Scammers get pwned by a Canadian granny! Don't be seduced in a bar by an iPhone thief! And will the US Marshals be able to track down the villains who stole their data?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
Plus don’t miss our featured interview with Jason Meller of Kolide.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- They thought they could scam this Windsor grandmother of nearly $10K. She turned the tables on them - CBC.
- Canada grandma helps stop fraud scheme targeting senior citizens - BBC News.
- A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - Wall Street Journal.
- Ransomware attack on US Marshals Service affects ‘law enforcement sensitive information’ - CNN.
- Hackers steal sensitive law enforcement data in a breach of the U.S. Marshals Service - NPR.
- 9 millionaires and billionaires with the most bizarre spending habits - Business Insider.
- Phishing still the leading way attackers breach security controls: IBM - IT World Canada.
- New White House cyber strategy picks a fight with ransomware - AXIOS.
- Happy Valley - BBC.
- My 80s TV.
- Everything Everywhere All at Once - IMDB.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn't secure it can't access your cloud apps. It's Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Imagine the effect of tears on a grandparent. Their heartstrings being plucked.
CAROLE THERIAULT. You don't know my grandmother. I tell you what, she would kneecap that person with her umbrella. She'd be like, I'll get out of here.
UNKNOWN. It's true, the Terriers are a dangerous lot. Smashing Security, episode 312: Super Grannies, Bar Trolls, and US Marshals. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 312. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week on the show, Carole, who are we joined by?
CAROLE THERIAULT. By the lovely Anna Brading.
ANNA BRADING. Hi, I'm back. Thank you for having me.
GRAHAM CLULEY. Finally.
ANNA BRADING. I know.
CAROLE THERIAULT. We used to all work together, listeners, the three of us at one time, and it's kind of nice to be all together.
GRAHAM CLULEY. We all used to not work together as well, as I remember. There were quite a few times where—
ANNA BRADING. No, there was no messing about, Graham.
CAROLE THERIAULT. Well, you can speak for yourself. I work very, very hard.
ANNA BRADING. Exactly.
CAROLE THERIAULT. Anna, what's new? It's been a while.
ANNA BRADING. I know, I know. Well, what have I been doing? I'm still doing what I was doing before, so I'm sort of helping cybersecurity companies with their content. And actually, thank you for asking, Carole. I have a tiny space for another client, so can I use this as a little promo?
CAROLE THERIAULT. Sure, sure.
GRAHAM CLULEY. If I need the invoice, we'll add the ads music underneath you talking. How about that?
ANNA BRADING. If you could, well, just get me on LinkedIn or Twitter if you need help with your content or your social media. Thanks.
CAROLE THERIAULT. Okay, how about we get this show on the road? Before we kick off, let's thank this week's sponsors: Bitwarden, Kolide, and Drata. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY. All the older ladies, all the older ladies, all the older ladies. I'm going to be celebrating the older ladies.
CAROLE THERIAULT. Okay. Anna, what about you?
ANNA BRADING. I'm talking about an iPhone theft that ends up with you losing more than your device.
CAROLE THERIAULT. And aren't we going to be talking about ransomware everywhere? What are we going to do? Plus, we have an interview with Kolide's CEO, Jason Meller, where he unveils some exciting news around end-user remediation. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, I don't think it will come as a surprise to either of you that I am well known for my love of the ladies.
ANNA BRADING. Yes.
GRAHAM CLULEY. It's true, isn't it? It's true. I do. I especially like older ladies. Diana Rigg, Ingrid Bergman.
CAROLE THERIAULT. She's dead.
GRAHAM CLULEY. Yes.
ANNA BRADING. Okay, well, she's dead.
CAROLE THERIAULT. So you like dead ladies?
GRAHAM CLULEY. The older, the better.
ANNA BRADING. This got weird.
CAROLE THERIAULT. This got very weird. I'll get out of this room.
GRAHAM CLULEY. If I'm an archaeological diggy, all the better. No, it's true. If I'm at a social thing and I feel a bit awkward and I don't know anyone, I gravitate towards the more ripe ladies for conversation and chit-chat.
CAROLE THERIAULT. Ripe? Yes, yes, the older ones. The ones who've been, you know, the ones who've been around for a bit, because I feel more comfortable with them. I don't want some young lady chatting to her, because I won't know—
ANNA BRADING. Is that why you don't speak to me, Graham?
CAROLE THERIAULT. When you say ripe, do you mean stinky?
ANNA BRADING. You mean slightly squishy?
GRAHAM CLULEY. No, just—
CAROLE THERIAULT. Because I say that about, you know, if I'm near somebody and they're a little bit honky, I might go to Anne and go, bit ripe over there, aren't they?
GRAHAM CLULEY. I just like the more elderly lady, the more experienced lady, because— not because I'm gonna romance scam them or anything like that, not because I'm interested in the inheritance, because I feel more comfortable. I feel there's less testosterone swishing around. There's less, you know— and they've got good stories, right?
ANNA BRADING. They could have some fun things to tell me.
GRAHAM CLULEY. Isn't there more?
ANNA BRADING. Hold on, isn't there more with an older lady?
CAROLE THERIAULT. Yeah, and whose testosterone are we talking about? Basically you're saying you're not turned on by them, so it's much better for you, you can hold a conversation.
ANNA BRADING. You're just ridiculous. I mean, when I was in my 20s and we worked together, your testosterone was just flying about.
GRAHAM CLULEY. I would say—
ANNA BRADING. Hard to avoid it.
GRAHAM CLULEY. I would say the older lady, she's salt of the earth. But if you're ever in trouble, you can always try to find an older lady to help you out. That's some piece of advice that I was given as a child. If you get lost, go and find an older lady. Who'll look after you. Go and find a mum or maybe a granny as well.
ANNA BRADING. Actually, that is the advice I give. I give my son that.
CAROLE THERIAULT. Yeah, yeah. Don't go to the security guard. Go to an older lady. Go to a lady. Yeah. The older bit didn't ever feature in my mind.
GRAHAM CLULEY. That's a good point. I still live by this.
ANNA BRADING. So if you're lost, you will go and find an older lady?
GRAHAM CLULEY. Absolutely. I definitely will. Okay. Which I suppose as I get older, it's going to become more and more difficult. And I may have to ask for ID.
CAROLE THERIAULT. Don't worry, just call up Diana Rigg.
GRAHAM CLULEY. Anyway, so imagine, for instance, imagine you are out with your mate Dave, right? You're in his car, you're driving around in the evening, and you have a car accident. Crash, bang, wallop, right? Imagine, oh crumbs. So there I am, I've had a car accident. The cops come along and the cops say, "Yeah, okay, get out of vehicle," they say. And you step out of the vehicle and they find some suspicious substances. Not easy to say with your teeth in. In the glove compartment. Okay? And you get arrested because there are pills or some sort of narcotic possibly in there. You get arrested, you get put in a little cell for a while, and you need bond money to get out.
JASON MELLER. Right?
GRAHAM CLULEY. In order to—
CAROLE THERIAULT. So you're in jail. You're in jail and you need money. You're in jail.
GRAHAM CLULEY. You're in jail.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. You're in a sticky pickle. And as we know, when you find yourself in a sticky pickle, Carole and Anna, yep, a respectful nod. You're right.
CAROLE THERIAULT. Respectful nod.
GRAHAM CLULEY. What do you do? What do you do? What do you do if you're stuck in a sticky pickle?
CAROLE THERIAULT. Well, you listen to a podcast, first of all.
GRAHAM CLULEY. They could have taken your earphones off you in case you try and hang yourself from the ceiling. They probably haven't let you do that.
CAROLE THERIAULT. You just go, "I have a phone call. Lawyer." Yeah.
GRAHAM CLULEY. Right? You could ring a lawyer.
ANNA BRADING. Do I call an old lady?
GRAHAM CLULEY. I would call up Grandma. That's what I would do. I would ring up my Grandma. You definitely do not—
CAROLE THERIAULT. Is she still with us?
JASON MELLER. Well—
ANNA BRADING. I don't think I could call mine.
GRAHAM CLULEY. No, okay, my grandma isn't still with me, but I'd ring up someone else's grandma, maybe. What you don't do is you don't ring up your parents, because they're your parents.
They're going to be furious with you. What are you doing out with Dave? You know Dave's a big drug head. Why are you doing that? You know what his car's like and his driving's like. You know if he's been sniffing something or if he's been drinking stuff. So, because you don't want earache, you don't call up your parents, you ring up your granny.
And that is what happened to 74-year-old Bonnie Bednarik. She got a phone call out of the blue.
She's a granny. And the person on the line said, "Oh, Granny, I'm in jail.
There's been a crash. Dave's car, pills in the glove compartment.
I need some cash." Did she go, "Who's this?" She did.
She said, "Who's this?" Oh. And he said— and he got really upset.
He said, "Granny! Granny, how can you not recognise me? How can you not recognise my voice?" And so, Bonnie Bednarik, she said, "Oh, is that Steve? Is that little Steve?" And he said, "Yes, yes, it's Steve here, and I'm in jail. I need you to get me out $9,300 Canadian. Can you get me $9,300 Canadian?" "What'd you do there, Steve?" "Well, what I did was I was just innocently in the car. Dave had a crash. He had some pills in the glove compartment.
I haven't done anything wrong. I just need to get out.
I just need you to pay the bond so I can get out."
CAROLE THERIAULT. You know what, I'll come. Let me come to you.
Let me come to you. You need a hug from Granny.
GRAHAM CLULEY. No, no, no, Granny, Granny, you stay there. You stay there, Granny.
I'll send my mates round. I'll send my mates round and they'll go and pick up the money and they'll bring it to me.
All right?
ANNA BRADING. Fuck off. Just fuck off.
GRAHAM CLULEY. Now this, this was the third time in the last year that Bonnie had received such a call from one of her grandchildren having a crash in Dave's car. So, the first couple—
CAROLE THERIAULT. How does Carole not recognise her grandkid's voice, first of all? Does she even have grandkids?
GRAHAM CLULEY. Well, this is the thing, Carole.
CAROLE THERIAULT. What?
GRAHAM CLULEY. She did. The first two calls she received over the course of the year, she hung up.
But this time she was feeling mad that they'd rung her again. She thought, I can tell that this is a fishy activity.
And that's why—
CAROLE THERIAULT. Okay, she's on to them.
GRAHAM CLULEY. She's on to them. So, when the person on the other end of the line acted all upset that she didn't recognise her voice, she said, and was saying, "Oh, come on, it's your grandson." She said a name that wasn't her grandson's.
Oh. And so the guy pretending to be the grandson said, "Yeah, yeah, Stevie here.
Stevie here." And so what she said then was, "Look, okay, look, what, $9,300? I'm gonna have to call up the bank," she said.
"I'll call you back in 15 minutes," says Bonnie. So Bonnie picks up her phone.
She hangs up on her so-called grandchild. And instead of ringing the bank, she calls the police.
And the police— this is in Canada, by the way.
JASON MELLER. Oh.
GRAHAM CLULEY. Yes, now I thought— now you're—
ANNA BRADING. Piqued your interest?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. It's a big country. Where, where, where?
GRAHAM CLULEY. Now you're interested. So the fraud unit at the police got mobilised instantly.
So they've constantly got a fraud department waiting. They're on a trigger.
They're just waiting for the bat signal to go off. They will race out.
CAROLE THERIAULT. And go where?
GRAHAM CLULEY. To set up surveillance near Bonnie Bednarik's home.
ANNA BRADING. Oh, really?
CAROLE THERIAULT. Because the people are coming over to pick it up in person?
GRAHAM CLULEY. Because Stevie, in the jail, he can't come round to pick it up, can he? Because he's, quote, "in jail." They're not going to let him out. Yeah, sure, you go out and go and get some money.
So he's using this ruse of, I'll send a couple of my mates round to do this instead.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So the cops, they set everything up.
CAROLE THERIAULT. And they're dressed in plain clothes, right? So they've got fake moustaches.
GRAHAM CLULEY. Imagine how a normal Canadian looks, right?
CAROLE THERIAULT. Yep, plaid shirt.
GRAHAM CLULEY. Exactly.
ANNA BRADING. Moustache.
GRAHAM CLULEY. Snowshoes.
CAROLE THERIAULT. Canadians are extremely fashionable and practical.
ANNA BRADING. Yes.
CAROLE THERIAULT. And I'll have nothing said about it.
GRAHAM CLULEY. Plaid shirts are— I am wearing one right now. I look like Bryan Adams myself.
CAROLE THERIAULT. Canadians, remove them now. Something changed. No longer on trend.
GRAHAM CLULEY. So she kept him on the line, but then she needed to— She needed to keep him going for a little bit longer. Then she said, "Oh, I have to ring my husband because I don't have the car in order to go out and get the cash from the bank."
Because the cops said, "Waste his time." Exactly, waste his time, because we're going to be putting our shirts on and getting all comfy and buying the doughnuts, you know, for the stakeout. But sure enough, after a while, these two goons showed up at Bonnie Bednarik's house.
CAROLE THERIAULT. Asking for the $9,300 Canadian dollars. And the fraud cops swooped.
GRAHAM CLULEY. They collared them. And as a consequence, two men have been arrested. Apparently the police say they've picked up a fairly large quantity of money.
I don't know what that means. A fairly large— A few envelopes worth.
CAROLE THERIAULT. From our girl? From our granny?
GRAHAM CLULEY. No, no, not from the granny. The granny never got the money, Carole.
ANNA BRADING. From the goons.
GRAHAM CLULEY. It was from the goons. Because they've been doing this on lots of grannies.
CAROLE THERIAULT. Oh. And keeping the money in their wallets.
GRAHAM CLULEY. Well, you know, or they went to their house. They went— I don't know.
I don't know the exact details.
CAROLE THERIAULT. No demand research today.
GRAHAM CLULEY. Well, no, I've tried quite hard.
ANNA BRADING. It does seem like you have.
GRAHAM CLULEY. And I haven't found out where the money was held in an envelope. I don't know exactly where the envelope was.
But they captured these two chaps. This is in Windsor, by the way. Windsor, which is— is that Ontario, Carole?
CAROLE THERIAULT. Yep, Windsor, Ontario. I went to university very close to there.
GRAHAM CLULEY. There you go. So, and they actually rolled out Bonnie Bednarik, the 74-year-old granny, at the press conference where she gave a warning to—
ANNA BRADING. Does she—
CAROLE THERIAULT. Rolled her out?
ANNA BRADING. Literally?
GRAHAM CLULEY. What's wrong? No, not on a gurney.
ANNA BRADING. What?
GRAHAM CLULEY. No, no, no.
ANNA BRADING. I meant in a wheelchair, carry on.
GRAHAM CLULEY. No, no, I mean— No, well, they brought her out in front of the microphone.
CAROLE THERIAULT. They invited her on stage.
GRAHAM CLULEY. She strode out like a conquering hero.
ANNA BRADING. Yes, that's what we like.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. And she advised all of the senior Canadians that they need to be vigilant. And if you get a call like this, never ever release your grandson or granddaughter's name.
Make them say what it is. And maybe perhaps have a better relationship with your grandchild that you actually recognise their voice.
CAROLE THERIAULT. That could also be a good tip. Perhaps.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And call your family, call the police. But don't, you know, don't obviously have people coming round and picking up tens of thousands of Canadian dollars.
CAROLE THERIAULT. I can't imagine many older people would be like, oh yes, send round some guys I've never met. Well, because I live on my own and that feels great.
GRAHAM CLULEY. The boy was crying, Carole. Imagine the effect of tears on a grandparent.
ANNA BRADING. Well, that is true.
GRAHAM CLULEY. Their heartstrings being plucked.
CAROLE THERIAULT. You don't know my grandmother. I tell you what, she would kneecap that person with her umbrella. She'd be like, "Get out of here." It's true.
GRAHAM CLULEY. The Terriers are a dangerous lot. Anyway, I think so often you will hear people saying, "Oh, the elderly are getting scammed all the time." Well, sometimes the elderly are much, much smarter and much more on their toes. So good for Bonnie. I think—
CAROLE THERIAULT. And good for you, Graham Cluley.
GRAHAM CLULEY. Well, thank you very much. If I am ever in Windsor, Ontario, I may look up Bonnie Bednarik and perhaps want to hang out with her.
CAROLE THERIAULT. No, I just meant you're getting older.
GRAHAM CLULEY. Well, yeah, well, thank you.
ANNA BRADING. It's not long now.
GRAHAM CLULEY. Maybe not.
CAROLE THERIAULT. One day too, you will be bright on these things. Oh, fantastic.
GRAHAM CLULEY. Anna, what have you got for us this week?
ANNA BRADING. Okay, so Graham, I need you to do a bit of roleplay with me for this one.
GRAHAM CLULEY. Okay, fine.
ANNA BRADING. Okay, so can we just set the scene? So you're in a bar with your friend Carole.
GRAHAM CLULEY. Unlikely. Yeah, carry on.
CAROLE THERIAULT. Different tables.
GRAHAM CLULEY. Yeah.
ANNA BRADING. Well, whatever works. And you're dancing, and a sexy lady comes up to you, okay?
GRAHAM CLULEY. Oh my God. Sexy older lady.
ANNA BRADING. Whatever, yeah, fine.
CAROLE THERIAULT. Diana Rigg. Diana Rigg. Diana Rigg, A Weekend at Bernie's.
GRAHAM CLULEY. Oh, lovely.
ANNA BRADING. Someone wheels out Diana Rigg. Okay, so I'm gonna be this sexy lady, okay? So, I'm sorry about this. Hey, I noticed you across the bar. Do you come here often?
GRAHAM CLULEY. Only in the mating season.
ANNA BRADING. Gosh.
CAROLE THERIAULT. If you didn't get a drink in your face at that point.
ANNA BRADING. This is— I think I would've given up. If I was this woman. But anyway, oh, look at my phone case! Look how cracked it is. I'm so, I'm so clumsy. Actually, I need a new one. Oh hey, I bet you've got a cool case. Can I have a look? Show me your phone. What's your case?
GRAHAM CLULEY. With pleasure, with pleasure. Let me bring out my iPhone. Oh, we have the same size iPhone. That's very handy.
ANNA BRADING. Oh yes, and look at the case! That's so cool.
CAROLE THERIAULT. Does it have diamante on it? It's a little blingy.
GRAHAM CLULEY. Has a magnetic catch on it. Do you that?
ANNA BRADING. Oh yes, I that you've got a little holder so that you can take a photo. Actually, is that your friend over there? Do you want me to take a photo of you? Yeah, come on, give me your phone. Oh yeah, take a photo of you.
GRAHAM CLULEY. Oh yeah, me and Carole. Yeah, why not? Yeah, we could use that on the website. Great, thanks.
ANNA BRADING. Not too close.
CAROLE THERIAULT. Okay, not too close.
ANNA BRADING. Ready? Oh, it's great. I love it. I love it. Oh, sorry, I turned your phone off. How did I manage that? I'm sorry, I said I was clumsy. Sorry about that. And cut.
GRAHAM CLULEY. Cut? What? What's happened? Can I have my phone back? Can I have my phone back?
ANNA BRADING. You can have your phone back.
GRAHAM CLULEY. Oh, okay.
ANNA BRADING. So you've had a great night, you've got your phone back, you've danced with your new sexy lady friend, and then you part ways because, you know, you don't put out on the first date. And as you're leaving the club, you step out the door and your phone is swiped from your hand. What?
GRAHAM CLULEY. Oh.
ANNA BRADING. I know. However, disaster doesn't end there, Graham. It's not just your phone that's been stolen. Within seconds, your phone is gone, and the thief has changed your Apple ID. They've taken money from you. They've stolen your contacts and your photos. Your whole digital life is gone. How?
CAROLE THERIAULT. That's very quick of them.
GRAHAM CLULEY. How have they done this so rapidly?
ANNA BRADING. Well, Graham, thank you for asking. When your lady friend accidentally turned your phone off, you, when you turned it back on, even if you've got Face ID or Touch ID enabled, you have to put your passcode back in. Yeah, she was sneaky. She watched you put your passcode in.
CAROLE THERIAULT. So was she nuzzling his neck or something?
ANNA BRADING. She was watching from afar, girl. But, you know, she could have eagle eyes.
GRAHAM CLULEY. Okay, so 1, 2, 3, 4, 5, 6. She saw me enter that, or whatever my code is, right?
ANNA BRADING. Yeah. Shh, don't tell everyone. And, oh, better change it. So all that someone needs in order to change your Apple ID on your phone is your passcode. So when the thief steals your phone, they can use your passcode to get into it, and then they immediately change your password, which is associated with your Apple ID, and then that gives them continuous access to your account because they can force a sign out for everywhere that you're logged in and also disable Find My iPhone. So they've got your entire phone, the contents of your phone, and everything in the cloud.
So they can run charges to your Apple account, they can take anything that's in the cloud, they can change the Face ID and Touch ID, obviously. And if you've stored passwords on your device, then the thief can access other accounts as well. So if your social media account is on there, they can get that too. If you're using Apple Touch or whatever, your fingerprint or biometrics, you can't because when your phone turns off, when you turn it back on, you have to reenter the passcode.
GRAHAM CLULEY. You do. Yeah, that's right.
ANNA BRADING. So they will have seen Graham putting his passcode in.
GRAHAM CLULEY. So, wouldn't it be good if Apple phones, when you switch them off and then switch them on again, rather than just asking for the passcode, if it actually said, "Okay, you've got the passcode right. Now give me your fingerprint."
CAROLE THERIAULT. No, because people like me don't want to give our fingerprints to the phone. And that would be very stupid.
GRAHAM CLULEY. That's your choice, Carole, but I'm just saying, shouldn't— for those people who've—
CAROLE THERIAULT. That could be an option.
GRAHAM CLULEY. For those people who've set up Touch ID or Face ID, why doesn't it ask you then to do that? Just in case someone has shoulder surfed you for your passcode on your phone.
ANNA BRADING. Yeah. Yeah, because Apple say it's rare that this is happening because it requires both the phone and the passcode. But police are saying it's much more common.
GRAHAM CLULEY. How do Apple know it's rare? What a load of old nonsense. How?
ANNA BRADING. I just think.
GRAHAM CLULEY. Well, yeah, who's going to report it to Apple? Who's going to report that I had a woman nuzzling my neck while I entered my passcode? She seemed to like the cut of my cheek.
CAROLE THERIAULT. I find it— I mean, I don't know, maybe I just don't like people very much. I can't imagine it really happening in a bar, that type of thing. But I can totally see it happening on public transport or planes or that kind of thing, or metro, subways, all that.
ANNA BRADING. Yeah, because when you're at an ATM or you're paying for something in the shop, everybody knows you cover your PIN, but you don't on your phone in the same way. Because it's rare for you to put your— have to put it— well, for me, I use Face ID.
Rare for me to have to put my passcode in. And if I was doing it, especially if I had a drink, I'd probably just stick it in quickly.
CAROLE THERIAULT. So do you know, my neighbors are— sorry, I'm digressing, but my neighbors are identical twins and they can open up each other's Face ID.
ANNA BRADING. Can they?
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. Have you identified which one of them is the evil one?
CAROLE THERIAULT. I can actually tell them apart and they're both actually lovely, but I can tell them apart. But maybe that's because I have twin brothers.
I don't know. But I don't find it hard. Weird. Anyway, there you go.
ANNA BRADING. Yeah, so all is that—
CAROLE THERIAULT. I digress.
ANNA BRADING. That's okay, that's fine. So just be careful when you're on a night out, because if you've got to put your passcode into your phone, then cover it.
Yes. And don't fall for the sexy ladies, Graham, even if they are over 80.
CAROLE THERIAULT. Dead.
GRAHAM CLULEY. Yeah. So aside from the theft, there's still nothing going on with the lady, is that right? That's not going to go anywhere.
ANNA BRADING. I'm sorry, that was the ruse.
GRAHAM CLULEY. Because now I'm imagining it's a sexy cat burglar lady, a sexy thief, sort of.
CAROLE THERIAULT. Are you available or something? You're talking a lot about, you know.
GRAHAM CLULEY. Carole, what have you got for us?
CAROLE THERIAULT. Well, pop quiz to start. Do you know what the oldest federal law enforcement agency might be? In the US?
GRAHAM CLULEY. Boston, Massachusetts?
CAROLE THERIAULT. No, more federal. Federal.
GRAHAM CLULEY. Oh, sorry. Oh, federal agency.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. The CIA? The FBI?
CAROLE THERIAULT. No, it's the US Marshals Service.
ANNA BRADING. No.
GRAHAM CLULEY. Of course it's the US Marshals Service.
ANNA BRADING. Right?
CAROLE THERIAULT. Because I remember I watched cowboy movies where they'd be "I'm the US Marshal."
JASON MELLER. Oh, yes.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Can you name some of the responsibilities of a US Marshal?
GRAHAM CLULEY. They marshal crowds if there is a lot of marshalling required.
ANNA BRADING. Yeah, they do marshalling.
GRAHAM CLULEY. Do they pick up wrong 'uns on the street if there's someone doing something? I don't know. I'm not American.
CAROLE THERIAULT. Well, Anna, maybe, you know.
ANNA BRADING. Do they patrol the streets late at night? I'm really shocked, guys. I have no idea what they do.
CAROLE THERIAULT. So they nab federal fugitives. So if someone crosses state lines, for instance, right?
The state cops don't have control over that. And so, and they may not know what state. So they may then get the US Marshals Service involved to help them track down these fugitives.
GRAHAM CLULEY. That's why they have federal people who can sort of follow you across state, but you're not supposed to. I think cops aren't meant to follow you.
Is that? Oh, I don't. Can we have someone American on this show? Who understands these things.
CAROLE THERIAULT. I'm just asking you. I know the answers, so don't worry about it.
GRAHAM CLULEY. Oh, okay, okay. You go ahead. You go ahead.
ANNA BRADING. Carole's American.
CAROLE THERIAULT. Yeah, I'm American. They also manage and sell seized assets acquired by criminals through illegal activities.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. So can you imagine the scene? You finally got some super duper rich dude who's gone across several states and he's finally arrested by the US Marshal.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And it's their job to manage the seizure and sale of all his assets. Exotic pets, superyachts, and tickets to outer space in some cases.
GRAHAM CLULEY. What? Has this actually happened? Have tickets to outer space been seized?
CAROLE THERIAULT. See, the same thing happened to me when I read that. So I went into this crazy wormhole of what millionaires spend money on. Let me put a link in the show notes for you. Let's take a little break here from the serious stuff, shall we? Here you go. It's in my little section. Check that out. Just do a little quick search of that page and see if there's anything that blows your mind.
GRAHAM CLULEY. So Lady Gaga has spent $50,000 on an electromagnetic field meter to detect ghosts. Nicolas Cage, he's spent $150,000 on a pet octopus.
CAROLE THERIAULT. It's just ridiculous, right?
ANNA BRADING. Mike Tyson's got 3 tigers. $70,000 each.
CAROLE THERIAULT. And they must eat a lot of food, right? You really gotta— Anywho, back to the Marshals, back to the Marshals. So the reason we're talking about it is because the U.S. Marshals have recently suffered a security breach where the attackers stole sensitive information, and it's being described as a major incident. Now, what was very concerning for a lot of people is the U.S. Marshals also run the witness protection programs.
GRAHAM CLULEY. Oh dear. Mm-hmm.
CAROLE THERIAULT. They believe this to be a ransomware attack on the U.S. Marshals Service that affected a computer containing law enforcement sensitive information, including personal information belonging to targets of investigations. So the service learned about the attack on February 17th, and that's when it discovered what it has described as a ransomware attack in which the hackers were actively exfiltrating sensitive files.
ANNA BRADING. There's data on suspects.
CAROLE THERIAULT. Yes, but the Witness Security Program apparently has not been compromised.
ANNA BRADING. Gosh.
CAROLE THERIAULT. They claim the system was not connected to the broader network and was quickly shut down when the breach was discovered.
ANNA BRADING. Right.
CAROLE THERIAULT. But can you imagine that information getting in the wrong hands? Witness protection, that would be just horrific.
ANNA BRADING. Oh my God, yeah.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. But we know that the US Marshals Service is not the only organization to be affected by ransomware, right? There's been a whole slew of ransomware attacks.
ANNA BRADING. Almost everywhere. Yes!
CAROLE THERIAULT. Even this week we had a Minnesota school district, Washington Public Bus System. All of these guys reported ransomware attacks. And even the FBI and CISA issued a joint warning about the Royal ransomware attacks. They say that they've targeted numerous critical sectors. So it's no surprise then when I was checking out IBM's most recent report that ransomware remains the second most common action after getting network access. Right? So baddies get in and the first thing they're likely to do is get some ransomware action going on.
GRAHAM CLULEY. Well, it works, doesn't it? It works for the criminals. They make money.
ANNA BRADING. Yes.
CAROLE THERIAULT. And they're getting better at it. So they warn that attackers are continuing to innovate, showing that the average time to complete a ransomware attack dropped from 2 months, you know, so 60 days, down to less than 4 days. That's crazy.
GRAHAM CLULEY. What do you mean by complete? Do you mean complete as in they get their money?
CAROLE THERIAULT. Often it'll probably involve chatting up, getting the details, phishing someone for their account details, getting in, being able to load up your stuff so that you can then— apparently, they often put in vulnerabilities at this time before they start exfiltrating data, right?
GRAHAM CLULEY. Yeah. Because then they can come back again. Yeah.
CAROLE THERIAULT. Yeah.
ANNA BRADING. Yeah. 'Cause they also lock up your data and then they use the data as part of the ransomware. And then if you don't pay up, they'll then post it on forums. Yeah.
CAROLE THERIAULT. Now, with the US Marshals, it isn't clear whether or not they're going to pay the ransom or if they're being threatened about the data being put online.
GRAHAM CLULEY. Hang on, I've had a thought. If the US Marshals are impounding all of this criminal stuff like exotic pets and fast cars and large amounts of bitcoin, couldn't they use some of that to pay the ransom with?
CAROLE THERIAULT. I think it's quite unethical.
GRAHAM CLULEY. Could they say to the criminals, "We'll give you a leopard."
ANNA BRADING. Isn't it in some cases it's illegal anyway, I think, to pay? I think they can't— I don't think they can pay that ransom, can they?
CAROLE THERIAULT. Yeah, I don't think a federal authority will be allowed to even pay. But interesting. Maybe that's what they're wanting to know. "Where's my tiger?"
ANNA BRADING. Right. Don't want to lose that.
CAROLE THERIAULT. So I'm reading all this and I'm thinking, isn't it time for the powers to roll up their sleeves and get some real muscle? You know, put some real muscle into the ransomware problem. You know, because otherwise the situation is looking pretty bleak, right? We're seeing more and more of it.
But maybe the time has finally come, guys. Maybe we're there, because last week the US released its new National Cybersecurity Strategy. And there's one interesting tidbit that I thought I would share here, which is ransomware is now officially declared a national security threat.
And it says it'll be unlocking military intelligence-level cyber tools. Okay, see, these are things that are typically used for state-backed attacks, you know, stuff that we might say Chinese spies or Russian code, and they're gonna be using against the ransomware gangs.
GRAHAM CLULEY. Sounds like things are heating up.
ANNA BRADING. Interesting.
CAROLE THERIAULT. Yeah, don't mess with the US Marshals, right?
ANNA BRADING. So they're just getting heavier on them.
CAROLE THERIAULT. Yeah, it's like they had these tools all the time. They're like, "Oh, okay, fine, we'll dust them off and put them into action here." Yeah, is it going to stop them though?
ANNA BRADING. I feel like they're always a step ahead.
CAROLE THERIAULT. The problem though, of course, is that we're trying to find out, well, what kind of stuff? Well, tell us about these tools. Tell us about this cyber offensive.
And they're like, oh, well, some of these operations are classified. So it's all very vague at the moment on that front. But I'm thinking if all goes as planned, we should expect to hear about many more ransomware takedowns and arrests, right? As this intelligence community gets more involved in the fight.
And hey, that's good for us because we get to report some good news on this show for a change, right? That'd be nice.
ANNA BRADING. Yes.
JASON MELLER. Hooray.
GRAHAM CLULEY. Ah, they're doing it all for us.
ANNA BRADING. That would be nice. We thank you.
GRAHAM CLULEY. Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks, including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations, and 24-hour monitoring keep your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
GRAHAM CLULEY. How?
CAROLE THERIAULT. If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance.
Want to learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitwarden have been busy this month, adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password?
Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. Login with Device can be initiated on the Web Vault, browser extension, desktop app, and mobile app, and you can approve access on the mobile and desktop app versions of Bitwarden. Very, very cool.
And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more and try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back. You join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
ANNA BRADING. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, as I mentioned earlier on, I like older things. And what I don't like to do is—
ANNA BRADING. Oh no.
GRAHAM CLULEY. I don't like to—
ANNA BRADING. I'm afraid, Carole.
CAROLE THERIAULT. If only they liked him back is the problem, right?
GRAHAM CLULEY. I don't like to be—
ANNA BRADING. This is a niche website that I'd like to recommend.
GRAHAM CLULEY. I don't like to be too trendy.
ANNA BRADING. All right, Graham.
CAROLE THERIAULT. No danger.
GRAHAM CLULEY. I don't— when everyone's raving about the same thing, I think, oh, I don't really want to check that out because, you know—
ANNA BRADING. You're a subversive.
GRAHAM CLULEY. I am. So I'd like to wait a few years. So I waited. You know that TV series Line of Duty? Everyone was talking about Line of Duty for years and years.
CAROLE THERIAULT. As you did.
GRAHAM CLULEY. Well, no, I didn't for years and years because I didn't watch it for years and years. I got on board on the very final series. And then I started watching number one. I am cool. I'm cool.
ANNA BRADING. Is that cool?
CAROLE THERIAULT. No.
GRAHAM CLULEY. I'm a late adopter. And I have lately adopted, lately, a series called Happy Valley. Now, I've heard about Happy Valley in the past.
ANNA BRADING. Jesus Christ.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And Happy Valley, I thought it was going to be some sort of gentle kind of northern, lovely bit of drama. Why?
CAROLE THERIAULT. Because there's a nice older lady running it?
GRAHAM CLULEY. No, no, because it's called—
ANNA BRADING. That's why he likes it.
GRAHAM CLULEY. The title, Happy Valley makes you think it's going to be a bit like All Creatures Great and Small or something. And I thought, well, that's not going to appeal to me. I thought, that's not going to be— it's going to be like slipping into a warm bath. I thought, just, you know, very nice if you like that kind of thing, but, you know, not really my cup of tea. Anyway, people kept on talking about it and I thought, oh really, is it such a big deal? So I thought, well, I'll just check out episode 1 of the first series. So I turned on Happy Valley and it has this actress Sarah Lancashire used to be in—
CAROLE THERIAULT. She's glorious.
ANNA BRADING. Raquel.
GRAHAM CLULEY. She used to, yes. Coronation Street, I believe, right? Which is the top British soap, I think.
CAROLE THERIAULT. I'm gonna say EastEnders. Can you believe how bad?
ANNA BRADING. They're all the same.
GRAHAM CLULEY. She was in a Doc Two episode as well. So she's been in, and so I just thought, oh yeah, I can imagine this all being cosy. No, it's not cosy. It's not cosy at all. Oh my giddy aunt. And it starts off a little bit funny before the title sequence comes in, but then it gets really quite dark quite quickly, and I was like, oh my giddyup. Anyway, I've watched the first series, and it's a police procedural. There are wronguns. There are wronguns on the street, and they're doing naughty things, and the police are after them, headed up by an older lady who is a grandmother in the show, Sarah Lancashire. And that is why my pick of the week is Happy Valley, which I'm quite enjoying.
ANNA BRADING. It's so good.
CAROLE THERIAULT. Oh, I'll pretend to be Graham here. Anna, Carole, have you seen it?
ANNA BRADING. Graham, thanks for asking. Yes, I have.
CAROLE THERIAULT. Oh, that's interesting.
ANNA BRADING. It's very good. She is very good. He is very good. The sister, it's all brilliant.
CAROLE THERIAULT. The sister, the relationship between the sister and—
ANNA BRADING. Yes.
CAROLE THERIAULT. It's just, what are their names and the characters' names? I can't remember now.
GRAHAM CLULEY. Catherine and—
CAROLE THERIAULT. Catherine.
GRAHAM CLULEY. Yeah, and I can't remember what the other one begins with C probably. The dialogue is very— I watch it obviously with subtitles because I'm of that sort of age. And the dialogue is really quite witty, written by Sally Wainwright.
And there are bits— it's not for the kids, I'd say that. There's some rather dark stuff going on. I don't know what the next two series are going to be like, but the first series, it was quite dark.
ANNA BRADING. Yeah. Yeah, it's— I mean, obviously, you are ahead of the trend here, Graham, but the boy in it that— who's a tiny boy when you're watching the first series, it's the same boy, and he's in the last series, I think he's about 17 or something. So it's good to see the progression.
GRAHAM CLULEY. That's interesting because he was very good in the first series, and I've only seen the first episode of series 2, and they had a couple of scenes where he's notably not in shot. And they're sort of saying, "Stop kicking that ball against the wall," and you don't see him.
And I thought maybe the actor's got too old, or he's not available. So he is going to come back, is he? He was very good, I thought, in the first series. Right, that's interesting.
ANNA BRADING. Yeah, he's very good.
GRAHAM CLULEY. Okay. Anyway, Happy Valley. You'll find it on BBC iPlayer and, I don't know, other places, I suppose.
CAROLE THERIAULT. Welcome to 2020, Graham.
GRAHAM CLULEY. Thank you.
CAROLE THERIAULT. Thank you.
GRAHAM CLULEY. Anna, what have you got for us this week?
ANNA BRADING. Well, Carole, Graham, do you long for the simplicity of your childhood?
GRAHAM CLULEY. Yes, yes.
ANNA BRADING. Do you—
CAROLE THERIAULT. Some aspects, yes.
ANNA BRADING. Let's not go there. Maybe, do you look back fondly at the TV shows you used to watch after school? What were your favorite ones?
CAROLE THERIAULT. Jem, Truly, Truly, Truly Outrageous.
ANNA BRADING. Oh, that was a song. I remember that.
CAROLE THERIAULT. She was some doll, some singer, pop singing cartoon something.
GRAHAM CLULEY. It was ridiculous, absolutely ridiculous, but I loved I liked The Magic Roundabout, John Craven's Newsround. Rent a Ghost was quite good.
CAROLE THERIAULT. Scooby-Doo.
ANNA BRADING. Newsround was the most boring programme you could watch. And actually, my son started watching CBBC, and he— Newsround came on, he was "this is the most boring show ever." And I said, I know how you feel.
I felt that too. So, but you know, we all have different interests. I preferred the, you know, kid dramas. Anyway, you've got to have a look at my80stv.com.
GRAHAM CLULEY. Ah, that'd be why I've got a problem then, because I'd probably be after my70stv.
ANNA BRADING. Oh, sorry. I mean, I was looking at the my90s, but I meant my80s.
CAROLE THERIAULT. Sorry.
ANNA BRADING. I was unaware of the gap.
GRAHAM CLULEY. I the user interface on this website.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. It's an old-style television with knobs.
CAROLE THERIAULT. Yes. And it says, welcome back to the 1980s. Click on the power button to begin the journey. Okay.
ANNA BRADING. Bush.
CAROLE THERIAULT. Oh, cool.
ANNA BRADING. And so you can— it will shuffle through a load of old videos and you can toggle on which ones you want. So you can say you want comedy and you want cartoons, you can watch all of them. There's adverts, there's movies, and you can— it's not just '80s.
So if you go there, there's a— down the right-hand side you can see there's all the way from the '50s to the '90s, and it goes through all the TV from the decades. And what I about them is that the TV shape changes with each decade, which is a nice little touch.
GRAHAM CLULEY. Yes, I've gone back to the '70s because I saw that was an option. And it's glorious. I love this. This is great fun.
ANNA BRADING. It's so nice. And you can add picture noise to it. I think if you press N, so you can see it, you can fuzz it up or less fuzz it. It's great.
CAROLE THERIAULT. I love how every time I change the channel, it goes, kshh, kshh. Yeah, it's gorgeous. Really good pick of the week.
ANNA BRADING. Yes.
GRAHAM CLULEY. Ah, thank you.
ANNA BRADING. It's perfect for a Friday. Procrastination.
GRAHAM CLULEY. Very good, very good. My80stv.com. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, mine is also a visual thing, so it's a movie, one that is up for many awards right now, like 11 Oscar nominations. So it's been kind of called the film to beat this year, and it's called Everything Everywhere All at Once. Have you guys heard of it or seen it?
GRAHAM CLULEY. Ah, well, it's tipped for the Oscars, isn't it? I think I've seen the trailer. It does seem a bit bonkers.
CAROLE THERIAULT. Were you distracted there for a second?
ANNA BRADING. I think he was.
GRAHAM CLULEY. Oh, sorry. No, no, it's fine.
ANNA BRADING. It's fine.
GRAHAM CLULEY. Did you say it was?
CAROLE THERIAULT. We'll keep that in. We'll just show that.
GRAHAM CLULEY. I was still watching the TV thing. I was, right. Yes, I've seen the trailer, Carole. It's bonkers. It's surreal. It's mad. Michelle Yeoh.
JASON MELLER. Yeah.
CAROLE THERIAULT. And how would you describe it? It's sci-fi. It's a comedy. It's martial-arty. It's actiony. It's thriller-y. And there's also this whole surreal business happening around that.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And yeah, it's Michelle Yeoh. She's the star of— Graham?
GRAHAM CLULEY. Wasn't she in Hidden Tiger, Crouching Panda or something? One of those.
JASON MELLER. Yeah.
CAROLE THERIAULT. Crouching Tiger, Hidden Dragon.
GRAHAM CLULEY. That's the thing.
CAROLE THERIAULT. Smashing.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now, she plays Ling, who is the owner of a kind of rundown laundrette. But she discovers this ability to connect with parallel universes in order to fight evil.
GRAHAM CLULEY. Yeah, we've all been there.
JASON MELLER. Oh.
CAROLE THERIAULT. Yeah. And Ling does this by teaming up with her other parallel selves to combat a formidable threat, right? One that's kind of closer to her than she realizes. So we have these umpteen different lives that Ling is a part of, you know? When you go through all her different— in some she's glamorous, some are rather scary, some are humdrum, some are ridiculous. In one parallel world, we have Rackacoonie, okay? Instead of Ratatouille. And so I was a raccoon, you know?
GRAHAM CLULEY. Ratatouille Carole isn't made out of raccoon— rats, just so you know. No, I know! But Rackacoonie is. Rackacoonie is made out of raccoons, is it?
CAROLE THERIAULT. No, it's the same story, the same premise as Ratatouille, where a rat is helping you.
ANNA BRADING. Oh, the film, not the food.
GRAHAM CLULEY. Oh, I see.
CAROLE THERIAULT. The movie. I'm sorry. I assume— I didn't even think that. Yes.
GRAHAM CLULEY. So it's Davy Crockett with a raccoon on his head, and he's directing him as to how to cook in Rackacoonie.
CAROLE THERIAULT. Yes, but no. In another weird world, there's people with sausage fingers. It's just so crazy. Another one, we have googly eyes showing up randomly. It's kind of glorious, but it's nuts. As you say, Graham, if you— I haven't seen the trailer. I just watched it last night, but it's completely, utterly nuts.
ANNA BRADING. And so fast. It's a cheese dream.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And it's so crazy though. I had to keep pausing it every 5 minutes to kind of catch my brain, catch my breath and calm my brain. Catch my brain.
ANNA BRADING. Yeah.
GRAHAM CLULEY. "Come on!" Calm your breath.
CAROLE THERIAULT. It's like an assault though, on the viewer. It's really, it's like a big, long roller coaster, much longer than you expect to be on it at that kind of pace.
GRAHAM CLULEY. Were you throwing up? Were you feeling sick at the end of this?
CAROLE THERIAULT. I think I paused it because it was too much.
ANNA BRADING. Yeah.
GRAHAM CLULEY. Yeah.
ANNA BRADING. Yeah, does it all come together at the— That sounds really mad. I hate it when all this is going on and then it doesn't sort of, I need it to sort of have a nice ending for it to feel like it's worth it.
CAROLE THERIAULT. I'm not gonna be able to answer that without giving anything away. I'm sorry. But I can say there's a good cast. Jamie Lee Curtis plays an incredible, horrible IRS agent.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And Ke Huy Quan, he was from The Goonies. You remember that? He plays Ling's husband, Waymond, with a W. Waymond. You know, if someone said, "Did you like it?" I'd be like, "I think so." But I'm really impressed by it. And I recommend it just to get a glimpse of the insanity of it all, because now you can stream it, right?
GRAHAM CLULEY. Oh, can you?
CAROLE THERIAULT. Yeah, it's on Amazon at the moment. That's where I found it. But you will be blown away by the amount of work that went into creating it.
ANNA BRADING. But will you like it?
CAROLE THERIAULT. I don't know. So my pick of the week is the movie Everything Everywhere All at Once, which the movie does represent in its style. It lives up to its name. Find it on Amazon streaming services.
GRAHAM CLULEY. Do they wake up at the end and it was all a dream? That's how I'd finish a movie like that. I'm sure that would go down well.
CAROLE THERIAULT. Yeah, I'm sure everyone would line up. You'd be getting all the awards as well. All the awards.
GRAHAM CLULEY. Now, Carole, you've been chatting to the people at Kolide this week.
CAROLE THERIAULT. Yes, well, I caught up with Kolide CEO Jason Meller. What a passionate guy. He shared some big news with us. So listen up, folks. Listeners, today I am chatting about All Things Kolide with its very own CEO, Jason Meller. Welcome again to Smashing Security, Jason.
JASON MELLER. Oh, thank you so much for having me.
CAROLE THERIAULT. We chatted actually last year. Our interview is featured on episode 265 if listeners want to check that out. But yes, it's great to have you back.
JASON MELLER. Wow, it's been a year already. Feels like that was 3 weeks ago.
CAROLE THERIAULT. Time flies when you're busy.
JASON MELLER. That's right.
CAROLE THERIAULT. So just to kick things off, am I right in saying that Kolide champions a zero-trust model when it comes to security?
JASON MELLER. Yeah, absolutely. So this is something that you're going to hear us starting to talk about more and more. Originally, we really shied away from the term specifically zero-trust. The reason why being is that we don't want to see that terminology be applied to individual people, but we do like the aspect of making sure that the devices that you connect to your most sensitive apps are trusted and that you initially don't trust them until they've been properly vetted and essentially we've been able to scan them. So, you know, at the end of the day, Kolide is a zero trust model and we champion that access model not just by working directly with your organization, but through your existing SSO provider. And today for us, that's Okta, and that's what we recently announced.
CAROLE THERIAULT. Okay. You beat me to the punch because I was going to give you— I was going to hand the floor over to you. So tell us about this news. This is all about device trust integration, isn't it?
JASON MELLER. Yes. Yes. So let's take a step back and talk about what we were doing before we announced this integration. So previously at Kolide, we were messaging end users on Slack when their device wasn't up to spec, if they were missing updates, if the firewall was off, or even deeper things like, oh, they have some unencrypted SSH keys or they have some sensitive data on their device.
So we would detect that with our endpoint agent and then we would message your end users directly on Slack. Now that works great, but it has a fatal flaw. And that fatal flaw is pretty obvious once you start thinking about it, it's that the end users, they can actually ignore that Slack app if they want. They could just sort of click mute.
And I had talked about this. This isn't something that was a surprise to us. We actually talked about this in our Honest Security Guide. We actually created this whole manifesto around how to actually encourage your end users and have them be a part of the conversation.
And we wrote about it at this website called honest.security. That's the whole URL. And in that guide, I talk about the importance of proportionate consequences.
So effectively tell users, give them clear expectations on what you really want them to do on their device. And if they don't do them, you really need to have a proportionate, reasonable consequence. So for example, let's say you're an engineer and you have the production database just in your downloads folder, like a backup.
Well, that's really bad. And if after 2 or 3 attempts of asking them to get rid of it, they don't do it, you cut off their hands. Yeah, well, maybe not their hands, but at least don't let them log into AWS anymore to get another fresh copy of that backup. So that's a pretty reasonable stance.
CAROLE THERIAULT. Yeah.
JASON MELLER. The challenge is, though, is actually implementing that is really, really hard for organizations. They have to build a lot of stuff.
CAROLE THERIAULT. Yeah.
JASON MELLER. So Kolide was in this really interesting position where we already could detect the stuff on the computer. We already knew how to talk to the end user. We now just needed a mechanism to prevent folks from getting access to these sensitive apps and services when their device wasn't in a good state.
CAROLE THERIAULT. Right.
JASON MELLER. Yeah, exactly. So to do that, we really wanted to partner with an SSO provider that would allow us not only to implement this sort of blocking capability, but also would allow us to tell the user why they were blocked in situ. So to visualize it, imagine you're trying to sign in to any SaaS app you have. Let's just say for the sake of argument, something like GitHub.
CAROLE THERIAULT. Okay, so I'm trying to get into GitHub, right? Okay.
JASON MELLER. Yep. So you put in your— you go into GitHub, you click into your organization, and then what if you have Okta, you get prompted for your Okta username and for most people their password. So you type again your Okta username, you put in your password, and then that's where Kolide starts to come in.
So we effectively are one of many potential two-factor authentication options in your organization and you can sequence them, right? So if you're already using YubiKeys today, or if you're using some other thing like Okta Verify, you can do that part first and then the users get sent over to us. We check their device right in the browser using the agent.
And then if their device isn't up to spec and you've set those checks to blocking if they're failing, then we stop the end user right then and there from accessing the resource. But most importantly, we tell them why they're blocked and then we give them the path to redemption.
So let's say your Chrome is out of date, right? There was a zero-day exploit, we got to get all these Chrome browsers up to date, you can block people from accessing your SaaS apps until they restart their Chrome, which will apply the update.
And that can be enforced through this mechanism, and then users can do it. And then once they do it, the screen lights up green, and then they can actually get through to the final app that they're trying to access.
And that's fundamentally, in our opinion, the most pure form of zero trust access that you can get is vetting the device every single time, but giving the end user context and step-by-step instructions on how to get in a better state.
GRAHAM CLULEY. Yeah.
JASON MELLER. Here, here's the thing though, is this is something that what we've found now, because we've been running this as a pilot and a beta for several months. And one of the things that we've learned is this isn't just something you should do for the benefit of just your end users, right?
I mean, there's obvious benefits of telling them why something is wrong, giving them a path to fix it. But what we've learned is that this is actually more effective than the existing MDM solutions people employ at certain things like patching.
ANNA BRADING. Wow.
JASON MELLER. That was sort of surprising for us, right? So let's talk about patches specifically. So 3 or 4 weeks ago, Apple had these major high-priority security patches that they wanted you to put out on macOS and iOS, really bad stuff. I'm talking you go to the wrong website and then instantly there's malware on your computer level bad.
That was sort of what happened 4 weeks ago. And if you're a Mac admin, what are you really supposed to do? Well, you want to get your devices patched as quickly as possible. And every Mac admin, when they need to do that, they reach for the tried and true MDM, you know, mobile device management solution.
So they really have some choice in front of them. Choice number 1 is, all right, I have all these devices under management. The first thing I'm going to think about is I can deploy this update to all the devices and then force them to be rebooted right away.
That's option one. That's not a bad choice in an emergency, but the problem is if you do that and you do that at scale, let's say anybody over 200 employees knows when you do this, you have what typically is a really angry email at the end of that exercise, right? It's "hey, just FYI, the CEO was in the middle of an investor pitch and then this computer rebooted right in the middle of it," right?
Every IT person listening to this has been in that scenario where you're doing the right thing, but then you create this massive data loss event. And that's just one person. Of course, it's always the CEO.
That's Murphy's Law. But it's also, you know, that engineer or whatever. And that's the thing with updates, they don't work unless you reboot the computer.
So rebooting is a really tough thing. So you don't do that. You don't do the, let's just reboot everybody's computer in the middle of the day.
What do you do? You nag and nudge people for 3 or 4 days first and say, "hey, we're going to try to automatically apply this update. Please let the system do its thing, but you can defer and ignore if it's not a good time to restart right now."
And what do people do? They always ignore, they always defer. And so now it's day 3, it's day 4, it's day 5, it's week 2, and you still don't have, you have 30, 40% of your fleet that doesn't have this emergency patch on it.
CAROLE THERIAULT. So that's, you're bringing back nightmares for me, really vivid nightmares, right?
JASON MELLER. And it's 2023. This is still the state of the art of how to do it, right? And maybe the nudge screen has gotten a little bit more annoying and maybe the sound effects are a little bit more obvious to hear. But at the end of the day, it's really still the same stuff.
So let's go back to a zero trust access model. Zero trust access and the blocking methodology I talked about a second ago, that provides us with a new methodology for being able to solve the same problem. And the way that you do it is you just go into something like Kolide. You create a check that says, "hey, this device is failing if it doesn't have this specific update applied, we're going to give folks a day to do it." And then when people start logging in, they'll see that message, "hey, you really need to get this update applied. And if you don't by tomorrow, you're going to be blocked from all your SaaS apps."
CAROLE THERIAULT. They're significantly more encouraged to get it done.
JASON MELLER. It's not that they're just more encouraged, which they are, but the thing is they have the agency to decide when to take the disruption. There's a clear consequence at the end of the road that's right on the horizon that they can see and they can visualize and they know is real because they've maybe been blocked before.
And now they have the agency to say, "All right, I need to take care of this tonight and I'm going to do that." And if I don't do it and I get blocked tomorrow, it's not the IT team's fault. It's totally my responsibility.
So you've now taken what is really a responsibility of a small group of individuals, the IT and security team, and you've crowdsourced it out to your entire organization, and you've created a system that can work at scale. So in practice, our customers who had this rolled out already when that patch event happened, they had 90 to 100% of their devices patched within 48 hours without a single complaint, no data loss events.
And that was just by handing the users the reins and giving them a proportionate consequence for not getting it done. That is huge.
The efficacy of this is unbelievable. And that's why we're so excited about that.
CAROLE THERIAULT. Compliance is kind of key, and if you want to control the environment, you're kind of doing that in a way that is involving everyone, and it's very cool.
JASON MELLER. It's been really exciting for me personally. You know, one of the things that I founded Kolide to do was to really get end users to be a part of the security solution.
I've always felt deep in my heart that because human beings are the ones that are really using the computer and they're the ones that are using it to further their career, to do something really exciting, they needed to be part of whatever the security story was. These computers that we use every day, they started out— what were they called?
They were called PCs, personal computers. They were never meant to really be managed centrally in the way that we try to manage them centrally at organizations.
They're meant to be used by a single person sitting in front of them, driving them. That is really how they've been designed from the ground up, especially Macs, which they've really bucked the trend of becoming an enterprise-friendly operating system since its inception.
And only very recently, in the last 5 to 10 years, administrators have tried to embrace this idea of centralized management, but it doesn't work very well. And if you've been an IT administrator the last 10 years, you know that.
And so how can we get the end users involved? That's always been something I wanted to do.
And what we finally stumbled upon is a way to do that that works at scale, even with the most stubborn end users who really aren't going to do it out of the goodness of their heart. That's why this is so exciting because even if I meet the most cynical IT person in the world, I can show them that regardless of what you think about the end user and their capability, this is what the numbers show us.
This is what the efficacy of this new way of doing it is, and it is just objectively better. That's sort of the pitch, and that's why it's so exciting to me personally: we found a way to not just make the end users part of it, but to make it better than the status quo.
CAROLE THERIAULT. Yeah, and you get rid of all the politics, all the office politics of begging a department to do stuff. It's brilliant.
It's brilliant. I'm sure our listeners think so too, and they can see it in action if they go to kolide.com/smashing.
That's kolide.com/smashing. It's Kolide with one L, K-O-L-I-D-E, and Kolide CEO Jason Meller, thank you so much for chatting to us and sharing this news.
JASON MELLER. Go to the website. This is a show, not a tell product. You'll actually be able to watch videos of what it looks like when folks are signing in.
So there's a lot of information on there. I highly encourage you. This is something we've sweated over for months and months and months, getting the end user experience exactly right. And if you're someone who uses Okta today and you have zero trust on your roadmap, you should reach out to us. This isn't just some fringe startup thing. This is the best zero trust access solution for people who have Okta. It's better than what Okta has built in. It works on Linux where we have mobile support. So you should really reach out if this is on your roadmap this year and we will get in touch with you right away and make this happen for you.
CAROLE THERIAULT. There you go.
ANNA BRADING. Awesome.
CAROLE THERIAULT. Thanks so much, Jason.
GRAHAM CLULEY. Jason.
JASON MELLER. Thank you.
GRAHAM CLULEY. Terrific stuff. And that just about wraps up the show for this week.
Anna, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?
ANNA BRADING. I am @AnnaBrading on Twitter. And if you want to give me some work, LinkedIn.
CAROLE THERIAULT. Not desperate or anything. Hashtag desperate.
ANNA BRADING. Oh, actually, no, but I just—
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity. No G. We also have a Mastodon account. You can find that at smashingsecurity.com/mastodon. That'll take you there. And look up the Smashing Security subreddit on Reddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts and Spotify.
CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide, Bitwarden, and Drata, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 311 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye.
ANNA BRADING. Bye.
GRAHAM CLULEY. Toodaloo.
CAROLE THERIAULT. Anna, thank you so much for coming on the show.
ANNA BRADING. Thank you for having me. My question is, are you doing something with Apple Podcasts? Because I went to the Smashing Security podcast, your stream, and it asked me if I want to pay more.
GRAHAM CLULEY. Well, no, no, no. So you can now rather than just go to Patreon, you can also pay via Apple Podcasts and get the episodes early and get them without ads.
ANNA BRADING. Oh, okay.
GRAHAM CLULEY. No, but we haven't really publicised this yet.
ANNA BRADING. Well, you should.
GRAHAM CLULEY. I agree, we should. We'll work out the best way to do it.
CAROLE THERIAULT. Anna, you're a rock star.
ANNA BRADING. Thank you.
CAROLE THERIAULT. Good story. Very cute.
GRAHAM CLULEY. Lovely, lovely.
ANNA BRADING. Oh, it's fun.
GRAHAM CLULEY. Right, I'm going to stop.
-- TRANSCRIPT ENDS --