
231: Sexy snaps and encrypted chat traps


Criminals are caught in an encrypted chat trap, should you trust Apple's repair team with your sexy snaps, and do you think the FBI should be able to tell who has been reading the USA Today website?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

And don't miss our featured interview with Dr Simon Wiseman, the CTO of Deep Secure.

Visit https://www.smashingsecurity.com/231 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Dave Bittner and Simon Wiseman.



This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. And because it's secure and encrypted, there's no need to talk in code. It's less, "Hey, D-Dog, it's time Mickey Blue Eyes swam with the fishes." That's good code, Graham.


CAROLE THERIAULT. You know what? Everyone would be fooled by that. You are a genius.


DAVE BITTNER. Impenetrable code. Very good.


UNKNOWN. Smashing Security, Episode 231: Sexy Snaps and Encrypted Chat Traps with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 231. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we're joined this week by, well, he's a favorite of the fans. It's Dave Bittner from The Cyberwire and Hacking Humans. Hello, Dave.


DAVE BITTNER. Hello, hello. Good to be back.


CAROLE THERIAULT. Hi, Dave. Thank you for coming on the show again.


DAVE BITTNER. The pleasure is mine.


GRAHAM CLULEY. Now I hear your house is under attack at the moment. Is that right, Dave?


DAVE BITTNER. It is. It's under an aural attack. We are deep in the midst of cicada land here on the East Coast of the United States, which means, oh, I don't know, 85 dB of constant noise. But also, cicadas are big, dumb bugs, and they just fly around into everything. They're harmless. They don't bite or sting or anything like that, but they just sort of buzz around and crash into you, and when you're driving, you get them on your windshield, and it's a nuisance, but it only happens every 17 years, so there's that.


CAROLE THERIAULT. Are you sure you're looking at this the right way? Surely this is just free protein? Like, don't you just get your barbecue out and—


DAVE BITTNER. Well, yes, there are people who are doing that. I am told that when you cook them up, they taste like shrimp, but I'm going to take other people's word for that.


CAROLE THERIAULT. Oh really? I would totally try. Well, totally.


DAVE BITTNER. Uh, yeah, if it—


CAROLE THERIAULT. I'll be there in 17 years.


DAVE BITTNER. Okay, there you go.


GRAHAM CLULEY. It's a date.


DAVE BITTNER. No, but the dogs and all the birds, like all the other critters, are having a feast off of these things.


CAROLE THERIAULT. Exactly. I think you just got this the wrong way. Okay. Um, how about we thank this week's sponsors? 1Password, Deep Secure, and KnowBe4. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about the amazing Anom encrypted secure chat app thing.


CAROLE THERIAULT. Okay, I know nothing about that. Good. Dave, what about you?


DAVE BITTNER. I've got the story of the FBI serving a process warrant in a child sexual abuse materials case.


CAROLE THERIAULT. Oh, great. Sounds fun.


GRAHAM CLULEY. Carole?


CAROLE THERIAULT. I am going to reveal a screw-up at Apple that they tried to keep quiet. Plus, we have a featured interview. Simon Wiseman from Deep Secure, he's their CTO, explains how their tech works so that they can guarantee zero malware. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, are either of you a godfather?


CAROLE THERIAULT. Yes, I am.


UNKNOWN GUEST. Yes, I am.


CAROLE THERIAULT. I'm so bored of these bored questions. Why can't they even just be—


GRAHAM CLULEY. Have you ever found yourself stuffing cotton wool into your cheeks? Slurring your words.


DAVE BITTNER. Making people offers they can't refuse.


CAROLE THERIAULT. Horse heads in other people's beds.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. Are you Mr. Big, Dave? Don't answer that. Carole, are you a kingpin or queenpin?


CAROLE THERIAULT. Queenpin.


GRAHAM CLULEY. Of an organised crime syndicate? Well, I can tell you it's not easy, is it? It's not easy being the godfather of crime. Because who can you trust? Everyone's double-crossing everybody else. There you are one minute whispering commands into the ear of your consigliere. No records are being kept of what you've ordered to happen. Nothing to lead back to you. But that was back in the simple days, right, of Marlon Brando in The Godfather movie. But now we've got tech up to our eyeballs. So you've got to be very careful with how you communicate. And many people these days are using smartphones to communicate. And I've been watching—


CAROLE THERIAULT. We even have tech on our eyeballs, really. Glassware?


GRAHAM CLULEY. Yes, yes, yes. Those kind of crazy things. I know a chap who wears these weird sort of IoT sunglasses, and they've got this big bulbous bit at the side, which I don't know if it's Bluetooth or what it is, but he's— yeah, it's kind of, kind of crazy. Now, I've been watching Line of Duty on TV, so I know—


CAROLE THERIAULT. Still?


GRAHAM CLULEY. No, I have been. I've watched all of it now. But I know what cops do when they want to know what someone's been up to. They grab—


CAROLE THERIAULT. Based on the TV show.


GRAHAM CLULEY. Very realistic.


CAROLE THERIAULT. Yeah, it's like, yeah, I understand how to do forensic science after watching a series of CSI. I'm with you, I'm with you.


DAVE BITTNER. Zoom in, magnify.


UNKNOWN GUEST. Ants.


GRAHAM CLULEY. 5?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. What they do is they grab your phone. I think this is what real police do, right? It's now, can we grab their phones? 'Cause people have got their phones on them all the time. People are sending emails, people are instant messaging, people are taking photographs, people are calling each other. Can we get the call log? Can we track where they were at a particular time? Can we find out who called them? A treasure trove of information for the cops. Well, there are apps out there which aim to fix all of that if you are a criminal. So what they do is they say, look, we will help your communications remain secure if you're nabbed by the police. And one of those is called—


CAROLE THERIAULT. Yeah, but that doesn't mean it's not just for criminals. Presumably it's for anybody who wants to keep their stuff private.


GRAHAM CLULEY. Oh, well, this particular one, Carole, is specifically targeted at criminals. It's called An0m, and the O is a zero. A-N-0-M. It's a secure messaging app, runs on a stripped-down smartphone. Not any old smartphone. This is a smartphone which can't make phone calls, can't send emails. It looks like a terrible phone. You think this is a blip all in phone. All I've got on this phone is some sort of calculator app, but it's designed purely for criminals to have end-to-end secure encrypted communications with each other. And the idea is you can trust it because An0m runs out of Switzerland, right? And we know—


CAROLE THERIAULT. Okay, so, so, so say you and I, the three of us, we were cohorts in some big-ass crime and we wanted to talk about it, but we live in different locations, right? And we don't have landlines anymore. So rather than, we would use this app to communicate because we would be clear that, you know, no one can listen in on, right? That's right.


GRAHAM CLULEY. No one can intercept the messages.


CAROLE THERIAULT. Gotcha.


GRAHAM CLULEY. And it comes out of Switzerland. And I think, I don't know about you, but when I see a piece of security software which comes outta Switzerland, I kind of think, oh, that's great. Because Switzerland likes secrets, doesn't it? Switzerland never wants to upset anyone. They'll look after your secrets like it were Nazi gold. You know, they will happily—


CAROLE THERIAULT. Swear. Or Trump, or Trump. I don't know, it wasn't—


DAVE BITTNER. Kind of their thing.


GRAHAM CLULEY. It's kind of their thing, right?


CAROLE THERIAULT. Watches, cuckoo clocks, and yeah.


DAVE BITTNER. Secret bank accounts.


GRAHAM CLULEY. And even if you're caught with an An0m phone, the cops may not realise what it's used for. And the way you access the encrypted chat system—


CAROLE THERIAULT. I'm sorry, I'm not clear. Is this a phone, like an actual phone, or is this an app on a phone?


GRAHAM CLULEY. It is an app running on an actual phone, but a particular phone. So you buy the phone which comes with the app. So it's a specially modified phone.


CAROLE THERIAULT. And I buy this at the robbery emporium?


GRAHAM CLULEY. Mm-hmm. Well, yeah. Or you buy it from a criminal. So you can go to An0m's website and you can request one of these. And what criminals are doing is they realize that their criminal mates need these phones as well. Or if you are the godfather, Dave, you buy 100 of these phones and then you sell them to your cohorts, maybe making a little bit of a profit yourself. And when you get one of these phones—


CAROLE THERIAULT. I'm taking it out of your take.


GRAHAM CLULEY. And when you buy one of these phones, you also take out a subscription for the service. So you're, you're paying money every 6 months or so to keep it going. And they give you a special PIN. So the way you access the actual chat app is you open the calculator on your phone, you enter a particular number, and that then secretly craftily opens the chatting app, right? So you have the option as well, if you enter the wrong code, to wipe the phone. So if the cops get you, you'd think, well, I want to be sure everything's wiped off this.


DAVE BITTNER. This phone will self-destruct in 5 seconds. Yeah.


CAROLE THERIAULT. And do people use this phone, like, to do other stuff too? Like, they would have other stuff on it because they can do an auto-wipe? Or they would just have this for, you know, contacting—


GRAHAM CLULEY. I think if you're a serious criminal, you just use it for this. You don't risk putting anything else on it because you might put some piece of spyware on it, which could then snoop on you. You wouldn't want that. Right. So it's a bit like EncroChat, which we talked about a few weeks ago with Paul Roberts. Um, it's making money. The organization is obviously acting a little bit dodgily and it's assisting criminal gangs.


CAROLE THERIAULT. And they're in Switzerland. Untouchable.


GRAHAM CLULEY. Right.


UNKNOWN GUEST. Right.


GRAHAM CLULEY. And because it's secure and encrypted, there's no need to talk in code with your fellow criminals, right? Because you're fairly feel fairly secure about your communications. It's less, "Hey, D-dog, it's time Mickey Blue Eyes swam with the fishes." That's good code, Graham.


CAROLE THERIAULT. You know what? Everyone would be fooled by that. You are a genius.


DAVE BITTNER. Impenetrable code. Very good.


GRAHAM CLULEY. Anyway, anyway, so good news for criminals, right?


DAVE BITTNER. Mm.


GRAHAM CLULEY. No!


CAROLE THERIAULT. No, no, no!


GRAHAM CLULEY. This— what? No, Dave! What?


DAVE BITTNER. Go on, Graham.


GRAHAM CLULEY. This is not good. This is not good news for criminals. Tell me more. Because, because word reaches us from down under that the Australian Federal Police have arrested hundreds of people, seized tons of drugs and weapons, confiscated millions of dollars worth of assets, all from criminals who were using this An0m encrypted chat service. So to find out how they did this, we need to travel back in time 3 years.


CAROLE THERIAULT. How long?


GRAHAM CLULEY. 3 years.


CAROLE THERIAULT. Okay.


DAVE BITTNER. I don't have that kind of time.


GRAHAM CLULEY. Well, we'll make up for it later. So if you go back 3 years, what happened was the Australian police and the FBI, they were having a few beers together, right? Chit-chatting about this because they had just successfully shut down another encrypted messaging service beloved by criminals called Phantom Secure. And when Phantom Secure was shut down and dismantled, the cops thought, hang on a minute, we've shut down that, that just means the bad guys are going to go somewhere else, doesn't it? Yeah. Because nature abhors a vacuum. And so—


CAROLE THERIAULT. And they're looking for a super secure way to communicate.


GRAHAM CLULEY. Right. So they're thinking— so at first the police are thinking, well, which one should we try and dismantle next? And then they went, ahahaha, or in Australia, they went, oh ho, oh ho. Oh no, that's different. Anyway, so they went, crikes, mate, you know what we best do? You know what we best do?


DAVE BITTNER. Crikey.


GRAHAM CLULEY. We should create our own secure messaging app and pretend it's for criminals. And that's what they did. So they created this whole criminal infrastructure, secure chatting system called An0m. They then got police informers to seed the app with other criminals and said, oh yeah, I'm using this app, you know, I've upgraded, I don't use WhatsApp anymore, I use this instead. So much—


CAROLE THERIAULT. Did you read about the flashcard things? Don't use that one either.


GRAHAM CLULEY. No, don't. And eventually the big criminal bosses were using it as well. Based on other criminals' recommendations. And of course, they are the equivalent to social media influencers.


DAVE BITTNER. They are.


GRAHAM CLULEY. So if the big boss is using a particular chat app—


CAROLE THERIAULT. If Don Corleone was on Facebook, they'd all be on Facebook.


DAVE BITTNER. You better—


GRAHAM CLULEY. Yeah. Why aren't you following me on Instagram? Right? So that—


DAVE BITTNER. Bit of a status symbol having one of these devices.


GRAHAM CLULEY. Yeah, exactly. Exactly. And so everyone begins to do it. And some of the criminal bosses even sold the phones, like I was describing, the subscriptions, not realizing that ultimately the money was filling the coffers of the very police who were going to use the app against them, because the police were able to watch in real time messages being sent between hundreds of criminals for years.


CAROLE THERIAULT. And fund— and fund the investigation.


GRAHAM CLULEY. Yes!


CAROLE THERIAULT. You know, Graham, this does spit in the face of your theory that if you pay for something, you get what you pay for, you know, as opposed to getting free apps.


GRAHAM CLULEY. Mm-hmm. Very, very true. Very true, Carole.


CAROLE THERIAULT. It must have been extremely fun to create this app, you know, with this, like, we have to dupe people, like, you know, for the good.


GRAHAM CLULEY. We'll do a website. We'll make sure it's got a dark—


CAROLE THERIAULT. Black background.


GRAHAM CLULEY. Yes, a dark mode. Exactly. Make it look as criminal as possible. And the police reckon that they've stopped huge shipments of drugs. They've intercepted about 20 death threats, and they reckon, you know, other innocent people may have had their lives saved because of all these. And so all these arrests have happened in Australia as we speak.


CAROLE THERIAULT. So the reason it's come out that you know about this app is because of the arrests?


GRAHAM CLULEY. Yes. So the police have now gone public on it.


CAROLE THERIAULT. Hmm.


DAVE BITTNER. Now, Graham, I've been following a lot of the conversation of this on your Twitter and other, other places. I've seen people say that the bad guys were starting to catch on to this in the past couple months. There was a blog post where someone— I guess the bad guys have their own security researchers, and someone figured out that traffic on this app wasn't just going between folks, it was going somewhere else. They were starting to get suspicious. Too late, so it seems.


GRAHAM CLULEY. Yeah, from that blog post, it looked like they were saying it appears some information may be being sent to like an American server or something, wasn't it?


UNKNOWN GUEST. It was.


CAROLE THERIAULT. And that would have forced the cops' hand to come clean anyway, right? Because if they are already sniffing of like, this could be not legit, right? They're starting to put in like fake information or whatever.


GRAHAM CLULEY. I guess there comes a point where the cops think, how much are we going to get if we carry on doing this as opposed to, you know, basically playing our cards now? You know, is there more to be gained from saying, okay, we've got information about all these hundreds of people, we think we can go and arrest them and do some damage, or hang on a little bit longer? So maybe that is one of the things which influenced them.


DAVE BITTNER. Yeah, but certainly one for the good guys, right? I mean, well, it is. Now, what do you all think this does for people's confidence in secure messaging apps in general? I mean, the ones in general use, like Signal, which is open source, so presumably folks are able to inspect the code of an app like Signal to make sure there's nothing like this going on, but how sure can you be?


GRAHAM CLULEY. In theory, yes. In theory, you're more confident when you hear something's open source, but of course, if everyone is feeling that same confidence and nobody actually goes and looks at the source code to see if there are vulnerabilities or if there's some backdoor in it or whatever, and I'm sure in the case of Signal, someone probably has, but oftentimes people just assume, don't they, that, well, it must be all right, comes from Switzerland.


CAROLE THERIAULT. It's— Well, it's not even that though. I'm sure the criminals they were going after were not like cyber whiz kids, right? So these are people that are probably like shifting boxes of stuff or whatever, who knows, but like not whiz kids. So if someone—


GRAHAM CLULEY. A lot of them may be, but yeah, but there may also be others who are on the sidelines, or people who are just curious, you know. They come across something— I mean, this thing had a Twitter account. They come across it, maybe they get hold of the app, and they're just— people are just interested.


CAROLE THERIAULT. I just wonder if a smart criminal would have just gone, uh, why don't we just use Telegram or Signal at this stage?


GRAHAM CLULEY. Like, that's— I'm sure plenty of them are. And of course, there's lots of pressure from, uh, from governments to try and put backdoors into some of these messaging services.


DAVE BITTNER. Right, but does this weaken the case for that argument? Because if folks can say, well listen, you have other ways to get at this information besides weakening encryption, right? Here's an example. You put out your own app, so why should we weaken encryption when you can get— when you were so successful getting all these bad guys all around the globe by other means?


GRAHAM CLULEY. Well, you could use the same argument to say, didn't it work great with ANOM? Wouldn't it work even better if WhatsApp and Facebook Messenger and Signal and everything else were to do it as well?


DAVE BITTNER. True. Yeah, true.


GRAHAM CLULEY. Anyway, I don't know who to trust now.


DAVE BITTNER. Well, but you know, it's a good thing that the bad guys are looking over their shoulders, isn't it?


GRAHAM CLULEY. Yes, yes. If it makes them uncertain, I'm sure for those years when they found that, for instance, shipments of drugs were being intercepted, they were probably in— there's probably infighting and suspicions as to who might have said something. You know, only you knew this information.


DAVE BITTNER. Right, right. Who was the rat?


GRAHAM CLULEY. Well, David, what have you got for us this week?


DAVE BITTNER. Back in February, USA Today, which is a publication here in the US, they published a news story about the tragic death of two FBI agents who were in the process of serving a warrant in a CSAM case, and CSAM is Child Sexual Abuse Materials. So the FBI were going after someone who they alleged was involved in this horrible crime of imagery of child sexual abuse. So a team of law enforcement officers were attempting to execute this warrant. Evidently, the person that they were after had some sort of doorbell camera, saw them coming, and fired through the door at all these law enforcement people who were knocking on the door to serve him the warrant. Two officers.


CAROLE THERIAULT. With a gun.


DAVE BITTNER. With a gun, yes.


GRAHAM CLULEY. It wasn't with the doorbell, Carole. They haven't yet made IoT doorbells that can shoot guns.


CAROLE THERIAULT. It could have been a water pistol. It could have been through a straw, little paper balls through a straw.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. You know, don't assume, Graham.


GRAHAM CLULEY. Okay.


DAVE BITTNER. Yeah, so real gun, real bullets, real people died. So two officers were killed, three others were wounded.


CAROLE THERIAULT. Holy moly.


DAVE BITTNER. Yeah, SWAT team was brought in. There was more gunfire exchanged.


GRAHAM CLULEY. This was in America, wasn't it? I'm guessing from what clues you've given me.


DAVE BITTNER. How could you tell, Graham? How could you tell? Eventually the suspect, my understanding is he took his own life again via gunshot. It's a tragic situation all around, starting with the child sexual abuse material, obviously the FBI officers killed in the line of duty, but where it gets interesting is the FBI served Gannett, who publishes USA Today, served them with a subpoena, and they wanted information about basically everyone who accessed a news article during a 35-minute window starting just after 8:00 PM on the day of the shootings. Now, the demand, which was signed by a senior FBI agent, it didn't ask the names of the people who read the story, but they were looking for IP addresses, mobile phone information that could lead to the identities of the folks who read the information. So now—


CAROLE THERIAULT. Yeah, I'm not following either.


GRAHAM CLULEY. So the shooting has happened.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. USA Today has published this story about something which happened earlier that day, right?


DAVE BITTNER. Right. Hours later, USA Today publishes the story. The story is still online, by the way. You can go read the story.


GRAHAM CLULEY. Okay. And then the FBI investigating the shooting want to know who's been reading the news article which came out after the shooting.


DAVE BITTNER. Correct. Correct.


GRAHAM CLULEY. It's a bit odd.


DAVE BITTNER. So, the— what people are supposing is that the FBI thinks, or thought, that perhaps someone else who was involved in this crime, in the child sexual abuse materials crime, may have been reading the article. Perhaps if we know who was interested in what went down here, who had an immediate interest in it, that might lead us to more of the people who were after it.


CAROLE THERIAULT. So like, but I'm guessing USA Today probably has what, like there'd be 1,000 a minute clicks? Like it doesn't narrow the pool that much.


DAVE BITTNER. No, no, it wouldn't. But beyond that, there are serious First Amendment rights issues here with this subpoena. Now, one of the interesting things I learned when reading this article is that this is a particular case where the FBI does not have to go in front of a judge to get a subpoena like this. This FBI agent only had to get the sign-off from one of his superiors at the FBI in order to proceed with this subpoena. And the reason behind this is that they say in cases like this, particularly with horrific things like child sexual abuse, they have made the case that they need to be able to act quickly because people are in jeopardy. Now, in this case, many hours went between the shooting and the publication of the news article, so it doesn't seem as though there was any real time constraint here on gathering this information. So the folks at Gannett, USA Today, they pushed back, they refused the subpoena, they said it was a clear violation of the First Amendment.


CAROLE THERIAULT. Because they would have to give the details, the information that they had IP addresses on every single person that had read that article, right?


DAVE BITTNER. Exactly.


CAROLE THERIAULT. Right, right, right.


DAVE BITTNER. And so I've been trying to think of an analogy for this, and it's kind of the difference between going in front of a judge and saying, hey, we suspect that this person was reading this article, and we would like to have a subpoena just to verify that as part of the investigation we're doing. As opposed to saying, we want to search every house in the neighborhood, right? Because we think the bad guy might have driven through this neighborhood, so we want to search every house in the neighborhood. We just want to throw this web out there. And you can't do that.


GRAHAM CLULEY. Yeah, we have seen these sort of dragnet, sort of scooping up of data in the past, haven't we? I remember there have been some cases where there have been physical bank robberies. And the FBI has requested information from technology companies regarding who might have been in the location around about that time in order to narrow down the potential list of suspects, which has caused some controversy in the past.


DAVE BITTNER. We had cases back here years ago where folks were trying to get the lists of books that people signed out from libraries. And, you know, are you entitled to the privacy of knowing— of other people knowing what books you've signed out from a library?


GRAHAM CLULEY. So that could be embarrassing for you, Dave, if you took out like an erotic romance or something, or some sort of bodice ripper?


DAVE BITTNER. Well, not just one, but yes, absolutely. Absolutely.


GRAHAM CLULEY. Carole, what have you got for us?


CAROLE THERIAULT. So picture it.


GRAHAM CLULEY. Your iPhone.


CAROLE THERIAULT. You're both iPhone users. iPhone users, aren't you?


DAVE BITTNER. Yeah.


CAROLE THERIAULT. Now imagine it started acting all buggy, like not the way you expect it to work. And you're getting frustrated and you panic a little bit. You push a lot of buttons. You might even decide to turn it on and off again, but to no avail, right? So you have options in this case, don't you? So what would you do? You might, like, say you've run out of ideas. You can't fix it. Your friends can't fix it. So you need to get it repaired somewhere. Now, where would you go typically in that scenario when one of your Apple products do not perform appropriately?


GRAHAM CLULEY. First choice would be the local Apple Store or Apple sort of partner, yeah.


CAROLE THERIAULT. Like, so like with my car, I just take it to any old, well, not any old garage, but like not the official whatever company garage. But with my phone, I tend to go to the Apple Store too. I once had insurance. It was covered under some insurance that we had, some bank insurance or something, and I dropped my phone. Anyway, got soaked.


GRAHAM CLULEY. And, uh, what did it fall— what, what, honestly, I'll tell you, you won't believe me.


CAROLE THERIAULT. It fell into a bucket of water outside. Like, I was outside working and it got too hot, and then I was trying to open the door and it just fell right off the top of my book, slid right into this. Yeah. Anyway, so, so anyway, so, so I sent it off and they sent me back a phone, but it was like a— it was— anyway, it wasn't very good. So I've always thought, go Apple, go Apple, go Apple. So, so this story is all about someone who did exactly this. It starts on January 14th, 2016. Right. And our main character is an unnamed 21-year-old student. And it becomes pretty crystal clear why she's unnamed. So, so this student, we're going to give her a name. Should we give her a name? Wilhelmina. Let's call her Wilhelmina. Okay. Wilhelmina. She, her phone was all buggy. So she sent her phone off to repair. So you know how there's two ways you can do it, you can go to the Apple Store, or you can send it off, right? And you put it in the mail and they go and take care of it. And the phone was then given to a repair facility run by Apple. So Apple don't do all the work necessarily themselves. They have contractors that do some of the work. So in this case, it was a contractor called Pegatron in Sacramento, California.


DAVE BITTNER. By the way, I just want to, just for the record, point out that Pegatron is widely considered to be the kinkiest of the Transformers. I didn't even know it was a Transformer.


CAROLE THERIAULT. Is that true?


GRAHAM CLULEY. No, it's not true. She's so innocent.


CAROLE THERIAULT. Okay, so we have this Apple contractor that is looking after the phone now.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And during that time, two technicians got access to the phone. And while they were quote unquote repairing the phone, they found some sensitive information. Now, as app tech repair folk, this must happen like all the time.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Someone comes in with a problem, like, I can't get my photos, or my phone's like frozen. I can't get any information off it.


GRAHAM CLULEY. It's a bit like when the boss's laptop stops working, right? And the IT team, he gives it to the IT team and he sort of says to them, or he goes to the head of IT and says, look, I need you to be discreet with this, right? Right, right. Something funny's happened on it. I don't want you letting every member of IT looking at this laptop. Could you just handle this yourself?


DAVE BITTNER. We don't have to talk about my browsing history.


GRAHAM CLULEY. Yeah, exactly right.


CAROLE THERIAULT. So these guys must be expert at averting their eyes, you know, from notifications or texts or emails or pics or whatever. So, okay, so Wilhelmina sent off her phone for repair, you know, via the appropriate Apple channels. And it wasn't like she was standing over them. She wasn't at the Genius Bar or anything. She sent it via the mail. But according to legal findings seen by The Telegraph, these two unnamed technicians that found the sensitive content— when I say sensitive, I mean like pictures of her in various stages of undress and a sex video. And not only found it— so say, say you were this kind of person, Graham.


GRAHAM CLULEY. What, the one with a sex?


CAROLE THERIAULT. No, no, no, the one that has received— you're working, you're in tech support, whatever. And you see these big sexy, sexy videos.


GRAHAM CLULEY. Um, do you— dum dee dum? Yes.


CAROLE THERIAULT. I hate the idea, but I can almost imagine they might load it up for their own enjoyment somewhere. Like, that would be like the worst thing I can imagine. Like, oh, I'll keep this for later if it's sexy, sexy.


DAVE BITTNER. Mm-hmm. When I was in college, I had a friend who worked at a Fotomat. You know what a Fotomat is?


GRAHAM CLULEY. Right.


DAVE BITTNER. So the Fotomat was a little photo booth in the middle of a parking lot where you would drop off your photos and then you'd come back the next day and they were developed. And for the young members of our audience, this was a thing that used to happen. You took photos on this thing called film, and then the next day it would be developed and you get your pictures back. Anyway, he worked at the Fotomat, and he said— he told me that in the little booth there, they had a binder that they called the Who's Your Daddy binder. And that was where whenever someone would come in with photos from, say, a bachelor party or something like that, they would run off extra copies of the spicy photos, and they would go in the folder for the employees to enjoy. So there's a long history of this.


CAROLE THERIAULT. Closer to home than you even know. I can't even tell you. But anyway, um, we're not going into that on another show, perhaps. All right, right. Okay, so, so what these guys do, instead of just putting it into their who's your daddy photo album, post it up on her own Facebook account.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Making it look like she had uploaded the content herself.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. And Wilhelmina—


UNKNOWN GUEST. wow—


CAROLE THERIAULT. our unnamed student, some of your name, okay, none the wiser, only finds out when her friends contact her and go, probably say something like, hey, did you mean to have a pic of your hoochie coochie all over the public newsfeed?


DAVE BITTNER. Mm-hmm.


GRAHAM CLULEY. So why would, why would they do that? Do you think it was an accident? Do you think they meant to post it to their mates from their Facebook account and they accidentally logged into hers from her phone?


CAROLE THERIAULT. So it's like a colossal fuck-up as opposed to, uh, just complete ridiculous insanity.


GRAHAM CLULEY. That's all I'm thinking is that they must have—


DAVE BITTNER. it must have been a mistake on their part because clearly I don't think so.


CAROLE THERIAULT. They must have shat themselves both simultaneously.


DAVE BITTNER. Imagine, if you will, that Beavis and Butt-Head are working at this repair shop, and they are incredibly bored, right? And these two guys just, they hang out together, and they're the two goofballs, and they just, and they're always looking for things to do to fight the boredom and keep themselves interested, and as they say, one thing led to another, and Beavis said to Butt-Head, "Hey, wouldn't it be funny? Look, I can access her Facebook. I've got an idea. Watch this." And they had a good laugh before they realized what they had actually done.


CAROLE THERIAULT. I think it's very heartwarming to know that Apple spent a lot of time vetting their contractors that take care of these very important devices that have become instrumental to our lives.


DAVE BITTNER. Right?


GRAHAM CLULEY. So what's happened to these guys?


CAROLE THERIAULT. Wilhelmina, most likely mortified and furious, right? And she's like, "I don't even have my fucking phone. It's at Apple." She probably was fielding a bunch of calls from her Auntie Jean and ex-boyfriends and all the— Anyway, so she lawyers up. She lawyers up and takes on Apple. And lawyers for Wilhelmina threatened to sue Apple, citing invasion of privacy and severe emotional distress, right? And apparently, reportedly, reportedly demanded $5 million in damages during the negotiations.


GRAHAM CLULEY. Yeah, sure. Why not?


DAVE BITTNER. I mean, that's the—


CAROLE THERIAULT. we don't know how much she got.


DAVE BITTNER. That's the money Tim Cook has in the couch in his office. I mean, right, at Apple, just probably nestled within his, his budget.


GRAHAM CLULEY. Sure.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. I don't think, I don't think it's that outrageous an amount of money to request, actually.


CAROLE THERIAULT. No, me neither. Me neither. Apple, I think it, you know, and we don't know how much she actually got. We don't know how much, uh, we don't know how much she actually ended up getting. But the thing is, she's not allowed to speak about this. She had to sign an NDA to get the wonga. I really don't like the whole, you know, "STFU if you want this cash." I don't really like that.


GRAHAM CLULEY. Well, I guess that's the bargain you do, isn't it? Is that you can either take them to court and have it decided by a judge, which will then all be public, or you can settle on the steps of the courthouse, and they say, "Look, we'll give you more than you wanted if you agree to do this." It's just a business relationship.


CAROLE THERIAULT. For life? I think there should be a limit of 3 years or something. I can understand, but I don't think you should be able to erase stuff from history by paying people off. And it'd be illegal. Yeah.


GRAHAM CLULEY. Hey, Carole, you found out about this somehow.


CAROLE THERIAULT. Well, exactly. How did I find out about it? Right?


GRAHAM CLULEY. How do we know? You're Wilhelmina.


CAROLE THERIAULT. Well, the settlement only came to light because Pegatron, this was the intermediate company, the contractor for Apple, had gone to their own insurance company to get the money to pay for whatever they decided they were going to pay for this. And their insurance company said, "No, we're not going to compensate you for the amount." So it refused to pay. And in that, Apple said, "You have to call us the customer." But during a bunch of legal fights going back and forth, it eventually became clear that the customer was Apple. So it leaked.


GRAHAM CLULEY. And are Pegatron suing Beavis and Butt-Head?


DAVE BITTNER. No, they're fired, right? I mean, they're just gone.


GRAHAM CLULEY. They're fired, but they've caused a lot of damage.


DAVE BITTNER. Yeah.


CAROLE THERIAULT. Yeah, they're fired. They've been fired. Yeah. They've been eradicated from the organization. Apple confirmed the incident statement to The Guardian Monday, and the woman, of course, has not responded to any of it. So she can't. She can't say anything. She can't say that's bullshit. She can't say that's true. She can't say anything. Apple spokesperson, of course, says, "We take privacy and security." What do you think? What are the next words?


DAVE BITTNER. Very seriously. Extremely seriously.


GRAHAM CLULEY. So can we decide who the victims are here? Who are the victims, right? Obviously Wilhelmina, right?


CAROLE THERIAULT. Wilhelmina?


DAVE BITTNER. Yes.


CAROLE THERIAULT. Definitely a victim.


GRAHAM CLULEY. I would argue that maybe Apple are a victim because they've been let down by Pegatron. Yeah.


DAVE BITTNER. By a third party. Yep. Third party vulnerability.


GRAHAM CLULEY. I think in a way, Pegatron are a victim because they've been let down by Beavis and Butt-Head who did something utterly, utterly moronic and unethical and immoral. Maybe. And maybe, maybe Pegatron should have had, I mean, even if you have rules in place, if people are doing that kind of diagnostic work to fix a phone, is there any way to prevent them from—


CAROLE THERIAULT. Yes. Ah, yes, there is.


UNKNOWN GUEST. Right.


CAROLE THERIAULT. Yes, there is. Okay, number one, say your phone's screwed. Now, this is— this, of course, all depends on the fact of how screwed or fucked up your phone is. If you happen to dump it in a big pile of water, you're not gonna be able to do any of this stuff.


GRAHAM CLULEY. Who would be dumb enough to drop it into some—


CAROLE THERIAULT. Exactly, only a numpty. A numpty. Okay, so if possible, back up your iOS device. You should be doing this anyway, right, to the cloud, but have a backup of your device, your iOS device, and then erase your iOS device before you send it off.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So it's Settings, General, Reset, Erase All Content. And then Apple get a device that has nothing on it, and it's okay, they can fix the inside components of it. And then all you do when you get it back is you can reload up all your information from your backup.


DAVE BITTNER. Right.


CAROLE THERIAULT. There's also advice about making sure the activation lock is disabled because of course you can't send a locked device over. Because, and in fact, even if you go into the store, they'll often ask you to disable your password. Right. So yeah, you want to think again, like that's, and they take the phone to the back. And the reason they do that is they don't have to come back and forth every, you know, whatever, two minutes to, you know, can you reactivate? Can you have your fingerprint? Right. So, you know, erasing your device before you bring it to an Apple Store if possible sounds to me like a really smart idea. And the other thing you do is remove the SIM card from the device. Also, if you're mailing it in, remove the case, screen protectors, and keep your cables and chargers. Apparently people sometimes send them in, never see them again.


DAVE BITTNER. See, I would, I would think if I had this sort of material on my phone—


CAROLE THERIAULT. what, sexy, sexy naked videos of you?


DAVE BITTNER. Okay, exactly, exactly.


CAROLE THERIAULT. Dancing to some show tune.


DAVE BITTNER. Yeah, as if that were even possible. I would just write off the phone. I would just get a new phone. If I had a backup, you know, the phone's broken, okay, it's not worth sending off to someone else and risk that falling into the wrong hands. If I could afford it, right, I would just buy a new phone and restore from backup.


GRAHAM CLULEY. Exactly, Dave. Not everyone's as rich as the host of the Cyberwire and Hacking Humans. Not everyone's dripping in diamonds like you guys are, right?


DAVE BITTNER. Lighting cigars with $100 bills. Yes, absolutely.


CAROLE THERIAULT. Exactly. Walking around with a faux fur coat.


GRAHAM CLULEY. Your big-ass sponsors.


DAVE BITTNER. Now, the other thing I will point out is that there are apps available that allow you to store this sort of stuff under a separate password from the main password on the phone. So if you want to have this sort of thing on your device, perhaps you want to have it under a second layer of protection so that if the repair folks need access to the phone, that's fine, but they won't have access to this secure folder where you keep this sort of thing.


CAROLE THERIAULT. Yeah, or just don't keep that kind of stuff. I don't know.


DAVE BITTNER. Well, let's not be hasty, Carole. I mean, everybody's, you know—


CAROLE THERIAULT. Just be pure as driven snow like me.


DAVE BITTNER. It's been a long time under lockdown, Carole. People have needs. They have impulses.


CAROLE THERIAULT. I know, they don't have to save the stuff. There is a web browser. Geez.

So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. And to do that, they need new school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash free test. Think of KnowBe4 for your security training.


GRAHAM CLULEY. Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. 1Password makes the secure thing to do the easiest thing to do. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise. Provision employees using trusted systems, respond rapidly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for supporting the show.


CAROLE THERIAULT. Deep Secure Threat Removal is a very cool product which takes incoming poisoned Word documents ransomware documents, booby-trapped PowerPoint slides, and the like, and creates brand new files with just the good stuff and none of the bad. It is a neat way of handling brand new threats coming into organizations via web, email, or file sharing, and it can run along your existing antivirus. Threat Removal gives you the good stuff by delivering files that are 100% threat-free, fully functional, and fully revisable. Adding Threat Removal to your defense can help you reduce administrative costs as it doesn't require signature updates or security ransomware patches and reduces the time your security team spends on false positives and remediation. Visit deep-secure.com/smashingsecurity. That's deepsecure with a hyphen dot com smashing security for more information and to set up your free trial today. And deep thanks to Deep Secure for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. I remember as a child, loving a series of books which I've recently been reading with my son. Sometimes I read them, sometimes he reads them. They are called the Three Investigators books.


CAROLE THERIAULT. Ooh, okay.


GRAHAM CLULEY. They came out in the '60s, I think, originally. And there's something like over 40 of them. It features Jupiter Jones, Pete Crenshaw, and Bob Andrews of Rocky Beach, California. Jupiter lives on a scrapyard with his uncle and aunt, and they have a base hidden behind a pile of rubbish. And what happens is these 3 teenagers, they get mysteries to solve. So they're running a little detective agency and they investigate anything, sometimes with the help of their English chauffeur who drives them around in a Rolls-Royce.


CAROLE THERIAULT. Is there any ladies in this? Any girls?


GRAHAM CLULEY. There's no lady. There are very few lady folk.


CAROLE THERIAULT. Oh yeah, we don't really exist. I keep forgetting.


DAVE BITTNER. Well, back in the '60s you didn't, Carole.


CAROLE THERIAULT. We were only 20% of the population back then.


GRAHAM CLULEY. Right. Right, exactly.


DAVE BITTNER. Yeah, no girls allowed.


GRAHAM CLULEY. These are just 3 guys, 3 guys solving mysteries.


DAVE BITTNER. If you want girls solving mysteries, that's what Nancy Drew is for. Come on.


GRAHAM CLULEY. Exactly. Exactly. Now, sometimes the Three Investigators is known as Alfred Hitchcock and the Three Investigators because through some sort of shady marketing arrangement, Alfred Hitchcock would sometimes frame the books or frame the story. So he'd have a chapter at the beginning just introducing the characters. And then at the end of the story, they would go and explain the mystery to him and tie up the loose ends. But, uh, he didn't write the books. A lot of people thought Alfred Hitchcock wrote books. He didn't write the books. The early ones were written by a chap called Robert Arthur, and then they were written by others as well. They are great stories, like The Mystery of the Green Ghost, The Whispering Mummy, The Stuttering Parrot. I still love them to this day, and I found a fan website at 3investigatorsbooks.com, we can find out more. In fact, Carole, I don't know if you remember, when we used to work for a certain computer security company—


CAROLE THERIAULT. I hardly remember, it's hazy.


GRAHAM CLULEY. All those years ago, I was, I was on eBay, and I had a bookshelf behind me, which I was slowly filling up with old Three Investigators books in order to complete my collection. And so I've loved them a long old time, and they're great. And that is my pick of the week.


CAROLE THERIAULT. Do you think that's why you're not great with women? Because all the books you read just had boys in them? You just never learned about them?


GRAHAM CLULEY. What do you mean I'm not great with women?


CAROLE THERIAULT. Maybe.


GRAHAM CLULEY. What do you mean?


CAROLE THERIAULT. Maybe I should buy you some— Yeah, maybe I'll buy you some Nancy Drew.


GRAHAM CLULEY. Miss Marple. Dave, what's your pick of the week?


DAVE BITTNER. So back in the day, and by the day, I mean 1994, there was a game called SimTower. And this is when— Remember when The Sims were spinning off all sorts of different types of games. You had SimLife, you had, I don't know what, SimZoo. There were all sorts of—


GRAHAM CLULEY. SimCity.


DAVE BITTNER. SimCity, right, right. So SimTower was a game where you were trying to build this, an office building, a mixed-use office building. So you could have, part of it was a hotel and part of it had, you could put a movie theater in and you had to build in parking garages and all sorts of things.


GRAHAM CLULEY. Yeah, I remember it. It was great.


DAVE BITTNER. Yeah, it was a fun game. And the key to success in the game was managing your elevators, was moving people around. 'Cause that's how you scored points in the game, and if people got angry that they couldn't get to where they were going, that was bad for your score in the game. So that, I think, kicked off my fascination with games that involve moving people around efficiently and those sorts of things.


CAROLE THERIAULT. Logistics, basically.


DAVE BITTNER. Yes.


CAROLE THERIAULT. Travel, transportation logistics.


DAVE BITTNER. Absolutely, absolutely. So there is a game that popped up in my Apple Arcade subscription, and it's called Mini Motorways. And it is similar to SimTower in that you are building little roads to connect people's homes to little shopping malls and parking garages. And as the game goes on, more and more homes spawn into this world, and more garages and malls spawn into this world. So it gets faster and you have to connect more cars and you get traffic jams and you get bridges and you can build little freeways and things like that. It's a game that's very simple from the outset, but as you play it, you start to figure out ways to get higher and higher scores and deliver more people to their destinations. It can get a little fast and furious towards the end because there are so many cars and you're trying to manage them. So it's a lot of fun.


CAROLE THERIAULT. And are you addicted?


DAVE BITTNER. Well, yes. Addicted is a strong word, Carole. I would say that at the end of a busy day, if I'm looking to unwind, I will often fire up Mini Motorways and sort of disengage my brain and spend 20 minutes or so building a little community and trying to get cars to their destinations. And that is why Mini Motorways is my pick of the week.


CAROLE THERIAULT. No worries about you sending your phone off to Apple to get repaired, right?


GRAHAM CLULEY. No.


DAVE BITTNER. Hey, we got a weirdo here. He's playing Mini Motorways. Yeah.


GRAHAM CLULEY. And that's it. So it's on Apple Arcade.


DAVE BITTNER. It's on Apple Arcade. It's on other— I think it's on Steam.


CAROLE THERIAULT. It's—


DAVE BITTNER. there are desktop PC versions of it. So it's probably been out for a while, but it's new to me and I enjoy it very much.


GRAHAM CLULEY. It looks very cute. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, mine is a TV anthology called Love, Death & Robots. Have you guys seen it? Either of you?


GRAHAM CLULEY. No.


DAVE BITTNER. No.


CAROLE THERIAULT. Okay, so animated anthology series. It started back in March 2019, and I remember hearing about it, but I never watched at the time. But season 1 has a whopping 18 episodes. Some of them are as short as 6 minutes and others are as long as about almost 20. And the idea is that you have different animators, different storytellers delivering standalone sci-fi stories. And I'm guessing the, you know, what they were told is make it about love, death, and robots. That was it, right? Season 2 has just recently come out, which is why it's hit the news again. Unfortunately, it's a lot shorter, less contributors, but it's really quite great. I found it fantastic. Now, the press, when I went looking about this to cover it for today, a lot of them were like, "Oh, God, it's mediocre." Some of them are stupid, and there's a lot of, "Uh-uh, uh-uh." I don't agree with it. Obviously, I like some of the stories better than others. I like some of the animation better than others. Some were a bit gruesome, indulgently so. You know, there's, like, sex bots in some. So, it's not for kids or anything. And it's a bit gratuitous, but it doesn't matter. The animation is just mind-blowing.


GRAHAM CLULEY. Oh, really?


CAROLE THERIAULT. Like, there's one story where these people— and this is the only one where there's actual people. Everybody else is computer animated. But there's these two people and they open up their fridge and there's a tiny world inside their freezer and they can see— and it's basically just civilization occurring from the beginning.


GRAHAM CLULEY. That's not that unusual, actually.


DAVE BITTNER. College dorm rooms all over the world.


CAROLE THERIAULT. But you can take your pick. Now, if you're a little bit chicken shit or scaredy-cat, 'cause some of them are a little bit like, "Eek!" In the show notes, I have put a Vulture write-up about each episode. You can take a read and watch those that you fancy, 'cause there's no tie between them. Anyway, I say check it out. I loved it. Love, Death & Robots on Netflix. LastPass is my pick of the week.


GRAHAM CLULEY. Terrific. Now, Carole, you've been chatting with Simon Wiseman from Deep Secure, right?


CAROLE THERIAULT. Yes, Simon Wiseman. Okay, this is such an interesting interview. He basically talks us through the idea of how you can deliver malware-free, like zero malware, any chance of malware. In our world, that's like, really? Well, maybe you need to listen to see how he's done it. It's pretty clever.

So today I am pleased to be joined by Deep Secure CTO, Dr. Simon Wiseman. Welcome to Smashing Security. Thank you for speaking with us.


UNKNOWN GUEST. Well, thanks for having me along.


CAROLE THERIAULT. Now, um, I have to say before we start that you do have the best name I've ever So Simon's obviously a smart person's name, probably because of that brain game Simon Says when we were kids. But you also have Wiseman as a surname. It's genius.


UNKNOWN GUEST. I know, it didn't do me well at school. That's not what they call me there. No, I got ribbed rotten for it.


CAROLE THERIAULT. Well, not anymore. Who's laughing now?


UNKNOWN GUEST. I guess so.


CAROLE THERIAULT. So Deep Secure is a pretty interesting and innovative cybersecurity company. It says you're trusted with safeguarding some of the most uncompromisable systems around the globe. So that is what we were gonna dig into today. But let's first maybe set the stage. What can you tell us about you and Deep Secure?


UNKNOWN GUEST. Well, Deep Secure, we're a tech company based in the UK, and we're really dedicated to cybersecurity. That's all we do. We create software products, we provide services to defend organizations of all sizes, you know, across all sectors, really defending them against malware. And our core technology is threat removal. And that just exists to stop malware. And it really does work. We once put it to the test. We put over 30 million examples of known malware in front of it, and that batch included malware of every kind. It was executables, macros in Office documents, PDFs, image files, the lot, right? And every one of those files was either made safe or blocked. And we've even had highly skeptical customers do similar tests, including some government agencies who didn't just try publicly known malware. And, you know, Threat Removal just won out every time.


CAROLE THERIAULT. Really interesting, because a lot of companies say, you know, we stop malware, but no one says all. So how are you confident with saying that all malware is stopped?


UNKNOWN GUEST. Well, actually, that's easy for us, uh, because Threat Removal doesn't use detection to spot the malware, so we're not able to be fooled by an attacker hiding it from us. Everyone else is looking for the bad things so that they can be blocked. That's just not a winning strategy because those bad guys are actually really good at hiding their malware and inventing new ways of getting past you. And in the end, they will always win.


CAROLE THERIAULT. Yeah. So what you're saying is Threat Removal is the name of Deep Secure's technology. And this technology, it doesn't use detection to spot malware, but it just removes what? All the stuff that can make malware exist?


UNKNOWN GUEST. Yeah, it delivers you the kind of information that you need, but without the data that was carrying it, and then which is where the malware lives. So we give you what you want, right? But without the malware.


CAROLE THERIAULT. Right, right, right. How did you come up with this idea?


UNKNOWN GUEST. It goes back quite a way, actually, because I started life doing cybersecurity research in the defense sector.


CAROLE THERIAULT. Okay.


UNKNOWN GUEST. And as you can imagine, there were a lot of projects there in that, in that community where we're looking for ways of defeating malware. And the best idea that was had was to convert complex sort of data files into something simpler that just couldn't carry smashing security, the usual malware. But the big problem with it is that the users didn't get the information they really needed because everything had to be simplified. So like a document might get turned into a series of images of the pages, which is okay if you want to read the document, but it's no longer editable. So not, you know, not half as useful as it needs to be. And even then, you know, it doesn't necessarily stop all the malware because an attacker might do something new. Find a way of fitting malware into that simple data that you allow in. And, you know, even simple images can contain malware. So the idea was good, but, you know, really not close enough to be generally useful. But that's what we wanted to do at Deep Security. We wanted to find a way of delivering the users all the information that they need without leaving the attackers with a way in. And then, you know, eventually the lightbulb moment came. Really, it was pretty simple in the end. We just— you just throw away all the data and make completely new data to carry the same information as the original had. In other words, kind of like you give the users all the information, but you make a new box to put it in.


CAROLE THERIAULT. So there can't be anything sitting in the corner lurking in another corner, because you created the box, you know the box is safe.


UNKNOWN GUEST. Interesting. That's exactly right, yeah.


CAROLE THERIAULT. Huh.


UNKNOWN GUEST. And, you know, we don't— we're not trying to work out whether the data is safe or not. We always throw it away. And that means the attacker has no opportunity to fool us. They can't sneak the malware past our check because we're not checking for bad things. And that's why we can end up with that 100% effectiveness claim.


CAROLE THERIAULT. Okay. Okay. So, okay. Can we walk through how this works in practice? Do you mind?


UNKNOWN GUEST. Well, yeah, this is, of course, the tricky bit. The theory is nice and simple. Yeah. But I think that's the breakthrough that we made here. You know, Deep Secure, we've managed to engineer that theory into something that's like workable in practice. I mean, you've got to have something that's effective and scalable and easy to deploy. Otherwise, no one can adopt it. And it's got to be like fast and unobtrusive. So it doesn't get in the way of the user's day job. And all that's pretty tricky stuff. But that's what we've got with threat removal. You know, it stops the malware but doesn't stop you working. Now to do that, the first thing we have to do is to get into the data flows. Because we need to get every file 100% malware-free before it gets delivered. So we need to be inside the delivery mechanisms. And so we've built the interfaces needed to add this into your email, web, file-sharing gateways. And we've provided interfaces so you can integrate it into your internet portal. And, you know, and once we're in these places, then we can get to work on the data, which is where the proper threat removal process kicks in.


CAROLE THERIAULT. Yeah.


UNKNOWN GUEST. So that's where, you know, a file contains data and it carries the information you need. That data is like a pile of bytes encoding the text and graphics you see in a document or the numbers and formulas that you work with in a spreadsheet. But the data is where the malware hides, right? The data doesn't go in the information, it goes in the data. So if we deliver you the information but not the data, you get what you want, but you don't get any malware. Fun bit is that even if the data is clean, we still don't give it to you because we're not trying to figure out whether the data is infected or not. We always throw it away, and because we know that if we try to decide, the bad guys would just find a way of beating us.


CAROLE THERIAULT. It makes you so unique because does— is there anyone else that approaches it this way?


UNKNOWN GUEST. No, this is unique, I think. You know, everyone else is looking for what's bad. We're just getting out what you need, and it's a completely different paradigm.


CAROLE THERIAULT. Is this all done in the cloud and then it's sent to me if I were the user, for example?


UNKNOWN GUEST. For example? It can be in the cloud, it can be on-premise gateways, it can be in all sorts of places, just as long as we can get into the data flow. So we need to get in to the— get to the data before it gets to you, and then so we can clean it up.


CAROLE THERIAULT. And this basically means the recipient or the user just never receives malware using this type of approach.


UNKNOWN GUEST. Well, that's right.


GRAHAM CLULEY. Yeah.


UNKNOWN GUEST. Everyone else is trying to do better detection and that's never going to stop the bad guys completely. They're always going to find a way to evade detection. They're just going to be beating you. And that's why at Smashing Security, we decided we really needed to stop the malware, not just slow it down. And, you know, we want to give the user what they want. That's the information. And we don't give them any malware. And even if it's zero-day malware, you know, which is so hard to detect, all because we throw the data away, whether it's— whether there's any recognizable malware in it or not. That's why we defeat zero-day malware as well.


CAROLE THERIAULT. It's like a bit like an old house with maybe sneaky mold in the corners, right? And you could send the experts in to try and find the mold and get rid of the mold, or you could just take all the furniture out and put them in a brand new house and say, here, look, no mold here at all, you're safe.


UNKNOWN GUEST. That's perfectly, uh, perfect analogy for what we're doing. Definitely.


CAROLE THERIAULT. Yeah, you can have it. Yeah, it's yours. Um, so what about the user experience? Okay, so I'm, say I'm your customer and I think this is fantastic and I want to use this. What do I see? What do I, what do I do?


UNKNOWN GUEST. What do you see? Well, this is the real joy. The user doesn't know anything about this. They don't know any of this is happening because it's completely invisible. They get the information they were sent and they get it immediately. So they don't see anything odd. The files that arrive, you know, they look and feel just the same as the originals, except of course, there's any malware might be missing. But all the details there, you know, you, if you download a PDF, it looks pixel perfect. It's searchable like the original. It's no different. If you get emailed a Word document, you know, you get all the text and formatting and graphics and stuff that's in it, everything that was in the original, but it's just different data. But you can't tell that. They look and feel the same.


CAROLE THERIAULT. And is it slower though? Is there like a delay?


UNKNOWN GUEST. Oh, well, no. I mean, that speed's the other thing, you know, which you would perhaps notice. But no, this is blisteringly fast, right?


CAROLE THERIAULT. Blisteringly fast.


UNKNOWN GUEST. I love that. If you're browsing the web, all this happens as you download data. There's no slowdown and there's no delay while, you know, you have half a dozen antivirus scanning engines check the data over. It just arrives. And if you sent an email, it just turns up immediately. There's no waiting 10 minutes while it sits in a sandbox being analyzed. And, and there's no prospect of it getting parked in a quarantine queue just because it smacks of some known malware. And then you have to wait ages for the administrators to work out that it's okay for you to have it. You know, your email just turns up and it's clean. And that's, you know, that's what's revolutionary, really. You know, that's fantastic.


CAROLE THERIAULT. You know, it is because I'm thinking from it from an IT person's perspective where they're overworked, under-resourced, the whole gamut. And this kind of takes that whole problem of their users opening something that they shouldn't or having the wrong settings or because if all the files come through this way, they're all clean. And then it just takes that whole worry away from them.


UNKNOWN GUEST. Well, yeah, the other beneficiaries, if you like, are the security operations team. Now, they're the ones who sit at the back looking after the antivirus defenses. And, you know, what they don't get now is an endless series of alerts where some malware's got past those outer defenses and now they've got to go and track it down. Or they don't have to spend time looking at that quarantine queue, you know, checking out the important files that have been wrongly blocked. And that, you know, that frees them up so they can focus on security issues other than malware, which are the ones that really need their skills and analytics, you know, like identity theft and insider attacks.


CAROLE THERIAULT. Yeah. So tell me a bit about like, like the organizations that are showing tons of interest. Like, it seems to me that any organization would benefit from this.


UNKNOWN GUEST. But yeah, well, I mean, ultimately, who on the planet wants to be a victim of a cyber attack, right? But threat removal is sort of meant for enterprises, and that's because it sits in the infrastructure, right? So it doesn't help the people at home unless, of course, it gets built into the services they use.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So you're talking to Google then, right?


UNKNOWN GUEST. Well, yeah, yeah, that'd be great. But just because it's like the ultimate defense against malware, it doesn't mean it's only for the super paranoid. You know, because it's fast and efficient, it's good for any organization that's fed up with their anti-malware defenses letting stuff in. Commercial organizations now are routinely targeted by cybercriminals, right? And these criminals are now tooled up with the kind of malware that hostile nation states use to attack defense systems. The really bad stuff is hitting ordinary organizations now.


GRAHAM CLULEY. Yeah.


UNKNOWN GUEST. These organizations, they're not super paranoid, but they're being hit by all sorts of things. Poisoned Word documents and booby-trapped spreadsheets, images with hidden extras that you'd rather not have, you know, the full works. And as they go through digital transformation, things are just going to get worse as they expose an ever larger attack surface, get more and more connected, and become more reliant on the systems that they use working properly all the time. And that, I think, is generating a real need for this guaranteed malware-free business information across all sorts of organizations. So it's the kind of enterprise who really doesn't want to fall victim to malware but has to connect to other people that they don't trust.


CAROLE THERIAULT. That's all of us really these days.


UNKNOWN GUEST. Well, yeah, I mean, but they really want to do it. And that includes, you know, defense, intelligence, other high-risk government systems for sure. But there's also parts of the critical infrastructure where malware could lead to really disastrous loss of service. So, you know, think about banking, for example. If the banking system was taken down, we're in a mess. But increasingly, we're winning over customers more in the sort of private sector who just understand that blocking 95% of known malware just doesn't cut it anymore. And I'm saying 95% here because that actually is the typical success rate of antivirus detection.


CAROLE THERIAULT. I think most people would say 99% is not good enough anymore.


UNKNOWN GUEST. Well, indeed. If you think about that, 99% actually means 1% gets through, right?


CAROLE THERIAULT. Yeah.


UNKNOWN GUEST. Which explains why your security teams spend all their time mopping up the mess. So some organizations want to think differently there. Threat removal is giving them a real alternative, you know, something that's just simply better, faster, cheaper. The other, the other thing you mentioned there was the cloud. Now, the cloud, the move to the cloud is really helping drive adoption of this because it lets customers add it in easily into their existing defenses. We've already got a service that lets developers build threat removal into their web applications and portals in the cloud, and we've just started delivering protection for web cloud gateways. So that's all pretty neat, but even better, actually, just around the corner, coming up soon, we've got a really neat solution for a cloud solution for email coming as well, which will be really, be really knocking people's socks off, I think.


CAROLE THERIAULT. Wow, brilliant. Okay, I know that loads of our listeners are going to try this out for themselves, and you guys can. All you need to do is visit deep-secure.com/smashingsecurity. So that's deepsecure with a hyphen dot com smashing security. And there you can learn loads of information about what threat removal is and even download a free trial of the tool. And that leaves me to say thank you, Dr. Simon Wiseman, CTO of Deep Secure. Really appreciate you coming on the show.


UNKNOWN GUEST. That was great. Thank you.


GRAHAM CLULEY. Oh, that's certainly an interesting approach to things, isn't it? Well, we've just about wrapped it up for this week. Dave, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


DAVE BITTNER. On Twitter, I am @Bittner. That's B-I-T-T-N-E-R. And everything else you can find over at thecyberwire.com.


GRAHAM CLULEY. Tremendous. And you can follow us on Twitter at Smashing Security, no G. Twitter must have a G. And we're also up on Reddit as well. Look for our subreddit up there. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Spotify, Google Podcasts, and Pocket Casts.


CAROLE THERIAULT. And thanks to this episode's sponsors, 1Password, KnowBe4, and Deep Secure, and to our wonderful Patreon community. It's thanks to all of them that this show is free. Now for episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 230 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye-bye.


DAVE BITTNER. Bye-bye.


CAROLE THERIAULT. Hey everybody, Carole Theriault here. We've got yet more fantastic reviews to share with you. Sent last week from BabaMall1980, they write, "I found this during lockdown. I've listened to them all now." Well done. "Just gutted. I've got to wait a whole week between episodes now." Off to sign up to Patreon as I can't believe this is free. Geez, you really wanted to make sure I'd read this out. Well, kudos, I did. We've also got one from 425Slam who says, discovered this great show during last year while working from home and commenced to binge. Fun and informative. I especially love Pick of the Week. Those picks led me down so many great rabbit holes. Thanks so much. You are welcome, 425SLAM. There was a few snafus with my audio this week. The regulars of you will know that. And it took a lot of work to edit to make it sound good. And so these reviews mean particularly a lot this week, especially when we're struggling. So huge thank you. Thank you to you all, and keep them coming. See you next week.

-- TRANSCRIPT ENDS --