The Colonial Pipeline attack has shone light on the activities of the Darkside ransomware gang, we take a skeptical look at cryptocurrencies and the blockchain, and Eufy security cameras suffer an embarrassing security failure.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology correspondent Rory Cellan-Jones.
Plus don't miss our featured interview with Vanessa Pegueros of OneLogin.
Visit https://www.smashingsecurity.com/228 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Rory Cellan-Jones and Vanessa Pegueros.
Sponsored By:
- 1Password: With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now.
- Skiff: We store more personal information on our devices than we do in our homes. Where do you go online when you want to write or share something privately?
- Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators - no one else, not even Skiff - can see what you've created.
- Skiff is offering listeners of Smashing Security early access. Sign up now: skiff.org/smashing
- OneLogin: According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
- As a result, CISOs and IT executives have been under ever-increasing pressure - leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.
- OneLogin's message? You're not alone. Attend their live event on Weds May 26, "Keeping the Mind Clear and the Company Secure" at smashingsecurity.com/oneloginiamokay
Links:
- Major US oil pipeline shut down after ransomware attack — Graham Cluley.
- Abrdn: Standard Life Aberdeen vowel-less rebrand mocked — BBC News.
- DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized — Brian Krebs.
- Colonial Pipeline did pay ransom to hackers, sources now say — CNN.
- Darkside Retreats to the Dark — Kim Zetter on Substack.
- Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims — Elliptic.
- "Always On: Hope and Fear in the Social Smartphone Era" by Rory Cellan-Jones — Bloomsbury.
- Eufy privacy breach leaks both live and recorded cam feeds — 9to5 Mac.
- WARNING Disconnect any Eufy Security products you own immediately — Reddit.
- Server glitch allowed Eufy owners to see through other homes’ cameras — The Verge.
- Crown Court (TV series) — Wikipedia.
- Fulchester Crown Court — Fan website.
- Crown Court - The Jawbone of an Ass (1978) — YouTube.
- Crown Court - Treason — YouTube.
- BBC Weather app for Android — Google Play Store.
- BBC Weather app for iOS — iOS App Store.
- The Hyacinth Disaster - A Sci Fi Audio Drama.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
ROBOT. I mean, the great thing about Elon Musk is he's always thought big. He's thought big about transforming the car industry, transforming the space industry. And at the end of that interview, I wrote a blog about him with the headline "Bonkers but Brilliant," which his PR man didn't like. And I had to try and explain to him that bonkers in English— this is two nations separated by a common language— bonkers is a really affectionate term. Yes, yes. He didn't buy it, and I've not had an interview since. But at least back in 2016, he was a visionary. Smashing Security, Episode 228: Pipeline Pickle, Blockchain Bollocks, and Eufy Snafu with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 228. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined by a hot young new author, someone who's new on the scene. Hubba hubba! I probably haven't even encountered him before. It's BBC technology correspondent and guru Rory Cellan-Jones.
RORY CELLAN-JONES. Yeah, hi there. You can call me whatever you like, as long as, uh, maybe not young. Yeah, young is a bit—
CAROLE THERIAULT. How about Roar?
RORY CELLAN-JONES. Roar, Roar, Ingenue, up and coming.
GRAHAM CLULEY. But you are newly authored, aren't you? You've got—
RORY CELLAN-JONES. I have got a book out. I'm not going to be as crude enough to say that's why I'm here, Graham, but, um, it's, it's one good reason. Always on in good bookshops and bad ones right now.
CAROLE THERIAULT. And we're going to talk about it in a mo', in a bit more detail. First, let's thank this week's sponsors: 1Password, OneLogin, and Skiff. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?
GRAHAM CLULEY. I'm going to give you an update on your colonial pipeline.
RORY CELLAN-JONES. Whoa, okay.
CAROLE THERIAULT. Rory?
RORY CELLAN-JONES. Well, I'm, I'm actually going to be talking about my love for cryptocurrencies, not how, how I came to detest them in every form, uh, the journey I took.
CAROLE THERIAULT. And I am going to look at another snafu involving home surveillance cameras. Plus we have a featured interview with Vanessa Pegueros from OneLogin. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, the big story this month, I'm sure you've heard about it already, has been this cybersecurity attack, this incident involving the Colonial— Colonial? Is that how you say it? Colonial!
RORY CELLAN-JONES. It's got nothing to do with the colon. It's Colonial, for heaven's sake. Do you have trouble with the English language?
CAROLE THERIAULT. Ever since he hit 50.
GRAHAM CLULEY. How do you know they say it the same? Because what you've got here is a great big pipe carrying fluid along the great length—
UNKNOWN. You're making a little jeu de mots on the poop truck.
CAROLE THERIAULT. That's what you're doing. That is your big joke.
GRAHAM CLULEY. Well, it stretches 5,500 miles.
CAROLE THERIAULT. Yours might.
GRAHAM CLULEY. If you straightened it out, beyond curled it, 5,500 miles up the east coast of the United States, from Houston to New York Harbour, carrying 100 million gallons of fuel every day. Well, not every day. Because for a few days earlier this month, it was not carrying any fuel at all. It was on May 7th that the company which runs the Colonial Pipeline— they are called imaginatively the Colonial Pipeline Company.
CAROLE THERIAULT. If they were called Burt Bacharach, you'd have an issue.
GRAHAM CLULEY. Like, there's no way they could do it. I would. Yeah, I'd be very upset if I were Burt Bacharach, if my name had been used in such a fashion. Did you hear about that company Aberdeen? Something rather Aberdeen who've just—
RORY CELLAN-JONES. Aberdeen.
UNKNOWN. Yes.
GRAHAM CLULEY. What they've done is they've rebranded themselves. So the only vowel is the one at the beginning. So Ab and then brdgn. It's a bit like Twitter before it was Twitter, wasn't it?
RORY CELLAN-JONES. It certainly was.
GRAHAM CLULEY. It's ridiculous.
RORY CELLAN-JONES. That is branding consultancy fees coming out of your ears for that. Those are the same people who turned the post office into Consignia 20 years ago. Not quite, but a similar triumph.
CAROLE THERIAULT. Thank all the domain squatters out there. High five to you guys. That's why this happens.
GRAHAM CLULEY. Well, anyway, the Colonial Pipeline Company, also known as Burt, discovered it had been hit by ransomware. And I mean, you can't have escaped the news. The pipeline was shut down for some days. There was panic buying. There was queuing at American gas stations. Some folks even tried to stock up on fuel because they thought, well, we need to hoard it. And they had to issue a warning to people not to fill plastic carrier bags with petrol. I saw that going out from the authorities.
CAROLE THERIAULT. Do I hear a judgy, judgy voice there? Yes, yes you do.
RORY CELLAN-JONES. Do I?
GRAHAM CLULEY. Go on. I should judge people who are filling plastic bags with petrol.
CAROLE THERIAULT. No, this is a trap, Graham. Carry on, but know this is a trap.
UNKNOWN. Is it?
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. Don't you remember at the beginning of the coronavirus, who bought tons of toilet paper.
GRAHAM CLULEY. Right.
RORY CELLAN-JONES. Was it, was it, was it Graham Cluley by any chance?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. It was actually Mrs. Cluley. It was Mrs. Cluley.
CAROLE THERIAULT. Well, it was Graham Cluley Corporation.
GRAHAM CLULEY. The reason was that we were unable to buy a single pack. So we went online and it turned out we were only able to buy in a crate. So we ended up with about— You were only able. We had to get about 140 rolls. They wouldn't split it up. That's why. We're still going through it.
CAROLE THERIAULT. Anyway, thank you very much for that shortage.
GRAHAM CLULEY. Thank you for bringing that up for me. Now, inevitably, there were fears that this ransomware attack could have been state-sponsored. Who could it be? Russia? North Korea? China? Belgium?
RORY CELLAN-JONES. Russia!
GRAHAM CLULEY. One of the usual.
RORY CELLAN-JONES. I guessed. Do I get 10 points for that?
GRAHAM CLULEY. Well, there certainly seems to be a Russian link, yes. Whether it was state-sponsored or not, whether Vladimir himself pushed the button, is open to some question, I think.
CAROLE THERIAULT. So he's in a difficult position though, right? Because worldwide he'd want to say to everybody, nobody would want to tell everybody, of course I know what's going on, but he may or may not, right? But he has to kind of say, I know everything that happens in my country, everywhere. No one is afraid of me. So he's kind of in a catch-22, I think.
GRAHAM CLULEY. Well, anyway, it was the DarkSide ransomware gang and they thought, oh dear crumbs, you know, we're getting quite a lot of attention. So they said to Colonial Pipeline, they said, we've determined that if you pay us $5 million, we can bring your systems back up again. And if DarkSide is familiar to you, we spoke about them in episode 201 of the podcast when they were talking about giving percentages of their ill-gotten proceeds to charity, Robin Hood style.
RORY CELLAN-JONES. Hmm. It's ransomware as a service, isn't it? This is the other thing about it.
GRAHAM CLULEY. It is. It's not just the DarkSide gang because other people will use their technology and infrastructure to launch their own ransomware attacks. Outside, take a cut of it.
RORY CELLAN-JONES. And they put out these wonderful statements that are basically their CSR, their corporate social responsibility policies.
GRAHAM CLULEY. Yes.
RORY CELLAN-JONES. I love that. We don't mean to do bad, we just want money. That's all we're about.
GRAHAM CLULEY. So you might be wondering, if they're such good guys, why did they shut down the pipe? You know, although it obviously, you know, would have added to the pressure on Colonial Pipeline.
CAROLE THERIAULT. Cause a blockage?
GRAHAM CLULEY. Carole, that's a bit grubby. I know what you did there. And I'm not going to rise to that. No, it wasn't that at all. In fact, Colonial Pipeline, they decided to shut down the pipe. And according to CNN and also cybersecurity journalist Kim Zetter, it wasn't the ransomware that affected the pipeline at all. The reason why they shut down the pipe was Colonial Pipeline realized that their billing system had been compromised, which meant if they delivered fuel, they wouldn't be able to charge for it. And they wouldn't be able to monitor who was getting what.
RORY CELLAN-JONES. Which is extraordinary, because we all assumed this was the ultimate example of how the Internet of Things doesn't work. But it wasn't that.
GRAHAM CLULEY. No, it wasn't that at all. The pipeline wasn't affected by the ransomware attackers at all. It was just that Colonial thought, we've got to shut down the pipeline.
UNKNOWN. Yeah.
CAROLE THERIAULT. And it shows you the power of ransomware, because if you lock up all the details of every single customer that you have and you can't bill, you're causing infrastructure chaos, which they did. I can't believe people were actually filling plastic bags. That has to be just one person in the entire universe. There could not have been many going, oh yeah, here's my little Walmart bag.
GRAHAM CLULEY. I think it might have been one person and all the other people spontaneously combusted. They just found a small pile of ashes. Now, well, it's interesting, isn't it? Because this idea of shutting it down because you can't charge properly for what you're delivering. I remember when I think it was the Vancouver rail system, they got hit by ransomware, which meant that they weren't able to sell tickets. And what they did is they just opened up the gates and they said, everyone can travel for free while we recover from a backup.
CAROLE THERIAULT. Canadian.
GRAHAM CLULEY. Oh, yes.
RORY CELLAN-JONES. I suppose it's a bit different when you've got an asset like oil, which is being like taken away rather than a kind of transit system, which, you know, you're running anyway, possibly not for profit.
GRAHAM CLULEY. I suppose.
CAROLE THERIAULT. I wonder how long it took though. For them to shut it off. I mean, maybe originally they shut it off because they had no idea what the hell was going on and they just said, my God, you know, they could be stealing this oil. We have no idea. So they just shut down everything and then realized—
GRAHAM CLULEY. Well, obviously the impact of this was quite considerable. A chap called Joe Biden, who's now president of the United States, he didn't fill a black bag full of petrol. No, he didn't do that. So he was talking about this ransomware gang in a press conference. You know, things got quite serious, and I think DarkSide realized they may have bitten off more than they could chew. And so they're saying, "Look, oh no, no, hi, yeah, we're nice guys." By ransomware standards, they were saying, "Look, we're not like those North Koreans. We're not state-sponsored, we're not political. We'll be more careful in future." And Colonial was meanwhile trying to bring its systems back up, and they had been charged, as I said, $5 million by the DarkSide gang. So they weren't being that nice, really. And they ended up paying it. They ended up spending $5 million.
RORY CELLAN-JONES. Allegedly.
GRAHAM CLULEY. Well, reportedly.
RORY CELLAN-JONES. Yeah, yeah. Lots of sources.
GRAHAM CLULEY. Lots of sources. I don't think they've issued a press release saying, "Isn't this great? We've spent $5 million." No, no.
RORY CELLAN-JONES. And what do you think about that, Rory, though, if they did pay?
CAROLE THERIAULT. What is your view on that? Do you think—
RORY CELLAN-JONES. Well, this is the big debate, isn't it? I mean, the serious side of it is that this is a huge threat to not just pipelines, but hospitals have been hit, schools in London. I was just hearing a terrible case of a whole bunch of schools where private data of kids and teachers was— they didn't pay, and this private data was splashed online. And there is a kind of global movement to try and say, we will make it a crime to pay a ransom. But nobody's going to agree to that, are they?
GRAHAM CLULEY. Well, anyway, they paid and in return they got a decryption tool from DarkSide and some tech support. You know, sometimes these gangs these days actually give you advice. This is how you can better protect your network in future. They sort of do customer support online, but it turned out it wasn't the best advert in the world for DarkSide because their decryption tool reportedly proved too clunky and slow to fix Colonial Pipeline's systems in a timely fashion. So they went back to their backups anyway in the end.
CAROLE THERIAULT. So they paid probably so that their customers' information didn't go out. That's why they paid. They also hoped to get this decryption tool that would allow them to just go back to business as normal.
GRAHAM CLULEY. So they had data encrypted, but they also had data stolen. But it appears the data which was stolen had only made it to some servers in New York. And was sort of in transit, and they spoke to some web hosts and got those servers shut down, they believe, before the bad guys got the data, according to reports like Kim Zetter.
RORY CELLAN-JONES. What is weird about this is what they thought they were paying for. And do they get their money back now? Because this dark web mob claimed to be a responsible company with, you know, consumer-friendly policies, and therefore I think there's a case for Which? magazine or someone.
GRAHAM CLULEY. Kate Bevan.
RORY CELLAN-JONES. Yeah, my friend Kate Bevan. I'm going to suggest this as a feature. Let's have a customer rating of all the ransomware gangs. Which of them provide the best service? Once you've been phished.
CAROLE THERIAULT. Which ones should you pay? Which ones seem honourable?
GRAHAM CLULEY. Well, good luck getting your money back from DarkSide because DarkSide appear to have gone dark. It seems its servers have gone down. Its little bitcoin account, according to researchers who've been trying to trace the money, has been emptied. And word is spreading on the computer underground that they've closed their doors and they're not going to be doing any more mischief. Now, it's a mystery as to whether it was the authorities who took them down or not.
RORY CELLAN-JONES. Hard to say, right?
CAROLE THERIAULT. Yeah, they just got shit-scared going, "This is bigger than we can chew, guys." Or is DarkSide pretending that they've been taken down by the feds?
GRAHAM CLULEY. While actually pocketing the money of their affiliates, because Colonial Pipeline aren't the only victim they've had. I mean, they've had other victims since then. There was a, I think it was German chemical gang they got $4.4 million out of in the last week or so. So it might be that DarkSide are robbing other criminals as well. Really hard to know exactly what's going on here.
CAROLE THERIAULT. But DarkSide aren't playing by the accepted rules of this is fair play. I don't think.
GRAHAM CLULEY. Yeah, exactly. It's a bit like—
CAROLE THERIAULT. And we're paying them because they've got us hook, line, and sinker otherwise.
GRAHAM CLULEY. What are the rules when you do boxing?
RORY CELLAN-JONES. I've forgotten what they're called. The Queensberry— Marquess of Queensberry rules.
GRAHAM CLULEY. Marquess of Queensberry rules, exactly.
RORY CELLAN-JONES. They're not playing by them.
GRAHAM CLULEY. It's just not cricket. These Russians, what they're doing. But it does seem to have had, in fact, all of this media attention and obviously President Biden's attention as well. And the authorities seem to have sent a bit of a scare and a chill through the computer crime underground. For instance, there's a cryptocurrency mixing service. This is something which cybercriminals use to sort of launder their money to make it harder to track where their bitcoin transactions have gone. One called Bitmix, that seems to have ceased its operations. Other forums are saying we're not going to advertise ransomware as a service schemes anymore and help the gangs because we don't want to get into trouble ourselves. So if you are a ransomware gang leader, Rory—
RORY CELLAN-JONES. What are you saying?
GRAHAM CLULEY. No, I'm just saying if you were, here is my advice. Don't target firms which run critical infrastructure, even if you don't hit the critical infrastructure, because that's going to get you a lot of headlines and unwanted attention. Keep your head down. You don't want the US authorities and Joe Biden knowing your name. And if you want to sleep easier at night, just do something profitable that's legal.
CAROLE THERIAULT. Okay. Can you tell me something though?
GRAHAM CLULEY. Like write a book about computer technology. Sorry?
CAROLE THERIAULT. Tell me what legal employment you can think of that has this kind of ROI, because they've got quite a nice little system here if people are paying up all the time.
GRAHAM CLULEY. I think cybersecurity industry. I think right now they're the ones who are really cashing in right now, aren't they? Rory, what have you got to talk to us about this week?
RORY CELLAN-JONES. I've got to talk to you about one of my favourite subjects, also a subject which has me whimpering under the table when I look at my inbox, and that is cryptocurrency, which I've had a long and tawdry relationship with.
CAROLE THERIAULT. Can't wait.
GRAHAM CLULEY. How much have you lost, Rory? Come on, admit it. No, no, you who's digging up a garbage tip in Wales trying to find— it's not—
RORY CELLAN-JONES. I did that story. The worst thing is I've actually made a bit of money about it despite hating it with a passion. So there's a chapter in a book which has just come out called Always On: Hope and Fear in the Social Smartphone Era.
CAROLE THERIAULT. Sounds amazing.
RORY CELLAN-JONES. Uh, which is a kind of history of the era which started in 2007 with the launch of the iPhone and tells the story of the way smartphones and social networks came together and changed our lives in all sorts of ways. But there is a whole chapter, uh, on cryptocurrencies and the madness of them. And the iron entered my soul in 2016 when I got what was supposed to be one of the great scoops of my career, which all went a bit wrong. Uh, this story was given to me, a gentleman from The Economist, and somebody from GQ. What a combination! The BBC, The Economist, and GQ. And it was to meet the man who was Satoshi Nakamoto. And that was Dr. Craig Wright, an Australian figure.
CAROLE THERIAULT. Ah, yes.
GRAHAM CLULEY. So just to be clear to anyone who doesn't realize, Satoshi was the sort of anonymous inventor of Bitcoin. The person who created it.
RORY CELLAN-JONES. Yes, the grand maester. The kuba. He wrote a paper in 2009 called Bitcoin. I think it was called Bitcoin: A Peer-to-Peer money system. And ever since, there's been huge mystery about what his or her or their real identity is.
GRAHAM CLULEY. Mm-hmm.
RORY CELLAN-JONES. And this guy came forward, to cut a long story short. He proved, in his terms, to us that he was Satoshi Nakamoto by, uh, engineering this particular transaction or demonstration, uh, and, you know, so complex was it that I hadn't a clue what was going on, but there were two people prominent in the bitcoin community in the room who vouched that, yeah, it seemed to be true. And we put our piece out, luckily not saying he is, but saying he claims to be. And within hours, the incredibly— Fighty? The incredibly fighty cryptocurrency community, you know, the People's Front of Bitcoin versus the Bitcoin People's Front, had torn apart his claims. Uh, and it all ended a couple of days later where he promised what he called extraordinary proof. And I had to send a tiny sum of bitcoin to an address which was something like the genesis block, the original, one of the very first bits of bitcoin that had never been touched since and could only have been controlled by Satoshi. And he would send it back. And we got our cameras in front of this screen where you could see, you know, it's the blockchain, you could see what's going on. And you could see my money had gone in and we waited for a red arrow signaling it coming out. And we waited and waited, it didn't happen. And then we got a statement from him saying he couldn't do this. He was just, you know, it was all too much for him. He'd come over all funny. And ever since, ever since I've been waiting for my 0.017 bitcoin back from Satoshi Nakamoto, and it was only worth a fiver then, but I think it's worth something like 200 quid now.
CAROLE THERIAULT. Anyway, that's a dinner somewhere.
RORY CELLAN-JONES. Yeah, yeah. Anyway, I proceeded to do a lot more journalism about not just bitcoin but about these things. Do you remember ICOs? Initial coin offerings where people built businesses on the blockchain. Dating on the blockchain, for God's sake. Because there was a period when you would meet people who'd say, oh, bitcoin, no, no, no, you don't want to worry about that. That's not interesting. What's interesting is the thing underneath it, the blockchain. I think the first time somebody said to me, the blockchain is going to be bigger than the internet itself was 2014. They've been saying it every second day since, and it still ain't, in my view. And then we come right up to date with what's happened in the last month or so and enter another character in my book, the extraordinary Elon Musk.
CAROLE THERIAULT. Oh, Graham has a bit of a bromance with him.
RORY CELLAN-JONES. Yeah, well, I interviewed Elon Musk in 2016, and there's a whole story behind that about getting that interview. And I mean, the great thing about Elon Musk is he's always thought big. He's thought big about transforming the car industry, transforming the space industry. And at the end of that interview, I wrote a blog about him with the headline, "Bonkers but Brilliant," which his PR man didn't like. And I had to try and explain to him that bonkers in English— this is two nations separated by a common language— bonkers is a really affectionate term. Yes, yes. He didn't buy it. And I've not had an interview since. But at least back in 2016, he was a visionary. You could say he was a visionary. He was doing amazing things. And in some ways, he's still doing amazing things. But he's not talking about them. He spent the last two months talking about cryptocurrency in the most daft and idiotic way. He first announced that Tesla was going to buy a bunch of bitcoin and accept payment in bitcoin because he has got a huge clique of Twitter followers who hang on his every word.
GRAHAM CLULEY. Muskavites, I think they're called.
RORY CELLAN-JONES. Yeah, yeah, yeah. Really? I didn't know that. That is good. That is good. Muskavites. And then of course the crypto crowd are even crazier. The people who have profiles with lights coming out of their eyes, that meme, or send you a Simpsons meme if you're at all critical, saying, have fun staying poor. Yeah, those kind of folks. So he propelled the bitcoin price to new heights, to $60,000, when old Satoshi, ho ho— when I paid him that 0.017, it was about $5,000. So you see, that's how much changed. Anyway, he did that. He also started riffing about Dogecoin, which is this complete joke coin, which was literally started as a joke, and that began to take off. And then a few days ago, suddenly he decides actually bitcoin is bad for the environment. Who knew?
GRAHAM CLULEY. Yeah, surprise, surprise.
RORY CELLAN-JONES. Yeah. I think what's happened is that the poor benighted Tesla sales staff are saying, listen, we can't— this is a nightmare accepting payments in bitcoin. It's worth X one day, X minus 10% the next day, X plus 10% the third day. This is barking mad. And he's finally listened. But it's caused endless ructions. And still I come back to the fact that bitcoin and all cryptocurrencies are just not a good idea. Um, well, there are two ways of looking at them. Either you believe in them and you believe in the philosophy behind them, which is an interesting philosophy and an extreme libertarian philosophy which says all banks will basically melt away, all fiat currencies, uh, your pounds, your dollars will go away, and bitcoin will rule the world, or other cryptocurrencies will rule the world. So you can either believe that, and there are some people who believe that, or you can be in it, frankly, for a quick buck, which is, you know, the best reason to be in it, thinking it's worth $10 now, it'll be worth $20 tomorrow. Those are the only two reasons to believe in it. And what's extraordinary to me is about a month ago, I was on not a podcast, I was in a Clubhouse room talking at an event, and a senior figure in the London fintech community, when I was going on one of these riffs like I just have, said, big guy in London, he was a nice guy, and he said, Rory, you've got it all wrong about cryptocurrency. It is now being seen in financial circles as a recognized asset class, honestly. And I thought, yeah. And then I open up the Financial Times this week and find the city suddenly has decided, after a month of Elon Muskery and all this nonsense, oh, it certainly isn't an accepted asset class, brackets, wouldn't touch it with a 10-foot barge pole. Which kind of shows that you shouldn't believe the latest craze, even when the establishment tells you it's great.
Don't forget that in 2007, 2008, they were telling you that CDOs and all those complex derivatives were the future just before they tanked the world economy. So that is my view of cryptocurrency. And it will— people do listen to this podcast, don't they, Graham?
GRAHAM CLULEY. Oh yes, yes, yes.
RORY CELLAN-JONES. I will now get a tidal wave of abuse because the other thing is it is a community full of fanatics who will not brook any criticism. Can I give you a quote which I use in my—
GRAHAM CLULEY. Is this quote included in any book which has recently been published?
RORY CELLAN-JONES. It is included in a very recently published book, Always On, available in all good bookstores and online. Hunter S. Thompson. This is how he describes crypto. It's not actually, but I'll tell you what he's describing in a minute. Because he was dead before crypto. "A cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side." And he was talking about the music business, but in my experience that's the crypto business too.
UNKNOWN. Yeah.
CAROLE THERIAULT. So some people— do you think a lot of people have invested all of their earnings? Like, are there going to be horror shows of, of just lost cash everywhere? Or do you—
RORY CELLAN-JONES. Well, some people have invested enormously in it because some people have made a lot of money. Let's, let's be fair. But, but the, the big question is, of course, because there's this culture of hodling. Do you know about hodling?
CAROLE THERIAULT. No, I don't.
RORY CELLAN-JONES. If you're a hodler, and it comes from a Game of Thrones character, or it actually comes from somebody mistyping hold once. If you're a hodler, part of the culture is you will never sell, you'll always hold, because bitcoin is, quote, going to the moon where we'll all drive around in Lambos. Lamborghinis. This is the culture. So some of the— a few of the people I've got who've got out, got out at the top, have done extremely well indeed. Others not so much. I heard a brilliant tale on the New York Times Daily podcast the other day about a guy who's got into Dogecoin and has always wanted to buy a house and had been saving up for a house and decided that the conventional economy wasn't doing it for him, invested in Dogecoin, and he's now got $2 million. From having put all of his money into Dogecoin, except that he's insisting he won't sell because his line was, well, the guy who bought Amazon at $10 and then sold it at $20, he's looking a fool today. And that's my philosophy with Dogecoin.
CAROLE THERIAULT. Yeah.
RORY CELLAN-JONES. The trouble is, you know, Dogecoin ate Amazon and he may never have his house.
GRAHAM CLULEY. Amazon, that's an online bookstore, isn't it?
RORY CELLAN-JONES. It is, where you can buy, yeah, Always On by Rory Cellan-Jones. Other bookstores are available.
GRAHAM CLULEY. Excellent. Krow, what have you got for us?
CAROLE THERIAULT. Okay, so I want you guys to imagine you're getting out of bed in the morning, right?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. You're still puttering around in your slippers, and you go downstairs, and you see that your bins have been totally thrown around the home. Like the kitchen bin has just been desecrated. And you already know who the culprits might be. It's your 5-year-old or your 5-month-old puppy. And you need to know who it is. So luckily, luckily for you, you have smart home surveillance in your house.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. And you can just log into your account and see who ransacked the kitchen bins. So you log in, but lo and behold, it is not your house on the feed. It's not your kitchen. And it's not your dog or child. But someone else's home entirely, you have access, in fact, to all their controls. So you can actually change cameras, change the zoom and the tilt, switch between views.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Imagine you're there. Imagine you're in that scenario right now. Now, Graham, I want you to imagine that it's Garry Kasparov's house that you have accidentally stumbled upon.
RORY CELLAN-JONES. Yes.
CAROLE THERIAULT. How long before you switch off?
GRAHAM CLULEY. Well, I don't want to spy on Gary. I wouldn't want to do that. I just want to play chess with him.
CAROLE THERIAULT. Be truthful though.
GRAHAM CLULEY. How long? Well, no, I don't—
CAROLE THERIAULT. You'd turn it off right away?
GRAHAM CLULEY. I think I'd feel quite disturbed because if he doesn't realise he's being watched, who knows if he's padding around in his Y-fronts. It may not be something you want to watch.
CAROLE THERIAULT. What about Piers Morgan?
GRAHAM CLULEY. Oh, Rory, we're so in line with everything.
CAROLE THERIAULT. What about Elon Musk, Rory? Would you want to just have a little spy?
RORY CELLAN-JONES. No, don't call him. No, no, no, no.
GRAHAM CLULEY. Don't call him bonkers.
RORY CELLAN-JONES. Yes.
CAROLE THERIAULT. Yeah, definitely not. This all kicks off last week because a message pops up on Reddit, right? And the post title was Warning: Disconnect any Eufy security products you own immediately. Okay.
GRAHAM CLULEY. Oh, E-U-F-Y.
CAROLE THERIAULT. E-U-F-Y.
GRAHAM CLULEY. I've got a Eufy thing.
CAROLE THERIAULT. Do you?
GRAHAM CLULEY. I have a Eufy baby cam. Thing, baby monitor.
CAROLE THERIAULT. Uh-oh.
GRAHAM CLULEY. Mine isn't connected to the internet. Mine is only using radio waves or whatever. So I don't have an internet one.
CAROLE THERIAULT. Right. Back to Eufy. Back to Eufy security products, right? So someone on Reddit says, I was just randomly given someone else's camera feed and had access to all their event recordings. I was still logged into my account when this happened. So it appears to be a bug within the app itself. I have no idea how this is even possible. I'm like, Eufy, what is Eufy? So I go looking on their website. Eufy's motto is, smart home simplified is what drives us to build easy-to-use smart home devices and appliances that are designed to enhance your life. Yet someone on Reddit compared it to a Black Mirror episode, the fact that they could see someone else's stuff.
GRAHAM CLULEY. Not the one involving the pig and the prime minister.
RORY CELLAN-JONES. So apparently live, if I was watching Piers Morgan with a pig.
GRAHAM CLULEY. Now that's a whole different matter. God, straight onto my Twitch stream with that one.
CAROLE THERIAULT. So live and recorded camera feeds were being shown to complete strangers, and Eufy security users also had complete access to the account. So they could, you know, so anything they could change, anything they could change the configurations. So I thought, well, why don't we check out the features of the Eufy security camera just to see what they could get, right? So this is where marketing can work against you horribly, right?
GRAHAM CLULEY. That's okay.
CAROLE THERIAULT. So number 1, know when someone's there. The on-device AI instantly determines whether there's a human present within the camera's view. Sight at night, keep an eye on any room, even in low light settings.
GRAHAM CLULEY. Oh, some night vision. Lovely.
CAROLE THERIAULT. Yep, great.
GRAHAM CLULEY. Yes, lovely.
CAROLE THERIAULT. Follow the action. When motion is detected, the camera automatically tracks and follows the moving object. So no need to worry about a joystick.
RORY CELLAN-JONES. Right.
CAROLE THERIAULT. You can customize the areas in which detection takes place through activity zones. So you could say, I'm really interested in what came to the bedroom or whatever. Horror show. Plus you can communicate from your camera. So say your little poochie was at home, you can kind of go, hey poochie, poochie, hey poochie, and they can woof woof back at you.
GRAHAM CLULEY. Is that what you call your husband? Does he often woof back at you?
CAROLE THERIAULT. That's Wookie, that's Wookie.
GRAHAM CLULEY. Oh yes.
CAROLE THERIAULT. So what was quite interesting, so I'm looking at this and ironically, despite this being a home security product, I found like no security-related information on the Eufy Security Products website. So nothing. So then I thought, well, how do most people buy this stuff? And I'm gonna ask you how you bought your Eufy product, Graham, 'cause I bet that's what I've—
GRAHAM CLULEY. I think I went to an online bookstore and I was about to buy a book called "Always On" and I was distracted into buying a baby monitor instead.
RORY CELLAN-JONES. Bad mistake.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. People are going to Amazon, right? Or online Walmart or something to buy this. And so I'm looking through all that and there's no security information at all except the very end in some of their marketing blurb at the end, said every Eufy security product is engineered to ensure your security data is kept private. Have peace of mind that you will have a secure record of everything that happens around your home. And that is it. So what happened? Well, we don't know yet. We don't actually know what happened, but Eufy has issued a statement. So I would love to see what you guys think of this.
GRAHAM CLULEY. And so this is only happening to some Eufy users.
CAROLE THERIAULT. Yes, some. They claim somewhere, not here, but somewhere I saw them say it affected 0.001% of its users.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. But I don't know how many users they have, so it's all complicated.
RORY CELLAN-JONES. And how?
GRAHAM CLULEY. How?
CAROLE THERIAULT. Well, yes, how? So this is what they say. Eufy said, okay, dear Eufy security users, a software bug occurred during our latest server upgrade at 4:50 AM Eastern Standard Time. Our engineering team recognized this issue at around 5:30 AM and quickly got it fixed by 6:30 AM. And then it says, we recommend all users please unplug and reconnect the device, log out of the Eufy Security app and log in again.
GRAHAM CLULEY. Yeah, please, please log out.
CAROLE THERIAULT. For any questions, contact our support team. That's it. That's what's on their website.
GRAHAM CLULEY. So it was something on their cloud system. So what they're doing is they're taking security footage and they're putting it up on some cloud server somewhere so you can remotely access your security camera. And normally you send some kind of ID and maybe some form of authentication to that server to say, I am Graham in Oxford and I want to view this. And their server was taking that information, you're Graham in Oxford, and then they were just taking someone completely random.
CAROLE THERIAULT. You were able to change the tilts on the camera that were live as well.
GRAHAM CLULEY. Yeah, they were changing the ID somehow. Yeah, they screwed up the ID. So that's what they made a screw-up, and that's how presumably they've been able to roll out an update to the cloud and fix it. But they need everyone to log out because they may already have accessed someone else's account.
CAROLE THERIAULT. And, you know, as smart as you are, that's wonderful that you think that, but that is pure conjecture on your part.
GRAHAM CLULEY. Oh, it's very— you know, I'm—
RORY CELLAN-JONES. that's— I thought I was just listening in awe there at that top analysis from Graham.
GRAHAM CLULEY. I think it's a plausible explanation of how they've cocked up. Yeah, they said a software bug. It's obviously some kind of authentication issue where they think you're one ID and you're not. You're a different ID. That's what I'm saying.
CAROLE THERIAULT. Okay, I'll give you that. It is a plausible reason, but we just don't know at the moment. But what it does show us is that even if hackers aren't involved, things can go wrong and your personal stuff can be gawped at by a third party. I mean, I just don't think I understand why people put home surveillance inside their home or why the benefits outweigh the risks for most of us. I can understand there's special situations where if you have an elderly parent that's at home alone and you want to check on them or things like that, I get that. But why do a large proportion of the population think they need home surveillance? I mean, Rory, what about you? Do you subscribe to this? Do you have this in your house?
RORY CELLAN-JONES. I find it weird too, but of course everyone is putting little video cameras outside their house in their doorbells now, aren't they?
CAROLE THERIAULT. Yeah.
RORY CELLAN-JONES. Which is possibly more, in some ways, more privacy invasive. I don't know, it's because you're capturing everybody that's coming along the street and they're being used by the police in some circumstances. Yes. I do have a camera, but it's what I call my nature camera and it's not online and I stick it on the back fence and I get shots of the fox that walks along my back fence.
GRAHAM CLULEY. I didn't know you're a naturist.
RORY CELLAN-JONES. Thank you very much. I am invading the privacy of the fox, and I apologize for that, but it is not in the cloud. The fox is off the cloud.
CAROLE THERIAULT. And here the fox is really trying hard to build a social media profile.
GRAHAM CLULEY. End-to-end encryption isn't just for messengers. You use Signal to chat in private, but what about your documents? Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you've created. Unlike Google Docs, Evernote, or Notion, no one else, not even Skiff, ever has access. Skiff is offering listeners of Smashing Security early access. Sign up for Skiff's beta at skiff.org/smashing. That's S-K-I-F-F dot org slash smashing.
CAROLE THERIAULT. According to the OneLogin I Am OK mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic. In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected. And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone. Smashing Security listeners are invited to attend their live event on Wednesday, May 26th for free. It's called Keeping the Mind Clear and the Company Secure. Learn more at smashingsecurity.com/1loginiamok. That's smashingsecurity.com/1loginiamok. And thanks to OneLogin for supporting the show.
GRAHAM CLULEY. The perfect solution for companies of all sizes, 1Password is quick to deploy, simple to manage, and fits seamlessly into your team's workflow so you can secure your business without compromising productivity. All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices. See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised so you can update passwords right away. Find out more and try 1Password for free for 14 days at 1password.com. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
RORY CELLAN-JONES. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week, I ruminated for a long time. I thought, oh, there's a great book that's out now called Always On by Rory Cellan-Jones. I thought, should I plug that? No, he'll probably be doing it. Instead of that, I want to go back to my childhood. And I remember if I was bunking off school, if I was a little lad and I had a stomachache, I might see some daytime television.
CAROLE THERIAULT. We talking '32, '33 here or?
GRAHAM CLULEY. Not 1932 or '33, no, I'm talking about 1970s is what I'm talking about. And there used to be a TV show on, on ITV. I very rarely watched ITV. We weren't really allowed to watch ITV in my household. Pure BBC house.
RORY CELLAN-JONES. But, um, quite right.
GRAHAM CLULEY. There was, quite right. There was a programme which at the time I found deathly boring. I thought this is the worst thing on television ever. Which was called Crown Court, which was a courtroom drama. I think that's Mastermind, Rory.
RORY CELLAN-JONES. Oh, you're right. It was similar though.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. It was similar. I was about to launch into the Z-Cars theme. It was something like that. Anyway, it was set in the fictional city of Fulchester, and actors would act out the court case. But the jury, Krowl, was made up of members of the public.
RORY CELLAN-JONES. Okay.
GRAHAM CLULEY. And so they sat there like a jury, just, and at the end they had to say guilty or not guilty. And the actors—
CAROLE THERIAULT. It was like a faux court. Like a faux court.
GRAHAM CLULEY. Well, yes, yes. And it was made up stories. It wasn't like Judge Judy. I don't want you getting the wrong idea of what this was.
RORY CELLAN-JONES. It was classy. It was classy. It was classy.
GRAHAM CLULEY. With proper actors in it. And that's one of the reasons why I love watching it, because you see all these old— because I love a bit of retro television. Anyway, so I have found a website, and this is one of the things I love about the internet. I've found a fan website for Crown Court. Okay. And it's called Fulchester Crown Court, where they analyze the episodes. There've been 879 episodes of Crown Court, it turns out.
RORY CELLAN-JONES. It was every— it was lunchtime every day. It was, yes, Monday to Friday lunchtime. Yeah.
GRAHAM CLULEY. It was stripped throughout the week.
RORY CELLAN-JONES. It wasn't expensive. It wasn't— it wasn't—
GRAHAM CLULEY. No.
CAROLE THERIAULT. I'm going to have a watch then at cocktail hour, just see what it's all about.
UNKNOWN. Yeah.
GRAHAM CLULEY. Oh, okay. It's all on one set, Carole. It's not like Line of Duty. It's— But that's what I love about it.
CAROLE THERIAULT. I don't mind it. It's like a play. Yeah.
GRAHAM CLULEY. I was watching an episode from 1978 called The Jawbone of an Ass.
CAROLE THERIAULT. Of course you do. Of course you were.
GRAHAM CLULEY. It has been alleged that someone fractured his brother-in-law's jaw with a frozen leg of pork, and he's been charged with GBH. So I was watching this, and it's marvellous. And the guy who's accused— I won't give away whether he's guilty or not— was Dougie Brown, who you may remember as a stand-up comedian. Turns out he's an actor. I was watching another one about this treasonous guy. There's Richard Wilson in there. You would—
RORY CELLAN-JONES. I don't believe it.
GRAHAM CLULEY. I don't believe it. Michael Elphick as well. Michael Elphick. And they're in it.
RORY CELLAN-JONES. Can we just have more Graham Cluley impressions of great British actors? Or do you do Michael Caine?
GRAHAM CLULEY. Not a lot of people know that, Rory.
CAROLE THERIAULT. I could be doing the dishes right now.
RORY CELLAN-JONES. I just want you to know that. Yeah. Anyway, I've been washing my hair and that doesn't take long.
GRAHAM CLULEY. I will put some links in the show notes. I quite enjoy it. It's very 1970s. I didn't appreciate it as a kid, but now, in the, as my days are getting shorter.
CAROLE THERIAULT. You're in your 50s.
UNKNOWN. Shut up.
GRAHAM CLULEY. As the sun is setting, it's the sort of gentle television I enjoy. Go and check out Fulchester Crown Court, the website. Link's in the show notes, or indeed go and watch some episodes of Crown Court yourself. Now, Rory, what's your pick of the week?
RORY CELLAN-JONES. Well, my pick of the week is so classically British and dull at first sight. It's the weather. The weather has been absolutely insane for the last—
GRAHAM CLULEY. bonkers.
RORY CELLAN-JONES. It's the thing that all Brits are talking about at the moment. So we were locked down last year. Last year, the lockdown, at least the first lockdown, happened in glorious spring weather. This year, April was incredibly cold, grey, and dull. Not a drop of rain. May has been torrential rain, followed by a brief bit of sun, followed by torrential— you never dry out. And it's been driving me up the wall. But it is one thing it has taught me is respect, for once, for the science of weather forecasts. Interesting, because we are all, and we particularly in recent weeks when you have been allowed to have people in your garden but not inside, have been obsessively looking at the weather app.
CAROLE THERIAULT. It's true.
GRAHAM CLULEY. Yes.
RORY CELLAN-JONES. Now we, my wife and I, have a drink every Sunday evening with two sets of neighbours, and we shuttle between our houses. And of course, the last couple of months that has been taking place in somebody's garden. Now, one set of people have a bit of an awning, so you can just about shelter under there, shivering to death, um, while the rain patters down. You know, so desperate are we for a drink with friends that we would do that. We don't, so we are very dependent on staring at this— these apps. And the sad truth is they have become pretty— we all mock the weather forecasters because we always notice when it's wrong.
GRAHAM CLULEY. Be careful, Rory, my father was a weatherman.
RORY CELLAN-JONES. Oh well, I'm about to give respect to other persons because actually they are now pretty darn good. And I'm looking out right now, I'm in my loft in Ealing, every 10 minutes it lashes down with rain. But I'm looking at the BBC weather app, actually. And you just have to learn to read it properly, because every symbol for the next 4 hours is sunshine and showers. And you think, how good is that? How useful is that? But then I've just noticed there is a likelihood of rain percentage: 76%, 72%, 61%, 46%. So you could be pretty damn sure that it is going to rain. And even better, Dark Sky, which is a more bespoke app, is telling me that rain is going to stop in 60 minutes, followed by light rain, followed by light rain, followed by mostly cloudy. Anyway, the point I'm saying is the science behind this has got great, but this will never satisfy people. It tells us something about our attitudes to technology of all kinds. We, you know, 200 years ago, maybe 300 years ago, they used to cut open the belly of a goat and look at the liver and say it's going to rain on Sunday. And when the seer who did this got this wrong, he was beheaded. And we're still the same today. No, now we've moved on. We've put a lot of science behind it. Meteorologists use supercomputers. I think the Met Office in Britain has just announced a huge investment in a new supercomputer.
GRAHAM CLULEY. Yeah.
RORY CELLAN-JONES. And they do get it pretty accurate. I mean, British weather is probably more difficult to predict than any other because it changes so rapidly. And for instance, when there's snow, the boundary between people who've got snow and people who haven't is incredibly difficult to predict. And they will— there'll be outrage all over Twitter when people were promised snow and didn't get it. So I say, let's hear it for the weather forecasters, because pretty much, you know, 80% of the time, on the most difficult thing to predict that there is, they get it right.
CAROLE THERIAULT. Huzzah for weather people!
GRAHAM CLULEY. What if Elon Musk brought out a blockchain-powered weather app? Would you be using that, Rory?
RORY CELLAN-JONES. No, I would go and whimper in a corner because I spend I must design a filter in my email because the word blockchain needs to be excised from existence, from my life. Yeah, yeah. I wish you hadn't said that.
GRAHAM CLULEY. I'm sorry, I've ruined everything.
CAROLE THERIAULT. One thing I would say though is last week we were talking about apps that kind of snuffle information from you and how iOS is now warning of it. And one of the big finds in the New York Times was that weather apps are dastardly in this area. So I would just say to listeners, get weather apps, but get a good one. I also use the BBC weather app. Which I found very jolly good.
RORY CELLAN-JONES. Really jolly good.
CAROLE THERIAULT. Yeah, it is. It's great. But I don't know about any others.
RORY CELLAN-JONES. As I'm sure you were making the point, on iOS 14.5, you will find out whether they are tracking you or not.
CAROLE THERIAULT. So check that first.
RORY CELLAN-JONES. Turn that off.
CAROLE THERIAULT. Yeah. If you're not using Apple, screw them. Well, too bad.
GRAHAM CLULEY. And maybe consider paying. I mean, if there is an app you like, pay for it rather than maybe get the advertising.
CAROLE THERIAULT. But that doesn't necessarily mean they're not going to track you in a way you don't like.
GRAHAM CLULEY. Really? No. Scumbags.
CAROLE THERIAULT. Don't assume just 'cause it's— Yeah.
GRAHAM CLULEY. All right. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, I'm actually a little nervous I did this one before. Look, we've done so many of these, but even if I have, it's a really good one. So it's a podcast called The Hyacinth Disaster. Have I done that, Cluley?
RORY CELLAN-JONES. Oh.
GRAHAM CLULEY. I'll just look it up on our archive page.
CAROLE THERIAULT. Yeah, I'm sure I've shared in that.
RORY CELLAN-JONES. I think in 1973 you did that one.
GRAHAM CLULEY. I'm a long-term listener. No, I think you're clear, Carole. I think you're clear. You're okay.
CAROLE THERIAULT. Okay, perfect. Okay, so because I did hear this a number of years ago. Okay, so the premise is it's the year 2151. It's an audio drama podcast, 7 episodes, 1 series, start, middle, and finish, right? So there's 150 million resource-rich asteroids populating the void between colonized Mars— colonized, Graham— colonized Mars and Jupiter. Basically, there's tons of asteroids full of minerals, and there's super corporations out there that are competing because they're beyond the reach of civilized law. So there's loads of warring going on. And as the name suggests, there is a bit of a disaster that happens to MRS Hyacinth. So there are 7 episodes, and you— it's just, it's so great, the show. It's like really, the soundscape of it is astounding. And I quite love it. And it's quite emotional. Like, I dare people not want to tear up by the end of the 7th show.
GRAHAM CLULEY. So it's like a space opera kind of thing, is it?
CAROLE THERIAULT. Not an opera. You know what I mean?
RORY CELLAN-JONES. Soap opera. Yes, a space soap opera. What's wrong with it? There's nothing— he's being kindly about your choice. He's being enthusiastic.
GRAHAM CLULEY. Thank you, Rory.
CAROLE THERIAULT. I don't feel like soap opera. It's not like, will they get together?
GRAHAM CLULEY. Find out next week. No, it just means, okay, a space drama. Yeah, yes, an audio— Right.
CAROLE THERIAULT. I don't know, maybe I come from North America. I suppose soap opera means something very specific to me. I recommend checking it out if you're into sci-fi audio drama listeners out there. A few listeners, I told them on Twitter, I DM'd a few people looking for other shows and it's coming.
GRAHAM CLULEY. And Hyacinth is the name of a spacecraft, is it?
CAROLE THERIAULT. Yes, MRS Hyacinth is one of the crew, the main crew that you follow in the show, hence the name.
RORY CELLAN-JONES. The Hyacinth Disaster, is that it?
CAROLE THERIAULT. You got it.
RORY CELLAN-JONES. Listen, while you're talking, I'm downloading the first episode.
CAROLE THERIAULT. Good, you'll love it. You'll love it.
GRAHAM CLULEY. Also, the podcast is called The Hyacinth Disaster.
RORY CELLAN-JONES. Disaster, yeah.
CAROLE THERIAULT. Yes, yeah, the podcast is called The Hyacinth Disaster, and that is my pick of the week.
GRAHAM CLULEY. Now, Carole, before we go, we've got an interview, haven't you? You've interviewed Vanessa Pegueros from OneLogin.
CAROLE THERIAULT. Yes, they did some research on mental health in the cyber IT space, and the results are pretty interesting. Check it out. Big welcome to Vanessa Pegueros. Am I saying your name correctly, Vanessa?
VANESSA PEGUEROS. Yeah, that's good.
CAROLE THERIAULT. Okay, I just gotta check. Now, Vanessa is the Chief Trust and Security Officer at OneLogin. OneLogin is a cloud-based identity and access management provider.
CAROLE THERIAULT. Now, what's involved in being a Chief Trust and Security Officer?
VANESSA PEGUEROS. Well, yeah, I have the normal functions that, you know, most security leaders have, such as cybersecurity compliance and some elements of privacy. In addition, I do also have IT, which is a function under me, and that's a little different than most companies because typically security reports into IT. And here at OneLogin, IT reports into security. And I can talk a little bit about why we structured it that way. Fundamentally, we believe that security is foundational to our customers' trust. And trust is a broad topic. It's not just technology, which, you know, a lot of people think security and technology, but trust is a more emotional component of do our customers believe in our product? If we mess up, will our customers give us a second chance? Do our customers believe what we say we're going to do and execute? So to me, it's a business term. And more and more today, because technology is so key to all companies, security is a big element of that trust. And so that's why the title is a little broader at OneLogin, because we're a security company and because we know that fundamentally trust is critical to our customers.
CAROLE THERIAULT. I love that you guys have done that. Now you guys are launching a brand new campaign which coincides with May's Mental Health Awareness Month, and it's called I Am OK. What can you tell us about it?
VANESSA PEGUEROS. Well, the security leaders and security practitioners, the teams, they're under a lot of stress. They've been under a lot of stress even prior to the pandemic, but the pandemic has even made that stress greater. We did a survey of about 250 tech leaders in the March-April timeframe, and 77% of the respondents believe that the pandemic actually increased their work-related stress. And 86% of the respondents reported their workload increased during the pandemic. So not only did the stress increase, but the workload increased. So really a result of a few things. One is the threat environment is just getting greater and greater. There are more people attacking more, you know, companies, their systems. And there's also this concept of, you know, where actually the surface area of potential exploitation, which means that there's more ways for hackers to actually compromise or break into systems. If you think about you're using cloud systems and you're using third-party SaaS applications and you have multiple devices, you have your laptop and your phone and your tablet, there's more and more places for hackers to actually compromise or exploit the person, the individual, depending on the type of service they're using or the device. So this is just making the job of security professionals more and more difficult.
CAROLE THERIAULT. Totally. Because if you think about it, I think back to, I don't know, maybe even 20 years ago, you had an 8-hour window to try and get someone attacked. The environment has changed so, so, so much. So I'm not surprised actually that IT people are finding the pandemic to be even more stressful. That means they now have to look after remote workers all over with different environments that they're not in charge of.
VANESSA PEGUEROS. Yes, exactly. And I think that's the fundamental difference with the pandemic. There were some modern enterprises such as like here at OneLogin, we were already very distributed. There were people working from home. We were used to that already, but there are more, like I'd say more mature companies that have been around a long time, that a smaller percentage of their workforce was actually working from home. And they had to make an abrupt shift and like all of a sudden had to get all these people equipped with laptops and make sure the right security controls were in place to do the best they could while they were working at home. And all of that had to happen very quickly. And that was incredibly stressful on the IT teams, but also the security teams. And I separate those two because they have different functions. And as I mentioned, we here at OneLogin have IT underneath the security team. And the main reason we do that is because we want the IT priorities to be driven by security. We don't want it the other way around. Security is our number one value in the company. And we wanna make sure that all the activities and work done by our IT team are driven by security priorities. So that's why we have it embedded within the security team versus security being embedded in the IT team.
CAROLE THERIAULT. So this is a bit left field, but if a company was thinking, listening to you right now, Vanessa, and thinking, this is smart, like, I like this idea of security being above IT, what would be some of the things that they need to consider to make that shift within their environment?
VANESSA PEGUEROS. It's a complete cultural shift for some companies that have been around for a long time. Obviously, you would have like a fundamental challenge with the traditional approach of the CIO and the CISO, the Chief Information Security Officer, reporting to the CIO. So there's organizational challenges and cultural challenges around that. There's also the security leader needs to be, if you're going to kind of have that structure, the security leader needs to be very well equipped to deal at the business level as the CIO has done for many years. So they become a true business leader. And I think that's fundamentally happening and changing already today because security is becoming such an important issue. It's at the board level. It's definitely at the CEO level. And the other big difference we have here at OneLogin is I report directly into our CEO because, again, security issues are so important. I can't be layered down. I need to be directly sitting at the table with my peers who lead up engineering and product development and marketing, and I need to be able to weigh in on those decisions. That is something I think is a trend that will grow in the future as security becomes more and more of an issue.
CAROLE THERIAULT. If you think about this campaign, the I Am Okay, I wonder if a lot of the stress comes from the immense responsibility put on IT people and the responsibility they have, especially during the pandemic, but the lack of ability to make calls. They still have to go begging with their hat to different people to get money or resource to do things. And they end up— in my experience, they've ended up having to shelve things they really want to do, and it is good for the business, because it's just too complicated and they're putting out too many fires.
UNKNOWN. Then knowing you have all the accountability and the responsibility, but you have no authority, you have no real influence, you can't, uh, really impact your outcome. And that is an incredible stressful formula. And so I think that that is one of the reasons the structure is very important, so that— and, and then you can also ensure that your CEO and your board has full awareness of the issues in the organization and can make better business decisions. So, a lot of times I feel bad for security teams that are buried down in organizations and they're trying to tell everybody about all the things that are wrong, but nobody's listening to them. It never makes its way up to the right people to really be informed about the risks.
CAROLE THERIAULT. Do you think it's a good idea to tell IT directors and VPs of IT out there to raise awareness, champion the security advisor they have that is responsible for this stuff and listen to them, because while they may think they're a bridge, right, to the upper echelons, they may be acting as a hindrance to trying to get the business more secure and more streamlined?
UNKNOWN. Yes, that's true. And that's where you get into the people, you know, human behavior and people's goals and aspirations. And it's very difficult for sometimes human beings to step aside and say, hey, I might not be, I need to move aside and figure out a better way to deal with this. But I think you're right. We need to make space for that messaging to go up to the right level of the organization. So, you know, as I said, better decisions can be made.
CAROLE THERIAULT. Getting back to your campaign, all these people being stressed out, which I completely understand, what were their coping mechanisms? Were they any different from the rest of us?
UNKNOWN. Well, unfortunately, I think that in my experience within security, I've seen some both positive and negative coping mechanisms within the profession. If you go to any security conference, whether it's Black Hat or RSA or, you know, these are big ones in the US, there is typically a lot of drinking. I think alcohol abuse, substance abuse is a big problem within our area of, you know, with security and even IT. And I think that this is becoming something that's being surfaced more and more as an issue. And one of the good things about our survey is it did emphasize, which was a little surprising to me, that about 3/4 of the survey respondents believe their organization valued their health and well-being. So this is like— Wow. Organizations are starting to— to realize this is a very stressful role and we are concerned about you. And we need to get people into positive mode around how to cope with this stress. So I think that's one of the goals of this panel discussion we're going to be doing on March 26th.
CAROLE THERIAULT. Yes, tell us about this panel. So listeners, you will be able to attend this panel and learn all of the stuff that they've found in their survey and plus meet a few people. So Vanessa, So tell us, tell us what will happen on that day.
UNKNOWN. Yeah, so we have a panel, myself and two other CISOs, as well as a mental health professional, that we're gonna sit together and talk about some of the challenges that we have around stress. We're going to talk about some real experiences around incidents, security incidents and breaches, and how that impacted us at a personal level. The mental health professional will talk about some of the coping mechanisms that are important. And we're going to just talk about, just generally have a very kind of a very free-flowing conversation on the general challenges of this for ourselves as leaders, but also for our teams, and come up with some recommendations on things we should be doing.
CAROLE THERIAULT. I'm actually really thrilled you guys are doing this. I've been in the industry 20 years maybe, and I've had vague nods towards, "Hey, you guys okay? Get back to work." So in the infosec industry, it seemed, my takeaway of working in really hardcore corporateville was if you were very capable, people recognized that and leaned on you more. Everyone has their limits. There's a straw that breaks the back at some point. One tiny thing that can just do it. And being able to talk about it is a huge, huge thing for people. They're not isolated. Isolated.
UNKNOWN. Yeah, yeah. And they're not the only one feeling this. And I think that's going to your point around isolation. Sometimes people suffer in silence. They think they're the only ones that are feeling this. But this pandemic has been impacting— all of us have been suffering in our own way and loss, different kinds of loss, some much more severe than others. Coming together as community, I think, is super important during these tough times. I do think that there are definitely, you know, some interesting notes that we got in our survey, which was that the respondents who basically said that in order to cope with their stress, 80% of them turned to exercise and 40% relied on meditation.
CAROLE THERIAULT. Wow.
UNKNOWN. People are figuring this out. Even despite that, they still said 24% of our respondents still indicated that alcohol and drug use were common in how they were dealing with the issues or their stress. So it's still a problem, you know, and we have to continue to work on it.
CAROLE THERIAULT. What are your, your tips for trying to calm down in a stressful environment? If you are an IT lead and you just can't hack it anymore, what advice do you have to these people?
UNKNOWN. Well, you know, it's situational. So there's different techniques I use. So during an actual situation, like a security incident, the first thing I do is actually take deep breaths. Just got really bad news, you know, like, oh, let me just breathe here. One of the most important things during crisis is to keep yourself calm, especially as a leader, because as a leader, if you're not calm, the people around you are not going to be calm. What's— what's the worst thing you can, uh, experience? It's when your leader is, is, um, freaking out. Freaking out. And they're— and, and then, you know, the thing you feel is like, I need to freak out if my leader's freaking out. So, um, so it— as a leader, we need to stay calm. And I think, uh, breathing helps me personally. Uh, I try, uh, to exercise, uh, every— as much as I possibly can, which is usually 3 to 4 times a week. And that really helps me with controlling, in a more long-term sense, my stress. So, you know, again, very depending on the situation. Yoga, getting outside and being in nature is very calming to me. Getting, you know, I like to, love to go, especially when the weather gets good around here in Seattle, is I love to, you know, go out, get out in the woods and walk, you know, just get, get in the mountains and, and relax. Uh, nutrition, what you eat is super important. And it's like, you know, I feel better when I eat better. If I, you know, I found and experienced, uh, you know, during a security incident, people eat all kinds of junk food and they're stress eating. So I think that's important. And probably one of the number one things is sleep for me. I need to get— I know it sounds like a lot because I talk to people and they're like, "I barely get 5 hours." I need like 8 hours of sleep. And I really will strive to get that level of sleep. And so I can think better the next day. There are problems that I can't solve prior to going to sleep. I go to sleep, the next day I'm like, oh, I got it. I figured this out, you know? So I think it's that time we need to give our body to recharge.
CAROLE THERIAULT. You're totally right, Vanessa. I swear, if I could have you as my chief trust and security officer, someone who sleeps, does everything right, it would be amazing because a lot of us aren't doing everything right at the moment. And, um, we should take a page out of your book.
UNKNOWN. I do have— oh, I have to say, I'm not— um, nobody's perfect. So I do, I do have my, uh, my moments where I'm like, okay, I need to open some wine and have a drink.
CAROLE THERIAULT. But Vanessa, thank you so much for taking the time to chat to us today. Is there anything else you want to share with our listeners before we sign off?
UNKNOWN. No, I just hope, um, you know, you— everybody realizes, whoever's listening, if you're under this kind of stress, you're not alone. Come and listen to our panel on March 26th. And if you bond with community, that's going to help you be stronger.
CAROLE THERIAULT. Yep. I can't say it any better. Vanessa Pegueros, thank you so much for your time today.
UNKNOWN. Thank you.
CAROLE THERIAULT. Listeners, sign up to this event, Securing the CISO: Keeping the Mind Clear and the Company Secure, for free by visiting smashingsecurity.com/1loginiamok.
GRAHAM CLULEY. Excellent stuff. And that just about wraps it up for this week. Rory, I'm sure lots of our listeners would love to follow you online and maybe find out about your book as well. What's the best way for folks to do that?
RORY CELLAN-JONES. I don't tweet about the book at all, but if you go to @ruskin147, I've also put my toe in the water of Substack. Do you know that?
GRAHAM CLULEY. Yes.
RORY CELLAN-JONES. I've got a newsletter about the book, Substack Rory Cellan-Jones. So have a look for that.
GRAHAM CLULEY. Fantastic.
RORY CELLAN-JONES. Yeah, I won't bang on about it too much. Just only every half hour.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. And you can also join the Smashing Security subreddit, and don't forget, if you want to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts. And if you fancy it, maybe give us a review, tell your friends, do something like that. We'd love it. Go on.
CAROLE THERIAULT. And huge thank you to this week's episode sponsors, OneLogin, Skiff, and 1Password. And thank you to all our Patreon supporters too. It's thanks to all these people that this show is free for all. For episode show notes, sponsorship details, information on how to get in touch with us, and the last 227 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye-bye.
RORY CELLAN-JONES. Bye-bye. What you're saying is we are of a level of sophistication able to appreciate this and Graham is not. Is that what you're trying to say?
CAROLE THERIAULT. Well, Graham just doesn't really like this sort of thing. He just pooh-poohs audio dramas all the time.
GRAHAM CLULEY. Well, I'm all right with radio drama on Radio 4, which comes from the BBC. I'm just not so sure about podcast drama.
CAROLE THERIAULT. Yeah, well—
GRAHAM CLULEY. For some reason it just feels wrong.
RORY CELLAN-JONES. Well, I shall try it.
GRAHAM CLULEY. I'm going to go back and watch Crown Court. That's where I should be.
CAROLE THERIAULT. That's exactly where you should be. There you go.
-- TRANSCRIPT ENDS --