
229: Dating leaks, right to repair, and a stinky bishop

May 26, 2021
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
PAUL ROBERTS
Maybe for our benefit, could you describe what a Stilton cheese tastes like? Because it might add a little bit to that.
GRAHAM CLULEY
Ah, yes. So a Stilton cheese tastes a bit like, you know when you've been wearing socks for about 6 weeks nonstop and you have some kind of fungal infection?
CAROLE THERIAULT
But delicious socks, not like gross socks.
GRAHAM CLULEY
Yes. And you've maybe been walking around in some damp fields.
CAROLE THERIAULT
Nice fields, beautiful fields. With flowers and stuff.
PAUL ROBERTS
Just in your socks, just no shoes. Exactly. Just walking in the socks on the ground.
CAROLE THERIAULT
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
GRAHAM CLULEY
And then you put them in the airing cupboard or the microwave for a few minutes. And it's, oh, it's very, oh my goodness, it's quite, oh.
CAROLE THERIAULT
It's fricking delicious.
Unknown
Smashing Security, Episode 229: Dating Leaks, Rights to Repair, and a Stinky Bishop with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 229. My name's Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we are joined this week by a special guest, someone who hasn't been on the show before. It's Paul Roberts from The Security Ledger. Hello, Paul.
PAUL ROBERTS
Hey, Graham. Hey, Carole. How are you?
CAROLE THERIAULT
Good. It's been a long time, Paul.
PAUL ROBERTS
It has indeed. Years, years since we've seen each other.
GRAHAM CLULEY
I think decades, actually.
CAROLE THERIAULT
I'm actually embarrassed you haven't been on the show before.
PAUL ROBERTS
Well, don't be.
GRAHAM CLULEY
We might be embarrassed after the show's recorded as well that he's been on the show. Let's put it that way.
CAROLE THERIAULT
That's true. Let's see what happens.
PAUL ROBERTS
This could be a disaster.
CAROLE THERIAULT
Paul, for our listeners that don't know you, what can you tell them? What do they need to know about you?
PAUL ROBERTS
I'm the editor-in-chief and publisher of the Security Ledger, securityledger.com, which is a cybersecurity news website since 2012.

And I'm the founder of securerepairs.org, which is a group of security and information technology professionals who support the right to repair.
CAROLE THERIAULT
Okay, so all we need now is to thank this week's sponsors, 1Password, 1Login, and KnowBe4. Their support helps us give you the show for free.

Coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about cheese.
CAROLE THERIAULT
Whoa, got bored of cyber? Okay. And Paul, what about you?
PAUL ROBERTS
I'm going to be talking about the right to repair and cybersecurity.
CAROLE THERIAULT
Super. And I'm going to be looking for love in Japan. Plus, we have an interview with Javvad Malik from KnowBe4. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, do you have a secret stash? Do you have a secret stash, Carole?
CAROLE THERIAULT
I have many things, yes. Paul?
PAUL ROBERTS
Yeah, I absolutely do.
GRAHAM CLULEY
Yeah? What sort of stash do you have?
CAROLE THERIAULT
None of your fucking business. Come on.
PAUL ROBERTS
Exactly, Graham. If I were to tell you, then it wouldn't be a secret anymore, would it?
GRAHAM CLULEY
Very true.

Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, creeping tippy-toe down the stairs, opening the fridge, and hallelujah!

There, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies: some stinky cheese.
CAROLE THERIAULT
No, in the middle of the night?
GRAHAM CLULEY
No.
CAROLE THERIAULT
You know what, I've always wanted to be one of those people. When I was a kid, I used to obsess about being able to do that when I was older.

I could go down to the fridge, no one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.
PAUL ROBERTS
I often have cravings just before bed, but I really try and resist them. But I must say, Graham, I have never craved cheese.
GRAHAM CLULEY
A soft little one like a French brie, something hard like a cheddar.
PAUL ROBERTS
You're selling it. The way you say it, I feel like I should be eating cheese before bed.
CAROLE THERIAULT
Yeah, do you have a cheese platter in your fridge already for your 4 o'clock munchies?
GRAHAM CLULEY
With my Jacob's cream crackers at hand and my pickles.
CAROLE THERIAULT
Your chutneys.
GRAHAM CLULEY
Here's the thing. Here's the thing. Cheese is my crack cocaine. I'm not being flippant. Scientists at the University of Michigan, which is in the United States of America. They say—
Unknown
What are you being local? What?
CAROLE THERIAULT
Michigan, isn't it? Michigan.
PAUL ROBERTS
It's Michigan.
CAROLE THERIAULT
What's the Michigan?
PAUL ROBERTS
It sounds like—
CAROLE THERIAULT
Gloucestershire. That's what you just did.
PAUL ROBERTS
Not McChicken.
CAROLE THERIAULT
Yeah, not McChicken.
PAUL ROBERTS
That is something different.
GRAHAM CLULEY
Anyway, those boffins, they say that cheese triggers a part of the brain in a similar way to addictive illegal drugs. So, I thought it would be fun if we could play a little game.

I am going to give you a name, and you, you are the contestants, Paul and Carole. You have to tell me if it is a cheese or something else narcotic. Okay?

Are you ready to play the game?
CAROLE THERIAULT
I might—
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I don't know if I'm going to be good or bad?
Unknown
Cheese or wheeze?
GRAHAM CLULEY
Let's decide.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I am ready.
PAUL ROBERTS
I was born to play this game.
GRAHAM CLULEY
Stinky Bishop. Stinky Bishop.
CAROLE THERIAULT
Cheese.
GRAHAM CLULEY
Cheese. Paul.
PAUL ROBERTS
I'm gonna say that's cheese, yeah. Yeah, sure.
GRAHAM CLULEY
It is a cheese. It's also an unpleasant medical condition produced since 1972 from the milk of Gloucester cattle. Has a distinctive aroma, made famous in a Wallace and Gromit movie.

Okay, next one. Poochie love. Poochie love.
CAROLE THERIAULT
That is not cheese. I don't know what illicit is. So, I'm gonna say not cheese.
PAUL ROBERTS
I'm gonna break it. I'm gonna say that is cheese.
GRAHAM CLULEY
Well, it's a strain of marijuana. The old Mary Jane.
CAROLE THERIAULT
The jazz cigarettes.
GRAHAM CLULEY
Okay, next. Dirt lover. Dirt lover.
CAROLE THERIAULT
That's gonna be not a cheese. Not a cheese.
PAUL ROBERTS
Yeah, I'm with Carole on that.
Unknown
Yeah.
GRAHAM CLULEY
Dirt Lover comes from the Green Dirt Farm in Missouri. It is a cheese covered in a layer of vegetable ash. It's also a sexual fetish, of course. Okay, next.
Unknown
Next.
GRAHAM CLULEY
Shatner's Bassoon. Shatner's Bassoon.
CAROLE THERIAULT
That is not a cheese. Ah.
PAUL ROBERTS
I feel like there's some inside knowledge here that I lack. So I'm gonna break with custom and Carole and say that is a cheese.
CAROLE THERIAULT
I swear to God, there's none.
GRAHAM CLULEY
No, Carole is right. It's a made-up drug. Fat Bottom Girl. Fat Bottom Girl.
PAUL ROBERTS
Not a cheese.
CAROLE THERIAULT
Not cheese, I agree.
GRAHAM CLULEY
It is a cheese. Oh!
CAROLE THERIAULT
From where?
GRAHAM CLULEY
From somewhere. Goes well with red wine, apparently.
CAROLE THERIAULT
I love that you do your research.
GRAHAM CLULEY
It has flavours of almonds, butter, slightly tangy sweetness. Also a song by Queen. And finally, purple monkey balls.
CAROLE THERIAULT
Definitely a cheese. My favourite cheese.
PAUL ROBERTS
Wait, what is it again?
GRAHAM CLULEY
Purple monkey balls. You're not going to get it. It's a strain of marijuana again.
Unknown
Yeah.
PAUL ROBERTS
Yeah.
CAROLE THERIAULT
Why are you talking about marijuana all the time?
GRAHAM CLULEY
Because I've explained that cheese is my type of drug.
PAUL ROBERTS
Is marijuana legal in the UK?
GRAHAM CLULEY
Oh, no, no, no, no, no. I don't have any of that sort of nonsense.
PAUL ROBERTS
Because here in Massachusetts, it is legal.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Are you constantly high?
PAUL ROBERTS
No comment.
CAROLE THERIAULT
No comment.
GRAHAM CLULEY
Well, a blue Stilton is my crystal meth. I know it's bad for me, but it's irresistible. I would sell my kid's bike.

I'd become a rent boy if I thought I could fund my love of a stinky bishop. But some people, some people aren't like me.

Some people haven't gone as deep into vice as me, and they've contented themselves with the likes of cocaine, heroin, MDMA, horse tranquillisers, that kind of thing.
CAROLE THERIAULT
Paracetamol.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
We all have our vices.
GRAHAM CLULEY
Yeah, we've all got our vices, right? Some people go to street corners to score. I go down to Waitrose and breathe in the contents of the cheese counter.
CAROLE THERIAULT
Some people do yoga, you know.
GRAHAM CLULEY
Exactly. Everyone's got their thing, right?
PAUL ROBERTS
Cheese strikes me as a very English thing.

And it's not just from the Wallace and Gromit, but I mean, of course, here in the United States, we are defined by American cheese, which if you've ever had it, that's not cheese at all.

It's barely cheese. I mean, it's mostly noticeable for being incredibly regularly square.
Unknown
No.
GRAHAM CLULEY
Well, look, I'm going to switch from cheese now. I'm going to go to—
PAUL ROBERTS
Finally.
GRAHAM CLULEY
Hard drugs, because a chap called Carl Stewart from Liverpool has been a bit of a naughty boy. He used the name Toffee Force and was up to no good on EncroChat.

Do you guys know what EncroChat is?
CAROLE THERIAULT
No.
PAUL ROBERTS
New one to me, Graham.
GRAHAM CLULEY
EncroChat is a secure encrypted messaging service which runs on modified Android phones. It promises worry-free, secure communications.

Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone?
PAUL ROBERTS
Celebrities.
CAROLE THERIAULT
Elon Musk.
GRAHAM CLULEY
Well, it's criminals. Yes, of course.
CAROLE THERIAULT
Oh, right.
GRAHAM CLULEY
It is criminals.
CAROLE THERIAULT
Sorry, Elon.
GRAHAM CLULEY
And last year, law enforcement agents across Europe, they managed to crack into EncroChat, proving that its encryption and the security wasn't quite as good as people had imagined.

And apparently it had over 60,000 users worldwide, 10,000 in the UK. And everyone thought they were safe with it, right?

They thought, I've got this special phone, I've bought it from this French company, EncroChat, and if the cops ever come knocking on my door, all I have to do is enter a 4-digit PIN onto the phone and it wipes automatically all the data from the phone.
CAROLE THERIAULT
So that was their sales point? Was that their sales pitch?
GRAHAM CLULEY
The pitch was really, these are totally secure communications.
CAROLE THERIAULT
We don't save anything, you can delete everything from your phone, no one can find it, bish bash bosh. Okay.
PAUL ROBERTS
So it wasn't just the app, it was the phone hardware itself.
GRAHAM CLULEY
It's a modified version of Android, that's right. Special phones. And this has been quite a big deal. They've arrested lots of people having cracked into EncroChat.

And they had this chap, Carl Stewart, who they suspected was supplying large amounts of Class A and Class B drugs under the name Toffifee. How could they prove this?

Well, it turned out that this chap Toffifee was a lover of Stilton cheese.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Not just any Stilton cheese, but the kind of mature blue Stilton cheese you buy at Marks & Spencer.
CAROLE THERIAULT
Which is all right. It's not the best or anything.
GRAHAM CLULEY
Well, according to that—
CAROLE THERIAULT
I'm a cheese nut. No.
GRAHAM CLULEY
Well, according to the packaging, it says delicately rich and creamy. And he, I mean, he was from Liverpool. He wasn't gonna have some glamorous exotic cheese.
CAROLE THERIAULT
He probably watched the Marks & Spencer ad. You know, it's a woman who'd go, this is not just any cheese. This is a Marks & Spencer's, blah, blah, blah.
GRAHAM CLULEY
Okay, maybe for the—
PAUL ROBERTS
I think it's not the moment.
GRAHAM CLULEY
Maybe for our benefit.
PAUL ROBERTS
Could you describe what a Stilton cheese tastes like? Because it might add a little bit to that.
GRAHAM CLULEY
Ah, yes. So Stilton cheese tastes a bit like— you know when you've been wearing socks for about 6 weeks nonstop? And you have some kind of fungal infection.
CAROLE THERIAULT
But delicious socks, not gross socks.
GRAHAM CLULEY
Yes. And you've maybe been walking around in some damp fields.
CAROLE THERIAULT
Nice fields. Beautiful fields.
PAUL ROBERTS
With flowers, just in your socks, just no shoes, just walking in the socks on the ground. Yeah.
CAROLE THERIAULT
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
GRAHAM CLULEY
Then you put them in the airing cupboard or the microwave for about— for a few minutes, and it's always very— oh my goodness, it's quite—
CAROLE THERIAULT
It's freaking delicious.
GRAHAM CLULEY
It is delicious.
CAROLE THERIAULT
Really good Stilton is like a cream because it's so— anyway, it's delicious. If you like blue cheese and you haven't had it, yeah, do it.
GRAHAM CLULEY
It's good.
PAUL ROBERTS
It's good. Okay, it sounds like a full-body experience.
CAROLE THERIAULT
You want it in a jar. That's all I'm saying. Not in a packet. In a jar. That's when it's scraped off the socks.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
It will try and infect everything else with the smell.
CAROLE THERIAULT
Yeah, your whole fridge.
GRAHAM CLULEY
It's not as bad a smell as a— is it a durian fruit, Carole?
CAROLE THERIAULT
Durian, yeah.
PAUL ROBERTS
Yes, which I've never smelled, although I have seen film of people smelling it and tasting it. I've heard it is quite decent.
GRAHAM CLULEY
I had a friend once.
Unknown
Yeah.
GRAHAM CLULEY
Who will remain nameless, who tricked me into eating a chocolate without telling me it contained durian fruit.
CAROLE THERIAULT
It's like, I came down and I was like, it's the most delicious chocolate ever. Oh my God. Oh my God.
PAUL ROBERTS
Here's one.
CAROLE THERIAULT
Gotta have it. Oh my God. It's so good. Oh my God. Graham, try it. And he just shoved it right in his face. And I just watched.
GRAHAM CLULEY
The durian fruit tastes a bit like sewage, doesn't it?
CAROLE THERIAULT
I don't know. I didn't try it.
GRAHAM CLULEY
I can tell you it does.
PAUL ROBERTS
What is the thing with durian fruit? Why are people— it's like a delicacy, particularly in Asia, I hear.
CAROLE THERIAULT
It's a delicious— I think it's a delicious texture and delicious taste, but a horrible smell if raw and improperly prepared.
GRAHAM CLULEY
I think you're not allowed to transport it on passenger airlines. Is that right?
PAUL ROBERTS
Yes, it's too smelly. What did that chocolate taste like, Graham?
GRAHAM CLULEY
I can't remember the chocolate part of it.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Anyway, back to Stilton cheese, which is nothing like durian fruit. It is a delicacy, but quite pungent. Anyway, so this chap, right? This chap called Stuart Toffee Force.

What he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand while standing in the aisle of Marks & Spencer.

And from that picture, just of his hand holding the cheese, the police were able to identify him.
CAROLE THERIAULT
Oh my— Did they magnify his fingerprints?
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Shut up!
CAROLE THERIAULT
Shut up! CSI!
PAUL ROBERTS
See, I would have thought they went back and looked at surveillance film and found the guy holding a cheese and his cell phone up.
GRAHAM CLULEY
That could have been me. That could have been me holding the cheese.
CAROLE THERIAULT
At 4 AM in the morning.
PAUL ROBERTS
That might happen hundreds of times a day in the UK, though.
GRAHAM CLULEY
So the Met Police now, they've arrested more than 60 people, many of whom have been charged with serious drug trafficking or firearms offences.

Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and 6 months in the clink.
CAROLE THERIAULT
I can't remember what he did now. All I remember is he liked cheese.
GRAHAM CLULEY
He was trafficking— He was trafficking in horse tranquilisers and heroin.
PAUL ROBERTS
And so he obviously had had a record and had prints on file with law enforcement prior to this, I guess.
GRAHAM CLULEY
Well, they'd already arrested him, so maybe they took his prints then and matched them to the ones in the evidence.
Unknown
Right.
PAUL ROBERTS
There we go.
GRAHAM CLULEY
That is a level of detail which I would expect a serious reporter like those at the Security Ledger to investigate rather than me.
CAROLE THERIAULT
Yeah, don't leave it to Graham.
GRAHAM CLULEY
Paul, what have you got for us this week? What are you here to talk about this week?
PAUL ROBERTS
Well, I'm here to talk about the right to repair.
GRAHAM CLULEY
What is a right to repair?
PAUL ROBERTS
Okay, so a right to repair is basically what it sounds like. It is a legal right, in other words, written into law, that gives you as the owner of a thing the right to repair it.

And usually what that means practically, because you'd be like, well, I can repair it.

But these days, increasingly, because everything we use basically has software on it, and also these days digital locks, right? Like DRM, digital rights management software.

Owners need more than just the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it.

If there's a part, a component on a circuit board that has burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair.

And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who get access to these tools and parts and information, then you also need to make that available to your customers, the people who own the device and basically their agents, people they might hire to do a repair.

So independent repair shops.
CAROLE THERIAULT
Hallelujah. Right. Because I honestly, it— okay. I'm sorry. I'm already on your side. Sorry, listeners, I didn't keep the tension up, but okay, carry on. I'll get on my soapbox later.
PAUL ROBERTS
So this is a really important thing, and it is something that is a little bit esoteric.

I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia, and really has a lot of people paying attention to it.

And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, "You know what?

This is not fair," or, "This is inconvenient for me," or, "This is costing me money needlessly." I want to do a repair myself.
CAROLE THERIAULT
Could I give you a situation and you could tell me how the right to repair movement might suggest I would go about it?
PAUL ROBERTS
Yes.
CAROLE THERIAULT
It happened to a friend, definitely not me.
Unknown
Okay.
CAROLE THERIAULT
But I was on my laptop, right? With a glass of very, very nice whiskey. And then my husband asked me a question and I used my hand to communicate, which I do often.
PAUL ROBERTS
F off.
CAROLE THERIAULT
Or I love you, probably.

And I spilled all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea, but it's not been working really well.

So in that situation, are you saying that that would be something I could say, look, you have to help me try and fix this?
PAUL ROBERTS
So the problem would be this, which would be you did something really common, which is spilled a liquid into your laptop keyboard.

And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly.
CAROLE THERIAULT
Moisture. Right. Yeah.
PAUL ROBERTS
Maybe there were some short circuits of components on the motherboard on the computer as the liquid seeped in.
GRAHAM CLULEY
And all the rice that's now stuck to it as well.
PAUL ROBERTS
Who knows what the rice did. So basically you want to fix your laptop and right to repair is really about what are your options as a consumer for getting that laptop fixed.
CAROLE THERIAULT
Right.
PAUL ROBERTS
And there are generally, in most things in life, there should be three, which is the manufacturer might offer to repair it or have one of their authorized or licensed repair people do it.

You can try to repair it yourself if you're technically inclined, and many people are, or you could hire an independent, in other words, non-authorized repair shop to do it.

And generally, it's your automobile, right? Your car.

If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive.

If you bring it to the corner repair shop, same thing, they'll be able to fix it, maybe slightly less expensive.

Maybe they won't use the manufacturer's OEM parts, but you'll save money.

And obviously if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market.

The way it works for many devices these days, including your MacBook, you need parts and access to information.

So the reality for many consumers today who are in your situation is they take their MacBook to the Apple Store, to the Genius Bar, and they say, mm, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage.

We don't do repairs on this. We suggest that you buy a new MacBook.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Yeah, I'm waiting to meet a real genius at the Genius Bar, honestly, 'cause I've been there a lot looking for them.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
'Cause, you know, I smart people.
PAUL ROBERTS
And when they say that, it does not mean that that is an unrepairable laptop. It just means it's a repair that the Genius Bar does not do because Apple does not allow them to do it.

Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that would require.
CAROLE THERIAULT
Right.
PAUL ROBERTS
Okay. So they would basically say, why don't you just buy a new laptop? And most people would be like, okay, I'll buy a new laptop. It costs you thousands of dollars.

It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth.

But that's the way that system's set up.

The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage.

But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, okay, Carole spilled whiskey into her laptop.

What components actually burned out?
CAROLE THERIAULT
Do I have a vacuum anywhere?
PAUL ROBERTS
What components burned out? What do we need to replace on this? What is broken exactly? And you need software to tell that to you. And Apple has a whole bunch of tools.

Tools that they don't make available to non-authorized repair people. They also don't make the parts available.

So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are.

And they don't give you access to the parts.
CAROLE THERIAULT
I'm such an Apple fangirl. I'm really feeling this right now.
PAUL ROBERTS
It isn't just Apple. So this is in one way or another, it's many device makers, though not all.

Companies like Dell and Hewlett-Packard make parts, diagnostic tools and schematics available.
CAROLE THERIAULT
They sell you ink services, like £50 a month or something.
PAUL ROBERTS
There are major computer manufacturers who are very pro-repair and have a healthy ecosystem of parts that you can buy inexpensively and access to tools and so on.
GRAHAM CLULEY
So what's the argument that these companies who aren't sort of making it easier to repair things, what's their argument for doing this?
PAUL ROBERTS
They're variations on the same argument that the car dealership would make to you to discourage you from ever going to the corner repair shop, right?

Which is our parts are superior to their parts. Their parts are going to break or cause you to get in an accident.

Our mechanics are PhDs walking around in lab coats and their repair people are grease monkeys without high school diplomas.

You know, we care about the safety and privacy of your data and those other people are probably criminals who will steal it and sell it.

So it's a bunch of kind of misleading and untrue qualitative statements about the superiority of authorized repair, but there's no data to back up any of those claims, but they make them anyway.
GRAHAM CLULEY
And what do you suspect are the real reasons why they're not doing this?
PAUL ROBERTS
So a couple things, and it depends on the company.

In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple.

You know, they make money off the Genius Bar, certainly.

However, I actually think that that's less of an issue for them than the fact that they really want to try and create a situation where the lifecycle of their phones, particularly, and iPads is as low as possible.

They want you to get a new phone every 2 to 3 years.

And if there are robust repair options that let you extend the life of your phone to 5, 7, 10 years, that has a major impact on Apple's revenue models.

For other companies, and I've written a lot about John Deere, a major US agricultural equipment maker, it seems clear that the monopoly on the aftermarket parts and service is the point.
CAROLE THERIAULT
Yeah, that's where you make your money.
PAUL ROBERTS
That's where they're making their money.

And service revenue as a percentage of their overall revenue has skyrocketed in the last 10 or 12, 15 years as they've been able to basically lock out independent repair and owners from being able to work on their own stuff.
CAROLE THERIAULT
Fun topic, Paul.
PAUL ROBERTS
Sorry.
CAROLE THERIAULT
No, no, it's an important topic. I was just kidding. I was just trying to make a little levity there.
PAUL ROBERTS
Yeah, I mean, let me tell you why I think this is really important.

Okay, so first of all, let me tell you, do you want the, this is a cybersecurity podcast, so here's the link to cybersecurity.
GRAHAM CLULEY
Right, yes. 'Cause I had plenty in my story, let me point that out.
PAUL ROBERTS
You did, yours was all cybersecurity.
GRAHAM CLULEY
Yes.
PAUL ROBERTS
Okay, so I got involved in this because I started going to fix-it clinics in and around Boston where you go and just get stuff repaired by people in your community. It's great.

Before COVID they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the Right to Repair program at US PIRG, the Public Interest Research Group.

And he was talking about the efforts to get this law passed in some of the states in the United States.

And he was saying that one of the big arguments against, one of the things that sends lawmakers screaming is cybersecurity.

That vendors, OEMs can come in and say, hackers, hacking, data theft, and people kind of run screaming.

And I knew enough to know that those arguments were almost certainly not accurate, that there wasn't really a cyber risk in repair and the types of things these laws were asking about that devices get hacked because of other problems.

Right? You know, poor configuration, vulnerable software, you name it.

And so I started this group Secure Repairs to basically say, listen, as a security community, we should speak with one voice on this and we should speak the truth about where security risks are with connected devices and where they aren't.

And we should use our influence to sort of try and bend this policy discussion in the right direction. And the right direction being the one based on facts and not fear.
CAROLE THERIAULT
Do you know what though?

If I made a cell phone and the world decided, oh my God, I need to have that, and everyone bought it, yes, I would be an absolute control freak about everything about it.
GRAHAM CLULEY
Because, oh, you're not suggesting Apple are control freaks, are you? That doesn't sound like them at all.
CAROLE THERIAULT
All I'm saying is I get it, right? Because I understand what you're saying 100%. It makes 100% sense. I agree. I agree. Ethically, morally, I agree.
PAUL ROBERTS
Yes.
CAROLE THERIAULT
But I also can recognize in me, were I the successful creator of this tiny anything that I didn't, and I thought I was so smart and no one else could possibly do as good a job as my people could, which I would, because that's the type of person I am.

I would be exactly the same and it would suck. And I would need people like you on my case.
PAUL ROBERTS
If you have a business, why would you not want a monopoly on whatever it is that you do?
CAROLE THERIAULT
Exactly.
PAUL ROBERTS
Right? Who would not want that?
CAROLE THERIAULT
What do you use, Paul?
PAUL ROBERTS
I have an Apple iPhone. It's an older model.
GRAHAM CLULEY
That's why he's hot on all this. He's peeved about every time he has to go to the Genius Bar. They won't blink and fix it. They won't replace his battery.
PAUL ROBERTS
Right.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Cluley, do you remember Yik Yak?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Can you tell our lovely listeners what about our plans on Yik Yak?
GRAHAM CLULEY
Well, many years ago, it's probably about 20 years ago.
CAROLE THERIAULT
20? I thought I put 15 in my notes.
GRAHAM CLULEY
But anyway, Carole, you, I, and our two lovely Croatian friends, we ganged up together to take on the world and create a social networking dating website thing that was going to make us a fortune.

And we called it Yik Yak.
CAROLE THERIAULT
Yep. And we bought the domains.
Unknown
Yes.
CAROLE THERIAULT
And I remember we had one meeting where we were kind of like, okay, how are we gonna parse people's choosing, right?

Like, we were making up this algorithm for ourselves, like hair color, height, right?
PAUL ROBERTS
People care about that.
CAROLE THERIAULT
And we had a meeting about discussing all this stuff. But did you ever think about whether people would just use it for hookup versus serious relationship?

Did that ever occur to you?
GRAHAM CLULEY
It never occurred to me at all that people might want to have sex. No, that's not a thought which ever crosses my mind.
CAROLE THERIAULT
Well, if we were around today, single, free and easy— Paul, you're not single and free right now, right?
PAUL ROBERTS
God, no.
CAROLE THERIAULT
Yeah, we're all married. So if we were single, we would probably be using dating apps to meet people. And the thing is, apparently the pandemic has changed online dating.

There's a shift. So it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right?

The BBC suggested that some of the changes might be here to stay even as life returns to normal, because of course this all has to do with the pandemic.

So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps.
GRAHAM CLULEY
God, how awful would that be?
CAROLE THERIAULT
I love it.
PAUL ROBERTS
I'm kind of surprised that people weren't doing that before. Are you really gonna go out and meet somebody randomly in meat space?
CAROLE THERIAULT
And someone says, once the first lockdown ended, I still preferred initially getting to know people in the virtual world before we went for drinks.

I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well.
GRAHAM CLULEY
Okay, all right.
CAROLE THERIAULT
Right, 'cause you're screening. You kind of meet someone, you're like, okay, I don't like you, but you don't have to schlep back home.
PAUL ROBERTS
Is there chemistry over Zoom though? I mean, is that a thing? Can you have chemistry with somebody over a Zoom connection?
GRAHAM CLULEY
They wouldn't be able to smell my pheromones.
CAROLE THERIAULT
I'm going to call my husband tonight. I'm going to say, go upstairs to your office. I'll call him on Zoom and I'll see if there's more flirtiness.
GRAHAM CLULEY
Oh, we know what he's like. He's very flirty.
PAUL ROBERTS
Oh, look, he fell asleep watching TV again.
CAROLE THERIAULT
Exactly. That's normally me, actually. Okay. Before the pandemic, though, apparently many couples still met at school, mutual friends, family, church, bars, whatever. Whatever, right?

But then pandemic happened.

And this is confirmed by people like Match Group, you know, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Hinge, as some of us like to call it.

They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down.

So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.
GRAHAM CLULEY
Of course, they can't go meet people. Of course, yes, of course it's slowing down because you can't go out.
CAROLE THERIAULT
Exactly. So I'm thinking, I'm thinking, who's winning in this, right? Because there are some apps out there that are geared to more serious relationships than just the bone-in type.
GRAHAM CLULEY
Sorry, what did you say?
PAUL ROBERTS
I'm crying.
GRAHAM CLULEY
Like a bone-in radio show? What's—
CAROLE THERIAULT
Then the more one-night stands.
PAUL ROBERTS
Z-E-Z-O-N-1-N?
CAROLE THERIAULT
I wouldn't know, Paul, come on. So serious relationship websites like the Japanese Omiyae. I know I'm saying it wrong, fuck. So I even got my husband to teach me.
GRAHAM CLULEY
Sorry, is it spelled that?
PAUL ROBERTS
Or is it like Omiya Gladden or something?
GRAHAM CLULEY
What is that?
CAROLE THERIAULT
Oh no, I've got the giggles now. This is really bad. O-M-I-A. That doesn't sound—
GRAHAM CLULEY
O-M-I-A.
CAROLE THERIAULT
Okay.
PAUL ROBERTS
How do you spell it?
CAROLE THERIAULT
How do you spell it? I have the giggles. I can't stop now. O-M-I.
GRAHAM CLULEY
Is that it? O-M-I? If so, you're definitely pronouncing it incorrectly.
CAROLE THERIAULT
No. O-M-I-A-I.
GRAHAM CLULEY
Oh, O-M-I-A.
PAUL ROBERTS
O-M-I. O-M-I. OMIA.
GRAHAM CLULEY
Catchy name. They're not listening anyway, Carole, so don't worry, they're not listening.
CAROLE THERIAULT
But anyway, all I can tell you is the name connotes traditional matchmaking systems, okay, that has been going on for centuries. So the name means like look meet or look love.

There's a jeu de mots there somewhere in the OMIA.

As someone described it in an app review, saying the search function is very detailed, allows you to specify preferences in various fields including nationality, education, income, and body type.

So in Japan, that seems to be the 4 things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay.

It focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term fling.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
5 to 7 million people have used this and they claim they facilitate more than 50 million successful matches so far. Like, what's a successful match?
GRAHAM CLULEY
How do they know that?
CAROLE THERIAULT
Yeah, exactly. What, 3 months, 6 months, a marriage?
GRAHAM CLULEY
Do people go back to the app and say, "Yep, that one worked," or "I snookered her," or whatever?
CAROLE THERIAULT
And then they get a £10 voucher?
GRAHAM CLULEY
No. Yeah.
PAUL ROBERTS
I like the way that they're sort of like, "Well, we're different 'cause we're trying to get people to have long-term relationships." And it's like, how much— is that really a new concept?

I don't think it is.
CAROLE THERIAULT
Yeah, hey, it's all rebranding, dude.
PAUL ROBERTS
There are really two flavors in the dating app world, which is hookups and people who want to have relationships. Those are basically the two choices.
CAROLE THERIAULT
That is, yeah. So anyway, the reason I'm talking about it is they got hacked.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
2 million users and most likely exposed. Okay, now they announced this on a Friday. Weren't we talking about that earlier? The Friday announcements, right?

So they did this and they said that the personal data of 1.71 million users was likely to have leaked due to unauthorized access to its servers.
GRAHAM CLULEY
Oh dear.
CAROLE THERIAULT
Okay, so number one, the first thing to know is Bloomberg said the value of OMIAI's shares fell almost 20%.

Okay, and that is the biggest drop that company ever saw since it got listed in 2017, and they're valued around $70 million. So a big chunk of change.

The parent company notified the public of the breaches, and they've put together this document which I want us to look at in a second.

But basically apparently the still unknown hackers have made away with usernames, photographs, as well as data from ID cards, driver's licenses, and passports, all of which were mandatory during the registration.

And this was all for their security messaging, which we'll get to in a second.
GRAHAM CLULEY
Oh, so they asked for all this really detailed personal information and scans of things like ID cards and passports? Passports?
CAROLE THERIAULT
To make sure that they could say, we know who you— we're validating the people.
GRAHAM CLULEY
No mischief makers. I can't create an account, call myself Gloria something or other.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
And right, unless I have Gloria's passport, right?
CAROLE THERIAULT
They've put a statement, and Paul, I'm particularly interested in your point of view here, both as a journalist and someone who lives in the States, right?

And has probably read millions of these.

You may have to do a little quick Google Translate depending on how good your Japanese is, 'cause I don't think I can send it to you in English.
PAUL ROBERTS
My Japanese is excellent.
CAROLE THERIAULT
Okay, well good, I hope you read that in real time. So.
PAUL ROBERTS
By which I mean, Chrome did it for me.
CAROLE THERIAULT
Fantastic, okay, so this is their apology and notice regarding member information leakage due to unauthorized access. Okay, right off the bat, I'm thinking that is not from the US.

From a liability standpoint, right?
PAUL ROBERTS
Yes.
CAROLE THERIAULT
From a liability standpoint, right?
PAUL ROBERTS
Yeah, that is true, yeah, yeah, yeah.
GRAHAM CLULEY
Yeah, but I have seen press conferences before from Japanese companies after they've been hacked where the board actually go on television and do a very deep bow of apology.
CAROLE THERIAULT
I think we should adopt it.
PAUL ROBERTS
Yeah, I'd love that. I'm so with you.
CAROLE THERIAULT
So second paragraph, the we deeply apologize for any inconvenience caused by our members and all concerned.

So inconvenience, I think, is a little bit of a light word considering you've somehow my passport number has gotten snarfed along with all my other personal ID.

But they say at this time they're searching the web and they're saying they're not looking. Let's see, that's a really hard statement to make, right?

Like, we haven't seen it be used, therefore it's not happening yet because maybe we're not looking in the right places, you know? I don't know.
GRAHAM CLULEY
So they're searching the web for exposed members, is that what you're saying?
CAROLE THERIAULT
Yeah. Are they? Are they? Are they?
GRAHAM CLULEY
Thank you, Paul. Glad you got it.
CAROLE THERIAULT
Oh, were you being dirty?
GRAHAM CLULEY
Yes, I was.
CAROLE THERIAULT
Oh, I don't get that.
GRAHAM CLULEY
I'm like totally not into that sort of thing. Don't worry, it's good that you don't. Go and get it, girl.
PAUL ROBERTS
And they're getting a lot of hits too.
CAROLE THERIAULT
We're just gonna crack on. We're cracking on, we're cracking on.

So they— but like health insurance cards, passport numbers, they have this also, this ID number Japan, the numbers, car driver's license.
PAUL ROBERTS
Yeah.
CAROLE THERIAULT
So, and it says of these, about 60%, which is the majority of the total— thank you— is occupied by driver license image data. So they also have your phishing. But they—
PAUL ROBERTS
That's great. That's—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And then they say, don't worry though, because we outsource our financial stuff, so no one got a hold of the credit card info.
PAUL ROBERTS
Yeah, well, phew. It's like, look, you can always cancel a credit card. I mean, that's not a big deal. But, you know, you can't— you can't unsee that driver's license or passport.

I like the deep bow thing as well, and I would love to see Western companies do that because I think it's both deserved and would be a really welcome change from the sort of legalistic, "Regarding the incident that occurred last week regarding our members." If you were offended, we're—
GRAHAM CLULEY
Yeah.
PAUL ROBERTS
On the other hand, they do engage in what I think you guys would recognize some pretty common breach hand waving.

"We have no reason to believe that any of the stolen information has been used." It's like, "We have no reason to believe that the $600 they took from your bedside drawer has been spent." Well, I think it will be spent.

I think that's actually why they took it.
CAROLE THERIAULT
And check this out. So on the site, women can join for free while men have to pay about $40 a month in order for—
GRAHAM CLULEY
Sexist.
CAROLE THERIAULT
In order to use the services. Yet both parties seem to have lost their data, so.
PAUL ROBERTS
Yes.
CAROLE THERIAULT
Right? So I guess there's equality there. Now on their website, you see I give you the link there in the cast.
GRAHAM CLULEY
Oh, I'm on their homepage right now. Omiai, they've got— they've underlined the eye bit at the end.
CAROLE THERIAULT
But if you, if you scroll down, that they actually advertise their reasons for being safe and secure, right?

They say basically there, we make various efforts so that users who want to have a serious relationship can use it safely and securely.

So we only display nicknames, only the people that have passed the age confirmation, which we have, you know, checked through every single.

Only people who've uploaded their passport will be allowed onto the site.
PAUL ROBERTS
They're saying, you know, let me say, my first off-the-top-of-my-head impression of this site is that I am too old to use it, right?

And you know what, that when I look at these faces, they all look young.
CAROLE THERIAULT
In the security section, they have this note, okay, there's a starred bit, it says the use is limited to singles and is prohibited for those who have a lover.
GRAHAM CLULEY
Don't get greedy. Don't get greedy.
Unknown
That's right.
PAUL ROBERTS
That's right.
CAROLE THERIAULT
Lovers are not welcome.
GRAHAM CLULEY
If you are looking for an affair, then go to ashleymadison.com.
PAUL ROBERTS
That's true.
GRAHAM CLULEY
Be as careful with your data.
PAUL ROBERTS
That's right.
CAROLE THERIAULT
But they're just looking for one-night stands. That was hookup material. That wasn't love. That was an eHarmony. Isn't that the love one? eHarmony?
PAUL ROBERTS
Yes. eHarmony is the algorithmic love company.
CAROLE THERIAULT
Is it?
PAUL ROBERTS
One of the things that I think is interesting is the cost of collecting and retaining this data.

You applaud them for their sincere efforts to verify the actual identity of all their applicants, but you wonder, having verified that identity, why are you holding onto this data?

Because it's like the 30,000-gallon tank of spent diesel fuel in the back of your lot. If it just sits there long enough, something bad's gonna happen.
GRAHAM CLULEY
Or the crate of mature Stilton, which I have in my living room.
PAUL ROBERTS
Or the crate of mature Stilton. Right.
Unknown
It—
PAUL ROBERTS
There is a risk to holding onto it. And the risk is that it's going to leak. And I wouldn't want to know what that crate of Stilton would look like if it were to leak.

But I'm guessing it would be an ugly scene.
CAROLE THERIAULT
Delicious.
PAUL ROBERTS
An ugly and smelly scene.
CAROLE THERIAULT
I'd eat it. Yummy. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. An artist.

In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised.

Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions.

And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform.

See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest.

Think of KnowBe4 for your security training.
GRAHAM CLULEY
The perfect solution for companies of all sizes, 1Password is quick to deploy, simple to manage and fits seamlessly into your team's workflow, so you can secure your business without compromising productivity.

All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices.

See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised, so you can update passwords right away.

Find out more and try 1Password for free for 14 days at 1password.com.
CAROLE THERIAULT
According to the OneLogin I Am OK mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.

In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.

And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.

Smashing Security listeners are invited to attend their live event on Wednesday, May 26th, for free. It's called Keeping the Mind Clear and the Company Secure.

Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show.
GRAHAM CLULEY
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
PAUL ROBERTS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related.

I have, over the last few days, watched a TV program on the old television, in fact, on BBC iPlayer, and it is an adaptation of a book by Nancy Mitford called The Pursuit of Love.
CAROLE THERIAULT
Are you freaking kidding me?
GRAHAM CLULEY
No, I am not. Why, have you chosen that as well?
CAROLE THERIAULT
No, but, you know, I'm surprised you're— Is this a book you're doing?
GRAHAM CLULEY
No, I'm not doing a book. I'm doing the TV version. Oh, right, okay.
CAROLE THERIAULT
I was just gonna say, 'cause it's a beautiful book, listeners. Anyone who likes to read. I just didn't believe you were reading a book like that.
GRAHAM CLULEY
No, I have not.
CAROLE THERIAULT
But if you'd like it, it's good.
GRAHAM CLULEY
Carole? I've seen the TV version.
CAROLE THERIAULT
Oh, right. Who needs the book?
GRAHAM CLULEY
And I really, really liked it because it was funny and crazy. And I'll tell you some of the people who star in it. We got Lily James, Dominic West, Andrew Scott, who was Moriarty.

He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters.

And Emily Mortimer, the actress, also directs, and she wrote the adaptation as well of The Pursuit of Love. And it's really very entertaining.

I wasn't quite sure what to expect when I started it, but I thought, oh, this is a lot of fun, and I greatly enjoyed it.

And I was reading an interview with Emily Mortimer where she said it was partly based, or at least inspired by, that Marie Antoinette movie from a few years ago, which had modern bits and period bits, but modern music and all the rest of it.

It's cut very well.
CAROLE THERIAULT
What's this play? Where did you see this?
GRAHAM CLULEY
On the BBC website.
CAROLE THERIAULT
Oh, on the BBC.
GRAHAM CLULEY
Yes, on the BBC. On the BBC, darling. Yes, on the BBC.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
Anyway, so my recommendation, my pick of the week this week is The Pursuit of Love on BBC iPlayer. I think you'll rather enjoy it. Paul, what's your pick of the week?
PAUL ROBERTS
I have, you know, I feel like the dinner guest who you invite and, you know, he just ends up talking about environmental pollution or crime or something and just brings the whole party down.
CAROLE THERIAULT
Fun, so fun.
PAUL ROBERTS
I have a cybersecurity story that I grabbed from MIT Technology Review called Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms.

And it's by Renee Dudley and Daniel Golden. This is one of those stories that I didn't write, but I kind of wish I wrote.

First of all, it profiled the work of this group called the Ransomware Hunting Team that is a volunteer group that helps ransomware victims get free of the ransomware and kind of works behind the scenes.

Really interesting looking at that.

It's also interesting because it talks a little bit about some of the ethical quandaries that cybersecurity firms face when they look to both call attention to their wares and their technical expertise, but also in the process might actually do a favor for some of the cyber criminal groups that they are actually working against.
GRAHAM CLULEY
So in this case, a bit of a tip-off.
PAUL ROBERTS
In this case, a cybersecurity firm developed a decryptor for some ransomware used by the DarkSide group and basically blasted out to the world that they had a decryptor and that DarkSide's ransomware was reusing RSA keys.

And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did, and then thanked the cybersecurity firm for ticking them off.

So there was a big discussion in this article just about that dynamic. What is the moral responsibility of cybersecurity companies? And is there a right way to do this?
GRAHAM CLULEY
So I read this article. It's an interesting security article. Yeah, I'm afraid it is.
PAUL ROBERTS
I'm really sorry.
GRAHAM CLULEY
But that's all right.
PAUL ROBERTS
Will you ever forgive me?
CAROLE THERIAULT
No.
GRAHAM CLULEY
But basically, I was thinking you're kind of damned either way, aren't you?

Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption.
PAUL ROBERTS
Yes.
GRAHAM CLULEY
You know, I have some sympathy with the security firm.
PAUL ROBERTS
Yes. This gets in. I mean, there are often issues that come up.

You know, did Franklin Roosevelt know about Pearl Harbor but didn't do anything because he knew that then the US would be able to get into the— I mean, these type of ethical quandaries come up all the time.

And in the cybersecurity ransomware world, they come up all the time as well.

The big problem that this article raised, and this is a sort of structural problem, is that the traditional people we look to to address these problems, like the FBI or Scotland Yard, are way behind even volunteer groups like this ransomware hunting team in actually being able to intercede and help companies.

I wrote an article for Security Ledger years ago, in 2014, based on a presentation I had seen in Boston by the head of the Boston FBI, where he basically told an audience, if you get infected with ransomware, just pay the ransom because we can't help you.

The encryption's too good. We don't have the technical expertise to decrypt this stuff. So just pay the ransom. We can't spin straw into gold.

We don't have the ability to do this— behind the bad guys in terms of our technical expertise and our ability to fight back.
GRAHAM CLULEY
So this article is your pick of the week this week. And if people want to hear more about the arguments back and forth, they can go and check it out.

Carole, what's your pick of the week, brackets, not security related, close brackets.
CAROLE THERIAULT
It's very, very not security related. And my pick of the week is not an audio drama, but it's an app.
Unknown
Marvelous.
CAROLE THERIAULT
Okay, to help you take better pictures.

Well, if you used to take pictures with an old camera and you miss the flexibility of that, but you don't really want to carry around a DSLR all the time. And it's called Obscura.

Basically, Apple has a very good native app, but it's highly automated, right?

And to some people that might be used to taking pictures with old cameras, it can feel a bit like a digital straitjacket because you don't have any manual control over the images.

I mean, it's been getting better. I'm not saying it's the worst, but I'm just saying for a— However, you can get Obscura, which I really like.

You get full control over the key camera settings. The UI is very nice, easy to kind of intuit and clear, speedy, and it's got great haptic feedback.

And it also can read different picture formats. So JPEGs, but also the Apple HEIC and the RAWs and all those things. And it works in landscape portrait and has loads of filters.

Filters, which I haven't, I'm not really into filters, but if you are into that, there's tons of them. And it's just a really cool app. And I think well worth the money.

So if you're into—
GRAHAM CLULEY
Are you now using this as your default camera app?
CAROLE THERIAULT
I'm learning. I have to get the memory muscle to work, right? Because I keep kind of going, oh, that's amazing. And then I take it and I'm like, oh God, why can't I get?

And I'm like, no, no, just go to the other app and then fix the exposure and I'll get a much better pic. So it's worth it. So the app is called Obscura and it's my pick of the week.
GRAHAM CLULEY
Oh, bless. Now, Carole, you've been speaking to Javvad Malik from KnowBe4 this week.
CAROLE THERIAULT
Yes, we had a very amazing chat, and what a great guest. So take a listen. This is Javvad.

All right, we're here with someone who has actually been a guest host on Smashing Security before. That's Javvad Malik. He is a security awareness advocate at KnowBe4.

Welcome, Javvad.
Unknown
Thank you so much, Carole. Thank you for having me.
CAROLE THERIAULT
You are sitting now in the throne. This is like the featured interview, so we're kind of celebrating you and KnowBe4 in this.
Unknown
I know, I feel very honored and, you know, I could get used to this. This throne is quite comfortable.
CAROLE THERIAULT
Javvad, you do a lot of things.

So on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast, you're a popular vlogger and blogger, you do events, you're basically an all-round security pundit.

Would that be fair?
Unknown
Yes, that's right. When I try to sound cool, I say I'm— think of like The Rock, who's multi-talented in every facet, like wrestling, movies, business ventures.

That's what I aspire to be in the security world.
CAROLE THERIAULT
I don't think you need to aspire. I think you've already reached many of those dizzying— Oh, you're very kind. Well, look, now we are here to talk about KnowBe4.

So can you tell us a little bit about the company and what KnowBe4 does?
Unknown
So KnowBe4 is focused on the human.

You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff.

And majority of times we're focusing on the technical layers, which are very important. But what KnowBe4 focuses exclusively on is the human layer within that.

So people, they make mistakes and/or they can be fooled. And criminals, they, you know, if breaking into an organization technically directly is quite difficult these days.

So it's a favored technique is to just go after the user.

So whether that be a phishing email, of sending them a USB or drive to plug in or phoning them up and pretending to be someone and getting them to do something that's not in their best interest.

That is the preferred method that a lot of criminals break into organizations.

I mean, even if you look at a lot of these threat intelligence reports that track nation-states or organized criminal gangs, the majority of the time, point of entry is through phishing emails.

So what we do at KnowBe4 is we help try to strengthen the humans.

We give them security awareness and training, help them practice in a safe environment by sending them simulated phishing emails.

And then there's a whole ton of awareness content on the back of it in the form of videos and games and all the other material like posters and what have you, just to help people, you know, just remember what's important and what to do if they suspect anything to be a bit malicious.
CAROLE THERIAULT
Maybe you can tell us about it from the point of view of someone who might be interested in running these phishing simulations. They come across your name, how does it work?
Unknown
Product is really self-service. It's highly automated. So if you're a customer or even if not, you can sign up to a free phishing test on our website.

You go to knowbe4.com/freetest and you can sign up there. And what you'll see is that there's thousands of templates there. And these are in different languages.

They're bundled into different categories. So if you want, hey, let's do social media type one.

So you can say, okay, let's send our users a LinkedIn phishing template because that's quite a popular one in the work area.

You can tailor it to be, you know, more specific or more generic. And, you know, it goes off to all the users that you specify.

And the great thing about the platform is that it can randomize the time it sends them out.

So it's not like everyone in the office gets the exact same template at the exact same time, because you then get the meerkat kind of response where one person gets it, he looks up, and they look around and say, "Hey, has anyone else got this?" And everyone's "Yes, we got this." And then it kind of defeats the purpose of the test.
GRAHAM CLULEY
So—
CAROLE THERIAULT
It reminds me of the mass mailers of the late—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
The early noughties.
Unknown
Yeah, exactly. So you can actually send different templates to different groups of people or different individuals and at different times. So it staggers them out.

And then what you can do, you can see how many people have opened the email, how many people have clicked through on a link or whatever the payload might be.

It might be a link, it might be a, hey, enter your credentials here, it might be reply or whatever that is.

And then also you can see how many people have reported it to your security team.

So whether that's an internal process you have, if you receive a suspicious email, forward it to the security team, or you can download our Phish Alert button, or PAB for short, which is a Gmail and Outlook plugin that sits in your inbox.

So if you see an email that looks suspicious, you just click the button and it takes it out of your inbox and sends it to the security team to investigate.
CAROLE THERIAULT
So basically, you're putting the IT team in the driver's seat rather than you guys doing all the decision-making on what content's included and how they're sent out.

They actually get to decide themselves completely. It's almost like an autonomous effort.
Unknown
Yeah, exactly, exactly.
CAROLE THERIAULT
And that's kind of cool.
Unknown
Yeah, I mean, you know, it's the security teams that ultimately have the relationship, or should have the relationship, with all the users within the organization.

So they're best placed to make the right decisions if they have the right relationships.

And we've seen examples of where this has gone wrong, where they should have that environment where they tell people, hey, if you receive phishing email, this is what you should do, this is what you should look out for.

We're going to be doing simulation tests at this time throughout the year.

And these are some of the topics that we think are inappropriate for our user base because of whatever reasons.

It's when you get that wrong, people, instead of being educated in a phishing test, they end up getting annoyed.
GRAHAM CLULEY
Yeah.
Unknown
What we try and do is give the people the right tools so that they can— and we offer them training and guidance on this— is how to send, structure these campaigns so that when it goes out, people receive it with this spirit and intent that it was intended to, which is, hey, this is a training exercise.

We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which frankly anyone can make.
CAROLE THERIAULT
Because, you know, an IT team that act like a kind of authority of punishment is not gonna get people on side in terms of security.

What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk.

So it's important to work with the people to see that the point of this is to get people educated and protect the firm and the individuals.
Unknown
That's absolutely, that's exactly it. I mean, there was a story I read a few weeks ago and it was on Sophos Labs published it.

And there was a biomedical institute and they partner with some universities and there was some visualization tool that you could use if you were on-premise.

But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that, and the license was really expensive.

So what a user ended up doing, or a student, they downloaded a cracked copy, and Windows Defender threw up an alert, and so they disabled Windows Defender.
CAROLE THERIAULT
Oh.
Unknown
And they then logged on and did their work, and two weeks later, the company was hit by ransomware.

And this is the thing, is that people are just trying to do their job most of the time. They're trying to be helpful, and they're trying to get their work done.

And technology should be there to facilitate them in doing what they do.

And if it's there as a blocker, and security is no exception, security is probably, when implemented poorly, it becomes the biggest blocker.

If it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or exposes the company to breaches.
CAROLE THERIAULT
So this kind of test, at knowbe4.com/freetest, allows you to, I don't know, take a pulse of the company's ability to be fooled by such things.
JAVVAD MALIK
Yeah, that's right. That's right. And we have benchmarking reports on our website as well. You can go into the resources and you can look for our benchmarking reports.

And most companies, when they do their first test without training and everything, it's typically over 30% of people will click on a— will fall victim to a phishing email. Right.

And that's a high percentage. That's like 1 in 3 people nearly.
CAROLE THERIAULT
That's more people than click on ads.
JAVVAD MALIK
Yeah, exactly, exactly.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So 3 out of 10 people typically will fall for this if they've not been given any previous cybersecurity training. Is that what you're saying?
JAVVAD MALIK
That's right, that's right.
CAROLE THERIAULT
And then what kind of numbers do you see after the training has gone through?

If people have gone through a few simulations, have included, you know, presentations and education provided internally?
JAVVAD MALIK
Yeah, so there's a process you need to go through.

You know, typically if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses and they can be short ones, but it's less but more often is probably better.

And you've run it like a proper campaign, then after 90 days even you can halve that to about 10 to 14% of people.

And if you actually carry that on for a year, that drops down to about 5%. So a significant reduction can be achieved over that period of time.
CAROLE THERIAULT
Are you surprised at the number of companies that don't take security seriously even today? I mean, I don't know, I'm in the echo chamber, right? I'm on this podcast every week.

So I'm thinking and breathing and snarfling security all the time.

But people who work in other industries, say retail, finance, health, are they thinking about security as much as they should be, do you think?
JAVVAD MALIK
You know, it's that age-old problem. If you take a problem to an engineer, they will reframe it as an engineering problem and they'll give you an engineering solution.

If you take a problem to a security person, they're gonna reframe it as a security problem and present you with a security answer. So I think you're right.

We have this bias because we are in this echo chamber as security professionals or practitioners and other organizations and people working in other departments, they don't have that lens and they're looking at things, hey, what's our return on investment?

What's our profitability this quarter? How can we make it out of the pandemic without going bust?

If you ask me from just a pure security perspective, I'm no, people don't pay attention. And you know, they do far too little, far too late.

But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness.

People are a bit more clued on, and especially from a technical perspective, operating systems and platforms are a lot more secure than what they used to be.

Security, cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there.

And we see it all the time with unsecured S3 buckets out there.

It's not that the functionality doesn't exist, it's just that someone just forgot to check or didn't think to check that should this option be ticked to private or public.
CAROLE THERIAULT
Yeah.
JAVVAD MALIK
So I think it's just about making people aware and just reminding them and being that constant thing in the background. It's not something you can fix quickly.

It's like any behavior change, and that's ultimately what we're going for. It's like behavior change.

When we look at things like environmental awareness, growing up, there wasn't really a concept of recycling or separating out your rubbish. Throw away your rubbish.

But today you walk into any corporate office or even public dustbins, there's at least two, if not more, there's maybe five in some offices where when you go to throw away your rubbish, there's oh, let me separate my recyclables from my landfill and what have you.

And this is something that happened over a long period of time and raising awareness. And I think that that's the process we're going through at the moment with security awareness.
CAROLE THERIAULT
Yeah, and also, I mean, with ransomware on the rise and with the pandemic forcing people to work from home creating almost a kind of new playground for malicious actors.

I think it's important for us to understand how we are being duped, and that changes all the time because, of course, as soon as we're all aware that something can happen, we tend to be on our guard.

So they change the pattern, and people like KnowBe4, for example, are paying attention to that all the time.

So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.
JAVVAD MALIK
Yeah, that's right, that's right. So our templates are constantly being updated, and then our awareness and training modules are always— there's always new content being added.
CAROLE THERIAULT
Yeah, fantastic. Listeners, if you want to try a free phishing test, check out knowbe4.com/freetest and see how safe your office is against this kind of stuff.

Javvad Malik, thank you so much for coming on the show.
JAVVAD MALIK
Oh, it's always a pleasure, Carole. Thank you so much.
GRAHAM CLULEY
Fascinating stuff. Well, that just about wraps it up for this week. Paul, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
PAUL ROBERTS
Two ways. Go to securityledger.com, and if you're interested in the right to repair stuff, I have a Substack, as every self-respecting journalist does these days, which is fighttorepair.substack.com.
GRAHAM CLULEY
Cool. And you can follow us on Twitter @SmashinSecurity, no G, Twitter wouldn't allow us to have a G.

And we're also up on Reddit, so look for the Smashing Security subreddit up there.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Pocket Casts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And thanks for this week's episode to our sponsors, 1Password, KnowBe4, and OneLogin, and of course to our wonderful Patreon community.

It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 228 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
Bye.
PAUL ROBERTS
You guys are great. You're so smooth. It's like a well-oiled machine.
CAROLE THERIAULT
Carole Theriault here from Smashing Security. Now I have some fantastic news for you. You know how we started asking for a few more reviews?

Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped.

We've had our most downloaded show ever last week. How frickin' cool is that?

This week I want to do a shout out to Zixis, who wrote, "Many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content.

Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done." Thank you, Zixis.

And also to Red Piano Roland. "Always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking.

It's been a rough few months, and you guys have always been a lift to my spirits. Thank you, Graham and Carole." You are so, so welcome, Roland. Red Piano Roland.

Guys, if you've got the time, please keep them coming. It is seriously making a difference in keeping us independent. Plus, it's just really, really nice to hear from you guys.

Otherwise, it's just Graham, and I mean, ugh. Buckets of love.

EPISODE DESCRIPTION:

A big cheese ends up in jail, a Japanese dating site spills the dirt after a hack, and we learn all about the right to repair.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Roberts from The Security Ledger.

Plus don't miss our featured interview with Javvad Malik from KnowBe4.

Visit https://www.smashingsecurity.com/229 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Javvad Malik and Paul F Roberts.
