338: Catfishing services, bad sports, and another cockup

AI news is bad news, an online service to catch your cheating partner, and an IoT-enabled dick cage fails to keep a grip on its own security.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Plus don't miss our featured interview with Alex Lawrence, principal security architect at Sysdig.

Warning: This podcast may contain nuts, adult themes, and rude language. May? Who are we kidding...

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Sysdig – Is your cloud secure? Not without runtime insights! Sysdig delivers the industry’s ONLY complete, consolidated Cloud-Native Application Protection Platform (CNAPP) – powered by runtime insights – to prioritize critical risks and stay ahead of unknown threats. Learn how runtime insights reduces fatigue so developers can focus on delivering software and your security teams can focus on other demands.
  • ClearVPN – Hide your IP address, browse without geo-restrictions, and stay private online with a 30 day free trial of its premium plan.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. It's a male chastity device. So it attaches itself quite firmly and securely around your private parts, preventing you from performing certain functions.


CAROLE THERIAULT. What could go wrong, to quote you, Graham?


MARK STOCKLEY. What could go—


GRAHAM CLULEY. Well, I'll tell you what went wrong. They discovered flaws, which meant that someone could remotely lock all of the devices and prevent people from unlocking themselves. The actual advice on the site was you're gonna have to use bolt cutters or an angle grinder.


MARK STOCKLEY. What? I think I'd rather not. I'll just stay in it.


UNKNOWN. Smashing Security, episode 338: Catfishing Services, Bad Sports, and Another Cock-up, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 338. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole joining us today, pretty— I was about to say a pretty common regular. That's quite rude really, isn't it?


CAROLE THERIAULT. It's, maybe start that again.


GRAHAM CLULEY. So joining us today, Carole, who've we got?


CAROLE THERIAULT. We have a guest for the first time in a few weeks. Mr. Mark Stockley is joining us. Hi, Mark.


GRAHAM CLULEY. Hi.


CAROLE THERIAULT. Welcome back to Smashing Security.


MARK STOCKLEY. Thanks very much.


GRAHAM CLULEY. Great to have you back, Mark.


CAROLE THERIAULT. It's brilliant. And we have a big show today, so we should crack on. Are we ready to go?


MARK STOCKLEY. Let's go.


CAROLE THERIAULT. But first, let's thank this week's wonderful sponsors: Kolide, Sysdig, and ClearVPN. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?


GRAHAM CLULEY. Oh, it's another right cock-up.


CAROLE THERIAULT. Okay, Mark, what about you?


MARK STOCKLEY. I am going to talk about the worst sports reporter in the world.


CAROLE THERIAULT. And I'm going to be looking at a catfishing enterprise. Plus, we have a featured interview with Alex Lawrence. He's the principal security architect at Sysdig, and we're going to dive into Sysdig's brand new threat report and find out what we should be looking out for. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, can you believe how time has flown by? Flown by, not only if our kids got older over the summer and grown about 3 foot taller, not only are they sprouting hair out of their nostrils and all sorts of unpleasant places like that, but it's also 4 years or so since episode 199 of Smashing Security.


MARK STOCKLEY. Wow.


GRAHAM CLULEY. Yeah, you may remember we had Zoe Kleinman from the BBC on and we reported on how security researchers had found serious security flaws in the Qiui Cellmate, which is a Chinese-made IoT device made of polycarbonate and toughened steel. A very specific kind of IoT device. It comes in both long—


ALEX LAWRENCE. Oh no.


GRAHAM CLULEY. What? It comes in both long and short models. When I investigated it back then, I found the short models had sold out on the website.


CAROLE THERIAULT. I remember the name Cellmate, actually. I remember what it does. Okay.


GRAHAM CLULEY. What do you remember about it, Carole? Could you describe what it does? Because that would save me.


MARK STOCKLEY. Is this something to do with prison?


CAROLE THERIAULT. Yeah, basically it is with prison. It prisons up your junk, if I remember correctly, and you give your special someone the key. And it's a digital key. Am I right? Is that right? Or am I just dirty?


GRAHAM CLULEY. It's a male chastity device. So it attaches itself quite firmly and securely around your private parts, preventing you from performing certain functions.


CAROLE THERIAULT. Who does this? Actually, I don't want to know.


GRAHAM CLULEY. I do not want to know. Unless your partner via the internet unlocks it.


CAROLE THERIAULT. What could go wrong, to quote you, Graham?


GRAHAM CLULEY. Well, I'll tell you what went wrong. The penetration testers at Pentest Partners, appropriately enough, they discovered flaws in Cellmate's API. Which meant that someone could remotely lock all of the devices and prevent people from unlocking themselves.

The actual advice on the site was you're going to have to use bolt cutters or an angle grinder.


CAROLE THERIAULT. Can you imagine?


MARK STOCKLEY. So what?


CAROLE THERIAULT. It's got to be an internet joke.


MARK STOCKLEY. I think I'd rather not. I'll just stay in it.


GRAHAM CLULEY. So aside from imprisoning your penis, also the API was leaky. Which you don't want.

So it would leak your location data, your personal information, your private chats, and what was called your member code.


CAROLE THERIAULT. You have private chats through your—


GRAHAM CLULEY. Well, yes, but via the— Not on that. There was no screen on it, a keyboard.


CAROLE THERIAULT. There's a big microphone?


GRAHAM CLULEY. No, but via the app, you could chat with partners saying, oh, please unlock me, you naughty boy.


CAROLE THERIAULT. Let's not use Signal or WhatsApp or something. Let's use Cellmate's own chat service.


GRAHAM CLULEY. So, yeah. Okay.

Cybercriminals did eventually exploit this flaw, and they demanded a ransom from people they'd locked up. Now, surprisingly, years have gone past.

The Qiui Cellmate, I've done some Googling today, it's still on sale. You can go to its online store.

The motto is "Love Hurts." You can buy them on Amazon.

You can even get them on eBay. I'm not sure you'd want a pre-loved sex toy from eBay, but if you—


CAROLE THERIAULT. Reconditioned.


GRAHAM CLULEY. If you wanted—


MARK STOCKLEY. As long as they delete the chat history.


GRAHAM CLULEY. Anyway, that's all yesterday's news, right? That's from a while ago.

Because surely by now everyone's been put off the idea of chastity cages. People have decided that's not a good— Well, not so.

Not so. Because I don't know, Mark or Carole, if you read the Dear Deirdre Agony Aunt column in The Sun newspaper.


MARK STOCKLEY. Paper.


CAROLE THERIAULT. That's still going. Is she still alive? Does she exist?


GRAHAM CLULEY. That's very interesting, because when I was reading this Dear Deirdre column online about male chastity cages from last month, it's actually got someone else's name on the byline. So the brand is Dear Deirdre, but there's someone called Sally who's actually answering questions.


CAROLE THERIAULT. They fired Deirdre.


GRAHAM CLULEY. Yeah, so Deirdre, she's been sent off in the wheelchair. Anyway, someone wrote in saying, my sexual urges are so out of control, I'm considering buying myself a chastity cage.

And this chap, he said he was in his mid-20s. He said he had a bit of a wandering eye, but he loved his girlfriend.

He's been going out with her for two years. She's wife material, he says.

But because he keeps on looking at other girls and thinking, well, I'd quite like to have sex with her, he has secretly bought himself a metal chastity cage to lock up his penis to prevent him from doing anything untoward with it. And he was saying 'Do you think this will stop me cheating?' he said to dear Deirdre.


CAROLE THERIAULT. Surely. Okay, I'm wondering if she defines cheating now, because my story has to do a bit with cheating as well. So this is quite interesting because, yeah.


GRAHAM CLULEY. Well, I'm thinking that chances are she's going to spot this, isn't she? If he's clanking around the bedroom wearing one of these.


CAROLE THERIAULT. I don't think it's medieval, right? I know what you're picturing.


GRAHAM CLULEY. Have you seen these things, Carole?


CAROLE THERIAULT. No, I haven't. I haven't.


GRAHAM CLULEY. But you have to take an angle grinder to them. They are quite substantial. Anyway, she said, get a grip, pleasure yourself. That's what you have to do. Stop being ridiculous. Just stop trying to have sex with me.


CAROLE THERIAULT. A lot of bathroom breaks.


GRAHAM CLULEY. Anyway, so chastity cages are still being sold. Now word reaches us via TechCrunch of another dick cage that has serious vulnerabilities. An anonymous researcher — anonymous, because he doesn't like to mix business with pleasure — he has found a different internet-connected male chastity device is exposing users' email addresses, plaintext passwords, home addresses, IP addresses, and in some cases — and this one really surprised me — GPS coordinates due to flaws in its servers.

Now, why these things are beaming out their GPS coordinates, and how precise do you need to be with something? You surely don't need to know within a few metres, which apparently the device claims.


MARK STOCKLEY. Well, if you're using an angle grinder, I think very, very precise.


GRAHAM CLULEY. You need great precision. Yeah, a few metres doesn't cut it. No, you want, you know —


CAROLE THERIAULT. Well, it could.


GRAHAM CLULEY. A centimetre could make a big difference. So apparently, your partner who's in control of your chastity device can follow your movements and see where you're going while you're clanking around. This researcher has found, via these flaws, he's found records of more than 10,000 users. And so he did the responsible thing — he contacted the company back in June about the vulnerabilities. They didn't respond.


CAROLE THERIAULT. Quelle surprise.


GRAHAM CLULEY. Now, this is the interesting bit. He then, because he couldn't get a response from them, he defaced their website. He put up a message on their website. He said, this site's been disabled by a benevolent third party and the vendor's name has been redacted, right? There's no one saying who the vendor is.

He says they've left the site wide open. It's allowing any script kiddie to grab all this customer information, including plaintext passwords and shipping addresses. And he says, if you've paid for a physical unit and now can't use it, I'm really sorry, but there are thousands of people have accounts on here and I couldn't leave it up for grabs.


CAROLE THERIAULT. Hope you weren't wearing it at the time.


GRAHAM CLULEY. Well, exactly. I mean, does disabling the website prevent you from unlocking it? I don't know. Maybe it does — maybe it prevents someone from logging in and doing that.

How do you feel about that, Mark? What do you think — do you think that's right, that he should have defaced the website and put up this message?


MARK STOCKLEY. I'm going to say no.


GRAHAM CLULEY. Right. After careful consideration.


MARK STOCKLEY. Because I don't want to think that anything would rely on the website being there because websites being there is a —


GRAHAM CLULEY. Websites are very transient.


MARK STOCKLEY. They are. They're not difficult to affect. But having said I wouldn't want that to happen, that doesn't mean that it doesn't happen. And we're talking about the IoT here, so I think actually probably did happen.


GRAHAM CLULEY. So you don't think it's right for him to deface the website and put the message up there, even though he's frustrated and he wants to get the message out to those users? Should he have emailed those users instead, or what do you think would have been a better course of action?


MARK STOCKLEY. I think put it on Reddit.


GRAHAM CLULEY. Right. And they'll DDoS the site by all traveling there.


MARK STOCKLEY. If you want people to read something, put it on Reddit. Yeah, Google will pick it up.


GRAHAM CLULEY. But he was worried that naming the company would actually get people exploiting it. And that's why TechCrunch haven't named them either. TechCrunch say they've tried to contact the company, which is based in China, like the Qiui Cellmate. Similar lack of response.

They have removed the defacement message from the website. And so I was curious. I immediately thought this must be the Qiui Cellmate, but the one we spoke about a few years ago.

I thought it must be the same one. And I thought, why are TechCrunch being so coy?

I thought, oh, I saw it. I went to the Internet Archive. I was looking at Qiui Cellmate's store, looking to see if, you know, they'd been defaced or anything like that.

So Qiui Cellmate's still running, but it isn't the Qiui Cellmate because according to TechCrunch, the vulnerable device only has an Android app. There's no iPhone app. So I imagine iPhone users who have a chastity cage around their penis, they don't have to worry because this is only affecting androids instead.


CAROLE THERIAULT. I just think this is one of those things that if you definitely want to have your cocks in a block, I guess, why wouldn't you just go old school and get dumb tech?


GRAHAM CLULEY. With a key.


CAROLE THERIAULT. No tech. With a key. Just don't lose the key.


GRAHAM CLULEY. Or maybe a good fisherman's knot would be good. If you could— Tie a knot in it, tie a secure knot, and that'll prevent anything bad from happening. Mark, what have you got for us this week?


MARK STOCKLEY. Well, I am going to talk about the worst sports reporter in the world.


GRAHAM CLULEY. Okay.


MARK STOCKLEY. So, do you like sports? You're pretty athletic, Graham. Do you like sports? What are you into?


GRAHAM CLULEY. I am keen on badminton. And chess. I consider badminton not really a sport. I consider that a game.


MARK STOCKLEY. Yes.


GRAHAM CLULEY. But I consider chess to be a sport.


MARK STOCKLEY. Yes. I think other chess players do too, don't they?


GRAHAM CLULEY. Yes, they do.


CAROLE THERIAULT. That's why they get all sweaty when they're playing.


GRAHAM CLULEY. Yeah. I think anything which has a random element is a game. So, football, cricket, badminton, anything like that. That's just a fun game. But chess is a serious sport.


ALEX LAWRENCE. Let's see.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. Well, I was going to say they also love sports in the USA, but I'm not sure you actually love sports. I think there's a whole other discussion to have there. But in the USA, they definitely love sports, like actual proper sports. Sports like, you know, NFL, NBA, college sports, even high school sports.

And the local newspapers are only too happy to add these sports-mad fans to their readership with penetrating and insightful analysis of all the latest goals, baskets, and touchdowns.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. However, something strange has been happening at local papers in the USA. See if you can tell what it is. So this in-depth bit of sports reporting came from a recent edition of the Milwaukee Journal Sentinel.

Okay. It said— I'm gonna butcher this name now— the Waukesha West Wolverines defeated the Hartford Orioles 42-14 in a Wisconsin high school football game, "On Friday, Waukesha West recorded a big victory over Hartford, 42-14, during this Wisconsin football game." That's a really high score for a football game, isn't it?


GRAHAM CLULEY. How big were the goals?


MARK STOCKLEY. They may be talking about—


CAROLE THERIAULT. American football.


MARK STOCKLEY. American football.


CAROLE THERIAULT. Oh, okay.


MARK STOCKLEY. But anyway, so that was perhaps not the peak of journalism there. What about this one from The Tennessean? The Christ Presbyterian Lions defeated the Brentwood Academy Eagles 17-16 in a Tennessee high school football game on Saturday. Christ Presbyterian eventually took victory away from Brentwood Academy 17-16 in a Tennessee high school football matchup.


CAROLE THERIAULT. Oh, it makes no sense.


GRAHAM CLULEY. Oh, it's weird. Yeah, it's a bit garbled, isn't it? It's an odd way of phrasing things.


MARK STOCKLEY. Both teams were shut out in the first quarter. The Eagles took a 7-3 lead over the Lions heading to the halftime locker room.

Brentwood Academy enjoyed a 16-3 lead over Christ Presbyterian to start the fourth quarter. A 14-0 scoring edge in the final quarter fuelled the Lions' defeat of the Eagles.


CAROLE THERIAULT. I think I know what's going on here.


MARK STOCKLEY. Okay, well, the final one might give you a clue. This is my favourite from the Columbus Dispatch.

The Worthington Christian bracket bracket winning underscore team underscore mascot bracket bracket defeated the Westerville North bracket bracket losing underscore team underscore mascot bracket bracket 2-1 in an Ohio boys' soccer game on Saturday. Worthington Christian edged Westerville North 2-1 in a close encounter of the athletic kind for an Ohio boys' soccer victory on August 19th.


GRAHAM CLULEY. A close encounter of the athletic kind.


CAROLE THERIAULT. It's like the first time you listen to the shipping forecast in the UK. You know, you're like, what?


MARK STOCKLEY. Worthington Christian drew first blood by forging a 2-1 margin over Westerville North after the first half. The scoreboard was in hibernation in the final half with neither team scoring.

The last two lines, I think what they're saying is—


CAROLE THERIAULT. Hibernation.


MARK STOCKLEY. Worthington Christian drew first blood forging a 2-1 margin over Westerville North after the first half. But in the final half, which if I remember correctly, there are two halves.


GRAHAM CLULEY. There are normally two halves, yes.


MARK STOCKLEY. Neither team scored.


GRAHAM CLULEY. Yes, that would be a simpler way of wording it, wouldn't it? Has all this underscore bracket bracket stuff, could there possibly be some sort of computer cock-up occurring?


CAROLE THERIAULT. Perhaps.


MARK STOCKLEY. You're close. You're very close.


GRAHAM CLULEY. Right.


MARK STOCKLEY. So there are two little letters that join all of these terribly written articles together. Can you guess what they are?


GRAHAM CLULEY. AI.


MARK STOCKLEY. That's how we're going to say AI from now on.


ALEX LAWRENCE. Yep.


MARK STOCKLEY. This year's NFT: AI. All of these reports were written by an AI called LedeAI, which is being tested out by a newspaper chain called Gannett, which owns a bunch of local newspapers.

According to Axios, Gannett-owned newspapers published dozens of LedeAI game recaps. And CNN reports that the experiment has now stopped following ridicule on social media.

And soon podcasts. The thing is that the reports are actually generated. There's a, I forget what the system's called, it's something like Scorebox.

There is a system that actually generates this was the score after the first quarter and this was the score after the second quarter. And so all this thing is doing is it's taking that information and putting it into sentences rather than into bullet points.


GRAHAM CLULEY. Right.


MARK STOCKLEY. But the sentences are AI garbage.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So, and I suppose the AI to try and make it appear more human is thinking, well, we won't use those other words. We'll go to the thesaurus, we'll find synonyms.


CAROLE THERIAULT. Like hibernation.


GRAHAM CLULEY. Like in hibernation or Close Encounters of the Athletic Kind. It's just trying to add a little bit of colour and coming across as freaky.


MARK STOCKLEY. Now, this is not the first time that the myth of AI journalism has faced public scorn. So last year, I don't know if you remember, but CNET, massive publication, started publishing articles under the byline CNET Money Staff.

So these articles, look, they were probably made for search engines rather than for people. But this CNET Money staff with its AI pseudonym and Wired reports that a torrent of embarrassing disclosures followed with more than half of the articles containing factual errors and 41 out of 77 requiring quote, sometimes lengthy corrections.

Now, I don't know about you, but wherever you look, AI is just making stuff up at the moment, which is really bad for everyone. I mean, it's bad for information and disinformation, it's bad for the internet, and ultimately it's even bad for AI, 'cause AI is using the internet as training data. So if the internet—


GRAHAM CLULEY. Well, that's right. The more AI generates, the more it's feeding itself worse information, isn't it?


ALEX LAWRENCE. Yes.


GRAHAM CLULEY. And there are some news sites now which are specifically blocking these AI chatbots from scouring and scooping up information from their sites, because they don't see why they should be helping them. You just make a change to robots.txt to block some of these things from coming through.


CAROLE THERIAULT. But I use a chatbot. I've been playing around with it for a few weeks, and I have not run into it being incorrect that I've noticed.


MARK STOCKLEY. Hahaha.


CAROLE THERIAULT. But I guess I'm not asking for, you know, right or wrong answers. I'm asking more for fleshing out ideas, I guess. Really? Yeah.


MARK STOCKLEY. What, turning sports scores into sentences about sports scores?


CAROLE THERIAULT. I'd ask them something like, "Tell me about this term. Tell me, I don't know what this term means."


MARK STOCKLEY. Yeah.


CAROLE THERIAULT. You know, and then I might learn something about it, but it's—


MARK STOCKLEY. Well, you might, or you might learn something about something else.


CAROLE THERIAULT. Yeah. I've just not seen any cock-ups on the ones I've been using. I know they've happened, but I've seen that more in the press than me seeing any blatant, oh my God, mess.


GRAHAM CLULEY. It sounds a bit though, Carole, you're not really asking it to generate anything new, create a report.


ALEX LAWRENCE. That's true.


GRAHAM CLULEY. You're more saying, "Define something," or, "Explain this to me." Yeah.


CAROLE THERIAULT. "Tell me what happened at this," you know, whatever, a historical thing, or, you know, "What does this mean?" That sort of thing. Yeah. So you're right. I'm using it like this.


GRAHAM CLULEY. Maybe that's more straightforward for it. I don't know.


MARK STOCKLEY. Mm.


GRAHAM CLULEY. Yeah, that's true. So did these sports articles not say, "This article has been written by a stupid robot rather than a human," or did they?


MARK STOCKLEY. They did actually. The sports articles did. They said the byline was "LedeAI."

But I think expectations are set by decades and decades of history of human journalists. And so I don't know if it matters so much that it was written by an AI.

I think it's more that it was just really bad. I don't think anybody would've minded if it was written by an AI and it was good.

But I think the badness and the fact that it was made by an AI are now kind of joined in people's minds. I don't know about you, but I sense a significant lowering of expectations this year after a sort of explosion of hyperbole around generative AI last year.


GRAHAM CLULEY. Right.


MARK STOCKLEY. I've got a colleague who went to the RSA security conference, which is sometime earlier this year, and he said you couldn't move for AI. I went to InfoSec in the UK in June, and honestly, I didn't see anyone talking about AI. Everyone was just talking about real-world problems, and nobody was suggesting that AI was the solution. Apparently, the mood at Black Hat, where they are talking about AI, is much more, okay, well, what can it actually do?

You know, it's taken us a year or so, but I think we're actually now coming to a much more sensible place about, all right, maybe it's not going to replace everybody, but maybe it's going to be, as Carole described, a sort of useful assistant.


CAROLE THERIAULT. Yeah, really cool tools.


MARK STOCKLEY. Yeah.


GRAHAM CLULEY. And the astonishing thing is that if they were doing this experiment, getting AI to generate these sports reports, if it was an experiment, why weren't they having someone human in the process just to have a look over?


MARK STOCKLEY. Oh, they did. Oh, they did. Yes.


GRAHAM CLULEY. Yes.


MARK STOCKLEY. The editorial guidelines for Gannett.


CAROLE THERIAULT. Were they underpaid?


MARK STOCKLEY. Well, I think, I don't know, I can't speak for them, but the editorial guidelines say something like they're checking for factual errors. And I think the things that I read are actually factually correct.


CAROLE THERIAULT. They're just nonsense.


GRAHAM CLULEY. Drivel.


MARK STOCKLEY. Yeah. Yeah.


CAROLE THERIAULT. You'd think that a researcher would spot that though. No offense, but.


GRAHAM CLULEY. So what does this tell us about the future of AI? Does it tell us anything? Does it just tell us to manage our expectations a little more rather than?


MARK STOCKLEY. Well, I think what it tells us is that we're going to have, you know, we've had 20 years of reading garbage articles written by people trying to target for SEO. I think now the future is going to be much, much, much, much, much more of the same, unfortunately.


CAROLE THERIAULT. Okay, well, thanks for that.


GRAHAM CLULEY. Fabulous. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, so as we know, there are some people that are in relationships that sometimes get distracted by what I'm going to call a third party, someone outside the relationship. And this can happen because maybe someone has a philandering style about them, or their relationship problems, or whatever.

We know that not every relationship, whether budding or long-term, is rock solid, right? And we know about cheating, a la, you know, let's sneak off and do some sexy stuff without the knowledge or consent of the long-term partner. But we also have heard about emotional cheating. Which, as far as I understand, is someone having risky, you know, risqué, flirty conversations with another person, but no body fluids are exchanged. Is that fair?


GRAHAM CLULEY. Having a little daydream about someone, maybe?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Is that an emotional cheating?


GRAHAM CLULEY. I would think so.


CAROLE THERIAULT. If you're having a daydream about someone else other than your long-term partner, you've got to go, "Whoa, whoa, stop that." You know, I mean— I'm not going to tell my husband about my Jeff Goldblum obsession.


GRAHAM CLULEY. There is a difference, surely? Yes, because it could all be going on in your head. Whereas if you actually physically participate, then yeah.


CAROLE THERIAULT. Okay, I have a scenario.


GRAHAM CLULEY. I'm not saying one is right and the other one is wrong.


CAROLE THERIAULT. I'm going to give you a scenario and I want you to tell me if you feel this is emotional cheating. Okay, perfect. Perfect. Okay, so we have a woman who lives in South America somewhere. We're gonna call her Carla. And Carla is chatting with someone online, you know, yik yak, yik yak, yik yak. And she happens to mention the city where she lives.

And the someone she's talking to says, oh, I've never been there before, but I'm actually planning a trip quite soon. And this guy she's chatting to eventually asks if she would show him around when he arrives in her city.


GRAHAM CLULEY. Very friendly. Yes.


CAROLE THERIAULT. You know, and she's like, that'd be cool. Right?


MARK STOCKLEY. Yeah.


CAROLE THERIAULT. More chitchat, more chitchat. And then he says, you're kind of cute. And Carla calls him cute back. And then later on the conversation, at one point, she says she can't wait for him to get there.

Okay, can't wait being the key word. And that's it. Yeah, that's it. That's the scenario. So where on the scale of emotional cheating do you feel this flies?


GRAHAM CLULEY. Well, does Carla or the other guy have another partner?


CAROLE THERIAULT. Yeah, Carla does. Carla does.


GRAHAM CLULEY. Carla has a boyfriend. Yeah. Oh, I see. I didn't know that. Okay.


CAROLE THERIAULT. Well— I mean, it's not like they're discussing sexting or whatever.


GRAHAM CLULEY. Oh, for God's sake, we're all right.


CAROLE THERIAULT. No, but you know what I mean? It's not—


GRAHAM CLULEY. It's always that with you, isn't it?


MARK STOCKLEY. Has anybody invested in an IoT chastity belt yet?


CAROLE THERIAULT. Right? These are questions I want to know the answers to now.


GRAHAM CLULEY. I think it's— You know, I think probably they need to be careful about saying, "Oh, you're pretty cute yourself." You know?


CAROLE THERIAULT. Really? I say people are cute all the time.


GRAHAM CLULEY. Do you?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. I've never heard that from you.


CAROLE THERIAULT. Well—


MARK STOCKLEY. Yeah, sorry, Graham. Yeah. Other people. Cuter people.


CAROLE THERIAULT. I'm going to say maybe for some people, this type of chatter, right? If your partner was having this type of chatter with a third party would be considered not cool, right? Okay.


GRAHAM CLULEY. Does the guy who's chatting with her know that Carla has a partner? If she hasn't revealed that, then that's a bit—


ALEX LAWRENCE. What?


CAROLE THERIAULT. We should all be wearing "boyfriend" tattooed across our foreheads?


GRAHAM CLULEY. Yes. Yes, we should. Absolutely. That's exactly where I was taking it, Carole. You're absolutely right. Yes, of course, that's what I meant.


CAROLE THERIAULT. So for people that, you know, don't think this is cool, there is hope. In the form of a small online company, one that is offering a specific service to couples, or at least one member of the couple. And this is where a party pays, right, a small online company to do some very serious assessing in order to discover whether the, you know, relationship is— or the person is loyal to the relationship and the person.


GRAHAM CLULEY. How do they do that?


CAROLE THERIAULT. Catfishing. Oh, so according to a New York Times article, you pay this company called Loyalty Test, and one of their testers will get in touch with you, with your person of interest, and do some flirting. Like in some cases, pretty innocently, like Carla's, right?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. But as soon as Carla wrote that she, quote, can't wait, right, referencing his arrival to the city, our Loyalty Test worker grabbed a screenshot of the conversation, blocked Carla on all accounts, and immediately reported what happened to Carla's boyfriend.


GRAHAM CLULEY. Oh, I think that's a bit extreme.


CAROLE THERIAULT. And that is how this company even sells itself. So Carla's sitting there, I'm guessing, going, what just happened? Meanwhile, the guy goes and tattletales to the boyfriend, right?

According to the New York Times, loyalty tester said, I just texted the boyfriend and was, hey, she says she wants to go out. So I sent him screenshots and he said, okay, that's enough, thank you.


CAROLE THERIAULT. And this loyalty test worker, okay, who is this guy? A 19-year-old college student from West Palm Beach, Florida, making ends meet by testing the loyalty of relationships. Apparently he'd been cheated on. He's trying to save the world from the pain he went through.

And he's just one of many workers, right? So they work like rideshare drivers, right? So they basically are free to take on as many clients as they wish. And you can go check out the site. Why don't you go check out the site?


GRAHAM CLULEY. So can I sign up? How much would I get paid for doing this?


CAROLE THERIAULT. You can sign up for free. You can charge whatever you like. But Brandon Balasingham, the 27-year-old site founder, will take 10% of every transaction.

So you can go to loyalty-test.com. And the strapline here, listeners, is hire one of our testers to DM and flirt with your significant other. Catch a cheater today.


GRAHAM CLULEY. So it's not telling me how much he's going to pay me if I become a tester. I'm not—


CAROLE THERIAULT. Well, some people in the article say that they charged around $100 per session. It depends because sometimes it just takes one DM exchange, apparently. Other times it's 2 or 3 days of online conversation.

So our Florida student loyalty tester determines what's included in his flat fee on a case-by-case basis. And he says he only tests women, he says.


GRAHAM CLULEY. Right.


MARK STOCKLEY. Do you think people ever sign themselves up?


GRAHAM CLULEY. I did wonder that, because I received a— so I had to join WhatsApp the other day, right? I've always refused to be on WhatsApp. And I had to get on WhatsApp because of various groups my son is a member of.

And that's how they communicate, is only via WhatsApp. Bloody hell. So I had to join WhatsApp. I've started receiving spam from people saying, oh, I'm 28, I'm lonely. And I was wondering, who actually responds to these?


CAROLE THERIAULT. Who would get in touch with me?


GRAHAM CLULEY. No, no, I think who would actually reply to these things? Someone, some nut? Then I thought, well, there probably are people who are lonely and might start it as a bit of fun and then begin to believe they are in a relationship.

But I suppose if I was a tester, I could create a social media platform of myself with a hot, you know, not the genuine photograph of me, but I could create my own hot young profile, couldn't I? With a strapping body.


CAROLE THERIAULT. Graham, you'd be great at this, I think. This could be your next thing. You'd be excellent.


GRAHAM CLULEY. I think I would too. I think I'm going to give up this cybersecurity life.


CAROLE THERIAULT. Because you have no morals and you're effectively setting up a honey trap. Don't you think? I mean, is this— okay, is this the same thing? Is this the same thing?

Is this the same as someone being on a diet, right? And your boyfriend or girlfriend or partner sticks a bunch of fresh, delicious, amazing pastries, right, from a top bakery in the fridge all over the kitchen and sets up video surveillance just to see if your resolve will weaken. I mean, isn't that what it's like? If you go to the website loyaltytest.com, you'll see the people that are apparently calling you.


GRAHAM CLULEY. I have had that happen. I have had people plant food in my fridge and then booby trap it because they know I can't resist. Yeah, that's—


MARK STOCKLEY. Were there small lenses poking out?


CAROLE THERIAULT. And what does it tell you of the partner? Like, would you not be more pissed that your so-called partner paid a hottie to catfish you instead of just being a wonderful partner?


MARK STOCKLEY. I think if this is happening in your relationship, then you probably have bigger problems than whether or not your partner would respond to an approach from a stranger. And the thing that kind of bothers me most about this is what of these testers?


CAROLE THERIAULT. Well, it doesn't take much to be approved. An active Instagram account, it seems, and you don't even have to use a real name there. And you have an agreement to abide by the Loyalty Test terms. But how do we know that they don't keep the information on their, you know, 'cause it's all their devices and stuff, right? So all the stuff that they're screenshotting and taking. Anyway, it's—


GRAHAM CLULEY. So nice advert for loyaltytest.com. Well done, Carole. You've promoted their service.


CAROLE THERIAULT. I'm just thinking if you're doing this, asking the private info of someone you supposedly care about, right?


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. By inviting someone with little to no verification to seduce them, all in the name of catching them out. Like, ain't love great?


GRAHAM CLULEY. And someone could sign up for this service and then become a scammer, right? You know, having got themselves into this situation.


CAROLE THERIAULT. No, no, no, stay well clear of this. None of this nonsense.


GRAHAM CLULEY. Okay, okay. Kind of tempted to sign up though.


CAROLE THERIAULT. I knew you would.


GRAHAM CLULEY. This week we're sponsored by ClearVPN, developed by MacPaw, a software company from Ukraine with more than 30 million users worldwide. ClearVPN is incredibly user-friendly, ensuring that even non-tech-savvy users can easily protect their online privacy without any extra technical skills required. ClearVPN has a free plan for all users worldwide. It can hide your IP address and browse without geo-restrictions. And the best part is, you don't even need an account to start using ClearVPN's free plan. It's entirely anonymous. ClearVPN works on Mac, Windows, Android, and iOS. And with its premium plan, you can be teleported to 40 other countries to unlock content on the top streaming services such as Netflix USA, Hulu, HBO Max, BBC iPlayer, and more. To make your life online more safe and private with ClearVPN right now, you can try out 30 days of free trial premium. Head over to smashingsecurity.com/clearvpn, click Start 30 Days, go through the registration, and then download ClearVPN to your device. That's smashingsecurity.com/clearvpn.


CAROLE THERIAULT. If you work in security or IT and your company uses Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. Feeling like you have too many alerts, overwhelmed by vulnerabilities, and at the end of the day, not deploying apps as quickly as you'd like? Well, Sysdig delivers the industry's only complete consolidated cloud-native application protection platform, CNAPP, powered by Runtime Insights. To prioritize critical risks and stay ahead of unknown threats.

With Runtime Insights, you can level up your cloud visibility, shift left the right way and start scanning for vulnerabilities earlier, shield right to protect your production environment, and keep dev teams innovating securely at cloud speed. Now is the time to transform your cloud security. So visit sysdig.com/cloudsecurity to learn more. That's sysdig.com/smashing.

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Now, a few weeks ago, my pick of the week was not pick of the week. My pick of the week was in fact a nitpick of the week.


MARK STOCKLEY. Mm-hmm.


GRAHAM CLULEY. Everyone loved my nitpick of the week, all about EV chargers, and it put to mind that maybe some of my other grumbles in life could be used as a nitpick of the week. So I am, I've recently moved house. And there've been a couple of teething problems.

One of my teething problems is with the hob on my oven, right? There's the hot plates.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Right. And it's an electric hob. And it has this touch interface.

We have to press down on that to turn on, and then you choose the hot plate, and then you have to go blink, blink, blink, and blink to try and turn it up or dink, dink, dink, to turn it down all the time. Your food is bubbling over. Everything's going everywhere, it's making a mess.


CAROLE THERIAULT. Do you not have handles on your receptacles to move them?


GRAHAM CLULEY. This is a typical female response to the problem.


CAROLE THERIAULT. Female? Wow. Okay.


GRAHAM CLULEY. Whoa.


CAROLE THERIAULT. Welcome back to the 1980s.


GRAHAM CLULEY. My partner had the same response, which is why sample size of two.


CAROLE THERIAULT. Yeah, sample size of two, and they both have teeth.


GRAHAM CLULEY. Rough.


MARK STOCKLEY. Okay.


GRAHAM CLULEY. Why did you bother turning it down or trying to turn it down rather than pick it up? In this particular instance, I wasn't quick enough to pick it up, or I thought turning it down would be enough. It was not sufficient.

And the thing is, these touch—


CAROLE THERIAULT. Eh!


GRAHAM CLULEY. So this is, this is just a piece of ceramic glass or something, right, on the hob. And they don't give you knobs. And my nitpick of the week is, why do induction hobs not have knobs?


CAROLE THERIAULT. So your whole stories, both your stories have to do with domes this week. Wow.


GRAHAM CLULEY. So it turns out the one I have at the moment is a pure electric. I was wondering why, because the previous place I was at was an induction hob with touch buttons, and it really, really annoyed me that it was so awful. The new one is even worse.

And so I have gone on a search on the internet for induction hobs with knobs, and it turns out no one's making them. No one's doing them because they say, oh, but it's so much easier to clean the hob if you don't have a knob on it. Well, yes, but it's also a whole lot easier to make great things happen.


CAROLE THERIAULT. Are your fingers too flat for, too wide for the button? I don't really understand. Can I just say, my suggestion to you, right?


ALEX LAWRENCE. Yes.


CAROLE THERIAULT. Is to touch the touchscreen gently rather than cramming your finger on it and pushing as hard as you can, thinking it's not registering.


MARK STOCKLEY. Your massive sausage finger.


GRAHAM CLULEY. It doesn't matter.


CAROLE THERIAULT. Yeah, just gentle, gentle touch, touch, gentle touch.


GRAHAM CLULEY. Doesn't work. And if your fingers are wet because maybe you've dared to wash your hands before doing the cooking, and not drying them, because— And still, or maybe your fingers are a little bit sweaty because you're feeling the heat of the kitchen. All these hot plates, all these hot plates going off at once. And so you can't control the thing.

So I've done lots of searching. I've only managed to find two hobs of the size I need, which actually have knobs. They're very, very rare. There's one called by a company called Smeg. I want Smeg with knobs on the hob. I don't want that. And it costs £800.

Or there's another one from Cookology. I'm not very happy. I've decided I'm going to risk buying the one that's affordable with knobs. And I will report back. But I suspect there are other people out there.


CAROLE THERIAULT. Why don't you buy— Why don't you just buy an induction stove? An induction hob?


GRAHAM CLULEY. That's what I am getting.


CAROLE THERIAULT. Okay. Because you said electric everywhere. I heard electric, 19— you know, with the coils.


GRAHAM CLULEY. What do you think induction is powered by? Clockwork or little mice running around in a turnstile?


CAROLE THERIAULT. Look, I'm worried about you having a heart attack with all your nitpicks.


GRAHAM CLULEY. Well, so I am getting an induction hob, but they've all got touch interfaces which are bloody awful. Some of them have this special— oh, we've got this magnetic knob which you can just drop down on the top and it will— you can turn it. It's you're going to lose that and that's no good. Just having one knob. I want four knobs for the four hot plates.

I'm buying one. If anyone's interested, follow me on Twitter and I'll tell you what the results are when it comes through. But I'm really angry about this.


CAROLE THERIAULT. Sorry, X.


GRAHAM CLULEY. Don't even get me started on that.


CAROLE THERIAULT. Can we move on? This has been great. Get off the soapbox here.


GRAHAM CLULEY. That was my nitpick of the week. And now, Mark, what's your pick of the week?


MARK STOCKLEY. Well, I think you need my pick of the week.


CAROLE THERIAULT. Oh!


MARK STOCKLEY. My pick of the week is a book.


GRAHAM CLULEY. Yes?


MARK STOCKLEY. It's called Longevity Simplified by Dr. Howard J. Luks, who is an orthopedic surgeon and a bit of a personality on the website formerly known as Twitter. And he's written a book about how to lead a long and healthy life by staving off metabolic syndrome, which is the umbrella condition that manifests as heart disease, diabetes, and the other sort of chronic illnesses of the Western world. They're all actually just aspects of the same metabolic syndrome.

And now he writes about what makes the biggest difference to your longevity and why. And he explains how to do really big things sleeping and eating and exercising better. And it isn't what you might think. So, for example, if you think about exercise, most exercise programs are actually optimized for some type of athletic performance. So they're about making yourself faster or stronger or building stamina.

You know, if you run a marathon, right, you're not actually trying to make yourself healthier, you're trying to make yourself able to run 26 miles. But his exercise program in this book is about doing lots of things— look, it's about doing lots of fairly easy activity very, very consistently. And by consistently, I mean over decades.


CAROLE THERIAULT. All right. You can catch up, Graham. Don't be put off.


GRAHAM CLULEY. I'm not sure I've got another decade.


MARK STOCKLEY. That's what you need if you want to live a long and healthy life, if you want the healthy portion of your life to be longer. What I really like about the book is, although it goes into some depth about the science, so if you're a bit nerdy like me and you want to know, okay, well, why does it work?

Why does that help? But it's actually, despite all of that, it's a really easy read. And you can see that they've actually put lots and lots of effort into making it something that's very easy to read and digest.


CAROLE THERIAULT. So digest, hehe.


MARK STOCKLEY. How many words are on the page? You know, the size of the margins and then the text itself, it's full of things like repetition and recaps and stuff like that. So it's very easy to kind of take notes as you're reading it.


CAROLE THERIAULT. I have to ask you, have you read it? Have you read the whole book, or you're halfway through or something?


MARK STOCKLEY. I'm halfway through.


CAROLE THERIAULT. Okay, so you must have at least 3 takeaways for Graham.


GRAHAM CLULEY. For Graham? For Graham? What, for his knob situation?


MARK STOCKLEY. Takeaway number 1 is look after your sleep.


CAROLE THERIAULT. Oh, I'm screwed.


MARK STOCKLEY. Sleep is massively important. It's the number 1 thing in the book. It's the thing he goes into first because it underpins everything else.

That's when your body does all of its repair work.


CAROLE THERIAULT. Work.


MARK STOCKLEY. That's when everything gets better, basically. All the exercise that you do, you know, you stimulate your body with exercise and then you become stronger, fitter, more athletic, blah blah blah.

That all happens while you're asleep. And also, you know, the sleep is where your brain does its maintenance and things like that.


MARK STOCKLEY. So sleep is massively important. Food— it's all about unprocessed food.

Now that's not news, probably, but it's still true. And then the exercise, it's, he talks about these Nordic skiers, like people who are very, very good Nordic skiers in their 20s, and they were tested by some university, I can't remember who, as they got into their 80s and 90s, and they still had cardiovascular systems equivalent to sort of college-age kids.


CAROLE THERIAULT. And wow, you're gonna live forever, Mark.


MARK STOCKLEY. Yeah, what that comes down to is the fact that these guys, they never ever trained hard, but they trained consistently for 30, 40, 50 years.


CAROLE THERIAULT. Yeah, a bit too late, Graham, out there doing low-level exercise.


MARK STOCKLEY. So it's a different kind of exercise. But anyway, it's just a super, super readable book.


CAROLE THERIAULT. Yeah, give us the name one more time. Yeah, yeah, give us the name and the author.


MARK STOCKLEY. So it's Longevity Simplified by Dr. Howard J. Luks, and he's worth a follow on the website formerly known as Twitter as well, because he actually tweets out a lot of the stuff from the book and answers questions and so on. Have you ever seen the Huberman Lab podcast and things like that?


CAROLE THERIAULT. No.


MARK STOCKLEY. Are you familiar with Andrew Huberman? He's one of these optimizers, so he runs a lab and he goes into enormous depth about things like meditation and supplements. And Howard Luks is like the anti-Huberman, right?

I saw Huberman described as an optimizer, like, you know, what is the absolute—like, what 100 supplements should you be taking every day? Like, how do you meditate for an hour every day? If you break your life down into thousands and thousands of different aspects and then try to optimize every single one of them, you don't have any time left to actually have your life.

And, you know, this kind of stuff is massively popular. I know all the guests on Joe Rogan and things like that. Huberman's got his own podcast. And Howard Luks is kind of like the total opposite of that—like, these are the general patterns you need to follow in your life, don't worry about all that, don't worry so much about the detail, get the big stuff right. Anyway, give it a read, Graham.


CAROLE THERIAULT. Amazing.


GRAHAM CLULEY. Sounds interesting. I like that it's simplified. The way you've described it, it does sound like it's easy to digest, as you said. So it's an interesting one. Carole, what's your pick of the week?


CAROLE THERIAULT. Oh my God, you guys are gonna love my pick of the week this week. It's me.


GRAHAM CLULEY. Woo!


CAROLE THERIAULT. No, you know, like people know that I do art, right? And I do a few exhibitions, just very nascent in the whole thing. But the Oxford Art Society is currently having its open exhibition for 2023 where people like me get a chance to show their work.

And I'm proud to say that one of my entries got in again. And you can go see it online—it's called Sophie's Piano Lesson. There's a link in the show notes so you can go see not just my piece, but all the other—there's hundreds of great works. Like, we've got a really amazing set of artists in Oxford, just huge. And you can even see my art buddy Sally Ann Stewart—she's a linocut artist. Graham, I think you bought one of hers before.


GRAHAM CLULEY. I did. I went to an exhibition where you were exhibiting as well, and I bought one of her pieces. Yeah, it's very nice.


CAROLE THERIAULT. And the best news is now that I've exhibited in two exhibitions, I'm now eligible to become an Oxford Art Society member. And I'm waiting for the invitation, guys. So yay me, I'm the pick of the week. And if you want to see other works from me, where should they go, Graham?


GRAHAM CLULEY. Carole.wtf. Yay.


CAROLE THERIAULT. I just want to make sure you do it. And that is my pick of the week.


GRAHAM CLULEY. Well done indeed. That's brilliant news. Sophie's Piano Lesson—I'm looking at it right now. It's one of your ink and watercolors, isn't it?


CAROLE THERIAULT. The problem was, this year they wanted to do it online. There was some bit of a disaster with the location where they normally hold this. And so I suddenly panicked and I was thinking watercolor is so difficult to really appreciate online. And so I sent in both works of ink and then I didn't—I don't regret sending this one in, but I just, yeah, anyway, I don't know.


GRAHAM CLULEY. It looks great. I really like it. Brilliant.


CAROLE THERIAULT. Thanks, buddy.


GRAHAM CLULEY. There you go. Now, Carole, you've been speaking to the chaps from Sysdig this week, haven't you?


CAROLE THERIAULT. Yes, I have with Alex Lawrence. He's the—well, you're going to hear from him in a few seconds and we're going to learn all about their findings in their threat report. And we're going to be focusing on the cloud. So listen up.

Today, listeners, I have the pleasure of speaking with Alex Lawrence, a principal security architect at Sysdig. This is a company on a mission to make every cloud deployment secure and reliable. So welcome, Alex. Thanks for chatting with me.


ALEX LAWRENCE. Yeah, thanks for having me.


CAROLE THERIAULT. Now, we have a lot to cover today, but first, maybe you can just tell us a little bit about Sysdig and your role there as principal security architect.


ALEX LAWRENCE. Yeah. Sysdig, as you said, we have a mission to secure the cloud, right? We are a kind of weird startup, I suppose. But our overall goal has always been to figure out how to instrument and how to secure things in the most native way possible.

So for workloads, that's system calls. For the cloud, that's logs. For applications, that might be streaming data sources. Right. And so it's kind of whatever is the appropriate way to approach looking into that application's information. That's the way we go.


CAROLE THERIAULT. It sounds very like a good approach. Not many people do that.


ALEX LAWRENCE. Yeah, it's a little bit more work upfront, but it has some pretty rich results on the end result of that. At Sysdig, for me specifically, I've been here about 5 years now, maybe 5 years and 2 days or something like that.

And my overall goal is to just help people figure out how to deal with the complexity of the cloud and how to deal with securing all of those diverse assets.


CAROLE THERIAULT. Okay, good. You're the perfect person to talk about your Global Cloud Threat Report 2023 from Sysdig.

I had a glance at the report, a little read, and it seems that the main focus is the amazing speed and swiftness of cloud attacks. To quote the Sysdig report, "opportunistic attacks average under 2 minutes to find a publicly exposed credential and 21 minutes for credential discovery to attack initiation." So this seems ridiculously fast for me for an average attack.


ALEX LAWRENCE. Yes, it is extremely fast. That's probably the single biggest change in the attack surface when it comes to cloud versus on-premises or things is just how quickly an attack advances in the cloud.

And a lot of that comes down to the reason we all use it in the first place, right? We abandon traditional data centers as a global IT group, mostly just because of how quickly we can get things done, right? That's the main driving factor of moving to the cloud. And it benefits us. It also benefits the attackers.

And so you don't have that same kind of time to find things anymore. The stuff on the cloud is significantly faster. I think the threat report calls it cloud automation weaponized.


CAROLE THERIAULT. This is so crazy because whilst it's a big benefit to organizations, and I can totally see that it allows people to work collaboratively across geographies and everything. I mean, it's an amazing tool, but I guess there's also weaknesses in that design that help attackers.

So before they actually initiate an attack, what goes on on the attacker side? They must do some recon or something.


ALEX LAWRENCE. Yeah, yeah, they certainly do. So there's this wonderful blog we put out about this really interesting attack called SCARLETEEL. So if you just Google like Sysdig SCARLETEEL, you'll find the blog. But basically it goes through kind of a story about how these things happen in the cloud and how much more complex they actually are.

And so for that initial access, traditionally it's exploiting something, right? That could be exploiting credentials that were exposed in an S3 bucket. That could be exploiting a vulnerability in an application.

That could be finding some misconfiguration in your cloud assets, maybe in a region you don't typically use. There's any number of ways they'll gain access and they'll look at pretty much everything under the sun to find that one spot that has kind of the weak point, so to speak, to break in and start doing something.

There's a lot of recon that happens and it's a lot around misconfiguration. And honestly, it's typically purely by accident in terms of how that misconfiguration made it to production.

So if you think about all the different tools involved in creating cloud applications, there's about a bajillion of them. And all it takes is one, you know, developer or one admin, one ops person to try to get their job done too quickly and they forget to go sanitize something or make this change or they push the thing from stage into production and suddenly all of those credentials are exposed and it just takes minutes to find those things these days.


CAROLE THERIAULT. So, okay, am I being hyperbolic in saying that any organization that has a cloud that is unprotected is at risk? Because a lot of this, I don't know, initial stages is automated, I guess, on their side, correct?


ALEX LAWRENCE. Yeah, no, they absolutely are at risk. Right. And again, these things are just surely from, for the most part, accidents, right? One of the wonderful things about the cloud is that it has all this automation built in and we know all these defined endpoints and ingress and egress.

We know how to access all of our content on the cloud. Most of these public, these ranges, IP addresses, accessible things, they're all published out there, right?

It's all on documentation. That also means all the attackers know where to find everything, right? You can set up scanners, just go look for exposed S3 buckets.

And if it was just up for a few minutes, you know, it's going to get compromised.


CAROLE THERIAULT. And what do they do? So they grab all this data. What do they do? They're just selling it on or what?


ALEX LAWRENCE. They could, right? There certainly is a market for selling stolen credentials. And I would say that that's predominantly focused in kind of the you know, the Fortune 500, Fortune 1000 around the world, the biggest of the bigs, those are the ones who are at risk for having their stuff sold.

If you're kind of a smaller startup or a mom-and-pop shop, you're just doing something, you're selling pizzas, salads, who knows, whatever it might be. Those are the folks who are kind of more opportunistic, right? And so it kind of depends on your profile for what matters the most.

But at the end of the day, you know, they could be monetizing the credentials. They are more likely taking those credentials themselves and then accessing your environment, right?

So if we look at kind of step 2 of SCARLETEEL, it's really about doing installation of tools, doing, you know, basic crypto mining, stealing credentials, stealing access to things. It's basically trying to get more information, kind of sitting and persisting in that environment, looking for what can they do with what they now have access to.


CAROLE THERIAULT. And what about ransomware? You mentioned crypto. See, I don't know, my— in my world, crypto is kind of dead, but maybe it's not.


ALEX LAWRENCE. Yeah, crypto's here to stay. So yeah, there certainly is ransomware issues, right? That's probably one of the things that's top of mind for most CISOs.

So someone gets in my environment and they encrypt everything and I lose access to it, what do I do? Right, that's what backups are for. So hopefully people have good strategies.

You still got to have backup plans even in the cloud. If you can get your content back, great.

But that doesn't mean that that's where it ends, right? You know, if they truly got access to your content, then that means they also can distribute it. Right, and so that whole notion of ransomware is a particularly interesting one.

But there's far more than just that that crypto means, right? Crypto could mean securing the stuff or could be encrypting the stuff. It could also be crypto mining, right?

They could be just looking to get some bitcoin off your environment. And what's interesting there is that it's pretty low cost or low benefit to them, but pretty high cost to the person that's being attacked.

I think in the threat report last year that we put out, it was roughly for every dollar they make, it costs you $53 on your infrastructure. Wow, so to put it differently, you know, $1,000 to them is $53,000 to you.


CAROLE THERIAULT. That's pretty crappy ROI.


ALEX LAWRENCE. Yeah, for the person being attacked, it hurts.


CAROLE THERIAULT. Yeah, not only your reputation, but— OK, so this is pretty bleak. And I'm hoping you have a silver lining to this cloud to help us understand how the people that use the cloud, all these organizations around the world, can better protect themselves.


ALEX LAWRENCE. Yeah, I mean, it should be top of mind, right? Like, a lot of people used to think that, hey, I'm in the cloud. I don't have to worry about security quite as much, right?

We are the kind of random people out in the world. That's not really the case anymore. I think it was an IBM report that came out a few years back that as of 2020, the cloud is attacked more often than on-premises, right?

So even if you move to the cloud, it's not security by obscurity. It's the standard way of operating these days.

And so you have to think about how do I do all of the things I used to do in a completely different environment? When you had on-premises, it was really simple because you could have a firewall, you could have defined ingress points.

So you knew exactly where data was flowing in and out of that. That's not what the cloud looks like, right?

We typically use the analogy that if the on-premises data center was a castle, the cloud was a carnival. And so it's significantly harder to deal with.

And so what do you do? How do you secure all of those things?

You have to adapt with the times. And so we use the analogy of a camcorder.

Right? If I can have something that looks at all of my different permutations of my environments in the cloud, and it does it in a way that makes sense for that application, that service, that whatever it is, I can then have full visibility across that entire thing.

And so from Sysdig's perspective, if we can instrument the cloud logs, if we use Amazon as an example, if we can instrument CloudTrail, if we can look at all of that data about how configuration changes are happening in your cloud infrastructure, we can look for misconfiguration in real time. We look for attacks in real time.

We can look for people exposing credentials in real time. And that real-time piece is the key, right?

As you said at the start of this, people are being attacked extremely fast, right? That dwell time, that amount of time that they take from the moment they get in to the moment they start doing something is extremely fast, right?

It's way lower than it ever used to be. And so if you're not looking at stuff in real-time context, you're exposing yourself to a risk.

So one of the things that we put in this threat report that I think is interesting, it's point 3 or something in it, that supply chain security isn't safe enough. Right.

Most people will do things scanning their images. They will scan for configuration problems.

They'll look at all of the static analysis components of their infrastructure. And that catches about 90% of all of the vulnerabilities that they're exposed to.

There's 10% that doesn't catch, and they ignore that 10%, right? That's the runtime things.

So 10% of all threats don't show up until the application actually starts running. And that's when the interesting things start to happen, right?

That's when crypto mining happens. That's when you start having access to credentials being hit.

And so if you're not looking at that 10%, you're missing a humongous piece of the puzzle. It sounds pretty small.

But when we start talking about, you know, $1,000 to them is $53,000 to us, that 10% matters an awful lot.


CAROLE THERIAULT. See, what I is that you kind of put security first and foremost. And I think many clouds are about ease of use or ease of onboarding, really quick onboarding and not worrying about the details of security.

And not that every individual wants to worry about it, but I'm glad someone is there in the chain, right? You want someone there to look after this stuff for you.

What do you feel about IT security folks out there that have to secure this stuff? What things could they do right now to kind of look and see if they've got an issue or a problem that they need to address quickly?


ALEX LAWRENCE. Yeah, the first thing they can do is never stop learning. And that's probably the single most important thing you can do in this industry is to try to do everything you can to stay on top of the way things evolve.

Because if you don't, you're going to get left behind. One of the things I'm very passionate about is trying to help change the way we view our security models at our organizations.

So traditionally in the commercial sector, people have viewed their security posture as a competitive advantage, which to some degree it certainly is, right? But that lends them to not wanting to communicate too openly about how they are handling breaches, how they are handling attacks, how they're handling their security posture.

Because that's privileged information to the company. I guarantee you our adversaries are not doing that, right?

Our adversaries are leveraging open communication platforms. They're leveraging working with each other, right?

They're acting like an open community to talk about how they're exploiting things. And we aren't doing the same in kind, right?

We're trying to keep that information to ourselves. That is a disservice to everybody in the industry.

And so the biggest thing we can do is be more open in our communication. Be more open to working together.

We vehemently believe here at Sysdig that open source is the future of cloud security, and that's a large reason why, right? If we are leveraging open standard tools to do a lot of these things, we can react as fast to the attacks as they are in coming up with new ways and novel ways to break into our infrastructure.

And it starts by being open to learning and being open to communicate with each other and being able to work together to up all of our security posture as opposed to keeping it as a secret to ourselves.


CAROLE THERIAULT. Yes. Your secret weapon is collaborate and be open.


ALEX LAWRENCE. Correct. Correct.

And so if you look at the foundation of the entire security tooling that we bring to the market, it's all built on open source, right? Falco is the runtime detection engine that we use.

Rego is our policy engine that we use for CSPM type stuff. All of the things that we do are out in the open because we fundamentally believe that's the way to get the competitive edge in security as time goes on in the cloud.


CAROLE THERIAULT. I love that. And what would you say to someone, for example, a CISO or a CIO who really needs to get buy-in from the board but is having trouble communicating their requirements?


ALEX LAWRENCE. Yeah, I think if there were one particular way to do that, that person would be making an awful lot of money.


CAROLE THERIAULT. Your advice then, because you must have seen or heard of these situations much more than the average person?


ALEX LAWRENCE. I mean, honestly, I think the best way to do it is to not try to use that whole scare tactic technique. It's just about, again, being open and honest about the threats we're facing and the reasons that we have to change the way we think.

It's basically that we need to adapt to the times. We need to be able to address threats in the way that makes sense with the way cloud operates.


CAROLE THERIAULT. And trust me, it's a lot less pain to. Oh my gosh.

Than to mop up the mess.


ALEX LAWRENCE. Yes.


CAROLE THERIAULT. Because I've been in that situation too, and it's not fun. Yes.

Listeners, you can learn even more about cloud-based attacks and everything that Sysdig does to try and prevent them by going to sysdig.com/smashing. That's sysdig.com/smashing.

And thank you so much, Mr. Alex Lawrence, Principal Security Architect at Sysdig for chatting with us.


ALEX LAWRENCE. No problem. Thank you for having me.


GRAHAM CLULEY. Terrific stuff. And that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would like to follow you online, find out what you're up to. What is the best way for folks to do that?


MARK STOCKLEY. You can find me on the website formerly known as Twitter @MarkStockley.


GRAHAM CLULEY. Easy. And you can follow us on Twitter @SmashinSecurity, no G, Twitter wouldn't allow us to have a G. We've also got a Mastodon account. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And massive thank you to this episode's sponsors, Sysdig, Kolide, and ClearVPN. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 337 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye.


MARK STOCKLEY. Bye.


CAROLE THERIAULT. Both of our stories had to do with, yes, controlling cheaters in some way.


GRAHAM CLULEY. What does that say? What does that say? I've been looking at loyalty tests some more. So what I hadn't appreciated is I basically set myself up. I can choose how much I charge people for this.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. This service that I'm going to offer.


CAROLE THERIAULT. You'd be very good. I think people should pay a lot of money.


GRAHAM CLULEY. I think I'd be brilliant at this.


CAROLE THERIAULT. I think you would be. And then you get to snapshot it and send it to the husbands and the wives.


GRAHAM CLULEY. Oh yeah, and ruin people's lives.


CAROLE THERIAULT. I knew it, I knew it.


GRAHAM CLULEY. Well, what a wonderful thing. Yes, it's something to tell the grandchildren, isn't it? So they can be proud of. What did you do during the great Brexit disaster, Dad? Oh, I tried to ruin people's relationships online. Poor old Carole. Yeah, wonderful.

-- TRANSCRIPT ENDS --