
285: Uber's hidden hack, tips for travel, and AI accent fixes


Uber may not face prosecution over its handling of its 2016 data breach, but its former chief security officer does; how to defend the data on your digital devices while on vacation; and how to change your accent with artificial intelligence.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security's Paul Ducklin.

Plus don't miss our featured interview with Ian Farquhar of Gigamon.

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • SolCyber – SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?
  • Gigamon – Gigamon is the leading deep observability company. Download their latest report into the state of ransomware to learn why deep observability is the new frontier for tackling the ransomware crisis.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

CAROLE THERIAULT. Oh, no, I do remember. What I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought. You know?


GRAHAM CLULEY. This was an exact Facebook, wasn't it?


CAROLE. Yeah, it's not that he pulled out the huge guns and started going, da-da-da-da-da-da! He would never have done that, and I'm really pleased that he didn't do that. That's right, yes.


GRAHAM. Smashing Security, episode 285: Uber's hidden hack, tips for travel and AI accent fixes, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 285. My name's Graham Cluley.


CAROLE. And I'm Carole Theriault.


GRAHAM. Hello, Carole. And also hello to our special guest this week, who is Carole... Well, no, he isn't Carole, but Carole, who is it?


CAROLE. Definitely not me. It is the wonderful, the fantastically funny Paul Ducklin from Sophos.


PAUL DUCKLIN. Well, with that introduction, Carole, Graham made a slight mess with his commas in that sentence. They're quite hard to do vocally. He's still learning. They're very kind words anyway. I suppose I could be witty now by being deeply dry and boring throughout so that everyone goes, what a fun story.


CAROLE. Thanks to this week's sponsors, Bitwarden, Gigamon and SolCyber. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?


GRAHAM. I'm going to be taking a ride back in the recent past to talk about a data breach.


CAROLE. Oh, it's hot tub travel something time again.


GRAHAM. No, not Hot Tub Time Machine. Not that again.


PAUL. Oh, God, it's not going to be Doctor Who, is it?


GRAHAM. No, no, no. Just hold your fire until I start my story.


PAUL. What about you? I am going to be talking about how you can travel with digital devices more safely by remembering a few simple tips.


CAROLE. That's cool. And I'm looking at the future of global call centers. Plus, we have a great featured interview with Ian from Gigamon, who shares the results from his latest research into ransomware. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now chums, ever taken a lift in an Uber? Of course you have, you must have. Have you not? No, no, you won't do it, you refuse on principle. I'm not, you know, absolutely so. I don't need that in my life. Why will you not take a ride in an Uber?


PAUL. Just don't see the point, plus I'm not really into cars anymore, right. Okay, I get on the train, I take my bicycle with me and then I can always get close enough that then I get a nice ride, do a bit of the tourist stuff, it's great through London and then you arrive right at the door and you don't have to listen to somebody else's conversation along the way telling you how fantastic it is to understand and agree with their political viewpoint or whatever it is.


GRAHAM. Well, in which case, you also were never at any risk of having your confidential data stolen if Uber were perhaps maybe possibly couldn't possibly imagine that this would ever happen if they were hacked, if they suffered some kind of security breach. And it's recently been announced that the United States Department of Justice is not going to prosecute Uber about its 2016 data breach, which occurred after two hackers found that Uber's software engineers left some of their login credentials lying around on GitHub. As you do.


CAROLE. Is that hard to do? You guys are techier than me. Is that something that you just, one does? Or is that just colossally dumb of them?


PAUL. It's something that one should not do. Yes. And GitHub, bless their hearts, now try to detect this, because they look for the obvious directories that you weren't supposed to upload and go, whoa, no. But if you're determined to upload private data to a public place, it's very hard for anybody to stop you.


GRAHAM. If you're a developer, you might write a piece of test code and you might hard code into it some passwords for your testing purposes, and then whoops-a-daisy, you've left it somewhere public where someone else can scoop them up and abuse them, which appears to have happened in this particular case.


PAUL. It's worse than that with GitHub-type things, Graham, because you could have a whole directory tree with your code in, and when you go to sync it back, you go, oh, new project, upload everything, and you upload the hidden directories, including on Unix the ones that start with a dot, that might include the subdirectory that has all your private stuff in it that you didn't mean to upload. So you upload everything rather than a subset of everything. So you could even include the private keys that actually give access to the whole account. Just that.

GRAHAM. Private keys are exciting, Carole. They're not quite that exciting, although they might also open back doors into your system, who knows. But anyway, back in 2016, these two hackers, they got hold of the password and that allowed them to access data which Uber had stored on AWS servers and they stole confidential data related to 57 million customers and drivers.

Chump change these days. That's so disgusting to even say that.

Well, what the hackers then did is they contacted Uber and said, hey, we've got your data. If you don't want us to release it, if you want us to permanently delete it, just pay our ransom effectively.

And what do you think Uber, that rather controversial organization, might have done when faced with that? I'm imagining they paid immediately.

Well, what they did was, yes, they did pay. They paid in a special way. They paid the hackers $100,000 in Bitcoin.

But controversially, they also didn't go public about the security breach. They didn't tell the world. They didn't tell the affected individuals. They paid the hackers and they said to the hackers, look, shh. They said, keep it quiet. Keep it under your hat. Delete the data.


CAROLE. Which breaches convention, right? Because you're mandated to inform people when this happens, right? You're supposed to, aren't you?


PAUL. Yes. Particularly if you write it up on a special piece of paper headed with the words bug bounty. Sort of after the fact.


GRAHAM. Yes. So Paul has remembered exactly what actually happened here because Uber's security team headed up by a guy called Joe Sullivan. I wonder where we've heard of him before. Joe Sullivan used to be in charge of security at a little company called Facebook.

He did such a good job.


CAROLE. Uber snapped him up.


GRAHAM. Yeah, right. So he was heading up a team. And what happened was they identified one of the hackers. They worked out that he was a chap called Brandon Charles Glover.

But rather than telling the authorities we've found out who one of the hackers is, Uber popped round to his place to go and have a chat with him. With baseball bats and stuff. Maybe they took an Uber to get there. I don't know.

What they did bring, rather than a baseball bat, was a confidentiality agreement. Shut the fuck up. Well, more than that, they said, can you sign this?

And according to prosecutors, the NDA signed by the hackers falsely stated that they had never taken nor stored Uber's data. And they agreed that the payment would go down on Uber's bug bounty. So Uber security team disguised the payment saying this was just a regular bug which had been found, was reported via our bug bounty program.


CAROLE. We decided to pay very, very generously for it because we're those kind of people. And responsible disclosure for the win. Yeah.


GRAHAM. So it appeared as though it was the work of ethical bug hunters. And according to the DOJ, the hackers actually used their success in extorting money out of Uber as a bit of a selling point.

They went to lynda.com, you know, that online training site. Shut up. I think it's owned by LinkedIn. Yeah.

What did they do there? They also hacked into them via a similar route, via the GitHub route. And they said, look, we expect a big payment. This was hard work, which we did. And we've already had one big corporation pay us close to seven digits, they said. And it all went well.


CAROLE. Close to seven digits. I suppose six is close to seven. Six is close to seven, isn't it? Close to five.


PAUL. Orders of magnitude, eh? It works for physicists. Why shouldn't it work for irresponsible bug bounty disclosure folk?


GRAHAM. So Uber subsequently agreed to pay $148 million as a settlement for concealing and badly handling the data breach.


CAROLE. And where does that money go? It goes to the DOJ? Well, I think, oh, the FTC, I think so. I don't think it ends up in the pockets of the—

You don't bring it back to the poor people whose data has been stolen.


GRAHAM. I mean, maybe there was actually one of these suits filed, you know, where you get a class action. A class action suit. Yeah, representing people who may have been affected.

But still, you know, with so many millions of people, what was it? Fifty-seven million people affected. One hundred and forty-eight million dollars. Yeah. Is only two bucks each. Yeah. Yeah. It's two, two.

Well, a number, a number close to three bucks each. Yes. You can't even get yourself a Starbucks.

So what we've got here, Uber seemingly concealing the theft of personal information of 57 million customers and drivers. And rather than informing the people who are affected, they paid the hackers over $100,000 to keep quiet.


CAROLE. Yeah, and not only not telling their customers, who probably may be sharing passwords different places, so really naughty on that front, but not also telling the regulators.


PAUL. Yeah, exactly. Well, I think there's a bit of the story that you've missed, Graham, that apparently when this happened, it was right in the middle of a period where Uber was working with the regulator to come clean about a previous data breach. Yes. I'm pretty sure that's in the story.

So obviously, if this had come out while they're in the middle of going, oh, no, no, no, we've now got it all tickety-boo. We've ticked all the boxes. It's all great. Right at the cusp of resolving the previous one, this thing came as, oh, golly, we can't have two. Let's reduce it to one.

So it seems that there's – I don't know whether that makes it better or worse, but it certainly makes it more complicated. So


GRAHAM. Prosecutors allege that Uber's security honcho, Joe Sullivan, deliberately concealed the hack from drivers to stop them defecting to rivals, right? He had his business head on. That's probably what we said, I can imagine.


PAUL. Exactly. Get out of this shit.


GRAHAM. And the prosecutors claim that drivers were defrauded because money kept flowing into Uber, although naturally you would expect people maybe to switch. They also say that Sullivan kept the hack secret due to his own ego.

He didn't want to admit failure on his watch because it looked bad on his CV. Now, Carole, I don't know if you remember, we've actually had dealings with Joe Sullivan.


CAROLE. Oh, no, I do remember. And he was so, what I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought.


GRAHAM. This was when he was at Facebook, wasn't it?


CAROLE. It's not that he pulled out the huge guns and started going, da-da-da-da-da-da! He would never have done that. And I'm really pleased that he didn't do that. That's right.


GRAHAM. Yes. So what we've got here is two cases which have been going on.

So the government have been investigating Uber and they've also been investigating Joe Sullivan. Uber has been cooperating with the government and they are not a named defendant in the case against Joe Sullivan.

So Joe Sullivan is now being prosecuted. Uber, now under different management than when the hack happened, have washed their hands of him.

They've agreed with the DOJ. They've accepted and admitted responsibility for the acts which its employees did regarding the breach.

They say that they're going to run a comprehensive privacy program for the next 20 years. They're assisting with the investigation and with the ongoing case against their former security chief, Joe Sullivan.

Oh, my God. So he hasn't got very much support from his former employer. He's sort of been thrown under the automotive device that's technically not a taxi.


CAROLE. I don't know if I feel very nicely about that, though, either. It bugs me when companies just kind of point the finger at one solitary individual, where obviously this must have been discussed at some levels.

Or do you think it was just Joe that was in on this?


GRAHAM. Well, I believe the claim is that Uber's senior management didn't necessarily know, and it was just Joe Sullivan and one of his colleagues who had sort of done this on the side. Because, again, it is alleged that he wanted bad things not to happen under his watch.

And wouldn't it be nice if the bug bounty were to handle all this?


CAROLE. You know what? He's a great, charming guy, and I'm sure he'll sail through this with no issues.


GRAHAM. He could, if he's convicted, face as much as 20 years in prison. But his sentence, chances are, if he is convicted, will be much lighter than that.

He is, by the way, a former federal prosecutor himself. So he'll understand what's going on the whole time.


CAROLE. Yes, he does have a legal background, which maybe occasionally he tried to use against us in our past conversations. Maybe.

He wouldn't. No, no, he's not. Duck, what are you going to talk to us about this week?


PAUL. Well, it's vacation season and, if you're going overseas from Britain, you're definitely going to either have packed or wish you'd packed all your digital devices to keep the kids quiet in the car while you're waiting to get on the train or the boat.


GRAHAM. Just keep you occupied when you spend three days in Kent trying to get on the ferry, yes.


PAUL. Yeah, why don't people just go to Kent for a vacation? It's a lovely place and then you just worry, just go anywhere else.

But the point is that wherever you're going these days you're almost certainly going to pack one, three or 12 digital devices, possibly one or more for every member of the family. Like, who would risk leaving the thing to distract the kids behind?

Who would risk, you know, let's take the PlayStation. Why not? It'll fit in the boot.

And everyone's got a mobile phone. I know someone who took a Roomba once.


CAROLE. What? They just didn't want to sweep or anything.

So they just said, well, why not? I'm putting my stuff in the hole. So I'll take my Roomba.

PAUL. Yeah, okay. Well, I think that makes my argument stronger for thinking about what you do before you travel.

And so on Naked Security, we put together some travel tips. Now, they're often the same every year, do the obvious stuff. The problem is that people don't, and then they get alarmed.

So the first two tips go hand in hand. One is, should I back up before I go? Well, that's a rhetorical question. Of course you should. You should be backing up anyway.

And the really important thing about making a decent backup, particularly if you make it onto, say, a removable drive and put it in the cupboard at home, is that it means you're not relying on having your whole life, say, on your phone. You can remove some of the content from the devices you're taking with you so that if they get lost or stolen or inspected at customs or whatever it is, you have less on there.

So you're not trying to cheat anybody. You're just saying, why take absolutely every bit of information that I've got about myself with me when I don't need to?

And the flip side of that is, of course, don't think, well, I'm going on vacation. I might really need my phone. I'll need it for boarding cards. I don't want to forget my lock code. I'll just go with 1234 or something that I'll easily remember in a hurry.

And so when you're going away, you might as well set yourself a decent lock code before you go. You're allowed to write it down while you're at home and practice it for a few days or a week or so until you're comfortable with something which keeps your phone properly locked. So if someone runs off with it, they can't just guess what your code is, go in and see everything you've got on there.


CAROLE. Do you know, once my code for years was the phone number of my first boyfriend. For real. Yeah.


PAUL. So whoever had got that phone number, was that in the landline days? It was their childhood phone number, right?


CAROLE. It was when, you know, so I doubt that it wasn't a mobile. Mobiles didn't even exist at the time.


PAUL. The idea that even if you left off the area code, that's going to be seven digits. So, given that if that was your first phone, that was, by the standards of the day, when people have lock codes like 1, 1, or 3, you know, one digit, let alone 4, that was probably quite good because at least it can't be guessed.

But, you know, people going, oh, well, who needs a long lock code? The problem on your phone is that the lock code is protected by the hardware on the phone. So, for example, on an iPhone, you can say after 10 wrong ones, wipe the phone.

And I think we all agree it's largely impossible to extract the lock code from the phone or to bypass the lock code because of the hardware protection that exists these days in modern devices. But that lock code, it can't be attacked offline. So someone can't take the phone and try a million times; they still only get 10 goes.

But if they can guess the lock code, then they can pretty much get in and that unlocks the decryption key for the device itself. And lots of people just stay logged in in all their apps. They never actually log out. So if you can open somebody's Facebook app or Twitter app or Instagram app or WhatsApp app or whatever, you kind of get straight into their account.


GRAHAM. And there's nothing to stop a mugger or something, if they wanted, just to brandish a knife or a screwdriver or something sharp and say, tell us your password so we can get into your phone. I mean, that's the real weak link.


CAROLE. Would you, Graham, or would you lose an eye? I just want to know what your level of security, what your level is.


GRAHAM. I'd hand over my phone. Of course I would.


CAROLE. You'd hand over your whole life rather than just give an orb?


GRAHAM. Yes, I don't want to lose my eyesight. I don't want to be stabbed. Yes, I'd say willingly, go and please take this.


PAUL. Well, there is that. And, of course, there's a famous XKCD cartoon about that, isn't there? Do you spend millions of dollars building password cracking tools or do you buy a shifting spanner costing $5?

So it's hard to regulate for that. But as I said at the start, if you've backed up your stuff and you've removed data that you genuinely don't need from your phone, then that minimizes that risk as well.

And you can also go to apps that you don't use often and actually log out on the phone, which means if someone does steal your phone and does force you to unlock it and then runs off with it, when they try and use those apps, they'll be faced with having to log into the apps all over again.


CAROLE. And I think that works well, but you do need a password manager in order to do that, because I have no problem, if I go away, with deleting apps off my phone, because I can just reinstall the app, put back in my username and password, bish bash bosh, I'm back where I was, right? The app doesn't live on my phone. The data doesn't live on the phone. Do you see what I mean?


PAUL. Yes. Now, password manager wasn't in the tips that we did for vacations in particular, but I agree with you. I think that it's hard to do without one these days.

So I don't say to people, look, they're compulsory. You have to use one. You might have some kind of fear about, well, what happens if my password manager gets compromised?

And the answer to that is there's no law that says if you use a password manager, you have to put every single password in the world into it. So you might decide, well, accounts only use occasionally, like my mortgage account or my this or my that, my pension account that I check up, say, once a month.

I'll log into those deliberately using something that I've locked away at home, for example. So the nice thing about a password manager to me is not just that it picks great passwords every time and doesn't use your cat's name with two digits on the end or your first, second, nth boyfriend's phone number.

The great thing is that it also protects you against old-school phishing attacks, which still work really well, because the password manager can't be seduced by the fact that the site looks correct. Oh look, it's got exactly the right pixel-perfect backdrop, it's got exactly the right logo, it looks exact... It doesn't care what the site looks like. It just says, wrong URL, never heard of it.

So it's not just that it won't help you, it can't. It goes, don't even, never heard of it, can't put in a password. And so that's a great thing as well.

And then the third thing that goes along with those two, of course, is that if you are traveling internationally, then you do have to think in advance. Don't worry about it, prepare for it.

You do have to think in advance how you will conduct yourself at an international border if you're asked to reveal information that in your own country, or even once you were inside the country that you're planning to visit, you might have every right to say, I refuse to disclose it. In other words, privacy rules can be quite a gray area in that sort of gray zone between leaving one country and entering the next, you know, at border control.

And certainly I know that the US and the UK, and they're by no means the only countries in the world, many countries have this, that they can ask you to show information, say, on your phone or your laptop. They can ask you to unlock it.

In fact, in some countries, they might even say, look, we're going to make a forensic copy of your hard disk. So we want you to unlock it.

And you may decide that you don't like that and you're going to stick up for yourself from a privacy point of view. But you need to research in advance what the side effect of that is likely to be, because you might just find that the immigration official is perfectly polite about it and says, that's your choice, but it's also our choice to refuse you entry to the country.

So we will securely transfer you to the departure lounge and you are welcome to get the next flight home. And of course, once you've been refused entry to a particular country, that can make it very complicated to visit in the future.

So don't be afraid about what's going to happen. Just do your research beforehand.

And if you're going to a country where you find, wow, I don't like their privacy rules. I don't think I can agree with these. I think I'm going to shoot my mouth off and it's not going to end well.

Well, maybe pick a different destination. Or just stay home. Stay home. Or go tell the truth and only take the data you need.

You're not trying to cheat anybody when you do that. When you're going on vacation, you don't go to your safe deposit box and get out all the documentation, physical documentation you've ever acquired in your life from your birth certificate, your marriage certificate, your passport, your previous passport, your mortgage documents, all of it.

You don't get that and put it in an envelope and take it with you, generally, because you're worried you might lose it. So my simple advice is, if your life's on your phone, why not leave it at home.


CAROLE. Ooh, I see the t-shirt slogan now, Paul.


PAUL. It's my theory that, you know, if you're going somewhere with beachfront cocktail bars, the cost of buying a burner phone for your trip is probably going to be lower than the first round of drinks that you have on day one shortly after you arrive. And, you know, you're perfectly entitled to do that.

Another thing that many countries apparently do now, and I haven't travelled internationally, well, since before lockdown, is that you know how they'll say, well, what's the address that you're going to? And you're obliged, supposed to put the name of the hotel you've got booked.

So they know you've got somewhere real to go to, and they want to know your home address, and everyone's used to writing that down, and they want your passport number and they want your phone number, you know, a landline if you've got one. But increasingly, countries are saying, and we also want your email address and your social media handles.

And again, you need to decide, what am I going to say when I get to the border? Because if you go, oh, no, I don't have any social media accounts, just write not applicable.

And then you're on your vacation and you're sharing stuff on your actual social media account with all your buddies. When you come to leave the country, two and two might not make four if you entered making a formal claim, no, I don't have any social media accounts, and then it's obvious that while you were there you were publishing stuff for the world to see.

Exactly, you know, you would understand why an immigration or a security official in that country might up their suspicion of you even if you haven't really done anything wrong. Well, you have if you've made a false statement when you entered the country.

So think before you do that. Good advice, Paul. Good advice.


GRAHAM. And never reveal you've participated in a cybersecurity podcast. Or don't, just boycott them. I think don't appear on them. That'd be the most sensible piece of advice because there may be all kinds of bad things you've said in the past.

Carole, what's your story for us this week?


CAROLE. So my story was actually suggested to me by Dave Bittner. He put the seed in my head. Dave Bittner, host of the CyberWire show, and it all revolves around call centers.

So we have this globe of humans right, billions of us and all of us with different native languages. And somehow it's been accepted by most that English is the preferred international digital language of choice. Can I say that? Would you guys agree with that?


GRAHAM. It's my first choice. It's my preference.


PAUL. It's strange when you listen to people speaking a language that you don't understand at all, how much you can understand when they suddenly start talking about computers and phones and apps. In amongst incomprehensible words where you can't even figure out where the word boundaries are. And then suddenly you start hearing familiar words like Facebook, 2FA.


CAROLE. And I don't care really who you are, but if you're over, I don't know, 30, you've had to negotiate a call with someone that you found difficult to understand because maybe they have a different native language than you do, or they have a very strong regional accent that's different from yours. And it can all make it a struggle to understand what you are trying to understand. And you guys have had this, right?


PAUL. I'd say that on support calls, the main language problem I've had is that the person on the other end wants to reach a different conclusion to you, whereby they can prove that it was your fault and close the call. I haven't found the English to be a problem. I've found the jargon and the direction of the call to be tricky. That's the hard part.

Even in English, it seems that we've learned how not to speak plainly, quite deliberately, you know, in order to sort of disguise what's really going on.


CAROLE. But the thing is, you can't really do much about your accent. I certainly have been living in the UK for 20 years, still sound as Canadian as the day I was born, you know.


GRAHAM. Oh, you're not from America. I believe, Carole, a lot of your Canadian friends, people back in the homelands, back in the plains of Manitoba.


CAROLE. Quebec, but yeah.


GRAHAM. Think you sound like Her Majesty the Queen. They think you're terribly posh sounding. They think you're like Helena Bonham Carter or something.


CAROLE. Okay, yeah. I'm not sure about that. But you know what we're going to do? We're going to go back to the story now.

So it's kind of something that's been a problem for a while. So as far back as 2008, I found an article in Computer World saying that IBM was looking to change or to address this problem. So IBM's Indian Research Lab developed a web-based interactive language technology. You can see the language has changed so much, right? This is 2008. To help people improve their English speaking skills.

And according to IBM, the system was based on advanced speech processing techniques that the company had devised for call centers in India to help improve the capability of its agents. So it would evaluate grammar and pronunciation and comprehension, other spoken language skills, and then provide a detailed score for each category. Interesting, huh?


PAUL. All right. Okay. And this was years ago? Yeah, 2008. Years and years ago, yeah. The understanding or the deliberate misunderstanding process? Because sometimes it feels like that's what the other end is instructed to do. I don't think what could have given me that idea.


CAROLE. And then I found this other company, Florida-based outfit called Accent Advisor. And this is all about accent reduction.

So they say on their site, quote, "If you speak English as a second language, there's a good chance that your accent will stand in your way of communicating fluently with native speakers. So many people assume that a mastery of English grammar and excellent vocabulary is enough to communicate in America. This is not often the case." So they go on to say correct native-level pronunciation or a firm grasp of the American accent is important for anyone who wants to live, work and enjoy life in America.

Thoughts on that, guys?


GRAHAM. I think you'll find it's pronounced pronunciation, Carole, rather than pronounciation. Do you want to be properly English?


CAROLE. I don't. I'm happy to be a lady of the world.

And then the way they worked basically is they had accent coaches, right? And they'd have accent reduction classes for private individuals and companies. And it's training, right? Just to help them with speech analysis and all this.


PAUL. Every 12 minutes, they burst into song like they're doing My Fair Lady. It sounds like a sort of trope that's been an issue since the Industrial Revolution, isn't it? Where, you know, your accent makes a big difference to how you're perceived rather than how you're understood.


CAROLE. Exactly where we're going with this. So, I want you guys to think a little bit outside the box because I want to talk about this new approach to dealing with this problem. And I want you guys to think what could possibly go wrong, Graham, to use your catchphrase.

So, this newer approach, thanks to three Stanford undergrads. So, these guys started a company to help the world understand. That's their catchphrase. And the pain point that instigated this whole company was that after the pandemic kicked off, these students or all the students at Stanford had to go home, right? And one went back to Guatemala and decided to be a tech support guy. And his mates were like, quote, "We told them that he'd be the best tech support person they'd ever had because he's the smartest guy we've met and always had a smile on his face." But it totally didn't work out because the locals couldn't understand his accent.

So a team of students dedicated their empty pandemic hours to building a solution. They did a lot of research on what people have done in the past. So people have done voice conversion for deep fakes. And that technology is pretty advanced, they say. But there's been little done in accent translation.

So this company is called Sanas. A name like that, it could be a bidet company, but anyway. And I've put a link in the show notes so you can actually see a demo of this working because they say they have an algorithm that can shift English to and from American, Australian, British, Filipino, and Spanish. And they've developed it using a neural network trained with recordings made for the most part by professional voice actors. But I want to see what you guys think.


PAUL. Well, you know, Carole, I think you're speaking like a galah. I think that's the most stupid thing I've ever heard.

I think my concern with trying to control what people say exactly and just how they pronounce it, which you can usually work around if you do have some common understanding, is much less important than techies learning to speak or being willing to speak in plain English.


CAROLE. But plain English is difficult because there's no accent. There's no language that has that.


PAUL. But the point is, you could have the plummiest, the weirdest, the uppest, the downest, the leftist, the rightest, the northern hemispherist, southern hemispherist accent in the world. But if the phrases you've been instructed to trot out to, I'm making giant air quotes, close the call, are just there to kind of make the conversation go your way, then does your accent really matter?

Graham, what about you?


GRAHAM. I'm sorry. While Duck's been saying all that, I've been participating in the demo. And it's, I mean, it is very good at neutralizing the accent, at least in the demo, which they're claiming is how their technology works. But what comes out does sound rather robotic and characterless.


CAROLE. Yes, it does. And I was thinking about that as well. But then I had another thought because I was thinking, we don't need to do this. This is just too much.

This could be misused. You could then, you know, this could be used by all kinds of phone people calling up, pretending to be in the neighborhood, putting on a regional accent, and actually they're calling from 5,000 miles away.


PAUL. Absolutely. Or vice versa, couldn't they? They could be local, but they could want to convince you that, oh, no, I'm actually, I'm calling from overseas on behalf of, you know, a friend who's had an accident.

You know, the fakery doesn't just go with fitting in with the locals. It goes with fitting in with whatever backstory you've concocted for the scam at hand.


CAROLE. Okay, but take this example. I was thinking about this and I was thinking, but you know what? This would be marvelous for the medical field when you're trying to do cutting edge operations or something like that and the expert happens to be based in India, and another expert is based in Bucharest, and another expert somewhere else, and that they're all able to communicate robotically, but extremely clearly.

Or when politicians get together for a global hoedown, they have translators in there to help them understand everything. And those translators obviously have pretty clear accents that are understandable to the person they're meant for. So it's effectively trying to make this ubiquitous, I think, across the web.

I don't know. I thought it was kind of interesting, but


PAUL. Scary too. I've heard that in the busy sea lanes, the sort of shipping motorways that run through the English Channel, which are, I believe, the busiest sea lanes in the world, and the sea can get quite rough in there, and you've got all the ferries and other boats trying to cross from England to France, and then boats steaming through in the other direction, that there's English is the basis of the language that ships use for communicating. But the vocabulary has been stripped down so that even for native English speakers, so that there is no chance of you using a phrase that could be misunderstood.

So that, you know, there's no politeness and there's no room for ahoy, matey. No, it's not pirate speak. Apparently, if you don't hear the person, then you don't say, oh, I'm terribly sorry, old chap, could you say that again? You just say, say again. And there's no other way to ask the person to repeat themselves.

And that way, the chance, you know, with huge ships closing in on each other and unable to stop quickly. You know, you can see that in some cases I can imagine that just simplifying the vocabulary rather than how you say it could be much more important because that means that, you know, politeness is all very well when you're chatting to someone face to face, but it can lead to terrible misunderstandings when there's a crisis on. And I guess, you know, all emergency responders are used to that as well.

You look at how 911 or 999 people are trained to respond. They use standard phrases that can't be misinterpreted. Do not hang up the phone.


CAROLE. But I just want to say that these guys have just gotten a huge amount of money. So it's an investment of 32 million for a company, a startup company that started a year ago.

Okay, so some big, big dogs have gotten involved, including global supply chain companies, because they're very keen to making sure everything is slick and smooth as they try and get goods or services from one geography to another, where there might be language barriers. So, you know, watch the space.


GRAHAM. So, Carole, I've got a question. Obviously, I don't need this technology because there's nothing wrong with my accent. I don't have one. But are you going to start using this on the podcast, maybe, to make yourself easier to understand?


CAROLE. Yes, because many people have complained, actually, haven't they?


GRAHAM. Gigamon is the leading deep observability company. It offers a deep observability pipeline that harnesses actionable network level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks.

Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis. So, what are you waiting for?

Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. And thanks to Gigamon for supporting the show.


CAROLE. SOC 2 and SOC 3 security standards. This is pretty slick stuff.

You can get started with a free trial of a Teams or enterprise plan at bitwarden.com/smashing. That's bitwarden.com/smashing. Or you can try it for free across devices as an individual user.

That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.


GRAHAM. Thanks this week to our sponsor, SolCyber, who believe that it shouldn't just be the Fortune 500 that benefit from top-of-the-line cybersecurity.

They make managed security affordable and accessible to all small-to-medium-sized organizations. Check out SolCyber's foundational coverage services. They include ransomware assessment and training, advanced email protection, endpoint detection and response, active directory abuse prevention and lateral movement detection, and 24 by 7 security operation center capability.

As a SolCyber foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums. Mention Smashing Security and you'll get one month free for every 12 months you subscribe to SolCyber's foundational coverage services.

Visit smashingsecurity.com slash SolCyber to learn more. That's smashingsecurity.com slash S-O-L-C-Y-B-E-R. And thanks to SolCyber for sponsoring the show.

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week.

Pick Of The Week is the part of the show where everyone chooses something. It could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.

Better not be. And my pick of the week this week is not security-related.

I think everyone really is a big fan of the rude curse word, saying something rude, having some sort of offensive phrase. Not me.

The amount of stuff I've heard coming from your potty mouth over the years is quite extraordinary. And in fact, I thought maybe you need some inspiration. Maybe you need some new ones.

And that is why I have found, and I will include a link in the show notes to a page, which is all about compound curse words. What someone has done is they've taken data from Reddit comments and they've analyzed the frequencies of different compound insults.

So your buttheads, your dirt wads, your weasel boys, your wank puffins.


CAROLE. Wank nozzle.


GRAHAM. So they've created a matrix, effectively.


CAROLE. Douche wit.


GRAHAM. Yes. And they're also showing how frequently these different phrases are used.

So something like dumbass, for instance, or scumbag, very commonly used.


CAROLE. Of course.


GRAHAM. Something like poop goblin, not often used. Do you want


CAROLE. that to be? You don't name that clue.


GRAHAM. Well, I don't know. And they've also analyzed whether dictionaries are keeping up with all these things, because some dictionaries have included a number of curse words, but some are not being represented in dictionaries and therefore probably unlikely to be accepted on a Scrabble board as well.

And I think that is something which we might want to look into as well. So I am including, I've put into the show notes here some links. You guys can choose your own favorites here as well.

Absolutely. So you can have a Trump nozzle.


CAROLE. You can put them in any direction. You don't have to go XY, right? You can go YX as well. Waffle twat.


GRAHAM. Waffle twat? Or twat waffle. I don't know, whichever suits you best.

But anyway, I'm a big fan of the wank puffin.


CAROLE. Of course you are.


GRAHAM. But there's lots of others there as well. It tickled me and I've been playing a lot of Scrabble lately, so I've been looking for some more words to use. And so it's been quite helpful to me.

And that is why it is my pick of the week.


PAUL. Have you ever used the word kwyjibo in a Scrabble game yet?


GRAHAM. As used by the Melissa virus for a bald North American ape. It comes from a Simpsons episode, doesn't it?

Guys, yeah, so there we go, really nerdy there I know. Paul, what's your pick of the week?


PAUL. Well, I had a few, so I had to sort of thin them down. And I decided that I would go, I don't think maritime is the right word because that refers to the sea and where I live is quite a long way from the sea, but it is riverine.

And that is I discovered a delightful pastime which is very enjoyable probably the first, second and maybe the third time you do it, and in all my life this is the very first time I've done it, so it was great. And that was, I happened to be riding my bicycle around a lot. I like to go around the river because this time of year, gorgeous wildflowers, birds singing, all of that stuff in the early evening, and a boat was puffing along into a lock. It was Pinkhill Lock actually, and I glibly said I'll do the gates, and so I got to do the lock gates.

It's not a, they're not narrowboats on the River Thames, the locks are much wider. So they've generally got two gates. And some of them are electrified, but the electricity gets turned off after hours. And this one is still mechanical.

So you have to do all the work yourself by swinging these great...


CAROLE. Have you ever done that, Graham?


GRAHAM. I messed around on locks. No, I haven't, no.


CAROLE. Oh, I did a lot as a kid in Ottawa to get from the Ottawa River up to the canal, the Rideau Canal. There are eight locks in between them, and when I was a kid, they were all hand-cranked.


PAUL. Yeah, one of the reasons, Carole, that I didn't want to put this in is I thought, oh, golly, anyone who's lived in the Quebec/Ontario area near what counts for a river in Canada, when you see something like Isis Lock on the Thames, which is seven feet wide and the water's about two feet deep, you must go, that's not a lock. That's not even a ditch. That's not even a puddle. What is this? So I was hoping that you would not mention the St. Lawrence Seaway or Sault Ste. Marie or whatever, the Soo Locks.

But these you can do all by hand. It's all very sort of... It's very cool. And you know what's really weird is the River Thames did not have proper locks, pound locks, that actually seal off a section of water to let it up and down, until about the 1920s. Most of the navigation was done with what are called flash locks, which is basically there's just a channel with a weir and you basically run the rapids. That's insane. When you want to come upstream, you basically row your boat up to the water pouring over and attach ropes and a few hefty fellows.


CAROLE. Lift the keel, Fred. Lift it all the way.


PAUL. Well, that's the thing, canal boats in the UK don't have any keels, do they? Because the canals are only about two feet deep. The water's so shallow that they're basically totally unsteady.

Anyway, I did the lock and I think I left it correct. Upper gates closed, bottom gates open, lock empty so the walls can dry out. Very cool, Duck. And I thought it was great and it'll be great for the next two times. And then I suspect I might start to shirk my duties. I think it does fairly quickly. Eight locks in a row. I think by the third one, you'd be going, oh, no, not even halfway.


GRAHAM. Cool. Carole, what's your pick of the week?


CAROLE. Well, this past week, I went away to camp in deepest, darkest Constable country near Colchester and Ipswich, all in order to meet one of my watercolor, I don't know, I guess I can say heroes, Andy Evansen. And, you know, to improve what I like doing, painting watercolor.

So I went to this place called Dedham Hall. And it's a place I'd never heard of. But today it is my pick of the week because this is a beautifully amazing, quaint hotel and art retreat in this lovely village of Dedham.

And it's run by Jim and Wendy. So a big hello to you too, if you're listening. And they are the most incredible, welcoming and organized people I've ever seen.

They work all the time. They've been doing it for 30 years and they're just a joy. And Wendy's an incredible cook. Lemon tart night was a big deal. Everyone was going mental for it.

And they also host art retreats, which is what I was doing. And I met amazing people, students and artists at the top of their game. Steve Hall was there. So he gives classes around the UK and also at Dedham Hall. And he was there because he wanted to see Andy Evansen and paint. So it was all very cool.

I met loads of amazing people. And there's this one guy named Jacek, and he did this LiDAR thing on me, a 3D capture of me on a rock while I was in a boatyard trying to paint a boat, and I did a horrific job. But I've put it in the show notes so you can take a look at it.


GRAHAM. So I'm looking at this right now, Carole. And so what we have here is basically you've been sort of photographed in 3D, sat on a couple of rocks or something.


CAROLE. Yeah, it's kind of weird without the surrounds, but there you go.


GRAHAM. I can zoom in on you in rather extraordinary detail. I've had a good look around. There's nothing rude, so you've chosen well here. You covered yourself up in the appropriate places.


CAROLE. It's kind of amazing. He's going to put it on Twitter, so I'll put the link up on the show notes and we'll retweet it out if you want to see it. But it's kind of cool.


GRAHAM. How did he do this? Did he have to walk around you or something?


CAROLE. It's an app. It's an app. Yeah, we'll connect to him via Twitter. So this is using the LiDAR in a...


PAUL. Phone. You don't need special hardware.


CAROLE. No, just on his phone. The only problem was I had to sit very still for about two minutes for him to do it.


GRAHAM. That wouldn't be easy for you.


CAROLE. So it took him three times.


GRAHAM. Your hair's looking very purple.


CAROLE. It is very purple at the moment. Yeah.

Anyway, the whole thing was a life-changing week for me. I loved it, loved it, loved it. So my pick this week is Dedham Hall Hotel and Artist Retreat. And links in the show notes and check it out because they're amazing.


GRAHAM. So no need to catch a ferry. People can just go there.


CAROLE. You can just drive. It took two and a half hours to drive there from Oxford. No biggie.


PAUL. No environment burning plane trip. No border crossing.


CAROLE. Nope. You can even get there by train and they'll pick you up at the train station and bring you over.


GRAHAM. They didn't ask for your passwords or anything like that? They didn't ask you to unlock your devices?


CAROLE. No, though I helped quite a few of them, some of the artists, because it turns out they're not necessarily super au fait with technology. So once they found out that I did this, I was...


GRAHAM. Are they all listening now, Carole, do you think? Do you think they're now loyal listeners?


CAROLE. Probably, yeah. Yeah. Hi, guys.


PAUL. It's true, isn't it, that sometimes when people find out you're a cybersecurity expert, you get to feel like what I imagine is to be a doctor or a surgeon. You know, can you just look at the appendix? It's been throbbing a bit. I've got a strange rash on the underside of my foot. Do you mind if I take my shoes and socks off and take a quick look at it in public?

You do get a lot of questions. Yeah, but they're extremely grateful. They're super grateful. So I had no problem doing it. And if you can stop even one of them falling for a scam at any time in the future, a job well done.


GRAHAM. Right. Now Carole, you've been busy this week. You've been chatting to Ian Farquhar from Gigamon, haven't you?


CAROLE. Yes, I have. We talk about all things ransomware and zero trust and deep observability, which is a word I had a lot of trouble saying in the interview. Thank God we edit. Observability, observability, observability. But check it out, guys. It was really fun.

Alright, listeners, today we are talking about the current state of ransomware, and we are with Ian Farquhar. He is Global Field CTO at Gigamon. Thank you for coming on the show, Ian. I know you must be very busy. I know you've been up since the very early morning today.


IAN. Thank you for having me on. I appreciate it.


CAROLE. So Gigamon's paper called State of Ransomware for 2022 and Beyond looks into insider threats, blame culture, which I'm super interested in, and of course, zero trust. And let's be honest, cybersecurity professionals around the world are currently facing some serious challenges. And the exacerbation of ransomware, I'm sure, is not helping reduce pressure. Let's talk maybe about the insider threat first. How is it going inside? I mean...


IAN. The interesting thing about insider threat for me is that this is not new, but it's definitely ramping up in focus. I mean, I used to do DLP years and years ago. I did a huge focus on DLP, 2008 to 2013. A lot of that was about insider threat. And then we pivoted as an industry, and we focused on advanced persistent threats. And we kind of forgot about it, but it never went away.

Now, the focus here is on, of course, ransomware threat actors, ransomware teams, ransomware crews are now using insiders as one more way to get into the organization. But we've always had an insider threat. We need to start focusing more on it.


CAROLE. But this insider threat, though, is it fair to say that you can divide it into two different camps, the malicious actor, but you also have the duped actor inside the company?


IAN. Well, arguably, you actually have even three because you also have an actor, the non-malicious insider who just messes up really badly. They write some huge amount of data onto a USB key that they're not meant to do, and then they lose it. Somebody picks it up, and that data is breached.

So you've got these multiple ways of dealing with vectors that a threat could enter your organization through an insider. And, you know, governments have been dealing with insider threats for years. That's what security clearances are about. But we don't really actually look at this out in non-government enterprise. Maybe it's time that we did.


CAROLE. Yeah, because I'm guessing what you're describing, if you've all these threats that are inside, that can lead to blame culture, right?


IAN. Absolutely. One of the things that we do is we talk to a lot of CISOs all around the world. And before COVID, I traveled a lot and I'm starting to travel again. And there is definitely an issue of blame culture.

A lot of CISOs feel very, very strongly that they can be held to account. If they have built a solid infrastructure, but they still get breached, they can be tarred personally. And that worries a lot of them. You hear stories, for example, about CISOs who ask for an investment. They get denied. And then they'll say something, right, I need an email from the CFO or the CEO saying, I've told you this. You decided not to invest in it. That's a terrible situation to be in.

The blame culture has really got to win because it is very useful to understand when an organization has been breached. You know, it allows the customers of that organization, the people to respond to it appropriately. If they don't, that's bad.


CAROLE. Do you find that there's a lot of companies that try to hide if they get into trouble? And that gets, I mean, I honestly, I'm being honest, I did this when I was, you know, working in a corporation. I might do something bad and then go, oh, God, I shouldn't have done that and try to hide my tracks rather than going to the IT guys and going, okay, I have to be honest. You know what happened? So how do you get around that?


IAN. Well, the standard way is we've got mandatory breach disclosure laws. And generally, they tend to work, you know, in the areas where they are present, that they are very effective. They not only allow people who are affected by breaches to deal with this, but they also support investments.

People don't want to be subject to them because one of the things we found out in this paper is that 33% of organizations actually see ransomware as mostly a reputational issue. So if your reputation is going to be affected by being mandatorily exposed, that's definitely going to drive behaviors. It's going to drive people towards better data governance and better protecting information that they hold.


CAROLE. So you're thinking that the head honchos of companies, the board and senior teams, are they taking this super seriously because they're so worried about a reputational kick in the nuts? I'm sorry, I didn't say that. Kicking the shins.


IAN. Kicking the pants, yes. Yes, they are taking it seriously. And the board definitely is looking at ransomware as a risk to the business. You know, 9 out of 10 boardrooms, 89% of boards see ransomware as a priority concern. That was one of the findings of this paper.


CAROLE. That's huge. That's really huge. I think about five years ago, that would have been half that number, if not less. And so reputation is the big key. They're worried about it. Are they investing?


IAN. They definitely are. But exactly what they're investing in varies. So you've got, for example, the top area of investment seems to be more cybersecurity tooling. And that's absolutely a legitimate approach. You know, one of the things that I love to see is defense in depth. We tend to forget about that with security tooling, or a lot of people do, I think, in that we kind of assume that security tools are perfect. No, they're not. Therefore, the more coverage we have, the more visibility we have, the more observability of our network we have, the more likely we are to catch the incidents, to catch the issues that are causing it.

But that's not the only thing. You've got security awareness and training. About half of people are doing that. And security awareness and training is a great approach. And I do a lot of security awareness and training, not only in my job, but also as a volunteer to other organizations. The problem is that a really good attacker will still get around that.

There was an organization I used to work with many, many years ago. It was a large government supplier in the U.S. that used to use the most punitive, absolutely vicious security training, where they would train their staff and then they would have an internal tiger team that would attack their own staff. And you got one freebie. You got one freebie. And if you failed, if they successfully attacked you, you had to go and do a four-hour training course and update. If you did the second one, you had to go and report to a vice president.


CAROLE. It's like getting caught in a speed trap in the UK. If you get caught speeding, you've got to do the courses, you lose the points, you can get fined, the whole nine yards. Wow.


IAN. Extremely punitive. Nonetheless, they still were unable to get it below 10%. They're still one in 10. They were still able to hit them. Now, bear in mind, that also means 90% success. So, one in 10 means nine out of 10 they didn't hit. So, it's a useful tool, but it's not the only tool. Defense in depth is so important.


CAROLE. Well, before we get into defense in depth, tell me about cybersecurity insurance. I'm just interested, as we're talking about the senior management team, are they buying into that concept? Is that something worthwhile?


IAN. Oh, absolutely. Cyber insurance is a huge issue now, and certainly in this international survey, in Australia and Singapore, nine out of 10 organizations have cyber insurance against ransomware. In fact, for one quarter in Asia-Pacific, that was their only approach. The problem is, we're aware of organizations that simply can't afford it anymore. The premiums are going through the roof. And the cyber insurance companies are asking a huge amount of detail about the risk remediations that these organizations have in place. I'm not surprised. We heard of one story of a three-page survey going to 57 pages between last year and this year. And that was the diligence the insurance company was using to determine what premium they should be charging.


CAROLE. And of course, that's very costly to a company because you have to have legal eagles go through that. You have to have technicians go through all the systems to make sure they're meeting all the stipulations in order to be covered. So, this is why deep observability is so vital. Could you maybe explain that concept for our wonderful listeners?


IAN. So, deep observability is a really interesting concept. There is the existing industry concept of observability, which is the old concept of logs, events, metrics, and tracing. And we've been doing that for a lot of years. And essentially, it reports about the inside of a system, a workload, a cloud instance. Deep observability looks at it from the outside. It looks, say, at a PC, at a cloud image, from the outside, looking at what it is doing on the network.

Now, one of the first things a good attacker will do when they break into a workload is they'll turn off logging. I mean, you can go and read the Mandiant report. That's one of the first things the attacker that breached SolarWinds did. They turned off logging and cleared the logs. That's in their reports. The first ever incident response I did, I'm almost ashamed to admit this, in 1989, I saw them turning off logging. They turned off syslog. So, you know, this is an old attacker TTP.

On that basis, you've got to look at logging. While it's essential, and I'm not saying don't do it, it's not good at catching attackers. Once they violate a workload, once they get in, they compromise something, be it ransomware, be it an advanced threat actor, they are going to compromise logging. How do we deal with that? We go back to defense in depth. We look at what that workload is doing from the outside. And they can't easily compromise that because that workload still needs to generate traffic. And that's what deep observability is.


CAROLE. I mean, it kind of makes sense in a way, if I can make it more colloquial. If you had a burglar come in, the first thing they'd want to do is turn off CCTV or video recording, right? In order to get away with doing what they want to do without any evidence. It makes perfect sense.


IAN. Indeed. Some burglars will go to the power board and pull the fuse. That is to shut down any cameras.


CAROLE. Right. Exactly. So, talk to me about Gigamon. Talk to me about what you guys can offer to help companies get this deeper insight into their system.


IAN. What Gigamon is about is getting access to the traffic, the network traffic, the deep observability traffic, be that on a physical network from 10 meg Ethernet right through to 400 gigabit Ethernet, in the cloud, or in a public cloud, or in a private cloud. All of these environments have network traffic. All of these environments we can do deep observability in. So, if your environment is on-prem, hybrid, multi-cloud, private cloud, public cloud, it doesn't matter. We can deliver the traffic from those environments and deliver it to the tools needed to detect the ransomware, to detect the insider threats, to detect all of the stuff that is a risk to your organization. And that is what Gigamon does.


CAROLE. And I'm guessing in providing that information, you have to parse it in a way that it's easily interpretable by whoever's receiving that information.


IAN. Yeah, if you don't do that, the tool that is consuming that is wasting its time. It's hard enough as it is to detect threats without overwhelming a tool with useless data.


Carole. And what about the concept of zero trust? What are your thoughts on that, Ian?


Unknown. I am absolutely fascinated. I spend a lot of my time doing zero trust, and I think it's an amazing concept because it gets us away from all of those security assumptions like good people inside, bad people outside that just aren't realistic. One of the things I will say is that if you are doing zero trust with just normal observability, well, you're probably not looking at it. You should be looking at normal observability, deep observability, and as much information about risk as you can derive. Then you will achieve a really good outcome.


Carole. Amazing. You can learn more about all this by getting your mitts on their latest research. This is Gigamon's paper, State of Ransomware for 2022 and Beyond. And it looks into insider threats, blame culture, and of course, zero trust. And it's yours for free by visiting gigamon.com forward slash smashing. That's gigamon, G-I-G-A-M-O-N dot com forward slash smashing. And all that I have to say is thank you so much, Ian Farquhar, Global Field CTO for Gigamon.


Unknown. Thank you so much for having me. It's been awesome.


Graham. Well, that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?


Paul. They can find me on Twitter at DuckBlog, or they can find me on the web at nakedsecurity.sophos.com. Oh, my old baby.


Graham. Terrific. And you can follow us on Twitter at SmashinSecurity. No G. Twitter on the last have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.


Carole. And a massive shout out to this episode's sponsors, Bitwarden, Gigamon, and SolCyber. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes and sponsorship information and guest lists and the entire back catalog of more than 284 episodes, check out smashingsecurity.com.


Graham. Until next time. Cheerio. Bye bye.


Carole. Bye. Last show next week for the summer. Bye. Who's crying? Don't cry, guys. Don't cry. Don't cry.


Graham. Well done. Thank you very much, Duck.


Carole. You're a rock star, Duck. I learned some rude words. More like ass monkey or whatever.

-- TRANSCRIPT ENDS --