347: Trolls, military data, and the hitman and her

A woman's attempt to hire an assassin online backfires badly, it's scary just how cheap it is to buy information about US military personnel, and trolls and tattoos don't mix.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Plus don’t miss our featured interview with Jason Meller of Kolide.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Panoptica – Panoptica is a cloud native application security solution connecting developer and security teams to their organization’s biggest cloud threats from code to production.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. What would you choose? Okay, both of you. You're world-class assassins. What's your name?


GRAHAM CLULEY. Clot.


CAROLE THERIAULT. Oh, yeah, you'll get calls. Dave?


DAVE BITTNER. I don't know, maybe Spike?


CAROLE THERIAULT. Yeah, oh, Spike. See?


GRAHAM CLULEY. Spike.


CAROLE THERIAULT. I think I'd go for something obvious. I'd go Foofy.


GRAHAM CLULEY. Foofy. Is that the sound? Does the bomb go foof?


UNKNOWN. Smashing Security, episode 347. Trolls, military data, and the hitman and her with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 347. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And drum roll please, because it is once again podcast royalty joining us in the podcast pleasure palace. It's the CyberWire's Dave Bittner. Hello, Dave.


DAVE BITTNER. Well, hello there. Happy to be back.


CAROLE THERIAULT. Wonderful to have you back. You've been here, what was it, six weeks ago or something like that?


DAVE BITTNER. Something like that. Yep. Not too long.


CAROLE THERIAULT. That's perfect. I love that. Before we kick off though, let's just thank this week's wonderful sponsors: Kolide, Panoptica, and Vanta. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to tell you the tale of the hitman and her.


CAROLE THERIAULT. Oh, okay. And what about you, Dave?


DAVE BITTNER. I'm going to tell the story of data brokers selling information on U.S. service members.


CAROLE THERIAULT. And I'm going to touch upon whether or not this is the best way to deal with online trolls. Plus, we have a featured interview. The CEO, aka head honcho of Kolide, Mr. Jason Meller, will come and help us digest his latest findings from their 2023 Shadow IT report. All I can say is some of the results are shocking. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, I want you to picture where you were last June. Actually, no, not last June, the June before that. June 30th, 2022, at approximately 12:47. Approximately.


CAROLE THERIAULT. Hold on, hold on, I'm almost there.


GRAHAM CLULEY. 12:47 Pacific Daylight Time. Because someone calling themselves Jasmine Brown tried to hire an assassin on the internet.


CAROLE THERIAULT. At that time.


GRAHAM CLULEY. Well, that's when she did it. That's when she did it.


CAROLE THERIAULT. This is hardly the JFK shooting, 'Were you there? Do you know where you were?' You know what?


GRAHAM CLULEY. You know what? There could be a grassy knoll involved. There could be a Texas Book Depository. Who knows, right? Let's find out. Let's find out, because there are some mysteries here. So, the person she wanted killed was someone that we only know by the initials B.H. Obviously, when she booked her assassin, she didn't say, "Kill anyone called B.H." I imagine there was a real name there. I was thinking maybe Bob Hoskins, Billie Holiday, Bruce Hornsby, and his range.


CAROLE THERIAULT. Okay, two of those people are already dead.


DAVE BITTNER. Bob Hope?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Bob Hope? Bob Hope, yes.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. It could be.


DAVE BITTNER. I think Bruce Hornsby's still around, right?


CAROLE THERIAULT. Yeah, but Billie Holiday isn't.


DAVE BITTNER. Long gone, yeah.


CAROLE THERIAULT. Yeah, Bob Hoskins?


DAVE BITTNER. I believe he's gone as well.


GRAHAM CLULEY. I think he's gone too.


CAROLE THERIAULT. Yeah, so, you know, yeah.


DAVE BITTNER. Look out, Bruce Hornsby.


CAROLE THERIAULT. I think if they were gonna try and kill two people that were already dead, I'm not sure what we're talking about.


GRAHAM CLULEY. Maybe she's been very successful. Maybe she's hired a time-travelling assassin going back in time, killing them off. The ultimate alibi.


CAROLE THERIAULT. Right.


DAVE BITTNER. Go on.


GRAHAM CLULEY. Anyway, you are wondering, how did Jasmine Brown try to hire a hitman? How would you try and hire a hitman, Dave Bittner? You're an American. You must have done this.


DAVE BITTNER. Oh, sure. I mean, you don't need to hire a hitman here in the US. You just go to the store and you buy a gun and you do it yourself. Come on.


JASON MELLER. Yeah.


CAROLE THERIAULT. In my neighborhood, you wear those placards, you know, when you're golf this way or pizza that way, right? You just go hitman wanted and just walk around the streets.


JASON MELLER. Right.


DAVE BITTNER. I would say I most certainly would not attempt to do this online, but that's just me.


GRAHAM CLULEY. Well, Jasmine Brown did do it online because you do everything online these days. She visited a website.


CAROLE THERIAULT. Why leave the couch?


GRAHAM CLULEY. Right? Exactly. She got to this website and a little online form saying you can give us your details, your name, email address, phone number, your physical address, etc. And she filled it in and there was a portion of the form which requested describe what services you would like performed. And Jasmine Brown—


CAROLE THERIAULT. Do you have the list?


GRAHAM CLULEY. Well, no, it's not a dropdown.


CAROLE THERIAULT. It's not a dropdown box.


GRAHAM CLULEY. I'd just like gutters cleared.


CAROLE THERIAULT. Is it just 90 characters? Please explain what you want in 90 characters or less.


DAVE BITTNER. Wash my car.


GRAHAM CLULEY. She said, "I would like BH dead, since she's trying to kill me," is what she said. Now, the webmaster of this site contacted Jasmine Brown back, asking if she wanted to be put in contact with a field operative for her free consultation.


CAROLE THERIAULT. I'd be classy. Has she paid any money so far?


GRAHAM CLULEY. Not so far, not so far. This is a free consultation which you can have. So she replied via email saying yes, you know, she would like her details to be passed on. And the webmaster looked at the email which he got back from her, which came from the email address . And she said, "I noticed on the form that you said your name was Jasmine Brown, but your email address when you email me—" You know how when you email someone, it can include your name as well, not just in the actual email address? So, her one said Zandra Ellis. And so, the webmaster said, "A little bit confusing this, because your form, you said you're Jasmine Brown, but your email says—" She said, "No, no, no, you don't understand.


CAROLE THERIAULT. My name is Jasmine Zandra Ellis Brown." Okay, okay.


GRAHAM CLULEY. So, well, she didn't do that. What she did was she said, well, yes, actually my name really is Zandra Ellis, but I've got to be careful on the internet, she says. I didn't want to use my real name. Good. Just in case this isn't real, or if it comes back to me, so I don't want to go and get jail or anything for wanting something done. I just don't want it to fall back on me, she said. So I used a pseudonym when I filled in your form. Smart. Which seems smart to me, right? When you're using an online form, don't always use all the real details because, you know, who knows if there'll be a data breach from the assassin website? Who knows what will happen?

Mm-hmm. Well, a few days later, Zandra Ellis— let's call her Zandra Ellis as that's her real name rather than Jasmine Brown— Zandra Ellis received a phone call from someone who introduced himself as Ace. Of course he did.


DAVE BITTNER. Ace. If you're an assassin, you need a sexy name Ace.


CAROLE THERIAULT. What would you choose? You're, okay, both of you, you're like world-class assassins. What's your name? Clot. I think I'd be Clot.


GRAHAM CLULEY. Clumsy Clot.


CAROLE THERIAULT. Something like that.


GRAHAM CLULEY. I don't think I'd be a very good assassin.


CAROLE THERIAULT. Yeah, you'll get calls. Dave?


DAVE BITTNER. I don't know, maybe Spike? Yeah, oh, Spike. See?


CAROLE THERIAULT. Spike. I think I'd go for something off, I'd go Foofy. Foofy?


GRAHAM CLULEY. Is that the sound as the bomb goes? Just go, Foofy. Ace asked her if she was still interested in the services she had inquired about online. Good.


CAROLE THERIAULT. Doesn't mention it.


GRAHAM CLULEY. Good. Yes, sir. Exactly. In case the call's been listened to. Yes, she said she was. Ace asked, "When do you want to make the move?" And Zandra Ellis said, "Well, it depends on the price." And Ace says, "It's going to cost you a G, but you'll have to pay 10% upfront." In other words, $100. And Zandra said, okay, look, I'll pay the $100, but it's gonna take a little time to collect the rest, unless I can do instalments, she said. And she went, kind of went, lol, laughed out loud. It's gonna cost me a bit. But anyway, they agreed to meet at the Waffle House on Canal Street, New Orleans. It's the best place to meet.


CAROLE THERIAULT. I don't know why, because at least you get a waffle. If it all goes south, at least you get to have some maple syrup. You know?


DAVE BITTNER. Second location.


GRAHAM CLULEY. And so later that day, Zandra drove up to the Waffle House. She put her kid in the stroller and went into the Waffle House and sat at the counter where she found Ace.


CAROLE THERIAULT. She's not seen this guy before?


GRAHAM CLULEY. No, no, no. I think she's told him what she was going to wear. She's going to wear, you know, I'm going to have some sports slacks on. I'm going to have a gray blouse, whatever it is, right? And Zandra told Ace how she'd fallen out with this mysterious BH. Bruce Hornsby has upset her. Bruce Hornsby and his range and his hob. She says BH has upset her on social media because the two women— BH is a woman, it turned out— because the two women had children by the same man. And so there was a bit of—


CAROLE THERIAULT. Ace is going, Jesus Christ, I knew this was going to get complicated, right? I just thought this would be a clean in and out deal. That's right.


GRAHAM CLULEY. And Zandra tells Ace that her real name is Zandra, not Jasmine. Oh, right. Yeah, she hadn't wanted to put her real name into an online form as a precaution, because she's security savvy. She's careful about her privacy. But of course, Ace wasn't Ace.


CAROLE THERIAULT. Oh no, he wasn't christened Ace? Okay. No, no, that isn't his real name.


GRAHAM CLULEY. No, no, no. He's using the pseudonym as well. Unbeknownst to Zandra Ellis, he is actually FBI agent Michael Heimbach Jr. And he had been contacted— They have a lot of that in America, a lot of juniors. He had been contacted by the webmaster of rentahitman.com, which does exist, but rentahitman.com is a parody website that pretends to help you find a hitman. So this woman had gone to this fake website, which is just a joke.


CAROLE THERIAULT. Yeah, hey you, you looking for a hitman? You got an issue that needs resolving? Look no further than Rent a Hitman, your point-and-click solution. Yeah, we're on the World Wide Web. Not the deep web, not the darkweb, the World Wide Web. And you know, tell them Guido sent you. Surf down to the bottom of the page, fill out the web form and submit it, and I'll tell you, I'll personally put you in touch with one of our over 18,000 field operatives that we have worldwide.

And your security and privacy is important to us, and we are 100% compliant with HIPAA, the Hitman Information Privacy and Protection Act of 1964. So check us out, rentahitman.com. That's a pretty clear marketing message. I think a lot of companies could, you know, learn from that.


GRAHAM CLULEY. They could, if they're in this business, you could just cut and paste it. Yeah, right. They've got testimonials on their website. Fernando M. in Kansas, for instance, he says, "My business schedule is too busy to get my hands dirty with human resources issues. So I consulted with Rent-A-Hitman and they handled my disgruntled employee issue promptly while I was out of town on vacation. Gracias, Rent-A-Hitman." I thought you were going to say human remains issues.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. So they underline that the darkweb, they say, don't use the darkweb if you're looking for a hitman, they say, for nefarious deeds, because the darkweb, they say, is full of potential risks. It's got viruses and fraud is rampant, they say. There's no guarantee of privacy on the darkweb.

According to rentahitman.com, your information could be leaked, including to law enforcement, they say. So they claim they are completely safe and secure. But of course, when people make inquiries on their website, they just pass them over to the FBI. People who haven't realized it's a joke.


CAROLE THERIAULT. Okay. Wow. This is what's gonna really annoy me about your story. Okay. Who is BH?


DAVE BITTNER. Well, obviously it's Bryce Dallas Howard.

Oh, Bryce Dallas Howard.


GRAHAM CLULEY. Yes, she's alive, right? Yes, she's a BH, right?


CAROLE THERIAULT. Is there anyone else? Alive? Bill Hicks, dead for a long time.


GRAHAM CLULEY. God, sorry. Bill Hicks. See, I think this is a conspiracy theory. Everyone with a BH is dead. Apart from Bruce Hornsby, who we haven't researched. Maybe Bruce Hornsby is. Sorry, Bruce, if you're out there.

Zandra Ellis has now been jailed for 18 months for various crimes, primarily which are being really, really silly on the internet.


CAROLE THERIAULT. For failing to hire a hitman.


GRAHAM CLULEY. For failing, but for succeeding in being a complete plonker when it comes to her online privacy.


CAROLE THERIAULT. Why couldn't she have come back and gone, "Duh, I know it's a parody website. I was spoofing the spoofer. Obviously." Oh, Carole, very clever.


GRAHAM CLULEY. Now we know you're— Is this what you do every time you commit a crime? You just say, "Duh, this is modern art, which I'm doing. This is just a joke. Performance art." Dave, what's your story for us this week?


DAVE BITTNER. My story this week comes from the MIT Technology Review. This is an article written by Tate Ryan-Mosley, and it is about how some sensitive information about US military personnel is being sold by data brokers. And this is based on some research that was done by Duke University, which was partly funded by the US Military Academy at West Point, which is our Army Military Academy here in the US.

So what they found was that they could go to a variety of data brokers and specifically request "Give me what you got for folks who are in the US military." And they could buy those records for as low a price as 12 cents per record.


GRAHAM CLULEY. What? Right. And what information do they have though? What do you get for your 12 cents?


DAVE BITTNER. Well, the basics: name, address, rank, serial number, you know, that sort of stuff. But also, some of these brokers sell things like location data, right? Where were you? How much money do you make? How many kids do you have? What's your religious information? What's your health? Things like that.


CAROLE THERIAULT. And this is not with the military's blessing, is this?


DAVE BITTNER. No, no, no. Right. No, I mean, this is the information that all of us get vacuumed up by these data brokers through our use of online services, but also just the day-to-day. I know certainly here in the US, and I don't know how different it is for you all, under the warm blanket of GDPR, but if we go to the grocery store and buy something, that information gets sold. Our credit card companies sell our purchasing information.

So there's all kinds of stuff that even if you're, even the usual suspects Facebook or Google, who are selling things, there are many different avenues by which this information can be gathered up and then bundled together and then sold for the low, low price of 12 cents. So this is all legal, presumably. These folks have signed off on a EULA somewhere that says, "You permit us to gather this data, bundle it up, and sell it."

But there are concerns that this could be a national security issue, particularly with things like location data, because what if I'm someone in the military and I have a security clearance and someone tries to blackmail me based on the fact that I've been visiting a cancer treatment center, and perhaps the information about my medical condition could affect my career or affect the government's willingness to maintain my security clearance? Things like that. Where people could get blackmailed with this information. That could provide a national security issue. I'm curious what you all make of this.


CAROLE THERIAULT. I'm just surprised first that the military wouldn't have mandated pseudo-anonymization for exactly the points you just mentioned. But also, this must be state by state because some states are much better with anonymizing data that they sell on.


DAVE BITTNER. Some are.


GRAHAM CLULEY. Is it that this data came from the military though, or is it the individuals inside the military who've shared their data and maybe shared their occupation and who their employer is? And then those huge databases are being sort of carved up and sold and it's "oh well, we can do a little search query and find out everyone who works for the military." Is that how it's getting out there? So it's almost beyond the control of the Army, isn't it?


DAVE BITTNER. Exactly. Exactly. It is the side effect of the modern society in which we live where all of this information is being gathered up and bundled up every day, and so you can do a search or you can make a request based on what someone's occupation is, and you can say, "Give me everybody in the US military." Wouldn't surprise me, and I'm speculating here, but it wouldn't surprise me if you could say, "Give me everyone in the US military who has a security clearance." It would give you quite a list.


CAROLE THERIAULT. Just grab the Strava information that they've been leaking.


DAVE BITTNER. Right. Now, another interesting point here is that the researchers at Duke were also very deliberate in testing the boundaries of what they could do in purchasing this data by deliberately making it seem as though they were purchasing this data from countries in Asia so that they were outside of the United States, and they were interested in buying data about US military personnel from outside the United States, specifically from a country that would be considered to be one of our adversaries. And they were able to buy the information with no resistance, no friction whatsoever. There was very little, if any, vetting as to who's buying this information.


CAROLE THERIAULT. Yeah, across the pond on the little gray lily pads within legality and illegality, or ethics and lack of ethics.


DAVE BITTNER. Yeah. But I think the main thing here is that it points to the fact that here in the US, we have no federal data protection law, there's nothing preventing these companies from doing it. It's completely legal, and we are desperately in need, in my opinion, of something to put some guardrails on this, and something like this where you can make a good case for there actually being a national security issue, maybe that's something that folks can get through Congress and we could see a real movement when it comes to data protection and privacy.


GRAHAM CLULEY. You see, I completely agree with you, Dave, on this, but you're almost assuming that this isn't happening outside the United States as well. And I tend to think, I wonder, because these are big multinational companies who are churning through this data. And we know from past breaches at some of these organizations that they've got data about all of us, haven't they?


CAROLE THERIAULT. Yeah, but they don't even have the frameworks of GDPR or anything. Right. No, no. But some states have tried, but federally there's CCPA.


DAVE BITTNER. Right. Now, what protections do you all have there in the UK that we don't have when it comes to this specifically? If you were a service member in the UK, you could call the websites and get them to delete all your data.


CAROLE THERIAULT. I think you may be able to do that as a US citizen as well. Actually, you can make requests to say, get rid of all my data that you have.


DAVE BITTNER. You can, and there are organizations who provide that as a service. Yes. You can pay them X number of dollars per month and they will keep up on that, make sure that you're repeatedly being scrubbed.


GRAHAM CLULEY. But in these particular cases, you wouldn't necessarily know which organizations have your data. Right. I mean, if it's companies like Equifax, for instance, it's not as though you actually have a personal relationship with them. But they are collecting data about everybody.


DAVE BITTNER. Yeah, and you have no choice.


CAROLE THERIAULT. Because you do, say you wanna buy a new car, you go on one of these comparison insurance websites, you give them all your data, they fire it off to everybody. You have no idea who has it and who doesn't. And so maybe the only way to manage it is with a third-party company that does all this. But how sad is that? Why aren't these companies mandated? If no one's come around here in the last 3 years, we ditch the data. Unless there's cash in there, I suppose.


DAVE BITTNER. Yeah, I mean, it's money. That's what it is. The data brokers, as Graham said, these are huge companies now. And so they have a tremendous amount of lobbying power. They hide behind the EULA. They say, listen, we're only doing what people agreed that they would allow us to do. You agreed to let us sell all this information about you, which of course is absurd because no one in their right mind spends time reading any of the EULAs. We just want to use the service. But that's the gap here that needs to be closed.


GRAHAM CLULEY. What are you going to do about this, Dave?


DAVE BITTNER. Well, I'm going to go to rentahitman.com and tell them that I want them to go after the heads of all of these data broker companies and we'll end this once and for all. Do you think that's a good plan? Do you think that'll work out for me?


GRAHAM CLULEY. It's a good way of getting the attention of the authorities and just claim it's performance art.


JASON MELLER. There you go. If they give you any trouble.


DAVE BITTNER. Done. Done.


GRAHAM CLULEY. Carole, what have you got for us this week? We're trolling, trolling, trolling.


CAROLE THERIAULT. See, that's a good one, right? It's good. Okay. Online trolls. Generally speaking, someone who intentionally makes inflammatory, rude, or upsetting statements online. Right? I mean, trolls post comments online that bait people.

Yeah, that's a good way of defining it. Yes, I would say so. Yeah, you know, the game plan to typically elicit a strong response from a victim or onlookers or whatever, message board, doesn't matter.

And apparently, I didn't know this, but would you guys say that trolling is distinct from other forms of cyberbullying or harassment? Because I kind of would have thought I would have put them all in a similar bucket, but distinct how?

Well, they say that trolls normally do not target any single person and rely on people paying attention and becoming provoked. So trying to rile up a message board perhaps.


DAVE BITTNER. I see. Right, right. So they get pleasure from stirring the pot and getting people to react to things. That's the point rather than them trying to convince anyone of any particular viewpoint. They're just having fun upsetting people.


CAROLE THERIAULT. Yeah, I guess so. And I guess so, I got this little story for you. And I want to know, do you guys think this is a story about trolling? Or is it more about harassment and cyberbullying?

And also, is there maybe a better way of dealing with this type of unwanted internet communication, which I'm going to regale you with now. So enter our protagonist. His name is Ethan, works in a call center.

And has enjoyed a number of different accounts on TikTok, right? This is all according to Vice. And a little background, he apparently grew up in a strict religious environment.

So quote, I went to a Christian private school. It was very conservative. You weren't allowed to be anything other than straight.

It was actually in our student handbook that being LGBT was grounds for expulsion. I had to kind of hide that part of myself, unquote. Okay, so another thing to note about Ethan is that he's a bit of a tattoo junkie, right?

After a spot of bother with drugs and the law, he got into, you know, inking himself. So fast forward. So Ethan is also an avid TikToker.

He wants to make it big. He wants to get out there. And he says that the first video that popped off, or I guess went successful for him, was some guy saying that Ethan would never have a girlfriend.

Right now, Ethan is outspoken about being gay, so an odd statement to make, but whatever. So say you are this guy, you're an influencer wannabe, and you get a statement going, you're never gonna get a girlfriend. Do you ignore it?


DAVE BITTNER. Do you respond? Well, in Ethan's case, I'd say you're absolutely correct. I have no interest in having a girlfriend. Carry on.


GRAHAM CLULEY. Yeah, and even if I was interested in girls, you know, in your scenario, I don't think I'd care that very much.


CAROLE THERIAULT. What if you really wanted your TikTok to blow up a bit? Could you use this in a way to help you get some more juice?


DAVE BITTNER. Oh, well, sure. Nothing attracts the lookie-loos like some sort of online controversy or fight. So, yes. Right, okay.


CAROLE THERIAULT. So Ethan didn't pull the Jesus move of turning the other cheek. Ethan decided to retaliate and he decided to troll the troll. So he says he found the guy's Facebook and did a bit of research and then posted saying, I don't want a girlfriend, but I'm now about to hook up with your son.

Oh, okay. Yeah, this included a pic of the son of the guy that was, you know, sent that message that he got off Facebook. So too far?


DAVE BITTNER. Well, it certainly made it personal.


GRAHAM CLULEY. It does sound like it's going to inflame the situation. I think, yeah, wouldn't recommend it.


CAROLE THERIAULT. Yeah. If a troll throws the first punch, are you— if you throw the second punch, are you a troll as well? Another one of his antics is when a TikToker named Christina commented on one of Ethan's videos calling him a waste of oxygen and insinuating that he should end his life. He retaliated again because he found Christina's Facebook page where she had allegedly written claims that her son was taken away by Child Protective Services because the son's father claimed that she was an addict.

So what does he do? Does he stay quiet and do nothing?


GRAHAM CLULEY. Yes, that's what he does. He's very quiet.


CAROLE THERIAULT. No, you've forgotten. You've forgotten that he really likes tattoos. Oh, goodness. So he is now, in the honor of Christina's comment, he has tattooed the little boy, a picture that he's found as he trawled all her stuff online, put a piece of tape on the mouth of the boy that said, "Property of Child Protective Services." Hang on, hang on.


GRAHAM CLULEY. So he's got a tattoo of the child on him now?


CAROLE THERIAULT. Yes, yes. Has he? Has he really? Do you want to lean? Not really.


DAVE BITTNER. This reminds me of a saying that someone told me once about tattoos, which is that quite often they are a long-term reminder of a short-term feeling.


GRAHAM CLULEY. The same you could say of children, actually.


DAVE BITTNER. Oh my.


CAROLE THERIAULT. Wow. Yeah, so this guy, he gets tattoos of his haters or their loved ones or even babies. And is known for his incredibly intense, in-depth research into the personal lives of the commenters, the commenters whose comments he doesn't like, which he uses to lord personal catastrophes over them, dredging up things from manslaughter charges, bear attacks. I put the link in the show notes. You can see some of his artwork on his body.


DAVE BITTNER. He just seems like a creep, though.


CAROLE THERIAULT. I mean, above all, he totally seems like a creep. But his whole thing is, you know, he has supporters. He says now he doesn't have to do his own research because he's got supporters that will go out and say, oh, look, someone said something nasty. Here's some shit I've dug up on them on social media.


DAVE BITTNER. Yeah. I mean, okay. So his thing, his claim is that he's bullying the bullies, but it seems to me he's doing that by being a bully. Yeah. Yeah. So where does it end?


CAROLE THERIAULT. Yeah, right.


DAVE BITTNER. Yeah, right. I don't think that's a good justification for what he's doing here. He's doxing people. He's taunting them, he's bullying them, but he's hiding behind the notion that they struck him first. So that thing, "Don't you ever start a fight, but you better finish it." That sort of attitude.


GRAHAM CLULEY. Could not anyone who's intending to troll him actually fill their social media with fake photographs of people who aren't their children or aren't their loved ones or whatever?


CAROLE THERIAULT. Oh, troll the troll, troll the troll, the troll.


GRAHAM CLULEY. Exactly. I'm just thinking we could go round again. Yeah. So he gets tattoos of different people, maybe.


DAVE BITTNER. Looking at the pictures that you've shared here, Carole, it looks like he's running out of surface area.


CAROLE THERIAULT. Well, that's one of the questions Vice asked. Vice is like, what's going to happen when you run out of untapped skin? Yeah.


GRAHAM CLULEY. I'm seeing one tattoo here, which appears to be a dialogue pop-up box saying, your account was permanently banned.


CAROLE THERIAULT. Yes, you see that.


GRAHAM CLULEY. And so there's— It's not just people's faces. It's also error messages.


CAROLE THERIAULT. I know this sounds so insane. There may be issues here with stability or God knows what, but at the time of interviewing—


GRAHAM CLULEY. Do you think maybe the journalists who've written about this are actually— I mean, are they helping by writing about this? No, are they? I've talked about it. Yes. I'm just saying maybe we should all just be ignoring this guy. Maybe it's encouraging it.


CAROLE THERIAULT. Well, we'd like to, and TikTok have tried. Apparently, they've banned him 20 times since July.

But he keeps starting up from scratch, a new profile every time. And he thought he'd sussed out a technique to stop it by talking in riddles so the algorithms wouldn't be able to find him.

But even while writing this, he's been banned twice more just after hitting 246,900 followers. Talk about performance art.

Because people want to see him cover himself with ink, right? People are disgusting.

They're just like— ink yourself to death. We'll watch.


GRAHAM CLULEY. Who's the tattooist making all the money out of this? There must be some guy who's sweating his guts out.


CAROLE THERIAULT. Do you think they're doing it for free? Free sponsorship on the show?


DAVE BITTNER. Oh my God. What happens when his 15 minutes of fame are up and people move on? I'm just trying to imagine this guy walking into a job interview.


CAROLE THERIAULT. Cover-up makeup is getting better and better every year.


DAVE BITTNER. I don't think people should judge based on someone inking themselves, but I can't imagine anybody not having a little bit of pause looking at the degree to which this gentleman has covered himself with all sorts of markings.


CAROLE THERIAULT. Yeah, with babies saying CPS, and they're basically like, it's not even just that he's covered in ink. They're just all horrific messages. Bit of a red flag.


DAVE BITTNER. Yeah. A bit of a red flag.


CAROLE THERIAULT. Girlfriends out there, maybe not one to jump into bed with. Okay. Onwards.


DAVE BITTNER. But he doesn't want girls anyway.


CAROLE THERIAULT. Oh yeah, that's right.


DAVE BITTNER. Boyfriends, stay away. Yeah, whatever. So what's the endgame here, Carole? I mean, I don't mean to say what's the point, but—


CAROLE THERIAULT. Don't incite trolls. Don't troll trolls and don't troll trolls who troll. Don't feed the trolls.


DAVE BITTNER. Okay. Don't feed the trolls. That's good. Yeah.


CAROLE THERIAULT. Stay away from the trolls. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security.

Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more.

And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time.

As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing.


GRAHAM CLULEY. Panoptica provides users with deep visibility, prioritized risk assessment, and actionable remediation from development to runtime. This comprehensive cloud-native application protection platform, or CNAPP, provides an essential holistic view to secure the entire cloud application stack seamlessly.

With integration of security into the DevOps and CI/CD pipelines, Panoptica fosters a security-first culture and allows users to detect and resolve security issues at every stage of the development lifecycle. Get more information.

Go and visit Panoptica's website at panoptica.app. That's panoptica.app, A-P-P.

And thanks to Panoptica for supporting the show.


CAROLE THERIAULT. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common: it's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials.

But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT.

The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's K-O-L-I-D-E.com/smashing.


GRAHAM CLULEY. And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.


DAVE BITTNER. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.

It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security related.

You know, I'm a bit of a Beatles fan and—


DAVE BITTNER. No, really? No, I don't think I've caught up on that. Have you ever mentioned that on the show?

That's— Carole, did you know that? No. No.


GRAHAM CLULEY. Okay. Beatles. Interesting.

Only three things I'm interested in: Chess, Doctor Who, and the Beatles.


DAVE BITTNER. That's that band from the '60s, right? The four guys from Liverpool it was, right?


GRAHAM CLULEY. That's right. That's right. John, Paul, George, and Bongo. That was them.


DAVE BITTNER. I've heard of them.


CAROLE THERIAULT. Yeah, and they went over to America in a submarine.


GRAHAM CLULEY. That's right. Well, I'm sure it hasn't escaped your notice that they've got a record out. And of course, John Lennon's been dead since 1980.

George Harrison's been dead for about over 20 years now as well. And how do you get the Beatles together to make a record?

Well, what you do is you dig out an old cassette tape of John Lennon recording a demo from the Dakota in New York in the 1970s. And you say, that's good, but we've got to use some Peter Jackson AI magic to get rid of the buzz and remove the piano.

And then we'll get this old recording of George Harrison from when he tried to do it back in the '90s. And, you know, but then he decided that the song was a load of rubbish and refused to put it out.

And we'll get Paul and Ringo in as well, even though they're well into their 80s, to sing along. I'm rather pleased that this happened.

I was familiar with this John Lennon demo as well. There are lots of others out there, but I don't think they're going to do any more records after this.

But what I actually am making my pick of the week is the video. When I first heard Peter Jackson was making a music video, I thought it'd be three and a half hours long.

Thankfully, it's only three and a half minutes, and via the wonder of CGI and wizardry— Actually, it's maybe not quite as sophisticated as it first appears. It's maybe not quite as professional, but it still brings a little tear to the eye.

You can see an old Macca and an old Ringo singing along with George and John from back in 1967 or whenever, and I found it rather lovely and moving. And that is the song "Now and Then," which I believe is racing to the top of the UK charts, albeit probably only for one week.

But well done to them for having their first number one hit since 1969. I was pretty impressed. And that is my pick of the week.


CAROLE THERIAULT. You don't think it has to do with anything with a huge marketing budget as well?


GRAHAM CLULEY. Well, no, I think this was mostly Paul McCartney wanting to do this because he has a bit of a chip on his shoulder as to how the world views his relationship with John Lennon and maybe they actually liked each other much more than the world apparently thinks. I think Ringo wasn't bothered at all, judging by his drumming track and the fact that he appears not to actually be in the same room as Paul McCartney.

I think there's some green screen involved when you see them sitting next to each other and think they're not in the same room. But the video is really cute.


DAVE BITTNER. It struck me as a little bit odd, but mostly cute. There was something ever so slightly unsettling to it to me, but mostly cute.

But the other thing I wondered about was that because, you know, they had to get Yoko's sign-off on this. And so—


CAROLE THERIAULT. Yes. What was that like?

Absolutely. You don't love Yoko?


DAVE BITTNER. Why don't you love Yoko? Why don't I love—


GRAHAM CLULEY. I don't like her.


CAROLE THERIAULT. Okay, but if she came over and said, Graham, hug me, and that way you've hugged John Lennon.


GRAHAM CLULEY. Well, you can't just go around hugging people, Carole, believing that you're hugging somebody else. It doesn't really work like that.


CAROLE THERIAULT. So you would say no, no hug?


GRAHAM CLULEY. Well, it depends. If she's nice to me, then maybe I would give her a little hug if I liked her.


CAROLE THERIAULT. She was nice to you.


GRAHAM CLULEY. Look, this is a whole different podcast where we can talk about Yoko if you want to. Maybe it's not appropriate for Pick of the Week.


DAVE BITTNER. Okay. It's Graham's Beatles Podcast.

Yes.


GRAHAM CLULEY. Oh, wouldn't that be wonderful? Oh, Graham, you should.

Why not? Maybe, maybe, maybe.

There's a lot of people starting new podcasts these days, aren't there? Dave, what's your pick of the week?


DAVE BITTNER. So my pick of the week was actually recommended to me by my youngest son, Jack. And what I'm recommending is a particular episode, episode 3 of the series The Last of Us.

And the episode is called Long, Long Time. Are either of you familiar with the series The Last of Us?


GRAHAM CLULEY. I've heard of it and I know people quite like it, but I don't know. I've never watched it.


DAVE BITTNER. So it's a zombie apocalypse series. The premise of the show is that there are some mushrooms, mushroom creatures, whatever mushrooms are, mushrooms, what do you call them?

They're not—


GRAHAM CLULEY. Fungus.


DAVE BITTNER. Fungus, yeah, thank you, fungus among us. They're fungi that have shifted to be able to be supported by humans and take over humans.

It turns humans into zombies, and so it's a zombie apocalypse story. Now, I had my fill of zombie apocalypse stories with The Walking Dead, where I enjoyed the first couple seasons of The Walking Dead.

I thought the whole notion of what do we do when everything goes wrong and now we have to survive was very compelling. And then over time, my sense was The Walking Dead just kind of turned into torture porn where it was just, how can we make these people miserable?


GRAHAM CLULEY. It was very gory, wasn't it? I mean, it was technically well done, but it was, yeah, it's not something I like to watch.


DAVE BITTNER. No, I had my fill. And so after a few seasons, I bowed out of that. And so I was not interested in The Last of Us because I thought, more zombie apocalypse.

I don't need that anxiety and stress when I'm watching things. And also I have a hair-trigger startle reflex.

And so I don't like to be scared. However, my son came to me and said, "Dad, I think you really need to watch this one episode.

Yes, it takes place within this zombie apocalypse, but it is really a love story." And it is.

It is what I believe is referred to in the industry as a bottle episode, which is where they keep things self-contained in a very limited number of locations. Partly it's for saving money on production, but it's a little side story from the main story.


CAROLE THERIAULT. Yeah, it doesn't impact the main story. That's the one you miss if you want to keep up with the plot.


DAVE BITTNER. But— Right. But in this case, this is the one you watch if you don't want to see— Right.

—the rest. And I have to say, it is one of the most beautiful hours of television I think I've ever seen.

It is a love story. Nick Offerman and Murray Bartlett are the two actors who play these characters, Bill and Frank.

And this zombie apocalypse brings them together. They fall in love and the episode tracks them over time, over quite a long period of time.

Their relationship, how it grows as they get older, as they need to take care of each other. And ultimately through the end of their lives.

But it's really quite beautiful, and so I highly recommend it. This is a gay relationship, so if that's something that is not up your alley, then maybe you want to avoid it.

But on the other hand, if it's something that's not up your alley, perhaps you should watch it. Give you better appreciation for this sort of thing.

So, did you cry? I did shed a tear or two at the end.

It's quite lovely. Yeah, it's beautiful.

So again, it's The Last of Us, episode 3. It's called Long, Long Time.

And that is my pick of the week.


GRAHAM CLULEY. I remember when this was first aired, actually, although I haven't seen it, I remember people were saying it was absolutely magical and really heartbreaking. So people did single this particular episode out and said it was a fantastic piece of drama.

So, super duper.


CAROLE THERIAULT. Carole, what's your pick of the week? I have a fabulous one too.

It's an immersive audio drama called Celeritas. And it's not about celery, Graham, but space travel.

And it's not new. It came out in 2021, but it's new to me.

I just found out about it. And I literally stayed up till 3:30 one night last week, utterly gripped by it.

And there's 10 episodes. So they're short.

They're about 15 minutes each. But on the surface, this is a story of the first manned light-speed flight with astronaut Captain Owen Keating.

And surprise, surprise, things don't go to plan. And we follow our astronaut's desperate attempt to stay alive long enough to figure out what's going on, both with him and everything around him.

But what makes this super great is there's these intense scenes of drama and things going wrong, and then they are juxtaposed by these scenes of complete isolation, where he's trying to relive some of his terrestrial joys and horrors, just reliving his life in this kind of weird bubble. And it's all beautifully woven together by this kind of transcendental music from bands Illuvium and Stars of the Lid and A Winged Victory for the Sullen.

So these are some bands that help play it, but the audioscaping of it, I just found remarkable. I loved it.

So fans of great audio dramas that have a little sci-fi penchant with a bit of introspection, this is for you. Celeritas, it's from Realm.

Get it wherever you get your podcasts. And that is my pick of the week.


GRAHAM CLULEY. Carole, I am impressed because you have such a broad taste when it comes to podcasts and audio drama. You're always coming up with recommendations and our listeners, they'd do well to check out a lot of your recommendations, wouldn't they? Oh, a lot of them do.


CAROLE THERIAULT. A lot of them do. But yeah, some that are thinking, oh, whatever, whatever, you should, because there's some really good ones. I got a good curated list. We should make a book of it, Graham, for a little Christmas book.

We have got a list.


GRAHAM CLULEY. If people go to the Smashing Security website, there is a Pick of the Week page where we have the archive of past Picks of the Week. So if you are ever stuck for something to check out, then that's a good place to go and have a look. Yeah.

Terrific. Now, Carole, you've had an interesting conversation with Jason at Kolide this week, haven't you?


CAROLE THERIAULT. Yes, I did. It's a fabulous talk and he reveals the findings of his recent report.

I was surprised. He was surprised, but they have an answer to the problem. Check it out.

So today, listeners, we welcome Jason Meller, founder and CEO of Kolide.com, to Smashing Security. Now, Kolide, as you know, is the champion of zero trust access, meaning if a device is not secure, it ain't allowed access.

Hi, Jason. Welcome. Welcome. Fabulous to have you here.


JASON MELLER. Thank you so much for having me again.


CAROLE THERIAULT. Absolutely. So today we are going to look at the results of your recent report, the 2023 Shadow IT Report by Kolide.

And you guys found out some pretty surprising findings, which we'll get to in a moment. First, I thought maybe you could set the scene for us, Jason. So you guys surveyed how many people? Why did you decide to do it?


JASON MELLER. Yeah, so the reason why we commissioned this report was we were looking for data around what percentage of the workforce is using their personal devices or are they using managed devices? And there just wasn't any good data out there.

There wasn't any structured scientific surveys that were done. So we worked with a partner called Dimensional Research. They do this for a living.

We certainly don't know how to contact, I think it was over 300 different professionals that were part of the survey going all the way from executive management from folks that are in IT to end users. So we really ran the gamut in terms of the diversity of the types of people that we were surveying and across all different types of organizations, from folks that are in finance to healthcare and so on and so forth.

So we wanted as broad and diverse of a survey as possible. So we worked with them.

And one of the things that's really challenging about this is you try to leave a lot of any preconceived notions because Kolide is founded on the premise of we think that there is an unmanaged device problem out there, but we didn't necessarily want to bias the survey in that way. We wanted to just get a good accounting of what the state of the union is around this problem.

Absolutely. Yeah. We put— we worked with them.

They helped us sort of de-bias any of the questions that we're asking and really kind of get to the heart of the matter, which is questions like, you know, does your— do you ever do company work on a personal device? What type of work are you doing? So on and so forth.

One thing I'll just say for anybody out there who wants to do this type of survey or commission their own, the thing that's really always hard about it is you get some of the results back and you're like, oh, I wish I had asked one more question on top of that. But we had at least the foresight to ask, I think, some really interesting questions this time, which I think produced a really interesting report, which we put up for free on our blog.


CAROLE THERIAULT. Fantastic. So, what did you guys find?

So you run the survey, you start looking at the data. Yes.


JASON MELLER. So the narrative really goes here. The first question, right out of the box is, do you ever do company work on personal devices? And 75% of the workforce indicated that they do work on non-company-owned devices.

So the next logical question, you go from there because I think you want to go from there to, wait a second, are we talking about phones? Are we talking about very simplistic email and chat? Or are we talking about really heavy-duty concerning stuff that is happening from non-company-owned devices?

Interesting. Okay. And so when we dug into that, we had the foresight to ask the question, what percentage organizations are using unmanaged devices to access company resources?

That's a little bit different than non-company-owned because you can have a bring-your-own-device that's on the MDM or something like that. And it was about half of them, 47% of companies reported that they actually allow unmanaged devices to access company resources.

So from there, it's okay, we're not just talking about bring your own device. We're talking about stuff that's explicitly unmanaged, personal devices or things that are outside of the purview of the IT organization.

It's really surprising. Yeah. Yeah. I know, right? It is. And I think there's a little bit of a story that goes with that.

But the next question we wanted to really get to the heart of was, what type of work tasks are you doing on these unmanaged personal devices? You know, we wanted to kind of make sure, okay, are we just talking about a little bit of email?

Maybe that's not so bad, although I would have qualms about that because there's a lot of valuable information in email. Yeah. Same thing with chat like Slack.

Yeah. A lot of people discount that as saying, oh, that's not a big deal. Well, probably everything in the world that is important to your company is probably happening in a Slack-based style chat room.

So we'll put those issues aside for a second. So 54% of respondents said they do cloud-based file sharing, 46% customer service style applications, some software development, 29% of respondents said they do software development on their personal device.

The most concerning was managed cloud infrastructure. So we're talking about site reliability engineers, DevOps style people who are pushing things to production. 27% said they access those types of resources from their personal device.


CAROLE THERIAULT. I hope you ask them why in the next question.


JASON MELLER. Oh, we did. We did. Good, because I'm dying to know.

The answers are not good. They're not good. Okay. So we asked them why.

Why do you use your personal device? And the top answer was— because I figured it was, again, my bias going into it.

It's oh, there's this oppressive mobile device management, and I can't do my work. No, the answer was simply 43% indicated their top answer was, I like my device better.

That was it. I like my device better. Oh, wow.


CAROLE THERIAULT. And I wonder if— see, that opens a big can of worms as well. Is it you like the device better because of the OS or, you know, or is it because it just has all your stuff on it or a combination? Yeah.


JASON MELLER. And that's where we get into the area of, oh, I wish I had asked one more question to even dive into that one a little bit more. I think you can build a narrative that really explains this phenomenon because these are folks that they've answered this voluntarily on a survey, right?

You know, the survey was anonymous, but they still volunteered this up. And I think there's this sense that it's actually allowed and it's not a big deal to use your personal device.

And as someone who, you know, I'm an elder millennial on the verge of really being a Gen X, that was totally verboten. When I started my work career, you would never bring a personal device into work and start doing your regular job on it.

And I think this transition from these different styles of remote work. So when I started my career, I was at General Electric and we were a very remote company because we just were so big that if you were going to different departments or organizational units, go to New York to go to NBC, or you're going to go to Wisconsin for GE Healthcare or Cincinnati for GE Aviation, you were traveling a lot.

And what you would do is you would just access all of the protected applications, which were all hosted on our own network. None of them were in the cloud, and we would do it via a VPN.

And this was 2010, 2011 was— we were still doing that. It didn't always work very well in my experience, but—

No, no, it certainly didn't. You couldn't stream Netflix, that's for sure.

So when you fast forward now, 10, 11, 12 years later, the world has changed pretty dramatically. Most of the applications now that we access to do our work, they're not only accessible within a private network, they're in the cloud, they're SaaS applications, they're intentionally hosted on the public internet.

So even if your company has a VPN, the likelihood that you need to actually use it every day is diminishing. Continuously to the point where you may not even remember to log into the VPN anymore because of how little of an impact that has on your day-to-day work and the applications you need to access and the data that you need to access.

So that's the first thing that really changed. The second thing that really changed was that folks, once they were working from home, and we now have this new population of people that are new to working from home, they just tried it out.

They got their personal laptop, which was, by the way, probably a nicer laptop than the one that they were provisioned. It was probably a brand spanking new MacBook Pro that they're using for their personal life and this sort of janky, you know, 3-year-old PC on some horrible Intel thing that they, you know, it doesn't work great.

So now they're using a much better computer because they chose the one that they chose for themselves. And they find, hey, I can access all of my stuff and I can even log in via Okta or all the other, you know, SSO environments that I have.

I'm not really prevented from doing this. And because I'm not prevented, perhaps it's fine for me to do that.

Or at least I have the ability to say if I do get in trouble that, oh, I didn't realize this. If this was something that the IT team didn't want me to do, wouldn't they want to stop me from doing that?

And they're not. Putting forth any effort to even discourage this at a technology level.

So why would I, why would I even feel ashamed of doing it?


CAROLE THERIAULT. Yeah, because it's easier to use my own machine. I also wonder though, especially during the pandemic, I know a lot of IT people that just were inundated with requests from these people that were working from home.

They weren't used to that environment, you know, pre-pando, and they were overwhelmed. So they weren't getting to people to fixing the problems in a way that was, you know, sensible for the business.

So I think a lot of them were encouraged to use their own machines during that time as well.


JASON MELLER. Yes. Yes. And I think that has been a little bit of a genie that it's been very hard to get back into the bottle for a lot of organizations. And the argument that we want to make is that it's not necessarily evil in itself to allow your end users to use personal devices, but it really shows a lack of security operational competency because at the end of the day, these are devices that are gonna be interacting with production-like data.

They're gonna be logging into your HR system, into your support system. And if you don't have basic capabilities on them, like endpoint detection and response, or even basic antivirus, or just some high-level logging about what's going on, or, you know, high-level mobile device management solution, you really have no idea what's going on.

And I think the most recent hacks that have hit the news, you know, we need to really be on high alert for the information that our local devices cache about our authentication sessions to the files that we're downloading. These are all a prime target for folks who are building the malware today that will exfiltrate the data tomorrow that you don't want to be in the hands of folks that could potentially sell it to another person and then leverage that information to access more systems.

So the first step of any competent security program to address this is to let's at least make sure that the folks that are logging into our production apps are actually doing it from a device that has some basic management on top of it. And that requires you to really start reasoning about zero trust and device trust to be able to do that.


CAROLE THERIAULT. Exactly. So in other words, you're saying you want to use your own device, fine, but you need to meet these companies' stipulations first if you're going to access our profile. And that's done all automagically working with people like you.


JASON MELLER. Right, that's exactly what we do. And I think that's the premise of any healthy device trust posture checking program is it's not just, hey, you're on the MDM, so therefore we can implicitly assume that you are all good. That's actually not true in even the most optimistic case, right?

You have MDMs all the time that fail to deploy certain payloads. Oh wait, I have CrowdStrike, but maybe the user disabled it. You can't just assume that a device is in a good state simply because it's under management.

And so the opposite can be true as well. You can have a bring-your-own-style device where you're not necessarily looking for the MDM piece 'cause maybe that's not a requirement, but certainly CrowdStrike is or some kind of robust logging or detection system or whatever the things are that your organization decides are important. And by the way, I'm not even talking about necessarily just tools.

I'm talking about the basics. Has it been updated in the last 3 months?

Has the computer been restarted this year? One of the checks that we rolled out at Kolide was, has the computer been restarted in the last 60 days? And you'd be surprised, we're talking 20, 30% users don't regularly reboot their device unless they feel they have to because of a security update.

And so it's just having those basic checks in there. Yeah, we all do it, right?

It's who has the time? I just think fundamentally we have to wake up as an IT security apparatus.

You know, this sort of optimistic viewpoint that this isn't happening and we haven't dug into it yet as professionals. And this survey, I think, has really illuminated that it's not just happening, it's the norm.

I think if you have an honest conversation with the employees at your own organization and you're assuming that they're using their company-issued devices to do the majority of the work, you should assume that that is not happening. And you need to come up with a plan to force this to happen at a technological level, force them to come into contact with something and say, hey, I'm not going to let you sign in with this device unless it meets certain standards.

That's exactly what Kolide does. And if you're someone who uses Okta today to protect all of these public internet SaaS apps, that's the only gateway that you have.

It's the only central point that you can use to have that type of forced conversation at a technology level. Most of the modern companies we have today, they don't even have necessarily a VPN to do something similar.

And even if they did, most of the apps now are accessible outside of it.


CAROLE THERIAULT. And, you know, once this is up and running, I imagine that your IT team will get the first full night's sleep in years because they'll have the sense that, you know, at least everything is not just held together with sticky tape and hope and crossed fingers. You actually have, you know, a process involved that keeps you in a much more secure posture.

Is there anything else that you'd want to add at this stage?


JASON MELLER. No, I think folks should check out the survey. It's called the Shadow IT Report, and you should definitely check it out.

It's free. And I think a lot of the statistics in there can drive really important conversations for organizations that have already made that transition to mostly remote.

They mostly have SaaS apps and they're utilizing Okta today and they're looking for a way to actually prevent unmanaged or untrusted devices from accessing those. And then come up with a way for the folks that are accessing these resources from those devices to actually keep them in a trusted state, which is what we spend most of our time on.

Absolutely.


CAROLE THERIAULT. This is an extensive report, listeners. There's 17 pages in total, and you can get it at kolide.com/smashing. That's Kolide, K-O-L-I-D-E, dot com/smashing. Jason, CEO of Kolide, thank you so much for coming on Smashing Security and sharing your insights.


JASON MELLER. Thank you for having me, as always.


GRAHAM CLULEY. Brilliant. Great stuff. And that just about wraps up the show for this week. Dave, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


DAVE BITTNER. Oh, you can go over to thecyberwire.com and find all of my stuff there. I am also over on Mastodon, no longer on Twitter.


GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. We've also got a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And huge high fives to this episode's sponsors, Panoptica, Vanta, and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show sponsorship info, guest list, and the entire back catalog of more than 345 episodes.


GRAHAM CLULEY. Check out smashingsecurity.com until next time. Cheerio. Bye bye.


DAVE BITTNER. Bye. Bye. Bye. Bye.


CAROLE THERIAULT. Bye bye. My voice is going.


DAVE BITTNER. Did you hear that?


GRAHAM CLULEY. Bye bye.


DAVE BITTNER. Carole, I am so disappointed that I wasn't here on the episode that you talked about Licorice Pizza. Oh, really? Because you hate it. I hated that movie. Oh, I didn't like the premise of it.


GRAHAM CLULEY. It sounded kind of creepy to me. It's not creepy.


CAROLE THERIAULT. You should watch it. It's so great.


GRAHAM CLULEY. Don't think it's creepy. She's a bit old for him.


DAVE BITTNER. 25-year-old woman with a 15-year-old boy.


GRAHAM CLULEY. Yeah. You think that's not creepy, Carole Theriault? I didn't know you then.


CAROLE THERIAULT. Oh, right. Okay. So what? We don't watch anything creepy. We don't read creepy books. We don't expose ourselves to creepy art because we want to live in a weird fricking echo chamber of nothing.


DAVE BITTNER. Okay. Well, there's good creepy and there's bad creepy. And I thought Licorice Pizza and it's nothing to do with the creepiness, actually. Creepy crawly.


GRAHAM CLULEY. Creepy Crowley. Creepy Crowley.

-- TRANSCRIPT ENDS --