There's monkey business involving cryptocurrency thieves and MailChimp, a stalker exploits his ex-partner's CCTV cameras, and what are the naughty words Amazon doesn't want its staff using?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Zoë Rose.
Visit https://www.smashingsecurity.com/269 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Zoë Rose.
Sponsored By:
- Keeper Security: Keeper Security’s enterprise password management platform locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization.
- Sign up for a Keeper free trial for your organization today, and get a free 3-year personal plan, at keepersecurity.com/smashing
- Kolide: Kolide is a SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Kolide is perfect for organizations that want to move beyond a traditional lock-down model and move to one where employees are educated about security and device management while fixing nuanced problems. We call this approach Honest Security.
- You can try Kolide on an unlimited number of devices with all its features for free and without a credit card for 14 days.
Links:
- Trezor wallets hacked? Don’t be duped by phishing attack email — Graham Cluley.
- Tweet by Trezor.
- Ongoing phishing attacks on Trezor users — Trezor.
- Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said — The Record.
- Stalker used woman's own CCTV cameras to watch her at home — Liverpool Echo.
- Operation: SafeEscape.
- Work Trend Index: Microsoft’s latest research on the ways we work — Microsoft.
- Research: A Little Recognition Can Provide a Big Morale Boost — HBR.
- 50% of companies want workers back in office 5 days a week — CNBC.
- New Amazon Worker Chat App Would Ban Words Like “Union” — The Intercept.
- Trust No One — Netflix.
- Smashing Security episode 114: Darknet Diaries, death, and beauty apps — Where we discussed the mysterious case of Gerry Cotten and QuadrigaCX.
- Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty — Graham Cluley.
- Hamilton One Essential S1 Magicfold Premium Buggy — Kruidvat NL.
- Infantino 4-in-1 Flip Advanced Draagzak BK-05204 — Bol.
- Cosco Scenera Next Convertible Car Seat, Boulder — Canadian Tire.
- Literature Clock.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. So I wrote about this. Oh, fuck. I've just spilt water all over my keyboard.
CAROLE THERIAULT. Oh, fuck.
GRAHAM CLULEY. Oh dear. Don't panic. Hang on. There's big puddles of water on my desk, Barry.
CAROLE THERIAULT. Oh my God. Do you want to take two minutes to deal with this?
GRAHAM CLULEY. No, no.
CAROLE THERIAULT. Just quickly work one way.
UNKNOWN. Carole, the show must go on. It can't stop for anything. Smashing Security, Episode 269: Trezor, Deep Throat, a CCTV Stalker, and Amazon's List of Banned Words with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 269. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, this week we are joined by a returning guest, someone who hasn't been on the show for a couple of years, but we're delighted to have her back. It's Zoe Rose. Hello, Zoe.
ZOE ROSE. Hello. How are you?
CAROLE THERIAULT. Fabulous to have you back. You are our listeners' favourite voice. So I'm sure many of them are going crazy.
ZOE ROSE. I try not to laugh too hard because I'm not a huge fan of my own voice, but I do appreciate it.
GRAHAM CLULEY. Yeah, there were a lot of people who liked your voice and I think they—
CAROLE THERIAULT. Well, they still do, I imagine.
GRAHAM CLULEY. Well, hopefully.
CAROLE THERIAULT. It's not gone.
GRAHAM CLULEY. Because you've got that weird amalgamation. Everyone's like, where does she come from? What's she doing? I know you've moved about a bit. And the other big news with you, of course, is that since you were on, you've had a child.
ZOE ROSE. I have made a human being. Isn't that shocking?
CAROLE THERIAULT. Incredible though.
GRAHAM CLULEY. Don't go into details as to how you made it. But anyway, so you've— There is a mini Zoe Rose out there now.
ZOE ROSE. Yes, with much more fabulous hair. Oh, it is adorable.
CAROLE THERIAULT. How about we thank this week's sponsors, Kolide and Keeper Security? It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, well, something unpleasant that arrived in my mailbox.
CAROLE THERIAULT. Ew. Okay, Zoe, what about you?
ZOE ROSE. I am also talking about not something super pleasant. It's about a man that has decided to be a stalker.
CAROLE THERIAULT. Oh gosh, okay. And I'm gonna look at ideas from Amazon head honchos on how to boost employee morale. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, I want to tell you about something which happened to me this past weekend. Sunday morning, there I am, I'm thinking, oh, I've got to get out of bed. Another day. Drag myself out from under the duvet.
CAROLE THERIAULT. Is it really that hard?
GRAHAM CLULEY. Well, it's Sunday morning. You sort of think, oh, it's—
CAROLE THERIAULT. You need to put Dolly Parton on when you get up and then—
GRAHAM CLULEY. Really?
ZOE ROSE. Yeah.
CAROLE THERIAULT. Wake up in the morning, stumble to the kitchen.
GRAHAM CLULEY. Oh, very good. Anyway, I stumbled to my office and I saw that I had received an email telling me that Trezor, or I think it's pronounced Trezor, had been hacked. Do you know what a Trezor is?
CAROLE THERIAULT. Well, if it's French, trésor, it's like a treasure.
GRAHAM CLULEY. Oh, oh, maybe that's why they named it that. It is a hardware wallet, something which connects via USB to your computer. And what you do is you store your cryptocurrency wallet on it. So if you don't trust online cryptocurrency wallets, brackets, you shouldn't trust online cryptocurrency wallets because they're getting hacked all the time, then you might choose instead to store it on a USB stick via one of these things, which stores it securely. Now, I've only got about £5 worth of cryptocurrency.
ZOE ROSE. Ooh, you are rich.
GRAHAM CLULEY. So it's not as though it's doing me very much good. But I received this email, which appeared to come from Trezor, and it said, "We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers. And the wallet associated with your email address is within those affected by the breach." Because you have often talked to people about using hardware wallets, right? Absolutely. I think if you, if you're going to dabble in cryptocurrency, it's probably the sensible place to store your wallet as it makes it more difficult for hackers to break in or access it. And this message, which looked pretty legitimate, said that hackers had broken into Trezor's admin servers the day before, last Saturday. And they said, we're looking into this data breach, but we think that there could be a problem for you. So you need to update the desktop piece of software on your computer called Trezor Suite, because otherwise your cryptocurrency assets are at risk of being stolen.
CAROLE THERIAULT. And this came by email?
GRAHAM CLULEY. This came via email. That's right. Came from trezor.us. And I was like, oh, I thought that's, that's a bit worrying. Now, obviously, at first I was thinking, well, it might be real because I do have a Trezor device. So they may well have my email address when I bought it. And I clicked on the link in the message and it took me to what appeared to be the Trezor site. And I thought, well, this is quite a good story. I thought I should write this up for my blog. Quite interesting if Trezor have been hacked.
ZOE ROSE. Yeah, and it sounds like it was quite a professional email as well. Not like the typical poorly spelt, poor grammar. Interesting.
GRAHAM CLULEY. And it's not one of these phishes which is sent out to hundreds of thousands of people who aren't Trezor customers. And I looked online and genuine Trezor customers are saying, I've received this. What on earth is going on? And my spider senses, I've got spider senses. My spider senses were tingling.
CAROLE THERIAULT. That explains all the arms.
GRAHAM CLULEY. I was like, whoa, what's going on here? And I wondered if the email was genuine. I thought, I'm gonna look at it. So I look at it on my phone and it looks like it's taken me to suite.trezor.com. And I thought, okay.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Looks like the Trezor website's got their logo, it's got their branding. But then I noticed something. And I took a really close look, which isn't easy with my eyesight on a tiny little iPhone SE.
ZOE ROSE. I can relate to that.
GRAHAM CLULEY. But I noticed that under the E of Trezor, there was a little dot. And I thought, is that a dot on my screen? Is it just that I haven't cleaned?
CAROLE THERIAULT. Which is very possible because, yeah, exactly.
GRAHAM CLULEY. The cleaning issue. Right. So is it a dot on my screen?
CAROLE THERIAULT. Is it a piece? Yeah, it's dried food.
ZOE ROSE. Or— I can also relate to that because my screen is full of child's fingerprints.
GRAHAM CLULEY. So I wrote about this. Oh, fuck. I've just spilt water all over my keyboard.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. Oh dear. Okay. Don't panic, anybody. So I'm just gonna turn it up. I'm just gonna turn it upside down and put it over here. Hang on. And there's big puddles of water on my desk.
CAROLE THERIAULT. Oh my god.
GRAHAM CLULEY. And I haven't got a drink anymore. Okay. All right.
ZOE ROSE. Oh no.
GRAHAM CLULEY. No, well, let's not worry too much.
CAROLE THERIAULT. Do you want to take 2 minutes to deal with this issue?
GRAHAM CLULEY. No.
CAROLE THERIAULT. Just quickly. We can wait.
GRAHAM CLULEY. Carole, the show must go on, right? We can't stop for anything.
CAROLE THERIAULT. Just don't electrocute yourself.
GRAHAM CLULEY. Zoe's a very important person. She's very busy. We can't—
ZOE ROSE. Okay, but if you die, I would be really guilty.
CAROLE THERIAULT. Is there water where the cables are?
GRAHAM CLULEY. There's a big puddle. There's a big puddle.
CAROLE THERIAULT. Okay, can you please just take care of that? I'm just going to swipe it off.
GRAHAM CLULEY. Hang on, here we go. We're gonna swipe.
CAROLE THERIAULT. Oh my gosh.
GRAHAM CLULEY. 1, 2, 3. Oh, I don't know if you can hear us. Are we? It's very wet here.
CAROLE THERIAULT. Just get a towel, for God's sake.
GRAHAM CLULEY. Okay, okay, I'll get a towel.
ZOE ROSE. I'm responsible for a mini human. I cannot be responsible for you as well.
CAROLE THERIAULT. Exactly. Can you imagine he dies and we have to go to a funeral?
ZOE ROSE. Oh, that would be so much work.
CAROLE THERIAULT. And then it'd be like, well, how did he die? Well—
GRAHAM CLULEY. I'm coming back.
CAROLE THERIAULT. I'm coming back.
ZOE ROSE. He was overwhelmed by Zoe's lovely voice.
GRAHAM CLULEY. Luckily, my office has an en suite bathroom. So I do have a—
ZOE ROSE. Oh, you are fancy.
CAROLE THERIAULT. He is extremely fancy.
GRAHAM CLULEY. Oh my goodness, all this water everywhere. What's this? Okay.
ZOE ROSE. How big was your cup?
GRAHAM CLULEY. It was great big. Oh my goodness. Trough.
ZOE ROSE. Okay.
GRAHAM CLULEY. Right. Okay. So, hello. So, right.
ZOE ROSE. Right.
GRAHAM CLULEY. Right, so yes, there was a dot. Anyway, so I wrote about this on my blog, 'cause I thought, "Ooh," I thought, "No one's really—" I thought, "That definitely isn't the real Trezor website. I don't know what it's downloading, but I thought this is dangerous. I need to warn people, 'cause people are believing this." And so I posted a warning up on Twitter and on Reddit. I linked to my story on my blog, and I found other people had also been posting on Reddit saying, "Hey, I've received this email. What's going on? You know, it could be a bit dodgy." And what was interesting is their messages on Reddit were being downvoted. Someone was choosing downvote, downvote, downvote, downvote.
ZOE ROSE. More than someone then. That would be a lot of accounts for it to make a difference.
GRAHAM CLULEY. Exactly. So, and I thought, why are they doing that? Because this appears to be a genuine warning to people. Who has a vested interest in downvoting a warning about an attack against Trezor users?
CAROLE THERIAULT. People that can financially gain from it. Exactly.
GRAHAM CLULEY. You're so clever, Graham. And then I noticed something else, right? My website was slowing down a lot because as I was trying to update my story about this attack, my website began to time out.
ZOE ROSE. I thought, that's not normal. I'm not that popular. Well, exactly.
GRAHAM CLULEY. At first I thought, oh God, I am so popular. I've been slashdotted, Reddit, they're all coming through to my wonderful article. But I thought my website should be able to handle this. And so I thought, okay, well, I'll just I do is I drop, just drop a line to my web host. So I log in to them, the people who manage my website for me.
CAROLE THERIAULT. Yeah, your hosts.
GRAHAM CLULEY. Yeah, my host, who are hosting hundreds and hundreds of other websites as well. Right. Find out all of their services down as well. And I thought, not just my site. And I thought, that's a bit of a coincidence, isn't it? So I've just written about this attack and suddenly my web host has gone down and my hosts are not in the habit of going offline. I thought, wonder if someone's trying to silence me, just like they're downvoting these other messages on Reddit.
ZOE ROSE. That's really actually quite good. Not only they've got good grammar, very professional email, they've got a whole army of Reddit-ians, I don't know. And now they've got something set up to send off a DDoS. That's interesting.
CAROLE THERIAULT. That doesn't help your relationship with your host very much, I imagine.
GRAHAM CLULEY. I thought I've had that problem with web hosts before. Yeah. Do you think? Don't antagonize them too much. So I went back on Reddit and what I noticed now was that my warning about the scam email, the one which was linking to me, suddenly been massively downvoted by persons unknown. So I thought, okay, there's definitely an attempt to stop people from hearing about this attack that's going on. Did you take to the streets, Graham?
CAROLE THERIAULT. Did you take to the streets?
GRAHAM CLULEY. With a little placard, I went out on the street. I thought, there's no other way to do this. Now Trezor at this time They hadn't said anything, right? There was nothing on their site, there was nothing on their Twitter account. And I wondered out loud in my article, how was it that Trezor customers had been targeted by this scam? You know, had anyone who wasn't a Trezor customer received this email? Had someone hacked Trezor or maybe hacked the service that Trezor used to send out the emails? Maybe Trezor didn't have two-factor authentication in place on their mailing list or what's going on? And it was about now that someone from Trezor contacted me. And he said, look, you know, stop speculating. He said, we haven't done anything wrong. He said to me, what's happened is that Mailchimp, the mailing list service that we use, they are responsible. He said, it's a rogue insider at the firm who has hacked our account and stolen our addresses and is spamming people. And I said, ooh. And he said, can you update your article? And I said, well, I can't update my article at the moment because my site's been DDoSed. I can't log in.
ZOE ROSE. I'm just too popular.
CAROLE THERIAULT. Yeah, and why didn't Trezor go out? Out with that information because they didn't want to be targeted by them?
GRAHAM CLULEY. Well, I said to him, I said, this is really juicy. I said, can I quote you? And he said, no, you can't. I said, well, can I say sources inside Trezor? He said, yes, you can say that. He said, but I don't want my name in it because our official CTO, he's going to want to say something about it and I'll be jumping on his toes.
CAROLE THERIAULT. Should we call him Deep Throat then?
GRAHAM CLULEY. Let's call him Deep Throat. I was able to eventually update my website, although it was still very slow to say Trezor saying, it's not them, their Mailchimp account got attacked by an insider inside Mailchimp.
ZOE ROSE. But if they already know that, they should be warning their customers.
GRAHAM CLULEY. Well, thankfully at that point then they did. So shortly afterwards, they did post something up on their Twitter account.
ZOE ROSE. Ah, your little placard going into the streets worked. Exactly.
CAROLE THERIAULT. And how much time has passed now since you've published the article and all this has happened?
GRAHAM CLULEY. Oh, a few hours.
CAROLE THERIAULT. A few hours. Okay, so this is a few hours of work.
GRAHAM CLULEY. And it was a Sunday. You know, and so, you know, it's not too bad. They're not going to beat them up too much. And on Monday, Mailchimp said that their service had been compromised targeting crypto companies. And it's unclear a little bit as to whether it's a Mailchimp employee or whether a Mailchimp employee had their account breached. But what Mailchimp are saying is that a hacker accessed internal tools at Mailchimp, accessed over 300 Mailchimp accounts used for sending out mailing lists for companies in the cryptocurrency and finance industry. So not just Trezor, but hundreds of other companies. And the hacker ended up exporting the main list for over 100 of those mailing lists to do whatever they wanted.
ZOE ROSE. That is quite clever. Yeah.
GRAHAM CLULEY. So it may not just be a Trezor thing which is going on there. Right. There may be subsequent attacks which are gonna happen, which may look like quite plausible messages from your crypto company or your crypto wallet firm or whatever it might be. Trying to trick you.
ZOE ROSE. Yeah, and also, who's likely to go to the police when they lose, you know, for your example, £5? You're not going to do that. Well, if you did actually lose it. £5, maybe not.
GRAHAM CLULEY. But I fortunately didn't install the software which this email was telling me to install. Yeah. But I did hear from people who said they had literally had their entire cryptocurrency investments absolutely raided. And so they have nothing left. And some people— Really? Yep. Some people told me that they lost everything over the weekend. And what a poop storm as well for Mailchimp. Well, yes, obviously a lot of companies who have been affected by this breach are going to be concerned. And I would hope that those crypto companies are going to be contacting their customers and saying, look, your details may have fallen into the hands of hackers, so be on the lookout for phishing attacks and who knows what.
ZOE ROSE. And from the boring perspective of, you know, in my job I have to deal with not so fun stuff like supply chain and that. And I'm not going to lie, if I was a cryptocurrency company, I wouldn't probably value Mailchimp that high on my making sure that they meet, you know, some security standard. So I could see that there's a bit of a kind of, um, what am I trying to say? There's a bit of a gray area of who's going to be held responsible. One, Mailchimp, did they have the right controls? Right. Two, the cryptocurrency, did they do their due diligence there?
GRAHAM CLULEY. Yeah, it is unclear because Trezor say it was a rogue employee inside. Mailchimp are saying hackers accessed internal tools. It's unclear whether it may have been a legitimate employee who was socially engineered maybe into giving access to someone else. Yeah, totally. Yeah, which is— It's a gray area for sure, but clearly less than ideal. Yeah. What's going on?
ZOE ROSE. Not ideal, yes. That's a very British way of putting it.
GRAHAM CLULEY. Fortunately for me, I didn't lose any money. More damage spilling the water over my desk. Um, Zoe, what story have you got for us this week?
ZOE ROSE. Um, mine is also not so lovely. Uh, it's regarding a man that, uh, was dating someone. They broke up and he was not too happy about that, and he had previously installed her CCTV system and was watching her on it.
CAROLE THERIAULT. Oh, like after post-breakup, like not telling her, just stalking her basically through the camera.
ZOE ROSE. Yes. And then she went on holiday, and so he let himself into the apartment, uh, and, uh, as you do, you know. And even worse is he took pictures of her flat and then when she came back, sent them by email to her. Without context, just pictures of her flat.
CAROLE THERIAULT. Like, what is this, from an anonymous email address? It was. Aha. So he hid his identity.
GRAHAM CLULEY. That's the way to endear someone, isn't it, to you?
CAROLE THERIAULT. You know, a great way to win someone back.
GRAHAM CLULEY. Yes.
ZOE ROSE. And then, yeah, yeah. And then claimed it wasn't him. But when he was interviewed by police, I think he originally had said, um, he had been sent them by somebody and he was sending them on to her because he was concerned, you know. He was concerned for her safety, but he obviously admitted to being the one that took the photos and sent them later when he was interviewed by police. Unfortunately, I've been in a very similar situation. Um, I won't give the full details. It wasn't CCTV and it wasn't photos of the flat, but it was, um, access to, um, one of my accounts, and it was, um, there were pictures involved. I'll give that detail many years ago. And, um, so I've been in that lady's position. Oh my gosh. And it's, it's a sense of control. It's, it's not even— it's not— a lot of people were like, well, that just doesn't seem logical. Why would he take those photos and then send it to her? Because he's clearly showing he's done something, you know.
GRAHAM CLULEY. Do you think it was more a sort of— I'm just trying to get into his head. Do you think it's more of a 'Look what happens when I'm not around. Someone's able to hack into you. If only you had a big manly burly boyfriend who could protect you from this person who's breaking into your house and taking photographs.' Do you think that's the thinking, or— It could be.
ZOE ROSE. I mean, from my experience of investigating these types of incidents, because I do volunteer for an organization in America called Operation Safe Escape, and it's about survivors leaving or have left domestic abuse situations, relationships, and a lot of the times it's a sense of control. It's not logical. It's— in some cases it may— Graham, you may be right— it may be, look, I could have protected this, or look, you're extremely vulnerable, but it also is, you know, I can still control you.
CAROLE THERIAULT. It's a total mindfuck too if you're being targeted, like holy moly.
ZOE ROSE. Yeah, I think from my kind of experience of being the person that's been in that situation, it's terrifying, even if I know what's behind it. Even, for example, in my situation, the person had access to my email account. I knew how to get him off of it. I knew how to check if he still had access, but it's still terrifying because what else does he have access to? Our lives are so online. In her case, it's her bloody CCTV. Like, I think they actually say in the article she had unplugged it knowing he had access to it. When he went in when she was on holiday, he plugged it back in, which is how she knew he was in the flat. Right, so what should you do, Zoe?
GRAHAM CLULEY. I can understand, you know, if you've shared your email password with somebody and you've then broken up— you shouldn't probably share your password anyway, but if you have done, obviously change it. But are there other rules and guidelines and pieces of advice you can offer people?
ZOE ROSE. Yeah, I mean, there's two sides to it. Because it's domestic abuse and violence related, I want to be very clear that sometimes removing the person's access is not the right call. Uh, sometimes it's actually, um, leaving their access because it can escalate, especially if they have intimate access to you, like they're in your home, right? Um, but if it's that you have physically left the situation, most of the time the advice I give is start over, get a new account or get a new phone. Because you never know, especially if you're not a tech person. However, when it comes to things like, you know, you're a bit, a bit more confident, maybe you have an organization like Safe Escape to support you. It would be things like ensuring MFA is in place, multifactor authentication, ensuring you have a strong password. In my case, I did not give them that password. Actually, it was so long ago, I don't even know how he got it. But I'm a security person and I made a mistake and he got it. No matter how much you do, this can happen. It's just being aware of what information you have online and also being aware of what information can be seen in your email.
GRAHAM CLULEY. There's obviously a physical security aspect to this as well because the guy was able to re-enter the house. He must have had a key or a PIN code or something. Scary as fuck.
ZOE ROSE. Scary, scary. It doesn't specify in the article how he got in, I'm making the assumption he had a key because it doesn't say he broke anything, but yeah, that goes to the what's left over. I remember years ago where somebody had put a camera up in their ex's house and the camera was in a private room, you know, so they want control, they want to use anything that they can, and they'll use things that are what you would never imagine, like CCTV accessing your email, or, you know, putting cameras up. So it is, it is scary, but I think the biggest thing is just knowing what you have in your environment, and, um, I suppose figuring out if you can secure it or if you need to remove it. Yeah.
GRAHAM CLULEY. So what's happened to this chap now?
ZOE ROSE. He did receive 12 weeks prison term, um, which is not much, but it's something.
GRAHAM CLULEY. I think, Zoe, his prison term has been suspended for 2 years. So, I don't think he has spent any time in prison.
ZOE ROSE. Oh, so I think—
GRAHAM CLULEY. Did I read it wrong? Yeah, I think if he misbehaves in the next 2 years, then he'll have to serve 12 weeks.
ZOE ROSE. Bloody hell. Okay, I'm not as positive now.
CAROLE THERIAULT. 2 years suspension. It's kind of really, I think, frightening. I don't know if it's just from a female point of view, but the idea that you can be kind of terrorised, like mentally terrorised in that way. And then it's not considering—
ZOE ROSE. You don't feel safe in your own home, and he gets two years suspension. And the article made it sound like they got a restraining order and they— he has to do volunteer unpaid work. They made it sound like that was such a big deal.
CAROLE THERIAULT. Yeah, like loads of us don't do it.
GRAHAM CLULEY. Yeah. Has to do some community service, like, oh, here is a house which needs to change its locks, so maybe you could change its locks for it. Something like that, which will work really, really well. And we cause any problems in future.
CAROLE THERIAULT. And a mega takeaway in all this as well is like, don't assume the default security settings are best for you. Yes, right. They're not the recommended ones. They are the ones to make it as easy as possible for you to get up and going and running, not necessarily the best.
ZOE ROSE. So go through those settings please when you get a new device that you plug in, especially when it comes to CCTV, because I know of somebody that had a lot of money. CCTV is closed circuit TV, I think is what it actually stands for, but that doesn't mean that it's actually doing what it's saying it's doing. Because a lot of them, they're actually online, they're available, um, on the internet. Yeah. So make sure that what you set up is actually doing what you think it's doing, not just that the default of is it secure, but also is it accessible, uh, for people that you weren't expecting, let's say.
GRAHAM CLULEY. And if you've split up with someone, just don't be a dick, right?
ZOE ROSE. Yeah. I think in this case, when it comes to Stephen King, I think there's a lot of control. It's a lot of possibly mental health issues. You know, there's a lot going on there, but that doesn't excuse his behavior. Like, yeah, please don't be a horrible person. At the very bare minimum, please don't be awful. Yeah, I'm with you.
GRAHAM CLULEY. Much more nicely put than I said. Carole, what's your story for us this week? Okay.
CAROLE THERIAULT. So we're gonna start off with Microsoft because they recently put out some research all about the state of the office post-Rona or mid-Rona, wherever we are in the whole Rona thing. And they interviewed something like 3,000 different business leaders. And half of these leaders intimated that their company already requires or plans to require full-time in-person work. In the year ahead.
GRAHAM CLULEY. You mean people actually in the office? Is that what you mean?
CAROLE THERIAULT. Yeah, bums on seats. Oh, really? Bums on seats. And they also said that time spent in meetings for the average team since February 2020 has increased over 250%. Oh, that's a good thing, isn't it?
GRAHAM CLULEY. Because we needed more meetings. Yeah, I know. That's excellent. I'm glad we've made progress with that.
CAROLE THERIAULT. But if you, if you think about that, it's then perhaps no surprise that 50% of employees are more likely to prioritize health and well-being over work since the pandemic, and that 52% of Gen Z and millennials are thinking about looking for new work during the next 12 months. Interesting. All these stats are concerning, not just for employees, but for companies, right? Both large and small, they have to figure out a way to work with, like, strained budgets and a stressed-out workforce and a lack of resources. And one of the big questions is, what can companies do to boost morale without breaking the bank?
ZOE ROSE. Yeah. I have a suggestion. Is it croissants? It is not. It is not. It is maybe possibly listening to what the workers actually say they want.
GRAHAM CLULEY. Oh, what a namby-pamby kind of thing to do. The last thing you want to do is ask people what they want. Well, I don't know. There's various ways to cheer up staff, isn't there, in the office? I mean, you could hire some mimes, for instance.
ZOE ROSE. Would that make you want to stay at a company that doesn't listen to anything you say?
GRAHAM CLULEY. No, no. It would be horrific. I don't know, just treat me like a normal human being. Don't treat me like I'm an idiot, I think is the general rule.
ZOE ROSE. So treat you like a respectable adult, essentially. Don't be rubbish.
CAROLE THERIAULT. Yes, yeah, yeah, don't be rubbish. Interesting, because the Harvard Business Review published an article recently saying this is how someone might boost morale if they don't have any financial kickback to offer, financial bump. And one is like public recognition. So basically McDonald's Employee of the Month kind of thing, right?
ZOE ROSE. Which, to be fair, to be fair, if we look at intrinsic motivators, sometimes people are motivated that way. Yes, sure. Feeling, you know, like you're making a difference.
GRAHAM CLULEY. But you can also, you can also be demotivated, can't you? Because you can think, why has Bob Middleton been promoted as employee of the month when I know he's useless at everything, can't even carry wood, and he's just a waste of space who we need to get rid of. And for some reason, the bosses have decided he's brilliant, and they have not seen the enormous amount of useful, positive work which I have done this month. You know, you could be demotivated by that kind of scheme, couldn't you?
ZOE ROSE. Oh, completely, completely. I would be absolutely angry of, oh, I can get an Employee of the Month, but I can't work from home, which I've done for 2 years. Right? Right?
CAROLE THERIAULT. What would you say to another one that they recommend is sending thank you notes to your home address? So you'd have like, you know, Dear Zoe, we just want to say that you're such a star. Thank you so much for showing up every day and doing all the stuff you do. Signed, the CEO or someone.
ZOE ROSE. The question Does this thank you note include stickers? Because I may be swayed.
CAROLE THERIAULT. Yeah, there's not a fiver in there. I want at least a few stickers.
GRAHAM CLULEY. You know what I say? I say kind words don't butter parsnips. If you want to cheer me up, if you want to boost morale, then come on, get some money out of your pocket.
CAROLE THERIAULT. They don't have any money!
GRAHAM CLULEY. Slap it— Well, they've got enough money. They've got enough money. Yes, they've got enough money to post you compliments and stickers, or they've got enough money to praise Bob Middleton and frame his photograph on the wall.
ZOE ROSE. Who is this Bob that you're so obsessed about?
GRAHAM CLULEY. You'll find him on LinkedIn. I'm going to look.
CAROLE THERIAULT. Graham, it's interesting because, you know, other companies like you were not really moved by these symbolic rewards that I was talking about. Right. And one of those people is Amazon, right? Because they want a more innovative, more, you know, modern, approach to dealing with this type of thing.
GRAHAM CLULEY. Are they rating their staff out of 5? Out of 5? Hot or not? Star rating. No, it's just like, would you recommend this employee to your friends? Is it something like that?
ZOE ROSE. They're giving people star ratings. I could totally see them doing that. Is that what they did?
CAROLE THERIAULT. It's close, close. So according to The Intercept, and this is according to sources on the inside, last November, Amazon top executives had a little chit-chat about creating an internal social media program. So, and this, this, this social media program would allow employees to recognize co-workers' performances with posts called shoutouts.
ZOE ROSE. You can get that on LinkedIn though, right?
CAROLE THERIAULT. But maybe you don't own all the content then. I don't know.
GRAHAM CLULEY. You don't want a shoutout. You just don't want to be paid minimum wage by a guy who's the richest chap on the entire planet. Jesus. Going up into space on his pneumatic penis thing. It's just, you just want some money. Just pay me properly and then I'll be motivated.
ZOE ROSE. Yeah, I agree with that because I think a lot of people are like, oh, I do my job. I'm not motivated by money. Full disclosure, I'm motivated by money because I have a family and I would like to eat. Absolutely.
CAROLE THERIAULT. Are you sure that I can't sway you because they have a gamified reward system inside their internal social media system here? Where you get virtual stars, not real ones, unfortunately, because that would be cool, but you get virtual ones and badges, which is practically a sticker, Zoe, practically a sticker for activities that add direct business value.
GRAHAM CLULEY. If you paid me more money, I could buy my own stickers and possibly my own star as well.
ZOE ROSE. Oh, actually, you can. That would be a good idea. The underlying thing is you have to meet your employees where they are, and if they're starving or if they can't pay their bills, or if they're working to the point of exhaustion, I don't bloody care how many stickers you give them or digital versions.
CAROLE THERIAULT. So you're not sure an intranet's going to help reduce employee attrition and foster happiness? Because they're pretty convinced, right?
ZOE ROSE. But who's the people that are convinced? Yeah, the people that have enough money. They have enough money and don't understand why people aren't being, you know, so thankful that they bothered to give them any money. Well, I don't know.
CAROLE THERIAULT. I think you guys are being short-sighted because these top Amazon execs, right? The kingpins here are going to keep employees happy and productive so they won't look elsewhere for work. But let's assume this person at the meeting, I don't know, we'll call them Bob, right, Graham? Bob. Okay. Yeah.
GRAHAM CLULEY. That's where Bob ended up, right?
CAROLE THERIAULT. Bob at the meeting says, "Hey, hey, Zoe, Graham," because you guys obviously are top execs at the meeting. They're like, "How do we stop disgruntled employees from basically complaining?" screening on the internet, right? How do you do that? Like, you know, because obviously negative blocking keywords—
ZOE ROSE. Good bingo! They always do that.
CAROLE THERIAULT. I have provided you guys inside the document the list. These are the words that apparently were being considered to be blocked. For this is dumb. This is dumb. Yeah. Now I have to say Amazon have contested saying, well, you know, if this whole you know, uh, social network does go live, uh, not all these words are going to be blocked.
ZOE ROSE. So like, you know, I can still say rubbish.
CAROLE THERIAULT. What is TOT? What does that mean?
ZOE ROSE. I don't know.
CAROLE THERIAULT. I looked it up and I was just like, have you tried Urban Dictionary?
GRAHAM CLULEY. That's normally quite good.
ZOE ROSE. I might be too old, I don't know. The second one is union.
CAROLE THERIAULT. Yep. I don't care, for example, is a phrase that apparently would be flagged. And what they're saying is that it's called like auto bad word monitor, quote unquote, and it was devised like it's effectively a blacklist that would flag and automatically block employees from sending messages that contained inappropriate keywords. And this is beyond obviously swear words or inappropriate, you know, language. These are kind of like the word prison, for example. Yeah. Right. Or ethics, interestingly, is in there.
ZOE ROSE. Ethics is blocked. Maybe it's because they don't want somebody to say, "This isn't ethical." Yeah, they don't want any ethics on the internet.
CAROLE THERIAULT. It seems ethical's okay though. Ethical might get through. Oh, okay.
ZOE ROSE. Maybe the trick is just not speaking American English, and then you can say anything.
GRAHAM CLULEY. Or maybe being really bad at spelling. If you spell ethics with a K. Oh, maybe. For instance, ethics. You know, or with two double F. F-X, in fact. Oh yeah, that's very clever. I was thinking along the same lines, right?
CAROLE THERIAULT. You'd have to start kind of working on your writing or language skills to get— and I think you guys are both very good writers. So if I wanted to communicate in this intranet, "I fucking hate working here," what could I say instead?
ZOE ROSE. I'd pop over my thesaurus.
GRAHAM CLULEY. I love working at Amazon, brackets, not. Are you allowed to use the word not?
CAROLE THERIAULT. Yeah, I don't know, maybe.
ZOE ROSE. It's not on the list. So TOT, according to slang for old people, I think, on Google, is texting on the toilet. They also blocked restrooms, so that possibly could be it. But they didn't block the loo. So I really think just spell things in the British spelling and use a lot of parentheses.
GRAHAM CLULEY. Or just being I mean, you know what I would do? I'd just be very, very sarcastic. I'd just be so over-effusive with praise. I cannot begin to tell you how much I adore our overlords at Amazon and how they bring lightness and wonder to my life.
CAROLE THERIAULT. Yes, or you could do analogies like, working here is as glorious as being Jeff Bezos's personal proctologist, for example.
ZOE ROSE. That's perfect. I would, I would say something like, um, oh, you know, I had to miss my child's, you know, big development stage thing, but it's okay because working here is my favorite thing in the world. Just something as simple as that because it sounds very positive. Yes, yes, I would definitely choose working here because I love it so much. They've got representation blocked. Wow. They've really put some thought into this.
CAROLE THERIAULT. Well, Amazon are saying, look, look, look, there's no promises we're even doing this. We'll see what happens. It was scheduled to launch later this month, so we will see. If any of you listeners wanna see the list of words, I have a link to the Intercept article as well to a number of articles. Just let you know that all's great out there. Everything's wonderful.
ZOE ROSE. I'm just gonna say, if they put half as much thought into their incentives as they did into this bloody list, they may actually have a couple of happy people.
CAROLE THERIAULT. Yeah, I'm not sure this is the way to make people smile. Yeah, I think I agree with you on that one.
ZOE ROSE. Blocking pay raise? No, that says it all. They're even blocking diversity, that, that really says something. Mm-hmm.
GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. So imagine this scenario. You're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for. Now, listeners would never send passwords over email or Slack. But what about your coworkers? How many organizations out there are sending logins back and forth in plain text? Worse yet, how many just store all of their logins on a shared spreadsheet? We all know that human errors are the biggest threat to your organization's security, but did you know that weak or stolen passwords account for over 80% of all data breaches? There are tools out there that allow you to share credentials, set access permissions, and monitor the dark web for stolen logins. Keeper Security's enterprise password management platform does just that. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented zero-knowledge encrypted vault, and it takes less than an hour to deploy across your organization.
Sign up for a Keeper free trial for your organization today and get a free 3-year personal plan. VPN. So get started by visiting smashingsecurity.com/keepersecurity. That's smashingsecurity.com/keepersecurity. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
ZOE ROSE. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is a little bit security-related because we have discussed this case on the podcast in the past. It's related to the extraordinary story of QuadrigaCX and the death of Gerry Cotten, the company's CEO. If you don't remember, tune in back to episode 114 of the Smashing Security podcast. I knew that off the top of my head where we talked about that case. It is now a Netflix documentary. It's called Trust No One, which you can go and check out. What happened with QuadrigaCX was that they had— they're a Canadian— oh, they're Canadian. Oh, they must be amazing then. Cryptocurrency company who were storing a large amount of money. And what occurred was this chap, Gerry Cotten, went on holiday to India and then he died, or so the company said. And allegedly only Gerry Cotten knew the password which could unlock the cold wallets into which people had put their entire life's savings. So it's a very interesting story at the time. And there were, of course, investors who were deeply disturbed. Some of them you will see in the course of this documentary, very worried about what happened to their money and were thinking that there was some kind of conspiracy going on. I'm not going to spoil anything about the documentary for once.
CAROLE THERIAULT. Good. You don't normally spoil them. You're normally very good at setting it up.
GRAHAM CLULEY. Thank you. Oh, thank you very much. But I thought it was quite interesting. And so I am going to recommend The Netflix documentary Trust No One. Go and check it out, and it is my pick of the week. Nice.
ZOE ROSE. Zoe, what's your pick of the week? Um, yes, so my pick of the week is actually a couple of things. Um, so instead of a go-to bag, or, you know, an emergency bag for whatever incident you're investigating, being a mum, I now have a go-to travel bag for traveling with a child. And you mean traveling, traveling, you don't like going down to Sainsbury's? No, no, I mean traveller, traveller. Um, so I've travelled with my daughter, um, from— I don't remember the first time she moved or she went to a country, but I think 4 countries now. Um, and this is not small travel, this is like not just popping over to Germany because I'm in Holland. She's about 1 year old, right?
GRAHAM CLULEY. So you've done a lot of countries in a short period of time.
ZOE ROSE. Correct, yes. Um, this is also going over to you know, across the pond to North America when she was about 6 months old. So it's been a bit of a journey, and this is traveling by myself with her as well. Wow.
CAROLE THERIAULT. So what, so what's in your travel bag then?
ZOE ROSE. So the most important things are not the small things, not like— I mean, obviously clothes are important, you know, she's a child. Yeah, those are good. Bottles, you know, those are helpful, but the main points that I think are really key is instead of carrying— because carrying a pram or having a pram with you, or if you might call it a buggy or stroller, I think is the other term, one that's collapsible, so easy to fold down so that they can put at the bottom of the plane and it's light, is key. But also if they break it or lose it, replacing it isn't that difficult because— Oh yeah. Yeah. Well, I've got two prams. Yeah. I've got my travel one and then I've got my main one and the travel one I actually like more, but it costs maybe a third of the other one. Uh, so if it gets broken, not a big deal. Interesting. The other thing that is important is a carrier for the, for my daughter, uh, whilst I'm in the airport. So instead of carrying her in the pram, I actually strap her to my chest essentially. Because that leaves my arms open. I don't have to deal with a crying baby wanting to be picked up. And also, you know, it's just, it's just way more convenient. And then on top of that is a light car seat because the car seat that I have in the car is bloody heavy. I'm pretty sure it weighs the same as me. So this is a specific car seat that is actually cleared for air travel. So if you do want to like take it on the plane for children that need their own seat, but also when even, even if you're checking it, you know, walking it in the airport and to the taxis is not going to break your back.
GRAHAM CLULEY. So that sounds very useful. So we'll include some links in the show notes for people to check out your recommendations for these.
ZOE ROSE. These are just suggestions of what I've used. They're not necessarily the best out there, but whatever it is that works for you, mainly just the foldable and light.
CAROLE THERIAULT. And Graham, are you a little jealous that there isn't a man-sized, um, you know, well, baby seat for me?
GRAHAM CLULEY. Yeah, man seat.
CAROLE THERIAULT. You can bring your La-Z-Boy with you on the plane. That would be marvelous, wouldn't it?
ZOE ROSE. If I find one, I will let you know, Graham.
GRAHAM CLULEY. Good luck finding one in my size.
CAROLE THERIAULT. Carole, what's your pick of— Oh, I have a really sweet pick of the week this week. It comes from one of my very good friends, Andy, and she just shared this with me. I don't even think it's very new, and you guys might be aware of it, but it's new to me. So it's called Literature Clock. It was made originally for the eBook Collective, but there's now also a website that does it. It basically grabs snippets from literature that include a timestamp that aligns with the one that is currently in your time zone. So for example, when I was looking at it today, it just comes up on the website, it says, "It's 12:33 now and I could do it. The station is just down that side road there." And that's from Five Red Herrings, Dorothy L.
GRAHAM CLULEY. Sayers. Ah, Sir Peter Wimsey. Lord Peter Wimsey.
CAROLE THERIAULT. Yes, and then it's not every minute it updates, but every few minutes. Sometimes it's every minute, sometimes every two minutes, because obviously they've gotta find the right quote, and they add these in and it just refreshes. And it's quite a nice backdrop to either— you can go visit online or to your e-reader.
ZOE ROSE. Oh, that's lovely. That's very cute.
CAROLE THERIAULT. I think it's a Dutch tech journalist called Jaap Meijers and the English newspaper The Guardian, and it's their brainchild. So it's a perfect site to send to any book lover in your life. Right, so it's called The Literature Clock. It's my pick of the week. Links in the show notes.
GRAHAM CLULEY. Oh, I don't know if I'd go to it again. I mean, I think it's very cute, but would you go to this on a regular basis, Carole? Would you?
CAROLE THERIAULT. I just— I went to it out, like, you know, right after it was like, "Died 5 minutes ago, you say?" he asked. His eye went to the watch on his wrist. "12:43," he wrote on the blotter. And that's like Agatha Christie. So you get some good books as well, like, you know, I think I, I quite like it.
ZOE ROSE. I, I also think, you know, it's, it's well thought out. It's got a dark theme. I also like the skip quotes marked not safe for work.
GRAHAM CLULEY. Yeah, exactly, exactly. I only want the not safe for work ones.
ZOE ROSE. Oh, nice. Maybe that's version 2.0. Um, but no, I think that'd be cute to just have sitting in the background even. That's quite lovely. There you are.
CAROLE THERIAULT. That's my pick of the week.
GRAHAM CLULEY. Very good. Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
ZOE ROSE. Um, they can follow me on Twitter @RoseSecOps, uh, or they could check my website, which is just rosesec.com, which would link to my Twitter, but that's okay. Cool.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter must have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. You should follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Overcast, and Google Podcasts.
CAROLE THERIAULT. And huge thank you to this episode's sponsors, Kolide and Keeper Security. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 200 episodes, 268 episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye, bye, see ya, wouldn't want to be ya. I know I would, I would.
ZOE ROSE. You guys, the timing is perfect because my daughter is now home.
GRAHAM CLULEY. Uh, thank you so much, Zoe.
CAROLE THERIAULT. Yes, you gave us your free hour and we're so grateful.
ZOE ROSE. She is now licking the ferret cage.
CAROLE THERIAULT. You didn't even bring up ferrets on the show. People will think you've given up on them.