Trouble brews with the Tim Hortons app, Mandiant gets in a tussle with a Russian ransomware gang, and should good faith security researchers be at risk of prosecution?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist's Geoff White.
Visit https://www.smashingsecurity.com/278 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Geoff White.
Sponsored By:
- Snyk: Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
- Get started right now, with a free forever account, at snyk.co/smashing
- Kolide: Kolide is a SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Kolide is perfect for organizations that want to move beyond a traditional lock-down model and move to one where employees are educated about security and device management while fixing nuanced problems. We call this approach Honest Security.
- You can try Kolide on an unlimited number of devices with all its features for free and without a credit card for 14 days.
- Bitwarden: A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.
- Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.
Links:
- Double-double tracking: How Tim Hortons knows where you sleep, work and vacation — Financial Post.
- Report: Tim Hortons collected location data without consent — The Register.
- Joint investigation into location tracking by the Tim Hortons App — Office of the Privacy Commissioner of Canada.
- Mandiant: “No evidence” we were hacked by LockBit ransomware — Bleeping Computer.
- Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act — Dept of Justice.
- DOJ: Congress looked into CFAA updates but effort was stalled by extortion concerns — The Record.
- The (still) unanswered questions around the CFAA and ‘good faith’ security research — SC Magazine.
- Sex Education — Netflix.
- Forest fr1ends — Twitter.
- Inch Calculator.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. And it also knew every time it thought he might have entered a competitor's premises. Shut up! For real, if you went to KFC or Subway or Starbucks or McDonald's, it knew about it.
CAROLE THERIAULT. Do they call you up and go, "What are you doing?" And you're like, "I'm just getting a chicken drumstick. No coffee, I swear, no coffee."
GEOFF WHITE. Not as good as our donuts.
UNKNOWN GUEST. Smashing Security, episode 278. Tim Hortons, avoiding sanctions and good faith security research with Carole Theriault and Graham Cluley.
GRAHAM. Hello, hello and welcome to Smashing Security, episode 278. My name's Graham Cluley.
CAROLE. And I'm Carole Theriault. And we are joined today not just by podcast royalty, but also author extraordinaire. It's The Lazarus Heist's Geoff White. Hello, Geoff.
GEOFF. Hi, Graham. Hi, Carole. How are you guys?
CAROLE. Fantastic. Now, you're launching your book in two days or today?
GEOFF. Yes, Thursday the 9th. Depending on when people are listening, it could be in the past. But Thursday the 9th is the key date for that, yes.
So what is this book about? What's it called, Geoff? What's it about, for those who don't already know?
GEOFF. The book is called The Lazarus Heist. It's the inside story of North Korea's cyber war. It's how North Korea became a sort of global cyber threat and the sort of really bizarre activities that North Korea's hackers get up to and the kind of bizarre relationships they have, not just with organized cybercrime, but with organized street level crime.
It's got, I don't know, hapless philanthropists in Sri Lanka, Instagram influencers in Dubai, shonky Japanese used car salesmen. It's got it all. It really does.
It's going to be a movie. It's probably going to be a documentary at some stage, but yeah.
GRAHAM. So the Lazarus Heist started out as a podcast, but there's much more than what was in the podcast in the book, isn't there?
GEOFF. That's right. So basically the podcast is still on BBC Sounds. Sorry to promote an alternative platform.
But BBC Sounds, Lazarus Heist podcast, still there. Series one stopped last year. And that narrative of that podcast kind of ended in 2017 with WannaCry, which probably needs no introduction to your listeners.
So then there's five years more hacking to cover. A lot of that's in the book. All of the stuff they did with ATM jackpotting, making cash points spew out cash around the world.
Cryptocurrency, the huge, huge, huge cryptocurrency attacks they've been involved in. All that's in the book. It's great.
Then after I finished the book, there's a whole bunch more stuff they did, including the recent Axie Infinity Ronin Bridge $625 million hack. It's been attributed to North Korea. What's useful is all that stuff isn't in the book.
Very recent stuff isn't in the book, but we're working on series two of the podcast, which is going to be out later this year.
CAROLE. Oh, cool. You chose the right pony, Geoff White, eh?
GEOFF. A horse that keeps kicking. I wish they'd kind of just stop for a little while so we could all catch up. Because whenever we close, you know, you finish the book or you finish the series or whatever, they keep going on doing more stuff that's attributed to them.
So I just wish they'd have a little hiatus while we catch up.
GRAHAM. Now, anyone listening who enjoyed your previous book, they know that this is going to be another great read from you. Crime.com, wasn't it, your previous book?
GEOFF. It was, yes. Yes, yes.
GRAHAM. So anyone who wants a copy of this book, this book is called The Lazarus Heist?
GEOFF. It is called The Lazarus Heist, yes.
GRAHAM. Okay. Anyone who wants to read this book, we are able to offer a free copy to a lucky winner. What we're asking people to do is if you email us at with the subject line Lazarus, because we want our email to be able to find other emails.
So you have to use the subject line, Lazarus, and explain why you want to read Geoff's book. We will pass your messages on to Geoff, and he will choose a winner who will get a free complimentary copy of the Lazarus Heist book. Hot off the presses.
GEOFF. I will even sign it. How about that? I will sign the thing, which is weird, because I didn't realize this.
When you sign it, you cross out your name on the title page, and then you sign underneath it.
GRAHAM. Oh, really?
GEOFF. And the other day, somebody said, "Why have you crossed out your name?" And I had to say, "Well, that's kind of how you do it." I didn't know that either, though. I just think it's a bit weird because it looks like you're going, "No, I did not write this." And then below saying, "Yes, I did." Very weird.
I changed my mind. I did write.
CAROLE. Today I learned, you see.
GEOFF. But I have to say, one thing I am looking forward to about launching the book, and this is going to sound slightly strange, is I'm really looking forward to not having to talk about the sodding book anymore. Because I really, that will come as a shock to people who've been looking at my social media as I relentlessly plug myself and the book.
But I don't like this stuff. I'm not a marketer and I do it through gritted teeth. So after the book's gone out, you can quiet down a bit.
You don't have to mention it at every breath.
GRAHAM. So, Carole, what have we got coming up this week?
CAROLE. Well, let's thank this week's sponsors, Bitwarden, Snyk and Kolide. It's their support that help us give you this show for free.
Now, coming up in today's show, Graham, what do you got?
GRAHAM. I'm going to be telling you all about a misbehaving app.
CAROLE. Geoff, what about you?
GEOFF. I'm going to be taking a somewhat circuitous route around the Evil and LockBit ransomware gangs. Ooh,
and there's been a cybersecurity policy change in the US of A, and I'm going to tell you all about it. All this and much more coming up on this episode of Smashing Security.
GRAHAM. Now, chums, what has Canada ever done for us?
Outrageous. Celine Dion, there you go. Celine Dion, I'm just going to put that out there for goodwill. Celine Dion. What has Canada ever done for us? Leonard Cohen. Okay, Leonard Cohen. Other than Leonard Cohen? Michael J. Fox. Mike Myers. Tar Sands.
GEOFF. Is Tar Sands a third thing called Tar Sands? Don't they... getting tar from sand? That sounds impressive. I can't even remember his name. Star Trek. Numero...
CAROLE. Uno. Shatner. Shatner! How can you forget Shatner's name? I don't know, I just did.
GRAHAM. So you might think from that that Canadians are lovely people.
We are. Right, Carole? You might think of that. But they're an odd race, aren't they, the Canadians? Race. I have in-laws in Canada. Thank you very much. They're an odd bunch. Going out and about, drinking maple syrup, apologising all the time. Tim Hortons coffee.
CAROLE. I used to work at Tim Hortons. That was my first job.
GRAHAM. Oh, interesting. You used to work at Tim Hortons.
CAROLE. Mm-hmm.
GRAHAM. You know, what does Tim Hortons sell for people who haven't experienced Tim Hortons?
CAROLE. So it's like a donut shop, right? You have lots of fresh donuts open 24 hours and Tim Hortons coffee, which I think, I don't know if this is true, but the rumour was that they had put MSG in it, which made it very yummy for people. So you would go on a street in the city and there'd be five coffee shops, but only a lineup at Tim Hortons. So that could be total conspiracy theory.
GRAHAM. My extensive research hasn't found out about the MSG, but it has said that nearly eight out of every 10 cups of coffee sold in Canada are poured at a Tim Hortons.
CAROLE. Right. Whoa. It's because I work there, you see? That's why.
GRAHAM. Because of you, Carole, because you are such an efficient, great team member.
Well, you might think that Canadian companies are composed of lovely Canadian people and they wouldn't possibly do anything bad whatsoever. And because of that, because Canadian people are so extraordinarily trustworthy like Michael J. Fox or William Shatner, you probably would willingly give them your home address, your work location, hand them your vacation plans, because you know you can trust a Canadian. Because they're lovely people. And you do so willingly. But I imagine you wouldn't be as happy if you were doing it unconsciously without realising that you were going
CAROLE. Like you're lying in a ditch, passed out. MSG overload.
GEOFF. That's passed out, actually.
GRAHAM. Well, in June 2020, in an article for the National Post, Canadian journalist James McLeod revealed that a firm had been tracking his movements without his conscious knowledge.
CAROLE. Without him being aware.
GRAHAM. Without him being aware, exactly.
Right. And the article revealed that this Canadian company knew where he slept, where he worked, even tracked his longitude and latitude when he went on vacation to Morocco.
CAROLE. Can I guess how? Or I'm not allowed.
GRAHAM. Go on, you guess how, you guess how. Tim Hortons app.
Yeah, you're not allowed to guess. You're not allowed to guess. Carry on, you're doing great. Yes, you're absolutely correct, Carole, of course you knew because you are Canadian, the Tim Hortons app.
CAROLE. Well, I wouldn't know that.
GRAHAM. Well, you guessed it correctly. People who installed the Tim Hortons app onto their smartphone were being tracked. And according to this journalist, James McLeod, this was happening even when he had told it to track him only when the app was open.
Right. So some people want the app to identify his location because then it tells you where you can get your nearest donut.
CAROLE. Yeah. Apple fritter, by the way, is the best one.
GRAHAM. Oh, is it?
CAROLE. To this day. Yeah, it's delicious.
GRAHAM. So what did you actually do at the Tim Hortons, Carole?
CAROLE. I emptied the dishwasher, cleared the ashtrays because people could smoke in there at the time. Cleaned the bathrooms. That was a really fun job.
GEOFF. So you were executive level from the sounds of it?
CAROLE. Oh, yeah. I was high up. I was about 15. I was 15. Employee number 15. I used to work 11 to 7. 11 at night to 7 in the morning.
GEOFF. Oh, the night shift as a 15-year-old. Wow.
CAROLE. I know, right? It was a different time, Geoff. It was a different time.
GRAHAM. Well, this journalist, he found that the app was tracking him hours or even days after he'd used the app. So even when he wasn't using the app, it was still grabbing his precise location. In fact, it grabbed it over 2,700 times in less than five months.
Question.
CAROLE. Yes. Is this an official Tim Hortons app?
GRAHAM. This is the official Tim Hortons app.
GEOFF. See, apps, this is why I don't have apps on my phone. I've never trusted apps. I've never liked this thing of, oh, put this program on your device and it'll just run and that'll be fine. I don't know. Don't trust it.
CAROLE. Yeah, you want a one-stop shop to yell at people. That's why browsers are good, right?
GRAHAM. Well, the journalist, James McLeod, he said that the app knew he was using an Android Pixel 3 XL. That got uploaded to Tim Hortons' servers. They knew his IP address. It was logging that. His Android advertising ID, his carrier. It knew he had Bluetooth enabled. It knew how much free space he had on his device and his battery charge at any time. You know, it's like maybe it could pop up a message if you're running low on battery.
CAROLE. Yeah. Plug in quick. We'll lose contact.
GRAHAM. Yes. And it also knew every time it thought he might have entered a competitor's premises. Shut up. For real. If you went to KFC or Subway or Starbucks or Second Cup or McDonald's, it knew about it.
CAROLE. Do they call you up and go, "What are you doing?" And you're like, "I'm just getting a chicken drumstick. No coffee, I swear, no coffee."
GEOFF. Not as good as our donuts. But what's interesting about that is, of course, all of those outlets would have their own Wi-Fi networks. So if the app is allowed to look at available Wi-Fi networks nearby, as soon as you walked into a McDonald's and it saw McDonald's free Wi-Fi or whatever, that's how it would be able to identify if you're in a competitor's place. I mean, that's possible.
GRAHAM. That'd be one way to do it. But it seems what Tim Hortons had actually done is they had basically mapped all of their competitors across Canada. And so they were looking at your latitude and longitude, and they knew you've actually entered the building. You haven't just walked past it and picked up the Wi-Fi. You've actually dared to cheat on Tim Hortons and go into a competitor. The only way to stop it collecting data was to stay completely stationary. If you didn't move, because you've eaten too many apple fritters, then... Don't move. Don't move. Horton's on you. God, so creepy. I wonder what the apple fritters had in them if it was MSG in the coffee.
GEOFF. It's like dispatching Carole to follow you around and make notes of which other place you've been to.
CAROLE. I need to correct something because you started this story bitching about Canadians. No, I'm sorry. I said they were lovely. They're very nice, but actually look at this. Do you know who owns Tim Hortons? Who owns Tim Hortons since 2014? Burger King. Burger King is not a Canadian originated company. So up yours as we say in Canada.
GEOFF. And presumably it was a Canadian journalist who exposed this, which means isn't the Canadian journalist the hero of this? As in Canada strikes back.
GRAHAM. Yes. Now, according to Tim Hortons, this information it was collecting was only used to tailor marketing and promotional offers to users inside the Tim Hortons app. So, hey, did you know that our chicken fries or whatever they do are better than KFC's? But it wasn't just that. They also knew when you were at home or when you left your home or visited your ex-girlfriend's house, or the journalist found that they knew when he'd visited a baseball game or visited his parents at a rural farm in Oregon or visited Manitoba for his cousin's wedding.
CAROLE. How did he figure out that they knew? Because they would pop up and say, hey, don't you want to grab a coffee right over here?
GRAHAM. This was the thing. He didn't at first know that his app was tracking him at all. And it was only when an Android operating system update had been pushed out onto his phone with a new security feature, which occasionally popped up a message saying, hey, this app you've got here is continuing to grab your location data in the background. And that's what made him wonder why, and that's why he sent a sort of data access request saying, what information have you actually collected about me? And he got reams and reams of data, thousands and thousands of lines of JSON, which then, when it was analyzed, told him quite a lot. And he got an independent analyst to look at this data and he said, look, what could you make from this data? And this chap said, well, I've looked at the data and what I notice is that you head out from work on Fridays about 2 p.m. So you leave the office at 2 p.m. on Fridays. And apparently the journalist put his hands on it and said, well, it is a bit of a joke in the office that I do like to leave the office early on Fridays, which maybe is a bit of fun, but if you're an assassin, for instance. At Tim Hortons? The deadly Tim Hortons. Yeah, now we're turning it into a murder. If you wanted to silence a journalist and you knew he left the office early on Fridays.
CAROLE. You could poison his coffee. Exactly.
GRAHAM. Right. So there was an FAQ inside the app about how it was going to handle location tracking, but it wasn't very clear. They've now updated that information to make it a little bit less ambiguous as to what they're collecting and what choices you have and how you need to check your device settings. But in the wake of this article, there were four lawsuits filed against Tim Hortons, which seems very American to me. Is that very Canadian, Carole, to launch a lawsuit? Surely it'd be like, oh, that's okay. Never mind.
CAROLE. Should we look and see if there are Tim Hortons now in the States before you continue your complaining?
GRAHAM. There are Tim Hortons in the States as well.
CAROLE. Oh, and do these plaintiffs live in Canada or the States? Do we know?
GRAHAM. That's the kind of detail which obviously I haven't gone into at this stage.
CAROLE. Well, then shut your trap about the Canadians.
GRAHAM. Anyway, Tim Hortons, they say they're going to defend themselves vigorously against that.
Vigorously? Yes. What was wrong with defending yourself vigorously? I just assumed it would be rigorously, but okay. Oh, maybe rigorously and vigorously. Maybe, maybe, maybe, maybe. For now, though, they haven't deleted the data because of the pending legal action. So the data is still there, sat on the server, because, of course, deleting it might destroy the evidence. They said they're going to when they're allowed to.
CAROLE. Yeah, maybe just make sure all the security information on that is all encrypted and hashed and stuff, guys.
GRAHAM. Now, when this article came out first, setting off alarm bells, the authorities got involved and they launched an official investigation. The Commission d'accès à l'information du Québec and its equivalents in Alberta. Good skills. Beautiful, beautiful skills. British Columbia. They launched a joint investigation.
The outcome has just been published. They basically said this data shouldn't have been collected. It was unnecessary. Delete. Too sensitive, the information. It wasn't used for its stated purpose. So this was too much of a risk privacy-wise beyond the potential marketing benefits.
So Tim Hortons have had their hands slapped. Naughty Canadians. What? People can now. Again, again, again. Naughty Canadians owned by Americans. Burger King. Yeah.
Geoff, what would you like to talk to us about other than your book? You can talk about your book.
GEOFF. Oh, God, not the book again. I would like to pick up on something another journalist has done, which is in bleepingcomputer.com. Other websites are available, but I saw this in bleepingcomputer.
Headline: Mandiant, colon, "no evidence", in inverted commas, we were hacked by LockBit ransomware. This is a story by Sergiu Gatlan. This is posted June 6th, 3:54 p.m. Keep that in mind; it's relevant. Okay, a few days ago, right. Exactly, yeah, yeah. So, yeah, a few days ago, 3:50 in the afternoon.
American cybersecurity firm Mandiant, it says here, is investigating LockBit ransomware gang's claims that they hacked the company's network and stole data. So it's like, oh, shocker, LockBit have hacked into Mandiant. Obviously, hacking into cybersecurity companies, we know, has been a thing, and they try and get hold of their tools and so on.
Then it says the ransomware group, this is LockBit, published a page on its data leak website earlier today. So this is the sixth, saying that 350,000 files they allegedly stole from Mandiant will be leaked online. This is basically the LockBit ransomware group saying, oh, we popped Mandiant, stay tuned here.
All available data will be published, exclamation mark, said the gang's dark web leak site, under a timer showing just under three hours left until the countdown ends. Which is why the 3:50 p.m. timeline a few days ago is irrelevant, because you would think, well, three hours has now passed since the article was posted, 6th of June, 3 in the afternoon. What happened? Yes.
Well, it doesn't seem that the data actually leaked out, because then Mandiant replied and said, look, we are investigating this, but we've no evidence that they've actually broken into our networks. And it seems that Mandiant earlier revealed in a report that the Russian Evil Corp cyber group has now switched to deploying LockBit ransomware.
So basically, Russian Evil Corp have obviously been doing loads and loads of ransomware, loads of cybercrime for years. Now, the reason they've switched to LockBit is because, thanks to Russia's reinvasion of Ukraine, the US has now said to victims of ransomware, you can't pay Russia because it's under sanctions. Oh, my God.
So obviously, the Evil Corp guys are like, oh, God, that's going to be a bummer for us. Well, never mind. We'll just hop on the LockBit bandwagon. And that way, people can still pay us, and it won't be obvious that they're paying Russians. So total rebranding. Exactly.
So this whole thing has been, the Mandiant hack seems to have been a sort of diversion or smokescreen for LockBit, who are basically now apparently part of the Russian, the Evil Corp hacking gang. So just smoke and mirrors, this.
I really think this whole thing of ransomware groups hacking and leaking data on these leaked sites and doing timelines and countdowns, and frankly, journalists covering that and getting involved in that. That is murky territory indeed. And this article just really illuminated that for me.
You know, you've got a claim that isn't substantiated and is actually more about the ransomware gang trying to protect their revenue stream than actually the story they were trying to put out to journalists and others. Fascinating.
GRAHAM. So let me get this straight. America has said you can't pay all this money to Russians, right? So under sanctions, you can't give money to Russia at the moment. Evil Corp are obviously Russian. And as a result, Evil Corp have gone, oh, what can we do other than try and get people another way?
Couldn't America therefore say, new rule, everybody, you can't pay cyber criminals money, wherever they might be in the world. And then the cyber criminals will say, oh, well, unfortunately, we can't charge anyone any longer. We'll stop hitting Americans. Would that not be the logical next step? Remarkably, Graham. We've solved the cyber crime problem, surely.
GEOFF. Remarkably, Graham, you are not the first person to have had that thought. I hate to piss on your chips, as they say up in Doncaster, but other people have been thinking along the same lines. And yes, the US, I think, is edging close to this.
The problem is, obviously for the US government, their own entities, public sector organisations in the US, they can say, you cannot pay a ransom. And we sort of have the same thing in the UK. I don't think, for example, hospital trusts are allowed to or do pay ransoms. Obviously, that'd be bad headlines.
But to reach out to the private sector and say, okay, we're now going to make it illegal for you to pay these ransoms is difficult because this does happen. Companies do get hit by ransomware attacks. A, do you want to make those companies so that all their data is scrambled and they can't get it back? B, how do you enforce this? How do you sort of police this?
So these sanctions type measures are a sort of way to do it by the back door.
CAROLE. Yeah, but think about the things where the actual victim is your customer base. Right? So you're a private company, you've got your customers, they're going to, yeah, that would suck.
GEOFF. Exactly. This is the interesting thing about this whole sort of sanctioning Russia type thing is suddenly ransomware payments and the legitimacy thereof has suddenly come under a whole new spotlight. Really, really super fascinating.
And of course, then you've got ransomware gangs turning around and trying to obfuscate which ransomware gang you've got hit by. So traditionally, they had no problem saying, hey, you've been hit by Conti, you've been hit by Locky, whoever it was. Now, I suspect there's going to be a sort of counter movement where you get hit by a ransomware gang, but they don't tell you who it is. And you can't identify who it is, because they don't want you to know it's Russian, because if it's Russian, you wouldn't be able to pay.
So I think that's going to be the new game in town is lots of affiliates, lots of shadow identities for these ransomware gangs so that you can turn around to the US government and say, hey, we had no idea we were paying Russia. It was this other gang we didn't even know was Russian. So I think that's probably going to be the new game.
CAROLE. And why do you think these gangs – oh, excuse me.
GRAHAM. Sorry, your house has been invaded by Muppets. What's going on? It's just a phone. As long as your phone hasn't been hacked, Carole. What's your story for us this week?
CAROLE. Okay, I'm gonna kick off by describing the plot of a movie, okay? And listeners, listen up, see if you can beat these two, because it's going to be quick. I feel truly, madly, deeply... no, ready? High school student unwittingly hacks into a military supercomputer while searching for new video games and leads the supercomputer to activate a grave national response to his simulation.
GRAHAM. Sounds like War Games to me.
CAROLE. War Games it is! War Games played by Matthew Broderick when he accessed the computer system control of the United States nuclear arsenal mistaking the system for an interactive video game. Do you remember who his girlfriend was, who the actress was?
GRAHAM. I've never seen it.
CAROLE. Oh. What? I've never seen... Okay. Ally Sheedy. Sorry, listeners. This is a little embarrassing.
Now, the movie's depiction of the dangers of the computer age, where even nuclear annihilation could be just a few keystrokes away, was not lost on policymakers. According to one report cited by the DOJ, after viewing War Games at Camp David, President Ronald Reagan asked his advisors and the chair of the Joint Chiefs of Staff whether the plot of the movie was possible. And apparently the CFAA, America's Computer Fraud and Abuse Act, is sometimes said to be the eventual result of that deliberation.
GEOFF. Isn't that amazing? Wow. I'd heard that Reagan story before. Yeah. By the way, I mean, you know, talking of Camp David, there's got to be another tailor in Washington, D.C. He hasn't heard me really. Sorry. Old gag, but a good one. There we are.
GRAHAM. Dear me. There's a joke from the 70s.
CAROLE. Now, there's a variety of things that are covered under the Computer Fraud and Abuse Act. So you've got things like, I'll name a few and see if you guys can then come up with them. So obviously computer fraud. Yes. Right. Abuse as well. Computer abuse. Yes. Trespassing on a government computer. Yes. Right. Unauthorized computer access. Cyber espionage. Password trafficking, right? Threats and extortion.
So they all seem like, you know, pretty large camps. And here it lies the problemeth. A bona fide security researcher looking for, for example, a vulnerability or looking for any wrongdoing may have to take some of these steps in order to be able to prove or disprove a hypothesis, right? So kind of like you're going to go public with your findings. You want to be damn sure you're right. And the problem is you don't necessarily want to face a jail sentence if you're found guilty of breaking any of these laws.
And to compound the problem, the CFAA's legal lingo is a little wishy-washy in places. And that meant that circuit courts around the US could interpret the laws differently. So it basically meant you would maybe go to jail in some states and in others, you get a slap on the wrist.
And it seems that these issues, among others, have been in part addressed in a recent redraft of the CFAA. The DOJ recently announced that the US government is altering how vigorously it enforces a central cybercrime law by amending its charging policy. Okay, this is all blah, blah, blah, to say basically, we're not going to go after good faith or ethical or security researchers.
GRAHAM. Thank goodness. Thank goodness for that.
CAROLE. Right. And of course, they define what good faith security research means. And I was interested, Geoff, because you are basically a cybersecurity investigative journalist and author. What's your take on this?
GEOFF. It's an interesting question because there have been quite a few security researchers who've been questioned about things. And I think one person who was actually in the end convicted or at least cautioned for having done this.
It is very difficult because the prosecutors don't want to give security researchers that get out where it's like, oh, I was just doing research and allowing hackers in through the back door. So, yeah, I understand. I applaud the sort of the motivation behind it. But applying these things is sometimes somewhat difficult. And look, as a good security researcher, part of your job is to know where the law stops, what you're allowed to do. So, yeah, it's tricky. It's interesting, that one.
CAROLE. Yeah. Leonard Bailey, he's the head of the cybersecurity unit at the DOJ. He's speaking about these changes at the RSA cybersecurity conference, which I think is happening right now as we speak.
According to SC Magazine, discussion with the information security community did cause Bailey to realize that ethical hackers did have a legit beef with being pursued under the CFAA, but not by federal government. So basically, this is saying, look, if you can prove that you're an ethical or good faith actor, we'll look the other way.
But there's also a civil area in this. And that means it allows for criminal prosecution as well of hackers who violate the law. Oh, that's interesting. Right?
So the CFAA also allows private individuals and organizations to bring legal action against these same researchers. So, for example, if you took someone's username and password to go and expose a company for doing X, Y, or Z, they could say, well, look, you broke the terms and conditions.
Yeah. So, after the DOJ announced its policy, Andrew Crocker, an attorney with the EFF, said that it was welcome but insufficient because it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, or innovators.
GEOFF. Well, the other thing that this makes me think of is the SLAPP. This is Strategic Lawsuits Against Public Participation.
So this is basically investigative journalists and investigators generally trying to go after corruption and kleptocracy and that kind of thing. And the target of those investigations is turning around and suing them for libel, but also data protection as well, increasingly.
These SLAPP things are really interesting. And this makes me think that if you're a security researcher trying to find out about a company and expose its wrongdoing or its vulnerabilities or problems, it's a similar sort of thing, isn't it? Of using private prosecutions to try and shut down legitimate debate.
GRAHAM. They can tie you up with legal paperwork and they can tie you up with a threat, indeed, of being sued, which just scares you off and silences you. Exactly, exactly.
CAROLE. But this is, I think we can all agree, a good step in the right direction, right? It doesn't mean there's not going to be a misstep because, of course, this is policy, so there's nothing to say that a future administration might reverse it, right?
But I think it's a step in the right direction. Do you guys agree?
GRAHAM. I do, I do. I think it's generally good news. Yes.
Because there's been some craziness in the past. There was that chap who was being threatened by the governor of one particular state because he'd gone to a website and he'd simply gone view source in order to look at the web page. And that was considered to be hacking. And so, yeah,
GEOFF. I mean, look, wherever it ends up, having a debate about it is useful because you can have a discussion about it rather than just passing a law and seeing what happens. Yeah. Interesting.
GRAHAM. Really. Snyk is a developer security platform.
Integrating directly into development tools, workflows and automation pipelines, Snyk makes it easy for teams to find, prioritise and fix security vulnerabilities in code, dependencies, containers and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
Get started right now with a free forever account at snyk.co slash smashing. That's Snyk, which is S-N-Y-K dot co slash smashing. And thanks to Snyk for supporting the show.
CAROLE. Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.
Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com slash smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams enterprise plan.
And the thing I like about this, a good password manager is robust and cost effective, as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com slash smashing. Start your free password manager trial today.
GRAHAM. Kolide sends employees important, timely and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organisations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com slash kolide. That's smashingsecurity.com slash K-O-L-I-D-E. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com slash kolide, that's smashingsecurity.com slash K-O-L-I-D-E, and thanks to Kolide for supporting the show.
And welcome back, and you join us at our favourite part of the show, the part of the show that we call Pick Of The Week. Pick Of The Week. Pick Of The Week.
Pick Of The Week is the part of the show where everyone chooses something. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security-related necessarily.
Better not be. Well, my pick of the week this week is not security-related.
A couple of weeks ago, Ncuti Gatwa was named the new Doctor Who. And I thought, I've never heard of him. Who on earth is he? Why have they given him the Doctor Who job?
I haven't heard of him either. Well, it turned out he is a star of the TV show Sex Education. It's a Netflix series. He plays a character called Eric.
I've seen this show before. And it's good.
You've seen Sex Education? Yeah, it's good.
Yeah, it is good, isn't it? Yeah. So how would you describe Sex Education?
Dirty. Well. In one word.
CAROLE. Basically, it's kind of set in high school, is what I remember, and it was way more advanced than I was at that time. Yes.
GRAHAM. So gobsmackingly so. Gillian Anderson is one of the stars. She plays the sex therapist mother of a teenager who has hang-ups about sex. And basically a couple of the teenagers decided to set up their own therapy for fellow students at the school with their sexual and relationship problems.
It's quite funny. It's really well written. Ncuti Gatwa's character is brilliant. He's a great actor. He's going to be a marvellous Doctor Who.
I've been watching series one of Sex Education. I think it's been going for a few years now. So I'm really, I'm way behind the curve, but I've really been enjoying it. And that is why it is my pick of the week.
Yeah, good one. No complaints from me on that. Geoff, what's your pick of the week?
GEOFF. I'm going to pick, for my pick of the week, a Twitter account, which is my guilty pleasure. I'm sure everybody has a comedy Twitter account they turn to as a guilty pleasure.
And one I discovered the other day, which is definitely not suitable for work, is the account Forest Fr1ends. So it's forest, as in normal spelling, a forest the woods, and then friends, but instead of an I, it's a one. So it's Forest Fr1ends with a one.
It is, you know, the Sylvanian Families toys, the little, you know, rabbit type things. Yeah, it's those. It's cute pictures of little, they look, I don't know what is the actual Sylvanian Families, but they're little rabbit cute little things.
Why do you like this? Because, yes, it's a good question. They are captioned with the most obscene captions.
What they've done is taken setups of forest friends, cute little rabbits, and then just put the most disgusting captions on them. It is ridiculously funny. I'm not sure how long it's going to, I presume maybe if it is Sylvanian Families they'll try and shut it down or something, but it is, it's a guilty pleasure, and it is, as I say, definitely not suitable for work, but they're ridiculously funny, some of these.
CAROLE. Oh yeah, they're spicy. This is spicy, guys, warning. Yes, yeah. Now we know how the author and investigative journalist spends his free time. Yes, my guilty pleasure.
GRAHAM. Fantastic. Well, check it out while you still can. Carole, what have you got for pick of the week?
CAROLE. Okay, so the other day I wanted to make a cake, but I wanted just to make a teeny tiny one just for the two of us, right? For date night, right? And all the cakes were in big volumes. So I went to this trusted site that I use all the time. It's called Inch Calculator.
And on here, you have all the wonderful cooking calculators available. So you can change it from weights to volumes and different measuring stuff. So anyone can figure out how to get around a recipe if you don't have the right measurements that they are saying.
GEOFF. That's really useful because I've got recipes where it's one cup. Yeah. And you're like, what's that? How much is it? I've got big cups. I've got small cups. Give me a bone here, Americans.
Tell us about your small cups, Geoff. Nothing small about my cups.
CAROLE. But what's really cool is it's not just about cooking, okay? Inch Calculator is just a bunch of math geeks that just love to create these calculators to make life easier for people, but then also explain the mathematical process. Right. And they have it for everything.
So they have body shape calculators and dog chocolate toxicity calculators and tip calculators. It's an amazing site. So I think everyone will find something there. So inchcalculator.com is the site.
It's been around for yonks and it just keeps growing. And I think it's great. And that is my pick of the week.
GRAHAM. Brilliant. That just about wraps up the show for this week. Geoff, I'm sure lots of our listeners would love to participate in our incredible competition. Let's mention it one more time.
So for a free copy, the chance to win a free copy of The Lazarus Heist book, all they have to do is email us at studio at smashingsecurity.com with the subject line Lazarus, explaining why they want a copy of Geoff's book. And we will pick one out of the hat, and Geoff will sign the book to you as well.
Geoff, I'm sure lots of people would love to follow you online. What's the best way for folks to do that?
GEOFF. Best way is probably on Twitter. I am Geoff White, Geoff with a G, white like the color, and then 247, the number's 247 because I'm Geoff White 24-7.
GRAHAM. And you can follow us on Twitter at @SmashinSecurity, no G at the end of Smashin. And we're also on Reddit. We have a Smashing Security subreddit.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.
CAROLE. And huge thank you to this episode's sponsors, Bitwarden, Snyk, and Kolide, and to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 277 episodes, check out smashingsecurity.com.
GRAHAM. Until next time, cheerio. Bye-bye. Bye. Bye. Bye. Buy the book. Buy the book. Buy the book. Book, book, book, book. Buy the book. Buy the book. Let's stop talking about the book. Oh, God. Thank you.
-- TRANSCRIPT ENDS --