
342: Royal family attacked, keyless car theft, and a deepfake Tom Hanks


Is a deepfake Tom Hanks better than the real thing? Who has been attacking the British Royal Family's website, and why? And how can you protect your vehicle from the spate of keyless car thefts?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Plus don't miss our featured interview with Devo CISO Kayla Williams.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Hunters – A SOC platform, built to empower your security team to reduce risk, complexity and costs.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Devo – Register now to join Devo and other cybersecurity industry professionals on October 18 for sessions and panels focused on de-stressing, SOC career development, and more!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. You know, Graham, I've got to take you to task here because you have an issue with people like Piers Morgan, which, you know, I can sympathize with.


GRAHAM CLULEY. I'd run him over.


CAROLE THERIAULT. Right? But Tom Hanks has done nothing to you. You can just avoid him. He's done nothing. He's just a nice guy. Is he a nice guy? Maybe that's what threatens you.


GRAHAM CLULEY. Is he? I don't know. Smashing Security, episode 342. Royal Family Attacked, Keyless Car Theft, and a Deepfake Tom Hanks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 342. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined this week by a special guest, someone who's been on the show many, many, many, many, many times before. It is, of course, the one, the only Maria Varmazis. Hi.


CAROLE THERIAULT. I'm glad you had to say it in an approximate Greek accent, I think. That was very nice.


GRAHAM CLULEY. I liked it. Hi.


MARIA VARMAZIS. Yasas.


GRAHAM CLULEY. Hi, everybody.


CAROLE THERIAULT. Welcome back. It's been a while.


MARIA VARMAZIS. Yes.


GRAHAM CLULEY. Welcome back.


MARIA VARMAZIS. Thank you. The badass space bitch has returned.


CAROLE THERIAULT. Do you have a t-shirt with that?


MARIA VARMAZIS. No, I should though. I really should.


CAROLE THERIAULT. I like that.


MARIA VARMAZIS. That feels right.


GRAHAM CLULEY. Not just a space bitch, but also you, well, both of you actually have been pickling some stickies lately, haven't you? Your other podcast is back in town.


MARIA VARMAZIS. Yeah, Sticky Flippin' Pickles.


CAROLE THERIAULT. Sticky Pickles, just in case people are trying to Google what it is. It's called Sticky Pickles. It is back.


MARIA VARMAZIS. It is back.


CAROLE THERIAULT. It is back indefinitely, and it's great fun.


GRAHAM CLULEY. So it's not security related necessarily. Definitely the most important.


MARIA VARMAZIS. Better not be. Yeah, sticky pickles. Although, should we kick this show off, people?


CAROLE THERIAULT. Actually, first, maybe we should thank this week's wonderful sponsors: Gigamon, Devo, and Hunters. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be going deep, deep into threat actors.


CAROLE THERIAULT. Oh, okay. What about you, Maria?


MARIA VARMAZIS. A PSA on car hacking.


CAROLE THERIAULT. PSA on car hacking. I don't know what that means. And I'll be looking at a royal mess. Plus, we have a featured interview with Devo's very own CISO. I love how that sounds. Kayla Williams. And we're going to talk about all things SOC with security analytics platform ransomware form, Devo. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, what is the worst Christmas movie of all time, in your humble opinion?


MARIA VARMAZIS. The worst?


GRAHAM CLULEY. The worst?


CAROLE THERIAULT. You don't really remember the worst?


GRAHAM CLULEY. Oh, I do.


MARIA VARMAZIS. There are a lot of bad ones.


CAROLE THERIAULT. Okay, come on, name one, name one, name one.


MARIA VARMAZIS. I was gonna say The Snowman, but I actually really love that film.


CAROLE THERIAULT. Yeah, I like The Snowman. I think if there were anything with the Chipmunks, I would not be a fan.


MARIA VARMAZIS. Yeah, anything Chipmunks, yeah, agreed.


GRAHAM CLULEY. Wasn't there a Star Wars Holiday Special as well or something?


MARIA VARMAZIS. One doesn't talk about the Star Wars Holiday Special. No, we don't talk about it.


GRAHAM CLULEY. The actual answer is The Polar Express.


KAYLA WILLIAMS. Oh, stop.


MARIA VARMAZIS. Oh no, no, no, I'm with you on that actually. Why?


CAROLE THERIAULT. That movie's awful.


MARIA VARMAZIS. Please.


CAROLE THERIAULT. I've seen it. It was all right.


GRAHAM CLULEY. Well, was it all right? Was it all right?


MARIA VARMAZIS. Everybody's kind of rubbery and Gumby-like.


GRAHAM CLULEY. Yes, exactly. Oh, Maria, absolutely correct. Came out in 2004, directed by Robert Zemeckis, who also did the Back to the Future movies, which we like. Yeah.


MARIA VARMAZIS. Yeah.


KAYLA WILLIAMS. Yeah.


GRAHAM CLULEY. Polar Express. Polar Express was this computer-animated fantasy movie about this kid making a magical train journey to the North Pole to meet Father Christmas. And what makes it bad is the uncanny valley.

It's a grotesque horror is the reality about The Polar Express, because it's going to give kids nightmares if they watch. In fact, as an adult, it's going to give you the creeps because you're watching this dead-eyed animated train conductor with the voice of Tom Hanks.


CAROLE THERIAULT. Yeah. Yeah.


GRAHAM CLULEY. And it's creepy. It is creepy.


CAROLE THERIAULT. I have seen this. I don't remember it. I wouldn't say it's a great film or anything, but—


MARIA VARMAZIS. Your mind blocked it out. The trauma just said no.


GRAHAM CLULEY. It is traumatic. Tom Hanks, he earned $40 million. That's all?

No, it wasn't all. He earned $40 million for providing the voice of various characters in the movie. And he also said, you know what? I want an extra 20% of the gross takings.


MARIA VARMAZIS. Smart man.


GRAHAM CLULEY. In all. I think this is the way he often does it, actually. He takes a lump sum, but also gets some more as well if it's a success.


CAROLE THERIAULT. Tom, you may want to come on Smashing Security because we get paid a lot better than that over here.


GRAHAM CLULEY. Oh yeah.


MARIA VARMAZIS. Oh, easy peasy.


GRAHAM CLULEY. Easy peasy. Yep. He earned in total over $100 million for that movie. And there's been plenty of other movies where he's done the same as well.


MARIA VARMAZIS. And—


CAROLE THERIAULT. Man, that movie.


GRAHAM CLULEY. Just for doing a bit of voice work. Just for, you know, doing a bit.


MARIA VARMAZIS. And he's kind of shouty in the movie too. Is that my imagination? I remember him being very shouty. And I was sort of like, yo, Tom Hanks, just back off.

Yeah, I don't know.


CAROLE THERIAULT. I can say Graham did not research the story properly by watching the film. I assure you of that.


GRAHAM CLULEY. I have seen part of the movie before, then I realized it was Tom Hanks and turned it off. And that's my general approach on—


CAROLE THERIAULT. Yeah, you have a Tom—


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. I've got a Tom problem.


MARIA VARMAZIS. You're not a fan of Tom Hanks, of America's Uncle?


GRAHAM CLULEY. No, I'm not a fan of Tom Hanks, no. Oh, really? I have a problem.


MARIA VARMAZIS. I have, I have.


GRAHAM CLULEY. Some kind of problem, frankly, when it comes to Tom Hanks. There's something which just simply stops.


CAROLE THERIAULT. Do you mean Cary Grant as well?


GRAHAM CLULEY. No.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Cary Grant's great.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Jimmy Stewart.


CAROLE THERIAULT. He's all right. All right.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. Yeah. I love them.


GRAHAM CLULEY. Love them. Anyway, so you would think after Tom Hanks earned all that money from The Polar Express, that he'd be absolutely fine with people creating animated versions of himself. But no, he's not happy.

He's not happy. He's a big grumpy. He's a grumpy man sitting on top of hundreds of millions of dollars.


CAROLE THERIAULT. Tell me how he feels, because you're closest to him in terms of that.


GRAHAM CLULEY. I am. I am. In terms of age.


CAROLE THERIAULT. And also, you know, deportment. Deportment.


GRAHAM CLULEY. Right.


MARIA VARMAZIS. You look the most like Tom Hanks of the three of us.


GRAHAM CLULEY. How dare you? There's something about Tom Hanks. I'm sorry if there are any Tom Hanks fans out there.


CAROLE THERIAULT. Yeah, there's not going to be one in the thousands and thousands and thousands of listeners we have.


GRAHAM CLULEY. There's not one. There's something about him. I don't want to encourage violence, especially against someone who Trump would— Oh, okay, Trump.


MARIA VARMAZIS. But—


GRAHAM CLULEY. Geez.


MARIA VARMAZIS. Wow, shit just got real. All right.


GRAHAM CLULEY. Anyway, Tom Hanks has just warned his 9.5 million Instagram followers. Who's doing that? Who's following Tom Hanks on Instagram? I have the one, but anyway— I'm sure loads of people are.


CAROLE THERIAULT. People follow you, don't they? Apparently 9.5 million people. Yeah. How many do you have on Instagram?


GRAHAM CLULEY. Not as many as 9.5 million.


MARIA VARMAZIS. No, not as many. It's very generous.


GRAHAM CLULEY. It's comparable. Tom Hanks has told everyone, he says, there's, you may have seen an advert, which is using my face. But it's not me who's promoting this dental plan, he says.

There's a video out there promoting some kind of dental plan, he says. And they are using— Dental plan? They are using an AI version of me. And he says, I've got nothing to do with it.


CAROLE THERIAULT. He does have nice chompers, though.


GRAHAM CLULEY. He'd probably been getting 20% of the proceeds, I expect. That's what he's grumpy about.

Anyway, so Tom Hanks, despite appearing in The Polar Express and ruining many children's Christmas and some adults as well.


MARIA VARMAZIS. Some other parents. Yes, yes.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. I'm sorry, listeners.


GRAHAM CLULEY. He's got an issue with this. And it's not the first time he's had a bit of a whinge about the wonder of artificial intelligence.

Earlier this year, he was on the Adam Buxton podcast. I quite like Adam Buxton. I don't know why he invited Tom Hanks on, but anyway, he was on the Adam Buxton podcast and he said that AI could be used to extend the careers of actors. Here's what Tom Hanks said. I can't do a Tom Hanks impression.


CAROLE THERIAULT. Thank God.


MARIA VARMAZIS. You could use AI for this though.


CAROLE THERIAULT. Yeah, you need some acting skills to be able to do that.


GRAHAM CLULEY. 'Anybody can now recreate themselves at any age they are by way of AI or deepfake technology,' he said. 'I could be hit by a bus tomorrow, and that's it. But performances can go on and on and on and on.' And I thought—


CAROLE THERIAULT. That's not exactly an endorsement of AI.


MARIA VARMAZIS. No, I don't think it was meant as one. Yeah.


GRAHAM CLULEY. I thought that was a terrible thought. The thought that his performances could go on and on and on and on. Even if I do get a job as a bus driver and one day run him over.


CAROLE THERIAULT. You know, Graham, I've got to take you to task here because you have an issue with people like Piers Morgan, which, you know, I can sympathize with.


GRAHAM CLULEY. I'd run him over.


CAROLE THERIAULT. Right? But Tom Hanks has done nothing to you. You can just avoid him. He's done nothing. He's done— he's just a nice guy.


GRAHAM CLULEY. Is he a nice guy?


CAROLE THERIAULT. Maybe that's what threatens you.


GRAHAM CLULEY. Is he? I don't know. It's a bit like saying, is Carole Theriault a nice guy? I don't know. I mean, a lot of people—


CAROLE THERIAULT. I don't think she is.


GRAHAM CLULEY. I'm not sure. Is she or isn't she? I don't know. I don't know.


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. In this, in this country, kind of new reality we live in. I just don't know. I don't know what to believe anymore. All I know—


MARIA VARMAZIS. He's a deepfake all the way down.


GRAHAM CLULEY. So all his fakery goes deep is what I'm saying. Because I saw his Oscar acceptance speech all those years ago when he gets all emotional, a bit like Gwyneth Paltrow. And I think, oh, come on, this is just too much.


CAROLE THERIAULT. Was this for Philadelphia?


GRAHAM CLULEY. I can't remember.


CAROLE THERIAULT. That cheery, cheery movie about AIDS?


GRAHAM CLULEY. Well, look, don't make me feel bad because it was a worthy movie.


CAROLE THERIAULT. I think he just needs to step off a little bit. It's just a little bit too cray-cray.


GRAHAM CLULEY. Let's move on from Tom Hanks. Let's go on.


CAROLE THERIAULT. Let's do that.


GRAHAM CLULEY. To Robin Williams. Now—


CAROLE THERIAULT. You better not have a problem with Robin Williams. Just saying.


GRAHAM CLULEY. Okay, look, listen, Zelda Williams, who's the daughter of Robin Williams, she's posted on Instagram in the last week that deepfakes are at their very best a poor facsimile of greater people. And she says, at worst, they are a horrendous Frankensteinian monster.

I think she could just say Frankenstein monster. Cobbled together from the worst bits of everything this industry is. And I thought, hmm, interesting. The worst bits of the movie industry. That would be things like Flubber, I expect, from Robin Williams. And some of those—


MARIA VARMAZIS. Listen, the man's dead.


CAROLE THERIAULT. Can you leave him alone?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Well, no. He was funnier than you. I'm sorry.


MARIA VARMAZIS. Everybody has flops. It happens.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So there's lots of stars, as we know, who are getting upset about the use of AI and deepfakery. Last month, there were reports.

I think The Telegraph reported that Bruce Willis had sold his face. Not like Nicolas Cage and John Travolta swapped faces. Face Off. But apparently they reported that Bruce Willis had sold his face to a deepfake company called Deep Cake, which is a great name.


CAROLE THERIAULT. And that's really hard because he's not well, right?


GRAHAM CLULEY. Well, he's not well. Anyway, it's been denied. Apparently Bruce hasn't sold his face. So that's good.

But he has recently done an advert with Deep Cake, which uses a deepfake for him for a Russian telecoms company. So he is doing a bit of acting, as it were, without actually having to do anything because they're just using the— James Earl Jones, the great James Earl Jones.


CAROLE THERIAULT. Oh, we love him.


MARIA VARMAZIS. We love this guy.


GRAHAM CLULEY. Okay. We love him because he did Darth Vader's voice.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Apparently he's retired now, but they're using tech to keep doing Vader's voice alive and making him sound younger because he obviously is. Did you see him in that episode of The Big Bang Theory? James Earl Jones. Anyway. No.


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. Didn't miss much. So what's clear is that actors really care about this, right?

Tom Hanks, who's the governor, he's the Godfather, he cares about this. And the current Screen Actors Guild strike, that is in part, not entirely, but in part about the dangers of new technologies AI, digital recreation, leaving them out of pocket. And I have sympathy for that.

I have sympathy for that because all of us potentially, if there were, for instance, 342 hours' worth of me just prattling away into a microphone, or maybe you, Carole, as well.


CAROLE THERIAULT. I don't prattle.


MARIA VARMAZIS. Who would listen to that though? Honestly.


GRAHAM CLULEY. Who would? They could potentially create new content and that could be used to make all kinds of money for dental plans and things like this.

What sucks— So I wondered—


CAROLE THERIAULT. Can I just say, sorry, I'm just interrupting for a sec, but what I think really sucks about this is, okay, so there's some people out there doing deepfakes that are not approved, right?


MARIA VARMAZIS. And then deep—


CAROLE THERIAULT. But the way in which you handle it right now is by having to get involved in the foray and actually call attention to it and say, you know that thing that you might have seen, but maybe you didn't, but you might go look for it now, but it's not me, but it looks like me, but it's not me, just letting you know.


GRAHAM CLULEY. And that means the media then gonna write about it if you're famous like Tom Hanks.


CAROLE THERIAULT. And you then cover it on the show, yeah.


GRAHAM CLULEY. Exactly, and people will replay that fake dental ad or whatever it is that uses the AI, giving that particular promotion even more oxygen, right?


MARIA VARMAZIS. It's the Streisand effect.


CAROLE THERIAULT. Thank you very much, Graham.


GRAHAM CLULEY. Yeah, no one could fake— no one could fake Barbra Streisand.


MARIA VARMAZIS. I'm sure someone has tried that.


GRAHAM CLULEY. I love Barbra.


MARIA VARMAZIS. You hate Tom but you love Barbra? Okay. I mean, Barbra's great, don't get me wrong, but yeah, it's a consent issue, is it not?

I mean, really, if Bruce Willis's face— yeah, I mean, yeah, right? It's just a basic thing. If you say it's okay for you to do it for this one instance, then fine, but if you do it without the other person's permission, you're just stealing someone's essence.

I mean, you're putting words in their mouth, literally you're making their fake mouth say the fake words. Who wants that? Nobody. I mean, that's just creepy.


CAROLE THERIAULT. You got your AI hand up their butt and making them spout out garbage like a little puppet. That's what you're doing.


GRAHAM CLULEY. It sucks.


MARIA VARMAZIS. Beyond the Black Mirror episode. My God, it's creepy beyond all hell. It's gross.


GRAHAM CLULEY. So I'm not sure what the answer is to this, but obviously AI and deepfakes lots of people are talking about it. So there will be technology companies who are now claiming that they've got the solution.

I've seen companies saying what we need to do is proactively tag real genuine content.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Probably involving the blockchain, I'm guessing, as well. They'll introduce that in some way.


CAROLE THERIAULT. Oh boy.


MARIA VARMAZIS. That's okay.


GRAHAM CLULEY. Yep. Maybe. Or maybe the things which generate deepfake, they could embed some sort of signature.

But again, people are going to get round this, aren't they? I can't see how this is going to— Simply detecting it after the fact isn't gonna be strong enough because deepfakes are gonna get more and more convincing and so forth.


MARIA VARMAZIS. I know some chipmakers are working on that, having real-time deepfake and AI video detection capabilities. It's a thing that many of them are trying to do for this reason.

But I'm just thinking, I'm gonna flip the coin 'cause I completely understand why the actors don't want this and I wouldn't want it either. I'm thinking of a situation where there's this podcast I listen to sometimes called Doodsie where it's two comedians. I'm not gonna bother naming them 'cause either you know, you don't, that use AI and they're very explicit about the fact that they are using AI to write these crazy episodes that they are sort of reacting to.

And they actually had AI Tom Hanks, video and audio of AI Tom Hanks saying this crazy pitch for a fake movie like Ghost Train or something really ridiculous. And it's hilarious because it's obviously a fake version of Tom Hanks. They're very upfront about the fact, hey, this is fake, this is not real, this is AI. And for that, it's really funny.


CAROLE THERIAULT. But if it were you, if it were my face being used without my consent to do something super funny in my voice that I didn't—


GRAHAM CLULEY. We would be able to detect it was a deepfake in your case overall if it was being really funny.


MARIA VARMAZIS. Wow.


GRAHAM CLULEY. I think—


CAROLE THERIAULT. I know, and I'm in the same camp, I think, as Tom Hanks at the moment.


MARIA VARMAZIS. Yeah, he's so famous. People have been doing this since before AI, you know, impressions.


CAROLE THERIAULT. And granted, he got $40 million, right, for a job that I'm sure is easier than, you know, packing fruit every day, you know, for 12 hours every day.


MARIA VARMAZIS. So those are your only options.


CAROLE THERIAULT. No, I'm just saying it's a lot of money. Don't you think it's a sexy amount of change for the work? Does that mean we own him completely? That's the correct question.


MARIA VARMAZIS. No. Yeah, no, no, no, definitely not. So yeah, it is a consent thing in the end, but I'm just thinking of that random podcast where I'm making sure everyone knows that it's fake, but it is an AI version of him. So I don't know, does that make it okay?


GRAHAM CLULEY. I want to know what dental company chooses Tom Hanks.


CAROLE THERIAULT. He's got great gnashers.


GRAHAM CLULEY. We talked about that.


MARIA VARMAZIS. Does he? Yes. The best Hollywood can buy. See this Instagram thing. It looks like him from 30 years ago though.


GRAHAM CLULEY. Oh yeah, they de-aged him as well. They de-aged him.


MARIA VARMAZIS. That's almost weirder. It's where did this come from?


CAROLE THERIAULT. And I love that he has to go, "Hey guys, that's not me, by the way." I didn't record this dental plan ad when the internet didn't exist.


GRAHAM CLULEY. Maria, what's your story for us this week?


MARIA VARMAZIS. Well, mine is a bit of a PSA or a public service announcement for our listeners today about a thing that I didn't really know existed or didn't take terribly seriously. So I'll sort of walk you through my thought process on this. So what do you both think of when you hear the phrase "What is car hacking?"


GRAHAM CLULEY. Oh, normally I imagine Charlie Miller maybe hacking into a vehicle as it goes down the highway and hijacking its radio or its steering or something. Something a little bit dangerous.


MARIA VARMAZIS. Something like that. Yes.


GRAHAM CLULEY. Yeah.


MARIA VARMAZIS. Something maybe with Wi-Fi or something like that. What about you, Carole?


CAROLE THERIAULT. Yeah, no, I don't know a lot because I have an old car, right? So I just don't really know a lot about modern fangled stuff.


GRAHAM CLULEY. Carole's got an old car, so it's got a crank at the front and a man running in front of it with a red flag.


MARIA VARMAZIS. And every 30 feet you have to get out and re-crank it. Oh, when I was hearing the phrase "car hacking," I was thinking it was something basically Wi-Fi-enabled cars, or Graham, sort of along the lines of what you were saying. But I saw something on X, formerly known as Twitter, and it showed a video of a car being stolen from someone's driveway, and it took just moments, and I was sort of like "what the heck is going on here?" So I wanted to read up about it. So it basically— that one form of car hacking that's really on the rise has been over the past few years, it involves keyless entry systems. So those little key fobs. And Carole, you sort of mentioned this. So since you don't have a newer car, I don't know if you know how these work.


CAROLE THERIAULT. No, no, explain it to me. Explain it to me. I'm gonna—


MARIA VARMAZIS. I'm gonna ladiesplain it a little bit. So the new keyless entry systems that cars have where you basically don't need to take your key out of your pocket or your purse or whatever. You just walk up to your car, press a little button, and the car unlocks just by being in proximity to your car with the key.

Well, attackers figured out that's a kind of nifty little attack surface, and maybe we can use it to our advantage to steal a car. Because essentially, the car and those little keyless entry system key fobs are always talking to each other — even when you're not pressing a button, they're still sort of engaging with each other.


CAROLE THERIAULT. "Are you there? Are you there?"


MARIA VARMAZIS. "Are you there? Are you there?" Yeah, essentially, yeah, they're checking for each other all the time. So, okay, second question for you both. Where do you keep your car keys?


GRAHAM CLULEY. Well, I need my car keys in order to start the car.


MARIA VARMAZIS. Because I want to steal them right away, right?


CAROLE THERIAULT. That's how old school I am.


GRAHAM CLULEY. So Maria, I haven't had my car stolen this way. My ex-wife has had her car stolen through this method.


MARIA VARMAZIS. Oh my God.


GRAHAM CLULEY. And as a result, I keep my car keys in a little box, which is basically a Faraday cage. Oh my goodness, the device to communicate with the outside world, because this is a genuine, really serious problem. So I always put my car keys in one of those.


MARIA VARMAZIS. I didn't know this was a thing. And so essentially, so I'm going to be telling you stuff that you already know, but maybe our listeners don't know.


GRAHAM CLULEY. That's right. I'll act dumb — I'll pretend I don't.


MARIA VARMAZIS. Pretend you didn't know about any of this. Yeah, this is keyless car theft, or relay attacks is apparently the more formal name. There's a couple of different names for this.

It's becoming very popular, very popular way to steal cars. And apparently in the UK it's especially popular, so I was noticing that when I was doing the research on this.


MARIA VARMAZIS. Seems in the UK this is happening a lot. The UK National Police Chiefs' Council says it's been on the rise last several years — they've been doing a lot of studies about it.

Less is known in the US. Essentially the car manufacturers know it's a thing, but I don't think anyone's tracking it aside from AAA.


MARIA VARMAZIS. But I couldn't find any numbers — maybe listeners will find it. But essentially, if you keep your car keys on a hook near your front door, or maybe on a hook near your garage, or on a table near a door or an external wall, that can sort of be a way for a car thief to sort of hijack the signal.

It's an easy way for them to hijack the signal because the key is so close to where they are standing. So let me walk you through how the attack actually works — it's kind of fun to look at, not so fun to be the receiving end of it, though.


MARIA VARMAZIS. They use this thing called a frame antenna, and it's super basic. It looks kind of like a square coat hanger.

And the criminal stands outside your front door where they think your key is — in many cases it's a good bet — and they nab the signal from the car key fob that's continuously talking to the car. And then they've got a second friend who's standing near the car holding a portable device, and then that second friend can then receive the signal from the first guy, unlock the car, and then use that device to start the ignition and drive the car away.


GRAHAM CLULEY. That's exactly it.


MARIA VARMAZIS. Yeah, so there's no smashed glass left on your driveway the next morning. There's no car alarms to go off.

All you know when you wake up next morning is your keys are exactly where you left them. You had definitely locked your car, but your car's just gone.


CAROLE THERIAULT. And then everyone's like, "Did you really lock your car?"


MARIA VARMAZIS. "Are you sure?"


CAROLE THERIAULT. And you're like, I saw— come to percent sure.


GRAHAM CLULEY. Yep.


MARIA VARMAZIS. And you call the police and they ask you that question and they're like, well, there's no evidence of a crime or whatever. And you're just like, what the hell is going on here?


CAROLE THERIAULT. Right, Graham? That's how you guys felt, I'm guessing.


GRAHAM CLULEY. Yeah. It didn't happen on my watch, can I stress?

But so happened to my ex-wife. But obviously, you know, she was very shocked by what happened.

And it is so easy to do. And it is very common, at least here in the UK it is.

And people are typically stealing cars to order or high-value cars. So she had quite an expensive car, which is what they stole.

And it is as though someone has walked up to a car with the keys in their pocket because it's relaying the signal from the key, which is still inside your house when it happens. And that's why I keep my key in one of these little special boxes to prevent people from working.


CAROLE THERIAULT. Would you buy it online or something?


GRAHAM CLULEY. You can buy them online or you can buy them at shops and you can test that they actually work because you can put your keys inside the box, then walk up to your car with the box. And if your car won't open until you open the box, then you know that the box works.


MARIA VARMAZIS. Ah, that's a very good way to test it. Yeah, because apparently earlier this year on everyone's favourite social media channel, TikTok, there was a viral car theft challenge.

Oh my goodness. Teaching people how to actually steal cars with this relay attack method.

And if you want to buy the kit online for basically the frame antenna, it's 80 pounds, $100, right? So not expensive.

And the range that these antennas can usually pick up the key fobs from is 5 to 20 meters. So it's actually, that's more than I would have thought.

So I was thinking, man, even if your key's not by the front door, it's 60 feet. Your keys can be pretty far into your house and they could potentially find the signal.

And the UK car security company Tracker said 92% of cars that were recovered last year were taken without using the keys. So I'm not saying it's all with this attack, but this is the problem with this country because very few villages have driveways, right?


CAROLE THERIAULT. Their houses are right on the roads with a tiny front garden. So we're— No wonder it's going rife here.

In the States, at least a lot of people live in the, you know, have a bit of front lawn to give them some distance.


MARIA VARMAZIS. Well, people just walk up to people's cars and driveways, even in the US. I've seen videos of it here.

They'll just walk up at night when people are sleeping.


GRAHAM CLULEY. I think the real problem here is the car companies. Because why do we have this keyless entry to vehicles?

Why, when I walk up to my car, if I've got my keys in my pocket, why does my car start to unlock? And expect me just to press a button?

Why isn't it that I have to press a button on the actual key for it to send the signal to communicate with the car to unlock it?


CAROLE THERIAULT. Well, that's how it worked when my car was alive and remains alive.


GRAHAM CLULEY. Yeah, yeah, yeah. With your car, absolutely.

But what they've done is they've introduced this feature and there's no way to turn the bloody thing off. Because I, for security reasons, would like to turn that off in my car so that I don't have keyless entry.


MARIA VARMAZIS. Of course.


GRAHAM CLULEY. I want to be— They have to press the button or something.


CAROLE THERIAULT. And they have no other option. They don't have a dumb option.


MARIA VARMAZIS. No. And for several years now, because apparently this started really becoming an issue at the beginning of the pandemic, and it's only gotten worse. Apparently, several trade groups have written to the car manufacturers, and they've responded, the manufacturers, saying we're aware of the issue, and haven't really promised any action necessarily.

Although, as far as I know, Ford has said that its newer models are going to have the option to put the car into sleep mode. So essentially to toggle this off, but it sounds like it's not always off. I don't really understand what the sleep mode necessarily, how sustained that is, but it is an option.

But a lot of the other ones are kind of well, the convenience of being able to unlock your car easily without having to rustle your things out of your bag is worth it for our customers. So when I was trying to figure out what I should do about this, 'cause my cars are very close to the front of my house, I live in a small house.

Small driveway, 20 meters.


CAROLE THERIAULT. Same, same.


MARIA VARMAZIS. Yeah, that's basically the extent of my home. So anywhere I put a key is not going to be terribly safe.

I was reading the suggestions online. Some people were saying put it in a Mylar bag, which I don't think Mylar is really the solution there, but maybe people are it's shiny, so that will do it. A lot of preppers really love wrapping things in tin foil as their favorite Faraday cage, or lining a shoebox with tin foil completely.

I've heard that as a homemade Faraday cage in the prepper community. I've always thought that was funny, but that doesn't really work either. Another suggestion was to put your car keys in the refrigerator.


CAROLE THERIAULT. Oh, that's not— that's not dumb, actually.


MARIA VARMAZIS. It's not. I'm just—


CAROLE THERIAULT. I would never—


MARIA VARMAZIS. I would forget they're in there, and I'd be it's next to the lettuce.


CAROLE THERIAULT. I know, you have to pick them up.


MARIA VARMAZIS. Yeah, cold keys, everybody's favorite, especially winter. My favorite is put it in a cookie tin, a little metal cookie tin, which historically was what grandmothers would put sewing supplies in. So I'm just imagining kids looking at the cookie tin and going, "Oh, there's cookies!" And instead of it being sewing supplies.


CAROLE THERIAULT. Yeah, an old dictionary, you could dig out the middle and—


GRAHAM CLULEY. You can do that. Is that gonna stop— I mean, that's the thing. Whatever you choose, you've got to test that it properly works.


MARIA VARMAZIS. Yep.


GRAHAM CLULEY. And also you've got to make it easy enough that you don't have to always remember, "Oh, gotta get some more tinfoil and wrap it up," because you won't. So I think just buy yourself a little box and put it somewhere convenient. And just make it a habit of always putting your key in there.


CAROLE THERIAULT. Good advice.


MARIA VARMAZIS. Yeah, they sell Faraday pouches or wallets that you can use. So they're available.

But you can also just keep— if you have a larger property, I suppose you could keep your car keys away from a front door, especially if your front door is near your car. I don't know if that'll actually help, but that is an option.


GRAHAM CLULEY. Let the air out of your tyres, maybe. There'd be another suggestion.


MARIA VARMAZIS. I've actually read suggestions of literally putting a metal boot on your car when you park it. Oh, clamp it. Yeah, yeah, yeah.


GRAHAM CLULEY. Clamp it. Yeah, yeah.


MARIA VARMAZIS. Literally just make it impossible.


GRAHAM CLULEY. Not inconvenient at all.


CAROLE THERIAULT. I used to have a wheel clamp, a steering wheel clamp. It was a massive thing.


MARIA VARMAZIS. Oh, the club.


CAROLE THERIAULT. Yeah. And I used to have a little fast nippy car for a little while. And yeah, anyway, it was a pain in the ass to use, but no one stole it. I did use it all the time.


MARIA VARMAZIS. I also had a club in the '90s. I drove a little shitbox and that was the only way it never got stolen.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Yup, yup.


MARIA VARMAZIS. Well, FYI for listeners, I didn't know about any of this, so I hope it helps somebody not get their car—


CAROLE THERIAULT. Great story—


MARIA VARMAZIS. Not have their car get stolen.


GRAHAM CLULEY. That is a terrific PSA. Well done.


CAROLE THERIAULT. I thought you were talking about a prostate exam. That's what she said. That's what I did. That's why I was all confused at the beginning when she gave her title. PSA on that. I'm what do prostates have to do with anything. This show's insane. No, it's just me.


MARIA VARMAZIS. That feels a challenge for next time I'm on. I have to make a prostate-related story. I'm not doing that though. I'm not.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. Do you remember, of course you will remember, the old days when we used to talk about DoS attacks or denial of service attacks or distributed denial of service attacks? And this is typically when an unauthorized third party or a baddie dings a website over and over and over and over again, you know, effectively flooding the server so it can't deliver actual content to actual visitors.


MARIA VARMAZIS. Yes. Graham, I think you had a really great way of describing that back in the day of 15 fat men going through a rotating door or something at once.


GRAHAM CLULEY. I think I changed it to hippopotamuses because I didn't want to upset anyone who was large.


MARIA VARMAZIS. It was a very good explainer.


CAROLE THERIAULT. That's perfect. So everything gets squeezed and nothing gets in or out and it's a big old mess. And there are a few better known DDoS attacks. Do you guys remember the February 2020 attack reported by Amazon services, AWS?


GRAHAM CLULEY. Ah, this was the attack on Dyn, the DNS service or something, was it?


CAROLE THERIAULT. No, no, Dyn's another one. That was another one. Yeah, that was in 2016. No, this one was known because at its peak, this attack saw incoming traffic at the rate of 2.3 terabits per second. Wow. Now, I have some unreliable visual from Quora. So this poster claimed to have worked out what a terabyte is in terms of Webster Dictionaries. Okay.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Okay. So he says 100 Webster Dictionaries would fill a gigabyte and 100,000 would fill a single terabyte. And assuming a dictionary is 5 centimeters thick, 100,000 of them would make the stack approximately 5 kilometers high and weigh 250 metric tons. Dictionaries, paper dictionaries.


GRAHAM CLULEY. It's kind of beautiful though. If you were to put badgers on top of each other, how high would that clump of badgers be?


CAROLE THERIAULT. I think that would probably be about similar.


MARIA VARMAZIS. Crystal clear. Crystal clear, yes.


GRAHAM CLULEY. Okay, I think now everyone understands just that this is a big deal is what you're saying, yeah.


CAROLE THERIAULT. And then you were mentioning the DDoS attack. Do you remember it, Graham? What can you tell us about it?


GRAHAM CLULEY. It was a big DDoS attack against lots of websites. Wasn't it the one which exploited IoT devices? Yes.


CAROLE THERIAULT. Right. Mirai, exactly. So the cameras, smart TVs, radios, printers, even baby monitors, they were compromised. And then these devices were all programmed to send requests to a single victim.

So all the big sites got affected: Airbnb, Netflix, PayPal, Visa, Amazon, New York Times, Reddit, GitHub, on and on and on. And basically, these type of DDoS attacks at the heart is about rendering a website or service useless, which is the exact opposite of the attacks we see today, where someone's trying to sneak in and take loads of stuff away from you that you own, right?

But there are occasionally motivations for taking down a website, right? What motivations come to mind if I told you that earlier this week, the Royal Family in the UK, their website was taken down?


GRAHAM CLULEY. Was it Harry and Meghan who did it? Was it them who attacked the Royal Family?


CAROLE THERIAULT. Tom Hanks was probably in on it as well.


MARIA VARMAZIS. Yeah, probably. That would figure.


CAROLE THERIAULT. No, no, it turned out there was a distributed denial of service attack targeted at the royal family, flooding the online service with an overflow of, well, fake users, if you want, or fake pings. And why would anyone want to do that to ready King Charles and plucky Camilla?


GRAHAM CLULEY. Why would anyone be going to the royal family's website anyway?


CAROLE THERIAULT. Can you go there now? Okay.


MARIA VARMAZIS. Yeah. What do they have?


CAROLE THERIAULT. I actually didn't even go and visit the website, which is outrageous. So it's royal.uk. Royal.uk. Which I didn't even know.


MARIA VARMAZIS. Ooh. Nice URL. It's behind Cloudflare. Cloudflare. Yeah, I just got that too.


GRAHAM CLULEY. They must have turned that on. Yes.


CAROLE THERIAULT. Good on. Yeah, maybe they hit it real quick.


GRAHAM CLULEY. Well, you can just turn it on if you're suffering an attack. That's true. So maybe they did that. Anyways, there's some lovely pictures there of the King and Queen Camilla.


MARIA VARMAZIS. Their website's very nice and responsive. Nice design. They put some money into this.


GRAHAM CLULEY. Yes. Some press releases. So a state visit by the President of the Republic of Korea. Excellent. South Korea, I imagine. Excellent. Good, good.


CAROLE THERIAULT. Anything about France?


MARIA VARMAZIS. France, yes. State visit to France. Yes.


GRAHAM CLULEY. They did a visit to France.


CAROLE THERIAULT. Yes. Keep that page. Keep that page. We're going to come back to that. We're going to come back to that.


GRAHAM CLULEY. Okay. There's a picture of President Macron and his old drama teacher there. That's right. Who's— yes.


MARIA VARMAZIS. Kind of a terrifying photo of her.


CAROLE THERIAULT. Anyway, so someone claimed responsibility for the attack, and they go by the name of Killnet. Does that ring any bells? Killnet? Killnet reportedly heads up the Killnet group, a group that seems has pretty close ties to Russian political agendas.

Okay, yep. So according to the Five Eyes intelligence network— that's, you know, agencies in Canada, Australia, New Zealand, US, UK— they warned last year that Killnet was one of several hacker groups that had pledged to support Russia and threatened to attack anyone who attacked Russia or supported Ukraine.

These are the guys that attacked the Eurovision Song Contest last year. Do you remember that? Because they were in an attempt to stop Ukraine winning.


MARIA VARMAZIS. Oh yeah, that day will go down in infamy. Yes, yes.


CAROLE THERIAULT. So why would the royal family website royal.uk be taken down last Sunday morning? Turns out just days after King Charles condemned the invasion of Ukraine, the site was taken down.

See, King Charles, in what some are calling a wholly unprecedented move, dished some strong words speaking out against Russia's invasion of Ukraine during his landmark speech in the French Senate last Thursday morning, mere days before the royal family's website was targeted.


GRAHAM CLULEY. Okay. How scandalous of him to have an opinion and to express it.


CAROLE THERIAULT. He described the war as horrifying. King Charles also reportedly said Ukraine must win its war and invoked the unity of Britain and de Gaulle's Free French movement in the Second World War as an example of the need to stand together against unprovoked aggressions on our continent.

Oh, I was, what are you doing? Because I guess I'm used to the Queen's cool head. His mom had a cool head. You're the only true Brit here, Graham.


GRAHAM CLULEY. What do you think? Well, I think we need to modernize the royal family.

And if that— what he said doesn't seem controversial to me. It seems quite legitimate. I mean, you wouldn't— you would expect the head of state to probably have that point of view regarding the war in Ukraine. I'd be more surprised if he went the other way.


MARIA VARMAZIS. Yeah. Goodness.


GRAHAM CLULEY. You were surprised that he had an opinion or that he expressed an opinion. I was surprised that—


CAROLE THERIAULT. No, no, of course I'm not surprised he has an opinion. I'm surprised that he vocalized it. Yes. And in the way that he did.


GRAHAM CLULEY. I guess it sets a precedent and maybe we're going to hear more outpourings of opinions from Charles in the future about other countries too.


MARIA VARMAZIS. I'm reading his— I mean, maybe there was some other statement that he made, but I'm reading his speech and he mentions Ukraine in light passing. It's not like he went on and on about it.

But he did enough to upset this Killnet group.


CAROLE THERIAULT. So what a lame thing to do.


MARIA VARMAZIS. It's not even, okay, yeah, you DDoSed a website. Good job. What is it, 1997 all over again?


CAROLE THERIAULT. Big whoop. The upshot is the site was taken down for 90 minutes, displaying an error message on Sunday morning to those desperate to find out what people were up to on royal.uk, which would be the first place I would go on a Sunday morning.


GRAHAM CLULEY. It's my homepage normally. Yeah.


CAROLE THERIAULT. And in a way, you say, it's not a big deal, right? Buckingham Palace did the right thing. They got it back up and running. They told the world in a timely manner. Ransomware.


MARIA VARMAZIS. I would have been more impressed if they'd hacked their social media. DDoSing a website, no. Hacking the social media, okay. Yeah.


CAROLE THERIAULT. Does Prince Charles— or sorry, King Charles— have social media?


GRAHAM CLULEY. Oh yeah, yeah, they're on Twitter and Instagram and all that stuff. I don't know if they're doing TikTok dances yet.

They're not twerking? Oh geez, no.


MARIA VARMAZIS. I think you're mixing them up with Fergie now. She's no longer a member of the royal family.

@theroyalfamily has 13.1 million followers on Instagram. Wow.


GRAHAM CLULEY. More than Tom Hanks. If your SIEM is causing an endless cycle of noisy alerts, manually writing generic detection rules, and limited data ingestion and retention, your SOC might need an upgrade. Well, Hunters is a SaaS platform purpose-built for your security operations team.

With Hunters, you can ingest and normalize as much data as you have at a predictable cost without having to compromise on visibility and retention. Automatically cross-correlate data logs from your entire security and IT stack to connect and track events throughout your organization without switching screens. And leverage out-of-the-box SOCs and always up-to-date detections that cover 80% of security use cases.

Solaris Group, a leading German fintech, implemented Hunters' SOC platform to eliminate the burden of redundant detection engineering and manual event correlation, allowing SOC analysts to focus on higher-value tasks. Visit hunters.security to learn how your SOC can move beyond SIEM. That's hunters.security, and thanks to Hunters for supporting the show.


CAROLE THERIAULT. And we thank DEVO for sponsoring the show. SOC analysts are often overworked and underappreciated. In fact, many consider leaving their jobs or changing careers altogether.

DEVO is hosting the 3rd annual SOC Analyst Appreciation Day. This year's program includes presentations and discussions from some of the InfoSec community's most prolific thought leaders, including the likes of YouTube creator John Hammond, CISO Olivia Rose, and unpopular opinion guy Joss Copeland.

This event will cover everything from real-life use cases to SOC automation, managing your mental well-being, and more. You won't want to miss it.

Join DEVO and other cybersecurity industry professionals on October 18th, 2023 for sessions and panels focused on destressing, SOC career development, and more. Visit smashingsecurity.com/devo to register. That's smashingsecurity.com/devo.

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common: It's employees.

Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.

Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT.

The good news is you don't have to imagine this world. You can just start using Kolide.

Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. And welcome back and join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security related necessarily. Better not be.

Well, I've got a question for both of you. What's the best Christmas movie of all time?

Die Hard.


CAROLE THERIAULT. Polar Bear Express.


GRAHAM CLULEY. Polar Bear Express. A different— Polar Bear Express.

That's the porn version, the Polar Bear Express.


CAROLE THERIAULT. My husband's away, I miss him.


GRAHAM CLULEY. I would like to argue that the greatest Christmas movie of all time—


CAROLE THERIAULT. It's a Wonderful Life.


GRAHAM CLULEY. No, it's not It's a Wonderful Life. It is the 1940s rom-com The Shop Around the Corner with James Stewart and Margaret Sullavan. I don't know if you've— have either of you ever seen it?


MARIA VARMAZIS. No, I've never even heard of it. I may have.


CAROLE THERIAULT. I gotta look.


GRAHAM CLULEY. It's set in beautiful Budapest, and they work in a shop together, and they're kind of, you know, those rom-coms where they don't get along at first and they're kind of having a go at each other, and then they fall in love right at the end. You know, those sort of rom-coms which are sweet. Well, in this particular one, they both have an anonymous romantic pen pal.

And what they don't know is the wonderful person who they're chatting to is the other person. So they're actually secretly— Now, it is a great movie and a wonderful thing, and it has only ever been tarnished by one thing, which is my nitpick of the week. Because I was recently required to watch a Tom Hanks movie.


MARIA VARMAZIS. It all comes out now. All right.


GRAHAM CLULEY. It all comes out called You've Got Mail.


MARIA VARMAZIS. Oh, for fuck's sake.


CAROLE THERIAULT. You've Got Mail. How can you? Isn't that Nora Ephron?


GRAHAM CLULEY. Yeah, Nora Ephron. That's right. She did Harry Met Sally. We love that one. You've Got Mail is loosely based on The Shop Around the Corner.

In fact, Meg Ryan's shop in You've Got Mail is called The Shop Around the Corner. Can I tell all of you, go and watch The Shop Around the Corner from the 1940s, which is wonderful and doesn't have Tom Hanks in it, because it is a great, great thing. So my pick of the week is The Shop Around the Corner, which is a wonderful movie. My nitpick is this constant remaking of perfectly good movies and producing inferior versions.


MARIA VARMAZIS. I love that this explains your Tom Hanks animosity. This is great. Came full circle.


GRAHAM CLULEY. Maria, what's your pick of the week?


MARIA VARMAZIS. Okay, I'm gonna do— okay, I'm gonna start with my nitpick. We're going back to naked security again.


GRAHAM CLULEY. Last week we were chatting about it.


MARIA VARMAZIS. Yes, a bunch of names were mentioned and I was not one of them, and I felt sad.


CAROLE THERIAULT. So Maria was a very important part of naked security.


MARIA VARMAZIS. I was not. I just was a small part of it, but I was part of it. I was very unimportant, to be clear.

But there were a lot of us who worked on it, but I was— I'm sorry. All good. I've done my drama. For my pick of the week is something very geeky nerdy because I am in the throes of Halloween season. Oh yeah, my kid wants to be the Light Dragon from Tears of the Kingdom. I was like, you want to be what for Halloween?


GRAHAM CLULEY. Oh, for that from the Zelda game?


MARIA VARMAZIS. From the new Zelda game? Yeah, she's obsessed with that Light Dragon, and the Light Dragon glows those, as the name might imply, there are lights. So I have been learning how to incorporate LEDs into costuming for this costume that I'm making.

And this website I came across to buy the LEDs is called evandesigns.com, and it is very old school in a way that I love, in that it's a little niche part of the internet for hobbyists, and it's full of a lot of good hobbyist information, exactly what you need. How do I build this thing? Or how, if I'm trying to, I don't even know what I don't know. Can you please walk me through it? A top to bottom guide. Oh, wow.

And it's very competently done. And it's meant for people who do hobby trains, train sets, but he's got a bunch of stuff for people who do costuming. And for someone who has a very basic understanding of circuitry, but very basic. But even I was reading through this. I'm like, I can definitely handle making, you know, a string of LEDs, something like this, thanks to his help. So I'm just giving a shout out to that, evandesigns.com, because I really appreciate their help.


CAROLE THERIAULT. Cool. We need pictures. They've got some very cool looking stuff here.


GRAHAM CLULEY. For just $15, the equipment you can, I imagine, put on your car or maybe on your toy car to give it a Knight Rider style LED.


CAROLE THERIAULT. I should do that on my car. That'd look amazing.


MARIA VARMAZIS. And if you want to light up your TARDIS, they have a kit for that as well. Yes, no, yes they do. And they have Geiger counter sounds and, yeah, all sorts of stuff. Yeah, yeah. So all your LED needs are at Evan Designs, but they also have a lot of resources on how to actually make the stuff work in the way you want it to, which is nice to see that people are still sharing that information. And it's not video, it's written. God bless it. I can just read it. Beautiful.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. So mine's a book that I've experienced, right? I love a good whodunit. I was looking and someone described a whodunit as a book full of manners and intrigue. And I love that. That's kind of true. It's your Sherlock Holmes kind of thing. And it's rare that you get a good one. So often they can just be a bit predictable. And maybe it's great for new readers to the genre. But if you've been around the detective block a lot, it's hard to be surprised.

So my pick of the week is a book I'm enjoying called The Eight Detectives by Alex Pavesi, P-A-V-E-S-I. And I'll quote The Guardian here because they say it so well. So it is a set of seven Golden Age style mysteries where an abundance of brutal slayings in genteel surroundings are rendered in a heightened pastiche of the form. So, in my terms, rollicking fun read. And it's surprising how the attacks transpire. There's this one scene where a victim is killed with a detachable tine from a fork. Right? Crazy. So, all kinds of cute things.

And even better, all of these short stories, these 7 short stories, are nestled within a greater narrative where you have this fictitious author, Grant McAllister, and he's discussing his own set of detective rules for how you write a detective story with an editor. And this leads to the 8th murder mystery, which I'm getting to this evening.

If it sounds like your thing, it's great. I'm enjoying it a lot. Eight Detectives, a novel by Alex Pavesi. And that is my pick of the week.


GRAHAM CLULEY. No nitpicks. Very good. Well done on no nitpicks. Nope.


MARIA VARMAZIS. Not a single nitpick. Nope. Everything's perfect.


GRAHAM CLULEY. Now, Carole, you've been having fun this week chatting to the guys from DEVO.


CAROLE THERIAULT. Yes, I spoke with Kayla Williams, Devo's very own CISO, and we talk about SOC Analyst Appreciation Day. This is where you'll be appreciated, guys. Listen up, listeners. Today on Smashing Security, I am chatting about all things SOC with security analytics platform Devo's very own CISO, or I should give the whole title, Chief Information Security Officer, Kayla Williams. Very warm welcome to you, Kayla. Thanks for coming on the show.


KAYLA WILLIAMS. Thank you so much for having me. I'm really excited to be here.


CAROLE THERIAULT. Cool. Now, Devo Technology is a cloud-native platform designed to defend all the nasty stuff out there. But more than that, the Devo team are the people behind the SOC Analyst Appreciation Day. But we're going to get to that in a second. First, Kayla, I would love if you could tell us a little bit about you, your background, and maybe how you ended up at Devo as their CISO.


KAYLA WILLIAMS. Yeah, wow, where to start? So I'm Kayla Williams. I have been the CISO here at Devo for a little over a year and a half now. The way I got here is a very curvy road, if you will. I wouldn't say bumpy, I'll say curvy, because I am not a traditional, technologically sound CISO. I am what I like to call a GRC CISO because that is my background. As we all know, the laws and regulations and the privacy, technical privacy landscape, everything is changing so rapidly. And really, GRC or governance, risk, and compliance is the foothold of a security program because they're able to easily pivot. So my background, I graduated with a bachelor's degree in accounting. Went on—


CAROLE THERIAULT. That's good, you got to know your numbers.


KAYLA WILLIAMS. Yeah, I went on to become an external auditor, and I hated it after a while, which I'm sure many of you who are listening have worked with auditors before, and you're like, oh my God, they're driving me crazy. Try being one. So I did that for a couple years because my track in my mind was I was going to get my CPA, Certified Public Accountant, certification, and then move on to being a CFO eventually. And since I didn't like it, I decided to move out of that field into the wildly different field of internal auditing. And I worked at a financial services company for 8 years. And in that time, I was an internal auditor for 3 years and then moved into security because they were looking for folks who understood process. And that's something that auditors do very well. You give credit where credit's due.

Yes, I was able to come in and understand process and the risks associated with if a process goes wrong. And I was in that company for 5 years, moving into various roles doing security consultancy, security program management. The team acquired the enterprise risk management team and it became a CISO or information security and risk officer organization. So then I moved into an enterprise risk management role for North America. And after that, I was like, well, there's really nowhere else for me to go here.

So I moved over into a director of GRC role at LogMeIn, which is now GoTo. So GoToMeeting, GoToConnect. They used to have LastPass, that company there. And I did that for 3 years. And it was great. There was 20— at the time, there were 23 SaaS products in the portfolio. And that gave me SaaS experience because all the teams are doing something different, right? The CI/CD pipeline was different. The processes were different. The output was different. I ended up at Devo because our chief operating officer at LogMeIn came over to Devo as the CEO, and I ended up following him here.


CAROLE THERIAULT. Aha, that is a really interesting background though to a CISO. I don't think I've heard anything similar, and I can see how those building blocks would help you be such a great asset because you understand risk, you understand process, and you understand security.

I wondered if you could help me understand the role of a security operations analyst because we use this term SOC, right? SOC analysts. And just for some of our listeners, I know most of them totally know what this is, but there's gonna be some of them that are gonna really appreciate an explanation from you—what's in their day-to-day, what are they responsible for?


KAYLA WILLIAMS. You know, it's very much like all the other roles in security. The SOC analyst role can vary depending on the organization or the industry that you're in.

However, you know, the day-to-day is really logging in and checking for any potential incidents or events—anomalies, if you will—that you're not expecting to see. And then investigating that, each company has their own risk that they're willing to take. You have to take risk just to have a company going, right?

So every company's going to be a little bit different, but logging into your SIEM, which I hope it's Devo, and seeing what's happening, what's been triaged or not triaged yet, and then doing your investigation. Unfortunately, there is a lot of monotony there, especially for the level 1 SOC analysts who come in typically—the ones that are moving into the field for the first time that are in school or have just graduated and want to get their hands dirty with security.

You're gonna be going through a lot of your alerts, looking to see for any potential indicators of compromise or IOCs, and kicking off your own—I would call it a mini investigation on your own—before you escalate it up your chain of command to say, okay, I've now identified something. And I think that is exciting when you identify something.

It's not always great when you identify something, but for the company, I mean, but for the individual, that's exciting. It's like, hey, I'm noticing something that's—this is an anomaly. This pattern isn't following patterns.

There's maybe some user behavior that isn't expected. Or one of my favorites that I hear a lot about is the impossible traveler—Kayla logged into Boston, she lives in Boston, that makes sense. But all of a sudden, 20 minutes later, she's logging in from Alaska.


CAROLE THERIAULT. You're spotting anomalies. It's almost needle in the haystack work.

But when you find that needle, it can be really glorious for the person because, you know, you've done your job.


KAYLA WILLIAMS. Exactly. And that gratification of actually finding something and then also helping your organization to reduce its risk. And that's really where I feel the SOC analyst is underappreciated, which will come into the day that DEVO has to celebrate them.

But this team, the SOC team, is really your first line of defense. They're your eyes on glass. They are seeing things that it's coming in and out of your environment with precision and accuracy. And are mistakes made? Sure, but mistakes are made in every role.

Things do get by, but they're really the unsung heroes of your corporate defenses and having those folks understand the business, understand what's normal, what's not normal, expected, unexpected, however you want to phrase it, really arms them with the knowledge to reduce your risk profile. They are essentially preventing financial loss, reputational risk, regulatory risk, obviously information security risk as well.

The branding piece and the reputational risk is something that's often discounted. And that's where people say, oh, security is a cost center. Absolutely not. In my opinion, maybe I'm the only one that feels that way, but no, security is not a cost center.

They're saving your brand. They're saving your customers, saving face, if you will.


CAROLE THERIAULT. Listeners are going, we're with you, Kayla. We agree.


KAYLA WILLIAMS. And you know, when the renewals come up or when new prospects are asking about your defenses, that's your SOC. Number one is your SOC.

And yes, we are a very expensive team to have, but balance that with your brand that you're protecting, whether it's a multi-million, billion-dollar brand, it's well worth the cost to keep that going.


CAROLE THERIAULT. But, you know, ultimately this isn't an easy job though.


KAYLA WILLIAMS. Oh, absolutely not. And because of coming into this role here and now having the SOC Analyst Appreciation Day, I'm very much aware of how little, in the past where I've worked, it's been acknowledged, because you're always on. There's always alerts, there's flooding of alerts, the monotony of having to go through them and make sure that, you know, if they're false positives, marking them as that, opening an investigation, writing rule sets to make sure that, you know, if you're seeing patterns that are all false positives, making sure that those are marked as such and removed from your product processes, and it's just a constant bombardment of noise.


CAROLE THERIAULT. So tell me a little bit about the upcoming 3rd Annual SOC Analyst Appreciation Day.


KAYLA WILLIAMS. So we are hosting it, socanalystday.com. If you have not registered, it's October 18th.

Please do, even if you are not in the SOC and you were just thinking about coming into security. It is a fantastic way to learn about the field because I think something that's often overlooked is people are, yeah, I want to get into security, there's a lot of jobs.

You have to be mentally tough to be in this field. I think we all deserve credit for that. The event is our third year, as you mentioned.

From year one to year two, we nearly doubled the number of people that attended. So this year we're hoping to have another record-breaking event. It is all online, but it is all day.

So you can come in, you can, you know, obviously being in a SOC, you probably have to have eyes on screen. You can listen to it in the background. You will hear my voice, unfortunately or fortunately, I don't know.


CAROLE THERIAULT. You have a great radio voice. I think they're going to be in heaven. But it's a wonderful event.


KAYLA WILLIAMS. This is my second year co-hosting it. I'll actually be in the studio recording all day. I'm co-hosting the full event all day, but I'm also moderating a panel, There's a Seat for Everyone in Cyber, that will touch upon what you and I just discussed a few moments ago around complementary skill sets and being able to transfer people in from other fields, because that non-traditional background that I have has really opened up my eyes to how many other people could be in this field but maybe lack a cybersecurity degree or engineering background. And it's certainly a way to address some of the shortages that we're seeing across the board.


CAROLE THERIAULT. Absolutely. And it also gives people out there that maybe are feeling stuck in a rut, maybe you're in accountancy and you're thinking this isn't for me, and you might find that cybersecurity desperately needs your risk assessing and your number crunching, right? We need all those skills.


KAYLA WILLIAMS. I couldn't agree with you more. And I actually spoke at Blue Team Con in Chicago about a month ago on the non-traditional paths into security, and I did a segment on those complementary skill sets where I put them up on the screen and was drawing arrows between, you know, being an accountant and what kind of skill set that is. So having the attention to detail, being able to quickly analyze two sets of data and having the wherewithal to see those discrepancies that might be there, those patterns that have changed. And my favorite story, which I talked about at the event:

A friend of mine hired a former bus driver as an incident response manager because this individual was used to having to write reports, being very detailed, and also de-escalating situations. Another session that is extremely important to me is the mental health session that Peter will be running from CyberMindz.

I had the pleasure of meeting Peter at RSA and at Black Hat. He came over from Australia, did his US launch back at RSA, and CyberMindz is amazing. They have a program that is for cybersecurity professionals like all of us, and they come in and they teach you how to better deal with stress, because we have more stress than some people that were on the front lines during the pandemic in our day-to-day. And 77% of the respondents to the survey that Devo did with Wakefield Research have said that their stress levels at work directly affect their ability to keep customer data safe.

They're making mistakes, they're not seeing things, they are so stressed out because they're so afraid they're going to make a mistake, that anxiety. And as someone who has anxiety, and I talk about it openly, I do take anxiety medication.

It is certainly a session that I highly encourage folks to attend. That's with CyberMindz, one word with a Z at the end. And then of course, John Hammond has SOC Hacks.

So John is on my television screen, on my YouTube every time I turn it on. My husband's like, who is this guy? I'm like, oh, that's John.


CAROLE THERIAULT. And this is free to attend, right? So yes, absolutely, October 18th, 2023, and this is the SOC Analyst Appreciation Day brought to you by Devo and hosted by our very own Kayla Williams.


KAYLA WILLIAMS. Yes, very much looking forward to it. I hope everyone can register. Please do.

As we said, it's free all day. You can have it on the background and get some appreciation, much deserved and much needed SOC Analyst Appreciation Day.


CAROLE THERIAULT. If anything ever sounded like a mental health day, this does, because you're going to get all the love that you need. Now, if you guys want to register, this is where you go: smashingsecurity.com/devo.

That's D-E-V-O. So smashingsecurity.com/devo. And is there anything else you'd like to add, Kayla, before we wrap up?


KAYLA WILLIAMS. No, I think this covers everything. Thank you so much for having me. This was a pleasure and such a great time talking to you. Thank you.


CAROLE THERIAULT. Thank you for coming on the show and for talking to us all. It's been amazing. And I think we're going to get lots of signups, right, listeners?


GRAHAM CLULEY. Super stuff. And that just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


MARIA VARMAZIS. Well, if you want to hear my voice in your ear holes every day, and I'm sure—


CAROLE THERIAULT. Of course you do, of course you do—


MARIA VARMAZIS. My very own show, it is called T-Minus Space Daily. We talk about space, all things space, space industry, commercial space, all the good stuff, and a little bit of space cybersecurity too. So you find it wherever fine podcasts are purveyed, or at space.n2k.com. And I'm also @mvarmazis on Twitter and @Varmazis on mastodon.social, M-A-S-T-O-D-O-N dot social. Super duper.


GRAHAM CLULEY. And you can still follow us on Twitter @SmashinSecurity, no G, Twitter allows to have a G, and we have a Mastodon account as well. Look for us up there. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Devo, Hunters, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 341 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye-bye. I feel I might have given Tom Hanks a bit of a hard time in here. It was perhaps a little—


MARIA VARMAZIS. You definitely did. You did. You did. You think you hate his guts?


GRAHAM CLULEY. I just— I did see one movie with Tom Hanks in. Well, other than Toy Story. Toy Story's all right.


MARIA VARMAZIS. But— You didn't see Cast Away or anything like that?


GRAHAM CLULEY. I know I can't watch it because it's got Tom Hanks in it. I saw the movie—


MARIA VARMAZIS. That's a tautology though.


GRAHAM CLULEY. Yeah. I saw the movie The Post, which I thought was really good. And it was only three-quarters of the way through when I realized one of the actors was Tom Hanks. And I thought, oh, this is actually all right. So maybe it's only when I recognise Tom Hanks that I've got a problem. Forrest Gump? Never watched it. It's got Tom Hanks in it. Yeah.

-- TRANSCRIPT ENDS --