
263: Problèmes de Weefeee, AI artists, and Web 3.0


Ooh la la! Horreur Wi-Fi en France! Some folks have experienced the drawbacks of Web 3.0 as their NFTs are stolen, and should computers own the copyright over the art they produce?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

And don't miss our featured interview with Sean Herbert of baramundi.

Visit https://www.smashingsecurity.com/263 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Mark Stockley and Sean Herbert.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. When he came back the next day, knock, knock, knock, knock, knock. Bonjour. Bonjour. Comment allez-vous? Oui, bien, gracias. Avez-vous un jammer de radio-française?


MARK STOCKLEY. Carole, if you could just fade that bit down and just provide a translation over the top like they do on the news.


ROBOT. Smashing Security, episode 263. Problèmes de Weefeee, AI artists, and Web 3.0, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 263. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we're joined by a special guest. He's returning to the show live from his chicken shed. It is Mark Stockley. Hello, Mark.


MARK STOCKLEY. I'm back.


CAROLE THERIAULT. Welcome back, Mark.


MARK STOCKLEY. Thanks.


CAROLE THERIAULT. So any chicken updates or?


MARK STOCKLEY. Well, we had a very interesting episode, uh, last week. Where I learned an entirely new noise that chickens make, which is, I have to say, quite a disturbing noise.


GRAHAM CLULEY. Is it the noise when you tread on a chicken? That's quite a disturbing one. Or the one where it falls inside a shredder? No, not those noises.


MARK STOCKLEY. Is there something you want to tell us, Graham?


GRAHAM CLULEY. I used to keep chickens, not any longer.


MARK STOCKLEY. Well, until the shredder incident.


GRAHAM CLULEY. Anyway, carry on, carry on.


MARK STOCKLEY. Well, it turns out all the chickens are okay, but I think it was the sound of a fox trying to pull a chicken through the wall of the chicken coop. And our little dog, bless it, like you have to imagine, like I'm running down the garden path.


GRAHAM CLULEY. You called your dog Bless It?


MARK STOCKLEY. Yeah, Brian.


GRAHAM CLULEY. Brian Bless It.


MARK STOCKLEY. Our little dog Daisy is the bravest dog in the world. The chickens are making all sorts of like just weird noises they've never made before, which is obviously just their way of saying, oh my God, there's a fox. Dog trying to pull us through the cage. And you've got to imagine I'm running down the path, I'm basically dressing myself as I run down the path barefoot, and this little dog just runs into the darkness barking its head off to go and fight off whatever the thing is that's causing the chickens problems. And whatever it is, like, the dog is tiny, so whatever it is is going to be 10 times bigger than the dog, and it just ran fearless at the problem. Aw, Daisy girl.


GRAHAM CLULEY. Aw.


MARK STOCKLEY. We don't deserve them. We just, we don't. Anyway, all the chickens are okay and the dog's okay.


CAROLE THERIAULT. And Daisy's a hero.


MARK STOCKLEY. And Daisy's a hero.


CAROLE THERIAULT. Maybe she needs some fillet steak for dinner or something.


GRAHAM CLULEY. That's a bit much.


MARK STOCKLEY. She didn't rescue them from a burning building.


CAROLE THERIAULT. Well, let's thank this week's sponsors, Kolide and baramundi. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what have you got?


GRAHAM CLULEY. I'm jamming, I'm jamming, I'm jamming, jamming, jamming, jamming.


CAROLE THERIAULT. Sorry. Okay.


MARK STOCKLEY. I'm not even going to ask.


CAROLE THERIAULT. Mark. Mark, what are you talking about?


MARK STOCKLEY. This is going to shock you, but mine is about some NFT shenanigans.


UNKNOWN. Oh God.


CAROLE THERIAULT. All right.


UNKNOWN. All right.


CAROLE THERIAULT. And I'm doing a bit of art, a bit of tech, and some copyright stuff. Plus, we have a featured interview with Sean Herbert of baramundi. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Maintenant, mes amis, mes amis. Come with me, allons-y, on a trip across the Channel to la belle France.


MARK STOCKLEY. Oh, we're going to France, sorry.


CAROLE THERIAULT. Brie, Camembert.


MARK STOCKLEY. I have literally no idea where we're going.


CAROLE THERIAULT. Où est la piscine?


GRAHAM CLULEY. Avez-vous familiarité with la belle France et le ANFR? Have you heard of the ANFR?


CAROLE THERIAULT. Yes, but I can't for the life of me remember what it stands for.


GRAHAM CLULEY. Oh, well, it is the French Agence Nationale des Fréquences. I'm sorry. The National Agency for Frequencies. They are the people in charge of radio frequencies across la belle France.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And earlier this month, it was reporté in the newspapers.


CAROLE THERIAULT. Are we doing this fake French the whole way through?


GRAHAM CLULEY. Yes, about—


CAROLE THERIAULT. I'm sorry, listeners. Trust me, it's harder for me than you.


MARK STOCKLEY. I was just thinking that.


GRAHAM CLULEY. It was reported about les incidents étrangers occurring in the French town of Messanges, which is in southwest France. So something odd was going on in Messanges, and the residents of Messanges, they were complaining. They were grumbling. Oh my goodness. They were moaning to their mobile phone operators all the time. They were saying, for goodness' sake, why do our mobile phone connections keep on disappearing? Why can't we get a signal? Why isn't even the Wi-Fi working?


CAROLE THERIAULT. So I understand why you were interested in this story, Graham, with all your connectivity issues.


GRAHAM CLULEY. Well, that's right. As listeners found out last week, I've had lots of connectivity issues over the last 18 months or so. All kinds of problems, at different times of day, recording the podcast. You know, when kids come out of school and they go on their video consoles or their smartphones, my internet disappeared. And I've now had to get satellite links, you know, via Starlink.


CAROLE THERIAULT. It's been all smooth sailing since then, actually, hasn't it?


GRAHAM CLULEY. Yeah, it has been, hasn't it? Anyway, so people were claiming, oh, my wifi, it's been cut off. Every night between midnight and 3 AM.


CAROLE THERIAULT. Interesting.


GRAHAM CLULEY. Quelle étrange. Très peculiar.


MARK STOCKLEY. Very precise.


GRAHAM CLULEY. Yes, isn't it? How peculiar. What's it? So the mobile phone operator, they said, "There's nothing wrong at our end. There's no problem at all." Which I have to say was the response I was getting from Vodafone on the many times when I made contact with them.


MARK STOCKLEY. I don't think you're alone.


CAROLE THERIAULT. Yeah, I can imagine anything you complain about to any authorities, like, "Nope." We don't see that. Good luck.


GRAHAM CLULEY. Not our problem.


CAROLE THERIAULT. Yeah.


MARK STOCKLEY. Well, I think it's even bigger than that, isn't it? Any form of technology problem at all. I mean, if you've ever worked in a company with an IT department, you will know that the front desk of the IT department's job is basically to find out why your problem isn't their problem.


CAROLE THERIAULT. That's right.


MARK STOCKLEY. It's not to solve your problem. It's just to point out that actually that exists elsewhere.


GRAHAM CLULEY. My mobile phone operator, they were basically saying, have you tried turning the printer off and on again? For my mobile phone connection.


CAROLE THERIAULT. And then you're like, do you know who I am? Do you? Do you?


GRAHAM CLULEY. And they'd only speak to me online, which was a challenge as well, because I couldn't get online to complain about the lack of— Anyway, those days are past.


MARK STOCKLEY. It's not about you, Graham.


GRAHAM CLULEY. No, hopefully now Elon Musk has fixed everything. Anyway, so the mobile phone operator, they saw no problems. And so these aggrieved residents of Messanges in southwest France, they called in the big guns. They called in the ANFR, the French Agence Nationale des Fréquences.


CAROLE THERIAULT. So they went national and said, look, our local guys are not playing fair.


GRAHAM CLULEY. Yeah, we need to get this looked into. And so a member of the ANFR— so just like you have TV detector vans or—


MARK STOCKLEY. Do you though?


GRAHAM CLULEY. Well, no, actually, that's a whole different story I could tell you. So for the last 18 months, I've been getting letters from the TV licensing people telling me, "You don't have a TV licence. Our van is definitely coming round."


MARK STOCKLEY. We definitely have detector vans that can definitely detect passive receiving devices. This is definitely a thing that exists.


GRAHAM CLULEY. Well, I bought my TV licence the day I moved into this property, and somewhere on their database, they have not entered my address properly. And so they send me letters constantly saying, you don't have a TV licence. It's like, I do. I do. I want them to show up.


CAROLE THERIAULT. No, no, you don't. You don't. I was just going to say, I've read about this. You do not want to allow them into your house, apparently.


MARK STOCKLEY. They're not fire ants. Like, what happens if they come in your house?


CAROLE THERIAULT. I don't know. I can't remember that bit of the article. All I know is they apparently doorstop you and will try and come in and use many, many different techniques to try and enter the premises to do their checks.


GRAHAM CLULEY. Well, Carole, I have a TV licence. I want to show it to them.


CAROLE THERIAULT. That's fine. Okay, you can bring it to the door.


GRAHAM CLULEY. No, but— well, all right. Okay, maybe I do that. But the thing is that every time I try and call them up or contact them electronically, ironically, to say, "I do have a TV licence," I can't get through to a human to explain I do have one. So I want them to come round, because then they will stop sending me letters. Yeah, okay.


CAROLE THERIAULT. Just breathe. Breathe.


MARK STOCKLEY. So if you're listening to this and you work for TV licensing—


CAROLE THERIAULT. Graham, I'm really thinking you need to calm down just a bit.


GRAHAM CLULEY. Okay. Anyway, the ANFR, they do have a little van, unlike the TV licensing people. And they went out to try and investigate this mobile connection.


CAROLE THERIAULT. Basically, do we have a signal between 12 and 3 o'clock as we drive around the area? It's not high.


GRAHAM CLULEY. Yeah. So the guy was driving around, he's thinking, oh, he's thinking there's nothing wrong. It is all fine here until the stroke of minuit, midnight, when his analyser spectrum, his spectrum analyser, it showed.


MARK STOCKLEY. Thank you for translating it. I was getting a bit lost there.


GRAHAM CLULEY. It showed the telltale signs of interference. Now, this investigator, he knew his onions, and he recognized—


MARK STOCKLEY. That's a bit racist.


GRAHAM CLULEY. That a prohibited—


MARK STOCKLEY. Fine up till now, but that bit.


CAROLE THERIAULT. Fuck, Graham.


GRAHAM CLULEY. A prohibited wave jammer was being deployed. Right?


MARK STOCKLEY. A wave jammer.


GRAHAM CLULEY. A wave jammer. And it was knocking out all mobile phone frequency bands in the town. And he thought, 'Quelle horreur,' he thought. 'What on earth is going on here?' So, can you locate the jammer?


CAROLE THERIAULT. Oh! Okay.


GRAHAM CLULEY. You can if you work for the Agence Nationale des Fréquences, and you have one of his vans. Because his van has a radio detection finder on the roof. Oh my God.


MARK STOCKLEY. Presumably they would need two vans.


CAROLE THERIAULT. What, to triangulate, you mean?


GRAHAM CLULEY. Maybe they have two aerials on the top or something. I'm not sure. But anyway, he obviously—


CAROLE THERIAULT. Very tight triangle.


GRAHAM CLULEY. Anyway, he wanted—


CAROLE THERIAULT. That's aigu, aigu, Graham. Triangle aigu.


GRAHAM CLULEY. He wanted to know where the jammer was, who was running it. So he tootled around, and he attempted to locate the source of the disturbance. Maybe it became stronger as he, you know, hotter, colder, you know, maybe, anyway. He had a little time on his hands.


CAROLE THERIAULT. I think it's like a submarine where you'd have that screen inside your van with a little dot, and it's going, doot, doot, doot, and you're getting closer and closer and closer and closer. Mon Dieu.


GRAHAM CLULEY. Okay. Eventually, eventually he arrived at a solitary house in a neighbouring town by the coast where he could tell the jamming signal was definitely coming from. But by this point it was 1:30 in the morning. He couldn't go barging into the house. He had to return in the morning with a member of the gendarmerie to assist him, right? You can't just go clouting in and saying, what on earth's going on?


CAROLE THERIAULT. Exactly, TV licence people.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. I would love it if the police came round. I would show them.


CAROLE THERIAULT. Call the police.


GRAHAM CLULEY. I would say, arrest these TV licensing people for wasting my time and sending me so many letters when I do have a licence. Anyway.


CAROLE THERIAULT. Yeah.


MARK STOCKLEY. It's very cute that you think that's a person.


CAROLE THERIAULT. Yeah, I know.


MARK STOCKLEY. And not some two-line Java programme. Sorry, there are no two-line Java— some 200-line Java programme.


GRAHAM CLULEY. When he came back the next day, knock, knock, knock, knock, knock. Bonjour. Bonjour. Comment allez-vous? Oui, bien, gracias. Avez-vous un jammer de radio-française?


MARK STOCKLEY. Carole, if you could just fade that bit down and just provide a translation over the top like they do on the news.


GRAHAM CLULEY. Anyway, he asks him, do you have a jammer de radio-française? And this man says, oui, I do. He says, yes, I do have a jammer, a radio jammer.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. He admitted he had a multiband jammer, which can neutralize both mobile telephone and Wi-Fi signals. So you might be asking yourself, why was he running it each day?


CAROLE THERIAULT. Can we guess? Can we guess? Of course, you can. Was he worried about the Wi-Fi frequencies affecting his health? So he was blocking them from coming into his—


GRAHAM CLULEY. So he's blocking them with a much stronger signal.


CAROLE THERIAULT. With another much stronger thing. Let's not point out the irony of that, but—


MARK STOCKLEY. But it's going the other way.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. No, that wasn't what he was doing.


MARK STOCKLEY. Had he recently had his COVID booster? And he was concerned about the effects of 5G mind control.


CAROLE THERIAULT. From the lizard people.


MARK STOCKLEY. From the lizard people.


GRAHAM CLULEY. No, the reality is rather more mundane. He was fed up with his teenage kids. Not just fed up with teenage kids generally, although that would be understandable. He was fed up with his kids using their smartphones rather than sleeping at night. And so he had acquired a jammer to completely knock out all mobile phone signal.


CAROLE THERIAULT. Is this man ridiculous? He's the father. Just take the phones away. Just take the phones away.


GRAHAM CLULEY. Do you realise how scary teenagers are, girl? They are petrifying. They're hairy.


CAROLE THERIAULT. For God's sake.


GRAHAM CLULEY. They smell. It's bad. His kids have become addicted to social networks, he said, and other apps, in particular since they were all locked down because of COVID. And so he went on the internet to find out how he could jam the signal.


MARK STOCKLEY. Right, there's your problem.


CAROLE THERIAULT. Did he not realise the radius of jamming might impact everyone around him?


GRAHAM CLULEY. Well, it turned out it was a bit stronger than he'd intended. And so it hadn't just knocked it out in his house, but also the rest of his village and the neighbouring town as well. And he now faces a fine of up to €30,000 and 6 months in jail as a consequence because—


CAROLE THERIAULT. I hope he doesn't go to jail. I mean, I don't mind him being slapped on the wrist, kind of going, don't do this. And, you know, to warn others.


GRAHAM CLULEY. He won't have to worry about his kids anymore, will he, if he's in there?


CAROLE THERIAULT. Why are these industrial-sized jammers available on Amazon.fr?


GRAHAM CLULEY. Wherever he bought it. I think they are prohibited to own unless you have, maybe, a licence or something. Maybe you're going to use it in some sort of approved way. So I think just owning one can actually give you a penalty. But obviously he knocked out— and there's a serious problem, because if you knock out the radio signals, if there were low-flying aircraft, for instance, it can apparently interfere with them and all kinds of things, by just blasting out this really strong radio signal to drown out everything else.


CAROLE THERIAULT. Yeah, he needs to go to parenting classes, I think.


MARK STOCKLEY. I feel like if his children are teenagers, then—


GRAHAM CLULEY. It's too late.


MARK STOCKLEY. The damage may already have been done. I love the irony of, you know, he was doing this to protect his children from the evils of the internet.


CAROLE THERIAULT. Yeah.


MARK STOCKLEY. And in order to protect them from the evils of the internet, he went to the internet and bought something he would have no chance of buying in the local shop.


CAROLE THERIAULT. Yeah.


MARK STOCKLEY. Like if he goes to his hypermarket.


CAROLE THERIAULT. That's true.


MARK STOCKLEY. You know, live tracks.


CAROLE THERIAULT. Hypermarché is the play.


MARK STOCKLEY. Carrefour.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. Giant radio frequency jammer. Not gonna find one.


GRAHAM CLULEY. Mark, what do you have for us this week?


MARK STOCKLEY. Well, I am going to delve into the murky world of NFTs once more.


CAROLE THERIAULT. Oh, good. Yuck. Yeah.


MARK STOCKLEY. I was doing this one for you, Carole Theriault. Yeah. I'm gonna talk about Web3. 'Cause Web3 is grating on me at the moment. Have you heard of Web3?


CAROLE THERIAULT. Yes.


MARK STOCKLEY. I have.


GRAHAM CLULEY. What is Web3?


MARK STOCKLEY. So Web2 is the era we're in now. Okay.


GRAHAM CLULEY. Right.


MARK STOCKLEY. So Web2, Web 2.0, as it was called back in sort of 2000, is all about consolidation of the internet around giant centralised services. Okay. So think Facebook, Amazon, things like that. Okay. So that's Web2, and it exists, broadly speaking, because people don't want to run their own stuff. So everything is kind of centralized around Amazon Web Services and, you know, Facebook owns social media. Anyway, so that's Web2. We're going to talk about Web3. I'm going to start my story with something that I think will tickle you, Graham, because I have noticed that there's nothing that you love more than a chuckle about an amusing name. So I'm going to start my story with one of the best names in information security. Mr. Moxie Marlinspike.


GRAHAM CLULEY. Oh yes. Moxie, yes.


CAROLE THERIAULT. Nice. Beautiful.


MARK STOCKLEY. Not his real name.


CAROLE THERIAULT. Oh, surprise.


MARK STOCKLEY. Anyway, Moxie's quite famous. So he's the inventor of SSL stripping, which is not a form of entertainment. It's a type of attack.


GRAHAM CLULEY. And he was the chap behind Signal, wasn't he?


MARK STOCKLEY. He was. He's the creator and CEO of Signal, which is a secure messaging app that probably you guys all use. I use. No doubt lots of listeners use. He's also the former head of security at Twitter. So basically he's a man whose opinions about security and cryptography are worth listening to. And on the 7th of January, he published an article that sort of beautifully exposed some of the nonsense that people say about Web3 called My First Impressions of Web3. And because he's a very clever chap, he didn't just go and read about Web3. He actually built some stuff. So he built some distributed apps and he made an NFT in order to learn about it, to sort of form an opinion. And then his opinion is written in this, in this article.


CAROLE THERIAULT. Okay.


MARK STOCKLEY. So anyway, so Web 2 is all about this consolidation. It's all about big platforms, and, and Web 3 is not that. So Web 3 is all about decentralization, okay? Because people don't trust companies like Facebook, Google, or Amazon and that sort of thing with their stuff. It's Web 3. It's all built on blockchains, which are distributed, and so it's resilient and immutable and free from those large players that get to dictate the game.


CAROLE THERIAULT. Yeah, the information hoovers.


MARK STOCKLEY. That's the theory, okay? But Marlinspike's article says in fact it really isn't like that at all. Hmm, shock horror. So the paper's well worth a read, but the main argument goes something like this, okay? So things that are decentralized evolve very slowly, because you have to get everybody to do the same thing. You have to convince every individual they want to do the same thing. And things that are centralized evolve very, very quickly. And if you want to win in technology, then you have to move quickly. And that is why people spend millions and millions of dollars on things like agile development and DevOps and DevSecOps and stuff like that. And you may have noticed that Web3 is actually evolving very quickly.


GRAHAM CLULEY. Hmm.


MARK STOCKLEY. Because I mean, who had heard of NFTs 6 months ago, right?


GRAHAM CLULEY. Ah, lovely days.


MARK STOCKLEY. So even though it's decentralized, Web3 is evolving very quickly. So how is it doing this?


CAROLE THERIAULT. By using Web2? Yes. Oh, oh, gorgeous.


MARK STOCKLEY. The answer is, although Web3 is decentralised under the surface—


CAROLE THERIAULT. in order to compete—


MARK STOCKLEY. the things you actually interact with, like the websites and the apps, are very, very Web2 indeed. And in fact, there's a layer of things underneath those websites and apps, which is also very, very Web2, in fact. And those are the things that are evolving.


CAROLE THERIAULT. Wow.


MARK STOCKLEY. So this supposedly decentralized Web3 ecosystem is basically just a Web2 ecosystem with a really, really, really slow and inefficient database buried far beneath the surface.


CAROLE THERIAULT. Hmm. So it's almost like they're repackaging Web2 in a way to make it sound cutting edge and to give people a sense of better privacy or security?


MARK STOCKLEY. Yes, it is. But I don't know that there's any malice in it. I don't know that it's— I think what he's saying is that things naturally centralize in order to move quickly.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Which makes— I've never thought about that before.


GRAHAM CLULEY. It's easier.


MARK STOCKLEY. Well, the example he gives in the paper is if you compare email, which has been around for almost 50 years, email still doesn't have end-to-end encryption.


CAROLE THERIAULT. No.


MARK STOCKLEY. Okay. But WhatsApp, which has been around for 6 minutes, does have end-to-end encryption. Like it went from not having end-to-end encryption to having end-to-end encryption because all that needed to happen is that WhatsApp needed to decide that that was a thing. Whereas with email, every SMTP server in the world and every email client in the world all had to adopt the same form of encryption, which is why it's really hard.


GRAHAM CLULEY. Okay. So there are lots of people talking about Web3 and what they may not be talking about is the fact that its foundations are actually Web2 and it's very reliant on the old centralized—


MARK STOCKLEY. Well, it's the other way. So its foundations are Web3. So where the data is stored is Web3.


GRAHAM CLULEY. Yes.


MARK STOCKLEY. Okay. But, but the sort of Web3-ness is being kind of robbed and abstracted by the Web2-ness that's on top. So I'll give you an example. According to Marlinspike, almost all distributed apps, which are sort of Web3 apps, actually interact with the blockchain, the distributed bit, by using just one of two services called Infura and Alchemy. So they're these giant central points of failure, but also fantastic places to track people if you want to, and also quite useful places to attack if you wanted to. So the whole sort of resilience from being distributed doesn't exist if you just channel everything through one gatekeeper. Similarly, the Web3 poster child, you've probably heard of non-fungible tokens.


GRAHAM CLULEY. NFTs.


MARK STOCKLEY. Is massively reliant on one website called OpenSea.


CAROLE THERIAULT. Mm-hmm.


MARK STOCKLEY. So OpenSea is like the eBay of NFTs. You go there to create and sell and trade your NFTs, and it is so important in fact that it's actually valued at $13 billion. Okay. It's just ridiculous. But I just want to dwell for a second on the fact that the decentralized Web3, in its nascent decentralized ecosystem, has a property worth $13 billion.


GRAHAM CLULEY. Oh my goodness.


MARK STOCKLEY. Like, how decentralized is that? So they're trying to avoid these giant Facebook and Amazon-like platforms, and they've got a platform that's worth $13 billion.


CAROLE THERIAULT. Well, not worth.


MARK STOCKLEY. Look, someone will pay $13 billion.


UNKNOWN. Will they?


MARK STOCKLEY. Will they? Yes, Facebook will.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. OpenSea just got to rename themselves like OpenMetaSea or something, and then Facebook will buy them. Anyway, not only is everything NFT-related, almost everything NFT-related flowing through OpenSea, but OpenSea is even filling in some of the missing functionality that doesn't exist in the slow-moving Web3 bit. So some of the functionality around things like paying royalties. Basically, some of the functionality that you think you're getting from the Web3 bit, you're actually getting from OpenSea, which means that your NFT is completely tied to the existence of OpenSea.


UNKNOWN. Yeah.


MARK STOCKLEY. And OpenSea is also the home of an NFT that I created the last time I was on this show.


CAROLE THERIAULT. We're so pleased.


MARK STOCKLEY. Called Graham or Carole.


CAROLE THERIAULT. Tell me it sold for millions.


MARK STOCKLEY. I have some bad news, I'm afraid.


CAROLE THERIAULT. Oh.


MARK STOCKLEY. So on Saturday, 19th of February, attackers stole 254 NFTs from OpenSea. Worth a cool $1.7 million.


CAROLE THERIAULT. Estimated, estimated. I think we should use these words here.


MARK STOCKLEY. Yeah, yeah. It's something between zero and $1.7 million.


CAROLE THERIAULT. Yeah.


MARK STOCKLEY. Sadly, oh, it pains me to say that the Graham or Carole NFT, oh no, was not one of them.


GRAHAM CLULEY. Oh, damn.


MARK STOCKLEY. I still own that. If you want to buy it, it's still there. Yes.


CAROLE THERIAULT. Run, run, don't walk, people, run.


MARK STOCKLEY. If you want to steal it, actually, just like go ahead. Anyway, the fog on the attack is clearing now. In the beginning, nobody really, nobody seemed to know what happened. And in fact, because this is the upside-down world of NFTs, nobody can even agree if what happened was actually theft. In the beginning, so in the beginning, the rumor mill was like, it was insistent that the attacker had exploited a vulnerability in a new type of smart contract. That OpenSea was asking everyone to upgrade to.


GRAHAM CLULEY. Right.


MARK STOCKLEY. So the day before, on the 18th, the site had given everyone a week to upgrade their NFTs from version 2.2 of the Wyvern protocol to version 2.3 of the Wyvern protocol. Because, because we're in that sort of weird Web3, Web2, neither one nor the other space, they couldn't just upgrade everyone. They want everyone to upgrade, but they couldn't just upgrade everyone by pressing a button. And they had to get everyone to agree to upgrade their NFTs. Um, but, but, but because, but because it's their kind of Web 2, they, they, it's like, okay, you have to upgrade your NFTs because it's distributed. But if you don't upgrade your NFTs, you can't be on our website because we're the 800-pound gorilla and we get to decide what's going on.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. Well, Web 3 is really wonderful, isn't it?


CAROLE THERIAULT. No, but come on, come on. I think anytime you go through a technological change, there is a period of unrest. Right? And like, what the hell is going on? I'm not really surprised by that.


GRAHAM CLULEY. Yes, but there are lots of online services where you don't have to, you know, if this is— someone else could have just pulled a lever and it could have happened automatically.


CAROLE THERIAULT. I agree. I agree. But I think this is an interesting dilemma, like the idea that people want distribution, people kind of consider distribution a way of preserving their privacy. And we've been spoonfed that for, I don't know, 5 years at least, you know, strongly. And at the same time, we're saying, yeah, but centralized is way faster.


MARK STOCKLEY. But I think actually what the money is saying is that people don't care about being distributed.


GRAHAM CLULEY. Yeah. So Mark, the initial reports, a lot of them said that OpenSea had been hacked or something.


UNKNOWN. Yes, that's right.


GRAHAM CLULEY. But it turned out that wasn't the case.


MARK STOCKLEY. That's correct. So OpenSea say there wasn't a vulnerability in the new protocol. It says all the victims were phished, which is very Web 2.0. So according to an analysis of the attack about a month ago, an attacker created a smart contract which was designed to steal other people's NFTs, and then they sent phishing emails with links to fake websites that told those users to sign a message that would help them to migrate to the new type of smart contract. So I guess OpenSea must have trailed the fact that they were going to do this. But in actual fact, what those people were signing, uh, was a private sale of their NFTs to the attacker. So they were effectively signing like a Web3 blank check. People who send phishing emails these days, they're pretty good at fooling people. And I'm not at all surprised that people fell for this, cuz as you say, it's all brand new technology.


GRAHAM CLULEY. Mm-hmm.


MARK STOCKLEY. So, but so basically what these people were signing was a blank check, which would allow the attacker to fill in the details of what was actually being sold and how much it was being sold for later on. Wow. So when OpenSea announced on their blog that users had a week to upgrade, the attacker executed the smart contract and that transferred ownership of all the victims' NFTs. Without payment.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. And it pulled in about, as we said, between $0 and $1.7 million worth of NFTs depending on your valuation.


CAROLE THERIAULT. Yes.


MARK STOCKLEY. Some of the NFTs were from famous collections like the Bored Ape Yacht Club, which we spoke about last time. And the more expensive ones sold on very quickly. So some people are saying like, well, why didn't they sort of try to, like, you know, freeze the wallets that were involved and stuff. And as you will recall from our last conversation, stuff on OpenSea, like, it can all be listed automatically by bots and it gets sold if somebody— you know, there are bots looking for bargains, and if they think they find one, it'll just get bought. So the expensive NFTs are gone. At first it was thought that there were 32 victims, there were 32 people who interacted with it. There were actually 17 victims, so there weren't many people who were affected by this. But you know, um, there's 254 NFTs. The most interesting thing about it though, for me, was the range of responses that you see. So OpenSea itself and other sort of responsible players were very concerned with the affected users. You know, are they okay? Because whatever you think of NFTs, those people have lost a lot of money. Not everybody was that kind. Um, within the sort of Web3 culture, there's this idea that code is law, meaning that if the code allows a thing to happen, then that's perfectly okay. And so if you're dumb enough to click, yes, I'm going to sign this blank check, then, you know, essentially all the people who are attacked gave the attacker permission to steal their NFTs, in which case was it—


GRAHAM CLULEY. and the transaction presumably is now recorded on the blockchain.


MARK STOCKLEY. Yes, it is now immutable, cannot be erased, although it can be because, you know, what happens in these situations is that people are all for decentralization until there's a problem, and then they realize there's no one they can complain to. And then there's a lot of, I want to talk to the manager. And suddenly the idea of a central authority becomes very, very attractive.


GRAHAM CLULEY. So Mark, are people going to be able to get their pointless NFTs back? No.


MARK STOCKLEY. Well, I mean, obviously they can just sort of screenshot them.


GRAHAM CLULEY. Yeah. Because they didn't really ever own them anyway, did they? They didn't.


MARK STOCKLEY. That's a whole other thing. But I think the TL;DR is no, no, they didn't.


GRAHAM CLULEY. Well, what a great advert for NFTs this whole OpenSea phishing attack has been. Marvellous. Carole, what have you got for us this week?


CAROLE THERIAULT. Well, we are heading into art land. Now, in the document, I have put two images for you to look at. So one, we have like a largely cloudy dawn or dusky sky in front of like a bit of land. And then the other one, we have like a sun-dappled train track covered with, I don't know, wisteria, vines, I don't know, stuff. Mm-hmm. Mm-hmm. So any thoughts on these?


GRAHAM CLULEY. I think I recognize the artist on the first one. Do you? I can, I, yes, I just know her style. I think it could be carole.wtf who did that one. Would that be right?


CAROLE THERIAULT. Yeah, so one of them is mine and the other one?


GRAHAM CLULEY. The other one? You want me to identify who did this other one?


CAROLE THERIAULT. No, no, no. I just— do you have any views on it? Do you like it?


GRAHAM CLULEY. Well, it's obviously not as good as yours, Carole. Well, thanks very much, but— No, it seems very competent.


CAROLE THERIAULT. Do you think you could do it?


GRAHAM CLULEY. No, no, no. I definitely couldn't do that.


CAROLE THERIAULT. Mark could probably do it, though.


MARK STOCKLEY. Mark's an artist. Oh, hang on. I'm just— I'm looking now. I'm looking now. The first one's really good. I love the first one with the big moody sky.


CAROLE THERIAULT. Well, good, because it's probably going in my art show in May, which I'm now signed up to do. So good.


MARK STOCKLEY. I like you like that one. The second one looks like one of those Magic Eye puzzles.


GRAHAM CLULEY. It does a bit.


MARK STOCKLEY. Which I have never, ever, ever been able to do. Or I've just stared at these things for hours without—


CAROLE THERIAULT. Maybe there's a different meaning in this picture than I actually have seen.


GRAHAM CLULEY. There is something with the colours and yeah, there is something a bit Magic Eye about it.


CAROLE THERIAULT. Well, the thing is, is when an artist creates a work, you are basically recognized as the copyright holder. The copyright is recognized as belonging to the creator. And according to arty.net, they shorten the legalese in the US to copyrights gives artists who have created fixed tangible works a bundle of rights. The rights provide the artistic protection and ensure the artist can profit from what they've made. So for example, with a painting I did, I could create copies or create prints, postcards, whatever, and make them available to people for profit.


MARK STOCKLEY. NFTs. You're thinking of NFTs. Yes, I could do stupid NFTs.


CAROLE THERIAULT. I could make prints. I can display it publicly. But if you bought the painting from me, you would only get copyright if I transferred it and intended to transfer it to you. So if you bought it, that would not mean that you'd have permission to take pictures of the piece, make postcards of it, and sell my piece to anybody. Right. Okay? So the painting of the train tracks is having trouble establishing copyright. And the problem is weird because we know who the creator is. We know that the image is an original. We know that it exists. It's not just an idea or a thought, you know, an idea to do something in the future. And the problem is because the creator is not human.


MARK STOCKLEY. It's an AI. Crow, you're not an AI.


GRAHAM CLULEY. Don't be ridiculous. You're just an eye.


CAROLE THERIAULT. Just an eye.


GRAHAM CLULEY. No, I think just an A actually.


CAROLE THERIAULT. Do you mean asshole? No. Just, I don't know what's going on, Clue. Do we need to take this offline?


MARK STOCKLEY. I thought when actually, when you were saying it was created by dot dot dot, I thought you were going to say alien. And I was quite excited for about half a second there.


CAROLE THERIAULT. You know that maybe it is kind of like an alien. Let me just recap this backstory. Back in 2018, Stephen Thaler filed an application to register a copyright claim in this work, the work that I showed you, the train tracks. Yeah. And the author of the work was identified as the AI algorithm Creativity Machine. That's the name of the AI algorithm. And Thaler listed himself as the claimant alongside a transfer statement of ownership of the machine. And the reason he wants to do this is for this concept of work for hire. So you do work for a company, you make original work, and then the company owns that because effectively in your contract you're saying, yeah, you can profit from my work as an organization. Yeah. Yeah. So effectively that's what Thaler was trying to get. He wanted to be able to, I guess, sell images of this wonderful painting or make money off it. In his application, Thaler left a note for the office stating that the work was autonomously created by a computer algorithm running on a machine, and he was seeking to register this computer-generated work as a work for hire for the owner of the Creativity Machine. Okay, so that all makes sense. In 2019, a year later, the Copyright Office registration specialist refused to register the claim, finding that it lacks the human authorship necessary to support a copyright claim. Okay. Now, we've kind of talked about this. You might remember that Banksy got himself into a similar pickle. So he has images that a greeting card company basically took and started making cards to sell. And he was like, hey, those are mine. And they're like, well, who are you, Banksy? You need to register yourself. We need to know who you are to prove that you own the copyright. But because he was, I don't know, this kind of anonymous character, he wouldn't come forward and claim the works. Therefore, they were just operating in this weird bubble because they were saying, Banksy, you can't go and complain about this by using the laws that you've complained about not to register any of your stuff.


GRAHAM CLULEY. On the subject, Banksy, he does drawings on the sides of walls of buildings and things like that, right?


MARK STOCKLEY. Which I believe he asks permission first before he does that. It's very important to respect other people's rights. If—


CAROLE THERIAULT. I don't think many people would complain though, if they— Oh, I would. Would you?


MARK STOCKLEY. I would. You're massively overrated. Yeah, just, I don't get it at all.


CAROLE THERIAULT. Still though, it'd be worth a pretty penny.


MARK STOCKLEY. Yeah, I mean, obviously, you know, he can come and just staple a million dollars to my wall if he likes. Exactly. Yeah.


GRAHAM CLULEY. If I came by, if I ran a greeting cards company and I took a nice artistic photograph of his art on my wall. So it's my photograph. Yeah. Can I then put that on my greeting cards?


CAROLE THERIAULT. I think it would probably— you could probably argue if the photograph included your living room to— you know what I mean? What if I put—


GRAHAM CLULEY. if my cat was in front of it? If my cat was in the picture as well? So it's not just his art.


CAROLE THERIAULT. Well, I hope your cat doesn't actually take a selfie of the art, because that too is a problem, because they're not a human. We had a macaque who, a nature photographer said, grabbed his camera and took his own selfie. And then he was trying to make money off this picture. And PETA went after him saying, how dare you? You have infringed the monkey's copyright by releasing The Wildlife Personalities, the self-published book of photography that included the famous monkey selfie.


MARK STOCKLEY. That does sound like a very important use of PETA's time. Doesn't it?


CAROLE THERIAULT. I agree with that. Okay, so let's get back to AI creating work. So effectively, Stephen Thaler went back twice to try and get this application or this copyright ruling amended. And he's not been successful. So a few days ago, he was told for the third time, no, you can't do this, because they concluded that the work lacked the required human authorship necessary to sustain a claim in the copyright. 'cause he provided no evidence or sufficient creative input or intervention by a human author in the work. So basically they're saying there's no human.


MARK STOCKLEY. Well, has he explained anywhere why he didn't just put his own name on the copyright claim?


CAROLE THERIAULT. Yeah. Yeah, you could. I think I would've just refiled, right? And said, actually, I created the AI.


MARK STOCKLEY. How many times do they have to tell you this has to have a human on it before you go, hmm, I'm a human.


GRAHAM CLULEY. Is it ordinary for an artist to have to prove that they humanly created a work of art? Because where's the evidence that Da Vinci or someone else like that— he might have just used a printer out or something.


CAROLE THERIAULT. Yeah, probably used a printer. Yeah, yeah, I know. Yeah, those Canons have been around a while.


GRAHAM CLULEY. And, well, you know, it's just, you know, used an Instagram filter or something. It's not that good anyway, the Mona Lisa.


CAROLE THERIAULT. She doesn't have eyebrows. Okay, so they lack personhood. Actually, to your point, Mark, I think he wants to be the first to try and break this copyright rule for human only. Right. I mean, I'm sure that's what's driving him rather than owning the actual copyright.


MARK STOCKLEY. Yeah. So he wants to make sure that this computer program gets its fair dues. The money that's due to this computer program should go to this computer program. And then as soon as it develops the ability to understand money and use it, it can do something with the money it's earned. I've got a question for you. If I make a pencil and then you draw a picture with the pencil, can I claim that the pencil is the originator of the artwork? Well, yeah.


CAROLE THERIAULT. Or the brush.


MARK STOCKLEY. Or yeah. Yeah. Yeah. Or Photoshop.


CAROLE THERIAULT. Yeah. Or yeah. Procreate.


MARK STOCKLEY. Well, I want to know who wrote the program. Yeah. Because to me, the program is like a really, really good pencil. Like, I mean, it's not—


GRAHAM CLULEY. well, okay. Maybe Adobe own everything. Yeah. What's all going on in there?


MARK STOCKLEY. I feel like there needs to be some sort of barrier to entry, like a literal barrier to entry, where you say, if a computer program can get past this barrier, like if it can walk itself, well, that would be one. I don't know. I was thinking more like if it could get itself to the courthouse. And argue its case.


CAROLE THERIAULT. Well, that's not that— I mean, all he needs is a few wheels. What if— can I push them in a wheelchair?


MARK STOCKLEY. You see? Well, I suppose, but like, at some point it has to be able to engage the services of a lawyer. Yeah.


CAROLE THERIAULT. Graham just not playing. Okay, so there you go. AI, AI.


GRAHAM CLULEY. I'm just conscious of time.


CAROLE THERIAULT. Well, you know, sorry, I talked for 10 minutes.


GRAHAM CLULEY. No, I'm not blaming you. I'm just thinking we need to—


CAROLE THERIAULT. No, no, it's always my story. This is why I go, maybe we should swap places, Graham. You can go last and I will go first. I think that's a great idea.


MARK STOCKLEY. Maybe that's the way to do it.


CAROLE THERIAULT. Baramundi offer unified endpoint management from a single platform. Think of it as an all-in-one solution, consolidated endpoint management, under a single interface. For example, with baramundi JOBS, you can control and monitor all tasks in the management suite, including software deployment, automation, and operating system installation. baramundi also offer vulnerability detection and patch management, so you're ready to deploy updates and patches for Microsoft and third-party applications. And you can centrally manage any number of devices, no matter where they're located. And that means you can distribute all the necessary updates to smartphones, tablets, notebooks. Excited to check it out? Well, we don't blame you. Our pals at baramundi are offering Smashing Security listeners a 30-day full version free trial. Check it out at baramundi.com/smashing. That's baramundi.com/smashing.


GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Smashingsecurity.com/kolide.


UNKNOWN. And thanks to Kolide for supporting the show.


GRAHAM CLULEY. And welcome back and enjoy our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


MARK STOCKLEY. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is a little bit sort of security related. I switched on Netflix and I found a documentary, a lovely documentary about a beautiful romance of how a Norwegian woman working in London finds a guy on Tinder and she thinks, oh, I like the look of him. So she swipes right, I think is the direction and it turns out that he is Simon Leviev, who is a wealthy jet-setting son of a billionaire diamond dealer. It's like, oh, too good to be true. But she meets him for a lunch date at a posh London hotel, and he's romantic, he's funny, he's charming, he's very, very rich. And later that day, she jumps into his chauffeur-driven Rolls-Royce and is whisked off in his private jet to Bulgaria. And it sounds like a beautiful romance. But it's not actually a beautiful romance because things take something of a turn for the worse in this Netflix documentary, which is called The Tinder Swindler. And I was watching it agog. My jaw was down on the floor going, oh my goodness. Why didn't I think of that? This is too much. Have either of you seen this? No. No. Well, apparently it's quite popular on Netflix at the moment. I would recommend it, particularly if you're interested.


CAROLE THERIAULT. The Tindler Swindler.


GRAHAM CLULEY. No, not the Tiddlers. The Tiddlers. Wouldn't it be great if Tinder was called Tiddler?


CAROLE THERIAULT. Has Tindler Swindler come into your feed on Netflix, I wonder?


GRAHAM CLULEY. Well, it's one of the top things to view at the moment. It's been extremely popular. Really? It was initially brought to my attention by a friend of the show, Ray Redacted, who tweeted about it. Anyway, it is a story with plenty of twists in the tale, and it's quite, quite astonishing what occurs. Is it worth watching? Yes, it is worth watching. I think anyone who enjoys Smashing Security will enjoy the Tinder Swindler. So that is my pick of the week.


CAROLE THERIAULT. Thank you, Ray, for the suggestion.


GRAHAM CLULEY. Mark, what's your pick of the week?


MARK STOCKLEY. Well, if your suggestion is going to appeal to a mass audience, you know, everyone who's got Netflix, I think mine is probably going to appeal to maybe one listener. I don't know which one. I'm sure there's somebody out there that will enjoy this as much as I did. And so this is for you, whoever you are.


GRAHAM CLULEY. Mrs. Trellis of North Wales, make a note now of what Mark's going to talk about.


MARK STOCKLEY. My pick of the week is a presentation, hour and a half long presentation called Leaf Bricks and Insect Herbivory. What the fuck? And this is— I'm serious. This is like my love letter to YouTube. Okay, so I think like, you know, YouTube and social media, they'll get a really, really bad press. But the really wonderful thing about the internet and YouTube in particular is that whatever you are interested in, whether it is, you know, the effect of COVID vaccines and 5G mind control or, uh, whatever, or insect herbivory, there is stuff for you. And if you're into insect herbivory, there is a presentation by a guy called Thomas Dykstra, Dykstra with a Y. And he has rethought why insects eat plants. He has rethought. Okay. He's— this is his life's work, right? Is to research why do insects eat plants. And his conclusion is that insects only eat unhealthy plants. And different insects eat different plants based on how unhealthy they are. So if you've got locusts eating your plants, then your plants are healthier than if you have got scale insects eating your plants. And basically there's an hour and a half of this stuff, and he goes on to explain why if he's right, then kind of everything we think we know about insects is wrong. And it has all sorts of interesting things to say about—


GRAHAM CLULEY. because we, we used to think it was just because insects were hungry. But now, right. Exactly.


CAROLE THERIAULT. And what they are— But they're attracted to different—


MARK STOCKLEY. But they're picky. They are picky. And so you can learn about your crops or your garden based on what kind of insect is attacking what. And he's done another presentation where he talks about citrus growing in Florida, because there are records going back over 100 years. And he sort of charts the decline of the citrus industry in Florida through the different waves of insect attacks that have happened to it.


CAROLE THERIAULT. Wow, I think that's super cool.


MARK STOCKLEY. So there you go. So we have identified our one listener, and it's Carole Theriault.


CAROLE THERIAULT. Yes! Well, I'd like the idea of it. I wanna go educate myself. I like it.


MARK STOCKLEY. Anyway, link's in the show notes. But I love the fact that you— like, if this is your thing, 'cause I'm very specific about what I wanted to watch, and I loved this presentation. But, you know, there are probably only 3 of us in the world.


CAROLE THERIAULT. Well, that's okay, I'm one of them.


GRAHAM CLULEY. Very cool. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, let's carry on with my art theme. So my pick of the week actually comes from a rock-solid recommendation from my mother-in-law, and it's a TV show or a documentary on iPlayer called Eye of the Storm, and it's on for the next 8 days only. Okay, so it's a documentary of acclaimed Scottish artist James Morrison. He was born in 1932 and recently passed away at the start of the pandemic. And near the end of his life, the BBC spent two years with him, you know, on and off documenting his last days as a painter. He is an extraordinary landscape painter, and a lot of his work focuses on skies. I like sky work as well, so— and I really love his stuff. Like, it's sublime. And you'll see many, many of his works in the documentary. But what's just so heartbreaking is that he's losing his sight. And he is becoming, you know, he's 92 near the time of his death, right? So he's getting weaker and weaker, and he can no longer go outside and paint, which is what James Morrison did most of his life. And he can't see as much. And, you know, there's all these talks of, you know, Matisse used to have to paint on the walls from bed when he was too weak to get out of bed, or Monet continued painting even though he lost his own sight, or Beethoven composed while deaf. So it's a beautiful way of someone coming to terms with losing the thing that they love most. And I found it touching, but also very beautiful. So it's called The Eye of the Storm on BBC iPlayer. And it's a story of James Morrison, Scottish painter.


GRAHAM CLULEY. It sounds delightful. His art is incredible. It is. And it's not just about art. It's also about aging from the sound of things.


CAROLE THERIAULT. And that's leaving a beautiful, beautiful legacy, right?


GRAHAM CLULEY. As we have done with the Smashing Security podcast. Yes. Not that this is the end yet, because first of all, Carole, we've got a featured interview, haven't you?


CAROLE THERIAULT. We do. Let's hear it. So today we are talking patch management and how to communicate it simply to our C-level folks. So today I'm talking with Sean Herbert. He's baramundi's UK Country Manager and a trusted advisor when it comes to managing and securing organizational networks from threats. Thanks so much for talking to us, Sean. Thank you very much for having me. So first, maybe we should start with you telling us about baramundi, a name I love to say, by the way. It just rolls off the tongue so beautifully. Hey. Yeah.


UNKNOWN. I mean, the common thing is for people to ask, is it like the fish? But it's not. We're a unified endpoint management provider, so it's all about the control of all of your endpoints in your environment, regardless of where they are. You know, first step to being able to control or secure anything is knowing where it is and what's actually out there. And that's fundamental to what we do. And within it, we're a modular setup. So there's plenty of different bits and bobs, whether it be inventory, deploying of software applications, patch management, vulnerability scanning, MDM, all of that is within the UEM scope. And that's what we do at baramundi.


CAROLE THERIAULT. And you've been there, what, 5 years now?


UNKNOWN. 5 years. 5 fantastic years, actually. Best company I've worked for in a— yeah, ever, actually, I think I would say. That's saying a lot.


CAROLE THERIAULT. Just been through a pandemic, right?


UNKNOWN. Yeah, indeed. Well, you know, that's— and that's a very quick and easy way of measuring the worth of a company is how they treat their employees during what can fundamentally be the hardest times. And baramundi really, really excelled at that. There were no furloughs, nothing. It was just, you know, push on forward.


CAROLE THERIAULT. That's so lovely to hear because often in this show, we cover companies that don't always do the right thing by their employees or their partners. So, yeah. So maybe we can talk first about patching vulnerabilities because it remains a key vector for much of the bad stuff that's hitting us. And I'd love to know what your take is on this issue.


UNKNOWN. Yeah, I mean, it remains the key vector because it's the easiest route in. And a lot of the time, those gaps are advertised, you know, it's patches aren't secret, and the vulnerabilities that they are patching aren't secret either. So as an entry point, they become a lot easier as an attack vector. And I've always looked at patching as the fundamentals, what you should be doing first and foremost before you're doing anything weird and wonderful on top of that, or, you know, particularly massively innovative from a security standpoint. Yeah. If you have all of these, you know, incredibly innovative products and you're not doing the bare basics like patching, for instance, it's essentially like leaving the house, turning on the lasers and CCTV camera, but leaving the front door unlocked and wide open. That's essentially what patching is, you know, it's, yeah, lock the windows, lock the doors before you're even thinking about anything else. Yeah.


CAROLE THERIAULT. Do you think most companies have that baked into their minds or do they just over, like, it's just an oversight? They just don't think about patching as a prime security mechanism?


UNKNOWN. No, I think most, our IT managers, network managers, and admins know that patching is what you need to be doing. But essentially, it's to what degree they're doing it that really differs across different companies. Now, what you tend to find is the bare minimum, or you'd hope the bare minimum, is that people have auto-updaters on. And I say bare minimum because it's not what I would consider best practice by any stretch of the imagination, but patching something is better than patching nothing at all. But you find a lot of companies are using WSUS and handling the Microsoft side of things. But what tends to get overlooked a lot of the time is the third-party patching world, the Adobes, the Googles, the Javas of the world, which are consistently adding new patches to the vulnerabilities that are found. And that really counts towards things like the Cyber Essentials framework and those sorts of things that people really need to have in place.


CAROLE THERIAULT. The thing is, though, IT and admins, as far as my experience goes, are very beholden to what the, you know, the board or the senior management team feel is vital. So, do you feel that C-levels really force this issue home, talk to people about patch management and kind of say, what's going on? What are we doing here? Talk to me about it, guys.


UNKNOWN. You tend to find with C-level CEOs and the like, they don't tend to come from the more techie side of the business. Finance, sales tends to be where the CEOs lie, and certainly the CFOs who are holding the purse strings a lot of the time. So being able to communicate why you need toolsets in place to be able to do these things, that can be difficult. Myself, I'm lucky enough to understand the requirement for patching and the requirement for good tools to be able to help to do that. But being able to translate that to language that is understood by somebody who's essentially not a techie for something that is also essentially not particularly sexy. It's not a super sexy thing to talk about the patching aspect. You know, it doesn't light people's hearts up and, you know, that sort of thing. So finding a way to be able to communicate that effectively to those people who aren't techies is key. I've done speaking slots in the past at places like DTX or IP Expos— it used to be— and I really put an onus on trying to do that as well. So putting different scenarios in people's minds to be able to understand it, not just the C-level, but also for those techies, those IT managers and those network admins to be able to understand that actually I need to frame this in a way that somebody who isn't me, who isn't qualified the way I am, understands it. So I've done talks where I've, you know, likened it to like the Death Star. Oh, really? How do you do that? Talk to me. Essentially what I did was remind people of the story. Now, most people in the tech world, I'm sure, don't need to be reminded of the story of the initial Star Wars, where the Empire built a big old weapon that was designed to destroy planets, but the designer created a flaw in that, and those designs were stolen, and the rebels then were able to manipulate that flaw in order to then destroy the weapon. Then relating that to actually what could the Empire have done better to ensure that these things wouldn't have happened. So it's looking at things like employee actions, control of assets out there, audits, reporting on the things that they're doing, learning from their mistakes. I mean, they went and built a second Death Star and left this one with loads of gaps open and just stuck a shield around it. It's trying to relate it in that way to say, if they'd only patched up that small hole in that exhaust valve, then the first Death Star would have been out there. And who knows, the Empire could have still been going to this day, he says, living in a fictional world in his head. So it's trying to frame it in those sorts of ways where people think. And not necessarily take that scenario and go and speak to your CEO about it, but understand that you need to frame it in a way that they will understand, get on the same page as them, and be able to— if you're going to talk to the CFO, talk to them about why it's important from a costing point of view, what saving is that investment then later going to make for them? From a CEO, obviously, it's, you know, it's mitigating risk and those sorts of things to ensure that the company isn't then held accountable for being hacked or whatever it may well be.


CAROLE THERIAULT. You're absolutely right. You could apply the logic to any real scenario. So if, like, you know, the CEO is a car buff, or the CEO, you know, is into any sport or any hobby, you could apply the kind of moral of the story of we need to lock everything down in order to stay, you know, to lower our risk, in a way that they— Exactly right.


UNKNOWN. If you're a football fan, you talk about where all the players are positioned on the pitch to fill holes there. And you could say, well, that's like patching and making sure there's no vulnerabilities that people can take. You know, you can apply it to pretty much any situation. I've done it with, like I say, the Death Star, Independence Day. I did one that was speaking about the whole of the UEM and Unified Endpoint Management suite and how that relates to things like the Fellowship of the Ring and how different people relate to different modules and what they did. Those sorts of things. And not only is it useful for them to be able to then translate that and talk to their C-levels, those who hold those purse strings, but also especially at events, whatever it may well be, InfoSecs of the world, a lot of the time you're sort of pummeled to death with tech demos and tech speak. And sometimes it's nice to just have a little bit of a reprieve from that and be able to take a moment to have a bit of fun with it and, you know, have a smile on your face. You know, the metaphors aren't gonna work every single time with these sorts of things, but people tend to be very forgiving with that sort of side of things when it's an enjoyable presentation at least, and the key message is being delivered.


CAROLE THERIAULT. The other cool thing about it is it's actually memorable. Like narratives are much more memorable than key facts.


SEAN HERBERT. Yeah, yeah, absolutely.


CAROLE THERIAULT. That's part of what we do Smashing Security for, right? Try to educate people through storytelling.


SEAN HERBERT. Yeah, storytelling is powerful, absolutely. You know, being able to relate that to yourselves as well, you know, it's the power of the hearth, isn't it? People gathering around the hearth to share stories about their lives and all that sort of thing. It was what was fundamental to us as human beings, to be able to relate anything out there, especially if you don't understand it, to a story, to a metaphor, or to a simile. I think our brains are just made to do that, you know.


CAROLE THERIAULT. Sean, I don't know if you're up for this. I'm gonna test you. I'm gonna say, give us a takeaway. Imagine our listeners are all CEOs that are tangentially interested in IT. Is there some key takeaway of why it's important to, you know, look at your patches and your patching vulnerability?


SEAN HERBERT. Key takeaway for CEOs on why patching is important or why they should be doing patching or looking at patching as a key aspect to their security. One, first and foremost, it's the easiest thing to get sorted. You know, there's plenty of tools out there that do it, none as good as baramundi, obviously, but there's plenty of tools out there that you can do it. And even if you're doing the bare minimum, as I say, auto-updaters or using WSUS or whatever it is, Windows Update Online, all of those are providing patches. There's really no excuse for you not to patch something at least within your environment. And it's a big tick in the box. If you take away local admin rights and patch your environment, you're mitigating a lot of the risk within your environment straight off the gate. Because as I said, those who are looking to infiltrate your system, they don't want to sit down and write the most complex hack in the world. I mean, some people take joy in that, but if they're trying to make money out of the situation, then they're going to want to do it in the easiest way possible. And in order to mitigate that is to take away those easy routes in, lock your doors, lock your windows before you leave the house and turn on the cameras, the lasers, the smoke detectors, the movement detectors, et cetera, et cetera. So that's, that's what I'd say.


CAROLE THERIAULT. Now you guys have also made a white paper available free to our listeners, all about patch management called Automatically Detect and Quickly Eliminate Vulnerabilities. You guys can get your free copy at baramundi.com/smashing, and that's baramundi, B-A-R-A-M-U-N-D-I. It's great. Yeah, just note not two Rs because then it is a fish.


SEAN HERBERT. Singular R for baramundi. But absolutely, yeah, that paper's fantastic. As you say, it's free for your listeners to download as well. Covers off the capabilities not only within the suite, but also just general best practices for vulnerability scanning and patch remediation, both of which can be handled out of the baramundi UEM suite, which actually sets us apart from, from a lot of other products out there. A lot of the time when you're, you're looking at the vulnerability status as when it, when it is applied to the patching status, a lot of the time these patch providers say, oh yeah, you've patched up to date with all of the content we provide, therefore you're not vulnerable. Yeah, you know, that's falling short of the mark somewhat because no patch provider can provide every single possible patch you might possibly need within your environment. So that's why we took it a step further with having a vulnerability scanner alongside that to compare your environment with a huge portfolio of CVEs and CCEs to say, great, you've patched up to date with all the content we provide you. However, outside of that, these vulnerabilities still need addressing. So go out and manually get them or take remedial action as you see fit. Or sometimes there's no patch available for some of these CVEs or vulnerabilities that are found out there. So, you know, rolling back to a previously known good state, uninstalling, whatever it may well be, at least you are aware of your vulnerability status and able to take action as a result of that. And we think that's key and fundamental to being able to secure your environment.


CAROLE THERIAULT. Yeah, as always, the most important approach is preventative, right?


SEAN HERBERT. Rather than reactive. Absolutely, absolutely. And then patching is exactly that. You know, it's, like I say, there's no excuse really to not be patching, especially the Microsoft stuff. So you should absolutely be doing that. Don't be the person caught out and say, oh, well actually we got infiltrated by XYZ malware because we didn't patch this vulnerability within, you know, within Microsoft. WannaCry was, you know, the big key one many, many years now. We're looking back where that was exactly the case where the vulnerability was discovered and the patch released for it, I think in February of the year. And then the vulnerability or the way to take control of that vulnerability or to access that vulnerability was then released in April, and then the WannaCry situation happened in May. So there was almost a two-month gap between patch happening and then the WannaCry situation happening where— Preventative measures could have saved the day. Exactly, exactly that.


CAROLE THERIAULT. Sean Herbert, UK Country Manager, baramundi, thank you so much for coming on the show. And again, you can get your free copy of this white paper called Automatically Detect and Quickly Eliminate Vulnerabilities at baramundi.com/smashing. And all I have to say now is may the Force be with you, Sean Herbert.


SEAN HERBERT. And with you. Thank you very much. Thank you.


GRAHAM CLULEY. Very cool. Well, that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


MARK STOCKLEY. Well, you, you can find me on Twitter @MarkStockley.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, which will mouse to have a G, and we're also on Reddit in the Smashing Security subreddit. And don't forget to ensure that you never miss another episode by following Smashing Security in your favorite podcast app.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide and baramundi, and to our wonderful Patreon community. It's thanks to them all the show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 261 episodes, check out smashingsecurity.com.


MARK STOCKLEY. And also, if you're a fan of Wordle, don't forget that when you tweet your Wordle score to @GrahamCluley, because he loves them. Yeah. No, I don't.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye.


CAROLE THERIAULT. Hey listeners, Mark's not lying. Graham does actually really love getting the Wordle scores tweeted at him. Loves it.

-- TRANSCRIPT ENDS --