A self-proclaimed "super hacker" causes problems in the Magic Kingdom, criminals regret trusting Anom phones, and lawsuits are filed against TikTok.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
Plus don't miss our featured interview with Scott McCrady, the CEO of SolCyber Managed Security Services.
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Episode links:
- Official Disneyland Instagram Account Hacked This Morning! — The Disney blog.
- Disneyland social media accounts hacked, offensive messages posted — Hot for Security.
- We Got the Phone the FBI Secretly Sold to Criminals — Vice.
- Parents Sue TikTok, Saying Children Died After Viewing ‘Blackout Challenge’ — The New York Times.
- Lawmakers Want Social Media Companies to Stop Getting Kids Hooked — Wired.
- How Social Media Tricks Us Into Thinking We Are Paying Attention — Forbes.
- Facebook could be sued for addicting children under California bill — Ars Technica.
- Kids Are Using Social Media More Than Ever, Study Finds — New York Times.
- 2021 Facebook leak — Wikipedia.
- California Parents Could Soon Sue for Social Media Addiction — Gizmodo.
- Absurd Trolley Problems.
- Weird or Confusing.
- Google Quick, Draw!
- Unfinished London — Jay Foreman on YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- The Secure Developer – A conversational and insightful podcast, that bridges the gap between dev and sec, from Snyk.
- SolCyber - SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Why do they think that's a good idea, to play the same song over and over again? Over and over again. Over and over again.
GRAHAM CLULEY. Smashing Security, Episode 283: Disney's social dumpster fire, Anom phones and TikTok tragedies, with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security episode 283. My name's Graham Cluley.
CAROLE. And I'm Carole Theriault. And this week on the show, Carole, who do we have lined up? We have the wonderful Anna Brading. Welcome, Anna.
ANNA BRADING. Oh, hello. Thank you for having me. Thank you for making the time out of your busy schedule, actually. I am very busy, but, you know, always make time for you too. Do you have a busy schedule, really? I mean, what sort of things? I mean, I have to clean the house. I mean, I basically don't do anything, Graham. I think you're fine. I do a lot.
CAROLE. She does do a lot. How about we get this show on the road and thank this week's sponsors, Bitwarden, Snyk and SolCyber. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM. I'm going to be talking about a super hacker living in a very small world.
CAROLE. Okay. Anna, what about you?
ANNA. I'm going to be talking about the Anom phone.
CAROLE. And I am going to see how we can hold social media giants accountable. Plus, a great featured interview with Scott McCrady. He's the CEO of SolCyber, and he talks quite frankly about cyber problems specific to small and medium-sized organizations. Very interesting stuff. All this and much more coming up on this episode of Smashing Security.
GRAHAM. Now, chums, chums, I'm going to start, as I quite often start, one of my sections with a little bit of a song or some poetry.
CAROLE. Okay, hold on, I'll just get the mute button. That wouldn't actually change anything. That would just mute me, wouldn't it?
GRAHAM. Yeah, just mute you. Stop you from joining in. Darn it. "It's a world of laughter, a world of tears. It's a world of hopes and a world of fears. There's so much that we share that it's time we're aware. It's a small world after all." Was that the Shatner version? I couldn't remember the tune at first. It's a song that will strike fear into the hearts of many. I've often woken up in the middle of the night in a cold sweat, having a Vietnam-style flashback to the time I found myself at Euro Disney, tormented by that tune.
ANNA. I was there. I was there with you. You went to Euro Disney together.
GRAHAM. We did. Well, we went there for work, didn't we? Yes. We went there for work. We went to give a talk.
CAROLE. I see.
We had to give a talk in the amphitheater. It was really quite scary because kids were all the way up, way above us, all around us. There were 1,500 of them.
CAROLE. You gave a talk to kids?
GRAHAM. Yes. It was a steep incline, yes. It was a Nuremberg-style rally that we were the guest stars at. And we had a bad experience. Do you remember the bad experience I had, Carole, at Disneyland?
CAROLE. What, that I talked you into coming on to a really cool rollercoaster?
GRAHAM. Yeah, so you said there's this thing called Space Mountain, and I didn't know what Space Mountain was. I thought, oh, we're going to sit in a little train or something, and we go chug, chug, chug, and it'll be just a gentle funicular, is what I imagined.
ANNA. I don't know what Space Mountain is. I've never been to Disneyland. Tell me, Graham.
GRAHAM. It's hell. It's hell. It starts off. It starts off pleasant enough. A funicular, you're in a little train going up a slope. And I think, well, this is fine. This is very nice. We're going up a mountain. But then it careers inside the mountain in the dark, rollercoastering around, upside down at high speed. And you don't know which direction to vomit in. It is the most unpleasant experience ever. But memorable.
CAROLE. You're welcome for that memory that I gave you.
GRAHAM. Still vivid. I had to have a sit down with a fizzy drink in order to feel better afterwards, as I recall.
ANNA. And that's not you, is it?
GRAHAM. No, no, exactly. It was extreme circumstances. So other people have had negative experiences at Disneyland. It's not just me. For instance, one chap who has is someone who's possibly the greatest hacker turned biological weapons engineer that the world has ever seen.
Okay, carry on. David Doe, or maybe it's David Do, if that is his real name. He is, of course, as we all know, the person who created COVID-19. I know he created COVID-19 because he posted a message on Instagram announcing that he was responsible for it.
CAROLE. Yes, you remember this?
GRAHAM. I don't. I don't. I was obviously doing something important at the time.
He's also posted on Instagram that he's now working on a follow-up virus, that difficult second album, that he has called COVID-20. Now, despite being... 2022? Yeah, exactly. Despite being a biological weapons expert, he hasn't twigged that COVID-19, it's called COVID-19 because it came out in 2019, rather than it being the 19th version.
ANNA. Maybe it is the 19th. Did he invent the other 18 before that?
GRAHAM. And they just flopped. He just put them into beta but didn't fully release them. Maybe. Who knows? But it's a bit like Windows 95. It wasn't the 95th version of Windows. Although Windows 3, you know, that didn't come out in 3 AD.
So it's confusing sometimes, version numbering, isn't it? Companies can be inconsistent.
Anyway, David Doe, he went to Disneyland, he says. And he claims that some of the staff were rude to him.
Maybe they mocked him for his version number for his virus. I don't know.
And he doesn't go into specifics as to how they were rude, but he got very upset. And that is why he plans to release a brand new virus of the coronavirus pandemic.
This is what he posted on Instagram. And he makes these claims on both Facebook and Instagram.
And normally I'll tell you to ignore everything you read on Facebook and Instagram, right? I'll tell you, look, it's probably not true because it's been posted on Facebook and Instagram. It's probably the reverse is true, whatever you're reading.
ANNA. That's what you would say.
GRAHAM. Yeah, that's what I would say.
ANNA. You're part of the mainstream media.
GRAHAM. Well, should you believe anything in a podcast? In this particular case, he posts those messages, including some rather racist and homophobic things. Not from his own Facebook and Instagram accounts, but instead the official social media account of Disneyland.
CAROLE. So what, he hacked in?
GRAHAM. Yes. He hacked into the official social media accounts of Disneyland on Facebook and Instagram, posting about coronavirus 20, which he's been working on in his lab release, and how he was insulted and various unpleasant things of a racist and homophobic nature.
Now, it's very hard to know if David Doe was really the person who did this. He claims his name is David Doe, or David Do. Probably not both, not Do Doe.
ANNA. So what you're saying is poor David Doodoo has been working on the next version of coronavirus and someone has hacked into Disneyland social media accounts and they're framing him.
GRAHAM. They also posted a picture of someone who claims to be David Doe or David Doodoo, but who knows who that is? I mean, it's not the normal behaviour of a hacker to post his photograph as well as his name when he does this.
So we have to be a little bit suspicious as to whether he's really the one responsible for the defacement. It may be an innocent party who he's naming here, but it does provide a potential clue worthy of investigation.
Should law enforcement agencies be so inclined? I mean, they're probably busy, right? They're probably investigating who created coronavirus or who hacked the Instagram account of Disneyland. You know, maybe the same team are working on it. I don't know.
CAROLE. I kind of feel maybe David Do is suffering from a bit of mental issues, perhaps.
GRAHAM. Well, which can be caused, of course, by going to the Disney resort and hearing that do-do-do-do-do-do-do-do-do. And maybe he went on Space Mountain as well. You know, my brain was fairly rattled by that. Never recovered.
ANNA. I understand. That's why I'm here. Explains a lot.
That's why I'm here. I had this at Legoland. I don't know if you've seen the Lego movie, Graham.
GRAHAM. Oh, yeah.
ANNA. Everything is awesome. That song. Just over and over.
And I stayed there when it was sweltering heat. I stayed in the hotel and just for 48 hours, I just had that constantly. So I understand your pain.
CAROLE. Why do they think that's a good idea to play the same song over and over again? Because my child loved it. I hated it.
ANNA. They're making them addicts.
GRAHAM. I've stayed in the Lego hotel as well. And it's horrendous.
ANNA. It's just a lot of stimulation at all times. It's just too much. If you're over four foot tall, then you're not going to enjoy it.
CAROLE. I know. Did it crawl in everywhere?
GRAHAM. I don't know. It's just all a bit bright and noisy.
CAROLE. Anyway, we digress, Graham. We digress. Sorry.
GRAHAM. So this attacker, he claims to be a super attacker. I think that's probably about as accurate as his claim that he created COVID-19.
It's much more likely someone at Disneyland was sloppy with their password. Maybe they got phished. Maybe they used the same password as somewhere else. Maybe they hadn't enabled multifactor authentication.
CAROLE. I thought we were gonna play that game of guess what the password for the Disneyland account was.
GRAHAM. It's disappointing isn't it. It was probably something fairly goofy though I think we can agree.
CAROLE. Of course.
GRAHAM. Millions of people follow these accounts and some of them weren't very happy and they were saying it's outrageous, I've been grossly offended by these messages. And Disney have now secured the accounts and they are conducting an investigation with their security team.
And you can imagine that Disney security team, they're going to be pretty shit hot, aren't they? Well, they probably aren't shit hot. You can't use words like that on Disney, but they're going to be pretty tough. They're going to go in and try and get to the bottom of it.
So this can happen anywhere even in the Magic Kingdom. Everyone needs to be on their guard for super hackers like David Doe.
CAROLE. He doesn't sound like a super hacker.
GRAHAM. He claims it, Carole. I mean, why would we disbelieve him? Why would we disbelieve him?
CAROLE. Maybe he just needs a hug and a sandwich or something. I wouldn't—
GRAHAM. I always recommend hugging a hacker.
CAROLE. Oh yeah, especially in COVID times. Hug a hoodie, hug a hoodie hacker hashtag.
GRAHAM. Anna, what have you got for us this week?
ANNA. So Graham, Carole, imagine that you're a master criminal. Are you in character?
Yeah, so you need a way to get in touch with your other master criminal friends. Maybe you need to set up your drug deal, maybe you need to order a hit on someone, Carole, anyone you're thinking of?
Yep, I am definitely. You got a picture in your mind?
Yeah, so how are you going to do that? You're not going to do it on your regular iPhone, maybe your Nokia 3210. That's not going to cut the mustard, is it?
So you know what you need? A pigeon.
Do they, can they order hits? I mean yeah, carrier pigeons could carry the message over, send the message.
That's true, okay fine. So the end of my story, that's it, done.
GRAHAM. No, what have you got for us this week?
ANNA. If there are no pigeons, all the pigeons are dead, I don't know what I would do. Imagine your pigeon, your carrier pigeons died.
Okay, you need an ANOM phone, except the ANOM phone isn't exactly what it seems. It looks very normal, so it could be a Google Pixel. It can be unlocked with a PIN just like all phones are. It has apps on it like Tinder, Instagram, Netflix, except the apps don't work and tapping on them does nothing.
So they're more like a sort of wallpaper covering over a secret door. So if you reset the phone and you type in a different PIN, it opens up the secret door into a separate section of the phone with different apps like a clock and a calculator. And the calculator is another front, and opening up that app takes you to another login screen.
It's very complicated.
GRAHAM. On the calculator, do you have to enter 5138008 and turn it upside down so it says boobies?
CAROLE. Yes, you do. 6006, which wouldn't work at all.
GRAHAM. That's your boobies, girl. That's not going to work.
ANNA. Isn't it poop? Mine's more like 1-0-0. Oh no, hold on, ignore that.
GRAHAM. Can we stop entertaining the listeners with ASCII art of your breasts, please? It's not going to work.
ANNA. I'm sure there's an app where you can upload pictures and get it to turn into ASCII art. I'll do that.
GRAHAM. Links in the show notes.
ANNA. On it. Back to the calculator.
So I think you do have to type in something to get it to open up the special login screen, which logs you into the ANOM messaging app. Very cool.
So the app uses XMPP to communicate, which is pretty standard for instant messaging, but then wraps those messages in a layer of encryption. And XMPP works by having each contact use a handle that looks like a sort of email address.
But one of the contacts in the ANOM phone, handily for the criminals, for you Carole, is a customer support channel that you can use if you're having problems with your phone. But another contact is one called Bot, which works like a ghost contact and hides itself from the user's contact list. So they wouldn't even know it was there.
And Bot is sneaky. It does things like copy users' messages along with any location information it can gather. So in many cases, that was actually the precise GPS location of the device when it sent the message.
GRAHAM. What could possibly go wrong?
ANNA. I know, right? So it's a bit like when those people were Zoom bombing at the beginning of COVID, but just with fewer boobs and a bit more stealth.
It just sort of hangs out and listens and then sends everything back to the FBI. And the end-to-end encryption doesn't need to be broken because Bot is inside the walls sending the information back.
GRAHAM. So the FBI are running ANOM or they've compromised the Bot? They're running ANOM, right.
ANNA. So Bot is what the FBI is using and other law enforcement to eavesdrop on the criminals, take their messages and take the GPS location as well.
CAROLE. So why do the bad guys get a hold of these phones? So they, on the street, they're the best?
ANNA. Yeah, I mean I guess there are other phones like that that we've seen organized criminals using before, but I guess it's just one of many.
But last month, the FBI announced hundreds of arrests as a result of the ANOM phone and said that they had intercepted 27 million messages from 11,800 devices. So it's like big time drug traffickers and they seize a load of stuff like weapons, cash, drugs.
One of the drug deals apparently included smuggling cocaine in cans of tuna and hollowed out pineapples. But other interesting things on the phone: so it allows for PIN scrambling, so it rearranges the numbers so it's much harder for someone watching you to work out what you're typing in, which I think all phones should have.
And there was a status bar at the top of the screen which had a shortcut to wipe your phone. And you could also set a wipe code that you type in from the lock screen, which wipes the phone.
So when the police say, "Hey, what's your PIN?" you say the secret PIN code and that wipes your phone.
CAROLE. You know, I just did the maths on your numbers. For each phone, that's 2,500 messages or so on average. So I'm surprised they can do anything else but sit there on their phones.
ANNA. Well, they probably have a similar screen time to me, Carole.
GRAHAM. It would be quite fun to look at a criminal's phone, wouldn't it? Because even if they're, well, yes, because I suspect we all imagine that it's always like, have you got the hollowed out pineapples or whatever?
They're talking about the drugs deal. We have their secret language. But I'm sure there's also a fair amount of sharing cat GIFs and just jokes and all the social media memes. Texting their wife.
CAROLE. Right. Okay, so I'm guessing Anom is going to tank now with this news story. They've lost that phone.
GRAHAM. Well, the FBI will just rebrand it, I suppose, won't they? They'll just come up with some other name.
For all those people annoyed that the Anom phone was run by the FBI, here's the new FBI phone or something. They'll just give it a different name. They'll never guess. They'll run the same scam again. What a brilliant way it is to snoop on criminals and what they're up to.
ANNA. Well, it means you don't have to break into the phone, doesn't it?
GRAHAM. Very crafty. Very crafty. Have you bought one of these, Anna?
No. Because you've always reminded me a bit of a gangster's moll. Because, you know, you live down in Reading and things, which is a bit dodgy. What was my nickname? Chugsy Malone? Chugsy Malone. Links to the ASCII art in the show notes. Anyway, moving on. Carole, what have you got for us this week?
CAROLE. Last week, the New York Times reported that parents, two sets of parents, had just filed a lawsuit in a Los Angeles court, calling out TikTok for how it affected their young daughters. And the suit revolves around the blackout challenge videos. Do you know anything about those?
GRAHAM. I don't know about them. Oh, my goodness. I think I may have read something about this. Is this where kids are trying to encourage each other to sort of do a Michael Hutchence?
Yeah, to asphyxiate themselves. And, of course, some people actually hurt themselves as a consequence or die even. Is that right?
CAROLE. Exactly. Exactly. So it encourages people to intentionally hold their breath until they pass out due to lack of oxygen.
Oh, my God. And now brace yourself. These girls, okay, these girls were eight and nine. Oh, my God. Okay? And they both died. For God's sake. Eight and nine. I was playing with my Lite-Brite toy and trying not to, you know.
GRAHAM. I loved that. The mind boggles what a Lite-Brite toy is, but yeah.
ANNA. It was Lite-Brite here, I think.
CAROLE. Right. No, come on, Graham. Don't make it gross.
I don't know what a Lite-Brite toy is. You had these little plastic kind of coloured nibs that you would put in perforated paper, and then you'd light it from the back. So it'd be on a dark black background, you'd have these little lights. A bit Christmas tree, basically. Yeah, it was very cool. It was cool. The light bulb was very hot and you'd burn yourself on it. So, you know, 1970s toy. Fires all over the place. Exactly. Now, the suit claims that TikTok knew or should have known that its product was addictive and that it was directing children to harmful content. Okay. And the suit highlights this For You page on TikTok, saying that it showed a stream of videos selected by an algorithm developed by TikTok that is based on a user's demographic, likes, and prior activity on the app.
ANNA. Yeah, it's the feed, isn't it? The For You page, I think. Right.
CAROLE. So how the heck does this get into an eight or nine year old girl's feed? So what's interesting is after one of the girls' deaths, the police looked at her device and told the guardian that she did not commit suicide.
According to the lawsuit, a police officer showed the videos of the blackout challenge and said the girl had been watching the videos on repeat. Oh, no. She did seem to be online a lot. The article talks about a 20-hour car ride where she was effectively online the entire time, hoovering up things TikTok. So, okay. So, right now at this point, I would say to you, what does your brain say? Do you feel TikTok is responsible in some way or not responsible at all?
ANNA. I think TikTok is definitely responsible in some way. It's difficult. I mean, they're obviously built to be addictive, aren't they?
A 20-hour car ride on TikTok is difficult, isn't it? But then also, kids are so annoying in the car. Kids are so annoying. You know, sorry, that's what I meant. It's really hard. It's awful.
GRAHAM. Just put them on Space Mountain for 20 hours. That's what I'd recommend.
ANNA. Yeah, subject them to everything is awesome.
CAROLE. Well, TikTok is kind of, I would say, ducking from blame. Let me see what you guys think. So according to the New York Times, this has been the response so far.
So, quote, this disturbing challenge, which people seem to learn about from sources other than TikTok long predates our platform and has never been a TikTok trend. And it linked to a federal report about deaths from a choking game from 1995 to 2007. Then they say, we remain vigilant in our commitment to user safety and would immediately remove related content if found. Our deepest sympathies go out to the families for their tragic loss.
ANNA. I feel just because it happened all those years ago, it doesn't mean that you can sort of wash your hands of it if it's right.
CAROLE. Yeah I was gonna ask you guys to rate the sincerity of their sympathies there.
ANNA. Zero. Yeah exactly. What's the age range for TikTok? Because Facebook and Instagram is 13 isn't it? I don't know what that's, that's interesting. I don't even know that answer.
GRAHAM. I would think you have to be 13 plus.
ANNA. I was at a park the other day and a dad was filming his children that were very much younger than 13 doing TikTok dancing.
GRAHAM. I think you have to be over 13 and under 23. I think there should be an upper age limit for some of these apps because I see grown men who are addicted to TikTok as well. I just think, for God's sake, you know, really.
ANNA. I can't get into it.
CAROLE. Yeah, it seems to be 13 and above. So that's interesting. I didn't consider that before. That's an interesting point. But I mean, parents are worried, right?
Parents are worried about their kids being online all the time. And in fact, there's a new social media bill that California is currently working on.
And it's kind of interesting because of how it's going to approach social media giants. So the bill is aimed solely at social media companies that make more than 100 million in the previous year.
So the big guys. And the bill is trying not just to protect those under 13, but all kids.
So what they're claiming under 18s. And their argument is basically this, or one of their arguments certainly is like social media platforms earn substantially all of their revenue through ads.
And the more time users engage with the platform, the more ads the user sees, and the more valuable they become to the advertiser, right? And ipso facto, addicted consumers are particularly profitable because of their consumption behavior.
For these profit-driven reasons, social media platform companies intentionally invent, design, and deploy features that are intended to make it hard for users to stop using the platform.
ANNA. Which makes sense, right? Yeah, there was that research not that long ago about how Facebook intentionally designed it to be addictive.
I'm sure they all do. The Facebook files.
CAROLE. That's right. Right. Let's segue to that a bit because the Facebook files basically said that Facebook was absolutely aware that it had a negative impact on teenage users of Instagram.
And harmful content had been known to be pushed through Facebook algorithms reaching young users. They were aware of that.
And that included anorexia posts and self-harm photos. So California is trying to deal with this by saying that when a social media platform creates designs or implements or maintains features for users, including child users, right, that the company knows is addictive to children, they should be held liable for the harms that result.
And that's interesting because there's other bills out in the States that are going on. There's one in Minnesota that would prevent platforms from using recommendation algorithms when it's targeting children.
And in the US Senate, there's a sweeping bill called the Kids Online Safety Act, which would require social media companies to create tools that allow parents to monitor screen time or turn off features like autoplay. But I think that the US Senate bill seems to make it the parents problem.
GRAHAM. I think parents play their part, but so do the social media companies as well. There's some social media sites, some video playing sites, YouTube, for instance, there's a YouTube kids, isn't there?
Which I think is supposed to be a more pleasant, friendly place for kids to hang out. I'm sure that occasionally some bad stuff might sneak through there.
ANNA. But do you know if there's ads? No, there isn't ads.
Oh, they're not? No, but there was a video that we wrote about the other day.
I think it was a horror show, but it was called something for kids or something and YouTube just passed it through and then they couldn't reclassify it. It was really hard to reclassify it as not for kids, even though the developer was like, hey guys, this is not for kids.
So yeah, it's all difficult.
CAROLE. It is. There's this child advocacy institute at the University of San Diego and they say that parental controls can't be the answer to what effectively seems to be an addiction, right?
They compare it to tobacco companies giving parents nicotine patches to have them halt their kids smoking.
GRAHAM. There's a bit of me which thinks wouldn't it be great if these social media companies rather than funding themselves through advertising actually got you to buy a certain amount of access to their site. So you might say I would like to pay you ten dollars per month in order to access I don't know twenty thousand videos or however many it is that you want.
However many it is, right? To see you by that requirement.
And then once you hit that, in order to see more than however many videos, because TikTok, I think you can just swipe through them really quickly. If you want to see more, then you're going to have to pay more and then you can control the addiction a bit.
And I think that's a great idea until you begin to think, well, hang on, what about people who don't have very much money and might feel like they're being excluded from social media and aren't able to get information because they cannot afford to pay. I mean, we pay for our cell phone data, don't we?
And we don't have a problem with that. It's not like our cell phones are interrupted when we're on mid-call with an advert or here are other similar phone calls you might have enjoyed.
Maybe you'd like to listen to other people's calls. There isn't anything like that.
So you pay for however much data that you require.
ANNA. Yeah. And you pay for Netflix, you pay for Disney Plus, you pay for all that.
GRAHAM. So it's an understandable subscription model. So maybe something like that would be better.
But how you'd enforce it and how you'd make sure there isn't some digital divide, meaning that people who don't have the funds can't participate. That's where it really gets problematical.
But ads generally and what that causes these tech companies to do in terms of targeting is really, really ugly.
CAROLE. You know, in the 2020 leaked document from Facebook, inside the document, there's a question. Why do we care about tweens? And the answer to that question is they are a valuable but untapped audience. Right? So they're all over it because of money. So in short, until there's legislation that can catch up with these social media kingpins who seem happy to make a buck, even if it's from a tween, parents might have to do their best to control the content flow. Don't trust social media giants to do the right thing by you and, more importantly, your kids. Because they're not going to do it unless they're forced. Just like Graham, right?
GRAHAM. I'm not going to do what unless I'm forced? Be nice to me. Oh, well.
ANNA. Go on, Graham. Say something nice. Carole, I think you're fabulous. Thanks, Matt.
GRAHAM. Like all of you lot out there, we love security podcasts, and we want to bring one to your attention today that you may want to check out. The Secure Developer is a conversational and insightful podcast that bridges the gap between dev and sec. Hosted by Guy Podjarny, one of the guys behind Snyk, The Secure Developer is a security podcast that developers will enjoy listening to and learning from. They've already released over 100 episodes, and I think many of you would like it too. So, what are you waiting for? Check out the Secure Developer podcast from Snyk at smashingsecurity.com/thesecuredeveloper. And thanks to Snyk for supporting the show.
CAROLE. Not only does Bitwarden offer enterprise-grade security, conducting regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards. This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. That's bitwarden.com/smashing. Or you can try it for free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.
GRAHAM. They include ransomware assessment and training, advanced email protection, endpoint detection and response, Active Directory abuse prevention and lateral movement detection, and 24/7 security operations center capability. As a SolCyber foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums. Mention Smashing Security and you'll get one month free for every 12 months you subscribe to SolCyber's foundational coverage services. Visit smashingsecurity.com/solcyber to learn more. That's smashingsecurity.com/S-O-L-C-Y-B-E-R. And thanks to SolCyber for sponsoring the show.
And welcome back and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something - it could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
My pick of the week this week is not security related. My pick of the week this week is all about the trolley problem. We've spoken about the trolley problem before on past podcasts. If you remember the trolley or the tram as maybe we call it in the UK, you've got it coming down a line and it's about to run over someone, and you've got a lever which means that you can push the trolley or the tram onto another track and maybe there's a grandmother on the other track or something. You've got a young person on one track, grandmother on the other. Are you going to pull the lever or not? And it gives you this interesting moral dilemma as to whether you kill six people or kill one, kind of thing.
Now, if you go to the link I've included in the show notes to a site about absurd trolley problems, it will give you a selection of trolley scenarios. And they start off - it's animated. So you see the trolley coming down the track and you're given the opportunity to pull the lever. So for instance, it may be the trolley's heading towards five people. You can pull the lever to divert it to the other track, killing one person instead. What do you do? And it collects statistics.
ANNA. Their little mouths, they're screaming, their mouths are moving. It's so sad.
GRAHAM. So you're given these scenarios and then you see an animation of the trolley. And at first it's fairly easy and you'll probably go with the flow - you know, I'll kill one person rather than five, you know, that sort of thing. But then the questions get harder as you go through it. It then says, for instance, the trolley's heading towards five people, but on the other track is the original copy of the Mona Lisa, which will be destroyed. What do you do? You're an artist, imagine it's one of your works.
CAROLE. Yeah, one of my works.
GRAHAM. Would you have five people killed or?
CAROLE. Can I choose who those people are or is it random? I'm at one right now which is my life savings or five people. I'm keeping my life savings I think. Is that outrageous? Would you?
GRAHAM. I don't know. There's another one which says a trolley's heading towards one guy. You can pull the lever to divert it to the other track, but then your Amazon package will be late. What do you do?
CAROLE. Oh that one's obvious. I've got one here where I'm on the track versus five other people on the other track. Oh, I'm definitely doing nothing. I'm not dying. No, no, no.
ANNA. I was playing with this the other day because I saw it on Twitter and I was surprised about how much I did nothing. Even it. Yeah. Just couldn't be arsed. Story of my life.
When it was five versus four, I just thought, well, you know, I don't, if I do nothing, I don't have to take any sort of responsibility for it. So I could just. I don't want my fingerprints on the lever. Yeah, exactly. Ooh, five lobsters or a cat.
GRAHAM. Obvious, yeah. What you wrote, yeah. Obvious. Bye.
CAROLE. Lobsters, see ya. Dinner - give some to the cat. Good one, Graham, I like it. So.
GRAHAM. Absurd Trolley Problems, link in the show notes, is my pick of the week. Anna, what's your pick of the week?
ANNA. Okay, so also one in the show notes for you guys to click on. This is weirdorconfusing.com. So I always try and find something interesting for pick of the week, especially since you criticised my TV programme choice once, Graham. I haven't got over that yet. Yeah, you did. I think you said it was a rubbish choice. So yes, I thought I'd have a Google, see what I could find, and I found weirdorconfusing.com. So you can describe it - so I've dropped it in the chat.
CAROLE. Yeah do you want me to describe what I have. Yeah, you describe it. So I've got prison bed glasses to allow you to read or watch TV lying down. So first of all, when you go to the website. You haven't really described.
GRAHAM. What it is. Yes, you have to describe what weirdorconfusing.com is. No, you go back. Before you click the link, describe what happens first. Why don't you go ahead? You go ahead, Greg. So what's happened? Let me jump in. So okay. So if I click on the link, weirdorconfusing.com, I'm taken to a web page where it says, sell me something weird or confusing. And there's a little button and it's going to take me to a random place to buy something weird or confusing. Okay. So I'm clicking on it now and I've been taken on eBay. I've been taken on eBay to a book, which is called Crafting with Cat Hair. Cool things you can make with the hair of cats. Perfect idea for Carole. Perfect. Perfect.
CAROLE. Okay, I've just got one and I think this is just too marvellous. Very good, Anna. So this is nose aerobics basketball glasses game.
ANNA. Perfect. It's - see, present ideas galore. Yeah, you are going to be spoiled on.
CAROLE. Your birthday, which is coming.
ANNA. Up. So I too, the cat hair one, because you can - you basically take the cat's stray hair and you can - it's a book that shows you how to put it into soft and adorable handicrafts. And it's summer at the moment, cats are losing hair all over the place. Also one for you, Graham, maybe. Subtle Butt. What? Subtle Butt. So it's a fart pad you put into your pants and it neutralises your bum odour. Why would you? It says simply stick one in the right place and you're ready for a chilli cook-off and an all-you-can-eat Indian buffet.
GRAHAM. Why would you say that on the - why would you say that on the podcast? Sorry, Graham, but it's...
ANNA. You know we spent a lot of time working together. I just thought this might be handy for you. What? Don't say anymore.
CAROLE. It's activated carbon. Graham, it could be very useful. You're getting on in years.
GRAHAM. This is really unfriendly. This is really. When's your birthday, Graham? This is just a bit arsy. What year were you born? Oh, oh. We've got 40,000 odd people listening to this podcast. And you've just told them that I go around farting. You just don't the butt of a joke. Right.
CAROLE. Carole, what's your pick of the week? Okay, I have a cute YouTube channel for you this week as my pick of the week. Well, actually, it's a subsection of a YouTube channel. This is Jay Foreman. Okay, he's got this YouTube channel. And the playlist is called Unfinished London. And he does these short vignettes looking at London's kind of design eccentricities. Right. So videos focus on the unfinished Northern tube line. Why hasn't it been finished? What happened? Or unfinished motorways that just stop? Or why does London have so many airports? He puts tons of work into these, right? They're scripted, punchy, funny, kind of a bit silly as well, but also informative. I think it's something you could watch with your kid, Graham. Actually, I think you'd find it really good and he'd learn some stuff. And he does loads of on-site videoing and he also sources loads of historical visual content to underpin his, you know, essay. For example, there's one on why London has so many airports. It has six airports. It has more than any other city in the world, apparently.
GRAHAM. Yes, but some of London's airports aren't actually in London. There's an Oxford London airport. There's Luton London airport. And you think- Gatwick's quite far. Yeah, and isn't it basically to trick Americans into thinking they're flying into London? In fact, no, no, no. You've got another three hours to get into London.
CAROLE. But he refers back to the 1930s, where he calls what was going on plane mania. And he says there was even a suggestion of an aerodrome in the middle of London on top of King's Cross Station, right? It would have six runways facing in all directions with planes taxiing around the edge like hamsters on a wheel. And the idea behind it was everyone could commute to central London by plane. So all kinds of funny, wacky things to learn. And there are 13 of these videos currently on this playlist. And it could be a very entertaining night in for someone who wants to learn a bit more about London's planning and failures.
GRAHAM. I like this. This sounds very interesting. I am going to watch some of these videos. I think you'll like it a lot. I think you'll like the guy too. So his name is Jay Foreman.
CAROLE. Yeah, Jay Foreman. It's his YouTube channel and the playlist is called Unfinished London and that is my pick of the week.
GRAHAM. Well, Carole, you've been busy this week. You've been speaking to Scott McCrady of SolCyber.
CAROLE. I have. He talks about the massive problems with securing a network efficiently and effectively and the SolCyber approach to streamlining the whole process. It's pretty interesting. Check it out.
So listeners, today we are speaking with Scott McCrady. He is the CEO of SolCyber, a managed security service. So Scott, let's start with you. What can you tell us about you and how you became the CEO of SolCyber?
SCOTT MCCRADY. Sure. Hey, Carole. I've been in the managed security services space most of my career. I was an engineer actually coming out of university. So I was deploying networks and security devices. And I actually ended up spending a bunch of time overseas in London deploying security equipment way back in the early days.
And what they realized was the security devices generated a lot of information and the traditional sort of network operations center didn't have anything to process that. And so the very first MSSP was built out of the US and the DC area. And having tried to get analytics going around these security devices, I got hired by them. I was a young guy and that started my managed security services career about 20 years ago.
And through that time, I built out businesses in Europe, businesses in Asia. And then obviously, I ran at one of the largest global MSSPs for a period of time as well. So it's been in the DNA for a while, I guess.
CAROLE. Do you mind if I ask you to kind of spell out MSSP for some of our listeners who haven't worked in managed services and all that stuff?
SCOTT. Sure. The traditional model around managed security services is the fact that organizations have an ability to get their IT operations handled. That could be either from a service provider, their telco, or an MSP, a local provider that does break-fix, maybe ships laptops, deploys gold images.
But there is usually a gap around the high-end 24 by 7 security analytics. And so if you deploy even some basic security technologies, somebody has to gather the data that's being created by these technologies. And you want to look at it and analyze it and then hopefully be able to detect when a bad guy is doing something so you can find them and you can stop them.
And that's a very traditional model. There are some gaps in that model, which we'll talk about when we get to why SolCyber is here. But yeah, you go out and buy - the customer goes out and buys a bunch of security technology. Once they do all that, they deploy it, then an MSSP will monitor it and they'll let the customer know when something bad's happening.
CAROLE. What a perfect time to introduce SolCyber and explain what services you provide.
SCOTT. So when I created SolCyber, there was really, we believe, a really big gap in the market. And the way I describe it was, I just felt security, especially for the small, medium enterprises, was stuck in the 1990s or the 2000s.
And what I mean by that is, imagine that you wanted on-demand video entertainment. Right. Well, the security model today is sort of like movies from 15, 20 years ago. You'd have to go out and buy 500 DVDs. You'd have to buy a storage network. You would have to buy a computer. You'd have to buy software. You'd have to buy a TV. You'd have to buy cables. You'd have to string it all together. Then you'd have to take your DVDs and put them onto your hardware. And then you would sort of have on-demand video. And then 2 years later, Blu-rays would come out. You'd have to literally upgrade everything because there's more storage, more space.
That's right. That is literally what we do in security. We tell a company, weave your way through the 3,500 vendors out there. You can consider those your DVDs. Find the stuff that's interesting to you. Build it all. Deploy it all. And once you're done, wrap a managed security service around it. And we were like, that just doesn't work very well for mid-market companies. Sure, if you're Bank of America and you've got the tech stack and the people and the time, why not?
So our view was, we just sort of need to bring a security outcome into the 2020s, right? We call it the Netflix of security or your favourite streaming service of security. In so much that what you get from SolCyber is you get, just like Netflix, you get everything. You get all the best top-tier security products. You get it all deployed. You get it all monitored. You get it analysed. If we detect something bad happening, we'll respond to it for you. And we package that all up in a subscription model. That's just a monthly fee. There's no install fee. There's no upfront fees. It's just a monthly fee for customers. And so that's really the goal here.
In the same way that Netflix didn't build their content originally, they went out and got, you know, let's go and get some Star Wars from action. Let's get some comedy, right? In the same way, we use best-of-breed technology. So the things we use are literally Gartner Magic Quadrant technologies, but we just pull it all together into a seamless solution that gets you an outcome of amazing security. And that concept seems to really resonate with customers.
CAROLE. Yeah, because that's really interesting because a lot of larger enterprise really want the granularity and being able to configure things to just fit in within their very, very complex environment. But if we're talking about your target market, which is the small to medium sized business, they don't even necessarily have a strong security knowledge within the firm, let alone, you know, nowhere to look. So I really appreciate that point of yours of having to go out and hunt down the best thing when you're not an expert in the area. It's really frustrating, I imagine.
SCOTT. It is. And the other thing we find is we also find a set of customers that actually do have decent security expertise. They just don't have the time.
So if you just take one piece, which is endpoint, there's dozens of endpoint providers. So a standard model for these midsize organizations would be to do a proof of concept amongst at least three that they whittled down from usually 10. That process for most of these organizations is a 6 to 12 month process to actually get it deployed. You have to deploy them independently.
So even if they have the security expertise, just the time and the effort is not usually something they want to spend. They've got a job of trying to be nimble and be fast to make sure their product that they're competing with on a very competitive market is working. And customers are buying it.
And so, spending tons of time trying to get your security working is very difficult. And Carole, one of the other things, this is also really applicable to the mid-market when it comes to cyber insurance.
And so, cyber insurance is really a challenge for the mid-market on two aspects. It's very time consuming to get cyber insurance. And there's about a one in three response rate that's negative that they get denied. And then two, prices are going up about 50% year on year.
And so because of the fact that we pull everything into an outcome, the insurance companies love it. And so as far as I know, we're the first company in the U.S. anyway, that has a partnership with the insurance industry, where if you're using what we call our foundational coverage, you get pre-approved for your cyber insurance coverage and you get a 30% discount on the cyber insurance price.
And the reason is, they go, well, we know the stuff that we're doing is really top tier level security and it's all in one package. So instead of having to recommend maybe eight different pieces of technology, you can use our cyber foundational coverage and that's good. And we'll recognize that security effort that you're putting in as a customer and we'll reward you with making this process easy and making renewals or your new policy much, much more cost effective.
CAROLE. That's a really interesting angle that I haven't heard brought up before, the idea of cybersecurity insurance. Are most SMBs taking it seriously and taking out coverage?
SCOTT. We are seeing a significant uptake in the mid-market, the SMEs wanting cyber and needing cyber. As you know, they recognize that the threats against them have changed and that it's not uncommon anymore.
Ransomware hits about one in three customers in the mid-market. So every year you're playing dice with the fact that this may be the year. So the assumption is if you're not doing the right things around security, you're going to get a breach within the next 24 to 36 months.
CAROLE. And I wonder if somebody was listening to you now and thinking, I like the sound of this. I want to learn more. What steps would they go through if they got in touch with you? What would typically happen?
SCOTT. Sure. So one of the things we really try to do is we call it sort of modern. And modern to us is as transparent, as authentic as you can get. So our website has a ridiculous amount of information about what we do, including our pricing. Our pricing is just right out front. I love that. In the same way, you wouldn't go to Netflix and say, well, I have to call a salesperson to figure out how much they're going to charge my family. That's silly in today's world. So our pricing is literally listed on our website. There's contact sales listed on the website. You don't even have to work through sales teams. You can actually do things online. So we try to make it really simple.
So one of the things that is not common in the managed security services space is what I call the business side. So you have to sign a contract. And then that contract gets put in email or in your contract storage. And of course, mid-market companies are often tracking contracts in email and places like that. And so what we do is we just take all the information and stick it on the portal. So you say, well, this is how much you're spending per month. And these are the services you purchased. And if you want more or less, you just click a button.
And so the easiest thing is to pop onto the website. You can check the pricing. We describe what we do out there, and we're happy to have somebody contact you and walk you through the basics. A lot of times it's a daunting thing to try to get your security program in place. And we do a lot of consulting just to make customers understand what's happening out in the world. And if there's anyone listening that's just, I need to get this problem taken care of, give us a call, contact us. We're incredibly non-pushy from a sales standpoint. We try to be really helpful.
Again, a lot of our information is on the website. And we can have this problem sort of done and dusted for you in, you know, 14 to 30 days. And so we get a lot of customers that are, wow, Scott, I've had this on my plate for six months, nine months. I know I needed to take care of it. It was just, I was building up these frameworks and walking through my plan. And then when they found us, they just, you know, we just did work together and they were up and running in two weeks to four weeks. And they're, and it's done. Now they have a good security program in place. I mean, we're talking security awareness, phishing simulation, really a proper, fantastic ability to get you to some amazing security. And on top of that, if you're struggling with cyber insurance, if it's getting really expensive or if you're getting your application rejected, we can really help with that as well.
CAROLE. Now, listeners, you've heard Scott. If you are a small to medium-sized business and you think you need a little tune-up or you're excited by anything you heard here, please go to smashingsecurity.com/solcyber. That's smashingsecurity.com/solcyber, S-O-L-C-Y-B-E-R. And Scott McCrady, CEO of SolCyber, thank you so much for talking to us today.
SCOTT. Yeah, I appreciate it. And thanks as always to the listeners who tune in.
Brilliant.
GRAHAM. And that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online, find out what you're up to.
What's the best way for folks to do that?
ANNA. You can get me on Twitter at Anna Brading.
GRAHAM. Juggsy Malone. I'm going to reserve that now.
And you can follow us on Twitter at Smash Insecurity. No G. Twitter wouldn't last ever G.
And we also have a Smash Insecurity subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify and Google Podcasts.
CAROLE. And mega thank yous to this episode's sponsors, Bitwarden, Snyk and SolCyber. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalog of more than 282 episodes, check out smashingsecurity.com.
Until next time. Cheerio.
Bye bye. Bye. Bye. All right, okay, this site is so weird, Anna. What
ANNA. the hell? I know. I've also got another one, but I'll put it in the show notes, because I thought it wasn't interesting - it wasn't as funny. So you might like this. I don't know if it's old - Quick, Draw! with Google, but you draw and then it guesses. But I think it's quite old. I think we've had that on the show before. Oh, have you? Okay, good. It's good.
CAROLE. I have now a Chia Pet Bob Ross.
ANNA. Yep. Black monster beast werewolf killer ape adult hand gloves, sexy.