229: Dating leaks, right to repair, and a stinky bishop

A big cheese ends up in jail, a Japanese dating site spills the dirt after a hack, and we learn all about the right to repair.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Roberts from The Security Ledger.

Plus don't miss our featured interview with Javvad Malik from KnowBe4.

Visit https://www.smashingsecurity.com/229 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Javvad Malik and Paul F Roberts.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

PAUL ROBERTS. Maybe for our benefit, could you describe what a Stilton cheese tastes like? Because I might, it might add a little bit to that.


GRAHAM CLULEY. Ah, yes. So a Stilton cheese tastes a bit like, you know when you've been wearing socks for about 6 weeks nonstop and you have some kind of fungal infection?


CAROLE THERIAULT. But delicious socks, not like gross socks.


GRAHAM CLULEY. Yes. And you've maybe been walking around in some damp fields.


CAROLE THERIAULT. Nice fields, beautiful fields. With flowers and stuff.


PAUL ROBERTS. Just in your socks, just no shoes. Exactly. Just walking in the socks on the ground.


CAROLE THERIAULT. And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.


GRAHAM CLULEY. And then you put them in the airing cupboard or the microwave for a few minutes. And it's, oh, it's very, oh my goodness, it's quite, oh.


CAROLE THERIAULT. It's fricking delicious.


UNKNOWN. Smashing Security, Episode 229: Dating Leaks, Rights to Repair, and a Stinky Bishop with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 229. My name's Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. And we are joined this week by a special guest, someone who hasn't been on the show before. It's Paul Roberts from The Security Ledger. Hello, Paul.


PAUL ROBERTS. Hey, Graham. Hey, Carole. How are you?


CAROLE THERIAULT. Good. It's been a long time, Paul.


PAUL ROBERTS. It has indeed. Years, years since we've seen each other.


GRAHAM CLULEY. I think decades, actually.


CAROLE THERIAULT. I'm actually embarrassed you haven't been on the show before. Well, don't be.


GRAHAM CLULEY. We might be embarrassed after the show's recorded as well that he's been on the show.


CAROLE THERIAULT. That's true.


GRAHAM CLULEY. Let's put it that way.


CAROLE THERIAULT. Let's see what happens.


PAUL ROBERTS. This could be a disaster.


CAROLE THERIAULT. Paul, for our listeners that don't know you, what can you tell them? What do they need to know about you?


PAUL ROBERTS. I'm the editor-in-chief and publisher of the Security Ledger, securityledger.com, which is a cybersecurity news website since 2012. And I'm the founder of securerepairs.org, which is a group of smashing security and information technology professionals who support the right to repair.


CAROLE THERIAULT. Okay, so all we need now is to thank this week's sponsors, 1Password, 1Login, and KnowBe4. Their support helps us give you the show for free. Coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about cheese.


CAROLE THERIAULT. Whoa, got bored of cyber? Okay. And Paul, what about you?


PAUL ROBERTS. I'm going to be talking about the right to repair and cybersecurity.


CAROLE THERIAULT. Super. And I'm going to be looking for love in Japan. Plus, we have an interview with Javvad Malik from KnowBe4. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, do you have a secret stash? Do you have a secret stash, Carole?


CAROLE THERIAULT. I have many things, yes. Paul?


PAUL ROBERTS. Yeah, I absolutely do.


GRAHAM CLULEY. Yeah? What sort of stash do you have?


CAROLE THERIAULT. None of your fucking business. Come on.


PAUL ROBERTS. Exactly, Graham. If I were to tell you, then it wouldn't be a secret anymore, would it?


GRAHAM CLULEY. Very true. Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, Creeping tippy-toe down the stairs, opening the fridge, and hallelujah! There, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies: some stinky cheese.


CAROLE THERIAULT. No, in the middle of the night?


GRAHAM CLULEY. No.


CAROLE THERIAULT. You know what, I've always wanted to be one of those people. When I was a kid, I used to obsess about being able to do that when I was older. I could go down to the fridge, no one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.


PAUL ROBERTS. I often have cravings just before bed, but I really try and resist them. But I must say, Graham, I have never craved cheese.


GRAHAM CLULEY. A soft little one like a French brie, something hard like a cheddar.


PAUL ROBERTS. You're selling it. The way you say it, I feel like I should be eating cheese before bed.


CAROLE THERIAULT. Yeah, do you have a cheese platter in your fridge already for your 4 o'clock munchies?


GRAHAM CLULEY. With my Jacob's cream crackers at hand and my pickles.


CAROLE THERIAULT. Your chutneys.


GRAHAM CLULEY. Here's the thing. Here's the thing. Cheese is my crack cocaine. I'm not being flippant. Scientists at the University of Michigan, which is in the United States of America. They say—


UNKNOWN GUEST. What are you being local? What?


CAROLE THERIAULT. Michigan, isn't it? Michigan.


PAUL ROBERTS. It's Michigan.


CAROLE THERIAULT. What's the Michigan?


PAUL ROBERTS. It sounds like—


CAROLE THERIAULT. Gloucestershire. That's what you just did.


PAUL ROBERTS. Not McChicken.


CAROLE THERIAULT. Yeah, not McChicken.


PAUL ROBERTS. That is something different.


GRAHAM CLULEY. Frittermanga. Anyway, those boffins, they say that cheese triggers a part of the brain in a similar way to addictive illegal drugs. So, I thought it would be fun if we could play a little game. I am going to give you a name, and you, you are the contestants, Paul and Carole. You have to tell me if it is a cheese or something else narcotic. Okay? Are you ready to play the game? Okay.


CAROLE THERIAULT. I might—


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. I don't know if I'm going to be good or bad.


UNKNOWN GUEST. Cheese or wheeze?


GRAHAM CLULEY. Let's decide.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. I am ready.


PAUL ROBERTS. I was born to play this game.


GRAHAM CLULEY. Stinky Bishop. Stinky Bishop.


CAROLE THERIAULT. Cheese.


GRAHAM CLULEY. Cheese. Pull.


PAUL ROBERTS. I'm gonna say that's cheese, yeah. Yeah, sure.


GRAHAM CLULEY. It is a cheese. It's also an unpleasant medical condition produced by— produced since 1972 from the milk of Gloucester cattle. Has a distinctive aroma, made famous in a Wallace and Gromit movie. Okay, next one. Poochie love. Poochie love.


CAROLE THERIAULT. That is not cheese. I don't still know what illicit is. So, I'm gonna say not cheese.


PAUL ROBERTS. I'm gonna break it. I'm gonna say that is cheese.


GRAHAM CLULEY. Well, it's a strain of marijuana. The old Mary Jane.


CAROLE THERIAULT. The jazz cigarettes.


GRAHAM CLULEY. Okay, next. Dirt lover. Dirt lover.


CAROLE THERIAULT. That's gonna be not a cheese. Not a cheese.


PAUL ROBERTS. Yeah, I'm with Carole on that.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. Dirt Lover comes from the Green Dirt Farm in Missouri. It is a cheese covered in a layer of vegetable ash. It's also a sexual fetish, of course. Okay, next.


UNKNOWN GUEST. Next.


GRAHAM CLULEY. Shatner's Bassoon. Shatner's Bassoon.


CAROLE THERIAULT. That is not a cheese. Ah.


PAUL ROBERTS. I feel like there's some inside knowledge here that I lack. So I'm gonna break with custom, Carole, and say that is a cheese.


CAROLE THERIAULT. I swear to God, there's none.


GRAHAM CLULEY. No, Carole is right. It's a made-up drug. Fat Bottom Girl. Fat Bottom Girl.


PAUL ROBERTS. Not a cheese.


CAROLE THERIAULT. Not cheese, I agree.


GRAHAM CLULEY. It is a cheese. Oh!


CAROLE THERIAULT. From where?


GRAHAM CLULEY. From somewhere. Goes well with red wine, apparently.


CAROLE THERIAULT. I love that you do your research.


GRAHAM CLULEY. It has flavours of almonds, butter, slightly tangy sweetness. Also a song by Queen. And finally, purple monkey balls.


CAROLE THERIAULT. Definitely a cheese. My favorite cheese.


PAUL ROBERTS. Wait, what is it again?


GRAHAM CLULEY. Purple monkey balls. You're not going to get it. It's a strain of marijuana again.


UNKNOWN GUEST. Yeah.


PAUL ROBERTS. Yeah.


CAROLE THERIAULT. Why are you talking about marijuana all the time?


GRAHAM CLULEY. Because I've explained that cheese are my type of drug.


PAUL ROBERTS. Is marijuana legal in the UK?


GRAHAM CLULEY. Oh, no, no, no, no, no. No? I don't have any of that sort of nonsense.


PAUL ROBERTS. Because here in Massachusetts, it is legal.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Are you constantly high?


PAUL ROBERTS. No comment.


CAROLE THERIAULT. No comment.


GRAHAM CLULEY. Well, a blue Stilton is my crystal meth. I know it's bad for me, but it's irresistible. I would sell my kid's bike. I'd become a rent boy if I thought I could fund my love of a stinky bishop. But some people, some people aren't like me. Some people haven't gone as deep into vice as me, and they've contented themselves with the likes of cocaine, heroin, MDMA, horse tranquilizers, that kind of thing.


CAROLE THERIAULT. Paracetamol.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. We all have our vices.


GRAHAM CLULEY. Yeah, we've all got our vices, right? Some people go to street corners to score. I go down to Waitrose and breathe in the contents of the cheese counter.


CAROLE THERIAULT. Some people do yoga, you know.


GRAHAM CLULEY. Exactly. Everyone's got their thing, right?


PAUL ROBERTS. Cheese strikes me as a very English thing. And it's not just from the Wallace and Gromit, but I mean, of course, here in the United States, we are defined by American cheese, which if you've ever had it, That's not cheese at all.


UNKNOWN GUEST. No.


PAUL ROBERTS. It's barely cheese. I mean, it's mostly noticeable for being incredibly regularly square.


GRAHAM CLULEY. Well, look, I'm going to switch from cheese now. I'm going to go to—


PAUL ROBERTS. Finally.


GRAHAM CLULEY. Hard drugs, because a chap called Carl Stewart from Liverpool has been a bit of a naughty boy. He used the name Toffee Force and was up to no good on EncroChat. Do you guys know what EncroChat is?


CAROLE THERIAULT. No.


PAUL ROBERTS. New one to me, Graham.


GRAHAM CLULEY. EncroChat is a secure encrypted messaging service. Which runs on modified Android phones. It promises worry-free, secure communications. Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone?


PAUL ROBERTS. Celebrities.


CAROLE THERIAULT. Elon Musk.


GRAHAM CLULEY. It's— well, it's criminals. Yes, of course.


CAROLE THERIAULT. Oh, right.


GRAHAM CLULEY. It is criminals.


CAROLE THERIAULT. Sorry, Elon.


GRAHAM CLULEY. And last year, law enforcement agents across Europe, they managed to crack into EncroChat, proving that its encryption and the security wasn't quite as good as people had imagined. And apparently it had over 60,000 users worldwide, 10,000 in the UK. And everyone thought they were safe with it, right? They thought, I've got this special phone, I've bought it from this French company, EncroChat, and if the cops ever come knocking on my door, all I have to do is enter a 4-digit PIN onto the phone and it wipes automatically all the data from the phone.


CAROLE THERIAULT. So that was their sales point? Was that their sales pitch?


GRAHAM CLULEY. The pitch, it was really, these are totally secure communications.


CAROLE THERIAULT. We don't save anything, you can delete everything from your phone, no one can find it, bish bash bosh. Okay.


PAUL ROBERTS. So it wasn't just the app, it was the phone hardware itself.


GRAHAM CLULEY. It's a modified version of Android, that's right. Special phones. And this has been quite a big deal. They've arrested lots of people having cracked into EncroChat. And they had this chap, Carl Stewart, who they suspected was supplying large amounts of Class A and Class B drugs under the name Toffee Force. How could they prove this? Well, it turned out that this chap Toffee Force was a lover of Stilton cheese.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Not just any Stilton cheese, but the kind of mature blue Stilton cheese you buy at Marks & Spencer.


CAROLE THERIAULT. Which is all right. It's not like the best or anything.


GRAHAM CLULEY. Well, according to that—


CAROLE THERIAULT. I'm a cheese nut. No.


GRAHAM CLULEY. Well, according to the packaging, it says delicately rich and creamy. And he, I mean, he was from Liverpool. He wasn't gonna have some glamorous exotic cheese.


CAROLE THERIAULT. He probably watched the Marks & Spencer's ad. You know, it's a woman, you know, who'd go like, this is not just any cheese. This is a Marks & Spencer's, blah, blah, blah.


GRAHAM CLULEY. Okay, maybe for the—


PAUL ROBERTS. I think it's not the moment.


GRAHAM CLULEY. Maybe for our benefit.


PAUL ROBERTS. Could you describe what a Stilton cheese tastes like? Because it might add a little bit to that.


GRAHAM CLULEY. Ah, yes. So Stilton cheese tastes a bit like— you know when you've been wearing socks for about 6 weeks nonstop? And you have some kind of fungal infection.


CAROLE THERIAULT. But delicious socks, not like gross socks.


GRAHAM CLULEY. Yes. And you've maybe been walking around in some damp fields.


CAROLE THERIAULT. Nice fields. Beautiful fields.


PAUL ROBERTS. With flowers, just, just in your socks, just no shoes, just walking in the socks on the ground. Yeah.


CAROLE THERIAULT. And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.


GRAHAM CLULEY. Then you put them in the airing cupboard or the microwave, uh, for about— for a few minutes, and it's, it's always very— oh my goodness, it's quite—


CAROLE THERIAULT. it's freaking delicious.


GRAHAM CLULEY. It is delicious.


CAROLE THERIAULT. Really good Stilton is like a cream because it's so— anyway, it's delicious. If you like blue cheese and you haven't had it, yeah, do it.


GRAHAM CLULEY. It's good.


PAUL ROBERTS. It's good. Okay, it sounds like a full-body experience.


CAROLE THERIAULT. You want it in a jar. That's all I'm saying. Not in a packet. In a jar. That's when it's scraped off the socks.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. It will try and infect everything else with the smell.


CAROLE THERIAULT. Yeah, your whole fridge.


GRAHAM CLULEY. It's not as bad a smell as a— is it a durian fruit, Crow?


CAROLE THERIAULT. Durian, yeah.


PAUL ROBERTS. Yes, which I've never smelled, although I have seen film of people smelling it and tasting it. I've heard it is quite decent.


GRAHAM CLULEY. I had a friend once.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. Who will remain nameless, who tricked me into eating a chocolate without telling me it contained durian fruit.


CAROLE THERIAULT. It's like, I came down and I was like, it's the most delicious chocolate ever. Oh my God. Oh my God.


PAUL ROBERTS. Here's one.


CAROLE THERIAULT. Gotta have it. Oh my God. It's so good. Oh my God. Graham, try it. And he just shoved it right in his face. And I just watched.


GRAHAM CLULEY. The durian fruit tastes a bit like sewage, doesn't it?


CAROLE THERIAULT. I don't know. I didn't try it.


GRAHAM CLULEY. I can tell you it does.


PAUL ROBERTS. What is the thing with durian fruit? Why are people— it's like a delicacy, particularly in Asia, I hear.


CAROLE THERIAULT. It's a delicious— I think it's a delicious texture and delicious taste, but a horrible smell if raw and improperly prepared.


GRAHAM CLULEY. I think you're not allowed to transport it on passenger airlines. Is that right?


PAUL ROBERTS. Yes, it's too smelly. What did that chocolate taste like, Graham?


GRAHAM CLULEY. I can't remember the chocolate part of it.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Anyway, back to Stilton cheese, which is nothing like durian fruit. It is a delicacy, but quite pungent. Anyway, so this chap, right? This chap called Stewart, Toffee Force. What he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand. While standing in the aisle of Marks & Spencer. And from that picture, just of his hand holding the cheese, the police were able to identify him. And that's—


CAROLE THERIAULT. Oh my— Did they magnify his fingerprints?


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Shut up!


CAROLE THERIAULT. Shut up! CSI!


PAUL ROBERTS. See, I would have thought they went back and looked at surveillance film and found the guy holding a cheese and his cell phone up.


GRAHAM CLULEY. That could have been me. That could have been me holding the cheese.


CAROLE THERIAULT. At 4 AM in the morning.


PAUL ROBERTS. That might happen hundreds of times a day in the UK, though.


GRAHAM CLULEY. So the Met Police now, they've arrested more than 60 people, many of whom have been charged with serious drug trafficking or firearms offences. Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and 6 months in the clink.


CAROLE THERIAULT. I can't remember what he did now. All I remember is he liked cheese.


GRAHAM CLULEY. He was trafficking— He was trafficking in horse tranquilisers and heroin.


PAUL ROBERTS. And so he obviously had had a record and had prints on file with law enforcement prior to this, I guess.


GRAHAM CLULEY. Well, they'd already arrested him, so maybe they took his prints then and matched them to the ones in the evidence. Oh, right.


UNKNOWN GUEST. Right.


PAUL ROBERTS. There we go.


GRAHAM CLULEY. That is a level of detail which I would expect a serious reporter like those at the Security Ledger to investigate rather than me.


CAROLE THERIAULT. Yeah, don't leave it to Graham.


GRAHAM CLULEY. Paul, what have you got for us this week? What are you here to talk about this week?


PAUL ROBERTS. Well, I'm here to talk about the right to repair.


GRAHAM CLULEY. What is a right to repair?


PAUL ROBERTS. Okay, so a right to repair is basically what it sounds like. It is a legal right, in other words, written into law, that gives you as the owner of a thing the right to repair it. And usually what that means practically, because you'd be like, well, I can repair it. But these days, increasingly, because everything we use basically has software on it, and also these days digital locks, right? Like DRM, digital rights management software. Um, owners need more than just the, the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it. Uh, if there's a part, a component on a circuit board that has, uh, burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair. And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who, you know, get access to these tools and parts and information, then you also need to make that available to, you know, your customers, the people who own the device and basically their agents, people they might hire to do a repair. So independent repair shops.


CAROLE THERIAULT. Hallelujah. Right. Because I honestly, it, okay. I'm sorry. I'm already on your side. Sorry, listeners, I didn't keep the tension up, but okay, carry on. I'll get on my soapbox later.


PAUL ROBERTS. So this is a really important thing, and it is something that is a little bit esoteric. I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia, and really has a lot of people paying attention to it. And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, "You know what? This is not fair," or, "This is inconvenient for me," or, "This is costing me money needlessly." I want to do a repair myself.


CAROLE THERIAULT. Could I give you like a situation and you could tell me how the right to repair movement might suggest I would go about it?


PAUL ROBERTS. Yes.


CAROLE THERIAULT. It happened to a friend, definitely not me.


UNKNOWN GUEST. Okay.


CAROLE THERIAULT. But I was on my laptop, right? With a glass of very, very nice whiskey. And then my husband asked me a question and I used my hand to communicate, which I do often. Like, which—


PAUL ROBERTS. F off.


CAROLE THERIAULT. Like, or I love you, probably. And I spilled all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea, but it's not been working really well. So in that sitch, are you saying that that would be something I could say, look, you have to help me try and fix this?


PAUL ROBERTS. So the problem would be this, which would be you did something really common, which is spilled a liquid into your laptop keyboard. And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly.


CAROLE THERIAULT. Moisture. Right. Yeah.


PAUL ROBERTS. Maybe there were some short circuits of components on the motherboard on the computer as the liquid seeped in.


GRAHAM CLULEY. And all the rice that's now stuck to it as well.


PAUL ROBERTS. Who knows what the rice did. So basically you want to fix your laptop and right to repair is really about what are your options as a consumer for getting that laptop fixed. Okay.


CAROLE THERIAULT. Right.


PAUL ROBERTS. And there are generally, in most things in life, there should be 3, which is the manufacturer might offer to repair it or have one of their authorized or licensed repair people do it. You can try to repair it yourself if you're technically inclined, and many people are, or you could hire an independent, in other words, non-authorized repair shop to do it. And generally, it's like with your automobile, right? Your car. If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive. If you bring it to the corner repair shop, um, same thing, they'll be able to fix it, maybe slightly less expensive. Maybe they won't use the manufacturer's OEM parts. Um, but you'll save money. And obviously if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market. The way it works for many devices these days, including your MacBook, you need parts and access to information. So the reality for many consumers today who are in your situation is they take their MacBook to the Apple Store, to the Genius Bar, and they say, mm, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage. We don't do repairs like this. We suggest that you buy a new MacBook.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Yeah, I'm waiting to meet a real genius at the Genius Bar, honestly, 'cause I've been there a lot looking for them.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. 'Cause, you know, I like smart people.


PAUL ROBERTS. And when they say that, it does not mean that that is an unrepairable laptop. It just means it's a repair that the Genius Bar does not do because Apple does not allow them to do it. Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that that would require.


CAROLE THERIAULT. Right.


PAUL ROBERTS. Okay. So they would basically say, why don't you just buy a new laptop? And most people would be like, okay, I'll buy a new laptop. It costs you thousands of dollars. It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth. But that's the way that that system's set up. The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage. But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, okay, Carole spilled whiskey into her laptop. What components actually burned out?


CAROLE THERIAULT. Do I have a vacuum anywhere?


PAUL ROBERTS. What components burned out? What do we need to replace on this? What is broken exactly? And you need software to tell that to you. And Apple has a whole bunch of tools. Tools that they don't make available to non-authorized repair people. They also don't make the parts available. So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are. And they don't give you access to the parts.


CAROLE THERIAULT. I'm such an Apple fangirl. I'm really feeling this right now.


PAUL ROBERTS. It isn't just Apple. So this is in one way or another, it's many device makers, though not all. Companies like Dell and Hewlett-Packard make both parts diagnostic tools and schematics.


CAROLE THERIAULT. They sell you ink services, like £50 a month or something.


PAUL ROBERTS. There are major computer manufacturers who are very pro-repair and have a healthy ecosystem of parts that you can buy inexpensively and access to tools and so on.


GRAHAM CLULEY. So what's the argument that these companies who aren't sort of making it easier to repair things, what's their argument for doing this?


PAUL ROBERTS. They're variations on the same argument that the car dealership would make to you to discourage you from ever going to the corner repair shop, right? Which is our parts are superior to their parts. Their parts are going to break or, and cause you to get in an accident. Our mechanics are PhDs walking around in lab coats and their repair people are grease monkeys without high school diplomas. Um, you know, we care about the safety and privacy of your data and those other people are probably criminals who will steal it and sell it. So it's, it's a bunch of, um, kind of misleading and untrue qualitative statements about the superiority of authorized repair, but there's no data to back up any of those claims, but they make them anyway.


GRAHAM CLULEY. And what do you suspect are the real reasons why they're not doing this?


PAUL ROBERTS. So a couple things, and it depends on the company. In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple. You know, they make money off the Genius Bar, certainly. However, I actually think that that's less of an issue for them than the fact that they really want to try and create a situation where the lifecycle of their phones, particularly, and iPads is as low as possible. They want you to re-get a new phone every 2 to 3 years. And if there are robust repair options that let you extend the life of your phone to 5, 7, 10 years, that has a major impact on Apple's revenue models. For other companies, and I've written a lot about John Deere, a major US agricultural equipment maker, it seems clear that the monopoly on the aftermarket parts and service is the point.


CAROLE THERIAULT. Yeah, that's where you make your money.


PAUL ROBERTS. That's where they're making their money. And service revenue as a percentage of their overall revenue has skyrocketed in the last 10 or 12, 15 years as they've been able to basically lock out independent repair and owners from being able to work on their own stuff.


CAROLE THERIAULT. Fun topic, Paul.


PAUL ROBERTS. Sorry.


CAROLE THERIAULT. I'm sorry. No, no, it's an important topic. I was just kidding. I was just trying to make a little levity there.


PAUL ROBERTS. Yeah, I mean, let me tell you why I think this is really important. Okay, so first of all, let me tell you, do you want the, this is a cybersecurity podcast, so here's the link to cybersecurity.


GRAHAM CLULEY. Right, yes. 'Cause I had plenty in my story, let me point that out.


PAUL ROBERTS. You did, yours was all cybersecurity.


GRAHAM CLULEY. Yes.


PAUL ROBERTS. Okay, so I got involved in this because I started going to like fix-it clinics in and around Boston where you go and just get stuff repaired by people in your community. It's great. Before COVID they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the Right to Repair program at US PIRG, the Public Interest Research Group. And he was talking about the efforts to get this law passed in some of the states in the United States. And he was saying that one of the big arguments against, one of the things that sends lawmakers screaming is cybersecurity. That vendors, OEMs can come in and say, hackers, hacking, data theft, and people kind of run screaming. And I knew enough to know that those arguments were almost certainly not accurate, that there wasn't really a cyber risk in repair and the types of things these laws were asking about that devices get hacked because of other problems. Right? You know, poor configuration, vulnerable software, you name it. And so I started this group Secure Repairs to basically say, listen, as a security community, we should speak with one voice on this and we should speak the truth about what, where security risks are with connected devices and where they aren't. And we should use our influence to sort of try and bend this policy discussion in the right direction. And the right direction being the one based on facts and not fear.


CAROLE THERIAULT. Do you know what though? If I made a cell phone and the world decided, oh my God, I need to have that, and everyone bought it, yes, I would be an absolute control freak about everything about it.


GRAHAM CLULEY. Because, oh, you're not suggesting Apple are control freaks, are you? That's not— that doesn't sound like them at all.


CAROLE THERIAULT. Saying is— I— all I'm saying is I get it, right? Because I understand what you're saying 100%. It makes 100% sense. I agree. I agree. Ethically, morally, I agree.


PAUL ROBERTS. Yes.


CAROLE THERIAULT. But I also can recognize in me, were I the successful creator of this tiny anything that I didn't, and I thought I was so smart and no one else could possibly do as good a job as my people could, which I would, because that's the type of person I am. I would be exactly the same and it would suck. And I would need people like you on my case.


PAUL ROBERTS. If you have a business, why would you not want a monopoly on whatever it is that you do?


CAROLE THERIAULT. Exactly.


PAUL ROBERTS. Right? Who would not want that?


CAROLE THERIAULT. What do you use, Paul?


PAUL ROBERTS. I have an Apple iPhone. I have an Apple iPhone. It's a, you know, it's an older model.


GRAHAM CLULEY. That's why he's hot on all this. He's peeved about every time he has to go to the Genius Bar. They won't blink and fix it. They won't replace his battery.


PAUL ROBERTS. Right.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Cluley, do you remember Yik Yak?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Can you tell our lovely listeners about our plans on Yik Yak?


GRAHAM CLULEY. Well, many years ago, it's probably about 20 years ago.


CAROLE THERIAULT. 20? I thought I put 15 in my notes.


GRAHAM CLULEY. But anyway, Carole, you, I, and our two lovely Croatian friends, we ganged up together to take on the world and create a social networking dating website thing that was going to make us a fortune. And we called it Yik Yak.


CAROLE THERIAULT. Yep. And we bought the domains.


UNKNOWN GUEST. Yes.


CAROLE THERIAULT. And I remember we had one meeting where we were kind of like, okay, how are we gonna parse people's choosing, right? Like, we were making up this algorithm for ourselves, like hair color, height, right?


PAUL ROBERTS. People care about that.


CAROLE THERIAULT. And we had a meeting about discussing all this stuff. But did you ever think about whether people would just use it for hookup versus serious relationship? Did that ever occur to you?


GRAHAM CLULEY. It never occurred to me at all that people might want to have sex. No, that's not a thought which ever crosses my mind.


CAROLE THERIAULT. Well, if we were around today, single, free and easy— Paul, you're not, uh, you're not single and free right now, right?


PAUL ROBERTS. God, no. Yeah.


CAROLE THERIAULT. Yeah, we're all married. Okay. So, okay. But if we were single, we would probably be using dating apps to meet people. And the thing is, apparently the pandemic has changed online dating. There's a shift. So it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right? The Beeb suggested that some of the changes might be here to stay even as life returns to normal, because of course this all has to do with the pandemic. So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps. Yes.


GRAHAM CLULEY. God, how awful would that be?


CAROLE THERIAULT. I love it.


PAUL ROBERTS. I'm kind of surprised that people weren't doing that before. Like, are you really gonna go out and meet somebody randomly? You know, in meat space.


CAROLE THERIAULT. And someone says, once the first lockdown ended, I still preferred initially getting to know people in the virtual world before we went for drinks. I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well.


GRAHAM CLULEY. Okay, all right.


CAROLE THERIAULT. Right, 'cause you're screening. You kind of meet someone, you're like, okay, I don't like you, but you don't have to schlep back home.


PAUL ROBERTS. Is there chemistry over Zoom though? I mean, is that a thing? Like, can you have chemistry with somebody over a Zoom connection?


GRAHAM CLULEY. They wouldn't be able to smell my pheromones.


CAROLE THERIAULT. I'm going to call my husband tonight. I'm going to say, go upstairs to your office. I'll call him on Zoom and I'll see if there's more flirtiness.


GRAHAM CLULEY. Oh, we know what he's like. He's very flirty.


PAUL ROBERTS. Oh, look, he fell asleep watching TV again.


CAROLE THERIAULT. Exactly. That's normally me, actually. Okay. Before the pandemic, though, apparently many couples still met at school, mutual friends, family, church, bars, whatever. Whatever, right? But then pandemic happened. And this is confirmed by people like Match Group, you know, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Hinge, as some of us like to call it. They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down. So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.


GRAHAM CLULEY. Of course, they can't go meet people. Of course, yes, of course it's slowed down because you can't go out.


CAROLE THERIAULT. Exactly. So I'm thinking, I'm thinking, who's, who's winning in this, right? Because there are some apps out there that are geared to more serious relationships than just the bone-in type.


GRAHAM CLULEY. Sorry, what did you say?


PAUL ROBERTS. I'm crying.


GRAHAM CLULEY. Like a bone-in radio show? What's—


CAROLE THERIAULT. Then the more one-night stands.


PAUL ROBERTS. Z-E-Z-O-N-1-N?


CAROLE THERIAULT. I wouldn't know, Paul, come on. So serious relationship websites like the Japanese Omiyae. I know I'm saying it wrong, fuck. So I even got my husband to teach me.


GRAHAM CLULEY. Sorry, is it spelled that?


PAUL ROBERTS. Or is it like Omiya Gladden or something?


GRAHAM CLULEY. What is that?


CAROLE THERIAULT. Oh no, I've got the giggles now. This is really bad. O-M-I-A. That doesn't sound—


GRAHAM CLULEY. O-M-I-A.


CAROLE THERIAULT. Okay.


PAUL ROBERTS. How do you spell it?


CAROLE THERIAULT. How do you spell it? I have the giggles. I can't stop now. O-M-I.


GRAHAM CLULEY. Is that it? O-M-I? If so, you're definitely pronouncing it incorrectly.


CAROLE THERIAULT. No. O-M-I-A-I.


GRAHAM CLULEY. Oh, O-M-I-A.


PAUL ROBERTS. O-M-I. O-M-I. OMIA.


GRAHAM CLULEY. Catchy name. They're not listening anyway, Carole, so don't worry, they're not listening.


CAROLE THERIAULT. But anyway, all I can tell you is the name connotes traditional matchmaking systems, okay, that have been going on for centuries. So the name means like look meet or look love. There's like a jeu de mots there somewhere in the OMIA. As someone described it in an app review, saying the search function is very detailed, allows you to specify preferences in various fields including nationality, education, income, and body type. So in Japan, that seems to be the 4 things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay. It focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term fling.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. 5 to 7 million people have used this and they claim they facilitate more than 50 million successful matches so far. Like, what's a successful match?


GRAHAM CLULEY. How do they know that?


CAROLE THERIAULT. Yeah, exactly. What, 3 months, 6 months, a marriage?


GRAHAM CLULEY. Do people go back to the app and say, "Yep, that one worked," or "I snookered her," or whatever?


CAROLE THERIAULT. And then they get like a £10 voucher?


GRAHAM CLULEY. No. Yeah.


PAUL ROBERTS. I like the way that they're sort of like, "Well, we're different 'cause we're trying to get people to have long-term relationships." And it's like, how much— like, is that really a new concept? I don't think it is.


CAROLE THERIAULT. Yeah, hey, it's all rebranding, dude.


PAUL ROBERTS. There are really two flavors in the dating app world, which is hookups and people who want I don't wanna have relationships. Like those are the two, that's basically the two choices.


CAROLE THERIAULT. That is, yeah. So anyway, the reason I'm talking about it is they got hacked.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. At 2 million users and most likely exposed. Okay, now they announced this on a Friday. Weren't we talking about that earlier? The Friday announcements, right? So they did this and they said that the personal data of 1.71 million users was likely to have leaked due to unauthorized access to its servers.


GRAHAM CLULEY. Oh dear.


CAROLE THERIAULT. Okay, so number one, the first thing to know is Bloomberg said the value of OMIA's shares fell almost 20%. Okay, and that is the biggest drop that company ever saw since it got listed in 2017, and they're valued around $70 million. So a big chunk of change. The parent company notified the public of the breaches, and they've put together this kind of document which I want us to look at in a second. But basically, apparently the still-unknown hackers have made away with usernames, photographs, as well as data from ID cards, driver's licenses, and passports, all of which were mandatory during the registration. And this was all for their security messaging, which we'll get to in a second. Okay.


GRAHAM CLULEY. Oh, so they, they asked for all this kind of really detailed personal information and scans of things like ID cards and passports. Passports?


CAROLE THERIAULT. To make sure that they could say, we know who you— we're validating the people.


GRAHAM CLULEY. No mischief makers. I can't create an account, call myself Gloria something or other.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. And right, unless I have Gloria's passport, right?


CAROLE THERIAULT. They've put a statement, and Paul, I'm particularly interested in your point of view here, both as a journalist and someone who lives in the States, right? And has probably read millions of these. You may have to do a little quick Google Translate depending on how good your Japanese is, 'cause I don't think I can send it to you in English.


PAUL ROBERTS. My Japanese is excellent.


CAROLE THERIAULT. Okay, well good, I hope you read that in real time. So.


PAUL ROBERTS. By which I mean, Chrome did it for me.


CAROLE THERIAULT. Fantastic, okay, so this is their apology and notice regarding member information leakage due to unauthorized access. Okay, right off the bat, I'm thinking that is not from the US.


PAUL ROBERTS. Yes.


CAROLE THERIAULT. From a liability standpoint, right?


PAUL ROBERTS. Yeah, that is true, yeah, yeah, yeah.


GRAHAM CLULEY. Yeah, but I have seen press conferences before from Japanese companies after they've been hacked where the board actually go on television and do a very deep bow of apology.


CAROLE THERIAULT. I think we should adopt it.


PAUL ROBERTS. Yeah, I'd love that. I know I'm so with you.


CAROLE THERIAULT. So second paragraph, they say we deeply apologize for any inconvenience caused by our members and all concerned. So inconvenience, I think, is a little bit of a light word considering somehow my passport number has gotten snarfed along with all my other personal ID. Yes. But they say at this time they're kind of searching the web and they're saying they're not looking. Let's see, that's a really hard statement to make, right? Like, we haven't seen it be used, therefore it's not happening yet because maybe we're not looking in the right places, you know? I don't know.


GRAHAM CLULEY. So they're searching the web for exposed members, is that what you're saying?


CAROLE THERIAULT. Yeah. Are they? Are they? Are they?


GRAHAM CLULEY. Thank you, Paul. Glad you got it.


CAROLE THERIAULT. Oh, were you being dirty?


GRAHAM CLULEY. Yes, I was.


CAROLE THERIAULT. Oh, I don't get that.


GRAHAM CLULEY. I'm like totally not into that sort of thing. Don't worry, it's good that you don't. Go and get it, girl.


PAUL ROBERTS. And they're getting a lot of hits too.


CAROLE THERIAULT. We're just gonna crack on. We're cracking on, we're cracking on. So they— but like health insurance cards, passport numbers, they have this also, this ID number Japan, the numbers, car driver's license.


PAUL ROBERTS. Yeah.


CAROLE THERIAULT. So, and it says of these, about 60%, which is the majority of the total— thank you— is occupied by driver license image data. So they also have your phishing. But they—


PAUL ROBERTS. that's great. That's—


GRAHAM CLULEY. yeah.


CAROLE THERIAULT. And then they say, don't worry though, because we outsource our financial stuff, so no one got a hold of the credit card info.


PAUL ROBERTS. Yeah, well, phew. It's like, look, you can always cancel a credit card. I mean, that's not a big deal. But, you know, you can't— you can't unsee that driver's license or passport. I like the deep bow thing as well, and I would love to see Western companies do that because I think it's both deserved and would be a really welcome change from the sort of legalistic, "Regarding the incident that occurred last week regarding our members." If you were offended, we're—


GRAHAM CLULEY. Yeah.


PAUL ROBERTS. On the other hand, they do engage in what I think you guys would recognize some pretty common breach hand waving. "We have no reason to believe that any of the stolen information has been used." It's like, "We have no reason to believe that the $600 they took from your bedside drawer has been spent." Well, I think it will be spent. I think that's actually why they took it.


CAROLE THERIAULT. And check this out. So on the site, women can join for free while men have to pay about $40 a month in order for—


GRAHAM CLULEY. Sexist.


CAROLE THERIAULT. In order to use the services. Yet both parties seem to have lost their data, so.


PAUL ROBERTS. Yes.


CAROLE THERIAULT. Right? So I guess there's equality there. Now on their website, you see I give you the link there, um, in the cast.


GRAHAM CLULEY. Oh, I'm on their homepage right now. Ommi Eye, they've got— they've underlined the eye bit at the end.


CAROLE THERIAULT. But if you, if you scroll down, that they actually advertise their reasons for being safe and secure, right? They say basically there, we make various efforts so that users who want to have a serious relationship can use it safely and securely. So we only display nicknames, only the people that have passed the age confirmation, which we have, you know, checked through every single Only people who've uploaded their passport will be allowed onto the site.


PAUL ROBERTS. They're saying, you know, let me say, my first off-the-top-of-my-head impression of this site is that I am too old to use it, right? And you know what, that when I look at these faces, they all look young.


CAROLE THERIAULT. In the security section, they have this note, okay, there's a starred bit, it says the use is limited to singles and is prohibited for those who have a lover.


GRAHAM CLULEY. Don't get greedy. Don't get greedy.


UNKNOWN GUEST. That's right.


PAUL ROBERTS. That's right.


CAROLE THERIAULT. Lovers are not welcome.


GRAHAM CLULEY. If you are looking for an affair, then go to ashleymadison.com.


PAUL ROBERTS. That's true.


GRAHAM CLULEY. As careful with your data.


PAUL ROBERTS. That's right.


CAROLE THERIAULT. But they're just looking for one-night stands. That was hookup material. That wasn't love. That was an eHarmony. Isn't that the love one? eHarmony?


PAUL ROBERTS. Yes. eHarmony is the algorithmic love company.


CAROLE THERIAULT. Is it?


PAUL ROBERTS. One of the things that I think is interesting is the cost of collecting and retaining this data. You applaud them for their sincere efforts to verify the actual identity of all their applicants, but you wonder, having verified that identity, why are you holding onto this data? Because it's like the 30,000-gallon tank of spent diesel fuel in the back of your lot. If it just sits there long enough, something bad's gonna happen.


GRAHAM CLULEY. Or the crate of mature Stilton, which I have in my living room.


PAUL ROBERTS. Or the crate of mature Stilton. Right.


UNKNOWN GUEST. It—


PAUL ROBERTS. there is a risk to holding onto it. And the risk is that it's going to leak. And I wouldn't want to know what that crate of Stilton would look like if it were to leak. But I'm guessing it would be an ugly scene.


CAROLE THERIAULT. Delicious.


PAUL ROBERTS. An ugly and smelly scene.


CAROLE THERIAULT. I'd eat it. Yummy. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest. Think of KnowBe4 for your security training.


GRAHAM CLULEY. The perfect solution for companies of all sizes, 1Password is quick to deploy, simple to manage and fits seamlessly into your team's workflow, so you can secure your business without compromising productivity. All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices. See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised, so you can update passwords right away. Find out more and try 1Password for free for 14 days at 1password.com.


CAROLE THERIAULT. According to the OneLogin I Am OK mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic. In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected. And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone. Smashing Security listeners are invited to attend their live event on Wednesday, May 26th, for free. It's called Keeping the Mind Clear and the Company Secure. Learn more at smashingsecurity.com. Smashingsecurity.com/1loginiamokay. That's smashingsecurity.com/1loginiamokay. And thanks to OneLogin for supporting the show.


GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


PAUL ROBERTS. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. I have, over the last few days, watched a TV program on the old television, in fact, on BBC iPlayer, and it is an adaptation of a book by Nancy Mitford called The Pursuit of Love.


CAROLE THERIAULT. Are you freaking kidding me?


GRAHAM CLULEY. No, I am not. Why, have you chosen that as well?


CAROLE THERIAULT. No, but, you know, I'm surprised you're— Is this a book you're doing?


GRAHAM CLULEY. No, I'm not doing a book. I'm doing the TV version. Oh, right, okay.


CAROLE THERIAULT. I was just gonna say, 'cause it's a beautiful book, listeners. Anyone who likes to read. I just didn't believe you were reading a book like that.


GRAHAM CLULEY. No, I have not.


CAROLE THERIAULT. But if you'd like it, it's good.


GRAHAM CLULEY. Carole? I've seen the TV version.


CAROLE THERIAULT. Oh, right. Who needs the book?


GRAHAM CLULEY. And I really, really liked it because it was funny and crazy. And I'll tell you some of the people who star in it. We got Lily James, Dominic West, Andrew Scott, who was Moriarty. He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters. And Emily Mortimer, the actress, also directs, and she wrote the adaptation as well of The Pursuit of Love. And it's really very entertaining. I wasn't quite sure what to expect when I started it, but I thought, oh, this is a lot of fun, and I greatly enjoyed it. And I was reading an interview with Emily Mortimer where she said it was partly based, or at least inspired by, that Marie Antoinette movie from a few years ago, which had modern bits and period bits, but modern music and all the rest of it. It's cut very well.


CAROLE THERIAULT. What's this play? Where did you see this?


GRAHAM CLULEY. On the BBC website.


CAROLE THERIAULT. Oh, on the BBC.


GRAHAM CLULEY. Yes, on the BBC. On the BBC, darling. Yes, on the BBC.


CAROLE THERIAULT. Brilliant.


GRAHAM CLULEY. Anyway, so my recommendation, my pick of the week this week is The Pursuit of Love on BBC iPlayer. I think you'll rather enjoy it. Paul, what's your pick of the week?


PAUL ROBERTS. I have, you know, I feel like the dinner guest who you invite and, you know, he just ends up talking about like environmental pollution or crime or something and just brings the whole party down.


CAROLE THERIAULT. Fun, so fun.


PAUL ROBERTS. I have a cybersecurity story that I grabbed from, um, MIT Technology Review called Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms. And it's by Renee Dudley and Daniel Golden. This is one of those stories that I didn't write, but I kind of wish I wrote. First of all, it profiled the work of this group called the Ransomware Hunting Team that is, um, kind of a volunteer group that helps ransomware victims get free of the ransomware and kind of works behind the scenes. Really interesting looking at that. It's also interesting because it talks a little bit about some of the ethical quandaries that cybersecurity firms face when they look to both call attention to their wares and their technical expertise, but also in the process might actually do a favor for some of the cyber criminal groups that they are actually working against.


GRAHAM CLULEY. So in this case, a bit of a tip-off.


PAUL ROBERTS. In this case, a cybersecurity firm developed a decryptor for some ransomware used by the DarkSide group and basically blasted out to the world that they had a decryptor and that DarkSide's ransomware was reusing RSA keys. And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did, and then thanked the cybersecurity firm for phishing them off. So there was a— there's a big discussion in this article just about that dynamic. What, what is the moral responsibility of cybersecurity companies? And is there a right way to do this?


GRAHAM CLULEY. So I read this article. It's an interesting security article. Yeah, I'm afraid it is.


PAUL ROBERTS. I'm really sorry.


GRAHAM CLULEY. But that's all right.


PAUL ROBERTS. Will you ever forgive me?


CAROLE THERIAULT. No.


GRAHAM CLULEY. But basically, I was thinking you're kind of damned either way, aren't you? Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption.


PAUL ROBERTS. Yes.


GRAHAM CLULEY. You know, it's, you know, I have some sympathy with the security firm.


PAUL ROBERTS. Yes. This gets in. I mean, there are often issues that come up. You know, did Franklin Roosevelt know about Pearl Harbor but didn't do anything because he knew that then the US would be able to get into the I mean, these type of ethical quandaries come up all the time. And in the cybersecurity ransomware world, they come up all the time as well. The big problem that this article raised, and this is a sort of structural problem, is that the traditional people we look to to address these problems, like the FBI or Scotland Yard, are way behind even volunteer groups like this ransomware hunting team in actually being able to intercede and help companies. I wrote an article for Security Ledger years ago, like 2014, based on a presentation I had seen in Boston by the head of the Boston FBI, where he basically told an audience, if you get infected with ransomware, just pay the ransom because we can't help you. The encryption's too good. We don't have the technical expertise to decrypt this stuff. So just pay the ransom. We can't spin straw into gold. We don't have the ability to do this. Behind the bad guys in terms of our technical expertise and our ability to fight back.


GRAHAM CLULEY. So this article is your pick of the week this week. And if people want to hear more about the arguments back and forth, they can go and check it out. Carole, what's your pick of the week, brackets, not security related, close brackets.


CAROLE THERIAULT. It's very, very not security related. And my pick of the week is not an audio drama, but it's an app.


UNKNOWN GUEST. Marvelous.


CAROLE THERIAULT. Okay. To help you take better pictures. Well, if you used to take pictures with an old camera and you miss the flexibility of that, but you don't really want to carry around a DSLR all the time. And it's called Obscura. Basically, Apple has a very good native app, but it's highly automated, right? And to some people, people that might be used to taking pictures with old cameras, it can feel a bit like a digital straitjacket because you don't have any manual control over the images. I mean, it's been getting better. I'm not saying it's the worst, but I'm just saying for a However, you can get Obscura, which I really like. You get full control over the key camera settings. The UI is very nice, easy to kind of intuit and clear, speedy, and it's got great haptic feedback. And it also can read different picture formats. So JPEGs, but also the Apple HEIC and the RAWs and all those things. And it works in landscape and portrait and has loads of filters, which I haven't, I'm not really into filters, but if you are into that, there's tons of them. And it's just a really cool app. And I think well worth the money. So if you're into—


GRAHAM CLULEY. Are you now using this as your default camera app?


CAROLE THERIAULT. I'm learning. I have to get the memory muscle to work, right? Because I keep kind of going, oh, that's amazing. And then I take it and I'm like, oh God, why can't I get? And I'm like, no, no, just go to the other app and then fix the exposure and I'll get a much better pic. So it's worth it. So the app is called Obscura and it's my pick of the week.


GRAHAM CLULEY. Oh, bless. Now, Carole, you've been speaking to Javvad Malik from KnowBe4 this week.


CAROLE THERIAULT. Yes, we had a very amazing chat, and what a great guest. So take a listen. This is Javvad. All right, we're here with someone who has actually been a guest host on Smashing Security before. That's Javvad Malik. He is a security awareness advocate at KnowBe4. Welcome, Javvad.


UNKNOWN GUEST. Thank you so much, Carole. Thank you for having me.


CAROLE THERIAULT. You are sitting now in the throne. This is like the featured interview, so we're kind of celebrating you and KnowBe4 in this.


UNKNOWN GUEST. I know, I feel very honored and, you know, I could get used to this. This throne is quite comfortable.


CAROLE THERIAULT. Javvad, you do a lot of things. So on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast, you're a popular vlogger and blogger, you do events, you're basically an all-round security pundit. Would that be fair?


UNKNOWN GUEST. Yes, that's right. Um, when I try to sound cool, uh, I, I say I'm— think of like The Rock, who's multi-talented in every facet, like wrestling, movies, business ventures. That's what I aspire to be in the security world.


CAROLE THERIAULT. I don't think you need to aspire. I think you've already reached many of those dizzying


UNKNOWN GUEST. Oh, you're very kind.


CAROLE THERIAULT. Well, look, now we are here to talk about KnowBe4. So can you tell us a little bit about the company and what KnowBe4 does?


UNKNOWN GUEST. So KnowBe4 is focused on the human. You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff. And the majority of times we're focusing on the technical layers, which are very important. But what KnowBe4 focuses exclusively on is the human layer within that. So people, they make mistakes and/or they can be fooled. And criminals, they, you know, if, you know, breaking into an organization technically directly is quite difficult these days. So a favored technique is to just go after the user. So whether that be a phishing email, or sending them a USB drive to plug in, or phoning them up and pretending to be someone and getting them to do something that's not in their best interest. That is the preferred method that a lot of criminals break into organizations. I mean, even if you look at a lot of these threat intelligence reports that track nation-states or organized criminal gangs, the majority of the time, point of entry is through phishing emails. So what we do at KnowBe4 is we help try to strengthen the humans. We give them security awareness and training, help them practice in a safe environment by sending them simulated phishing emails. And then there's a whole ton of awareness content on the back of it in the form of videos and games and all the other material like posters and what have you, just to help people, you know, just remember what's important and what to do if they suspect anything to be a bit malicious.


CAROLE THERIAULT. Maybe you can tell us about it from the point of view of someone who might be interested in running these phishing simulations. They come across your name, how does it work?


UNKNOWN GUEST. The product is really self-service. It's highly automated. So if you're a customer or even if not, you can sign up to a free phishing test on our website. You go to knowbe4.com/freetest and you can sign up there. And what you'll see is that there's like thousands of templates there. And these are in like different languages. They're bundled into different categories. So if you want, hey, let's do a social media type one. So you can say, okay, let's send our users a LinkedIn phishing template because that's quite a popular one in the work area. You can tailor it to be, you know, more specific or more generic. And, you know, it goes off to all the users that you specify. And the great thing about the platform is that it can randomize the time it sends them out. So it's not like everyone in the office gets the exact same template at the exact same time, because you then get the meerkat kind of response where one person gets it, he looks up, and they look around and say, "Hey, has anyone else got this?" And everyone's like, "Yes, we got this." And then it kind of defeats the purpose of the test.


GRAHAM CLULEY. So—


CAROLE THERIAULT. It reminds me of the mass mailers of the late—


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. The early noughties.


UNKNOWN GUEST. Yeah, exactly. So you can actually send different templates to different groups of people or different individuals and at different times. So it staggers them out. And then what you can do, you can see how many people have opened the email, how many people have clicked through on a link or whatever the payload might be. It might be a link, it might be a, hey, enter your credentials here, it might be reply or whatever that is. And then also you can see how many people have reported it to your security team. So whether that's an internal process you have, like if you receive a suspicious email, forward it to the security team, or you can download our Phish Alert Button, or PAB for short, which is a Gmail and Outlook plugin that sits in your inbox. So if you see an email that looks suspicious, you just click the button and it takes it out of your inbox and sends it to the security team to investigate.


CAROLE THERIAULT. So basically, you're putting the IT team in the driver's seat rather than you guys doing all the decision-making on what content's included and how they're sent out. They actually get to decide themselves completely. It's almost like an autonomous effort.


UNKNOWN GUEST. Yeah, exactly, exactly.


CAROLE THERIAULT. And that's kind of cool.


UNKNOWN GUEST. Yeah, I mean, you know, it's the security teams that ultimately have the relationship, or should have the relationship, with all the users within the organization. So they're best placed to make the right decisions if they have the right relationships. And we've seen examples of where this has gone wrong, where, you know, they should have that environment where they tell people, hey, if you receive a phishing email, this is what you should do, this is what you should look out for. We're going to be doing simulation tests at this time, you know, throughout the year. And these are some of the topics that, you know, we think are inappropriate for our user base because of whatever reasons. It's when you get that wrong, people, instead of being educated in a phishing test, they end up getting annoyed.


GRAHAM CLULEY. Yeah.


UNKNOWN GUEST. What we try and do is give the people the right tools so that they can— and we offer them training and guidance on this— is like, you know, how to send, structure these campaigns so that when it goes out, people receive it with the spirit and intent that it was intended to, which is like, hey, this is a training exercise. We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which frankly anyone can make.


CAROLE THERIAULT. Because, you know, an IT team that acts like a kind of authority of punishment is not gonna get people on side in terms of security. What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk. So it's important to work with the people to see, you know, that the point of this is to get people educated and protect the firm and the individuals.


UNKNOWN GUEST. That's absolutely, that's exactly it. I mean, there was a story I read a few weeks ago, and it was Sophos Labs that published it. And there was a biomedical institute and they partner with some universities and there was some visualization tool that you could use if you were on-premise. But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that, and the license was really expensive. So what a user ended up doing, or a student, they downloaded a cracked copy, and Windows Defender threw up an alert, and so they disabled Windows Defender.


CAROLE THERIAULT. Oh.


UNKNOWN GUEST. And they then logged on and did their work, and two weeks later, the company was hit by ransomware. And this is the thing, is that people are just trying to do their job most of the time. They're trying to be helpful, and they're trying to get their work done. And technology should be there to facilitate them in doing what they do. And if it's there as a blocker, and security is no exception, security is probably, when implemented poorly, it becomes the biggest blocker. You know, if it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or expose the company to breaches.


CAROLE THERIAULT. And so this kind of test, at knowbe4.com/freetest, allows you to, I don't know, take the pulse of the company's ability to be fooled by such things.


UNKNOWN GUEST. Yeah, that's right. That's right. And we have benchmarking reports on our website as well. You can go into the resources and you can look for our benchmarking reports. And most companies, when they do their first test without training and everything, it's typically over 30% of people will click on a— will fall victim to a phishing email. Right. And that's a high percentage. That's like 1 in 3 people nearly.


CAROLE THERIAULT. That's more people than click on ads.


UNKNOWN GUEST. Yeah, exactly, exactly.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So 3 out of 10 people typically will fall for this if they've not given any previous cybersecurity training. Is that what you're saying?


UNKNOWN GUEST. That's right, that's right.


CAROLE THERIAULT. And then what kind of numbers do you see after the training has gone through? If people have gone through a few simulations, have included, you know, like having presentations and, you know, education provided in internally?


UNKNOWN GUEST. Yeah, so there's a process you need to go through. Um, you know, typically if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses and they can be short ones, but it's like less but more often is probably better. Uh, and you've run it like a proper campaign, then after 90 days even you can like halve that to about 10 to 14% of people. And if you actually carry that on for a year, that drops down to about 5%. So a significant reduction can be achieved over that period of time.


CAROLE THERIAULT. Are you surprised at the number of companies that don't take security seriously even today? I mean, I don't know, I'm in the echo chamber, right? I'm on this podcast every week. So I'm thinking, breathing and snarfling security all the time. But people who work in other industries, like say retail, finance, health, like, are they thinking about security as much as they should be, do you think?


UNKNOWN GUEST. You know, it's that age-old problem. If you take a problem to an engineer, they will reframe it as an engineering problem and they'll give you an engineering solution. If you take a problem to a security person, they're gonna reframe it as a security problem and present you with a security answer. So I think you're right. We have this bias because we are in this echo chamber as security professionals or practitioners, and other organizations and people working in other departments, they don't have that lens and they're looking at things like, hey, what's our return on investment? What's our profitability this quarter? How can we make it out of the pandemic without going bust? If you ask me from just a pure security perspective, I'm like, no, people don't pay attention. And you know, they do far too little, far too late. But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness. People are a bit more clued up, and especially from a technical perspective, like operating systems and platforms are a lot more secure than what they used to be. Security, cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there. And we see it all the time with like unsecured S3 buckets out there. It's not that the functionality doesn't exist, it's just that someone just forgot to check or didn't think to check whether this option should be ticked to private or public.


CAROLE THERIAULT. Yeah.


UNKNOWN GUEST. So, so I think it's just about making people aware and just reminding them and being that constant thing in the background. It's not something you can fix quickly. It's like any behavior change, and that's ultimately what we're going for. It's like behavior change. When we look at things like environmental awareness, growing up, there wasn't really a concept of recycling or separating out your rubbish. Throw away your rubbish. But today you walk into any corporate office or even public dustbins, there's like at least two, if not more, there's maybe five in some offices where when you go to throw away your rubbish, there's like, oh, let me separate my recyclables from my landfill and what have you. Yeah, yeah. But this is something that happened over a long period of time and raising awareness. And I think that that's the process we're going through at the moment with security awareness.


CAROLE THERIAULT. Yeah, and also, I mean, with ransomware on the rise and with the pandemic forcing people to work from home, creating almost a kind of new playground for malicious actors, I think it's important for us to understand how we are being duped, and that changes all the time because, of course, as soon as we're all aware that something can happen, we tend to be on our guard. So they change the pattern, and people like KnowBe4, for example, are paying attention to that all the time. So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.


UNKNOWN GUEST. Yeah, that's right, that's right. So our templates are constantly being updated, and then our awareness and training modules are always— there's always new content being added.


CAROLE THERIAULT. Yeah, fantastic. Listeners, if you want to try a free phishing test, check out knowbe4.com/freetest and see how safe your office is against this kind of stuff. Javvad Malik, thank you so much for coming on the show.


UNKNOWN GUEST. Oh, it's always a pleasure, Carole. Thank you so much.


GRAHAM CLULEY. Fascinating stuff. Well, that just about wraps it up for this week. Paul, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


PAUL ROBERTS. Two ways. Go to securityledger.com, and if you're interested in the right to repair stuff, I have a Substack. As every self-respecting journalist does these days, which is fighttorepair.substack.com.


GRAHAM CLULEY. Cool. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And we're also up on Reddit, so look for the Smashing Security subreddit up there. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Pocket Casts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And thanks for this week's episode to our episode sponsors, 1Password, KnowBe4, and OneLogin, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 228 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


CAROLE THERIAULT. Bye.


GRAHAM CLULEY. Bye.


PAUL ROBERTS. You guys are great. You're so smooth. It's like a well-oiled machine.


CAROLE THERIAULT. Carole Theriault here from Smashing Security. Now I have some fantastic news for you. You know how we started asking for a few more reviews? Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped. We've had our most downloaded show ever last week. How frickin' cool is that? This week I want to do a shout out to Zixis, who wrote, "Many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content. Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done." Thank you, Zixis. And also to Red Piano Roland. "Always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking. It's been a rough few months, and you guys have always been a lift to my spirits. Thank you, Graham and Carole." You are so, so welcome, Roland. Red Piano Roland. Guys, if you've got the time, please keep them coming. It is seriously making a difference in keeping us independent. Plus, it's just really, really nice to hear from you guys. Otherwise, it's just Graham, and I mean, ugh. Buckets of love.

-- TRANSCRIPT ENDS --