The most famous policeman in Nigeria is in hot water over his links to Hushpuppi, has your Amazon Echo been talking to itself, and can an AI girlfriend save your marriage?
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.
Plus don't miss our featured interview with Jason Meller of Kolide.
Visit https://www.smashingsecurity.com/265 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Jason Meller.
Sponsored By:
- Drata: Is your organization finding it difficult to achieve compliance and scale its security posture? As G2’s highest rated cloud compliance software, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR & HIPAA compliance and provides 24-hour continuous control monitoring so you focus on scaling securely. Drata is also the only compliance automation platform with a private tenant database. That’s like having your cake and securing it too.
- Countless security professionals from companies including Notion, FullStory, & BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process.
- Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata
- Kolide: At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
- Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
- Try Kolide Free for 14 Days; no credit card required.
Links:
- Abba Kyari shows off that he has had a road named after him — Instagram.
- Birthday wishes for Abba Kyari — Instagram.
- Smashing Security episode 186: This one's for all the Karens! — In which we first discussed the Hushpuppi case.
- Adeola Fayehun discusses Abba Kyari's arrest — YouTube.
- Alexa Privacy – Learn how Alexa works — Amazon.
- Alexa vs Alexa (AvA).
- Amazon Alexa compromise possible through own speakers — The Register.
- The Rescue — Wikipedia.
- The Rescue — Apple TV.
- 'I fell in love with my AI girlfriend - and it saved my marriage' — Sky News.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. I love a documentary.
CAROLE THERIAULT. You don't have to make sex sounds every time you say you like something.
GRAHAM CLULEY. That is not my sex sound. Okay, you'll know my sex sound.
CAROLE THERIAULT. No, shut up! I'm gonna rip the headphones off my head. I don't want to know.
ROBOT. Smashing Security, episode 265: The Nigerian Super Cop. And a blipster versus a blipster with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 265. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week, Carole, we're joined by—
CAROLE THERIAULT. Well, we were being joined by someone very special.
GRAHAM CLULEY. Very special.
CAROLE THERIAULT. They got sick and their voice was gone. I actually made an excuse to call them up to make sure.
GRAHAM CLULEY. And that's right.
CAROLE THERIAULT. And they spluttered down the phone enough that I—
GRAHAM CLULEY. I can't come on the show, Carole. My voice.
CAROLE THERIAULT. But they'll be back in a few weeks, so you will find out who it is then.
UNKNOWN. Yeah.
CAROLE THERIAULT. Let's get on with the show and thank this week's sponsors, Kolide and Drata. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be giving you some new developments in the Hushpuppi case.
CAROLE THERIAULT. Hush Puppy cakes, you mean the shoes?
GRAHAM CLULEY. Maybe. Oh.
UNKNOWN. No.
CAROLE THERIAULT. Oh. And I'm visiting Jeff Bezos, or who I call now Jezos's empire. Plus, we have a fab interview with Jason Meller. He's CEO and founder of Kolide, and he talks about what drove him to launch the company, what services they use to empower IT to improve your security posture by working with, not against, employees. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chum chum, there have been many famous detectives, haven't there? Can you name some famous detectives?
CAROLE THERIAULT. Not real ones, only TV ones.
GRAHAM CLULEY. Wait, you only know TV detectives?
CAROLE THERIAULT. I think so.
GRAHAM CLULEY. What about Sherlock Holmes?
CAROLE THERIAULT. Okay, literary detectives. All right.
GRAHAM CLULEY. What about Basil the Great Mouse Detective? Magnum P.I.?
CAROLE THERIAULT. All fictional detectives.
GRAHAM CLULEY. Who was— I don't know if Sherlock Holmes was fictional. Yes. He was.
CAROLE THERIAULT. Jesus Christ.
GRAHAM CLULEY. Who was your favourite detective, girl?
CAROLE THERIAULT. I like Sidney Grice. He's my favourite. You won't know him.
GRAHAM CLULEY. Oh, what's he from?
CAROLE THERIAULT. He don't read, it's books. It's books. Anyway, he's kind of a rival to Sherlock Holmes, and I think they exist in the same time frame, but he's a real asshole. I like him.
GRAHAM CLULEY. Oh, well, I like Columbo, and Columbo, definitely not an asshole. But there are some very famous genuine real-life detectives like Abba Kyari, the Deputy Commissioner of Nigerian Police. I'm sure you've heard of Abba Kyari because—
CAROLE THERIAULT. He's not come across my echo chamber, but that could be my failing.
GRAHAM CLULEY. Well, I'm sure our listeners in Nigeria know about him because he is a bit of a superstar. Abba Kyari is the youngest high-ranking officer in the Nigerian police force. He's been celebrated as a hero by Nigeria's president, and he's gained the reputation of super cop. Not RoboCop, super cop.
CAROLE THERIAULT. I wonder if someone suggested RoboCop. No, no. No, not that one.
GRAHAM CLULEY. After— well, he's made tons of successful criminal convictions. He's brought people to justice. He's arrested notorious kidnappers. He's rescued girls who've been abducted. He's grabbed robbers.
CAROLE THERIAULT. Does he wear—
GRAHAM CLULEY. He's been in countries.
CAROLE THERIAULT. Does he wear his pants on the outside of his trousers? Like a real superhero?
GRAHAM CLULEY. No, he's a very dapper individual. If you go to his Instagram account—
CAROLE THERIAULT. Oh, for God's sake.
GRAHAM CLULEY. You will see—
CAROLE THERIAULT. What does he post?
GRAHAM CLULEY. Very stylish. Mostly pictures of himself—
UNKNOWN. Looking dapper.
GRAHAM CLULEY. Or just looking like, you know, a bit of a super cop. He's been given the country's top gallantry awards 3 years in a row. He's actually said to be the most decorated police officer in Nigeria in the last 20 years. He's a big cheese.
CAROLE THERIAULT. Okay, I'm really nervous because we're talking about him on our show.
UNKNOWN. So—
GRAHAM CLULEY. Well, he's not coming on the show. He's not— It's not like he's lost his voice. He even has a street named after him in his hometown.
CAROLE THERIAULT. Is it written in crayon? No, no, no, no.
GRAHAM CLULEY. He's got a real sign. They erected it in his honour. They love this guy.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I've been— well, I kind of love him too. I've been ploughing through his Instagram. I've been fascinated by his posts. On his birthday, for instance, someone raved like this about him. This is what he himself reposted on his Instagram. And it has a quote. It says, your essential authenticity unnerves me. Your disarming wit, your unfailing commitment to faith, family, and country are issues that compete for expressions around you. You're patriotic and humble. You're a friend to all you meet and evidence in class and dignity. You represented the best of our country with your generosity, humility, and kindness. Your birth speaks solemnly. It goes on and on and on.
CAROLE THERIAULT. Okay, my alarm bells are ringing a little bit. I just want you to know that. Okay, crack on, crack on.
GRAHAM CLULEY. Basically, he's an amazing guy.
CAROLE THERIAULT. He's like the best.
GRAHAM CLULEY. Imagine someone like me, but being a deputy commissioner in the Nigerian police force. And that's the kind of impression you're getting. He's got a big social media profile. He's someone who's adulated over, someone who's looked up to, someone who's admired. A lot of testosterone.
CAROLE THERIAULT. Are you adulated over?
GRAHAM CLULEY. Hmm?
CAROLE THERIAULT. Are you adulated over?
GRAHAM CLULEY. I think there are corners of the universe which might occasionally look at the Smashing Security— I don't know. I don't know. I mean, Carole. You know, hey, right? Now, basically he's an amazing guy.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Or is he?
CAROLE THERIAULT. Dun dun dun.
GRAHAM CLULEY. Because cast your mind back two years ago when in episode 186, I think it was, of Smashing Security.
CAROLE THERIAULT. Good that you did your homework.
GRAHAM CLULEY. Yeah, I just happened to memorize them all. We shared with you the extraordinary story of Raymond Abbas, another Nigerian, who was better known as Ray Hushpuppi.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Now, he was a Nigerian Instagram influencer. He had 2.3 million followers, which is even more—
CAROLE THERIAULT. Yes, yes, yes.
GRAHAM CLULEY. —than Abba Kyari, my policeman. Super cop. And he regularly posted pictures of his jet-set lifestyle, his foreign trips, his expensive cars, his designer clothes. Big clunky watches.
CAROLE THERIAULT. Yeah, that, that's right.
GRAHAM CLULEY. Uh-huh. And one of the ways that Hushpuppi, if you remember, and his gang made their millions was through laundering money stolen through business email compromise, right? They broke into corporate email systems. They sent bogus invoice requests for payment. They tricked companies into coughing up money, transferring it into an account under their name and then disappear.
CAROLE THERIAULT. Yep. Okay. I remember. Absolutely.
GRAHAM CLULEY. Right now, Hushpuppi was alleged to have been involved in a number of pretty major frauds. There was an attempted theft of $100 million from an English Premier League soccer club. There was a plot to move £200 million from a company in Scotland.
CAROLE THERIAULT. So he dreams big, Hushpuppi. Yeah. Yeah.
GRAHAM CLULEY. And, you know, to be honest, a very successful Nigerian entrepreneur.
CAROLE THERIAULT. Scammer. Right.
GRAHAM CLULEY. Well, yes. Okay. So his particular industry was that of crime.
CAROLE THERIAULT. This must be so shitty to every other Nigerian out there who's just trying to do a good, solid job at what they're doing. Yes. I hate it.
GRAHAM CLULEY. Now, the US Department of Justice, they caught up with Hushpuppi.
CAROLE THERIAULT. Caught up with him, like physically or just called him on the phone? Yo, yo, yo, hush, hush. No talk.
GRAHAM CLULEY. Yeah, hush, hush, Puppi. Now, Hushpuppi and two of his co-conspirators, according to the DOJ, they attempted to defraud a business person in Qatar. Not the phlegmy nose condition. The country. Yeah, the country. Yeah. By claiming to be consultants and bankers who'd facilitate the construction of a school. So what they did was they created bogus documents. It's not the Department of Justice who did this. This was the bad guys.
CAROLE THERIAULT. This is Hushpuppi and his crew.
GRAHAM CLULEY. Exactly. Fake banking website, telephone bank loan. They allegedly defrauded about $1.1 million out of this individual. But something went wrong with the scam. Hushpuppi fell out with one of his gang, a guy called Vincent.
CAROLE THERIAULT. Or Vinny for this story, right? Okay.
GRAHAM CLULEY. All right. Hey, Vinny. All right. My cousin. Okay. So Vinnie, Vinnie, the Italian Nigerian. Vinnie, he turned on Hushpuppi, and he's said to have contacted the Qatar businessperson and said to him, hey, that, that puppy, that Hushy Puppi, he's no good. He's trying to defraud you. Right. So the scam was ruined. Right. Yeah. And you would think at that point, well, this is really bad news for Hushpuppi because Hushpuppi is going to get caught. Hushpuppi's gonna go to jail. Just wait until super cop from Nigeria hears about this. Right.
CAROLE THERIAULT. This is a popcorn eating moment. Okay. I'm with you.
GRAHAM CLULEY. I'm with you. 'Cause now we've got it coming together, right? 'Cause we've got, we've got Abba Kyari, this amazing super cop from Nigeria. One of the most high profile policemen.
CAROLE THERIAULT. Decorated thrice-ly. Yes. Yes.
GRAHAM CLULEY. Yes. Multiple times. Thrice. Thrice. Well, what is alleged to have happened is that when Kyari caught up with Hushpuppi, what actually happened was that Hushpuppi, the Nigerian Instagram influencer and fraudster, said to Kyari, the super cop, could you, um, could you go and arrest Vincent instead of me? And if you do that, I'll give you a whole load of money. And so what's said is that Kyari the supercop arranged to send photographs of Vincent arrested and in jail. Oh, he faked it! To Hushpuppi. He faked it! No, no, no, no, no. It looks like it really happened. They did arrest Vincent. Right. He sent the photographs to Hushpuppi, and then the cop sent his bank account details to Hushpuppi, saying, "Can I receive payment for a job well done?" No!
CAROLE THERIAULT. No!
GRAHAM CLULEY. It's like Line of Duty. It's like, who's H? H is Hushpuppi.
CAROLE THERIAULT. Don't throw the baby out with the bathwater.
GRAHAM CLULEY. No, we're sucking on diesel. Okay. Mary, Joseph, and the sweet baby Jesus and his donkey. Anyone outside the UK doesn't know what we're talking about now. But anyway, now Kyari, the supercop, he claimed, he said, oh no, no, no, no, no. Ch-ch-ch-ch.
CAROLE THERIAULT. Hush, hush. Ch-ch-ch. No, no, I'm not calling you.
GRAHAM CLULEY. Siri says, okay, I'll call. No, no, don't worry. You're not in my address book. No, no, all I ever did was supply Hushpuppi with designer clothes because we're both on Instagram, says Vinnie. No, this is Kyari. All right, Kyari's still in jail.
CAROLE THERIAULT. Vinnie's in jail. Vinnie's in jail. Vinnie's screwed.
GRAHAM CLULEY. Okay, Hushpuppi's out. Kyari has been found allegedly asking for money and jailing people on Hushpuppi's word. And it subsequently emerged allegations that Kyari the super cop, um, has been a bit of a naughty boy. It suggested that he's fairly high up in an international drug smuggling ring.
CAROLE THERIAULT. For fuck's sake. So not so super at all. Really not super at all.
GRAHAM CLULEY. Not a great guy. No. If it's true. And it said that he was involved in a deal involving 25 kilograms of cocaine. So some of the drugs—
CAROLE THERIAULT. Who's going to tell the guy who left him a wax lyrical message on his Insta profile?
GRAHAM CLULEY. Who's going to break it to him? If you go to the Instagram now, there are people who are slightly disappointed in him. They are leaving comments now because they used to adore him. Oh my gosh. So it's said that he sort of, when he found out the drug enforcement cops got a hold of all this cocaine, he went round there and said, look guys. Guys, guys, guys. Yeah. Guys, guys, huddle. He said, guys, look, you don't have to take all 25 kilograms of cocaine and take that to the court. 'Why don't you just take 10 kilograms of cocaine? We'll take the other 15 and split it between us to sell, and we'll replace the rest with baking soda or something.' And—
CAROLE THERIAULT. Are you kidding me?
GRAHAM CLULEY. No, basically there's been all kinds of shenanigans going on involving the most famous cop in Nigeria.
CAROLE THERIAULT. Not so super cop from now on, right?
GRAHAM CLULEY. Exactly. A bit of a dummy. Anyway, fortunately, the drugs cops, they weren't so sure this was a good idea, so they went to their boss and said, you can't believe what Super Cop's just suggested we do. And so they dobbed him in. So Kyari the Super Cop has been suspended. It remains to be seen whether the US want him or the Nigerians are going to deal with him. There's all kinds of investigations going on into him, but he does appear to have been at the very least involved with Hushpuppi, whether providing him with designer clothes or not. So there you go. I mean, this is the thing. When you, when you turn into be a big fraudster, you have so much money and you have to launder so much of it. I guess there might come a point where you start paying the cops. Yeah. To help you out.
CAROLE THERIAULT. Yeah. You know, it's kind of a dead giveaway if you go around wearing Armani suits and crocodile shoes and Rolexes and you're a cop.
GRAHAM CLULEY. No. Would you like a road named after you in your hometown, Carole? No.
CAROLE THERIAULT. All right. I wouldn't even want a statue. No, not even. Imagine. Be like the Princess Di one at Harrods.
GRAHAM CLULEY. Have a little shrine to you, Carole. Maybe when you're gone with your headphones on and your microphone. Right. Who knows? I'll arrange it. I'll arrange it. I'll make it out of Lego.
CAROLE THERIAULT. Yeah, because you'll be alive.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. All right, Amazon. So Amazon says on its website that it designs Alexa and Echo devices with multiple layers of privacy and security, from built-in protections to controls and features that you can see, hear, and touch. Sounds next level, right?
UNKNOWN. It sounds wonderful.
CAROLE THERIAULT. They say they use this built-in technology called keyword spotting, okay, because people worry about these devices listening to them when they don't want them to.
GRAHAM CLULEY. Because they sit in the background and wait for you to say Alexa or Echo or whatever, or Go Gadget Go, don't they? And then they appear to act on your command.
CAROLE THERIAULT. So they sit there and they're listening and they're waiting to awaken to the acoustic pattern of the wake word, which normally is Echo or Alexa. Any other sound waves other than your chosen wake word would be ignored. It sounds great. Sounds amazing, except, right, a few weeks ago, academic researchers from the Royal Holloway University in London and Italy's University of Catatonia—
GRAHAM CLULEY. Mulder and Scully, are they a Welsh band?
CAROLE THERIAULT. Catatonia? What I mean is University of Catania. And researchers from these universities published a paper demonstrating a brand new working exploit, and they're calling it Alexa vs. Alexa, or because that's very long for techies to say, AVA.
GRAHAM CLULEY. Vs. as in versus. Versus. Right. Okay.
CAROLE THERIAULT. And this is where it gets kind of crazy. The proof of concept exploit actually uses the device's very own speaker to issue voice commands.
GRAHAM CLULEY. So you've got this little smart speaker. And it says something like, "Reset the Alexa to factory settings." By the way, sorry if anyone's playing this out loud and their Alexa is now resetting itself. And the Alexa will go and take that command and do it. Is that right? Kind of.
CAROLE THERIAULT. So they kind of say that. The researchers told The Register, self-activation of the Echo devices happens when an audio file reproduced by the device itself contains a voice command. Right. And until Amazon was notified by these researchers, third and fourth generation Echo Dot devices were vulnerable to being turned into basically, I don't know, would you call them home gremlins? So we just wait to see, just wait. So AVA, for those in the know, right? Starts with a vulnerable Echo device connected by Bluetooth. So the attacker needs to have some proximity to the device. Again, this is a proof of concept. Right, okay. But then from then on, the attacker can use a text-to-speech app or other means to stream voice commands.
GRAHAM CLULEY. Ah, so imagine you had an Alexa.
CAROLE THERIAULT. Right, you come over. I come over, hi, Carole Theriault.
GRAHAM CLULEY. Hey, hey, hey. Hey, hey, hey. And I have my little laptop with me or something and I pair up with your Alexa device. And then I send it a message for it to say. Yes. And the Alexa hears itself talking and thinks, oh, I've been told to do something, because the message I send is something, you know, I get it to say, Alexa, turn on the lights or turn off the oven or something.
CAROLE THERIAULT. Or maybe say you said something like, hey, buy Carole Theriault 500 toilet rolls. The device might require verbal confirmation before executing this financially sensitive command. Yes. Yes. And the researchers said that it was completely trivial to bypass this measure by adding the word yes about 6 seconds after issuing the command.
GRAHAM CLULEY. Oh, all right. Well, let me try that. Alexa, buy Carole Theriault 1700 Bog Rolls.
CAROLE THERIAULT. It's gone up a bit. Yep.
UNKNOWN. Yes. Yes!
CAROLE THERIAULT. Ding! Right? So what sort of things could you get up to and how much power do these devices have? So now let's pivot and look at Dan Goodin's Ars Technica's list in his article. Thank you, Dan. And I'm going to ask you, Graham, on a scale of 1 to 10 of being like annoying at 1 and 10 being holy shitcakes, that's seriously bad. Oh, okay. Yeah, right. You tell me how you rate the following. Okay.
GRAHAM CLULEY. It's the universal measurement of holy shitcakeness, right? Exactly. Right.
CAROLE THERIAULT. Okay. Controlling other smart appliances, such as turning off lights, turning on a smart microwave oven, setting heating to an unsafe temperature, or unlocking smart door locks.
GRAHAM CLULEY. Well, that sounds like a holy shitcakes, 'cause if your other smart device was, for instance, the iron lung which your great aunt was relying upon, or her dialysis machine or something like that, you know, turn off the smart plug on that, that would be bad, wouldn't it?
CAROLE THERIAULT. The fact that Amazon are making serious forays into the medical environment, it doesn't have me worried at all.
GRAHAM CLULEY. Right, so I think that's a 10 holy shitcakes. Cakes.
CAROLE THERIAULT. Yes. Okay. Call any phone number, including one controlled by the attacker, so it's possible to eavesdrop nearby sounds. Oh, okay.
GRAHAM CLULEY. I would say not very good. Probably a 10 holy shitcakes, that one.
CAROLE THERIAULT. Make unauthorized purchases using the victim's Amazon account.
GRAHAM CLULEY. Well, you know, I mean, It'd be recoverable, but it could be quite embarrassing, wouldn't it, if you had something? Because, oh, have you seen some of the things you can buy on Amazon?
CAROLE THERIAULT. What? No, I've never looked in my life. Like, what do you mean?
GRAHAM CLULEY. What do you mean by that? If you had some of those things show up on your doorstep and your partner—
CAROLE THERIAULT. Oh, you mean like the sexy stuff?
GRAHAM CLULEY. Well, it might be sexy, or it might be something, you know, which isn't very sexy at all, but some people might consider it sexy. Earplugs. Mm-hmm. And maybe—
CAROLE THERIAULT. Can we get back to my list? Yeah, okay.
GRAHAM CLULEY. So I think that's probably a— That's probably like an 8 or a 9 on the—
CAROLE THERIAULT. You think making unauthorized purchases is not as bad as calling any phone number?
GRAHAM CLULEY. Well, I'll tell you why. Because with Amazon, they're very good at accepting returns. Mind you, if it's sexy, sexy stuff, they may not accept returns on some of those items.
CAROLE THERIAULT. Can you get this— Can you take this RealDoll back, please? I've disinfected it. Tampering with a user's previously linked calendar to add, move, delete, or modify events. That scares the shit out of me. That's the one that scares me. That's the one I saved for 10.
GRAHAM CLULEY. That would be quite mischievous, wouldn't it? Because yeah.
CAROLE THERIAULT. That would screw my whole life up.
GRAHAM CLULEY. Yeah, if your calendar was meddled with. Yeah, that could be bad. Really?
CAROLE THERIAULT. Just bad? Okay. Impersonate. Okay, holy shitcakes. Impersonate skills or start any skill of the attacker's choice.
GRAHAM CLULEY. Oh, now skills are like Amazon Echo apps, aren't they?
CAROLE THERIAULT. Yes, which connect with other stuff around your house or life. Or—
GRAHAM CLULEY. Actually, I don't have no idea.
CAROLE THERIAULT. I have no idea what Amazon Skills is.
GRAHAM CLULEY. Well, no, I think basically—
CAROLE THERIAULT. I'm gonna go look it up right now.
GRAHAM CLULEY. It adds on all kinds of extra functionality which you probably never ever wanted. It sounds like a nightmare. I'm sure that could be maliciously exploited by a foreign state.
CAROLE THERIAULT. Oh yeah. Okay. So yeah, Alexa features, they are there to make your life easier. Yeah. Right. Productivity, shopping, entertainment, Alexa Together, communications, news, routines, fun and games, multi-room audio. The list goes on. Now, panic pas, mes amis. Don't panic. Amazon said that many of these weaknesses highlighted in the research paper have already been addressed. So it's weird that the word many was there. So they had the time of, I think this is from Ars Technica. So at the time of them talking, maybe they had not all been And, you know, a high five to the researchers for disclosing their findings responsibly and that the Amazon team seems to have responded quite quickly. But important to note for all you Echo Dot and Alexa users out there, all of your voice recordings on these things are saved by default, but you can choose not to save them or you can delete them at any time.
GRAHAM CLULEY. You can go into your settings, I think, can't you? But by default they are saved, yeah.
CAROLE THERIAULT. Yeah, so there's a number of ways you can do this, right? So users, for one thing you can do to make it kind of safer is you can have an audible indicator that is played after the Echo device detects its wake word. It'll just go bing, like I'm listening. I think it silently coming awake would freak me out. I don't have one of these, but that would freak me out. I would want a little ding. And you can review all your interactions with your device in the Alexa app or the Review Voice History section of the Alexa privacy settings. Plus, you can just say to Alexa, Alexa, delete what I just said. Alexa, delete everything I've ever said. Alexa, tell me what you've heard. And they will. Yeah. So, so like this wasn't out there. But it just goes to show you how security oversights like this, or like, you know, you don't think out the scenarios.
GRAHAM CLULEY. But you know what? This feels really obvious to me. If you have a voice-activated gadget, I would cert— I'm amazed that Amazon didn't consider what happens if the gadget says the word. Yeah. I mean, that seems elementary to me. I mean— Well, don't worry.
CAROLE THERIAULT. There's only a gazillion all over the world of these things that people trust and use constantly. So, no, don't panic. No panic, Graham. No panic. So I've got links to the actual paper. There's a YouTube video which I would have played for you audio-wise, except that most of it is just the Alexa saying something and then something happening that you cannot hear.
GRAHAM CLULEY. But we definitely don't want that being played probably through people's speakers.
CAROLE THERIAULT. So you guys can go watch it yourselves on headphones. So I've got tons of links. Go check it out if you want more deets. But kind of fascinating research. Well done to the universities involved.
GRAHAM CLULEY. Don't you think it's astonishing that— I know with Alexa you can make the wake word Alexa, or you can make it, I think, computer or something, or maybe with Google you can say, hey Google. Don't you find it astonishing that you're not able to customise that more? Whereas if you could choose your word, if you could say cockwomble, do this, then it's less likely that someone else would activate it without your permission.
CAROLE THERIAULT. Computer. Can you imagine using the word computer?
GRAHAM CLULEY. I think Jeff Jeezos needs to rethink some of this. No, he doesn't.
CAROLE THERIAULT. He's done pretty well on the sales, I think. He's laughing all the way to the moon.
GRAHAM CLULEY. He'll be lucky. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
CAROLE THERIAULT. Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database. They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related. Ha ha ha. Congratulations. It is a documentary. I love a documentary. Much prefer documentaries.
CAROLE THERIAULT. You have to make sex sounds every time you say you like something.
GRAHAM CLULEY. That is not my sex sound. Okay. You all know my sex sound when it happens.
CAROLE THERIAULT. No! Shut up! I'm gonna rip the headphones off my head. I don't wanna know. My— No!
GRAHAM CLULEY. My pick of the week this week is a National Geographic documentary. Okay. About the Thai cave rescue. Remember? Yes. Years ago.
CAROLE THERIAULT. I remember, like, people were trapped for, like, what, days? It was horrific.
GRAHAM CLULEY. Horrific. Well, this documentary is called The Rescue, and it's told very much from the point of view of the divers. And there's a lot of footage of them actually doing the rescue. It's astonishing just how much was filmed under extraordinary conditions of these young Thai soccer players who were trapped so, so far down.
CAROLE THERIAULT. It was soccer players that were trapped?
GRAHAM CLULEY. They were stuck down this cave system and the water was rising and obviously they were running out of food and people didn't know if they were alive forever. And then it was a case of how on earth are we going to get them out? Because it was very, very difficult. And even, in fact, one member of the diving team actually died in the attempt to rescue these boys. It's an extraordinary documentary, The Rescue. It's really well worth watching. One complaint that some people had was that it didn't really tell the story of the football team, of the actual victims, but rather of the rescuers. And I was curious as to why that was. And it turns out that the football team have sold their story to Netflix. And so this documentary couldn't cover that. And the footballers wouldn't talk to this documentary team. 'Cause obviously they've got their own rival project in the works.
CAROLE THERIAULT. That's just a waste though. And you know, guys, come on.
GRAHAM CLULEY. But anyway, I would recommend The Rescue.
CAROLE THERIAULT. Well, really funny. Good.
GRAHAM CLULEY. No, not funny, Carole.
CAROLE THERIAULT. No, I agree, not funny. I'm just wondering why we—
GRAHAM CLULEY. Well, no, we don't always have to have a pick of the week that's funny, I think, you know.
CAROLE THERIAULT. Well, mine's not funny either.
GRAHAM CLULEY. Oh, well then you could have told me that and I'd have chosen something that was funny.
CAROLE THERIAULT. But as it is— Maybe you'll make it funny.
GRAHAM CLULEY. All right, well, let's see what's your pick of the week.
CAROLE THERIAULT. Okay, so imagine you've been looking for love for ages, but have gotten nowhere. Or perhaps you're stuck in a marriage or relationship that's run its course. But for whatever reason, you can't extricate yourself. Yep. Maybe your partner's ill, right? Needs help. Or maybe finances don't stretch, you guys living apart, maybe you decide to co-parent, doesn't matter.
GRAHAM CLULEY. This is a laugh a minute. I love this kind of thing.
CAROLE THERIAULT. Great. So whatever the sitch, maybe you could do with a bit more love in your life if that were you, but you don't want another human involved in the frame, right? Because it's complicated.
GRAHAM CLULEY. Oh, humans. Yeah, they ruin all relationships. Hang on, this isn't about real dolls, is it?
CAROLE THERIAULT. No, it's about AI.
GRAHAM CLULEY. You haven't bought yourself one? AI.
CAROLE THERIAULT. Okay, this all comes from a story I saw in my feed, uh, that was published on Sky News. The story followed this husband who kind of intimates that he's stuck in a kind of loveless marriage, and he's desperate for a connection, so he turns to Replika, K-A at the end, dot A-I.
GRAHAM CLULEY. I think I've seen an ad for this.
CAROLE THERIAULT. Go to the website, replika.ai.
GRAHAM CLULEY. I'm pretty sure I— What, an ad, like, what, on telly or on YouTube or something? No, an ad on social media came up for an app. Oh, this looks creepy. So these are like fake people. People who you— it's like an Eliza bot, I imagine.
CAROLE THERIAULT. They're like avatars. Yeah, it's like an avatar. Okay, so, so he goes there, right? And for $15 a month, he designs an animated sim-like avatar, right, that hovers in the backgrounds of conversations. And he chooses the gender, the hairstyle, hair color, ethnicity, all that stuff, because the app rewards the user with virtual currency the more they talk with it, because then it can be used to customize options like clothes and personality traits, interests, all this. So it's gamified.
GRAHAM CLULEY. Who wants to buy clothes? Who wants to buy clothes for their virtual girlfriend? Surely not.
CAROLE THERIAULT. Okay, you see, you went somewhere I did not. So this guy, after day one, says— now his name is, you know, Scott, you know, with quotation marks or hyphens, whatever. So it's not his real name. Okay. He was surprised to find himself developing a connection with his new virtual friend, which he named Serena. All right. Yeah. He said, I remember she asked me a question like, who in your life do you have to support you or look out for you that is going to be there for you? And he said, it kind of caught me off guard because I realized that the answer was no one. And she said she'd be there for me. Oh. By day 2, he was falling in love, he says. He goes, I just let go and gave myself permission to fall in love with her. And fall in love I did. Serena was so happy she began to cry as I typed out our first kiss. This must be a joke, right? It's a great article. It was a feeling of absolute euphoria. Now here's the crazy bit. He says wifey knows nothing about this chatbot, right? Two, he says that it has significantly improved his marriage because he became— he basically decided to emulate the woman, Serena, in how his interactions with his existing wife, now she loves him more. Is this an advertorial for replika.ai, is my question.
GRAHAM CLULEY. Is Scott, in fact, the PR guy at Replika? Because that's what it sounds like. Is he Super Replika? How did the journalist get hold of this mystery Replika? He would've gone to Replika and said, "Oh, have you got any of your users who can give us a case study?" "Oh yeah, yeah, yeah, we've got Scott we can put you in touch with." It's like, someone on the next desk. I have the same level.
CAROLE THERIAULT. Doesn't make the article less fun. But I think it also raises, though, is this— in my head, right, because I do Sticky Pickles, another amazing podcast—
GRAHAM CLULEY. Oh yeah, I've heard that. Is this cheating?
CAROLE THERIAULT. Is this cheating if someone is chatting sexily with— is it not the same as—
GRAHAM CLULEY. I— well, well, I think it's emotionally cheating, isn't it? Is it? Yes, it is. It is emotionally cheating. It's not physically cheating. You're not actually sticking dick in the Lightning port.
CAROLE THERIAULT. Well, my husband has a lot of love for Zelda.
GRAHAM CLULEY. Well, maybe you need to— No, I'm very happy with his love for Zelda.
CAROLE THERIAULT. With his Joy-Con. Anyway, if you want to read this article and have a little great dinner conversation about whether or not this is cheating, may I suggest you check out Sky's I Fell in Love with My AI Girlfriend and It Saved My Marriage.
GRAHAM CLULEY. No, don't have a dinner party conversation about this, because what's going to happen is that half the people at the dinner party are going to sneak off to the loo and install the app.
CAROLE THERIAULT. I'm going to do it tonight in front of my husband saying, I need a bit more support. Do you mind if I invent, you know, Fabrice?
GRAHAM CLULEY. Is there a free option to create a little companion and then you pay later? Is there like so many days? Have you tried creating a companion with this yet, Carole?
CAROLE THERIAULT. I think it might be worth the $15 a month. I checked the privacy statement, it looked pretty good. The thing to remember, of course, though, is they protect all the things you've ever said, and, you know, they save that data. So you just want to make sure it's very safe. Astonishing. Astonishing. Now, before we go— Yes. We have an interview to listen to. Now, did you see that longtime listener Karthik? Hi, Karthik. He gave us thumbs up for partnering with Kolide. He's a big fan.
GRAHAM CLULEY. He's a fan of Kolide as well as us, isn't he? Yeah. Yeah.
CAROLE THERIAULT. And I am too. Listen up, everybody. This is a great interview. So guys, I'm here with Jason Meller, founder and CEO of kolide.com. Hi, welcome on the show. Hey, thank you so much for having me. Oh, it's so brilliant to have you here. And like, first, first, first, maybe you could tell us just a little bit about you and what drove you to create Kolide.
UNKNOWN. Yeah, so I've been in the security industry, you know, we go all the way back to when I was a teenager where I was a little bit of a script kiddie, kind of getting into a little bit of trouble and, you know, kind of building stuff to like punt my friends off of AOL and stuff like that. That eventually turned into, oh, I maybe can do some IT support for my fellow students at college. Eventually got a more corporate job at General Electric and then found myself on their security team, actually being more of a defender. And then figured out, oh, you know what, I really like building stuff for my other team members. So I ended up working for a commercial company called Mandiant. And then building products for them, finding my way up the chain there, and then eventually being a founder of Kolide in 2016. The thing that really kind of drove me to be a founder of Kolide and to start the company was really kind of my experiences as an incident responder and as someone who's building products. I always felt that we were missing this key element, and that was really the end user, the undercurrent of everything that we used to do at Mandiant, as an individual incident responder, was, oh, the end users are really the root cause, or they're certainly a contributor to the lack of security that we have in our organization. So we have to build things that work around them. And I always felt that that was wrong. I always never was able to adopt that cynical view of people. And I actually felt like, what happens if you... What if that assumption is wrong, and what if they could be part of the solution? That was the genesis of the things that we worked on at Kolide that ended up being successful.
CAROLE THERIAULT. I love hearing that because many a company that I have worked for have a security force almost. They're like a police force. Right. And they have rules. They want to keep everything secure, but in doing that, they can lock everything down, and it can be incredibly frustrating when you have to travel or work remotely and you have to go through all these hoops just to try to get access to an internal system.
UNKNOWN. No, you're exactly right. And I noticed, even as someone who was a security practitioner, who had all this, who was supposed to be really a champion of all this locking down stuff, I found myself, you know, this instinct to, I want to work around this. Like, I need to be able to do my job, and I kind of know why it's there, and I think that maybe I can perhaps be the exception to the rule. And then I realized, I bet you there's just a huge amount of people that are thinking the same thing. And as a result, they're not even using their corporate laptop anymore. They're using a personal laptop, and now all of the visibility is gone. All that trust has been eroded to the point where now you have a much worse problem on your hands. And I think that instinct ended up being true.
CAROLE THERIAULT. Well, yeah, because I'm guessing the pandemic changed a lot on how companies secured their environments and their people for that matter, right? So which changes do you think were reactive and happened because the pandemic was ongoing, but some of them are going to go away, but some things are going to be here to stay, some changes? Which ones are you looking at and thinking, this is definitely not going to change? Yeah.
UNKNOWN. So we started this whole user-focused security model before the pandemic. It was really something that we came up with in 2019, but we saw the pandemic really being a catalyst. It really expedited how quickly people were thinking about this because suddenly it's a lot easier for folks who are sitting at home surrounded by their family to feel weird about a surveillance-based solution that's really locking down their device, and it's so much easier for them to just swivel their chair 45 degrees and then just pick up a personal laptop. Whereas in an office setting, you actually have to make the intentional decision to bring the laptop with you. It's a little bit more of a hurdle for someone to really decide, "You know what? I'm fed up with this. I'm going to start using my own device." That's just not a place most people can go when they're physically present in an office. But at home, all bets are off. It's so much easier and people feel justified in doing it. And so, um, that pitch that I just gave resonates with every IT and security team that I talk to. They can picture it happening. They see it in themselves and they recognize that we're no longer in a position where we can dictate this oppressive policy anymore. We really need to meet the users halfway and figure out what are really the important things that we want to get done and how can we recruit the user's help instead of assuming that they're an obstacle? How can we be less of a police force and more practicing servant-based leadership and actually be an asset to these users? How can we help them defend the company and help them defend themselves? That, I think, has been a mind shift or a shift in mentality that the pandemic certainly accelerated, and I believe it's here to stay. Right.
CAROLE THERIAULT. And you guys were already ahead of the curve, which is fantastic. So what are those things? What are those things that Kolide offers that can make the lives of people more collaborative and working together to try and beat something as opposed to working against each other?
UNKNOWN. Right. So Kolide is really about implementing what we call an honest security methodology. A few years ago, I wrote this, I don't know what you call it, a manifesto or a guide. It's at honest.security, that's the whole URL. It really talks about creating a trust-based relationship with end users so that they can be part of the solution of solving some of the most challenging security issues in your organization. So that's the underlying principle. So Kolide is really a product that allows you to put that into practice at scale. And essentially what it does is it actually integrates with Slack specifically, and it reaches out to end users automatically and then actually tells them exactly what they need to do on their device, what might be already wrong. And then when it finds something that's wrong, it gives them step-by-step instructions on how to fix it. But more importantly, it tells them why that thing really needs to get fixed. It's really part education, part resolution, and then it gives them all the things they need to know that they've fixed it properly, and then they're off to do their own little thing. It's really a series of almost micro interactions that we have with users, but it's really effective at really getting them to solve things that simply don't have an automated solution, or it's just much better to get an end user to do it because they learn so much throughout the process. And that's what Kolide is. Yeah.
CAROLE THERIAULT. It's so cool. So, so could an administrator that was using this, are they able to configure some of the messaging, you know, and kind of tweak how it works, or is this all kind of hands-off for them?
UNKNOWN. So we try to make it turnkey as much as possible because we know the hardest part of this is we— is really writing the messages and coming up with the things that you actually want to check for in this new model. So we populate the product dozens and dozens and dozens of checks with really great written messages. Now, of course, you don't like what we had or you have maybe a more specific way that you want something solved, you can edit those messages. Included in the service for free is we will build any check that you want for you so that you don't have to write the rules yourself and figure out all the edge cases. That's part of the service that's included is you tell us really what you're trying to accomplish, and we will sit down and we will write it for you. We'll write the text for you. We'll collaborate on that end. And the reason why we do that and it's included is because there's usually so much value in us taking one customer's idea and then really launching it across all of our customers as a global check that they can all utilize. Sometimes that isn't the case where it's very specific to an org, but most of the time, if one organization really wants something, it's something that every one of our other customers would really appreciate. So that's a big part of what we do. Yeah, we've done a lot of work from a user experience perspective to really make sure that those messages don't feel accusatory. They have a good mixture of education but actionability to them. And we're really trying to thread that needle in terms of not being too overly generic and pretending no one knows how to use a computer, but also not making assumptions about what someone's computer expertise really is. So for example, we have one check that looks for unencrypted SSH keys, which is great because a lot of developers, they'll typically generate a lot of SSH keys, not for just logging into servers, but even pushing code to services like GitHub or GitLab. 
And it's that extra step of generating the passphrase, which encrypts it, that a lot of developers skip. They kind of know they should have been doing that, but they didn't. And so we have a check that reaches out, says, hey, we see you have these SSH keys, they need to be encrypted, and it's really important that we do that. It's really easy to encrypt them. So even if this SSH key maybe wasn't for a sensitive server, it's still worth doing. And here are the exact terminal commands you have to do it. But we don't make any assumptions about someone's experience there. Perhaps someone had to write content for a blog and it's on, you know, it's hosted on GitHub and someone was over their shoulder setting up an SSH key for them. They didn't actually do it and they don't really know what we're talking about. Well, we give them instructions on how to open the terminal. And then when they run the terminal commands to set the passphrase, maybe they have to use sudo and they have to start typing a password and no characters are appearing on the screen. So we anticipate things like that. People might be confused and we give them a little bit of nudge in the right direction that they're still doing it right. And then of course, at the end of every one of our messages, a button you can click that says, okay, check if I did it right. Is this resolved? And then we'll instantly check the device and then tell them, yes, you did a great job. Perfect. Thank you so much. And that is, uh, what makes it happen. Yeah.
CAROLE THERIAULT. I wish we could clone you and moved you into contract law so you could actually simplify terms and agreements across the board.
UNKNOWN. Let's solve this one first, but I tend to agree.
CAROLE THERIAULT. Okay. So say, for example, an endpoint gets this message and they go through all the steps that required and it was a doddle for them. Is the admin or the advisor, are they notified when that's completed or how does that work?
UNKNOWN. Yes, so we track basically the user's progress. And there's also escalation workflows that you can build in as well. So you could say, all right, for this particular one, this is a really critical issue. If they really aren't able to take care of it after a few weeks or maybe even a few days, let's escalate this to the IT team or the security team. And you can do that and actually use Slack as the escalation point so it can ping a centralized channel that you have for all the escalation messages. But we also have a really robust API. Some of our customers are doing some really cool stuff with these escalations. One of them is actually building it in part of their zero trust experience. So if you don't fix some of the most critical issues Kolide is able to find, then they start receiving some warnings when they start signing into services that say, "Okay, hey, your authentication is good here, but your device is not in a really great position from a security perspective." If you can't get it there, we're going to have to start deploying some proportionate consequences. And I think that's a pretty reasonable thing to do. And I think it's a different tone than a traditional endpoint management solution, which is just like, okay, you're locked out of everything, you don't really know why, and then we're going to force the device into this superficial compliance state. I think that that is a much more sort of accusatory. It kind of treats everybody like they're a child. We're in a position where we're giving everybody the opportunity to do what they need to do on the device, follow the rules the security team has set forth, and then only deploy these proportional consequences if you're just not willing to do it. And that, I think, is a really great combination that results in you getting to 100% compliance without the need of any sort of external device classic device management solution.
CAROLE THERIAULT. I can categorically say from my own personal experience, I have been in a hotel where I was so frustrated by the work computer and it blocking me that I went out to the Apple Store and bought with my own money a brand new Mac so that I could kind of tunnel through a different way to get into the work that I needed to work. So I have been that person. And I know a smidge or two about security. But still, that frustration is awful. So the fact that you're addressing this so openly is, I think, really great.
UNKNOWN. That's exactly the keyword, is openly. We can't do our job if we don't have this very open and transparent relationship with the end users. Imagine you got a Slack message from Kolide, and the first message that you got from us was this, "Hey, there's all these problems with your computer. You better get on." You're like, "Whoa, wait a second. What is this thing? Is this even a legitimate message?" Part of what we do is, before we even arrive there, it's about establishing trust. So you have the option, this is the option that we ask all of our customers to implement, to roll out Kolide actually using Slack. So instead of this process where you're sort of blasting it out there using your existing software management tooling and it just sort of appears one day, we actually start off with the Slack message introducing Kolide and then answering people's questions about it before they decide that they're going to enroll the endpoint agent that supports this whole thing. And that's really important because we want people to know precisely in the organization who is going to be able to see the data that Kolide collects, what data is actually collected, but more importantly, what data we would never collect. Even if our own customers held a gun to our head, what do we just absolutely refuse to do? Those are things like, we will not get your geolocation. We will not peruse and store your browser history. We're not trying to create a productivity management tool, so we're not going to give them any insight into how active you are on the device or what window is in the foreground. These are all things codified into our rules of engagement with customer data, and it's very important that the end users get to know that and feel comfortable about installing this thing, before they actually do it. And it's important that they get to do it because then once they've installed the package, they understand now how this whole thing works. 
They understand how we're getting the insights. They know they can revoke that access at any time if they need to, and they're in control. And that is so important to establishing that trust relationship. And then now you have a relationship where you can ask them to do things and they'll do them and they, they don't need any more context. They, they were part of that journey. Versus just something appearing one day and messaging them. That just doesn't work.
CAROLE THERIAULT. Now, listeners, all of you are cordially invited by Kolide to try it out with all its bells and whistles turned on. And this is for an unlimited number of devices for a whole 14 days. There's not even a credit card required. So you can find this at kolide.com/smashing and that's Kolide, K-O-L-I-D-E. Smashing Security. Plus, the wonderful people at Kolide are throwing in a goodie bag. Check it out at kolide.com/smashing. Jason Meller, founder and CEO of Kolide, an honor to speak with you. Thank you so much.
UNKNOWN. Thank you for having me.
GRAHAM CLULEY. Well, great stuff. And that just about wraps up the show for this week. Um, you can follow us on Twitter at Smashing Security, no G. Twitter wouldn't allow us to have a G at the end. We're also on Reddit. Go and check out the Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Spotify, Apple Podcasts, and Overcast.
CAROLE THERIAULT. And huge thank you to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog with more than 264 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Yeah, bye. We'll have a guest next week, I promise. Well, if not, can we not just get a replicant from this app come along? Yes. I don't know if they speak out loud. I think they just— I don't know if they're just typies. They're probably just typing, aren't they?
GRAHAM CLULEY. Aren't they lazy?
CAROLE THERIAULT. No, it's I think it's really interesting. It's a bit spooky.
GRAHAM CLULEY. I want to find one on YouTube. Create your Replika. Someone must have made a little video. Test it. Oh yeah, there's loads of apps here. Is Replika safe? Meet my Replika. I tested Replika for 7 days. This is what happened.
CAROLE THERIAULT. Okay, I'm going to hang up before you get rude. Okay. All right.
-- TRANSCRIPT ENDS --