When Ubiquiti suffered a hack the world assumed it was just a regular security breach, but the truth was much stranger... why are police happy that criminals keep using end-to-end encrypted messaging systems... and why is the Apple Watch being accused of crying wolf?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Plus don't miss our featured interview with SecurEnvoy's Chris Martin.
Warning: This podcast may contain nuts, adult themes, and rude language.
Sponsored by:
- Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
- NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.
- SecurEnvoy - With growing cyber security threats everyone in your organisation needs authentication tailored to their specific access needs and the risk profile of their role. Check out SecurEnvoy's free guide now.
Episode links:
- Ubiquiti tells customers to change passwords after security breach - ZDNet.
- “No way out” trailer - YouTube.
- Ubiquiti sues journalist, alleging defamation in coverage of data breach - Ars Technica.
- Man charged with Ubiquiti data breach and extortion was employee assigned to investigate hack - Bitdefender.
- Final Thoughts on Ubiquiti - Krebs on Security.
- Former Employee Of Technology Company Pleads Guilty To Stealing Confidential Data And Extorting Company For Ransom - Department of Justice.
- Dutch Police Read Messages of Encrypted Messenger 'Exclu' - Vice.
- Shock and applause for Apple Watch's chilling real-life emergency call ad - Campaign Live.
- 911 call made from Apple Watch of Washington woman buried alive released - Yahoo! News.
- Apple Watch 8 series save yet another life - Live Mint.
- Some first responders are asking iPhone users to disable Emergency SOS and crash detection due to influx of false positives - 9to5mac.
- Emergency SOS via satellite available today on the iPhone 14 lineup in the US and Canada - Apple.
- Inoreader.
- ”The Social Life of Animals” by Ashley Ward - Amazon.
- Black Butterflies - Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Support the show:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. So Ubiquiti was clearly knocked off by Krebs' reporting, right? And it coincided with a $4 billion decline in Ubiquiti's market cap. So it had an effect on their share price. Not too good.
CAROLE THERIAULT. Wow, Krebs, that's a bit of market muscle.
GRAHAM CLULEY. It's a bit similar to us, Carole, here at the Smashing Security podcast. Smashing Security, episode 308.
CAROLE THERIAULT. Jailbreak.
GRAHAM CLULEY. Ransomware Fail, Criminal Messaging Apps, and Wolf Crying Watches with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 308. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, who do we have in the hot seat this week as our special guest?
CAROLE THERIAULT. Well, don't you know, Graham? It's Mark Stockley.
MARK STOCKLEY. Hi.
CAROLE THERIAULT. Fave returnee. Hi, Mark.
MARK STOCKLEY. Thank you very much.
CAROLE THERIAULT. Welcome back. Thank you very much for being here.
MARK STOCKLEY. I'd just say what a polite intro that was.
CAROLE THERIAULT. Thank you very much.
MARK STOCKLEY. And nobody insulted me, which just made me very suspicious.
CAROLE THERIAULT. Do you want to share one tidbit of information before we kick the show off?
MARK STOCKLEY. So tidbit of information. I've been conducting a little experiment this year. So on the 1st of January, I deleted the Twitter app from my phone. I haven't stopped using Twitter, but I deleted the app.
GRAHAM CLULEY. Yeah.
MARK STOCKLEY. I did it because I basically lost the ability to read books completely. I read, I think, two books last year. And I wanted to see, 'cause I think I was spending about 23 hours a day on the Twitter app, achieving nothing. And I have deleted the app and I'm—
GRAHAM CLULEY. So what are you doing now, Mark? Are you printing out tweets in order to read them? Have you stapled them together?
CAROLE THERIAULT. He's using Scrabble boards to create, recreate them.
MARK STOCKLEY. Well, those are much better than the real answers. What I'm doing is I'm mostly ignoring Twitter and I'm reading books instead, and it's going really well. So I'm just here to sell you Delete that app.
CAROLE THERIAULT. Thanks for joining us, Graham.
GRAHAM CLULEY. Whoa, whoa, whoa, hang on. You've come onto our podcast in order to promote an alternative medium of entertainment. That's a pretty low thing to do, Mark, frankly, isn't it? We don't really want people coming onto this podcast talking about books. And shouldn't you stop doing other things like reading Twitter or listening to podcasts?
MARK STOCKLEY. We don't want readers. This is not the podcast for readers.
CAROLE THERIAULT. Graham, Graham, why don't you just give yourself a little hug there? Just give yourself a little hug there in your studio, and I'll crack on with the show. But before we kick off, let's thank this week's sponsors, Bitwarden, SecurEnvoy, and NordLayer. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, I'm going to be talking about whistleblowers and ubiquitousness.
CAROLE THERIAULT. Okay, Mark, what about you?
MARK STOCKLEY. I've got some really important advice for anyone who's thinking of turning to a life of crime.
CAROLE THERIAULT. Fantastic. And I will be talking about the watch that cried wolf. Plus, we have a fabulous interview with Chris Martin. He is the Head of Solutions Architecture at SecurEnvoy, and he's going to talk about identity and access management. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, let me take you back in time, not too far, just about two years, because my story begins in January 2021. Have either of you heard of Ubiquiti? Yes. The tech company?
CAROLE THERIAULT. Nope.
GRAHAM CLULEY. Okay. Ubiquiti are— they're sort of a high-end, flashy, prosumer Wi-Fi, IoT routers, security cameras, access points. You're paying over the odds, but it's meant to be quality. Is that right, Mark? Quality sort of IoT gear?
MARK STOCKLEY. I believe so.
GRAHAM CLULEY. Yeah. I think that's it.
CAROLE THERIAULT. It's not YubiKey. That's what I was thinking initially.
GRAHAM CLULEY. No, not YubiKey. Ubiquiti.
CAROLE THERIAULT. Ubiquiti.
GRAHAM CLULEY. Different. Yes. And so if you wanted a Wi-Fi hotspot in your business or in your home and you want to cover a big area, they're one of the people you might consider. And they contacted their customers about two years ago saying that there had been, dun dun dun, a security breach. Oh my goodness. They said that somebody had accessed data at a third-party cloud provider that they used to host some of their infrastructure. And as a consequence, a whole bunch of data, gigabytes of data had been accessed. Customers' email addresses, their names, hashed and salted passwords, addresses, phone numbers, et cetera, et cetera. And they said, change your passwords, they said enable two-factor authentication, they said. And you know, it was pretty big news at the time. It was embarrassing for them, obviously. And the cybersecurity journalists wrote this up as a sort of typical breach.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But some thought that maybe Ubiquiti were perhaps, you know, maybe sort of being a little bit vague as to exactly what had happened, and maybe they were covering up the details.
CAROLE THERIAULT. I mean, I would just stop you here and say a lot of companies do that, right? Right. Advanced persistent threat. Details to follow as we research it. And then you never hear anything.
GRAHAM CLULEY. Sophisticated state-sponsored hacker, therefore—
CAROLE THERIAULT. Right, yeah.
GRAHAM CLULEY. We couldn't have been expected to stop it.
MARK STOCKLEY. I like the third-party cloud provider. That crops up a lot these days. It's like, hang on a minute, hang on a minute. Did you choose the third-party cloud provider? Did you invite them to be part of your infrastructure? 'Cause if you did, it's a bit like saying, "It was Dave in accounts." But he works for you, right?
GRAHAM CLULEY. Exactly. So cybersecurity sleuth Brian Krebs, of course, no stranger to listeners of this podcast, he received a tip-off from a guy called Adam. He called himself Adam, who claimed to be an anonymous whistleblower inside—
MARK STOCKLEY. Real name, Dave from accounts.
GRAHAM CLULEY. Inside Ubiquiti. And this Adam chap told Krebs that he had tried to raise the alarm about security inside the company. He'd contacted the internal whistleblower hotline. He'd been in touch with European data protection authorities.
CAROLE THERIAULT. Internal whistleblower hotline?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. What is that?
GRAHAM CLULEY. Oh, this actually is an increasingly common thing inside companies, sometimes to avoid whether someone's been bribed or something to give money or to, you know, to choose a particular third-party cloud provider rather than another one. In fact, I was just reading today, Tutanota, who are sort of a ProtonMail competitor, they've just developed a service because I think in Austria and Germany, if you have a company of more than 50 people, you have to now have an internal whistleblower hotline.
CAROLE THERIAULT. Okay, so you use this line to say— I would call up the internal whistleblower hotline, call up Dave in HR and say, "Psst."
UNKNOWN. Yeah, well, yeah, you probably wouldn't phone them up or go, "Psst." Instead, you might want to use some anonymous service to contact them.
GRAHAM CLULEY. Anyway, Ubiquiti, it turns out, did have this sort of hotline inside the organization. And this Adam chap said he'd contacted them, and he'd contacted European data protection authorities.
He said that there'd been a catastrophic breach security failure inside the company. And he said that Ubiquiti had not only downplayed the hack to minimize the hit to its stock price, but also when they said it was a third-party cloud provider, that claim wasn't true.
CAROLE THERIAULT. As Mark predicted.
MARK STOCKLEY. Uh-huh.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. It was Dave in accounts on this USB stick. That's where they'd put all the data.
No, no, no. So Adam also told Krebs that the hackers had sent Ubiquiti a $2 million ransom demand, obviously in cryptocurrency, saying, "Look, pay up and we'll keep quiet about the breach and we'll tell you about all the backdoors we have into your systems."
CAROLE THERIAULT. Cheap.
GRAHAM CLULEY. So Ubiquiti refused to pay the ransom demand, right? They refused to play ball with the hacker.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. But what they did do is they responded to Brian Krebs, in the form of a lawsuit alleging that he had defamed the company by accusing them of a cover-up when he reported the whistleblower's claim.
CAROLE THERIAULT. He wrote about it and they were, screw you, Brian Krebs. You've just ruined our reputation.
GRAHAM CLULEY. They're saying that we've covered up the breach and that we've lied about this and etc., etc.
CAROLE THERIAULT. And he was basing this on a secret—
MARK STOCKLEY. Dave from account.
CAROLE THERIAULT. Informant. Dave from account.
CHRIS MARTIN. Adam.
MARK STOCKLEY. So it's probably the person that did the hack.
CHRIS MARTIN. Mark.
GRAHAM CLULEY. Mark.
MARK STOCKLEY. What?
CHRIS MARTIN. What? What?
GRAHAM CLULEY. Just hold your horses.
MARK STOCKLEY. Hold your horses.
CAROLE THERIAULT. It's kind of how it works.
GRAHAM CLULEY. So Ubiquiti was clearly knocked off by Krebs' reporting, right? And it coincided with a $4 billion decline in Ubiquiti's market cap.
So it had an effect on their share price. Not too good.
CAROLE THERIAULT. Wow, Krebs, that's a bit of market muscle.
GRAHAM CLULEY. It's a bit similar to us, Carole, here at the Smashing Security podcast.
MARK STOCKLEY. Because that was the thing that didn't really tie up for me earlier when you said that they were covering up this ransomware because they didn't want it to affect their share price. Because I thought that hacking and things like that famously doesn't affect your share price.
It's one of the really inexplicable and slightly depressing things about cybercrime that people seem to be able to get away with. I'm afraid we've lost all of your data.
CAROLE THERIAULT. Yeah, our customers are still happy.
MARK STOCKLEY. Yeah.
GRAHAM CLULEY. So meanwhile, they are working hard to close any security holes. Of course, they've been doing that.
They've been looking into whether other hackers might have breached their systems, whether there are vulnerabilities. They're bringing in all the eggheads, all the brains inside the company.
CAROLE THERIAULT. What does Nick mean? Is he a new character in this story?
GRAHAM CLULEY. No, well, we haven't mentioned him before, but Nick runs—
CAROLE THERIAULT. Oh, okay, you just talk about it with such fondness. I was like, who's Nick?
GRAHAM CLULEY. We've got Eric the Egghead, we've got Bob the Brainstrust, we've got Nick who runs the cloud team.
MARK STOCKLEY. He runs a third-party cloud. Very good.
GRAHAM CLULEY. Exactly.
MARK STOCKLEY. He's definitely the guy to fix this problem.
CAROLE THERIAULT. Right, okay.
GRAHAM CLULEY. So they're not only hoping they can work out what happened and why, but maybe also find out who this whistleblower is inside Ubiquiti. Now, this is a bit of a tangent here. Have either of you ever seen that movie No Way Out with Kevin Costner and Gene Hackman?
CAROLE THERIAULT. Yeah, but 20 billion years ago.
GRAHAM CLULEY. Yeah, right.
CAROLE THERIAULT. You're gonna ask me about plot? I don't know. Frick.
GRAHAM CLULEY. Well, it's— Kevin Costner. I enjoy—
CHRIS MARTIN. Come on.
CAROLE THERIAULT. Dances with Wolves, just, you know, come on.
GRAHAM CLULEY. JFK?
MARK STOCKLEY. What's wrong with Dances with Wolves?
CAROLE THERIAULT. Oh, just don't.
MARK STOCKLEY. I mean, apart from the hair.
GRAHAM CLULEY. What, the hair on the wolves? What's your complaint?
MARK STOCKLEY. It's a brilliant Western with some very, very strange contemporary '80s hairstyles.
GRAHAM CLULEY. No Way Out, though, is a great thriller. Bit of a twist in it. But essentially, Sean Young, if you remember her, she's murdered. And a blurred photograph is found.
And that could be evidence of who the murderer is. So, using 1987 computer technology.
CAROLE THERIAULT. Enhance, enhance.
GRAHAM CLULEY. Exactly. They're trying to enhance that. And it's taken days and days to slowly unravel who this might be a photograph of.
It's a great fun movie. And it reminds me of the Ubiquiti case because the guy they brought in to investigate the breach, Nick, from the cloud team, was actually the person behind the breach himself.
CAROLE THERIAULT. How do they find that out?
GRAHAM CLULEY. Well, Nicholas Sharp had exploited his access to the company's systems to steal gigabytes of data from its GitHub and AWS servers. He thought he could cover his tracks because he had a VPN.
He had a Surfshark VPN account to hide his home IP address. So he was stealing all this data in the dead of the night.
CAROLE THERIAULT. And rubbing his palms together going, "They will never find me." Okay, right.
GRAHAM CLULEY. And for one reason or another, the VPN briefly sort of barfed out and stopped working.
CAROLE THERIAULT. No, we've talked about this happening before.
MARK STOCKLEY. Which, even if it hadn't, this story may have gone the same way. Just—
CHRIS MARTIN. Yeah, same person.
MARK STOCKLEY. Stopped the concept of invisibility.
GRAHAM CLULEY. So the FBI had gone to question him, and he said, it's nothing to do with me. He said, sure, that Surfshark VPN account was paid for with my PayPal account.
CAROLE THERIAULT. You have me mixed up with some other Nick. I'm Nick the cloud guy.
GRAHAM CLULEY. His argument was someone else must have used my PayPal account. Someone else has phished my PayPal account and then bought a Surfshark VPN in order to steal data from the company that employs me.
But having had the visit from the FBI, who were presumably a little bit skeptical of his story, he subsequently, after the FBI had been round to his house, he then went to Brian Krebs pretending to be Adam, saying, I'm a whistleblower inside Ubiquiti. Let me tell you what's been going on there.
CAROLE THERIAULT. And did Krebs write it up with saying Adam?
MARK STOCKLEY. Yes.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Yes. Adam. Krebs wrote, I think, two or three stories about this, which, of course, upset Ubiquiti enormously, who were working with the FBI, who suspected this guy was behind it but couldn't say anything.
MARK STOCKLEY. But he did have a VPN, to be fair.
GRAHAM CLULEY. Yes. Oh yes, that's true. He had a VPN. Yes. So Krebs has since removed the stories from his website. He realizes, you know, recognizes that his source was not entirely trustworthy and was actually involved in the crime itself when he was claiming, oh, they've been incompetent.
That's why they got hacked. Nicholas Sharp, he's now pled guilty to wire fraud, making false statements to the FBI, Oh, it was my PayPal account, but it's someone else who paid for it. And transmitting malicious code as well. He faces a total of 35 years in prison.
That's the maximum because it's America, of course. And he is scheduled to be sentenced in May.
CAROLE THERIAULT. You know, if someone was gonna knife you in the back, right? Wouldn't their name be Nick Sharp?
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Right?
GRAHAM CLULEY. The Sharp that gave a nick.
CAROLE THERIAULT. Well, I'm just saying.
GRAHAM CLULEY. Sharpie, maybe.
CAROLE THERIAULT. Just tattoo you.
MARK STOCKLEY. It was Nick from the third-party cloud team all along.
GRAHAM CLULEY. It was him all along. What a naughty boy he was. So here, as normal, is my tip for any budding cybercriminals out there.
MARK STOCKLEY. Use a VPN. Always use a VPN.
GRAHAM CLULEY. Use a VPN.
MARK STOCKLEY. Definitely use a VPN.
GRAHAM CLULEY. Don't set it up to cut off the internet connection if the VPN connection dies for any reason. Definitely don't have a kill switch like that. And always, always use a PayPal account connected to your genuine email address.
That's a good idea as well. Mark, what have you got for us this week?
MARK STOCKLEY. Well, I have, I've got some very important advice for anyone who is considering a life of crime.
GRAHAM CLULEY. Oh, good.
MARK STOCKLEY. Now, you're educated and informed cybersecurity folks, so you'll know that for several decades, and the last few years in particular, various governments and police forces around the world have been insisting that the increasing use of encryption is stopping them from doing their jobs.
CAROLE THERIAULT. Yes, yes, the Snooper's Bill.
MARK STOCKLEY. Mm-hmm. So encryption, as you know, is used to secure communications in apps like WhatsApp and Signal. And so things like wiretaps don't work because while the police can still intercept conversations, those conversations don't make any sense.
It's just random noise and there isn't enough computing power or time in the universe to decrypt them.
CAROLE THERIAULT. Okay.
MARK STOCKLEY. The only way to defeat this encryption, say the police, is with backdoors. I mean, backdoor's not a great description. It's more like a master key.
So if you imagine, you know, you need a key to encrypt and decrypt information. If the police had a master key, they say, they could use that and they could unlock any conversation and they could do things like wiretaps.
CAROLE THERIAULT. 100%.
GRAHAM CLULEY. And what could possibly go wrong with that?
MARK STOCKLEY. Well, although these requests come from a good place, because, you know, I don't doubt for a second that the police are trying to stop organized crime and terrorism and terrible things like that. There has been near-universal pushback, just as there was just now, from computer security professionals like you, because the mathematical facts are that there simply isn't a safe and secure way to provide a master key.
Unfortunately, although I'm sure this podcast will change things, up to now, those protests from people like you have largely fallen on deaf ears. We seem destined for a world where encryption backdoors exist.
CAROLE THERIAULT. So what you're basically saying is because we're saying if you have, if somebody has the master key, you know, it's just a question of time before that somehow gets copied.
MARK STOCKLEY. Yes.
CAROLE THERIAULT. You keep going with the analogy. Exactly. Okay. Yes. I'm with you.
MARK STOCKLEY. Exactly right. There are, yeah, you can't put a vulnerability in something and then say only these people know about the vulnerability.
CHRIS MARTIN. Yeah.
GRAHAM CLULEY. Yeah, and what happens when some evil state, for instance, says, well, we'd like to police our population as well, please. So can we have a master key too?
CAROLE THERIAULT. They probably do.
MARK STOCKLEY. And what if?
CAROLE THERIAULT. In that case.
MARK STOCKLEY. What if criminals said, we won't follow the law.
CAROLE THERIAULT. Yeah, exactly.
MARK STOCKLEY. And encryption has got the back door. Because the thing about criminals is they have a different relationship to the law than law-abiding people. Anyway, the broader point here is that these sorts of objections that we are raising here, sensible, rational objections, are largely falling on deaf ears, unfortunately. However, there is one group of people that have been doing a really good job of poking holes in the police's argument for encryption backdoors.
CAROLE THERIAULT. Okay.
MARK STOCKLEY. And that group is the police.
CAROLE THERIAULT. What?
MARK STOCKLEY. And it has to be said, criminals. Criminals have also been helping out quite a lot as well. Let me explain. For the last 8 years or so, there has been a repeating pattern in the use of encrypted devices by organized crime. Now, I'm going to start the story in 2016. I could probably start it earlier than that. We're going to start in 2016.
CAROLE THERIAULT. Okay.
MARK STOCKLEY. In 2016, the Dutch police figured out how to read encrypted messages on BlackBerry phones. And you're going to hear the words Dutch police quite a lot in this, because for some reason, the Dutch police are really good at cybercrime.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Well, fighting cybercrime.
MARK STOCKLEY. Sorry, yeah, they are really good at fighting cybercrime. Anyway, in 2016, Dave from Accounts, in 2016, they figured out how to read encrypted messages on the BlackBerry phones being used by gangsters who were known to be using them for horrendous crimes. Now, people have come up with a variety of techniques, or speculated about what sort of techniques they might have used, but there was no doubt that they were reading messages. So this spooked some of the criminal underworld into looking for an alternative to their beloved BlackBerrys. Now, some, no doubt, turned to Ennetcom, a company that sold handsets to Dutch criminals for about $1,500, and that couldn't do anything other than sending encrypted messages.
CAROLE THERIAULT. Okay.
MARK STOCKLEY. This turned out to be a mistake. Although it was used by Dutch gangsters, Ennetcom's infrastructure was in Canada, and it turns out that the Canadian police had been camped out on Ennetcom's servers and managed to decrypt about 3.5 million messages.
GRAHAM CLULEY. So this is the thing. It turns out that these criminal encrypted messaging services were actually being run by the Canadian cops, is what you're saying, effectively. Or that they certainly had oversight of them.
MARK STOCKLEY. It was being run by a company in Canada, and the Canadian cops said, we wouldn't mind a gander. How about we have a look at those servers, sonny? And so they did, and they managed to decrypt 3.5 million messages, which is probably not what Ennetcom's customers had in mind anyway. So, as a result of Ennetcom being compromised by the Canadian police, criminals were left looking for a secure phone once again. And some may have turned to Phantom Secure.
CAROLE THERIAULT. Phantom Secure.
MARK STOCKLEY. Phantom Secure. Phantom Secure was a Canadian company that provided modified, secure mobile phones that couldn't do anything other than sending encrypted emails.
GRAHAM CLULEY. Okay.
MARK STOCKLEY. It was used by high-level drug traffickers, high-ranking organised criminals. That is until March 2018, when the FBI arrested the company CEO, Vincent Ramos, shut down the whole operation, and within three months, Ramos had turned state witness and handed over all the login details to all of the systems for Phantom Secure. Now, the FBI haven't revealed whether or not they were able to decrypt Phantom Secure's messages, but they did certainly stop all those nasty criminals from using Phantom Secure. So that particular avenue of crime was brought to a halt.
GRAHAM CLULEY. So I guess the criminals had to go and find something else, I suppose.
MARK STOCKLEY. Well, it's funny you should say that, because once again, criminals were left looking for a secure phone for doing crimes. And some may have turned to EncroChat.
GRAHAM CLULEY. Oh yes.
MARK STOCKLEY. EncroChat is thought to have been developed with money from Dutch organised crime. And at its peak, it had about 60,000 users, pretty much all of whom were crooks.
CAROLE THERIAULT. It's so funny, right? 'Cause isn't there this adage that you have to blend in, right? If you want to go undetected. Whereas in this case, they all go to the same club. You know, they're all sitting there in the same shitty club, and everyone's like, "Anyone who's in there is badass." I imagine them all like Dom Joly with a giant button.
MARK STOCKLEY. With the name of their super-secret encrypted crime phone written on it. Hello!
CAROLE THERIAULT. What?
MARK STOCKLEY. No, no, no, no, no! Anyway, so this, EncroChat, 60,000 users, everything was going fine until it wasn't. When in June 2020, it came to a sudden and dramatic close, and it was revealed that the French police had been camped out on EncroChat servers for several months, where they had been able to read messages and also read lock screen passcodes, which is very amusing for anybody who understands how passwords are supposed to be stored.
Because, let's just say, if they were able to read lock screen passcodes, they may have been not as secure as the criminals were thinking they were. Anyway, the French police were more than happy to share what they'd learned with their fellow European neighbours, and as a consequence, there were about 1,000 arrests.
GRAHAM CLULEY. Mark, I'm sensing a trend here where cybercriminals are using encrypted chat messaging systems, which then get taken over by the cops.
MARK STOCKLEY. You may think that. I couldn't possibly comment. Suffice to say that with the demise of EncroChat, once again, criminals were left looking for a secure phone.
CAROLE THERIAULT. How can we talk to each other? Shut up, Biddy! We don't have a solution!
MARK STOCKLEY. Well, they did have a solution.
CAROLE THERIAULT. Aha.
MARK STOCKLEY. And that solution was called Anom.
CAROLE THERIAULT. Ah.
MARK STOCKLEY. Now, Anom provided modified Android phones that had all the normal telephony and messaging disabled, and a specialist encrypted messaging app installed. And Anom was distributed through criminal networks, and you basically only found out about it because a gangster kind of approached you and said, you should use this super secure crime phone. That's for crime. And Anom was extremely successful and very, very widely spread. And I'm thinking, 'cause you sort of said it in the last part of the story, you're thinking that Anom was infiltrated by the police.
GRAHAM CLULEY. Yes, yes. That's why I mentioned—
MARK STOCKLEY. Anom was never infiltrated by the police.
CAROLE THERIAULT. Eh-eh. See, Graham? You see, Graham? You shouldn't assume. You shouldn't assume, Graham.
MARK STOCKLEY. No, it was never infiltrated by the police because it was in fact invented by the police. So, Anom was created and marketed by the FBI.
GRAHAM CLULEY. Nice little sideline for them, to be honest. I mean, if funding is a problem, it seems there are lots of criminals looking for a decent encrypted messaging service. Fishing system, well, not so much, is it?
CAROLE THERIAULT. Right?
GRAHAM CLULEY. Why shouldn't the FBI get involved?
CAROLE THERIAULT. If I were a criminal, I'd give this 1 out of 5 stars based on everything I'm hearing here.
MARK STOCKLEY. Well, as I understand it, the encryption in Anom was perfectly good. The problem was that every time you sent a message, a copy of the message was also sent to the FBI. Well, Anom, in the end, Anom was being used by about 10,000 gangsters in 100 countries and it shared 27 million messages with the FBI.
GRAHAM CLULEY. So, did this cause a denial of service at FBI headquarters where their email box was getting full?
CAROLE THERIAULT. Smoke coming out of the sides.
MARK STOCKLEY. On the 8th of June, 2021, 800 people were arrested in 16 countries as a result of this Anom phone that had been invented by the FBI. And not for the first time, criminals were left looking for a secure phone and some, no doubt, turned to Exclu. Now, on its website, which I visited yesterday, Exclu says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data.
GRAHAM CLULEY. Exclu?
MARK STOCKLEY. Exclu.
GRAHAM CLULEY. Exclu sounds like one of my old girlfriends or something. What's—
MARK STOCKLEY. Are you saying that she's behind a criminal enterprise?
GRAHAM CLULEY. Wow.
MARK STOCKLEY. Quite secure, but they're criminals.
CAROLE THERIAULT. Doesn't say a lot about dating you either, right?
MARK STOCKLEY. Ask your legal team.
GRAHAM CLULEY. Carry on, Mark, you're doing great.
MARK STOCKLEY. Okay, thank you very much. Anyway, the website says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data, and what it should have said is that no one gets access to your data apart from the Dutch police.
CAROLE THERIAULT. 'Cause we created it and—
MARK STOCKLEY. The Dutch police announced on Friday that it had been camped out on Exclu servers and reading 3,000 criminals' messages for the last 5 months.
CAROLE THERIAULT. Wow. Is there any criminals left? I'm just wondering, you must be able— This is a big net, isn't it? Because they all have to talk, right, if they're all using these apps.
MARK STOCKLEY. I've a horrible feeling that it just hints at how many criminals there are.
GRAHAM CLULEY. Well, maybe the politicians are right, Carole, and they're all now using WhatsApp and Signal. And that's why we need a backdoor into WhatsApp and Signal.
CAROLE THERIAULT. Yeah, that's exactly what will be the— Thanks for giving them their marketing campaign.
MARK STOCKLEY. So anyway, there've been about 50 arrests so far and not for the first time, criminals are once again left looking for a secure phone.
GRAHAM CLULEY. So if my bicycle gets stolen and the police say, oh yeah, you're alright, we'll make a log of it, but they don't come round to investigate the scene of the crime, is it because they're actually busy reading these messages or setting up their own encrypted messaging system to market to criminals? That's what I'm interested in.
MARK STOCKLEY. That's what I like to believe.
GRAHAM CLULEY. I feel a bit better about it now. Fantastic. So do you have any advice, Mark, for any criminals out there?
MARK STOCKLEY. Yes, I do. I do.
GRAHAM CLULEY. If somebody approaches you on the quiet and says, "Hello, hello, hello." What's going on here then?
MARK STOCKLEY. Somebody in a very large blue hat approaches you and suggests that you use a brand new super secret skunkworks phone that you've never heard of, that's just for doing crimes. Use it.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. I am talking about watches. Because you probably know over the last several years, Apple, the smartwatch market leader, added new features to the watch such as fall detection and crash detection. Okay, so one of their ads when they launched this in Apple, I think it was 7 Series, it was called 911, this ad. And it used basically live audio from 3 real-life emergency calls to illustrate the various ways that Apple Watch, you know, could make a difference between life and death.
Right? So in one of them, the audio is of a woman who flipped her car, right? And she desperately, she contacts and she's telling the emergency line that her car is starting to fill with water up to her neck, right?
And another one, there's a paddleboarder who's drifted out to sea. And each caller is unable to reach their mobile phone, but because they have their Apple Watch, huzzah! And it's the help with their watch that these people, Jim, Jason, and Amanda, were rescued in minutes, says the ad.
GRAHAM CLULEY. The reason why these are cool is if you do flip the car, if you move in an unusual way, such as being upside down, and maybe are knocked unconscious by the crash or are incapacitated in some fashion, then your phone can alert someone and say, whoa, something really bad has happened here, and could contact the authorities, et cetera, et cetera.
CAROLE THERIAULT. Exactly. Exactly. And that's how they're marketing it as well. This is a really useful thing.
So I was looking around for a few, you know, real stories that hit the headlines once this came live. And the scariest one that I found was the Seattle couple that were in the midst of a divorce. And then things went really south. And the woman managed to contact 911 using her Apple Watch, right?
Saying, you know, her husband was trying to kill her. And it seems in his blind rage, he ended up putting her into a shallow grave after stabbing her.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Before the authorities arrived. So she was literally underground.
GRAHAM CLULEY. Oh my goodness.
CAROLE THERIAULT. And one of the more avoidable ones where this guy was power washing the bricks on his house and he decided to stand on the windowsill as a stepping stone to reach just a little bit higher to get that little bit up.
GRAHAM CLULEY. I think we know where this is going to end up. Yeah.
CAROLE THERIAULT. Anyway, after a few minutes, after falling right in the window well on the bottom of the house, he stood up and there was a cop, right? And he was, how are you here? And he was, your phone.
MARK STOCKLEY. I'm just trying to imagine that Apple marketing team wrestling with story you told.
CAROLE THERIAULT. Oh, yes. Yeah, yeah. It's, should we give him a Darwin Award?
So this has been selling like hotcakes. Apple Watch Series 8 and iPhone 14 now both boast improved crash detection. And users can now connect with emergency services when cellular and Wi-Fi coverage is not available.
This would all be fantastic if things didn't sometimes go a little bit wrong. Over the past few months, we've seen a kind of growing concern and increasing complaints from really annoyed 911 responders.
GRAHAM CLULEY. Ah, so people's Apple Watches are calling the cops when they shouldn't be. They're false alarming, thinking something bad has happened.
MARK STOCKLEY. Yeah.
CAROLE THERIAULT. And it seems to happen mostly when people are doing snow sports skiing or snowboarding.
GRAHAM CLULEY. OK, makes sense. Well, snowboarding, it has sort of got built into it, hasn't it? Falling from a great height or being upside down, tumbling. Yeah, jumping on walls. Yes.
CAROLE THERIAULT. Tumbling.
GRAHAM CLULEY. Yes.
MARK STOCKLEY. I think, to be fair as well, the Apple Watch is probably right on a lot of occasions. Yeah.
CAROLE THERIAULT. This person has crash-landed.
MARK STOCKLEY. Yeah.
CAROLE THERIAULT. And so what happens is if the device detects a crash, it then sends the user a message or an alarm to find out if they're actually in a crash. So the user can then dismiss the message and say, no, no, no, I'm fine, I'm fine. But if 10 or 20 seconds pass, the feature then sends an automated message with the user's GPS coordinates and a callback number to the closest emergency call center.
GRAHAM CLULEY. This confuses me because shouldn't the police be busy creating encrypted messaging systems rather than helping people who've fallen off their snowboard?
CAROLE THERIAULT. Well, you've got ski patrols, right? And they're really important, if there's avalanches and all kinds of things, but they're getting inundated with calls. So some people are reporting a 50% uptick in the last year. And also, if you think about it, if you're bombing down a hill, right, you're hitting the moguls, you know, the wind zipping past your earmuffs, you might not hear or feel your watch.
GRAHAM CLULEY. No.
CAROLE THERIAULT. And that would lead to incidental calls, wouldn't it?
MARK STOCKLEY. I think it's because you have to wear so many clothes.
GRAHAM CLULEY. Oh, yeah.
CAROLE THERIAULT. Because it's chilly up there. Do you know, seriously, as a Canadian, when I was a kid, I downhill skied, and the first day in the new year where the sun was out and it was just maybe close to zero or near zero Celsius, we would all put shorts on and ski in shorts. It's ridiculous.
GRAHAM CLULEY. I'd definitely have called the police at that point.
CAROLE THERIAULT. So what happens when these things happen, right, is that dispatchers are required to either send first responders, that's the normal protocol, send first responders to the location unless the person can confirm it was a mistake. And, you know, there's lots of problems with that because there's wasted resources, there's people in real danger that are not, maybe not being prioritized appropriately.
And what's happening is that some first responders are now making a judgment call, right? Because there's too many watches that are crying wolf. So they might be going, "Ah, you know, we called back, they're not responding. They're probably still skiing and fine. Let's not worry about that one." I mean, Mark, I know you're a skier. How would you judge? 'Cause skiing is seriously dangerous. You can die, right? There's loads of things that can lead to that.
MARK STOCKLEY. Oh, 100%. Yes. Yeah. I've tried to die many, many times when skiing. I think the answer here is very obvious that Apple have just got to go the whole hog. They've just got to leave the camera on the whole time. Live feed to the first responders. Obviously the first responders are going to have to buy new equipment so that they can see the live feed.
CAROLE THERIAULT. Well, there's media reports out there of responders saying, hey, skiers, do you mind just turning off this feature if you're going skiing?
MARK STOCKLEY. Yeah, turn off this life-saving feature.
CAROLE THERIAULT. Yes, exactly!
MARK STOCKLEY. That could save your life in the event of a crash.
CHRIS MARTIN. Yep.
GRAHAM CLULEY. Exactly.
MARK STOCKLEY. The minute you put some skis on, particularly if you put a snowboard on, then essentially you've said, "My life is worthless. I don't care if I die."
GRAHAM CLULEY. I wonder if you go to a theme park, to one of those roller coasters which spin you upside down and do horrific things to you, a bit what was it called? That mountain thing we went on in Euro Disney.
CAROLE THERIAULT. Space Mountain.
GRAHAM CLULEY. Oh my God, that was horrendous. Anyway, so I just wonder if something like that could set them off as well, or whether—
CAROLE THERIAULT. I don't know, why don't we do a test, Graham? You've got an Apple Watch.
GRAHAM CLULEY. Oh, you know, I'd rather not.
CAROLE THERIAULT. Go hit the roller coasters.
GRAHAM CLULEY. No, not for me, thank you.
CAROLE THERIAULT. There you go. So there's no solutions to this basically other than Apple getting together with the emergency responders and trying to figure out a solution that suits them both, which is apparently what they're doing now.
Seems a little late. You'd think they were involved very early on.
MARK STOCKLEY. I don't know. I feel we've managed to get this far.
You know, there's 8 billion people on the planet now. We've been doing okay.
Population doubled since about 1970. We've managed to do okay without our watches calling the police for us.
I accept that there are rare occasions where we might be buried alive where that could be useful. But what if we just didn't have this feature?
GRAHAM CLULEY. Well, Mark, that's all very well for you to say, but the people who die or the people who get buried alive, they aren't having their voice heard, are they? So they might be particularly—
CAROLE THERIAULT. Literally, you can't hear them with all the snow over them.
GRAHAM CLULEY. Yeah. They might have a very strong opinion about this.
It's all very well for you as a survivor to say, well, do we really need this? But, you know, what about the people who are in a pickle?
CAROLE THERIAULT. And that's the thing. You've got to make your decision before you get yourself in a pickle, right?
You've got to know to wear the watch. It seems to be the health elements of the watch that everyone loves, all kinds of different automated alerts that happen.
GRAHAM CLULEY. Do you know, can I tell you a true story? I was at a chess tournament a couple of months ago.
MARK STOCKLEY. You're a chess player. This is news.
GRAHAM CLULEY. And I had my Apple Watch on me. And at the end, later on, it sort of did a bleep and said, oh, do you realise that your heart rate was elevated for about 13 minutes?
There was a particular tense point where clearly my heart was getting very, very stressed about what was happening. Really? Yeah, for real.
CAROLE THERIAULT. It's almost exercise then, huh?
GRAHAM CLULEY. Almost. Yeah, chess is.
CHRIS MARTIN. Yeah, yeah, yeah.
CAROLE THERIAULT. Get a sweat on.
MARK STOCKLEY. Is this elevated for a chess player, or is this— are we, what's the baseline for elevated here?
GRAHAM CLULEY. Oh no, no, let me— look, my chess opponents are not people who are likely to get me all hot and bothered. It's more what's going on on the board rather than what's sitting opposite me.
Today's podcast is brought to you by NordLayer. Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business.
As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents. Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance.
Simply go to nordlayer.com/smashingsecurity and get 1 month free. NordLayer is easy to start.
It takes less than 10 minutes to onboard your entire business on a secure network. NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems.
And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth. So if you want to secure your business network, go to nordlayer.com/smashingsecurity to get your first month free.
And thanks to NordLayer for supporting the show.
CAROLE THERIAULT. If you are looking for a multifactor authentication solution, look no further than SecurEnvoy. This is for companies that take authentication seriously because SecurEnvoy takes MFA to another level.
See, the thing is, there's no room to be complacent with the growing cybersecurity threats. Everyone in your organization needs authentication tailored to their specific access needs and risk profile for their role.
But maybe your employees and partners and contractors all need different types of MFA. Some might prefer SMS, some might prefer YubiKey, others a smartphone app.
SecurEnvoy can handle all this for you. Do you want to learn more?
Of course you do. Check out SecurEnvoy's free data guide available at smashingsecurity.com/securenvoy.
That's S-E-C-U-R-E-N-V-O-Y. And thanks to SecurEnvoy for sponsoring the show.
GRAHAM CLULEY. So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass. Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted.
There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state. But one password manager that isn't making that mistake is our sponsor Bitwarden.
Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including, unlike LastPass, the URLs for the websites which you have saved passwords for. You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy.
And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy. They support importing from lots of other solutions, and there's even a LastPass migration guide available.
Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate.
And stay safe. And welcome back, and join us for our favorite part of the week, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my pick of the week this week is a service called Inoreader. Have you heard of Inoreader?
CAROLE THERIAULT. No. Do you want to spell that?
I have no idea.
GRAHAM CLULEY. Inoreader. Do you remember Google Reader, which was killed off about 10 years ago by Google?
CAROLE THERIAULT. Yeah. RSS feeds, right?
GRAHAM CLULEY. Exactly. It was a great way of aggregating all your RSS feeds, reading the latest news, keeping on top of blogs and things.
Google killed it off, much gnashing of teeth. People were really upset.
CAROLE THERIAULT. Yeah. Why did they kill it off?
Do you remember what the reason was?
GRAHAM CLULEY. There's a webpage listing all the different things that Google has killed off over time. You know, they're doing it all the while, aren't they?
But anyway, since then, I've mostly used a service called Feedly. But I was getting a little bit grumpy about it.
I was paying for it every year and I was thinking, it doesn't really, it's not really satisfying what I want it to do. And so I was looking for an alternative and I found Inoreader.
And with Inoreader, you can not only follow news sites, corporate websites, blogs, anything that has an RSS channel. You can also follow social media accounts if you really want to.
CAROLE THERIAULT. Oh my God.
MARK STOCKLEY. I don't use it for that purpose.
GRAHAM CLULEY. Reddit, you can follow on it, YouTube channels, newsletters. You can even create RSS feeds for web pages which don't have RSS feeds on them, which again—
CAROLE THERIAULT. Well, I bet there's hundreds of listeners out there going, "That sounds so cool." It is cool.
GRAHAM CLULEY. And Carole, there's a lot, I can see that you're a potential purchaser of this. You're gonna come on board.
MARK STOCKLEY. And these people are kind of people, heart rates are elevated when they have to make a move at chess.
GRAHAM CLULEY. I like to stay abreast of all the latest developments in this. One thing I can do with Inoreader is I can create customised alerts. So if there's a particular news source, which rarely writes about cybersecurity, you could precede it with a woo-ka, woo-ka.
Well, that is exactly what I do. So my watch will actually ping if there's a breaking humongous cyber story, which has happened, which has been reported by, I don't know, BBC or something like that, just to tell me, oh, this thing's just happened. And you can listen to articles. It does text-to-speech. There's also kinds of automation. It's really cool. Really impressed with it.
CAROLE THERIAULT. Sorry, can I ask how long you took to set it up?
GRAHAM CLULEY. Oh, it didn't take long at all. I just imported my RSS feeds from Feedly in OPML, I think it is, format. And there I was.
CAROLE THERIAULT. And setting up all the rules?
GRAHAM CLULEY. I've only got a few rules there. Mostly it's just, you know, I've got things in different folders. It was really easy to migrate from one service to the other. There is a free version if you want to try it out. That's ad-supported, but I choose to pay an annual subscription, because I get a few more features. But I figured, I find this really useful. I use it every day. I like it. And maybe some other listeners would as well. Cool. inoreader.com. Go and check that out, because it is my pick of the week.
CAROLE THERIAULT. There we go.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Sorry?
GRAHAM CLULEY. Oh, sorry. It's— Mark, what's your pick of the week?
MARK STOCKLEY. No, you can go straight to Carole if you'd like. Why, why stick to the same routine that you've had for 8 episodes?
Mark, please share. My pick of the week is a book. So you remember at the beginning I said I've deleted the Twitter app to try and get my head into reading and it's worked. Yes. Well, the second book that I've read this year is called The Social Lives of Animals, which is by Ashley Ward, and it is all about how cooperation between animals works and why it's a wonderful thing. And it is a beautifully written book.
So it sort of goes through a dozen or so different species and explains how they cooperate and why they cooperate. There's a fantastic opening chapter all about krill. So who knew krill which is, you know, we just think of as being prawns that are eaten by blue whales, actually cooperate. And there's some fantastic information about the life cycle of krill and what happens when they lay eggs and things. And oh, it's just mind-blowing. These are particularly interesting.
CAROLE THERIAULT. Graham's going, why would I need to know this? Is it useful in chess? No. Doctor Who? No. My podcast?
MARK STOCKLEY. No. The chapter's all about these people that are trying to research the life cycle of krill. And it's very hard to research the life cycle of krill, because they live in Antarctica. So it's very, very cold.
GRAHAM CLULEY. Or inside the bellies of whales, which is the other place you have to find them.
CAROLE THERIAULT. They're not chilling out in there, Graham. They're not having a party. They're swallowed whole. Sure, but you know.
MARK STOCKLEY. I presume. Yeah. When they lay their eggs, their eggs sink. So krill will live at the surface of the water. And in order to not get eaten by their parents, the eggs sink.
CAROLE THERIAULT. Geez, you see, we complain about our folks and look, at least we're not being eaten by them.
MARK STOCKLEY. They sink and they sink and they sink and they sink and they sink and they sink and they end up sinking for about 2 kilometers. When the krill hatches, it's about the size of a full stop. What font size? And the first thing it has to do is swim 2 kilometres up, bang, to the surface of the water.
So, a month of this dot-sized krill's life is the equivalent of doing a marathon every day.
CAROLE THERIAULT. And with the end result of getting eaten by a blue whale! Alright!
MARK STOCKLEY. Life's beautiful. Anyway, it's a wonderful book, and it is beautifully written. So it's full of interesting stories, but it is also— It sounds gorgeous.
Yeah, it is, it is a lovely thing just to read.
GRAHAM CLULEY. Fantastic.
CAROLE THERIAULT. Would it be good for younger readers, what do you think in terms of writing style?
MARK STOCKLEY. I think some of the subject matter might not be, you know, it's a bit erotic. There's, well, they're going to bonobos. There's a fair bit about bonobos.
I don't know if you know about bonobos. They've got a very interesting sex life.
GRAHAM CLULEY. Okay, very varied. The Social Lives of Animals by Ashley Ward, for all your bonobo information.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. I have an unsettling French thriller series as my pick of the week. It's called Les Papillons Noirs, or Black Butterflies.
So, the premise is you've got this gloomy novelist, okay, named Adrian, and he has writer's block. You know, he's trying to write his novel, his great oeuvre. And to get over his writer's block, he agrees to write the memoir for this dying guy, this old man named Albert.
And Albert starts sharing his stories, right, to honor the love of his life, this woman called Solange. But the stories really get dark and almost beggar belief, you're not sure if they're real.
And the writer guy's like, "This is a little crazy. I'm out of this." But he ends up getting sucked in because his wife took a peek at the first draft.
She's hooked. She thinks it's his best work ever. And so, despite his better judgment, he continues to visit Albert and record these stories, which get darker and murkier and bloodier.
And it's great.
GRAHAM CLULEY. What format is this in, Carole? Is this a podcast, a TV show, a book, a lithograph? What is this?
CAROLE THERIAULT. Oh, I'm sorry. It is on Netflix. I thought I said that.
So, on Netflix, and it's kind of series, so probably 6 episodes, I think. And it came out last year.
GRAHAM CLULEY. And it's called Les Papillons Noirs.
CAROLE THERIAULT. Yeah, that's exactly correct. Or Black Butterflies for the rest of you. If only Graham did all the French in the show.
You will find it with both because obviously it's available in different languages, Graham. It is dubbed. So, but yeah, you can find it with Black Butterflies.
It's on Netflix. It's great. You'll enjoy it.
It's tense. And there's a really, really serious, serious twist both halfway and at the end.
GRAHAM CLULEY. Is it as good as the twist in No Way Out with Kevin Costner and Gene Hackman?
CAROLE THERIAULT. I have no idea because I haven't seen that since 1987. What is the twist?
GRAHAM CLULEY. Oh, hey, we can't reveal. It's only been 35-odd years. We can't tell people this soon.
Carole, you've been busy this week. You've been chatting with the folks at SecurEnvoy.
CAROLE THERIAULT. Yes, I have an interview with Chris Martin. He's an expert in identity access management. Listen up, folks. Today, listeners, we have a treat. We have Chris Martin, the Chris Martin. He is— thank you for being here. Thank you. I was gonna say, I had no idea that you were interested in technology and security.
CHRIS MARTIN. I have to do something during the day.
CAROLE THERIAULT. Well, this Chris Martin is the Head of Solution Architecture at SecurEnvoy, and he works with lots of different departments and teams to help define, develop, and execute the company's identity access management strategy. And this is all to make sure that the right people can access your company resources and data, right? Rather than the wrong people. So is that a fair way of putting it, Chris?
CHRIS MARTIN. That's a perfect way of putting it. Yes. It's just making sure that people don't get access to really what they shouldn't be getting access to.
CAROLE THERIAULT. Maybe we should start with you, Chris. Maybe you can tell us a little bit about you and how you found yourself at SecurEnvoy.
CHRIS MARTIN. So I've been in this industry for a long time now, nearly two decades now, and it's always been a fascinating subject for me that users are people that use computers, but it's, it's a stupid statement, but it's, yeah, you have to stop users from using computers sometimes or accessing data. So this idea of security is just fascinating to me, and my career has developed, and I'm fortunate to have found a company, SecurEnvoy, that shares my passion. You say it's a passion and people laugh at you, you awesome geek.
CAROLE THERIAULT. I was just gonna ask what makes you passionate about it? What is it that you think is the secret sauce for you?
CHRIS MARTIN. As I said, it's a human problem. You think this issue starts because, as human beings, we can't remember passwords. We can't remember unique passwords or alphanumeric characters, despite what Hollywood says. You know, everyone gives super complicated passwords; we as human beings can't do that. So it's a very human problem. I'm not saying I can make the world a better place by doing identity and access management, but it is solving problems for people, solving problems for companies.
CAROLE THERIAULT. Absolutely. Even for tiny companies, you know, and for people like me, for example, right? I still have hundreds and hundreds of usernames and passwords that I have to manage. There's no way I would be able to do that without help.
CHRIS MARTIN. It's exactly that. I think on average that a user has somewhere around 15 different applications they use regularly for their job. Yeah. And you think that could be 15 different username and passwords. Of course, as an industry, we then came along and said, oh, wouldn't it be better if you just had one? We call it single sign-on. Of course, what that now means is if that credential is compromised, someone now has access to 15 different applications, 100 different applications. Yeah, there's a lot of challenges to this, a lot of different ways to solve it. There's no right answer, which again fascinates me. That's where sort of my curiosity knows no bounds. How can we solve this problem? How can we make it better for companies, for better for users. We're not all IT professionals here. Yes, that's right.
CAROLE THERIAULT. And we're gonna talk here, 'cause I'm really interested in the concept of multifactor authentication and the best strategies for companies. So how is it out there? Are companies, is this something that everyone has now? Are all companies just MFA'd up to the eyebrows?
CHRIS MARTIN. You would like to think so, 'cause then it's been around for, you know, a couple of decades now. Used to smart cards, biometrics have been around for a long time.
You would think companies have done this, but still, yeah, in my job I talk to customers and they haven't got MFA. So that I find quite surprising.
We all know the danger of passwords. I keep saying to customers, if you don't know about the danger of passwords, can I come and live on your island, please?
Where have you been for the last 20 years? And no one has yet.
So people must be aware. But also it's not just about that.
It's companies that have implemented MFA. You actually find they haven't rolled it out to all of their users, which is quite interesting because I think all users are susceptible.
CAROLE THERIAULT. Oh, that's interesting because I was going to ask you that. I was going to ask if you can apply this to the 80/20 rule, you know, that often people use, like it's good enough, you know.
Is that something that can exist in the MFA world or no?
CHRIS MARTIN. I think there's difference of opinions there. I believe the answer is no.
If you think there's a term called zero trust, which means trust no one, everyone is a threat, everyone should be protected. If you take, for example, Edward Snowden from many years ago, he basically stole credentials of people working in offices.
You know, for the CIA, I think it was. He did that using social engineering.
He literally asked people for their username and passwords. They gave it to him.
Now, not saying MFA would have stopped all of that, probably would have done, but it just shows how easily, you know, people can be susceptible when they are not protected.
CAROLE THERIAULT. Yeah, and it's true. I believe security is a bit like a chain, right?
You know, I know this is a very clichéd analogy, but you know, the weakest link is where it's going to break. And that's the issue, isn't it?
All they got to do is find that weak link if you don't cover all your bases.
CHRIS MARTIN. It's exactly that. Yeah, it's a weak link.
Now, the interesting thing is last year I did a survey with another company and we approached around about 100 companies throughout the world, different sizes, different types of organizations. And we said, how many of your users are covered by MFA?
Okay, very, very interesting. The stat was actually just a fraction over 50%.
Really? So that means it's 48% of an organization's users aren't covered, are the weak links.
CAROLE THERIAULT. And why is that? How is that?
Is that because it's too much work or is it because of lack of visibility?
CHRIS MARTIN. I don't think it's lack of visibility or too much work. It's, you know, MFA technically is a very simple product. It's because companies basically rolled it out to a set of users, a set of use cases, particularly with COVID in the last two or three years. I hate talking about COVID; it's a dreadful subject, but companies where everyone started to work from home went, oh, I must protect VPN access to my networks because people are home now. So they gave people who work from home MFA to protect the VPN.
Okay, of course, not everyone works from home, right? Or in offices, people work in manufacturing departments. So where they rolled this out, they were very simple-minded in their approach. They didn't think about all of their different type of users. And if you look at a lot of MFA solutions now, they rely on mobile phone authentication, right? We're all used to that.
An SMS text message or a phone call or push notification is so commonplace now. But what about those people who don't have access to a mobile phone? Yeah, yeah, exactly, for whatever reason. Yeah, if you take healthcare practitioners with sensitive equipment, they can't use a mobile phone. So how do you protect those?
And that's where companies slightly fall down. It's those, I like to say, fringe use cases. They're not, they're half of a company where they don't protect.
CAROLE THERIAULT. Yeah, and especially if you think the example you just gave, healthcare, that's a pretty big sector that you don't want to ignore, right? Exactly.
CHRIS MARTIN. And say that they're just, every company you talk to, there's so many different examples of where people are not covered because they're not normal.
CAROLE THERIAULT. Yeah, their use cases just are slightly left of center. And I'm sure that's true for 99% of companies really, right? Because there's always something slightly different with every different environment there is.
CHRIS MARTIN. Yes, yes, and that's again, it's a challenge of it. It's not a technical challenge, and that's sort of a key point I try to make to a lot of customers. It's not a technical challenge. SecurEnvoy, we provide 15 different factors, but people only think they need one.
No, no, no, no, no. Why don't you have text messaging for certain people? And why don't you have biometrics for another? And why don't you have physical tokens for another set?
It's got to be mix and match. There's no right way of doing it.
CAROLE THERIAULT. So, hey, you must be the perfect person for me to ask this. Imagine if I were the IT guy or girl in a company responsible for sorting out MFA and multifactor use within the environment - where would I even start?
CHRIS MARTIN. It doesn't matter if this is the first time you're doing MFA or you have something already. First stage is really to identify your gaps.
If you're doing this at the start, it's everyone, right? But if you have a solution already, you need to look at how people are accessing computers, how they're accessing applications, the data they are working with, and you build up a picture of these people.
And it's what's called authentication journeys. You look how they do it, where they do it, when they do it.
And you put all this together and you work out what you need for those people. And really, we call this identification.
It is just a manual exercise. You don't need any technology for this.
What you really need is an annoying person who's going to go and ask everyone a lot of questions. I think I'm grateful that I've worked with a lot of annoying people over the years who've taught me all this stuff to go and ask these questions.
So where are these users? What computers are they using?
Just continuously ask these questions. And once you have that picture, really then the second stage is you work out what is the best factor for these people, the best security you need.
And that's really just simply a matter of protecting those and protecting your infrastructure. And the final stage, which is often ignored, which again I find so strange, is that IT is a living, breathing organism.
Things change, so your security may need to change, your users will change. So that sort of continuous monitoring, that continuous controlling of how people operate, and it's really just accepting that.
So it's all the feedback loop.
CAROLE THERIAULT. And that's what SecurEnvoy helps enterprises do, isn't it?
CHRIS MARTIN. Exactly that. Yes, we do it all the time.
We say the technology is so simple, but it's the processes around that sort of technology, understanding the subject and the problems, for what is such a simple problem of protecting users, or trying to remove and protect passwords. I've just described the problem in 10 seconds there, but the solution can take a little bit longer to understand. Technically, though, it's very simple.
CAROLE THERIAULT. There you heard it, listeners. Chris, is there anything that you'd like to add before we close?
CHRIS MARTIN. No, it's been great talking with you.
CAROLE THERIAULT. This was Chris Martin at SecurEnvoy. He is the head of solution architecture.
And you can learn all about SecurEnvoy and its services by visiting smashingsecurity.com/secureenvoy. That's smashingsecurity.com/secureenvoy.
Chris, thanks so much for coming on the show.
CHRIS MARTIN. Thank you for having me.
GRAHAM CLULEY. Fascinating stuff. Mark, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
MARK STOCKLEY. Well, you can still find me on Twitter @MarkStockley. But I might not pay any attention to you.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. We've also got a Mastodon account.
Quickest way to find us is go to smashingsecurity.com/mastodon. And to ensure you never miss another episode, don't forget to follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Overcast, and Spotify.
CAROLE THERIAULT. And huge shout out to this episode's sponsors, SecurEnvoy, NordLayer, Graham Cluley, and Bitwarden. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 307 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
-- TRANSCRIPT ENDS --