Execs at a health tech startup are sentenced to jail after a massive ad fraud, and a school is shaken after teachers are targeted via TikTok.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus don't miss our featured interview with Jason Meller of 1Password.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Outcome, a hot tech startup, misled advertisers with manipulated information, sources say - Wall Street Journal.
- Three Former Executives Sentenced for $1B Corporate Fraud Scheme - US Department of Justice.
- Graham dancing - TikTok.
- Students Target Teachers in Group TikTok Attack, Shaking Their School - The New York Times.
- “Thank you very much indeed”
- Presumed Innocent — Official Trailer - Youtube.
- Presumed Innocent - Apple TV+.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- mWISE - Don't miss the cybersecurity conference built by practitioners, for practitioners. mWISE runs September 18–19, 2024 in Denver.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN. You say no one's paying attention. I think we should blame the patients. I think it's the patient's fault for not spending longer looking at the screens. If they'd paid more attention, then none of these problems would have existed. If the doctors had artificially increased the waiting time, then maybe the patients would have spent longer watching the ads and maybe bought the Viagra-flavoured breath fresheners or whatever it was. That's what they should have done. Smashing Security, Episode 380: Teachers TikTok Targeted and Fraud in the Doctor's Waiting Room with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 380. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole. How are you? Wow.
CAROLE THERIAULT. That's unusual. I don't even know what to say. I'm fine, thank you. How are you, Graham?
GRAHAM CLULEY. I'm gorgeous. Thank you very much.
CAROLE THERIAULT. Okay. Well, as we do this remotely, I don't get to enjoy that glow.
GRAHAM CLULEY. I got married at the weekend.
CAROLE THERIAULT. You did? I didn't know if you were going to say anything.
GRAHAM CLULEY. Well, I did. And you were there.
CAROLE THERIAULT. I was.
GRAHAM CLULEY. Well, at the party. It wasn't like I was marrying you, despite the rumors.
CAROLE THERIAULT. Turns out it was a super spreader. We've already found out someone had COVID at the party.
GRAHAM CLULEY. Oh, don't— some people will find out by listening to this podcast.
CAROLE THERIAULT. Well, let's just hope someone we're both very close to as well.
GRAHAM CLULEY. Oh boy.
CAROLE THERIAULT. Yeah, so fingers crossed. Anything else you want to say about getting married this weekend? Congratulations to you both, by the way.
GRAHAM CLULEY. Thank you very much. No, I'm good.
CAROLE THERIAULT. Okay, let's kick this show off and thank this week's wonderful sponsors: 1Password, Vanta, and the mWISE Conference 2024. It's they that help us give you this show for free. So coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm gonna talk about a billion-dollar fraud that was just waiting to happen.
CAROLE THERIAULT. Billion, okay. And with me, we are heading to middle school to see what the kids are up to when no one's looking. Plus, we have a featured interview with 1Password's Jason Meller, where we look under the hood of 1Password Extended Access Management. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, let me take you across the big pond to the windy city of Chicago, Illinois, where once upon a time there was a company called Outcome Health. And it was a health technology startup founded by a couple of bright-eyed entrepreneurs, Shradha Agarwal and Rishi Shah, not to be confused with Rishi Sunak, who possibly is looking for a new job very, very soon. But the two of them, Agarwal and Shah, along with their sidekick and chief financial officer, Brad Purdy.
CAROLE THERIAULT. Brad Purdy.
GRAHAM CLULEY. Brad Purdy. They set up this company, Outcome Health, and they thought they had a brilliant plan to take the world by storm.
CAROLE THERIAULT. Okay.
UNKNOWN. Right.
CAROLE THERIAULT. Okay, so they're doing health stuff somehow. Okay.
GRAHAM CLULEY. Well, yeah, what their idea was, was doctor's waiting rooms. Now, Carole, you must have been hanging out in a doctor's waiting room from time to time. Maybe after the party the other day, we might have more reason to hang out and go and visit the doctors.
I'm not sure. But their grand idea was, you know, it's pretty boring, isn't it, being in a doctor's waiting room, waiting to be seen by a GP. They thought, well, what we'll do is we will install TVs and tablets in waiting rooms up and down America, thousands and thousands of waiting rooms, and we'll offer them for free, and they'll provide health information, but there will also be, of course, adverts.
CAROLE THERIAULT. For special drugs.
GRAHAM CLULEY. Right. Because you can run educational content on these screens, so that's wonderful, and the doctors will like that, and it replaces all those posters and pamphlets and other things, but, you know, it brings a digital element to this. And we've got this captive audience who can be advertised to.
CAROLE THERIAULT. Let's pause for a second though here. So when I go to the States, I am always absolutely shocked by the medical ads that are peppered across the TV.
I don't even know if that's now. That shows how long I've watched, you know, how long it goes since I watched TV in the States. But, you know, they're all this information about the drug. It's a drug company ad. And I don't know if those are allowed in Europe or in the UK.
GRAHAM CLULEY. Well, certainly in the UK, we don't get to see that, do we? I've noticed as well in America, it seems to have a huge amount of ads on TVs for drugs and medication and things.
I've noticed that the drugs, it appears to be targeted mostly to a demographic of older people. And I wonder if it's more likely that older people watch traditional television adverts, whereas all the youngsters are watching streaming things, maybe with less ads.
CAROLE THERIAULT. Yeah, it's always about hair or stability in the nether regions.
GRAHAM CLULEY. Yes. You want a solid one of those. Anyway, fantastic. Doctor's waiting rooms, captive audience.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. You can play pharmaceutical ads for creaky joints, but you know, you don't have to limit yourself there. You could sell all kinds of things, couldn't you, to people in waiting rooms?
You might sell those universal remote controls for televisions with great big buttons on which you can read without putting your reading glasses on, or bedpans with a built-in karaoke, or compression socks, or musical dentures. There's all kinds of things you could advertise.
So this company, it thought, right, this is what we're going to do. We're going to put the TVs and tablets in there. We're going to sell ads. We're going to make ourselves a huge amount of money. And at one point, this company was valued at $1.2 billion.
CAROLE THERIAULT. For putting TVs in waiting rooms?
GRAHAM CLULEY. Yes, because it was doing so well and it had investments from the likes of Goldman Sachs and Google's parent company Alphabet. They put something like $500 million into this company. What could possibly go wrong?
CAROLE THERIAULT. I don't know.
GRAHAM CLULEY. It turns out quite a lot because instead of building this health tech empire of TV tablet screens, this trio of people— by the way, they were employing hundreds and hundreds and hundreds of people in a great big skyscraper in Chicago. But these people right at the top, they decided to engage in a little game of smoke and mirrors with their clients, investors, their lenders.
CAROLE THERIAULT. Well, they didn't have enough. They didn't have enough money. It wasn't enough.
GRAHAM CLULEY. Well, they were claiming the company was doing much, much better than it really was.
CAROLE THERIAULT. Oh, I see.
GRAHAM CLULEY. Right. Because to make more money, they started selling advertising space that they didn't really have. And they inflated numbers related to how often patients interacted with the screens.
CAROLE THERIAULT. They basically lied. Yeah.
GRAHAM CLULEY. Yes. Some of the advertisers, they said to them, oh, come on, look, you've got to provide affidavits with screenshots showing your ads running in doctors' offices. You know, you said that you're doing this. Will you actually do it?
And what the employees allegedly did at this company was grab a screenshot of an ad from their own PCs, their own computers, edited it to add a timestamp and a doctor's ID number to make them appear genuine. And they sent that to the advertiser saying, here it is on another computer screen. Here it is on a third computer screen.
CAROLE THERIAULT. You're kidding me.
GRAHAM CLULEY. No.
CAROLE THERIAULT. How many times would you have to do that to kind of value yourself at $5.5 billion?
UNKNOWN. Come on.
GRAHAM CLULEY. And advertisers said to Outcome, look, we're really keen to know how well our ads are coming across. So they said, can you run surveys on these screens? Survey the patients, survey the doctors to see how they're responding to the ads. And you'll be surprised to hear that these surveys got very little response from people. Not many people engaged with them.
CAROLE THERIAULT. I used to do surveys. It is nigh impossible to get someone to fill something in.
GRAHAM CLULEY. It's please have chocolates. Just, we won't give you anything. Just please press the button.
CAROLE THERIAULT. We need stats.
GRAHAM CLULEY. We need stats. So this company made up the numbers.
CAROLE THERIAULT. Oh God.
GRAHAM CLULEY. And it just said, well, let's just make the numbers bigger. So if Outcome Health was to be believed, their tablets were the hottest thing since Betty White. And between 2011 and 2017, this fraudulent ad scheme resulted in at least $45 million worth of overbilled advertising services.
And that, of course, artificially inflated the company's revenue figures, enabling the three men to raise $110 million in financing one year, the next year $375 million, the following year $487 million, over and over again. And they were paying themselves hundreds of millions of dollars in dividends going into their pockets.
CAROLE THERIAULT. This is a ridiculous story. You know what? This just shows you that people just don't pay attention. This is so ridiculous. How could someone say, oh, we're so loaded from TVs in waiting rooms? It's just incredible. And no one would do the math?
GRAHAM CLULEY. You say no one's paying attention. I think we should blame the patients. I think that it's the patient's fault for not spending longer looking at the screens. If they'd paid more attention, if they'd bought the goods, then none of these problems would have existed. If the doctors had not shortened the waiting times, if they had artificially increased the waiting times, then maybe—
CAROLE THERIAULT. Oh my God, can you imagine?
GRAHAM CLULEY. The patients would have spent longer watching the ads and maybe bought the Viagra-flavored breath fresheners or whatever it was. That's what they should have done. So what we've got here, advertisers promising prime ad space they didn't actually have. They underdelivered on their campaigns, they inflated the patient engagement metrics, and then they billed their clients as if nothing was amiss.
CAROLE THERIAULT. They're crooks.
GRAHAM CLULEY. And they've now been found guilty of being big fat crooks by a jury. They've been hit with a laundry list of financial crimes, including fraud, money laundering, lying to their own auditor. The once-celebrated CEO, Rishi Shah, he has been sentenced to 7.5 years in prison. Shradha Agarwal, she's been chucked in a halfway house for 3.5 years.
So she'll be contemplating the error of her ways. Brad Purdy, the guy whose name you liked, he's off to prison for 2 years and 3 months. So, the Attorney General who was handling this, they're not impressed either.
They say, yet another reminder, you can't fake it until you make it. It's not acceptable for any business to do this or any technology startup. Just because it's easy to lie with statistics and when you're a digital tech company about how successful you are and what you're doing, don't do it because eventually chances are you will get found out.
CAROLE THERIAULT. Thank you so much, Graham, for that. I'm sure our listeners out there are thinking, oh, I was contemplating doing something this stupid.
GRAHAM CLULEY. Well, it sounds like a fine business idea, doesn't it? Does it?
CAROLE THERIAULT. Does it? Just lying? No, they could have just had a fine business.
GRAHAM CLULEY. Well, no, not that bit. Not that bit. But the initial idea of having screens in doctors' surgeries with ads and things, I mean, it doesn't sound a terrible idea to me.
It's just they got a little bit overenthusiastic maybe and told a few porky pies. Carole, what's your story for us this week?
CAROLE THERIAULT. Okay, Graham, as a parent, any idea what 7th and 8th graders are into these days? These are kids around 12, 13.
GRAHAM CLULEY. Yes. Okay. TikTok. Snapchat, all that kind of stuff, I think.
CAROLE THERIAULT. Right. It's very interesting you say TikTok because I still have not played with TikTok. Have you? I bet you've checked it out a bit.
GRAHAM CLULEY. I have now a TikTok account, although I don't really know what to do with it. But if anyone finds my TikTok account, they can see me doing a crazy dance in Magdeburg, Germany.
CAROLE THERIAULT. Wow, guys, run to that. Okay, but you're right. TikTok is the place. And what kids do on it, as far as I understand, is they make little short videos, set them to cool tunes, share them with their friends, look cool.
So I want you to put yourself in the head of a 12, 13-year-old boy.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And you were chilling at school and, you know, in the caf maybe, right? Eating your poke bowl.
GRAHAM CLULEY. What kind of 13-year-old is this eating a poke bowl? Very sophisticated one.
CAROLE THERIAULT. Well, you know, kids these days.
GRAHAM CLULEY. I would be eating a turkey twizzler most likely, or a Spam sandwich.
CAROLE THERIAULT. Mmm, delicious. Okay, so you hear that your teacher is on TikTok. Mrs. Motz, the Spanish teacher, is on TikTok, and the account is @patrice.motz, which is, okay, your teacher's name.
So you check this out.
GRAHAM CLULEY. Yeah, because it's going to be hilarious. I mean, fancy an old person being on TikTok. How embarrassing is this going to be?
CAROLE THERIAULT. Yeah, right, what's gonna happen exactly? But you soon realize something's a bit odd because on the channel you see a picture of your teacher, your Spanish teacher, Mrs. Motz, but she's not at school, but she's on a beach with her husband and her young children. Then text appears in Spanish over the family vacation photo asking, "Do you like to touch kids?"
GRAHAM CLULEY. Okay, that sounds, yeah, it's not very nice.
CAROLE THERIAULT. So suddenly gets super dark, right? Now, if you saw this as the 12 or 13-year-old schoolboy and this is your teacher, you'd probably be shocked, right? You would think what? This is a total joke?
GRAHAM CLULEY. I don't know, but I think I would probably think this isn't the kind of thing I want to watch on TikTok. I think there'd be a lot of things competing for my attention.
CAROLE THERIAULT. This is your teacher. You may not like Mrs. Motz. You may not like Spanish. Yeah, would you share it with your friends?
GRAHAM CLULEY. Maybe I would show my friends. I can imagine that people would share it with their friends. Yes.
CAROLE THERIAULT. Well, the problem was that Mrs. Motz wasn't on TikTok. This was a fake account created by a student who was about 12 or 13.
Now, according to The New York Times, in the days that followed, some 20 educators, about a quarter of the school's faculty at Great Valley Middle School in Malvern, Philadelphia— this all happened last February— they discovered they were victims of fake teacher accounts rife with things like pedophilia innuendo, racist memes, homophobia, and made-up sexual hookups between the teachers.
GRAHAM CLULEY. So this sounds like it's someone who's got a vendetta against teachers at this particular school.
CAROLE THERIAULT. Well, it's not just one person. Students reportedly took images from the school's websites or copied the family photos that the teachers had posted in their classrooms, and some they found online, maybe on Facebook and that kind of stuff. And they made the memes by cropping, cutting, and pasting photos and then superimposing text.
Known as cheapfakes rather than deepfakes. And it seems that hundreds of students viewed, followed, commented on the fraudulent accounts— of course you would share that.
I would share that if I was 12, 13. Suddenly my teacher was, you know, I'd be going, oh my God, my God, right? I'd find my friends and go, did you see this?
The whole thing, of course, turned into an utter shitshow. The fallout included teachers feeling that they couldn't call out pupils who act out in school because you might have a target on your back.
GRAHAM CLULEY. Oh, I see. Because what you're saying is the teachers were afraid to reprimand children in case they then got some sort of revenge attack on TikTok.
CAROLE THERIAULT. Right. And you would, right?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. I mean, who would want to risk having their family photo associated with some racist meme or some child abuse image? I mean, come on.
GRAHAM CLULEY. Right. Okay.
CAROLE THERIAULT. There is a growing sense of distrust. So Mrs. Motz herself said she described the whole thing as a kick in the stomach that students could so casually savage teachers' families.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And apparently this is a significant escalation of how middle and high school students impersonate, troll, and harass educators on social media. Because before this year, says The New York Times, students largely impersonated one teacher or a principal at a time. But this, they went after 20 of the educators, right?
A quarter of the school was targeted.
GRAHAM CLULEY. Well, it's horrible, isn't it?
CAROLE THERIAULT. There's also concern that social media has helped normalize this kind of anonymous, aggressive posts and memes, leading kids to weaponize themselves, I guess, against adults. You know, it kind of levels the playing field if you were seeing it from their point of view. But there's a worry about kids losing empathy for others, effectively being desensitized to others' feelings because of the online medium, that distance.
So some steps have been taken to address the 22 fictitious TikTok accounts impersonating teachers at the middle school. The punishment was brief suspension for several students and—
GRAHAM CLULEY. Who'd been sharing things, you mean? Those ones?
CAROLE THERIAULT. They briefly suspended several students. It's worded very carefully, so the kids are not identified in all this. And the principal during one lunch period chastised the 8th grade class for its behavior.
But I don't know, I kind of think that they're getting off pretty lightly there.
GRAHAM CLULEY. Well, I think there's— don't you think? There is a difference between being the people who created the content and the people who reshared it.
I'm not saying it's an enormous difference because I think you can be quite guilty retweeting or resharing or forwarding on things. I think that does have a level of responsibility to it and it can be malicious as well, but maybe not as malicious as originating something as well. So I don't know how they would have been able to identify without TikTok's help, or maybe law enforcement's help, who initially created things, but they presumably were able to tell who had liked or who had reshared things or boosted it in the timeline.
CAROLE THERIAULT. And yeah, and these are not mastermind geniuses here. These are a bunch of high school kids who might have gone, yeah, super funny.
In the comments, you might have been able to figure out pretty quickly who did it.
UNKNOWN. Yeah.
CAROLE THERIAULT. How would you stop this? Seriously, this is— I find this super upsetting because who would want to be a teacher?
Who would want to be a teacher?
GRAHAM CLULEY. Well, who would want to be anyone in public life? Because this could happen to absolutely anyone, couldn't it?
It could happen to politicians. It could happen to, you know, the librarian. It could happen to the GP. We were talking about GPs earlier. Anyone who's out there who maybe deals with a lot of people and someone takes, you know, someone has a beef with you or is upset with you or is just for some reason malicious and wants to cause trouble. And they do it by the anonymity of the internet and can spread all kinds of malicious stuff. It's really unpleasant. But yeah, of course, I suppose there will be children who are less, you know, have not ethically matured and so perhaps are more likely to engage in antisocial behavior.
CAROLE THERIAULT. So you've got all these kids. Some sharing, some creating.
My view would be just no phones in schools.
GRAHAM CLULEY. Well, I— well, here in the UK now, most schools are banning phones. So that's the general sort of advice these days.
They're not allowing kids to use their phones inside the schools. I don't know what it's like across America, but it doesn't actually get rid of the problem, though, does it? Because, of course, much of this communication can happen outside of school hours and—
CAROLE THERIAULT. No, no, but it's just the temptation. You've just gone to class, Mrs. Motz yelled at you, you're raging with shame and whatever, you know, decide to show her, you know, who's boss.
GRAHAM CLULEY. So I've got a different take, which is what on earth are TikTok doing about this? Why are TikTok allowing people to post stuff which is slanderous or—
CAROLE THERIAULT. Yeah, totally.
GRAHAM CLULEY. Is going to encourage people to launch hate attacks against others. I imagine what they'd say is people can report posts if they want to and they'll investigate.
CAROLE THERIAULT. You know what I would do? You know what I would do?
Every single student that shared this would have to go on, you know, training on digital citizenship and cyberbullying.
GRAHAM CLULEY. And have their fingers chopped off.
CAROLE THERIAULT. On Saturdays for a month, you know?
GRAHAM CLULEY. Oh, you're ruthless.
CAROLE THERIAULT. Yes, I am ruthless. That's exactly what I would do because it's just not on. Because ultimately what's going to end up happening, the kids are going to just get taught by AI because no one will want to be a teacher and you're going to be sitting in front of a computer with some machine not caring at all what you do.
GRAHAM CLULEY. Boy, oh boy.
CAROLE THERIAULT. Okay, I'm off my soapbox. Think all security conferences are alike? MWISE is different. Built by practitioners for practitioners, MWISE is an intimate community of frontline experts who gather in a trusted setting to hear from leading minds in the industry. It's a place where real talk and serious knowledge are shared generously and where the focus is on practical, tactical solutions that make sense right now.
Brought to you by Mandiant, now part of Google Cloud, MWISE covers what's most relevant to practitioners. That includes session tracks such as AI, cloud security, threats, intelligence, security operations, and more. The conference is vendor-neutral and not sales-focused. Even better, you'll get ample opportunity to connect one-to-one, not only with your peers, but with the experts. Be part of something truly special. Join MWISE from September 18th, 19th in Denver. Get details at smashingsecurity.com/mwise. That's M-W-I-S-E. And thanks to MWISE for sponsoring the show.
GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and improve security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
In a perfect world, end users would only work on managed devices with IT-approved apps, but every day employees use personal devices and unapproved apps that aren't protected by MDM, IAM, or any other security tool. There's a giant gap between the security tools we have and the way we actually work.
1Password calls it the Access Trust Gap, and they've also created the first-ever solution to fill it. 1Password Extended Access Management secures every sign-in for every app on every device. It includes the password manager that you know and love and the device trust solution you've probably heard of on this podcast, back when it was called Kolide.
1Password Extended Access Management cares about user experience and privacy, which means it can go places other tools can't, like personal and contractor devices. It ensures that every device is known and healthy and every login is protected. So stop trying to ban BYOD or shadow IT, and start protecting them with 1Password Extended Access Management. Check it out at 1password.com/smashing. And thanks to 1Password for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. In fact, it's not a Pick of the Week. It's a Nitpick of the Week. Yes, I've dug deep into my nitpick drawers once again. What an unpleasant image that is.
CAROLE THERIAULT. It's funny that you're saying this. You just got married, as you announced at the top of the show, and you already have a nitpick.
GRAHAM CLULEY. It's not a nitpick with my lovely partner. No, it is a nitpick with the English language and a word which I feel should be banned. And it is the word 'indeed'.
CAROLE THERIAULT. Indeed.
GRAHAM CLULEY. Let me explain.
CAROLE THERIAULT. Great telling me this, because you're going to hear it a lot now.
GRAHAM CLULEY. Well, let me explain. In particular, where I have a problem. There's been an election in the United Kingdom. I was following it avidly. I had my popcorn. I really, really enjoyed it enormously. The campaigns— Indeed. All right, stop that.
The campaigns from the different parties. I mean, it was quite captivating. Without getting political here.
CAROLE THERIAULT. Indeed.
GRAHAM CLULEY. There was one party in particular which had an appalling election campaign, and it was truly astonishing, some of the things which would happen. Which made it gripping to watch. So I'd watch the news report and we're going to cross now to our reporter at the, you know, wherever it was.
And they'd go and speak to the reporter at the outside location and then they'd go back, they'd hand back to the studio and the bloody studio presenter would say, well, thank you very much indeed, Brian in Glasgow, or whatever his name was.
CAROLE THERIAULT. Did he indeed?
GRAHAM CLULEY. Yes, Crow. Just stop that. So I don't know why you need to say, "Thank you very much indeed." I think the "indeed" is something which is only said by radio presenters and TV presenters.
CAROLE THERIAULT. Do you indeed?
GRAHAM CLULEY. No one else says, "Thank you very much indeed." It is a filler word.
CAROLE THERIAULT. What a jolly great time.
GRAHAM CLULEY. It is unnecessary. And now I have mentioned it to the listeners of Smashing Security, I expect you all to keep your ears open for this abomination because it drives me up the bloody wall when it is used.
CAROLE THERIAULT. Does it indeed?
GRAHAM CLULEY. So, yep. You're so juvenile.
CAROLE THERIAULT. You're such an idiot. Oh, hand me that on a plate.
GRAHAM CLULEY. And that is my nitpick of the week. Thank you very much.
CAROLE THERIAULT. Indeed.
GRAHAM CLULEY. Oh, I just hate it. I hate it. Carole, what's your pick of the week?
CAROLE THERIAULT. So Apple TV is currently showcasing a new miniseries of an old classic.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. Presumed Innocent.
GRAHAM CLULEY. Oh, that was a Harrison Ford movie or something, wasn't it?
CAROLE THERIAULT. Yeah, yeah. How long ago? 34 years ago. Yeah, yeah, yeah. And it's a tale based on Scott Turow's bestselling legal whodunit.
So in this miniseries, we have Jake Gyllenhaal playing Rusty. And Rusty is the hotshot prosecutor and devoted husband and father who finds himself accused of a fellow prosecutor's murder.
GRAHAM CLULEY. Ho ho ho!
CAROLE THERIAULT. You know, and he is running around going, "Preposterous! This is— No, I had nothing to do with it." But soon we find out that he was embroiled in a big lusty, lusty affair with this now dead lady lawyer.
And so the whole thing, even in the original, was, did it get too heated and did he lose his temper and kill her? Or is he just a philanderer who's being set up? It's juicy. It's a good plot.
GRAHAM CLULEY. And they managed to stretch it out over a TV series, don't they?
CAROLE THERIAULT. Well, it's 8 episodes. It's only about two-thirds of the way through. So I'm taking a bit of a risk here, making it my pick of the week.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. But I'm really liking it.
GRAHAM CLULEY. Whereas I thoroughly investigated the word "indeed" before I made it my nitpick of the week. Indeed, yeah.
CAROLE THERIAULT. The Guardian newspaper gave it only 3 out of 5 stars, kind of saying, "Meh, you know, good acting, but whatever, we know the story." But I'm really gripped because I love how tortured Gyllenhaal is.
He really plays it well. He really does that whole Harrison Ford thing, but his own style of it.
GRAHAM CLULEY. You fancy him, don't you?
CAROLE THERIAULT. No, I don't think I do. I find him kind of scary.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. Yeah, I think I would cross the road if he was walking around the street.
GRAHAM CLULEY. I don't—
CAROLE THERIAULT. Yeah. And also, I love how much the wife, played by Ruth Negga, who I love, but she's a really complicated character.
And, you know, she's talking, she doesn't know what to do. Should she leave? Should she stay? And, you know, she keeps getting updates on the latest twists of what's going on. And it's interesting. Anyway, so it gets my vote. It's a new miniseries on Apple TV+, Presumed Innocent. Make some popcorn, some cocoa, sit down to a proper old-school love triangle mystery thriller. That's my pick of the week.
GRAHAM CLULEY. Thank you very much.
CAROLE THERIAULT. Indeed.
GRAHAM CLULEY. You can just leave it. You can just leave it blank. And Carole, you've been chatting to the folks at 1Password this week.
CAROLE THERIAULT. Yes, I spoke with Jason Meller all about 1Password with extended management. It's very interesting. Check it out. Okay, well, today on Smashing Security, I am chatting about passwords and beyond with the company's very own Jason Meller. Now, Jason Meller used to be the CEO of Kolide and is now VP of product management at 1Password. Welcome to Smashing Security, Jason.
JASON MELLER. Thank you for having me, as always.
CAROLE THERIAULT. So this is not your first rodeo with us. We would love to know if you have any key updates since Kolide and 1Password became one?
JASON MELLER. Yeah, yeah. So last time we spoke was a few months ago. That was before RSA. So RSA is officially behind us. We had a big splash there where we announced that Kolide is part of this new thing 1Password is doing called Extended Access Management. And we're one of the most critical components of it, which is device trust, which is what Kolide has been about for over the last year, which is effectively giving companies the ability to block devices if they're not trusted. And for every company, that could mean something else. It could mean they want only their managed corporate purchase devices to access their most sensitive apps. Or we can go all the way down to the nitty-gritty. You got to make sure that the device is up to date, that the browser's up to date, there isn't anything sensitive on the device. We can take care of all of that. And not only can we stop those devices from connecting to those apps, we can actually get the end user to fix those problems so that they can regain entry. And that's the key to the whole thing, because if you just block people, it makes the IT help desk's phone ring right off the hook. You got to give folks the ability to self-remediate. And that's what Kolide has been about since its founding. That's what 1Password has been about in terms of its relationship between security and the human being. And that's why we work so well together.
CAROLE THERIAULT. You know, I have a few questions about passwords. We've been talking about passwords for— seems to me forever. Do you feel it's still a key element to infosecurity that people still don't really take them seriously?
JASON MELLER. Or, you know, so this is really interesting because I got to go to RSA for the first time, not really as the Kolide CEO, but more in my capacity as just a 1Password employee. I was standing at the 1Password booth; I had the 1Password shirt.
And, you know, while we have this extended access management thing, there are folks coming to the booth because they want to talk about passwords. And I was just absolutely floored by the amount of people— and these are senior leaders from brands that I could say and everybody would recognize— that are still debating whether it's a good idea to have any management around passwords.
Like, oh, is this really— we're unaware that there even is a security product category called enterprise password management. Like, we're still— so we're in the security space. So we think of— we're thinking, you know, 5 or 6 years ahead of the general public.
But there's also, you know, on the evolution curve of how people adopt technology, there's also the laggards. And these are folks that are still coming up to speed on that passwords need to be managed, they need to be managed centrally, their users need software to do that well.
And that we're still in that educational phase. There's still a ton of enterprises out there that don't have a solution for this.
CAROLE THERIAULT. Yeah. And that's really scary even for us that don't work or, you know, run enterprises because a lot of these companies provide services to us and they hold our information, right? So if they have a crack in their security, it can impact us, the customers.
JASON MELLER. Oh, 100%. And so I was grateful to be there, but also really shocked that they're still, you know, it wasn't everybody who came to the booth.
A lot of people were coming to the booth because they actually just love 1Password. I actually got a few hugs out of it, which I've never had in my experience as a B2B software builder.
The fact that there's that much love for 1Password was just as equally shocking to me as it was to hear about folks who just never had heard of enterprise password management. So we see sort of both sides, the super fans who are excited about what we're doing next, and the folks who are coming to the booth in earnest to really understand, oh, I didn't realize that I had to do anything to help my users do the right thing when they're generating and storing passwords.
And they were, you know, they tell stories about their parents and this, you know, oh, I keep my passwords in a notebook. And these are stories I used to tell to my CISO 15 years ago when the stories felt novel and interesting, but they're still happening.
It's still happening out there. It's wild.
CAROLE THERIAULT. You know, we might have some listeners out there who are pretty au fait with password security, and they've set rules, right, inside their organization or their enterprise. And, you know, they're making the assumptions employees follow the rules or they're out. Do you feel that people follow those rules?
JASON MELLER. So here's what I like to say to folks who say that, because everybody has a policy. In fact, if you want to pass SOC 2 or any of these other more modern audits, you have to have a policy in order to have the auditor feel okay with your situation. But many organizations stop at that level.
They define a policy. They have all of their employees and contractors sign it and swear effectively on the Bible that they'll always do the right thing in every circumstance, and then they feel that that is a good mitigating control for whatever that policy is supposed to prevent. But the truth is, if you don't have measurement and enforcement on a policy, you don't have a policy at all.
You really just have a suggestion and maybe an agreement, but in practice, without measurement enforcement, it means that you're really not serious about that policy. And that might be fine depending on what the policy is, but if the policy is one of the tentpoles of your entire security foundation, like good credentials, secure credentials, you have to do better than that. You need to be able to measure, is this really happening?
And when it's not happening, you need to have corrective intervention to make sure that people are doing it. And that's the thing that we do at 1Password is we try to work with our customers to ensure that they're actually using the software and they're using it correctly and to call them out.
And that's where Kolide and now extended access management can also help. We can get folks to understand, is this really being used in the way that you think it is? You've given them the tools, but are they actually using them? And that's the key question.
CAROLE THERIAULT. So how does it work? So you get a kind of centralized report on usage and any problem areas.
JASON MELLER. Yeah. So 1Password today does provide a lot of great reporting. Essentially that's one of the reasons to upgrade to the business tier offerings of 1Password is you get a lot of that centralized reporting.
Now when you combine that visibility with the concepts of device trust that Kolide brings to the table, the key isn't just measurement, it's enforcement. And we believe that the key to enforcement is to produce proportionate consequences when people aren't following the really important rules. And in our case, that means for the apps that we do have control over, we're not going to let you sign into them if you haven't demonstrated that you even have the company-approved password manager, if it's not configured properly, if we know that you're not doing the right thing across many areas of your device and personal security, we're not going to continue to let you access the most sensitive data in the organization.
And that's a proportionate and reasonable consequence for not doing the right thing. And where Kolide can get involved here is we not only can detect that that's happening, but we can help that user get on the straight and narrow and say, hey, you need to install this. And the thing about 1Password that's great is there's so many different ways you can use it.
You don't have to have the big app on your dock. You can have the browser extension and you don't necessarily have to have all the bells and whistles on. You just need the ones that make sure that you're going to do the right thing when you're creating a new login for a SaaS app that doesn't support SSO yet.
CAROLE THERIAULT. Right, right. Now, what kind of companies are using 1Password with extended management? Does it—is there a sector that you focus on, or is it truly multi-sector?
JASON MELLER. You know, I think it's all over the place. So we have a Department of Defense contractor, we have healthcare, we have finance, we have energy, we have a lot of B2B SaaS, and some of these companies are huge and some of these companies are small. So what's the common thread?
These are all companies that want to go beyond just checking that audit compliance box. They understand that we're living in a new era where the tools and the tactics that we were using before to detect and enforce our security program don't really quite work right. And the things that have changed is that many of us are now working hybrid or working completely remote.
That computer that was provisioned to us, I can't tell you the amount of folks that I know just would prefer to use their personal computer, and the one that they got from the company is just in a drawer somewhere. And it's just staying in there and nobody knows that it's not being used.
And so when you're not forcing people to go in the office on a regular basis, some things that felt forbidden are now suddenly not so hard to imagine that they're happening. It would be a far cry for me to feel okay with, you know what, I'm going to make the explicit decision to grab my personal laptop and then physically bring it into the office.
That feels like there's something about that where it's a bridge too far. But when you're working from home and it's just sitting there and you know that the company isn't really putting forth any effort to stop that device from accessing all the SaaS apps anyway, why not use it?
What is the harm? So it's really changed the dynamics of what people think they are willing to do and not willing to do.
GRAHAM CLULEY. Mm-hmm.
JASON MELLER. But we do want to have some rules — does this device even have disk encryption? Is it infected with malware?
Does it have at least an OS update that isn't going to allow it to be owned remotely? Because it's 5 updates behind, these are basic security hygiene things.
And if you can clear that bar, then yes, some of the apps might be okay on that personal device. And that's the level of nuance that these companies want.
They want to take the paradigms and principles of zero trust, which is we should never trust a device until we've evaluated it, and we shouldn't trust the person until we've evaluated their authentication. Let's combine both of those things together.
Let's make a good decision every time that that combination of objects and people authenticates, and then let's get them to the right apps in the right way based on all of that data and context. And that's what we allow you to do.
CAROLE THERIAULT. Mm-hmm.
JASON MELLER. We built this product so that the amount of compromises out in the wild go down because there's many compromises where the root source of it is an end user with a totally unmanaged device doing really, really sensitive work stuff. And it turns out that device gets compromised.
They get credentials, they move laterally in the organization. And then the headlines that are generated from that compromise are embarrassing.
They're, oh, and this employee was just allowed to use their personal device and had all of their credentials on there. They had their password manager on there and the IT team didn't know about it.
Well, most organizations are in that position today, and it's only after the fact when the damaging headline reaches the front page of the newspaper that people are suddenly caring about it. Well, there's now an option to solve this problem holistically and deeply within your organization.
And the question is, do you want to wait for you or your peers to have that moment? Or do you want to take care of it now, recognizing that this now has a much higher chance of happening than it ever did before?
Because the way that we work and your employees work is just fundamentally changed. And we have to do different things now as a result of that.
CAROLE THERIAULT. Yeah, I couldn't have said it better. Is there anything that you'd like to add?
JASON MELLER. No, I just want to say to everybody out there who's listening, you know, thank you for the opportunity to talk about this because this is tough building security products out there that don't quite align exactly with what the top priorities are of every organization. We're building something here that really is different in that it takes the best resource that you have to solve problems, which is your employees, and gets them to solve all sorts of problems across IT and security that they could never do before.
And that is how we are fundamentally differentiating ourselves from anybody else in the device trust, in the zero trust space. We think that empowering end users to be the source of remediation is the key to unlocking this whole category and this whole industry.
And if you believe that too, then you should reach out to us because there's really no one else out there who's made as big of a bet on that as us.
CAROLE THERIAULT. Brilliant. And Smashing Security chums, you can even try it out for yourself, see demos, get questions answered, and there's a special page just for you.
All you got to do is go to 1Password.com/smashing. That's 1Password.com/smashing.
Jason Meller, VP of product at 1Password, ex-CEO of Kolide. Always a pleasure to speak with you.
Thanks so much for your time and expertise.
JASON MELLER. Thank you.
GRAHAM CLULEY. Terrific stuff. And that just about wraps up the show for this week.
You can follow us on Twitter @SmashinSecurity, no G, Twitter wouldn't let us have a G. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favourite podcast apps, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And huge, huge, huge thank you to our episode sponsors, 1Password, Vanta, and the mWISE Conference 2024. And of course, to our wonderful Patreon community.
It's thanks to them all this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalogue of more than 379 episodes, check out SmashingSecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.
CAROLE THERIAULT. I'm surprised you brought up your recent nuptials.
GRAHAM CLULEY. Well, I thought, well, we've got nothing else to say.
CAROLE THERIAULT. Do you want to mention a present that maybe a fellow podcaster gave you?
GRAHAM CLULEY. No, not really.
CAROLE THERIAULT. Are you sure?
GRAHAM CLULEY. No, I don't want to mention it. It's really highly—
CAROLE THERIAULT. I'm not talking about me.
GRAHAM CLULEY. No, no, no.
CAROLE THERIAULT. I gave you a very elegant gift.
GRAHAM CLULEY. Yes. Yeah. Listeners, if you've made it this far in the podcast, all I can tell you is that the hosts of the Host Unknown podcast sent me and my new wife a very particular present. And I wasn't entirely sure how it was supposed to be used.
I actually imagined you had to hold it by the opposite end to which was the correct one. I thought it was some kind of electric shoehorn.
CAROLE THERIAULT. A smart electric shoehorn.
GRAHAM CLULEY. I'm—
CAROLE THERIAULT. What every above 50-year-old man needs.
GRAHAM CLULEY. It was very, very large.
CAROLE THERIAULT. It's still large.
GRAHAM CLULEY. That's all I can tell you.
CAROLE THERIAULT. Right?
GRAHAM CLULEY. It's still, well, yes. Yeah. I don't think we need to go into details.
Oh, okay. But, you know, thanks Thom, Jav, and the other guy.
-- TRANSCRIPT ENDS --