281: Debug ransomware and win $1,000,000, period-tracking apps, and AI gets emotional

A new version of the LockBit ransomware offers a bug bounty, women uninstall period-tracking apps in fear of how their data might be used against them, and Microsoft's facial recognition tech no longer wants to know how you're feeling.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast.

Plus don't miss our featured interview with Bitwarden founder and CTO Kyle Spearrin.

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Episode links:

Sponsored by:

  • Kolide - the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden - Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Snyk - Find, prioritize, and fix security vulnerabilities in your code.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. You would be the sort of person who would be to test gravity. You would jump off a cliff and say, let me test this for you to see if it works or not, and you'd go splat at the bottom of the cliff.


THOM LANGFORD. Or the guy who jumped off the Eiffel Tower to test his flying suit.


CAROLE THERIAULT. You know what, my brother did that, although he was 7.


GRAHAM CLULEY. What?


CAROLE THERIAULT. So a little bit younger.


GRAHAM CLULEY. Your brother climbed— jumped off the Eiffel Tower?


CAROLE THERIAULT. No, he jumped off the roof of our house. My mum sewed him a Superman outfit when he was about 6 or 7.


THOM LANGFORD. Technically a flying suit.


CAROLE THERIAULT. And he went up on the roof, launched himself, and then fell promptly to the ground anyway. So, you know, he was 7 though, so, you know.


UNKNOWN. Your genetics, girl. Your genetics. Smashing Security, Episode 281: Debug Ransomware and Win a Million Dollars, Period Tracking Apps, and AI Gets Emotional with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 281. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, this week we've got a very special guest. Who have we got in the hot seat today?


CAROLE THERIAULT. The award-winning Thom Langford.


THOM LANGFORD. Award-winning? I like the sound of that. Thank you very much.


CAROLE THERIAULT. Yes, well, Thom, and your podcast has recently won an award. Do you want to tell our audience about it?


THOM LANGFORD. Yes, please. The, uh, the Host Unknown podcast. It releases every week.


CAROLE THERIAULT. I couldn't remember the name.


THOM LANGFORD. I know you couldn't. I know, I know, because you don't give us a second thought, but you guys live rent-free in our heads, so.


CAROLE THERIAULT. We've appeared on the show.


GRAHAM CLULEY. We've actually sponsored your podcast.


THOM LANGFORD. You have.


GRAHAM CLULEY. We actually gave you money.


CAROLE THERIAULT. We've come on the show as well.


GRAHAM CLULEY. Yes.


THOM LANGFORD. I think you give us less thought than we give you, because you're all we ever think about. What would Smashing do?


CAROLE THERIAULT. Is this like Chicago? Are we your inspiration?


THOM LANGFORD. Of course you are. We look up to you. We look up to you. We really enjoy it when we win awards, but you know.


CAROLE THERIAULT. Well, congratulations.


THOM LANGFORD. Yes, thank you very much.


GRAHAM CLULEY. So what award did the Host Unknown podcast win, Thom?


THOM LANGFORD. From memory, the most entertaining podcast.


GRAHAM CLULEY. No, well, that's incorrect.


CAROLE THERIAULT. That's obviously.


UNKNOWN GUEST. Yes.


THOM LANGFORD. What was it?


GRAHAM CLULEY. Yes, you've won the best non-vendor cybersecurity podcast.


THOM LANGFORD. Oh, that's right, that's right. You won the— the most entertaining blog, didn't you? Yeah.


GRAHAM CLULEY. Yes.


THOM LANGFORD. Interesting.


CAROLE THERIAULT. It's a stellar award system.


THOM LANGFORD. Yes.


CAROLE THERIAULT. Should we go to our sponsors? Let's thank this week's wonderful sponsors, Bitwarden, Snyk, and Kolide. It's their support that helps us give you the show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about an unpopular software update that could earn you $1 million.


UNKNOWN GUEST. Okay.


CAROLE THERIAULT. And Thom, what about you?


THOM LANGFORD. I'm going to talk about unintended digital consequences to laws.


CAROLE THERIAULT. And I'm calling mine, are you crying or just cutting onions? Plus, we have a featured interview this week with Kyle Spearrin of Bitwarden. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums. Do you love a software update?


CAROLE THERIAULT. That's the best thing ever. It's better than Christmas.


THOM LANGFORD. I like doing them just before going live on a podcast.


GRAHAM CLULEY. That is exac— You know what, Thom? That's exactly what I imagined you would do. I would— I thought if there was a new version of macOS which came out 20 minutes before recording your podcast, you were the sort of— How can I put this politely? Complete blithering idiot who would click apply updates?


THOM LANGFORD. And done it. I've done it. In fact, we mentioned it on the show. Not the operating system, just my entire sound deck system for a podcast. Done it just before the show. Delayed us by about 45 minutes.


CAROLE THERIAULT. Of course you did.


THOM LANGFORD. But I got new free stuff.


GRAHAM CLULEY. Yes, but sometimes it can have unintended consequences, can't it? I mean, I must admit, I'm a slight addict to installing updates as well. I do have to resist. I think maybe some other people should beta test them before me.


CAROLE THERIAULT. Can I ask though, do you have it all set up automatically, or do you jump the gun and go and get it before it's handed out for the automatic rollout?


GRAHAM CLULEY. Well, it depends. On my phone, they automatically install.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Don't really care about that. On my desktop computer, where it's a little bit more work-oriented, I try to have some manual involvement, so I choose when to do it. And obviously in the workplace as well, people are staggering the rollout of patches and security updates to make sure they don't conflict with anything. You know, they can be a problem, can't they, security updates? Because they may introduce some sort of clash or a new vulnerability, or you may be thinking, well, I have to install this to protect against a vulnerability. Oh my goodness, what am I going to do? Is it going to be worse installing the patch, or is that going to introduce a vulnerability, or is that going to fix a vulnerability? Dither, dither, dither.


UNKNOWN GUEST. Wow.


CAROLE THERIAULT. Okay. I don't put that much thought in it. I mean, I obviously, things can go wrong, but I just think they're probably 99% good. So just rock on because it's better to have them than not.


THOM LANGFORD. Do you do beta updates?


CAROLE THERIAULT. No.


GRAHAM CLULEY. No.


THOM LANGFORD. Really? Why not?


CAROLE THERIAULT. Because I'm not needy.


GRAHAM CLULEY. Because they're bloody betas.


THOM LANGFORD. That's early free stuff.


GRAHAM CLULEY. But if you—


CAROLE THERIAULT. I love that people like you exist though, Thom. Like, I'm not even kidding. I love that people go out and they're beta— because we need beta testers. We need alpha testers. We need those people. But no way would I do it.


GRAHAM CLULEY. You know what, Thom? If you'd been around when Isaac Newton was around, which possibly you were, and he invented gravity, of course. Gravity didn't exist before the apple fell on his head. Yeah. You would be the sort of person who would be to test gravity. You would jump off a cliff and say, "Let me test this for you to see if it works or not." And you'd go splat at the bottom of the cliff.


THOM LANGFORD. Or the guy who jumped off the Eiffel Tower to test his flying suit. You know what?


CAROLE THERIAULT. My brother did that, although he was 7.


GRAHAM CLULEY. What?


CAROLE THERIAULT. So a little bit younger.


GRAHAM CLULEY. Your brother climbed and jumped off the Eiffel Tower?


CAROLE THERIAULT. No, he jumped off the roof of our house.


THOM LANGFORD. He—


CAROLE THERIAULT. yeah, my mum— my mum sewed him a Superman outfit when he was about 6 or 7.


THOM LANGFORD. Technically a flying suit. 'Cause he was in love with Christopher Reeve's Superman.


CAROLE THERIAULT. And it was all during that series. And he went up on the roof, and it was not very high. It was a very low-sloping roof at this stage, but still, he had to put a good 6 feet to fall.


THOM LANGFORD. And when you're only 3 foot 2, that's kind of a big deal.


CAROLE THERIAULT. Right! Launched himself and then fell promptly to the ground and didn't understand it. And then everyone was like, Superman never had to go off buildings. And then he showed us in the VHS where he does, 'cause he does go off a few buildings, doesn't he? He flies off. Yeah. Anyway, so, you know, he was 7 though, so. You know?


THOM LANGFORD. Yeah.


GRAHAM CLULEY. Your genetics, girl. Your genetics. Anyway, I want to talk to you today about an update to a very unpopular piece of software.


THOM LANGFORD. Ooh.


GRAHAM CLULEY. Not unpopular because hardly anyone runs it, but nobody wants it. I'm not talking about Clippy. Some people might even like Clippy. I'm talking about an update to a notorious piece of ransomware. LockBit, of course. LockBit has been at the heart of some 40% of all known ransomware attacks last month.


CAROLE THERIAULT. 40%, really?


GRAHAM CLULEY. 40%. Worldwide. According to reports. According to reports. Yes.


CAROLE THERIAULT. Reports.


GRAHAM CLULEY. Yes.


THOM LANGFORD. Ransomware du jour.


GRAHAM CLULEY. And a new version of LockBit has been beta testing for a while. Have you been running the beta test of LockBit on your computers?


THOM LANGFORD. It's cost me a fortune. Cost me a fortune. But yes.


GRAHAM CLULEY. Well, LockBit 3.0 has now been officially released. Huzzah! Or maybe not. So what is new about LockBit 3.0? Well, Bleeping Computer reports that there are some interesting new developments in LockBit aside from all the, you know, the core stuff of encrypting your data and exfiltrating your data and demanding the money from you. So one of the new things is that the LockBit gang is now running a bug bounty program.


CAROLE THERIAULT. Oh my frickin' Lord. Of course they are. You know why? They're streamlined.


THOM LANGFORD. It's very efficient.


CAROLE THERIAULT. They're agile.


THOM LANGFORD. Yeah.


GRAHAM CLULEY. It's really impressive when you think of how many legitimate companies aren't running a bug bounty. And now the criminals are running bug bounties saying, if you find a bug in our software, in our ransomware, please let us know. And you can earn anywhere from $1,000 up to $1 million.


CAROLE THERIAULT. Yeah, yeah. I'll wait to see that be paid out before.


THOM LANGFORD. Do they take that off your bill as well? That's right.


GRAHAM CLULEY. You've hit us, you've hit us hard, but we found a spelling mistake or we found that your files were slightly crashed. So in the announcement, the LockBit gang are saying that they are inviting all security researchers, ethical and unethical hackers on the planet to participate. So they want to know about bugs which are basically costing them money or bugs which are meaning maybe they're less efficient and they've clearly got the funds. They're claiming. So in theory, someone could find a vulnerability or a weakness in their encryption algorithm, maybe a way to get back the data without paying the gang. And you've then got a choice. Do you tell that to the good guys or do you tell it to the bad guys? And now the bad guys are saying, well, tell us and we'll pay you for it.


THOM LANGFORD. I guess that really depends on if you are an ethical or an unethical hacker or security researcher.


GRAHAM CLULEY. Yes, exactly.


CAROLE THERIAULT. What would happen though, if you do it ethically? Okay. So where do you go? So do you go to your local federal cop? Sophos, is that where you would go?


THOM LANGFORD. Yeah. Or publish it publicly.


GRAHAM CLULEY. Or there's organizations like No More Ransomware, that group, different security companies and researchers.


THOM LANGFORD. I'd give it to Graham. He'd know what to do with it.


CAROLE THERIAULT. Are we saying we don't agree with responsible disclosure at this time?


GRAHAM CLULEY. Well, it puts us in an awkward position here, doesn't it? Because normally we're saying, well, you know, you should really tell the software vendor about the bugs so that they can fix them. But when the software is written by bad guys, maybe—


CAROLE THERIAULT. And seriously, locking down hospitals and schools and— Yeah.


THOM LANGFORD. Well, I was going to say we shouldn't be helping organizations that are ripping millions of dollars off of organizations globally, but that's not really a clear definition of whether they're a criminal enterprise or a regular enterprise, really, is it?


CAROLE THERIAULT. I think globally you can add a B to that, not millions, but billions. Yeah.


GRAHAM CLULEY. Well, I think the other thing is, of course, if you help a criminal organization like the guys behind LockBit, it might be frowned upon by law enforcement in your particular country. They may think, well, you're basically in league with them, aren't you? You are part of their enterprise. If you're assisting them making their software, quote, better.


THOM LANGFORD. You're receiving stolen funds.


GRAHAM CLULEY. Yes, I would imagine so as well.


CAROLE THERIAULT. And we're kind of circling back to your argument, though, of should there be laws to prevent people from actually paying bad guys in these situations?


GRAHAM CLULEY. Well, this is the way of getting your money back, I suppose, isn't it? I wonder if there's any scams which— I wonder if it's possible to scam the ransomware guys. If you could somehow convince them that there is a vulnerability which isn't really as bad as they thought, or if you say, look, I've looked at your code and I found a way to improve it. If you apply this patch to your ransomware and in fact, the patch means that any funds people pay go into your bitcoin wallet rather than theirs, and you can then—


CAROLE THERIAULT. You could be more glorious than that. You could just lock up their data and ask for payment for it, and then return the payments to the people that have paid up in the first place going, "Don't do that again." So they're not just interested in bugs and vulnerabilities in their ransomware, they're also looking for brilliant ideas on improving their operations.


GRAHAM CLULEY. So if you've thought of a new way that they can make even more money, they're interested in that, and they will pay out, they say, for those. And they're saying they will give out exactly $1 million, no more and no less, for doxing their affiliate program boss. So LockBit, like other ransomware operations, is ransomware as a service. You basically, if you're a criminal, you work as an affiliate of theirs and they have this chap who's sort of running the affiliate program, right? They don't want his true identity to become public knowledge. And so they're saying, if you've worked out who our bad guy is, and they say whether you're an FBI agent or a very clever hacker who's found out how to do this, let us know his name and we will give you $1 million in bitcoin for that information. So they're actually saying to law enforcement, hey, if you think you're on the trail of us, we'll give you a million dollars. Thanks for the heads up. And then we'll go and hide in Monte Carlo or wherever.


CAROLE THERIAULT. But you do have to set up a bitcoin account, right?


GRAHAM CLULEY. Well, yes, you would need some sort of crypto.


CAROLE THERIAULT. I know, there's some costs.


GRAHAM CLULEY. There's some costs. I think people would be able to work out how to do it.


THOM LANGFORD. And also, you're going to get paid $1 million in bitcoin, which tomorrow is going to be worth $800,000 in bitcoin. Yes, $1 million in bitcoin. And the day after that, it's going to be worth $750,000 and so on. It's not the most stable of, of currencies at the moment.


GRAHAM CLULEY. No. Anyway, ransomware is evolving and so are the campaigns to distribute it. There was a recent LockBit campaign which arrived as an email claiming copyright infringement. So if you were to run, for instance, an award-winning cybersecurity podcast and you regularly infringed the copyright of another cybersecurity podcast, maybe by using their jingles or something like that, yes, and you received an email from them, I would suggest, Thom, that you be very, very careful about opening the attachments.


THOM LANGFORD. Okay. I'm glad we use open source music then.


GRAHAM CLULEY. Thom, what's your subject for us this week?


THOM LANGFORD. This is talking about the very recent decision by the US Supreme Court to rescind the Roe versus Wade ruling, which allows for abortion rights for women in the US. And that's across the US. It's now down to individual states to decide. And that's broadly speaking, that's now made up upon party lines. So, you know, red versus blue parties and whichever states are run by which. The actual ethics, morals behind all of that is not what I'm going to be looking into in this point. That's for an entirely different show. What I want to look at is actually the impact that something, and I don't want to say something as innocuous as this because it's far from it, but something that feels very, very unrelated to technology can actually have some big technology impacts. So there's a couple of layers here. So firstly, it's about, you know, we in InfoSec and also the privacy professionals have been saying for years that privacy is a vital component of security. Security and privacy are two different things. You can be secure but not private. The two need to go hand in hand, and it's important. You know, we talk about mass surveillance and things like that, and many people who support surveillance— and ostensibly I do in a sort of benign environment— but the argument is, if you've done nothing wrong, you've got nothing to hide, which sounds great until what's defined as wrong changes, which is what's happened here, right? So the law has changed in this instance. So enter, with the advent of smartphones and digital watches and the health tech environments, there's many period tracking apps. Apps that are just used not just for convenience sake, women wanting to know when their period is likely to come on, but it's also very useful for medical conditions, when's the best time to fall pregnant, and generally allow women to be more informed about their health.


GRAHAM CLULEY. I don't know why you need an app to work out what's the best time to be pregnant. I would think normally probably about quarter past 1 in the morning would be my advice.


CAROLE THERIAULT. I can't believe you reproduced.


THOM LANGFORD. I was going to— I was just wondering where you were going with that, Graham, and I was thinking that's probably because you don't have a uterus. But, you know, how do you know?


GRAHAM CLULEY. I might have. You medically qualified?


CAROLE THERIAULT. You definitely 100% do not.


GRAHAM CLULEY. Oh, okay.


THOM LANGFORD. But this data is stored somewhere, right? And many, many apps, many, many different providers, etc. And the data is put into, into these apps and lots of insights and data mining and blah, blah, blah. But that data is very often sold or passed on or requested by medical organizations. The key thing here now is a lot of women in the US and actually globally as well as, you know, in support of the environment that they've seen themselves faced with, are boycotting these apps, primarily because this data could be used to determine if a woman falls pregnant and then within the following 9 months is suddenly not pregnant. And there could be a multitude of reasons for that. But that data, it has been made clear, can, can be used for legal proceedings against that woman in case that, you know, laws in those particular states have been, have been broken. So this link here is fascinating. And I think it really drives home the drum that many privacy advocates have been banging for a very, very long time, which is we have to protect our data. Now, I know as a 51-year-old balding short fat cis white man who's had two kids.


GRAHAM CLULEY. Come on, Thom. Come on, Thom. Come on. You're not 51. You're much older than that.


THOM LANGFORD. Exactly. And who is no longer able to sire children. This has got very, very little to do with me personally, but I think that the fact that such a change in a law could alter how we interpret or how we accept our data to be used and how actually we should become far more conscious about where our data goes. I've been fairly open with this stuff. Yeah, I'll accept those cookies. Yeah, you can take my data. I've got nothing to hide, you know, because I'm in a privileged somewhat, you know, position. This really highlights the fact that the environment in which we live in can change at any moment and will actually put any one of us at risk. So there's a link in the show notes to just one of these stories. You know, there's plenty of stories out there. You just have to Google them. But folks, really think hard who you're giving your data to, which devices you're using, which companies you are giving your data to, and what is their standard? What is their approach to how they're going to manage your data?


CAROLE THERIAULT. I would plug right now, if it's okay, I'd plug Firefox's Privacy Not Included site. So you can put in different devices or apps, 'cause they do all the legwork for you by reading all the terms and looking at all the features and reading the website.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. And giving you a kind of educated, you know, feel of how they're handling data.


THOM LANGFORD. That's a really good one. Yeah, that's a really good one.


GRAHAM CLULEY. Yeah, and this is really a problem. I've been reading on Vice recently, they've been, tracking some of the response to this, and they've been investigating some of the tech companies who run, for instance, period tracking apps. And they found the number one period tracker on the App Store is handing over data to police, no warrant required.


THOM LANGFORD. Oh, wait until the law against being a short, bald, wok smuggling male is going to come in. It's—


GRAHAM CLULEY. Sorry, wok smuggling? What, you've been smuggling woks? What does that—


THOM LANGFORD. Yeah.


GRAHAM CLULEY. What?


THOM LANGFORD. Under my shirt.


GRAHAM CLULEY. I don't even know what that means.


THOM LANGFORD. What does that— If you were to put a wok up your shirt, what would it look like?


GRAHAM CLULEY. Like I had a great big chest, I suppose.


THOM LANGFORD. Well, it depends how high up you put it, yes.


GRAHAM CLULEY. Oh, I see. Oh, right, okay. I see, yes.


CAROLE THERIAULT. This is great radio, guys.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. We start with me asking you guys a question in two different ways, and I want you to try and categorise each question based on what you hear. Okay. I know where you live.


THOM LANGFORD. I know where you live. But you don't come and visit me.


CAROLE THERIAULT. So from those two, would you say there's any difference?


THOM LANGFORD. Yes.


GRAHAM CLULEY. Yeah, yeah. Well, yes, the second one sounded rather aggressive, I thought.


CAROLE THERIAULT. A little threatening?


THOM LANGFORD. Exactly.


GRAHAM CLULEY. A little bit, yes.


CAROLE THERIAULT. I was going for that. I was going for that.


GRAHAM CLULEY. Well done, girl.


CAROLE THERIAULT. Thanks. And the first one?


GRAHAM CLULEY. I know where you live. It was kind of a bit sexy.


CAROLE THERIAULT. Yeah.


UNKNOWN GUEST. Oh.


CAROLE THERIAULT. But the whole point here is that it was easy for you to decipher between two emotional states. It's possible to get it wrong, right? Of course, we all get occasionally wrong. But we have these like built-in mechanisms to help us navigate the emotional tone of a speaker, right? Even if you don't speak a language, I suspect you can get the emotional tone because the tone goes beyond the language barrier. Like, if you closed your eyes and thought of the Swedish Chef, who's not even speaking any Swedish at all, or any language at all, but on the Muppets, you would know whether he was having fun or whether he was freaking out just by his tone.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Right, even if your eyes were closed, you'd know.


THOM LANGFORD. Yep. Yes. It would explain why I wasn't able to buy anything when I went on holiday in Sweden though. I learned all my Swedish from the Muppets.


CAROLE THERIAULT. And with all things labeled artificial intelligence or AI, we also have a component called emotional AI. Do you guys know anything about that?


GRAHAM CLULEY. Emotional? No. Oh, tell me.


CAROLE THERIAULT. Very interesting. So it's called emotional recognition technology, and it typically relies on software to look at loads of different qualities. So if it's visual, it'd be facial expressions, or if it was audio, it'd be speed of speech, tone of voice, word choice. You'd gather all this data to automatically detect an emotional state.


GRAHAM CLULEY. It sounds awfully clever.


CAROLE THERIAULT. It does sound awfully clever, and it is awfully clever. And in order for an AI to be able to classify this information it's getting, it needs a glut load of practice, doesn't it?


GRAHAM CLULEY. So it's going to need a huge amount of data of people looking angry or happy or smiling or sounding.


THOM LANGFORD. Yes.


GRAHAM CLULEY. Or orgasm face or whatever it might be that—


THOM LANGFORD. Vinegar strokes.


GRAHAM CLULEY. No, it might need—


CAROLE THERIAULT. I don't want to know.


GRAHAM CLULEY. I don't ask anymore. Is it to do with the wok? No, don't tell us, Thom.


THOM LANGFORD. Like, you know what, the face you pull when you've got a mouthful of vinegar.


GRAHAM CLULEY. Oh, right.


CAROLE THERIAULT. But the thing is, emotions are a little bit more complicated than happy, sad, right? There's like how happy, how sad, or sarcasm, like satirical happiness or fake sadness, right?


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. Because, you know, like, we've all been— you know, if anyone who's been in a failed relationship, we know this kind of I'll take the bin out then. You're angry.


THOM LANGFORD. No, I'm not.


CAROLE THERIAULT. Yeah, you are. No, I'm not. I can tell you're angry. I am not angry. I can, and it goes on and on and on.


GRAHAM CLULEY. Yep, that rings a bell.


THOM LANGFORD. About 9,000 of them.


CAROLE THERIAULT. So why, why am I talking about this? Well, this week we learned that Microsoft is moving emotion recognition features from its facial recognition tech in Azure. And they're doing this because they say the science of emotion is far from settled. Like, duh. So Microsoft announced this change in a blog post last week. And while they kind of buried this news at the bottom, like they had like 5 points they were making, this was number 5. So this was Natasha Crampton, a Microsoft Chief Responsible AI Officer, who wrote the post. She says, quote, finally, right? Number 5. Finally. We recognize that for AI systems to be trustworthy, they need to be appropriate solutions to the problems they're designed to solve. As part of our work to align our Azure Face service to the requirements of Responsible AI standard, which they've written, we are also retiring capabilities that infer emotional states and identity attributes such as gender, age, smile, facial hair, hair, and makeup. Because basically I'm sure they were shit at it. That's what I'm assuming.


THOM LANGFORD. Okay.


GRAHAM CLULEY. It's good to know, by the way, that Microsoft also have a responsible AI department, just like we've discovered last week, Google have one as well.


THOM LANGFORD. Begs the question, who heads up their irresponsible AI department?


CAROLE THERIAULT. Yes, indeed, yes. Quote unquote, yes. So Microsoft are kind of pulling away from it saying like, there's basically a lack of scientific consensus on the definition of emotions, very similar to last week, and the challenges on how these inferences generalize across use cases, regions, demographics. So basically, we don't really know what we're doing is what they're saying. And, and, and they're pulling away from it. They're kind of going, we've played with this. It turns out we're going to get in hot water. We're, we're pulling back.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. But it led me to think like there must be a lot of other firms maybe dabbling in this, right? Because there's a lot of wonga here. If you can target someone emotionally, we all know that we're more likely to be engaged and therefore more likely to like pay attention to that service or buy that product or whatever. So NBC News writes that many companies, and they had a few listed, so I just wanted to, and I went around like Googling, I got into a rabbit hole of who uses emotional AI and why. Can you think of any reasons why anyone would want to use it before I list any? Okay, I'll kick off a few and then—


THOM LANGFORD. Give us a few seed ones.


CAROLE THERIAULT. Yeah, I'll give you a few seed ones. Okay, hold on. Okay, so Cognito Dialogue. This is a call center emotional intelligence and customer service. And they claim to provide live analysis of the emotions of the caller because you're obviously not listening, right? On customer service lines so that employees in call center can alter their behavior accordingly. So imagine like I call up, right? And I like, everyone's like, I'm labeled super pissed off, super pissed off. And it just turns out I've got a cold. Right? And they couldn't read me properly.


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. I might get some free stuff and I'd give it to you, Thom, because you love free stuff.


THOM LANGFORD. I do love free stuff. I mean, in essence, any kind of interaction with AI at the moment is a fairly flat experience. You know, it's all very, very discreet in the sense that it's very specific in what it does. I guess what this is doing is it's actually going to allow you to interact with an AI in a way that will respond to how you are behaving and talking and presenting and respond back in an appropriate manner.


CAROLE THERIAULT. Maybe. Let me give you some more examples and see if you're still comfy, right? So Brazil's Yellow Line of São Paulo Metro deployed AdMobilize emotion AI analytics technology to optimize their subway interactive ads. Ads according to people's emotions. So you walk by feeling a little bit pissed off because someone with BO's armpit was in your face the whole ride, and they then show you like a happy clappy ad to try and make you happy and therefore engage you.


THOM LANGFORD. Oh, they can fuck right off.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. What about this? Okay, so Skyscanner, this is a meta search engine and travel agency. They deployed Sitecorp's Emotion AI tech to their Russian website. So basically, if a user displayed sad emotions that was interpreted by the AI, the API would suggest a fun travel destination. Like imagine your partner's just died and you go on going, I need to go to, and they're like, Disneyland for couples and loved ones. Like, yeah, this could—


THOM LANGFORD. Scatter their ashes.


CAROLE THERIAULT. There was even one during the pandemic to track consumers' sentiments and trends about the pandemic and the spread of COVID-19. There is tracking emotions of students during classroom video calls so that teachers can measure performance, interest, and engagements, or rather their bosses could do it. See, that's my worry. It's not that teachers can do it. It's so that the principal can measure the teacher's job and how good they are.


THOM LANGFORD. I think we're at the very beginning of this process. So right now, this feels extraordinarily artificial and forced and not natural in the slightest because that's not how we expect advertising hoardings to behave or for our school to be able to say, oh, your child looked disengaged. No, his dog just died this morning. So it feels very unnatural. But I imagine in 10 to 15 years' time, this is going to be rolled out in a way that is much more invisible and yet more effective. So at the moment, I think it's horrible.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Exactly as you say. Right now, there are issues. Like, for example, there's that nasty bias thing going on, right? So there have been studies from the University of Maryland that found that emotional AI is manipulative and discriminatory. So it would read, one AI would read Black subjects as angrier than white subjects. And even Microsoft's AI read Black subjects as betraying more contempt.


GRAHAM CLULEY. Oh my goodness.


THOM LANGFORD. Well, just like when they put their AI onto Twitter and Twitter managed to turn it into a raving Nazi. Well, a raging Nazi. A raving Nazi is quite a happy one because they're dancing.


CAROLE THERIAULT. But a raging Nazi.


THOM LANGFORD. Subtle difference, but important one.


GRAHAM CLULEY. They did used to put their hands in the air, didn't they? A bit like ravers.


THOM LANGFORD. They did. Like, they just didn't care.


CAROLE THERIAULT. And like, but this is the thing, to your point though, Thom, you were saying, like, you're saying, okay, when 10, 15 years, this could happen. But like, Sandra Wachter, she's an associate professor and senior research fellow at University of Oxford, and she's saying like, there's no proven basis in science to what they're doing. At absolute worst, this is pseudoscience. And she says, quote, even if we were to find evidence the AI is reliably able to infer emotion, that alone would still not justify its use. Our thoughts and emotions are the most intimate parts of our personality and are protected by human rights, such as the right to privacy. Let's not pave the road for it, because I don't like the idea that a camera can look at me and decide how I feel.


THOM LANGFORD. But you're all right with a human deciding that?


CAROLE THERIAULT. I would like them to go, how are you? That's kind of the question we ask each other, right?


THOM LANGFORD. Yeah, but not, not, not everybody. A shop assistant won't ask you how you are, or at least not in a way that they do.


CAROLE THERIAULT. Me, I obviously have a better relationship than you do.


THOM LANGFORD. Well, yeah, but like, they mean it, you know?


GRAHAM CLULEY. Yeah.


THOM LANGFORD. When they say, "How are you?" they really don't want to know.


GRAHAM CLULEY. Well, I always tell them, I'm like, "Well..." And sometimes people don't want to be told, "Oh, you know, smile, love, it may never happen," or something. Or, you know, they don't want to know.


CAROLE THERIAULT. You don't have to do that. You don't have to say any of that. You could just say, "Can you get out of the way, please, so I can get into the store?" for example. You don't have to kind of go, "How are you?" to people you don't care about asking. But if you care and you want to understand that, you can ask them. Anyway, I agree with Sandra Wachter and emotional AI. Interesting but scary stuff.


THOM LANGFORD. When you opened with the Swedish chef, it reminded me of the Swedish chemist joke. Do you remember that one?


CAROLE THERIAULT. No.


GRAHAM CLULEY. Is it about the deodorant?


THOM LANGFORD. Yes.


CAROLE THERIAULT. Tell me.


THOM LANGFORD. So a guy walks into this Swedish chemist, says, "Do you have any deodorant?" And the guy behind the—


GRAHAM CLULEY. Well, hang on. We both know it. We can do the parts of this, Thom. We can do it between us. Yeah. You be the customer.


THOM LANGFORD. I'll be the customer. Hello. Do you have any deodorant?


GRAHAM CLULEY. Yes. Ball or— Oh, I've forgotten what it is now. Oh, yeah. I know. Okay. Yes. Ball or aerosol?


THOM LANGFORD. No, it's for my armpits.


CAROLE THERIAULT. So good, guys.


THOM LANGFORD. That's our favourite time of the show.


CAROLE THERIAULT. Swedish listeners, please write in.


THOM LANGFORD. Alright then.


GRAHAM CLULEY. Snyk is a developer security platform integrating directly into development tools, workflows, and automation pipelines. Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit. Get started right now with a free forever account at snyk.co/smashing. That's Snyk, which is S-N-Y-K, .co/smashing. And thanks to Snyk for supporting the show.


CAROLE THERIAULT. Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Bitwarden is transparent and secure, using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams or Enterprise plan. And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com/smashing. Start your free password manager trial today.


GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back. Can you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


THOM LANGFORD. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. Super Mario, Legend of Zelda, Red Dead Redemption. These are all fantastic video games. And up there, right at the top of all of the greatest video games of all time, is of course Alley Cat. Have either of you played Alley Cat?


CAROLE THERIAULT. No. No. I hardly play any video game though.


THOM LANGFORD. I've not heard of this. What platform was it?


GRAHAM CLULEY. Well, it came out on the IBM PC. So that, the very fact I call it the IBM PC gives you a hint.


THOM LANGFORD. Yes.


CAROLE THERIAULT. 1988, people.


THOM LANGFORD. Also available for the Amstrad 1640 and 1512.


GRAHAM CLULEY. Actually, a little bit earlier than 1988. It was the, I think about 1983 it came out.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. Written by the late Bill Williams. It has the best theme tune of any video game ever. Long live 8-bit. Alley Cat is a game where you are a cat and you want to make a bit of romance with a lovely lady cat who lives in an apartment complex. And so you have to sort of avoid dogs and jump into windows. It's a great fun game, as listeners will be able to find out, because you can play it on an emulator, which I will link to at the Internet Archive. You can play the old MS-DOS version of Alley Cat, even if you don't have MS-DOS. Now, why am I talking about Alley Cat other than it is one of the great games of all time is that there was a new imagination of Alley Cat, which came out for Windows, released a few years ago for free, which I will also let— I can't believe— Thom, I thought you were old. You must have played Alley Cat.


THOM LANGFORD. I don't. You see, I remember things like, you know, on the Spectrum 48K, you know, Nodes of Yesod and Jet Set Willy and stuff like that.


GRAHAM CLULEY. Oh, Jet Set Willy, yeah.


THOM LANGFORD. I don't remember this. Manic Miner.


GRAHAM CLULEY. Yeah.


THOM LANGFORD. You know?


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. Well, those are all good too. Well, anyway, I am recommending Alley Cat as my pick of the week, albeit being about 40 years old. You can also check out Alley Cat, the Re-Meow Edition for Microsoft Windows. I haven't tried that one, but I'm sure it's jolly good as well, written by true fans of Alley Cat. And that is why it is my pick of the week.


THOM LANGFORD. Very good.


GRAHAM CLULEY. Thom, what's your pick of the week?


THOM LANGFORD. So as you know, I'm a bit of a raging nerd or even a raving nerd as well, for that matter.


CAROLE THERIAULT. Thank God he said nerd.


THOM LANGFORD. Nerd. So I thought I'd do a little bit of tech this week. You may have heard, or if you're on Reddit or Twitter or any of these internet browsery things, of the Remarkable E-Ink Notepad. It's in version 2 now. Version 2 came out last year. I think it was around about March or so last year. It was great for distraction-free writing, note-taking, drawing. There's different sorts of types of pencils it can next to your computer so you can synchronise notes and all that sort of thing. And I did not fall in love with it. I actually sold it.


GRAHAM CLULEY. Does it feel like you're writing on paper though? Is that a similar sort of tactile experience?


THOM LANGFORD. Yeah, it has that kind of— I don't want to say scratchy feel, but that textured feel, I think is probably the right word. It's very good. It's very good. Well, Alex, see, you can have a play with mine.


GRAHAM CLULEY. I would love to play with yours, Thom.


THOM LANGFORD. One of the reasons I didn't like it was the software wasn't quite there. It was a bit slow and clunky. It didn't always connect, etc. But I kept on reading that it was getting that it had massively improved. So I took the dive into it again and had it delivered a couple of weeks ago now. And I love it. Really, really good. Far more responsive, much more intuitive. And you can, you know—


GRAHAM CLULEY. What do you do with it, Thom? It's not something you install apps on, is it?


THOM LANGFORD. No, no, absolutely not. And that's one of its features is it does one thing and it does it very, very well. And it's distraction-free. So you're not going to get a little pop-up of an email, you know, coming in or a tweet or whatever. It's literally a notepad and it comes with different types of, you know, virtual stationery. So different lines, items or layouts or whatever. You can upload PDFs or ebooks to it and read those as well if you wish.


GRAHAM CLULEY. Have you thought of buying a regular paper notepad? Have you tried one of those?


THOM LANGFORD. I have, you know, I used to be a fan of the old Moleskine books.


CAROLE THERIAULT. Oh, but I still am, as you well know, right, Carl?


THOM LANGFORD. But I have got cupboards full of them, and I can't find anything. With this, if you're writing in it, you can also convert your text, your handwriting, into text. Unless, like me, you've got the handwriting of a prison doctor. But, you know, aside from that, two-week battery, very, very slim, very thin. And actually, frankly, I think it's come of age. It's that great balance between I want a notebook, but I don't want to be carrying around this thing that's, you know, I want to have all of my notes all the time, and I want to be able to read a book occasionally or read an article, etc. But I don't want to carry my iPad because that's just going to be distracting. I'm not going to actually get the thing I need doing done.


CAROLE THERIAULT. Yeah, I'm still in the old school. I like having sketchpads, notepads. I like all that, but I can see the value.


GRAHAM CLULEY. There is some benefit here. If you can turn it into text and make it searchable.


THOM LANGFORD. Yes.


GRAHAM CLULEY. That's—


CAROLE THERIAULT. But how often do you write stuff? Like, I write stuff every day. I do a little list. I do a little list with squares, you know, like with little checkboxes every morning.


THOM LANGFORD. Absolutely.


CAROLE THERIAULT. And I write down all the stuff I got to do. And then I do a number check of like, I got to do this one first. I got to do this one second. I'm going to, you know, whatever. And then I go through my list. I'm an 80/20 normally, like I get no shit done, but not everything.


GRAHAM CLULEY. And because it's e-ink, it will work outside in the daylight as well, won't it?


THOM LANGFORD. Absolutely. Yeah, absolutely. There's no—


CAROLE THERIAULT. Like a pen.


THOM LANGFORD. Like a pen and a pad. That's right. And that was my pick of the week.


GRAHAM CLULEY. Crow, what's your pick of the week?


CAROLE THERIAULT. I actually chose this one for Thom, actually, because Graham will roll his eyes and fall asleep during this. This, but it's a podcast, a 12-parter sci-fi podcast called Solar. It's from a company called Kirkco, came out in April this year. Okay? And here's the gist. So, the mission, you're on a mission. There's a manned solar research probe that is sent to explore temporal distortions around the sun. But disaster, of course, strikes, right? And now the crew are both disconnected from Earth, trapped in separate parts of the spacecraft, and they're facing some dire crunches if they don't get their chickens in a line.


GRAHAM CLULEY. They took chickens with them?


THOM LANGFORD. What? I was going to say, why did they take chickens?


CAROLE THERIAULT. Actually, they don't take chickens. They take ants. They take ants. But it's a top drawer cast.


THOM LANGFORD. You've got Stephanie Beatriz from Brooklyn Nine-Nine.


CAROLE THERIAULT. Exactly. Alan Cumming, Helen Hunt, Jonathan Banks. There's super strong writing, great soundscaping, and it's a bit of an emosh ride, which is why I wanted to bring it up today too, because we talked about emotional AI. I wouldn't say it's as good as my all-time favorite podcast of this genre called The Hyacinth Project, but this one comes close. So it's called Solar. Graham, don't even bother.


THOM LANGFORD. I'm going to give it a whirl.


CAROLE THERIAULT. Don't bother. There's time jumps in it. It will be complicated. You'll be like, I don't even know where I am. I don't know if I'm at the beginning. Why are there people? I thought they were dead. I don't understand. It'll just be, just don't, just don't. Everyone but Graham can do this.


GRAHAM CLULEY. Bit too timey-wimey for me.


THOM LANGFORD. Yeah. Yeah.


CAROLE THERIAULT. But it's called Solar. You can find it wherever you get your podcasts. And it is my pick of the week.


GRAHAM CLULEY. Fantastic.


THOM LANGFORD. I think my kids would like that as well, by the sounds of it.


GRAHAM CLULEY. Now, Carole, you've been chatting to our good chums at Bitwarden this week, haven't you?


CAROLE THERIAULT. So I spoke with their founder and CTO, Kyle Spearrin, and he tells us all about how Bitwarden's approach to password management is maybe a bit cooler than everybody else's.


UNKNOWN GUEST. Take a listen.


CAROLE THERIAULT. So today, a treat, listeners. We have Kyle Spearrin, founder and chief technology officer at Bitwarden. Thanks for taking the time to speak to us today. I bet your schedule is busy.


UNKNOWN GUEST. Thanks, Carole.


CAROLE THERIAULT. So Kyle, you founded Bitwarden. Now, may I ask you to cast your mind way back and what was the problem that you spotted and that you wanted to fix? I basically want the origin story.


UNKNOWN GUEST. I was a user of other password management tools for many years. Password management was not necessarily a new concept at this time, and I had been using those tools for quite a while. There were things that I thought I could do better or improve upon, obviously, and many were doing certain things well. There were other things they maybe weren't doing so well. Some had complicated installs and setup procedures, and they weren't across the platforms that I wanted. There were open-source options, but they were fragmented a bit in their implementations, so you had to try to figure out which ones were quality and which ones could you trust. So I set off to kind of build Kyle's password manager, if you will. And this was back in 2015, 2016 timeframe. And I kind of wanted to really appease the desires of someone like myself, I guess, which is a developer and an engineer, a technologist, and while also bringing in some of the aspects that I saw in other tools that made them a bit more turnkey and and simple to use, you know, for kind of the greater audience.


CAROLE THERIAULT. It gives you a lot of flexibility to learn from predecessors who may have heavy-handed certain aspects where you could be much more light-footed.


UNKNOWN GUEST. Yeah, I don't think that I necessarily invented anything. I saw a lot of what others were doing, and some were doing things well and some were doing things not so well in other areas. And I thought that I could kind of bring the best of both worlds together. I guess it was about late 2015, early 2016 at this time, I set out to build the first iteration of, I guess, of what would become Bitwarden. At the time, I was working for another company in a full-time role. So this was more of a side project, if you will, of an idea that—


CAROLE THERIAULT. Project of love.


GRAHAM CLULEY. Yeah.


UNKNOWN GUEST. That I had. And also, my background was mostly in web development and architecture at the time. I was building cloud-powered web apps and such. And I had actually never built a browser extension or a mobile app or a desktop application before in my career. So I think, in fact, Bitwarden is still the only mobile application I've ever built before, albeit two or three times over by now. But I've always really also enjoyed opportunities to kind of learn new technologies to solve a specific problem that I'm working towards. So I think I was moonlighting it for, I don't know, I guess about 7 or 8 months building these apps. I was also a new father at the time. I had my first son during this time.


CAROLE THERIAULT. So you had loads of free time.


UNKNOWN GUEST. I wasn't getting much sleep, I guess, if you want to put it that way. Ended up launching the first iteration of Bitwarden, I guess it was in August of 2016 is when those first apps came out. I posted it on Reddit and Hacker News and Product Hunt and other social outlets like that. To my surprise, it got really great traction right from the get-go. I was getting great feedback right out of the gate from people. But I guess it turns out that a lot of people viewed the problem in a very similar way, I guess, and what I had launched and how I had launched it, and it resonated with them.


CAROLE THERIAULT. Yeah, we doubt that a lot, right? When things really frustrate us, we should always remember at least 25% of other people out there that feel exactly the same way.


UNKNOWN GUEST. Yeah, yeah.


CAROLE THERIAULT. So you coming out of the gates in 2016, you have like 4 years to find your feet before the whole world does a little weird 180 and suddenly people are working from home and companies are suddenly facing new challenges all over your customer base, your prospects. Were you guys prepared for that in a way that was better than others, do you think, because you were working in password management and like remote access is key?


UNKNOWN GUEST. Yeah, yeah. So certainly the pandemic was a bit of a shock when it first all happened, you know, and companies were scrambling to try to figure out the best way to adapt to the needs of what's happening and people staying home. Although there was a bit of a freeze in trying to figure out what to do in the beginning, obviously tools that facilitated the use of remote work and how people operate in a remote fashion ultimately benefited somewhat from that kind of shift in the way people are operating. And that was certainly the case for tools like ours. As employees are now staying home and the threat level switches from being in the office all the time to now kind of being a lot more fragmented and people connecting outside of the company network and having to access a lot more tools and things where passwords are necessary. It worked out a bit in our favor as opposed to what problems our tools were solving. And I think that password management has certainly become a bit more of a focus for companies and the like to add another tool of mitigation towards the threats that they see as a business.


CAROLE THERIAULT. Yeah, it kind of made the whole idea of secure access, like put it in bold and double underlined for a lot of companies when all that happened. So maybe you could tell us a little bit about Bitwarden services. So you guys have a password manager, but it's slightly different than everybody else's.


UNKNOWN GUEST. Yeah, so we've tried to, as I mentioned, take the best— in the beginning, in the origin, I took a lot of the best things from the different tools that were out there, at least in my mind. But we try to put a little bit of a spin in what we're offering that's a bit different than some of the other options that are out there. I'm not some famous technologist on the internet with a huge Twitter following. So I was looking for ways to— why should people trust our tool and this person that built this tool to store your sensitive data and passwords there?


CAROLE THERIAULT. Ransomware.


UNKNOWN GUEST. And being a developer and a technologist, understanding, you know, some of those problems, I thought open source would be a really good way to approach that problem. And to this day, open source is how we operate as a company. All the tools that we develop and build are all done in the open and transparent about what we're doing. So I chose open source in the beginning to ensure, you know, transparency in what we're I believe that open-source transparency really is around security products like Bitwarden is somewhat of a requirement for these kinds of solutions. And people should have the opportunity to vet how their tools and their sensitive data is being handled by a product. And with open source, what I didn't really foresee was the community aspect that naturally came along with being an open-source product. With open-source development, for an application like Bitwarden, you can't help to form a community of people who are interested in what's being built. And we get a lot of feedback from our community and we listen to our community. Much of the fundamentals of how Bitwarden was built are based on the feedback that we get from our community. So open source really enables us to attack the problem from a different angle that really none of the other solutions or the leaders out there around our type of product are really doing. And it's also enabled us to, you know, develop additional features because we're open source that, you know, naturally play into what we're doing. So we're a SaaS-hosted platform turnkey solution that you can just sign up for. But another great aspect of our product is that you can— it's bundled up in a way that you can host it yourself if you need to. So our product is compiled and deployed to you through, you know, platforms that allow you to host it on your own internal network and infrastructure, if that's the way that you operate and you don't want to, you know, use our hosted solution.


CAROLE THERIAULT. It's pretty amazing, I think, because there's still a lot of companies out there, like, so this is a hard question for me because I'm totally bought into password management. I think it's a key, key fundamental thing, and I can't believe there are businesses out there that haven't caught on to the magic. And, you know, that literally it can make life easier for everybody, not just for the IT folks, not just for the high levels, but for the employees as well.


UNKNOWN GUEST. Yeah, so Bitwarden's goal is always to really meet you where you are. Adopting password management shouldn't be some life-altering decision that you have to make. And we're humans and we're creatures of habit and we don't like change. And I think Bitwarden understands that. And in a perfect world, Bitwarden's not really getting in your way. It's not really changing how you use the internet on a daily basis. It's there to help you when you need it, and when you don't need it, we're out of the way. And there's battle between convenience and security in the security world all the time.


CAROLE THERIAULT. Yeah.


UNKNOWN GUEST. And I'm of the opinion that convenience will always win. People will always choose convenience over security. So as a security company and someone building security products, you have to really be mindful of that. If it's not convenient, people don't want to adopt it and there's friction there, they're not going to use the tool and they're not going to do things in a secure way. So there's always a trade-off you have to make, I feel like, somewhat between security and convenience. But with a tool like ours, it can also just be a big boost in productivity as well for people. You know, just think about how much time you spend, you know, resetting passwords and trying to remember what your passwords were and talking to the IT admin to reset your password for this system and dealing with, you know, password changes all the time and things like that. Um, you know, once you get the hang of using our product, kind of how it works itself into your flows that you already use, it can be a real boost in just general productivity as well for users.


CAROLE THERIAULT. I couldn't agree more. Now, listeners, you can find out loads more information at bitwarden.com/smashing. Like, you'll learn about Bitwarden's customizable features. You will see Bitwarden's open-source password manager. Plus, you can unite your existing systems with Bitwarden using SSO authentication, directory services, or powerful APIs. Why not get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing or just try it for free across devices as an individual user. Your choice. That's bitwarden.com/smashing. Kyle, is there anything else you'd like to add before we close our chat?


UNKNOWN GUEST. Yeah, so if you're not using a password management tool yet, or maybe you already are using a password management tool, um, I would suggest you check out Bitwarden. Um, you can go to our website and check out different client applications that we offer and our approach to how we build software and how we deliver that to you in the ways that we think work. And give Bitwarden a try and see if it can make your life better.


CAROLE THERIAULT. Well, there you have it. Thank you so much, Kyle Spearrin, founder and CTO of Bitwarden. Thank you for your time today.


UNKNOWN GUEST. Thanks, Carole.


GRAHAM CLULEY. Terrific stuff. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


THOM LANGFORD. So you can get me on Twitter @ThomLangford. That's Thom with an H, because Twitter would let me have an H. And you can also check us out at hostunknown.tv for podcasts, films, and a whole bunch of other stuff. So yeah, check me out.


GRAHAM CLULEY. Super. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And of course, huge shout out to this episode's sponsors, Bitwarden, Kolide, and Snyk. And of course, to our Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 280 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


THOM LANGFORD. Bye. Stay secure, my friends.


CAROLE THERIAULT. See-saw by day, see-saw by night.


THOM LANGFORD. No, I just love ripping off Jav's tagline.


CAROLE THERIAULT. Okay, we made it, man.


THOM LANGFORD. That was very good.


GRAHAM CLULEY. Bravo. It was very good.


THOM LANGFORD. Was that all right? You're not gonna have to cut too much of me out?


CAROLE THERIAULT. No. Uh, no.


GRAHAM CLULEY. Thom behaved himself.


CAROLE THERIAULT. It's a first.

-- TRANSCRIPT ENDS --