veiligheidsproblemen wil 'normaliseren' (Internal email shows how Facebook wants to 'normalise' security problems) — Data News.
- Facebook suffers a data breach about how it’s hoping to stop the media talking about its last data breach — Graham Cluley.
- The Lazarus Heist podcast — BBC World Service.
- Local Government Organizations Most Frequently Targeted by Ransomware — Infosecurity Magazine.
- Update On Ransomware Attack Against Town Of Didsbury — CKFM.
- Entry-Level Information Security Positions — Dummies.
- How to get an Entry-Level Cyber Security Job in 2021 — Comparitech.
- Getting into cyber security — Cisco.
- Cybersecurity training — NIST.
- Best online cybersecurity courses of 2021: free and paid certification programs, degrees and masters — TechRadar.
- PISCES: Public Infrastructure Security Cyber Education System.
- Paperball Deluxe — Nintendo store.
- Paperball — Steam.
- Paperball Deluxe – Indie Super Monkey Ball!? — YouTube.
- Jeff Mills - "Exhibitionist Mix" ( Full version) — YouTube.
- Invincible — Amazon Prime.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GEOFF WHITE. Do you remember Hot Shots, the Charlie Sheen comedy?
GRAHAM CLULEY. Oh yes, Part Deux.
GEOFF WHITE. Yes, Part Deux. Saddam Hussein gets killed for reasons too complicated to explain in this podcast, or indeed in life generally. The one that's killed is a sort of hybrid version of Saddam Hussein mixed with his own dog. So we had this conversation about, well, does that count? Because actually he's a sort of chimera. And it's like, I'm now corresponding with Seth Rogen on Twitter about whether Saddam Hussein was a real character in Hot Shots.
UNKNOWN. Smashing Security, Episode 224: The Lazarus Heist, Facebook Faux Pas, and No-Cost Security with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 224. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we're joined this week by a returning guest. He's got a brand new podcast. It's Geoff White. Hello, Geoff.
GEOFF WHITE. Hello, hello. Thanks for having me again.
CAROLE THERIAULT. A fabulous new podcast. Oh my gosh, Geoff.
GEOFF WHITE. Thank you. It's very kind.
CAROLE THERIAULT. Well, it's pretty— I was really impressed. I haven't finished the first episode. I've got 10 minutes left, and I'm dying to know what happens, so—
GRAHAM CLULEY. We should name-check it, shouldn't we? So it's The Lazarus Heist.
GEOFF WHITE. Indeed, The Lazarus Heist. So named for, as a lot of your listeners will be aware, the Lazarus Group, the alleged North Korean elite group of hackers. You would not believe how long it took us to settle on a title. It was something like 6 weeks. And from the beginning, I was like, "The Lazarus Heist," that's a good title. And they said, "What about this or this?" "The Lazarus Heist," that's a good title.
CAROLE THERIAULT. Can we have a failed title?
GEOFF WHITE. Oh God, well, there's all these— I mean, The Lazarus Group, there's all these other names they've got, like Stardust Chollima and Beagle Boys. And so we came up with all these other names. We came up with what we thought was a good name, but then somebody had already written a book with that name. And it just—
GRAHAM CLULEY. Ah, anyway. Were you not tempted to give it a name like Kim Jong Pone or something like that? You could have called them Kim Jong Pone.
GEOFF WHITE. Oh, where were you when we needed you? No, we were trying to— Yeah, then there was this whole thing of, "Well, you know, will people be able to spell the word Lazarus?" And, "Should we get North Korea in the title?" I don't know. We went through all sorts of hoops. But the reason I liked Lazarus Heist was, if it's on the cover of a book or something, it sounds like a Frederick Forsyth book. That's why I liked it. I thought that just sounds sexy. And so, I'm glad they went with it in the end.
CAROLE THERIAULT. We're gonna hear tons more about this in just a minute in Geoff's section, aren't we?
GEOFF WHITE. You are. Definitely. If I have anything to do with it, we are.
CAROLE THERIAULT. So, let's thank this week's sponsors, 1Password and Duo Security. Smashing Security. Their support helped us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I've got a different, different, honestly, Facebook data breach. Not the one you're thinking of. Groan.
CAROLE THERIAULT. Geoff, what about you? We already know.
GRAHAM CLULEY. Indeed.
GEOFF WHITE. I'll be wanging on about my new podcast.
CAROLE THERIAULT. And I'm looking at a cyber approach designed specifically for strapped local municipalities. Let's check it out and see if it's any good. And we have a great interview with Helen Patton of Duo Security. She's worked everywhere and just recently joined Duo Security, which is now part of Cisco. She is wise people, so put up with us wibbling about until we get to her. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, as I just alluded to, Facebook has suffered another data breach. Now, you might remember a few weeks ago, we talked about it in episode 222 with Nina Schick, that Facebook had the rather embarrassing situation of finding out that a mere half a billion Facebook users had had their personal data leaked online, their phone numbers and other information as well.
CAROLE THERIAULT. Teeny tiny, teeny tiny.
GRAHAM CLULEY. Yeah, don't worry, don't worry about it. But I think it's worth just recapping what happened there and how it happened. Because we now have more information than when we recorded that podcast. And then we'll get on to what's now happened in terms of a breach. So, the details of 533 million users from 106 countries were scooped up via a vulnerability in a Facebook feature called Connect with Friends. All the time Facebook is bugging you saying, uh, uh, wouldn't you like to know who your Facebook friends are?
CAROLE THERIAULT. 'Just upload your—' 'Do you have any friends?' 'Yes, do you?
GRAHAM CLULEY. Prove you have friends. Upload your address book to us, please, please.' They're always whining on about it. So what they do is, once they've got access to your address book, they compare the phone numbers, the ones which they already have from other Facebook users, to ones you've stored on your smartphone. Okay. And that's a bit of a problem, isn't it? Because it means that even if you've never chosen to be a member of Facebook because it's a steaming crock of shit, you may have had your details uploaded to Facebook by one of your acquaintances. Someone who happens to have your phone number and details in their address book.
CAROLE THERIAULT. Wasn't that always the case pre-mobile land?
GRAHAM CLULEY. Oh yeah, it was always possible to do some of these things and to collect the information, but with smartphones, of course, it's become so much easier, and people have this information simply to hand. It's just pressing a button and off it goes.
GEOFF WHITE. I think you, as part of the terms and conditions, I get the feeling that you consent to this. You warrant that you have asked everybody in your address book that it's okay to share their info. I think that's in the terms and conditions.
CAROLE THERIAULT. Yeah, page 26.
GEOFF WHITE. Yeah, yeah, yeah, after the bit about, you know, killing of your firstborn and, you know, plagues of locusts, all that kind of— yeah, high up where you'd read it, you know.
GRAHAM CLULEY. So that's obviously a problem that Facebook does this basically with your address book. But the other problem is this: Facebook had very few safeguards in place to protect this particular feature from being abused, which meant that someone was able to basically exploit Facebook's connection feature, their connect with friends feature, by pretending to have in their address book every single phone number on planet Earth.
CAROLE THERIAULT. Yeah. So like 500—
GRAHAM CLULEY. Well, if you had every possible combination of phone number, no, 000000000 to 999999999, you could upload all of those to Facebook through this feature. Shit. And that way you would be able to determine that person X was the owner of phone number Z. Do you see what I mean?
CAROLE THERIAULT. Yeah. Yeah. And the irony here is every single phone number or combination of numbers that was uploaded as a phone contact that Facebook didn't recognize, it probably went, ooh, a brand new contact we can go after.
GEOFF WHITE. Ooh. "Ooh, this guy's just got nines in his phone number. We haven't found him before." But this, I mean, you know, that is— I think I'm right in saying quite a lot, which is obviously a mathematical term. That's like 10 to the power, you know, isn't that 10 to the power 12 or something? That's insane numbers. But yeah, I guess they're not writing them all down by hand, I suppose.
GRAHAM CLULEY. They managed to get half a billion Facebook users' details as a result of this. And the thing is that if you do this, you get information which is not publicly viewable on users' profiles, right? So your phone number does not have to be publicly viewable on your profile, but this will have revealed your phone number to somebody. Yeah.
GEOFF WHITE. When I was doing this TalkTalk investigation years ago, that's how I found the Indian scammer. Because somebody gave me his phone number, his Indian mobile number, and I entered it into Facebook. And at that stage, you could enter a number into Facebook, and even if the number wasn't public on the person's profile, their profile would come up. That is true. Oh my God.
CAROLE THERIAULT. So how many examples do we need of Facebook screwing up before people get off it? I mean, their share price is still rocketing. I just don't get it.
GRAHAM CLULEY. Well, you know someone who had their phone number exposed by this breach and probably should get off Facebook is a guy called Mark Zuckerberg. Yes. So he is one of many people who had this experience, which meant now people in the public debate.
CAROLE THERIAULT. He's on our side. He's now on our side.
GEOFF WHITE. Oh, shucks. What, you mean my number was in? Oh God, better sort this whole thing out then.
GRAHAM CLULEY. Well, Facebook, you'll be surprised to hear Facebook, Facebook downplayed the problem. Facebook called the data, quote, old data. Well, it wasn't really old, was it? Unless you'd changed your phone number.
CAROLE THERIAULT. Like, my name has been around for a while.
GRAHAM CLULEY. Yes, exactly. And you haven't changed your sex and under lockdown, none of us have changed our location. So, you know, this wasn't really old data. Well, that got them a bit of criticism. Then they said, well, it isn't really a breach, they said, because the data has been scraped from our site. They said it's not as though we got hacked, they said.
CAROLE THERIAULT. Can you imagine the meeting where these were discussed? These would be the soundbites we would give to the press. Yeah. Old data.
GRAHAM CLULEY. Yes, that will confuse them. Well, it's funny you say that, Carole. Oh, oh, oh, because this is where the other breach has occurred. Because I said at the beginning, Facebook has been breached once more, and I'm getting the popcorn.
CAROLE THERIAULT. I'm getting the popcorn. Hold on.
GRAHAM CLULEY. Hold on. What happened was Facebook's PR department accidentally forwarded their internal plan as to how to deal with this snafu to a member of the press. Detailing their strategy for handling questions about the breach. They, they— Oh, I love it.
CAROLE THERIAULT. This is too delicious. Okay. Can you read the entire thing slowly from start to finish?
GEOFF WHITE. In an American accent? I won't read it all.
GRAHAM CLULEY. They emailed it to a Belgian journalist going by the name of Pieterjan Van Leemputten. I've never heard a more Belgian-sounding name than that. They accidentally forwarded him an internal email which was meant to only have been seen by Facebook's European comms team. And in it they are, well, first of all they're doing a bit of a post-mortem as to how well they've managed to dampen the news. And they're saying, although the media have been very critical of our response, some have called us evasive, some are noting that we haven't apologised, because Facebook still hasn't apologised or said sorry or anything for this.
CAROLE THERIAULT. Of course not! Because it's not their style.
GRAHAM CLULEY. And they say, look, the media are framing Facebook's assertion that the information was already public as misleading. So Facebook's been saying this information was already out there. How can this be a breach? But the media weren't buying it.
GEOFF WHITE. Well, it wasn't— it wasn't out there. The whole point is it wasn't out there. You can't use the word—
GRAHAM CLULEY. Sorry. No, no, no, you're quite right. Part of it was not out there. Okay. Maybe if you had connected with someone who was a friend, then you would have been able to access it. But the whole point of this exploitation was you were able to get information which you would not normally be able to get. And they should have had measures in place. So Facebook's comms team, they say in this email they forwarded to the journalist—
CAROLE THERIAULT. Is this an external group or an internal group, the PR team? Oh no, it's internal.
GRAHAM CLULEY. It's fb.com. Okay, so it's not like a third agency? No, these are people employed by Facebook, within Facebook. Yeah, that's right.
CAROLE THERIAULT. So they had a meeting, they put together their comms plan, they did the post-mortem, they put the notes together, they fired it off to this Belgian journalist. Oopsie.
GRAHAM CLULEY. And they said, The good news is that we're seeing a decline in coverage both on social media and traditional media. So people got all hot and antsy about it, but it seems to be calming down, they're saying. And they say, well, we're gonna share now our strategy of what we're going to do going forward. They say, what's necessary is we need to start framing this data scraping, as they call it, in order to deflect future criticism, we need to frame this as a broad industry issue. And normalize the fact that this keeps on happening regularly.
CAROLE THERIAULT. So basically saying, we're not at fault, it's just that the bad guys are just too strong and too numerous, and it's happening to everybody. Exactly.
GRAHAM CLULEY. And it ain't just us.
GEOFF WHITE. And I know of at least two other PR operations and departments in tech companies that I've come across who I've pinned for particular cock-up, who've used exactly the same strategy, called me in and said, well, you know, it's an industry-wide problem, and have then tried to name their competitors to sort of say, well, you know, Company X, they've got problem. It's like, no, no, no, no, no, don't, you know, don't try and pull that one. Ah, cynical.
GRAHAM CLULEY. So carrying on the email, they then say, well, in the next several weeks, they say, we are going to publish a new blog post describing the steps we're taking to prevent scraping off the site. And they admit in the email, they say, look, when we do this, there is going to be a revelation about a significant volume of other scraping activity.
CAROLE THERIAULT. A revelation?
GRAHAM CLULEY. Yes. You use that word? That's me.
CAROLE THERIAULT. Okay, okay, oh my God, disinformation, misinformation. Okay, I didn't know you were adding color.
GRAHAM CLULEY. They are going to reveal a quote significant volume of scraping activity in this forthcoming blog post, which they say they hope will normalize the issue and help avoiding criticism. So in short, this is where we're at. If we outside of Facebook stop talking about this issue, Facebook isn't going to provide any more information, right? Hmm. They're hoping the problem goes away. They also want to frame this and normalize it as an ongoing industry problem, and they want to avoid any criticism that they haven't been transparent. Which they haven't been.
GEOFF WHITE. And, well, no, they haven't, and there lies the problem, because they initially said this problem was discovered and resolved in August 2019, and then researchers came out of the woodwork and said, "Hang on, I told you about this in 2017." And look, this entire thing, after Cambridge Analytica, I quite clearly remember the testimony in the Senate committee where I remember Facebook saying, "We actually think this kind of scraping behavior might have affected all of our users, as in all 2 billion users." I mean, A, I don't think this is new, and B, this isn't just glitched somewhere with one— They sort of admitted to mass scraping, I'm pretty sure. Maybe I've got the committee wrong, but anyway.
GRAHAM CLULEY. I think you're probably right. And the thing I feel about this is, yes, sure, if something's up on a public page, well, Google is scraping that, for instance, right? All kinds of sites are probably scooping that up in some fashion. But here they got information which was not publicly viewable as well.
CAROLE THERIAULT. But old data. But old data. So, you know.
GRAHAM CLULEY. Old days, like your name. But even if there wasn't that issue, surely Facebook has the wits about it to spot 'Oh, hang on, someone is trying to connect with 100,000 or 1 million or half a billion people. That's a bit suspicious.
GEOFF WHITE. I think maybe I should rate limit that.' Well, maybe they just think, 'Wow, we've hit upon the one person in the world who knows loads of people, like a super connector. Oh my God.' Yeah, exactly.
CAROLE THERIAULT. That's exactly what I think they did.
GEOFF WHITE. And they were like, 'Oh my God, finally, the man who knows everybody.' Yes.
GRAHAM CLULEY. So the worst thing from Facebook's point of view is for people to carry on talking about this. And when I realized that, I thought, I know what I'm going to talk about on the podcast this week. I think we should, we should return to this because we've all had that situation of forwarding an email. Or actually what happens is sometimes you, your email autocompletes, doesn't it? So someone in Facebook's PR team probably were trying to forward it to another Peter or something, and they accidentally typed Pieter van whatever his name was, and it went to him instead. We've all had that happen, and it can be disastrous. But in this particular case, it's just compounded already a PR nightmare for Facebook.
GEOFF WHITE. Well, has it?
CAROLE THERIAULT. I hope it has because ultimately what matters is the fricking coffers, right? The money in the bank. That's what seems to motivate them. And until people get off it and they lose advertisers, they're not going to stop.
GEOFF WHITE. And I have friends who have issues with Facebook for exactly this kind of reason, but are all on WhatsApp. And WhatsApp was a brilliantly engineered takeover because it opened up a whole new— people who weren't on Facebook, who wouldn't have got Facebook on their phone, suddenly they've installed WhatsApp and that's opened up a whole new trove of information for Facebook to look at.
CAROLE THERIAULT. It's like I listen to The Daily from The New York Times pretty regularly and they have ads for Facebook and they're always like, "Oh, Facebook, we were there for you and help connect people and blah blah blah." And I'm like, how the fuck can the fucking New York Times have Facebook advertising?
GRAHAM CLULEY. Editorial's separate from advertising departments.
CAROLE THERIAULT. Well, actually, interesting you say that, but I saw a few articles that said maybe they're, you know, I think it was the Wall Street Journal that kind of said, why aren't the New York Times talking about Facebook?
GRAHAM CLULEY. It's a challenge for many news outlets, isn't it? We'll take on just about anyone as a sponsor, won't we, Carole?
CAROLE THERIAULT. No, we won't. No, we won't. Only very, very elite.
GEOFF WHITE. Right. Yeah. Right. Well, now let's hear from our sponsor.
GRAHAM CLULEY. Sponsor the Lazarus Heist and see what they have to say about the brand new pod—
GEOFF WHITE. Sponsor implies I'm paying you some money, which you should point out, very much, very much not the case. Geoff, over to you.
GRAHAM CLULEY. What do you want to talk to us about this week?
GEOFF WHITE. Well, yeah, I say it's the podcast. The first episode of the Lazarus Heist podcast went out yesterday. This is something I've been working on for about 9 months, but the interesting thing is, obviously, it's about North Korean government hackers and their alleged activity. We've had to be very, very careful, so we couldn't really tell anybody about what we were working on and what we were doing, which is incredibly frustrating because you get these great things, you're like, "Oh my God, it's great," and you want to go to Twitter, but you have to stop yourself. But we can now go public about it. Basically, off the book I published last year, Crime.com, one of the chapters got picked up, and really, it's about the Bangladesh Bank job. So North Korean hackers allegedly broke into Bangladesh Bank, tried to steal $1 billion. Through a series of mishaps, which I hadn't even fully comprehended how completely coincidental the mishaps were, they managed not to get $1 billion, but they did get $81 million. And then they laundered it through a bunch of casinos in the Philippines. And I suspect a lot of your listeners will have come across this story. I'd be surprised if they haven't. Honestly, the people we found and the stories they tell, it's just absolutely astonishing. Like the guy who was working in the casino when they turned up with the money. And he was like, "Yeah, these guys turned up I'd never seen before, and they had so much money we had to open up a whole new room for them 'cause there was too much money. We had trouble counting it, there was that much money. And then when they gambled, they just didn't care if they won or lost." Like, who does? He was completely nonplussed by this group. And then of course, later it turns out this was part of the money laundering effort. It's just incredible. Amazing tales, amazing people we've got hold of. And so we start off with the Sony hack.
And again, Sony hack's really interesting because you think you know it, but then you actually hear from people who were in Sony at the time. It's like, "God, that was an annihilation of the company." The cynicism with which that unfolded, that attack, was amazing. Yeah.
CAROLE THERIAULT. I've been in the industry a long time and I've been peripherally involved with the Sony hack for a long, long time, and I still learn stuff. In your bit, right? Totally. And it was so interesting with your co-host, right? Because actually, tell us about her.
GEOFF WHITE. Yeah, so this is, yeah, really lucky to have this. So we were looking, I was like, oh, this Bangladesh bank job and the hacking. And the BBC were like, but yeah, it's North Korea. Let's have a, allegedly, let's have a look at North Korea and how that country works. So we've got a woman called Jean Lee who ran the Associated Press Bureau, the AP Bureau. She opened the first foreign news bureau in Pyongyang, the capital of North Korea. She lived there for 8 years. The stories she's got about the place and the way it works. It's just absolutely astonishing. I didn't realise this, but the image is sacred. The image of Kim Jong Un and the other leaders is sacred. So if you have a newspaper in North Korea, you can't throw it in the bin or crumple it up, because it's got his picture on it. I love that. And there was this story of a group of tourists going to Pyongyang, and one of them was trying to take a funky angled picture of the statues. And this guy, this soldier, literally an armed soldier, came over and said, "No, you have to take a picture normally, because we don't want any funky angles." 'cause that's not allowed. It's just— it's a different world. It's a totally different world. And she knows it, like, back to front. It's just incredible. Amazing.
CAROLE THERIAULT. Yeah, yeah. Totally fascinating. So, having her there as a counterfoil is so great, 'cause she's a reporter, but not a specialist in cyber. Is that right? So, she knows all about North Korea, but not cyber.
GEOFF WHITE. I know a lot about cyber. Yeah! I know a bit about North Korea, but you just have no idea how crazy and different this country is.
GRAHAM CLULEY. So, I've only heard the first episode so far, which obviously is focusing at the moment on the Sony Pictures hack. What I really enjoyed about it was that you were speaking to actual employees who worked inside Sony Pictures and also people who worked on the contentious comedy movie The Interview, which was— so you were speaking, for instance, to the screenwriter who at one point was considering whether he needed personal security because it sounded like the threats were going to get more physical.
GEOFF WHITE. Yeah, yeah. Well, they got— I mean, obviously there was an intimation from the hackers at one point they were going to turn all of this physical and unleash violence. So basically, a lot of the people around The Interview, the bigger stars, got security bodyguards. And the screenwriter was like, "Oh, maybe I need a bodyguard." So he hired this Israeli security expert to talk to him. And the Israeli security expert basically came in and said, "You're the screenwriter. Nobody cares about you. You are under no danger at all." But I was trying to get, obviously, Seth Rogen to do an interview for us. And Seth, if you're listening, my door's still open, man. I'm still here for you. So he blanked me completely on Twitter. And then we had this bizarre exchange where— because obviously the plot of The Interview is a bunch of journalists go to North Korea for an interview with Kim Jong-un, and the CIA try and get them to assassinate him. That's the plot. So I was saying, "Well, are there any other films, fictional films, where a real world leader actually gets killed as part of the film?" And sure enough, Seth Rogen chimes in. So we've got this back and forth of like— and the only one we could work out was Hot Shots. Do you remember Hot Shots? The Charlie Sheen comedy? Oh yeah, Part Deux. Yes, Part Deux. Saddam Hussein gets killed in both films, but in the second film, for reasons too complicated to explain in this podcast, or indeed in life generally, the one that's killed is a sort of hybrid version of Saddam Hussein mixed with his own dog. So we had this conversation about, "Well, does that count? Because actually he's a sort of chimera." And it's like, I'm now corresponding with Seth Rogen on Twitter about whether Saddam Hussein was a real character in Hot Shots. It's bizarre.
CAROLE THERIAULT. And the way you cover that bit though, when you're talking, his name is Dan Sterling, I think, right? Is that right? Yeah, yeah. When you're speaking with him and kind of goes, "Yeah, that's when we decided to actually make it Kim Jong-un rather than a fictitious guy." And when he says that, I'm thinking, "Yeah, that sounds a bit beyond edgy." One of the interviews we didn't use in the podcast, I still think it's good, but for various reasons, it didn't work out.
GEOFF WHITE. Somebody was sort of saying, "Look, you've got to realize, in North Korea, Kim Jong-un is kind of treated a bit like the Prophet Muhammad." So, in Islamic art, you don't depict the prophet. And it's that level of— that it is quasi-religious. You couldn't quite describe it as religious, but it's very close to religion. And, you know, when you depict the Prophet Muhammad, that is a very sensitive issue for Muslim people. You cause the same level of offense in North Korea. And there's arguments about whether you should and shouldn't, but you've got to realize that's the level of offense you're causing.
CAROLE THERIAULT. But I'm surprised because you mentioned at one point that the producers went and spoke to the government officials just to kind of get a kind of nod, I guess, or like, you guys are cool with this?
GEOFF WHITE. Yes, they spoke to private intelligence community type people. Yeah.
CAROLE THERIAULT. Did no one say, "No, please, God, don't! Are you insane? He's mental!" You know?
GEOFF WHITE. Again, an interview that we didn't include in the podcast. There was some interesting advice, and the advice was, well, on the one hand, yes, you might get pushback. I don't think anyone thought what would happen to Sony would happen. I mean, it was astonishing, the annihilation that they reached. But the counterargument was, well, A, if you backtrack and soft-pedal, you're kowtowing to censorship, effectively self-censoring. And B, a film like this is a sort of exercise in soft power. Maybe people in North Korea will see it and they'll think, "Well, we'll take on Kim Jong-un." So there was a sense of it got quite big and quite political. And one of the arguments was, "This is what America does. We are freedom of speech. We go up against people like this." So I think Sony was hearing that as being an argument of, "Well, okay, let's keep going," I think. But obviously, let's face it, hindsight's 20/20, isn't it? We had no idea they were going to get as stamped on as they were. But the advice was ambivalent at best. I don't think anybody said to them, no, don't do this. Are you crazy?
CAROLE THERIAULT. Yeah, it obviously worked because with Trump, all we had was a huge inflatable baby in diapers. So that's a bit better somehow. Where is the baby?
GEOFF WHITE. I wonder what's happened to that.
GRAHAM CLULEY. Do we know at all what North Korea thinks of Team America: World Police? Which had Kim Jong-il in it, didn't it, of course? Yes, Kim Jong-il was killed in that.
GEOFF WHITE. Now again, with Seth Rogen, it was like, well, that's a puppet. Does a puppet count? Anyway, but here's the interesting thing. So I was like, yeah, why didn't they kick up a fuss about Team America? Kim Jong-un came in, and all this stuff you find out when you speak to someone like Jean Lee, who's an expert. Kim Jong-un comes in. Kim Jong-il, his predecessor, had had 30 years of being groomed for power. He was the big guy. He was going to come in. Everybody knew Kim Jong-il is this guy. He's going to take over. Kim Jong-un, nobody had heard of this guy. Literally, they'd never seen his face before. And suddenly he pops up as their leader. And so he's got to stamp his authority. He's got to say, "I am the guy. I'm going to protect you." So when something like The Interview comes out, you can imagine, again, this is all allegations from the FBI, but if it is true that North Korea did this, it makes a bit of sense because Kim Jong-un's like, "No, nobody screws with me, buddy. I am going to wreak havoc on you." And that makes his people think, "Oh yeah, this guy's a strong man, strong leader." He opened a can of whoop-ass.
CAROLE THERIAULT. Yeah, basically.
GEOFF WHITE. And unleashed it. Yeah. But this is just the start. We go into all sorts of crazy stories. So how many episodes do you have? 10 at the moment, 10. But we're still working on it.
GRAHAM CLULEY. I hope Seth Rogen does call you up.
GEOFF WHITE. I still— I still hold out a candle for Seth.
GRAHAM CLULEY. And then you can upload his phone number to Facebook, maybe.
GEOFF WHITE. Yeah, yeah, yeah, exactly.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. A lot of us might think that ransomware scammers go after the rich, the powerful, you know, banks, insurance providers, CEOs, Elon Musk. Did you hear about his Tesla thing? Oh, the cars that—
GRAHAM CLULEY. Oh, some Teslas crashed, didn't they? Yeah, so it crashed, two people inside.
CAROLE THERIAULT. And the whole thing is like, people are confused about the automatic driving feature, assuming it's like driverless cars. And Musk is, as far as I can see, saying, no, no, there's no confusion. It's like, well, people keep getting in the car and then hitting trees.
GEOFF WHITE. I must admit, you know, calling it autopilot did seem to be a bit of a kind of— I agree. Most people think that's an automatic pilot. I don't know, maybe I'm just—
CAROLE THERIAULT. I'm with you 100%.
GRAHAM CLULEY. But at the same time, there are thousands of other car crashes every day which don't get that kind of attention.
CAROLE THERIAULT. Oh, are you buying a Tesla?
GRAHAM CLULEY. Is that what's going on? No, I don't have one, no.
CAROLE THERIAULT. But anyway, okay, so ransomware, Carole, ransomware. Yes, ransomware. Okay, so sure, loads of high-caliber places get targeted, but take heed, little cherubs. The less financially secure, less infosecurity-savvy organizations out there, like local education, local government, local healthcare, are getting caught in the web. And I was like, how bad is this? Because I mean, I'd go where the money is. I'd go for the big places that might have weaker security were I a bad guy, I imagine. But according to Barracuda Networks, they did a study last year, and, like they say, 44% of the global ransomware attacks that have taken place are aimed at municipalities. So basically almost half of global ransomware attacks are aimed at municipalities.
GEOFF WHITE. So this is town councils and local governments. Yes. Whoa. That's— Right?
GRAHAM CLULEY. Well, it doesn't— that kind of makes sense in some ways, doesn't it? Because you would expect them maybe not to have a huge cybersecurity budget, but the impact of those municipalities being— their network being buggered impacts so many hundreds of thousands of people, doesn't it?
GEOFF WHITE. And they have a legal duty, I think, some of those. You have child protection, for example. You have a legal duty to provide it. So, unlike a private company, a council can't necessarily say, "Well, sorry, we're not gonna pay up." Yeah.
CAROLE THERIAULT. So I'm reading this and I'm going, "Wow, that's weird." And then weirdly, as I'm contemplating this as a story, Graham and I get a Canadian listener on Twitter pointing us to an exact example of this. An attack that happened in a teeny tiny small Canadian town of 5,000 called Didsbury. So quote, the town of Didsbury discovered it was the victim of a cyberattack in which fraudsters encrypted the town's information systems with ransomware. And then I love this, it's like the threat actor may have access to files with limited information of a small number of residents such as name, phone number, address, and email address. Oh, I don't know if that's tiny limited, but anyway. First question I had was, why are municipalities with less cash being targeted? I get that they would have less IT in place, but you're thinking it's just the impact is what you're saying.
GRAHAM CLULEY. Well, I'm thinking there'd be enormous pressure on them to pay up because it's not just commercial. It's like people who need the housing benefit, for instance, or, you know, or a fireman to come in, right?
CAROLE THERIAULT. Or fines to be paid.
GRAHAM CLULEY. Just everything clogs up and stops.
CAROLE THERIAULT. Did I just say fireman? Like the 1980s?
GRAHAM CLULEY. What do you mean to say? Fireperson. Firefighter. Oh, okay.
GEOFF WHITE. Of course. I don't think you get to pick the gender. I think they just turn up.
CAROLE THERIAULT. Yeah, Graham.
GEOFF WHITE. And also, phoning up to request a female fire crew, that might sound a bit weird. Like, I want the female fire crew.
CAROLE THERIAULT. We'll get 6 firemen and 1 firewoman.
GRAHAM CLULEY. Thank you. Keep your gumboots on. Oh, did I say that out loud? Sorry, I was just thinking it. Okay.
CAROLE THERIAULT. So do you think there's like two tiers of like, or many tiers of ransomware attackers, right? There are going to be those that are very slick. They're going to go after like the supply chain of huge industries. And then there's going to be the lucky punks who are just trying tried-and-tested techniques on those that are most poorly defended. And that's what I think is happening. I just think because almost half of ransomware attacks are happening on small, unwitting, you know, "What's ransomware?" type environments, it's pretty difficult. So I think we all agree these people need some cyber knowledge, some cyber defense going on. Problem is either they can't afford people with the right seniority, and herein lies the famous technology catch-22. You've got lots of young talented folk who are desperate to get a job, but you have that shitty catch-22, which in order to get an entry-level position, you need to have job experience. Even a mom-and-pop shop won't just take a student, right? They're going to want someone who has real-life experience. And so you've got this huge gap, right? And so how do you fix that? Oh, there's loads of like corporations out there, nonprofits trying to fix this issue, right? So you've got like the biggies like Cisco and Cybrary and NextGen, like, and they all offer free training. Cyber Essentials stuff. And I'll put loads of links inside the show notes if anyone's interested in looking at that. But one that caught my eye is called Pisces. That's P-I-S-C-E-S. And weirdly, when I Googled them to look into how they worked, I saw that Dave Bittner from CyberWire chatted to one of the founders about a month ago. These guys are a nonprofit that provide free cybersecurity monitoring to public sector municipalities that meet their criteria in exchange for using the data collected to train their students in real-life situations. So effectively, the students are the analysts. They are the security defenders.
GRAHAM CLULEY. Pisces are offering this kind of information and training for free online, are they? No, no, Pisces—
CAROLE THERIAULT. It's not information. They will monitor your network. Oh, right. You are a public sector organization, right? A city, a county, a port, a school district, or a public utility. Mm-hmm. You have less than 150 employees. And there's a few other tiny little things, and you agree to share anonymized event information. Okay. All right. Pisces, who's now working with 5 universities, but trying to expand that across the states and even further, they want to use that metadata that's collected from customer networks so that students who act as cybersecurity analysts can learn, right? And evaluate the events that are being observed and learn about it and become good at their jobs and hireable. Pisces.
GRAHAM CLULEY. Sounds a bit fishy to me. Come on. It was better than that. Come on. Seriously. Really? Yeah. No, it really was. Maybe it's my delivery. I just— I've had that up my sleeve for about 30 seconds. I was thinking, how am I going to get this in?
GEOFF WHITE. Itching to use that one.
GRAHAM CLULEY. I was dying to use it. This Pisces thing, Crow, is it a bit fishy?
CAROLE THERIAULT. Geoff's your bed buddy. Thank you, Geoff.
GRAHAM CLULEY. Thank you, Geoff. Can't believe I—
GEOFF WHITE. I genuinely was laughing more on the second time. It's like one of those ones when you expect it to be the same thing.
GRAHAM CLULEY. Let's try a third time. Let's try a third time. Is that Pisces? Bit fishy or not? Geoff's just perfect.
CAROLE THERIAULT. I'm just laughing at Geoff. Don't you think IT, like cybersecurity professionals, shouldn't they be treated like other professions like law or medicine? Like, if you're going to become a surgeon, you don't just attend a class and then get a job doing triple heart bypasses, right? And go, oh, hand me the knife, let's go. You need to go through— you need to prove that you can handle tough real-life situations.
GRAHAM CLULEY. I don't know about that, Carole. First of all, doctors and surgeons, what do they really know? I sometimes had to, you know, I've sometimes had medical issues about my person, and I thought, should I go to the doctor? Is this something which I could sort out for myself with maybe some, you know, maybe some fishing wire, some tweezers, some nail clippers. I can probably do some, I could do some dentistry on myself. I could maybe even do open heart surgery. They go, they go to medical school for years and years and years. But the difference I suppose is the body doesn't change. So training you get in terms of the body and medical training is well established, but cybersecurity, are you meant to go to school for years on that? Because it's changing all the time, isn't it?
CAROLE THERIAULT. I'm thinking more that this is a really good stopgap because you've got people that are at university and they're getting to have the experience of working in real-life situations. When I went to university, I went to university 4 months, I worked for 4 months in the organizations, in corporations, just to get a taste of what it would be like to sit at a desk for 16 hours a day. So fun. I learned that way how to do it. I think it's great that they're learning this. Because people are sitting there with degrees and no job. That is true. That is true. Yes. And they want work and no one's hiring them because they don't have, you know, can you prove that you, how do you improve security efficiency? What is your technology knowledge? You know, tell me about the regulations and standards that you've actually implemented. Like, I've not done any of that. I've just studied.
GEOFF WHITE. This is true. There is a fine line though, isn't there, to walk between, you know, giving people valuable experience they need to get a job. Exploiting a free labor force who are desperate. It's that classic work experience. For me, if work experience goes on longer than a couple of months, that's not work experience, that's just work. You are then working.
CAROLE THERIAULT. Yeah, this is a double whammy because they're also paying probably for their education, right? That's the thing. But I think actually it's a win-win. They're already paying for their education and they can come out of it saying, "Oh, I got all these credentials, I got all these certificates," plus, I worked with these companies. Yes, yes.
GEOFF WHITE. And if you do work experience, in my experience, if you do work experience and you're worth your salt and you're good, you can then get your knees around the table and you can usually get work thereafter. 100%.
SPEAKER_03. So I suppose that's true. Yeah. Anyway, cool idea.
CAROLE THERIAULT. And it'd be great to see more companies trying to offer that to university students. I like the idea of it.
GEOFF WHITE. Well, I'd say, you know, for companies like Pisces, their fate is written in the stars. Ha ha! I like that. Boom boom!
GRAHAM CLULEY. You like that one, did you, Carole? Right. I did.
CAROLE THERIAULT. It was hilarious. He's so funny.
GRAHAM CLULEY. He's been working on that. Yes.
GEOFF WHITE. Never knowingly out-punned. That's the—
CAROLE THERIAULT. Yeah. You guys are so cool.
GRAHAM CLULEY. 1Password is the most trusted enterprise password manager and the number one solution for easily and securely managing all the secrets your team uses every day. But machines have secrets too. These secrets give humans and machines access to other machines. They're how a database admin accesses a database or an app accesses another app. Well, 1Password has just launched Secrets Automation, a new way to secure, orchestrate, and manage your company's infrastructure secrets. So now you can protect all your company's most vulnerable secrets in one place. Find out more at 1password.com/secrets. And thanks to 1Password for supporting the show.
CAROLE THERIAULT. Protect your workforce with simple, powerful access security from Duo, powered by Cisco. The rapid expansion of remote working has presented challenges for all of us. At Duo Security, it's their mission to make application access more secure for organizations of all sizes. Its modern access security is designed to safeguard all users, devices, and applications so you can stay focused on what you do best. So, want to proactively reduce the risk of a data breach, verify users' identities, gain visibility into every device, and enforce policies to secure access to every single application? Thought you would. Why not give your organization the peace of mind that only complete device visibility can bring? Visit duo.com to sign up for a 30-day trial. That's duo.com. I mean, how easy is that to remember?
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GEOFF WHITE. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. It should not be. Well, my pick of the week this week is once again a computer game, a video game. Yes. God. Well, no, they're— well, these are very popular. I've had a lot of feedback on Twitter regarding— Inundated, are you? Well, one or two messages from people. In the tens. No, I wouldn't say in the tens, but— In the threes. Certainly in the single digits. Yes. So my pick of the week this week is a game from a company called Klyaks Games. And do you remember, Kroll, back in the day when we had a Nintendo GameCube? Not the same one. Yes. We didn't share the same one, but we— No. Do you remember a game called Super Monkey Ball?
CAROLE THERIAULT. Oh yes, very much. Yeah, played a lot of that.
GRAHAM CLULEY. Super Monkey Ball was hugely enjoyable. Yeah. And—
CAROLE THERIAULT. I think I played one level probably 1,000 times because I just could not do it. It basically consisted—
GRAHAM CLULEY. You had a small monkey inside a Perspex ball and you had to roll him around a course.
GEOFF WHITE. Oh, I thought ball as in like a posh event. I had no idea of that. Monkeys in Monkey's Gym.
GRAHAM CLULEY. No, no, no, no. Damn it. It's not like that. And you would have to— you'd have to sort of avoid obstacles and get to the finish line in the right length of time. Brilliant game. They then redid it for the Nintendo Wii and it was absolute rubbish. The GameCube version was fantastic. Now, this game has— I found a Super Monkey Ball for the Nintendo Switch and it is called Paperball Deluxe, and it is, some would say, an homage; other people would say a complete and utter rip-off of Super Monkey Ball. The only difference is they have cats rather than monkeys. But other than that— What's it called again? It's called Paperball Deluxe. And it is just like Super Monkey Ball to the extent of the music being the same, the graphics.
CAROLE THERIAULT. Okay, so it's a rip-off.
GRAHAM CLULEY. It's a complete rip-off, but it's brilliant and just as enjoyable as the old Super Monkey Ball, although you can't play Monkey Ball Golf in Paperball Deluxe or some of those things.
CAROLE THERIAULT. Will you say on air that if Monkey Ball does come to the Switch and it's amazing, you will go back to the original?
GRAHAM CLULEY. Only if it's better. I think there is a Super Monkey Ball for the Switch, and I believe it to be inferior to this, which has basically recreated, has brought back from the dead, rather like Lazarus. It has brought back from the— It's a heist. They have stolen the intellectual property of the classic Super Monkey Ball and repackaged it as Paperball Deluxe. It's also available for Windows.
CAROLE THERIAULT. How would you feel if someone repackaged Smashing Security with two other hosts?
GRAHAM CLULEY. They've tried. Host Unknown. They've tried. It's rubbish. They even stole our jingles. But in the case of Paperball Deluxe, it's a winner. I like it. And that is why it is my pick of the week. Geoff, what's your pick of the week? Pick of the week?
GEOFF WHITE. Well, it's something very obscure, but I really enjoyed it. So I had my coronavirus jab yesterday. I got an armful of Sputnik. And after— I was sitting on the sofa, I was braced for all these side effects. Everybody said, oh, you know, you'll get this, you'll get that. So I thought, well, I'm going to give myself the afternoon off and I'll sit on the sofa. And I found myself watching— I've wanted to watch this for a while— there's a video of a guy called Jeff Mills, who's quite a famous house DJ, and it's called the Exhibitionist Mix. And it's basically 45 minutes of just him DJing. And the speed with which this guy— and the subtlety— it's like— so it is like watching somebody play a musical instrument when you see him, because you can see all the little knobs he twiddles and all the things he does on his decks and everything. And you suddenly realize it's not just stick a record on, try and beat match it, flip the fader across. There's loads going on. And I just— I went down a whole rabbit hole of all of these sort of boiler mix videos and just watching people DJing. And it kind of gave me a whole new appreciation of DJing as they're basically playing a musical instrument. Richie Hawtin as well does a thing called How I Play, which is amazing. So I would recommend Jeff Mills' The Exhibitionist Mix for anybody who's got time to kill and wants to get into a bit of DJing geekery. Ooh. Yes.
GRAHAM CLULEY. And this is on YouTube, is it? It's on YouTube, yes, yes.
GEOFF WHITE. Oh, cool. Cool.
CAROLE THERIAULT. I see I know nothing about this guy, so yeah, I can't even ask a question.
GRAHAM CLULEY. I know nothing about dance music.
GEOFF WHITE. How long is it? It's Spinning the Platters That Matter.
CAROLE THERIAULT. It's a hip parade. Yeah, give us some lingo.
GEOFF WHITE. Give us something else we can say. Well, there's a bit of Woodley Woodley Wax. At one stage, I think.
GRAHAM CLULEY. Ooh, is everything going to be wow wow Wild West Will Smith?
CAROLE THERIAULT. Oh God. Is that what we're talking about?
GRAHAM CLULEY. Now I know what you're talking about.
GEOFF WHITE. Certainly more than I do with Super Monkey Bash or whatever it's called. Super Monkey Ball.
GRAHAM CLULEY. Fantastic. Krow, what's your pick of the week?
CAROLE THERIAULT. Well, Mindgame is not for you, okay? So you can just sit back and you don't even have to comment. It because you'd hate it. It's called Invincible. It's a cartoon series premiering on Amazon Prime Video, and it's based on a comic book series by the same name by Robert Kirkman and Cory Walker. So, okay, so basically Invincible, you have a teenager named Mark, and his father Nolan is like a Superman-inspired, all-powerful superhero named Omniman! Which is why I love it. I love that name. Okay. And teenager Mark starts to exhibit some of his father's superpowers. Mom is not a superhero. And so things start changing fast. And by the end of the first episode, my jaw was on the floor. Like, shocking end for first episode. I'm not kidding. And a very refreshing twist on a coming-of-age story. So, yeah, it's complicated. You know, he's a high school senior. He grows up in the middle-class suburbs and has to deal with things that are way more complicated, but he thinks he knows everything. So, anyway, fascinating. And huge cast, including Seth Rogen, who's in the cast. Yes!
GEOFF WHITE. My friend, my mate Seth.
GRAHAM CLULEY. Your bud bud, your bud bud. But not Kim Jong-un's friend.
CAROLE THERIAULT. No, Kim Jong-un does not— much. Doesn't— he wasn't on the cast list. Um, now, warning, it is pretty gory at times, right? And it can be heavy. Um, and— but it has great combat scenes if you're into that. And there's, uh— but remember, it's pretty gory. And Superheroes Are Go-Go—
GRAHAM CLULEY. well, that's what it's called, is it, Carole? Superheroes Are Go-Go?
CAROLE THERIAULT. No, it's called Invincible.
GRAHAM CLULEY. Invincible. I just wanted to make sure so that I could avoid it. That's great.
CAROLE THERIAULT. Yeah, so it doesn't sound— so if it's your thing, because you're not like Graham and you're not a grumpy old— check it out.
GEOFF WHITE. I love the fact that all of our pick of the weeks are mutually antagonistic. We've all picked something that none of the others— Yes. There's no Venn diagram crossover in any of what we've just talked about, is there?
CAROLE THERIAULT. But that's okay, right? We're serving up things for lots of different types of people. Diverse. Yes, diverse. Okay, so the little rich guy, Jeff Bezos, is serving this up on Amazon Prime for you. So Invincible, if you want it, check it out.
GRAHAM CLULEY. Marvelous. Now, Carole, you've been chatting this week, haven't you, to Helen Patton at Duo Security?
CAROLE THERIAULT. Yes, she's so interesting. I swear to God, I loved our chat. So, uh, I don't think it needs any prelude. Just listen, folks, and learn. All right, we are very excited to have Helen Patton here. Now, she is an advisory CISO for Duo Security, which is now part of Cisco. Helen, thank you so much for coming on Smashing Security.
HELEN PATTON. I'm excited. Thank you for having me.
CAROLE THERIAULT. Okay, so Helen, give us like a bio, if you will.
HELEN PATTON. So I've only been here for two months, uh, so I'm still trying to— yeah, completely brand new. Prior to joining Duo, I was the CISO for The Ohio State University for 8 years, and we were a super big Duo customer there. And then prior to that, I did security and risk at JPMorgan Chase. So I've sort of been all over the place, and I'm really excited to have joined Duo Security. They're a fabulous security company, and now that they're part of Cisco, we're super excited about the possibilities that we have. So my, I can tell you about my day-to-day, but I actually don't know if it's good yet. I'm still working out what I'm meant to be doing.
CAROLE THERIAULT. We're nosy.
GEOFF WHITE. We want to know everything you can tell us.
HELEN PATTON. The role of advisory CISO is really meant to be a bidirectional role that helps. We are the voice of practical security folks, CISOs and other security leaders into the Duo and Cisco organization as they think about what product features they need and how to think about the products that we have. We're very interested in making sure that our security products are as simple and clear and secure and frictionless as they can possibly be. So we work with the internal teams to help them understand how the security teams are going to think about what we're doing and so forth. And then alternatively, we also do things like this where we're talking to the community about, you know, what we're thinking, what are the security trends that we're tracking, how do we think about things like zero trust and SASE and XDR and passwordless and all of those kinds of things. And frankly, trying to get rid of some of the buzzword bingo that happens in the security space as well. So it's a really fun job.
CAROLE THERIAULT. The irony is you just used 3 buzzword bingos.
HELEN PATTON. I know. You got to start somewhere. We use the words and then we go, don't use the words. So that's how that works.
CAROLE THERIAULT. But we are learning as an industry, I think, because we are keeping people outside of the industry by using language that is not universally explainable. So it's good that we're all becoming aware of it. Definitely. So, okay, so that's really interesting. I think they are very lucky to have you as well because obviously you're gonna have background in finance, you have backgrounds in academia, you've got work with corporations, and it'd be really interesting to know what you think about right now. Like, so remote work has gone through the roof because of the pandemic, and I bet there have been some unexpected challenges. So what have you witnessed? What have you seen?
HELEN PATTON. It's been really interesting to me. What we saw when COVID first hit was some companies doubled down on security spending. They had to send all their folks home. They hadn't really done that sort of ubiquitously across their company, so they had to think about VPNs and they had to think about how do they get devices that are securely managed into the hands of people that can't physically come to the office anymore. In some industries, there was a doubling down of security and an acceleration of security programs, and the security folks in those organizations went, wow, this sort of sucks, we're in a pandemic, but wow, this is great, we're getting sort of money thrown at us. And then there were other industries where it was like, we're going to sort of hunker down, we're not going to spend anything on security because we don't think it's an enabler and we're going to just sort of deal with the pandemic as best we can. But we're going to sort of take a risk exception that we're not going to be doing it in a secure way because we just can't deal with that right now. And it's been really interesting to me to see sort of which verticals are doing one or the other, and it does seem to be very much a binary choice. There doesn't seem to be a lot in the middle. So I'll be interested to see what happens in the next 12 months as those companies now try to get people to come back to the office in a hybrid kind of way, and they're working out what the typical day looks like and how they're going to secure it. And I'm also interested to see how our regulators think about it, you know, healthcare regulators went from we're not— we don't trust telemedicine to telemedicine for everyone. And so now I'm wondering, are they going to reverse that? Are they going to do something different with that? So it'll be really interesting to see.
CAROLE THERIAULT. No, I was, I was thinking that this is just as an aside, but I was thinking about, you know, all the things that you have to make clear when you fill through compliance reports, you know, for regulators and such, and all how that must have been just all over the place during the last year, year and a half. Yeah. And should you find yourself not compliant and get hit by something, is there a kind of, I don't know, is there a little bit of like extra belts that they're going to go, well, we understand. I wonder how it works.
HELEN PATTON. Yeah, it'll be interesting. I was talking to a CISO for an insurance company in the United States earlier this week, and they do a lot with paper. And so they had claims agents who are now working from home. Who couldn't print out stuff. The regulations require that they print out stuff. So, the regulations are saying, thou must use paper. But, if you're going to thou must do paper, it must be in a secure facility. Well, I'm sorry, your kitchen table ain't going to cut it. So, it's been really interesting to see some of those things that aren't necessarily technical, they're business process, but they're going to have a security impact. You know, you send them home with a printer and a shredder, Yeah, like what do you do?
CAROLE THERIAULT. Right, and a webcam to make sure they actually shred everything. Yeah, it's so fascinating. So these are some of the current issues. Like what are ones that you see right now in the world of password authentication? What are the big dramas that people are facing now in this new world?
HELEN PATTON. Yeah, it was interesting. People hate passwords, right? I think I have not come across anybody internally, externally, or customer who says, "Yay, I have another password." And now we're making people remote from home and depending again on the sort of the technical stack of the companies, being able to change a password really hard, like made things break. So now your help desk is getting whacked really tough. And we're also at the same time though dealing with some changes in technology. So I think the timing is interesting because there's this demand for getting away from passwords, particularly as people are working remotely. We're now at a point where things like hardware-based biometrics, standards around FIDO, FIDO2, those kinds of things are really starting to pick up and be able to be used. And so I think we'll see a big jump in passwordless capabilities actually made more quick by the pandemic. So we will see, but if we're going to work in a hybrid environment, we've got to do something about making it easier for people to be authenticated and trusted.
CAROLE THERIAULT. Yeah, maybe this is too tricky a question, but I've been thinking about this a lot recently. So the idea that, you know, you know, I, I was on Amazon and I ended up buying some stuff and it was so frictionless, it was so easy, and then these packages arrived at my house and I was like, did I really need all this? And the lack of friction, how much did it contribute to me just doing another click? So I'm always interested in, in terms of passwords and authentication and identity management, do we— don't we Do you want a little bit of friction just so people kind of stop and think and go, "Do I really want to do this?" I'd be really interested in your thoughts on that.
SPEAKER_03. Yeah, I will tell you, as a traditional security manager, absolutely. I want people to be thinking about security all the time. We have businesses where we send stuff out by email and we say, "Click on this link to go to this website to do this piece of work." And then the security team come along behind and say, "Don't click on stuff." It's a problem. Yeah. So, right. So I think that, that thinking from a security perspective has to change. The question is, can we trust the passwordless authentication chain? So if we take what you know, which is your password, out of the chain and instead use a combination of something you are like a biometric and something you have like a device that we know is fully patched, not jailbroken, those kinds of things. And then be able to say to the user, as long as you have your fingerprint and your device is patched, I'm not gonna ask you to know what your password is. So I can't share it online if somebody asks me to share my password. I'm just not gonna know what it is, so I can't share it. It's also going to reduce the amount of man-in-the-middle attacks potentially, again, depending on which factors, authentication factors, that we want to think about. I'll give you an example. If you're a doctor in a hospital, every time you walk into a, into an examination room, there is a computer and you have to sign on to it every single time. It's not that they carry their own laptops around and they move— like, there's a different machine in every examination room, and we're asking them to not only remember their password but carry around a token. I've seen hospitals where the doctors are, no joke, they're carrying 12 different hardware tokens around with them because they work in 12 different medical centers that are slightly related but not completely related because they're in a system. Those kinds of things, right? What would it mean for a doctor to be able to say, I'm going to use my fingerprint and I'm good? Yeah. 
Now I recognize the challenge of that is also that we've got to make sure that those biometrics are secured from a privacy perspective. So again, I think the local hardware biometric opportunity of FIDO helps with that. You're not sharing your biometrics in the cloud where they can get scraped off an AWS instance or whatever. Yes. But I also think we need to be mindful of people with various kinds of disabilities and making sure that they can utilize the biometric capabilities as well. If you don't have fingertips, if you— You know, if the artificial algorithm isn't taking into account the fact that you're really quite unique, or maybe you're not that unique but the AI just sort of sucks, you know, what's that going to mean? So I, I think there are still things we're working through, um, as an industry, but I think now we have the focus to work through it. And we know that when the industry puts their mind to it, stuff happens and it's good.
CAROLE THERIAULT. So I'm excited about... You know, it's interesting because obviously organizations care a lot about authentication, right? They want to make sure the right people have access to the right documents at the right time. And they want systems to make that, you know, virtually 100% of the case all the time. Yet I'm not sure that home users have that same concern. You know, I worry that they kind of like, oh, everyone knows everything about me already. Who cares? It's fine, right? And how do you— how do we deal with that? Like, how do we educate consumers? Is it just going through organizations? Because, of course, organizations can then spread the message to their users and to their customers.
SPEAKER_03. I think organizations have a role to play. I think, you know, K-12, high schools, colleges really have a role to play as well. We're not doing a great job of that in the United States. There's not a course that you take as a high schooler or a, or a 4-year college student that says this is how you do digital activities in a secure way. Like, it should be— it's part of— everyone works with tech these days, right? It's, it's part of being a citizen. How do you identify misinformation? How do you check your source? All of those kinds of things we really need to be thinking about. But I think companies do have a role to play in that. When I was a CISO at Ohio State, we did a lot of training and awareness that was really about how do you help individuals be secure at home. The reality is they actually care less about company data. And I won't say that really loudly to my compliance partners. Don't tell anybody, listeners. Don't tell anybody. No, they don't really care that much. But they do care that their taxes are filed and that the taxes are filed correctly and that the tax return comes back really fast. Trust. And they do care that their medical information isn't shared broadly with the world. Now, they may choose to do that, and if they do that, then that's fine. But they don't want it accidentally coming about because of, you know, poor hygiene at the doctor's office. So I think from a security training awareness perspective, the companies have an opportunity to say, this is how you protect your family, this is how you protect yourself, this is how you protect the stuff you care about. And by the way, those same things, those same principles also apply in the office. So if you're comfortable doing it at home, do it in the office. And it's just an easier way to think about it. But, but we're not there yet. We've got to do some of that stuff. No, but it's good.
CAROLE THERIAULT. It's good that people are working on this. And I— okay, I'm gonna have to ask you because you're, uh, well, an expert in this area. If you don the crystal ball and you look ahead, say 5 years, what do you see? What— how do you see us using authentication in a way that makes sense to you? I won't hold you. I won't call you in 5 years and go, you were right, you were wrong. I promise.
SPEAKER_03. Yeah. So, you know, I think you talk to anybody and they'll say my company has a single sign-on product and they do, but they usually have more than one, right? Or they have a single sign-on product for all their corporate apps. But the user in their job also has to sign on to 25 other things, and they have a different login account and a different password for all of those 25 other things. So we haven't realized completely the promise of single sign-on. So there's, first of all, there's that. The second thing is, of course, everybody's going to the cloud in some way, shape, or form. Some, some very lucky organizations consider themselves to be cloud native, but more often than not, it's a blend. We've got on-prem stuff, in-the-cloud stuff, SaaS or infrastructure as a service. And every single one of those interfaces requires a different kind of authentication path, which is really frustrating for the user, right? So if you're an IT administrator in a company, you've got to do one thing to log in through your VPNs, another thing to log in through your corporate app, another thing to log into whatever RADIUS server you're using and your privileged account management solution and whatever. So, I think what you're going to start to see, and I think what we're trying to get to in the Duo Cisco world is to be able to say, how do we bring together all those authentication types and start making that a common experience? So, as a user, you don't have to go, okay, right now I'm logging into Workday and I do it this one way. And then the next thing I've got to do, I've got to get to my email, but to get to my email, I need to go through my VPN, so I'm going to log in this other way. How do we think about one login that is then ubiquitously shared in a secure way across all pieces of the hybrid environment? And then also allows for security monitoring and all the detection and response things that our security people really care about.
So that's where I think it's headed. And it can't come soon enough.
CAROLE THERIAULT. I am so glad, Helen, that you are in charge of figuring out this route rather than me.
SPEAKER_03. Yeah. No, no, it's very complicated.
CAROLE THERIAULT. It is, and there's so many different factors that pull at it. Thank you so much for your time today. My pleasure. Is there anything else you'd like to add?
SPEAKER_03. You know, I think I would just say to anybody who's listening, engage in the conversation. The more people who engage, the more we democratize how this is done and how we move forward. And really, if we're going to do— this is about identity. And that's not something we can do a poor job of. This is really important stuff. So engage, and happy to talk to anybody who wants to have further conversations.
CAROLE THERIAULT. Perfectly said. And listeners, remember that you can proactively reduce the risk of a data breach, verify users' identities, gain visibility into every device, and enforce policies to secure access to every application by visiting duo.com/secure and signing up for a 30-day trial. Helen, thank you so much.
SPEAKER_03. It's been great. You are most welcome. Thank you.
GRAHAM CLULEY. Marvelous. Excellent stuff. Well, that just about wraps up the show for this week. Um, Geoff, I'm sure lots of our listeners would love to follow you online and of course find out more about The Lazarus Heist. What is the best place for folks to do that?
GEOFF WHITE. Uh, you can find me on Twitter. It's probably the best place. It's Geoff, Geoff with a G, G-E-O-F-F, White like the color, and it's 247 because I am Geoff White 24/7.
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G, and we've also got a Smashing Security subreddit as well. And don't forget to make sure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT. And a huge thank you to this episode's sponsors, Duo Security and 1Password, and to our wonderful Patreon community. It's thanks to all of these people that the show is free for all. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 223 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, bye!
CAROLE THERIAULT. Geoff, if you weren't here and I'd listened to your podcast, that would've been my pick of the week.
GEOFF WHITE. Aww. Very kind of you, very kind. But you chose something that you knew Graham would hate instead.
CAROLE THERIAULT. Well, you know, it's hard after 224 episodes, right? To come up with cool stuff that you find every week.
GEOFF WHITE. That thing implies that you have, you know, that you have enough stuff in your life going on that you can pick—
GRAHAM CLULEY. I've got a long list of video games. I'm finding it not difficult at all. Exactly. And no one's bored by it.