This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

---

---

GRAHAM CLULEY. I'm just always a bit suspicious of anybody who has a surname which is actually also a first name.

---

CAROLE THERIAULT. Fascinating.

---

GRAHAM CLULEY. Fascinating stuff.

---

CAROLE THERIAULT. I've missed this so much. I've missed this so much.

---

UNKNOWN. Smashing Security, episode 383, The Godfather Club and AirTags to the Rescue with Carole Theriault and Graham Cluley. Hello, hello. Welcome to Smashing Security episode 383. My name's Graham Cluley.

---

CAROLE THERIAULT. And I'm Carole Theriault. Did you guys miss us?

---

GRAHAM CLULEY. We've been on our holidays and we're back. So, Carole, you're not in your usual place.

---

CAROLE THERIAULT. No, secret mission.

---

GRAHAM CLULEY. You're on a top secret mission and might be for a while.

---

CAROLE THERIAULT. Yep.

---

GRAHAM CLULEY. Good luck with that mission.

---

CAROLE THERIAULT. Don't worry, the Yeti is still onside.

---

GRAHAM CLULEY. That's the important thing.

---

CAROLE THERIAULT. So let's kick this show off and thank this week's wonderful sponsors: 1Password, Sysdig, and Material. Now coming up on today's show, Graham, what do you got?

---

GRAHAM CLULEY. I'm going to be exploring a very 21st century way of catching a thief.

---

CAROLE THERIAULT. Mm, and I'm going to investigate just why is this hottie so into you. Plus, I had a chat with Maya Levine from Sysdig. She's a product manager there, and this is a company on a mission to make every cloud deployment secure and reliable. All this and much more coming up on this episode of Smashing Security.

---

GRAHAM CLULEY. Now, chums, nothing much happens in Los Alamos, New Mexico. Carole Theriault, are you familiar with Los Alamos? Have you ever been there? Have you ever heard of it?

---

CAROLE THERIAULT. Mm, heard of it. Know nothing about it. Educate me.

---

GRAHAM CLULEY. Do you know why you've heard of it? Because in the 1940s is where the US authorities developed and detonated the world's first ever nuclear weapons. That's the only reason why you would have heard of Los Alamos, I suspect.

---

CAROLE THERIAULT. Is it a fancy suburb now with loads of really rich houses or no one lives there at all?

---

GRAHAM CLULEY. Well, it's a fairly sleepy, dull town by all accounts. The biggest news might involve a pair of mismatched socks. Not much goes on there. As far as I know, there aren't any mutant pigeons or anything as a result of those nuclear tests way back when. But in the last few days, the headlines in Los Alamos have been shaken by a big story, a saga of thievery. Easy for me to say.

And our story begins when there was a fed-up victim, someone who kept on discovering that their mail was being plundered. Their mail was being stolen. So they had a mailbox at the local post office, and they were expecting things to be delivered, and they didn't show up. And they were really determined to find out who was responsible. And so they hatched a cunning plan.

And what they did was they decided to mail themselves something. And what they did was they put in the mail, addressed to themselves, that tiny technological wonder, known as the Apple AirTag.

---

CAROLE THERIAULT. So what do you mean they put— Okay, I don't understand. Okay.

---

GRAHAM CLULEY. Yeah, so they put an AirTag into an envelope, presumably a padded envelope or something, or some sort of package. They dropped it in the post to themselves. So it was going to get sent to their mailbox. And then they could find out where their mail went, if again, it was stolen. And so—

---

CAROLE THERIAULT. So this is not one letter going missing, but all their mail.

---

GRAHAM CLULEY. A lot of their mail was going missing. I guess the interesting-looking mail. Maybe not the boring mail. Maybe not the water bills. No one cares about that.

---

CAROLE THERIAULT. The ones with a little pretty picture on the outside with a little heart or something.

---

GRAHAM CLULEY. None of those ones offering you cruises around the Antarctic or, you know, all the junk which you receive. Well, one Monday morning, the trap had been set. And so this woman, she mailed herself this package containing the AirTag, essentially turning her parcel into a sort of like a homing beacon. So wherever it went, she'd be able to find out where it went, right? And the thieves took the bait.

She went to go to her mailbox, there it's not there. Where's the mail? I should be receiving my— why haven't I received my mail? Is it because the mail service is rubbish or is it because someone has stolen it? Well, the AirTag provided, of course, the real-time coordinates, and it turned out that the stolen package led police deputies— I love this thing about deputies. We don't really have deputies, do we? In the UK.

---

CAROLE THERIAULT. No. So they're second in command deputies, is that right?

---

GRAHAM CLULEY. That's right.

---

CAROLE THERIAULT. Yeah.

---

GRAHAM CLULEY. And they went to the coordinates and they arrested a couple of people. They arrested Virginia Francesca Lara and Donald Ashton Terry. Now, there's a couple of things already a bit suspicious about those names. I don't know if you've noticed.

---

CAROLE THERIAULT. Yeah, they sound completely made-up names to me. I don't even believe they exist.

---

GRAHAM CLULEY. It could just be a random name generator, couldn't it? Yeah. Both of them have surnames which are actually first names. I'm just always a bit suspicious of anybody who has a surname which is actually also a first name.

---

CAROLE THERIAULT. Fascinating.

---

GRAHAM CLULEY. Fascinating stuff.

---

CAROLE THERIAULT. I'm sure you'll— I've missed this so much. I've missed this so much. Okay, cracking on.

---

GRAHAM CLULEY. Anyway, early morning, 7:17 in the morning, in fact, on East Sunrise Drive in Santa Maria, a nearby little town. The sun was shining, the birds were chirping, and these two unsuspecting individuals were blissfully unaware that their light-fingered adventures were about to come to a screeching halt because these deputies—

---

CAROLE THERIAULT. Did I write this?

---

GRAHAM CLULEY. Hmm?

---

CAROLE THERIAULT. You never use this many adjectives when you talk. This is ridiculous.

---

GRAHAM CLULEY. The squirrels were scrambling around the beautiful trees, but everything was going to come to a screeching halt because these deputies, they came along, caught them red-handed with the victim's mail, and they also found a treasure trove of other stolen post from over a dozen other victims. So it turns out—

---

CAROLE THERIAULT. So what, they're just taking them out of mailboxes or what?

---

GRAHAM CLULEY. Well, what it could be is maybe they've got a link to the post office where the mailbox is. Maybe they've been able to access it that way. It's a little bit unclear as to whether the mailbox is actually at the home of the person who wanted the AirTag, or whether it is at the post office. It's unclear what kind of mailbox we're talking about.

---

CAROLE THERIAULT. Okay, so they're just stealing— we don't know how they steal it. They steal all this mail from everybody. And what are they looking for?

---

GRAHAM CLULEY. Allegedly.

---

CAROLE THERIAULT. Allegedly. Allegedly.

---

GRAHAM CLULEY. Well, what they're after probably is— I'm sure we all remember the story about my lost Amazon delivery of the iPhone. So high-value items are being put in the post all the time these days. These are the days of online e-commerce when you're buying all your technology, you're buying expensive things, they're coming through the post rather than you going to department stores.

---

CAROLE THERIAULT. And so are they coming in the post?

---

GRAHAM CLULEY. Yes.

---

CAROLE THERIAULT. Expensive items, we're doing it through couriers, whether it's signed, sealed, or—

---

GRAHAM CLULEY. Yes, but they're still going to deliver it to somewhere, aren't they? They're going to deliver it to a mailbox wherever you've chosen, because you're out at work or whatever, wherever you want them to leave it.

And so it depends on what your particular setup is. But sometimes it will be the mail service which is doing this, sometimes it will be couriers or whoever it is, but the point is that people are intercepting deliveries. They're stealing packages because they think, well, once we've done this, we'll sell it on the black market, we'll chuck it on eBay, we'll try and make ourselves some money, and maybe the big tech companies will just take it on the chin.

---

CAROLE THERIAULT. I wonder what they were charged with. Is the felony opening someone else's mail or theft or?

---

GRAHAM CLULEY. So they've been charged with intent to commit fraud, fictitious checks. So maybe some of the information they were able to grab from the post allowed them to commit identity theft, credit card theft, conspiracy as well.

Terry, the man, has also been charged with burglary, as well as credit card theft, identity theft, and so on and so forth. But I think what we're seeing now is people being more inventive with their use of technology to confront criminals, to deal with these sort of situations where you have things taken from you. So the sheriff's office, they've been commending this victim, saying, you know, really ingenious, your use of technology.

---

CAROLE THERIAULT. Oh, you mean the fact that she used an AirTag? To prove what was going on, right?

---

GRAHAM CLULEY. Yeah, they put out their little press release. They said this is really clever and everything, and also what they really appreciate is that she didn't go round to the address and face them face to face.

---

CAROLE THERIAULT. She didn't go in with her guns blazing like Arnie style.

---

GRAHAM CLULEY. Exactly. Because if someone's committing criminal acts, which has been alleged here, then there is the potential that they won't take very kindly to you coming up the drive and saying, 'Oi, what are you doing?'

So instead she went straight to the police with the information, who actually went and investigated. She left it to the professionals.

---

CAROLE THERIAULT. And everybody gets good PR.

---

GRAHAM CLULEY. Everyone gets good PR. The only bad news is for this chap Terry — he's been hit with a bail bill of $460,000.

Huge amount. Half a million dollars is his bail because it's been suggested he's been up to so much not-goodery, whereas Lara has only been hit with a $50,000 bail bond. But this is the thing, right? AirTags — AirTags, fantastic for tracking lost items, but they can also sadly be used for tracking living humans as well.

And it struck me that if you were stealing post which contained an AirTag, there is a chance that the AirTag will actually give the game away, because they have built into these things these days a method to actually warn people that they are being stalked, that there is an unknown tracker following them. So if you pick up an AirTag which is owned by somebody else and is not paired with your Apple iPhone, your iPhone after a while will give you a little alert saying, "Huh, seems to be an AirTag near you," and you might even hear the AirTag begin to beep occasionally as well, which makes it a not great device for tracking someone.

So great if you want to stop stalking. Not so good if you want to find something, or if you want to track where something which has been stolen from you has gone. Do you see what I mean?

---

CAROLE THERIAULT. If there's someone with ears and a phone in the vicinity.

---

GRAHAM CLULEY. Well, who hasn't got a phone? Who these days is going anywhere without a phone?

---

CAROLE THERIAULT. I'm assuming that's rhetorical. I don't know.

---

GRAHAM CLULEY. Well, most people are carrying a phone.

---

CAROLE THERIAULT. I don't think I'm used to our show anymore. I find it all a bit strange. Yeah, no, I don't know. I was looking into AirTags for my cat, you see. I thought that would be really useful. They're huge. They're too huge. And then, you know, she's an indoor-outdoor cat. So, you know, she gets caught somewhere. Big AirTag. I don't know. Anyway.

---

GRAHAM CLULEY. Yeah. I don't necessarily think they're great for pets, but people do slip them into the handbags of ex-girlfriends or into people's cars and things if they want to track things.

---

CAROLE THERIAULT. I know loads of parents that do it to their kids.

---

GRAHAM CLULEY. Really? Yeah.

---

CAROLE THERIAULT. Yeah. Well, I'm just thinking they do have a phone. They're not going to leave that behind. You're going to know already where they are.

---

GRAHAM CLULEY. The thing is, it can get complicated because if you have someone in your close proximity, if you have someone riding in your car and they're carrying something that's tagged. So my son, for instance, right, his mum has put an AirTag into his school satchel thing. So if I'm driving him around in the car and his AirTag is not connected to my phone, I get warned that there's an unknown tracker following me. And it's yeah, it's my son next to me. And although I can say, stop those annoying warnings for a day from coming up because I don't care about the unknown tracker, there's no way to permanently shut it off. It'd be really nice if there was a way to mark that individual tag as just ignore that one forever. So I don't have to worry about it.

---

CAROLE THERIAULT. Yeah, totally. Because I could piggyback on your son's AirTag and add another AirTag into your whatever, car or whatever.

---

GRAHAM CLULEY. You'd just be getting these warnings going, "Oh God." Or the other scenario is maybe you catch a coach each day or you catch a train each day and there's some random guy who gets on the train at the same time as you and he's got a tag. And so again, you begin to think that there's someone tracking you, but in fact it's just a guy in the vicinity. And wouldn't it be handy if you could say, "Just don't worry about that one." And the other issue with these AirTags is, well, up until very, very recently, this has really been an Apple thing, right? The Apple AirTag is considered the sort of premier tracking device for lost devices and the rest of it. But Androids didn't really work with it. And of course, many, many people have Androids rather than iPhones. But there is, I can tell listeners, there is an Android app which is actually written by Apple and developed by Apple in the Google Play Store called Tracker Detect. So if you want to find out if someone has left an AirTag in your vicinity, you can open Tracker Detect on your Android phone and ask it to scan for trackers, and it will tell you if there's anything nearby which isn't paired with your devices. Now of course you've got to prompt it to do that, which is kind of inconvenient compared to how Apple phones just warn you if you're being tracked. And it also doesn't track other kinds of trackers those ones from Samsung or Tile and others. But the other good news is earlier this year Apple and Google teamed up to create an industry specification designed cross-platform, cross-industry to detect unwanted location trackers, making it possible to alert users on both iOS and Android if they're being tracked. They announced this, I think it was in May. It's in the latest versions of iOS and it's beginning to roll out on Android as well for some users. It's not completely gone global yet.

---

CAROLE THERIAULT. Question.

---

GRAHAM CLULEY. Yes.

---

CAROLE THERIAULT. Does it include apps that might be surreptitiously installed on said person's phone?

---

GRAHAM CLULEY. No, no. This is purely for sort of the hardware location trackers. So anything on your phone, that's going to have to be handled by something different.

These are for these tags, which you might attach to your cat or put inside your suitcase instead. Now that sort of warning sounds great to me for people who are worried that they may be being stalked, but it's pretty lousy, of course, for people this woman in Los Alamos who wanted to work out who was stealing her mail.

So it's swings and roundabouts, this. What you gain in one area, you lose in another.

This is the problem. These anti-tracking notifications can inform the thief as well as the person who's being stalked.

By the way, my wife says I'm not very good at saying the word thief. She says I've got some sort of speech defect.

---

CAROLE THERIAULT. Are you trying to say teeth?

---

GRAHAM CLULEY. Thief. Apparently I don't say the F on the end of thief.

I should say thief, she says, rather than thief. Is it bad? I don't know.

---

CAROLE THERIAULT. I'm staying out of that for obvious reasons.

---

GRAHAM CLULEY. Carole, what's your story for us this week?

---

CAROLE THERIAULT. Okay, so I'm going to set the scene. I'm going to make you, Mr. Cluley, be our protagonist here.

But you have to cast your mind back to when you were a single man.

---

GRAHAM CLULEY. Okay.

---

CAROLE THERIAULT. One looking for a little romance.

---

GRAHAM CLULEY. All those weeks ago. Yes.

---

CAROLE THERIAULT. Yeah. Perhaps looking for a hot flame to warm your wrinkly cockles. Something that.

---

GRAHAM CLULEY. My cockles are—

---

CAROLE THERIAULT. See, everyone knows that AI didn't write that, Graham. Everyone knows.

And what does one do in modern times if one wants to launch the search for passion? You hit the apps, right? You go online dating, don't you?

---

GRAHAM CLULEY. That is what the young people are doing, isn't it?

---

CAROLE THERIAULT. That's what you did. You're not that young.

---

GRAHAM CLULEY. It's what I did. Yeah, yeah.

Well, I count myself as a young person still. Really? Yeah.

---

CAROLE THERIAULT. So imagine you, Graham, you're on one of these many popular dating apps, whatever. So, you know, Tinder, Bumble, Hinge, OkCupid, whatever.

And you meet this attractive woman.

---

GRAHAM CLULEY. Yes.

---

CAROLE THERIAULT. And you're, "Ooh, she looks interesting." And it's your lucky day because she doesn't swipe left or whatever you do, right?

She seems to be into you.

---

GRAHAM CLULEY. Excellent.

---

CAROLE THERIAULT. And I mean, you have to admit you're, you know, maybe not, I don't know. I don't know how to say this.

---

GRAHAM CLULEY. No, go ahead. Just say what you're thinking.

---

CAROLE THERIAULT. No, I'm just saying, let's say you thought she was a 9.5 out of 10, right?

---

GRAHAM CLULEY. Yeah. Okay.

---

CAROLE THERIAULT. And you would maybe consider yourself a what, do you think?

---

GRAHAM CLULEY. No, I'm interested in what you think.

---

CAROLE THERIAULT. 7.5? 7.9?

---

GRAHAM CLULEY. I think that's very generous.

---

CAROLE THERIAULT. Okay. So, but she's into you and you're kind of, so you might be thinking, what's going on here?

Is this a scam or something? Is this feeling a bit weird? So what was—

---

GRAHAM CLULEY. Or maybe she's just very deep. Maybe she's seen my inner beauty.

Maybe that's what she's seen.

---

CAROLE THERIAULT. So as you're an expert here, so what would you do at this stage, right? Just to make sure, because you're kind of thinking she's out of my league.

So why is she interested in me? So what would you go and check?

---

GRAHAM CLULEY. Oh, well, I'd probably do a little bit of OSINT, a little bit of open source intelligence. I'd be Googling around, I suppose.

---

CAROLE THERIAULT. Yeah, reverse image search, maybe?

---

GRAHAM CLULEY. Yes, exactly. So we'd look up her image, see if it's attached to her name. Maybe we'll look at her LinkedIn profile, something like that. Maybe look up her on social media, see if she's left any reviews on any restaurant websites. See if she— I may be able to get an indication of how she expects to be looked after and maintained if she goes to lots of beauty salons or something like that. You know, if she's leaving reviews of all sorts, you know, all I would guess.

---

CAROLE THERIAULT. Okay, so you're going deep, deep, deep. I was thinking more— I'm just thinking more they haven't asked me for money. Reverse image search reveals nothing's fake, for example, in this situation. She doesn't live abroad. She doesn't have a dangerous job. Hang on.

---

GRAHAM CLULEY. Hang on. The image search doesn't find anything at all? So I can't find any—

---

CAROLE THERIAULT. No, it does.

---

GRAHAM CLULEY. Oh, okay. So it's not a fake image. That would be a red flag to me is if there's no one who looks like her out there at all, then I'd think, hmm. How many fingers has she got, you know?

---

CAROLE THERIAULT. Okay, so the lady you found online passes this test of yours. Excellent. And she wants to meet you in person, and she's asked you, Graham, to visit, you know, a well-known area in town. So it's not go down to this dodgy place, or it's in public, you know, nice place. So you get there, right, Mr. Cluley getting there?

---

GRAHAM CLULEY. I'm feeling very bold if I did that. I'd certainly demand a few games of Scrabble online first before we did anything like that. But all right, so I'm feeling bold. Yeah, I'm feeling brave.

---

CAROLE THERIAULT. Yeah, you meet her. She's looking as good as she did on the online, right?

---

GRAHAM CLULEY. I'm looking 7 point, if I'm lucky. Yeah.

---

CAROLE THERIAULT. You suggest the nearby Pizza Express, you know, because you're a class act, but she insists on going to this higher-end place. Let's say it's called the Godfather Lounge.

---

GRAHAM CLULEY. Hang on. Godfather Lounge.

That begins to worry me. Is it called the Godfather Lounge because they've got meatballs stuck inside their inner cheeks and they're talking like Marlon Brando with his cotton wool? Is it some sort of criminal establishment?

---

CAROLE THERIAULT. Well, interesting you should say that. You tell me. So, you know, you're not a super wealthy guy. I mean, you're wealthy, but maybe 7.5, right, on the wealthy scale?

---

GRAHAM CLULEY. Well, not compared to Geoff Bezos. No, I'm going to be 0.000001, aren't I?

---

CAROLE THERIAULT. Okay, so you check the menu. You check the menu at this place, The Godfather Lounge, and it's pricier than Pizza Express, but you know, it's not insane, and you've saved for the situation, and you don't want to come off as cheap because, you know, she's a good 9.8. So you sit down. You sit down. You ogle each other because she, you know, she's hot.

---

GRAHAM CLULEY. Are there tablecloths in this joint?

---

CAROLE THERIAULT. Yes, yes, it's The Godfather Lounge.

---

GRAHAM CLULEY. Oh, sorry, sorry, of course it is. Of course there's tablecloths. I imagine they have to wash them every night to clean up all the blood.

---

CAROLE THERIAULT. She's looking at you, probably fascinated with your ginormous eyebrows, right? And you look at the menu, you look at the menu, and it's a bit more than you expected, but it's okay. It's okay. You order your favorite. You're ordering a cranberry juice on ice, right? And she orders a drink you've never heard of. You know, do you know what a Negroni is or a Sidecar or a Julep?

---

GRAHAM CLULEY. I know they're all cocktails. I wouldn't know what goes in them.

---

CAROLE THERIAULT. Exactly. So you have no idea. You're like, okay, fancy schmancy, whatever. Anywho, you're sitting there sipping your drinks, eyebrow waggling. And she pops off to the loo, right, to check her lippy.

---

GRAHAM CLULEY. Okay.

---

CAROLE THERIAULT. And comes back and, Graham, it's drama, drama. She comes back all panicked saying, "Sorry, sorry, sorry, emergency at home. I'm so sorry. I gotta go. I gotta go." And she dashes off.

---

GRAHAM CLULEY. Leaving me with the bill.

---

CAROLE THERIAULT. Leaving you with the bill.

---

GRAHAM CLULEY. Is this a scam? Is it just nobody actually goes?

---

CAROLE THERIAULT. No, it's just a fun story. I thought I'm gonna ease myself into Smashing Security. Forget the security angle. Just go with some love thing. Yes, there's a scam coming. Good. So she dashes off, right? And you're sitting there. And then, of course, you're presented with a bill, as you predicted. And so looking at the menu, you could kind of work out that it'd probably be about whatever. Let's say you expected to pay 20, 30 quid. The bill is 600 quid. Yeah.

---

GRAHAM CLULEY. Right.

---

CAROLE THERIAULT. Okay.

---

GRAHAM CLULEY. Have we eaten anything at this stage? Has this just been the drinks?

---

CAROLE THERIAULT. You just had your cranberry soda, right? And she's ordered a few drinks.

---

GRAHAM CLULEY. That's quite expensive.

---

CAROLE THERIAULT. A few shooters, maybe a few shooters. Yeah, it's expensive.

---

GRAHAM CLULEY. It's quite expensive.

---

CAROLE THERIAULT. It's quite expensive, right? So what do you do now? So you're in this Godfather lounge. What do you think happens?

---

GRAHAM CLULEY. I'm terrified. What do the waiters look like? Are they heavies? Are they— have they got cauliflower ears?

---

CAROLE THERIAULT. You get some staff and bouncers cracking their knuckles, shifting their stance to more imposing.

---

GRAHAM CLULEY. But wouldn't you leave a bad review on TripAdvisor? To the restaurant afterwards, warning, 'cause I would definitely have to— Would you?

---

CAROLE THERIAULT. Would you?

---

GRAHAM CLULEY. Yes, but—

---

CAROLE THERIAULT. Godfather Lounge.

---

GRAHAM CLULEY. Well, yeah, but if— Godfather Lounge.

---

CAROLE THERIAULT. Okay, you might.

---

GRAHAM CLULEY. You don't think I should? You don't think I should?

---

CAROLE THERIAULT. No, I was just questioning whether, 'cause I know you are a committed runner, right? You've talked about that in the show before. Would you just try and escape, you know, lightning fast, Clark Kent style?

---

GRAHAM CLULEY. I don't think I'm quite as fast as Clark Kent. No, I'm not Superman.

---

CAROLE THERIAULT. Okay.

---

GRAHAM CLULEY. So, and I'm also, I'm not very lithe, to be honest. I'm not sure, I'd have to sort of oil myself down in cod liver oil or something, you know, just to slip past.

---

CAROLE THERIAULT. Yeah. What do you think the scam is?

---

GRAHAM CLULEY. Well, the scam is that she's obviously in cahoots with the restaurant. Her job is attract gullible podcast hosts to come on a date. And then cough up an inordinate amount of money when she's just run off, probably to get the next guy in the door.

---

CAROLE THERIAULT. Yes, this is called being tabled. And journalist Deepika Bhardwaj took to Twitter to expose the scam just last week. Our journalist accuses this upscale Mumbai club, the Godfather Lounge, and other nearby high-end drink places of being kind of, I guess, grand poobahs of this scam. The girls seem to be responsible for luring in the tables, or the victims, the male dates.

---

GRAHAM CLULEY. Yeah.

---

CAROLE THERIAULT. And reportedly get 15 to 20% of the total bill as a kickback. So it's if y'all have 15 drinks, 15 shots. And in some ways, this seems really old school to me, right? Get some hot women to lure men into clubs, then fleece them for all you can.

---

GRAHAM CLULEY. Oh no, that's never happened before, Carole. That's— it's never happened that a beautiful woman has scammed a gullible, overweight, middle-aged man.

---

CAROLE THERIAULT. And thanks to this online spotlight, because of this journalist, the authorities are now investigating this club. So typically, we— I think we think of romance scam victims as being women, don't we, as the prime target, not men. Would you agree with that?

---

GRAHAM CLULEY. Oh, that's interesting, actually. I wonder what I do think. No, I think— I think it's pretty much even.

---

MAYA LEVINE. Hmm.

---

CAROLE THERIAULT. Well, I always thought it was more women that were the big prey for this. But it turns out, according to Barclays Bank, published a report late July, right, a few months ago.

And they say, yes, romance scams are definitely on the rise. But 60% of the reports were made from male victims and 40% from women. However, women lose 2.5 times more money than men do. So men might give you 50 quid and say, go to the movies. Women are they're, let me save you forever.

---

GRAHAM CLULEY. Right, right. And I think there are a lot more men on dating apps than women as well, is the impression I've always had.

---

CAROLE THERIAULT. They also say that 1 in 3 are more open to dating during the summer months. So you guys in the Northern Hemisphere, if you think you need some love in your life, you better get your skates on or your roller skates on.

Not winter yet. And if you are doing all this and you want to do your due diligence, check the episode show notes. I'm sharing a few checklists to make sure you're as safe as possible when you're navigating these dangerous dating waters.

---

GRAHAM CLULEY. It's a great reason, though, isn't it, to say to your date, oh no, let's go to KFC or Burger King.

---

CAROLE THERIAULT. I want to make sure you're not scamming me.

---

GRAHAM CLULEY. Exactly. I'm going to go somewhere really cheap and nasty. Rather than that Swiss restaurant that you fancy.

---

CAROLE THERIAULT. Okay, but if it's a first date and you're fancying the person, you might do some smoochy-woochies.

---

GRAHAM CLULEY. On a first date, Crow?

---

CAROLE THERIAULT. With KFC breath? Barf.

---

GRAHAM CLULEY. Does your email security solution fit your alert budget? Relying on built-in controls or traditional blockers will inevitably lead to more noise than your instant response team can handle. Well, Smashing Security takes a pragmatic approach to email security, stopping new flavors of phishing and pretexting attacks before reaching the user's mailbox, while searching through everyone's mailbox for similar messages in a campaign.

What gets surfaced to your team are the highest-value cases to investigate, with all the context and reach consolidated into a single view. Remediations are a breeze with Material Security.

So go try it out for yourself at smashingsecurity.com/material. That's smashingsecurity.com/material. And thanks to Material Security for supporting the show.

Modern threat actors have weaponized cloud automation to accelerate taking only 10 minutes to fully execute an attack in the cloud. As organizations continue to shift into larger and more complex cloud estates, legacy detection and response frameworks are no longer sufficient at stopping cloud attacks.

Well, Sysdig delivers fast and effective multi-cloud detection and response, or CDR, capabilities to empower analysts against these accelerated and complex cloud threats. Powered by Falco, analysts gain the visibility, context, and real-time security capabilities traditional EDR and on-prem tooling fail to deliver.

Learn more about how to stop advanced attacks at cloud speed. Visit smashingsecurity.com/sysdig for more information. That's smashingsecurity.com/sysdig. And thanks to Sysdig for supporting the show.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back. Can you join us at our favorite part of the show? The part of the show that we call Pick of the Week.

---

CAROLE THERIAULT. Pick of the Week.

---

GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

---

CAROLE THERIAULT. Better not be.

---

GRAHAM CLULEY. Well, my Pick of the Week this week is a bit of a nitpick actually. So my wife's been watching a show on Amazon Prime.

I'm sure you've heard of it, Carole, called The Boys. Yeah, you've seen The Boys?

---

CAROLE THERIAULT. I don't like it. I'm not a big fan of it.

---

GRAHAM CLULEY. Well, you know what? I've got a bit— I enjoy elements of it, but sometimes it goes a bit over the top, doesn't it?

It's very gory and it's also kind of pervy. It's also a bit— I find it a little bit— maybe I'm just too old for it.

---

CAROLE THERIAULT. Yeah, it's just not my thing at all. I'm not into the Marvel stuff though. I'm not into any of the superhero stuff.

---

GRAHAM CLULEY. Well, it's got a bit of a twist on the regular superhero thing because the central premise is that there's this corporation which basically owns all the superheroes and they're adored by the public, but in reality, the superheroes are really dreadful human beings. And I like that bit of it, but there's something else which, other than the sex and the over-the-top gore, which really pulls me out of the drama.

And that is one of the actors. So there's an actor in it, Karl Urban. You may remember him.

He played Bones in the Star Trek movies, the modern Star Trek movies. Probably aren't that modern anymore. And he plays a character called Billy Butcher in The Boys.

---

CAROLE THERIAULT. The guy with the beard.

---

GRAHAM CLULEY. That's right. Yep.

---

CAROLE THERIAULT. Yeah. Yeah.

---

GRAHAM CLULEY. And he's known as Monsieur Charcuterie by the character Frenchie.

---

CAROLE THERIAULT. He's Riker. He's Riker from Star Trek.

---

GRAHAM CLULEY. No, no. That's Jonathan Frakes is Riker.

---

CAROLE THERIAULT. No, I'm not mixing up the actors. I'm saying he's playing that kind of character, don't you think? The big kind of beardy.

---

GRAHAM CLULEY. Wait, they've both got big beards? Yes. Is that what you're saying?

---

CAROLE THERIAULT. I like the hirsute gentleman. So, you know.

---

GRAHAM CLULEY. Yes. Okay. All right. Yes. So anyway, the issue I've got with Karl Urban playing this character of Billy Butcher is that his accent is nothing I've ever heard before. I was watching—

---

CAROLE THERIAULT. It's the worst.

---

GRAHAM CLULEY. It's terrible. I was watching it and I thought, is he American? Is he meant to be British? Is he Australian? And I actually had to search on the internet to find out what this character was supposed to be, because I couldn't work out what on earth accent is that meant to be.

And apparently he's speaking with a Cockney accent, according to the internet, from the East End of London.

---

CAROLE THERIAULT. Yeah, just, just, I know. My husband watches it occasionally. The accent is terrible.

---

GRAHAM CLULEY. It is terrible.

---

CAROLE THERIAULT. Terrible, terrible.

---

GRAHAM CLULEY. Just so listeners at home can appreciate this, I'm going to play you a little bit of audio. Oh, there he is. You were spot on about him. There I was filling up the motor, I turn around, the little git had done a runner. There he was, filling up the motor. It's even bad by Guy Ritchie standards. I've never heard a Cockney accent this ever before in my life, and for that reason, this accent and the fact that it's completely making it impossible to watch this show if it weren't even for the sex and the gore as well.

That is my nitpick of the week. Whoa.

---

CAROLE THERIAULT. Okay.

---

GRAHAM CLULEY. Carole, what's your pick of the week?

---

CAROLE THERIAULT. I'm chilling out with a family member the other day, right? And I can see something her hair, kind of around her eyes or whatever. And they're these little wee nodes in front of her ears.

---

GRAHAM CLULEY. What do you mean wee nodes?

---

CAROLE THERIAULT. I don't know. So I'm, what is that? And she's, oh, I'm listening to classical music while we chat. I'm thinking, whoa, rude, right?

---

GRAHAM CLULEY. Background music, I guess.

---

CAROLE THERIAULT. But I'm like, I can't hear anything. And these things are not going into her ear holes. These were bone conduction headphones.

So I was like, oh my God, I'm so excited. I've been wanting to try these. Let me try. Let me try. Let me try. They are amazing.

So the product I tried is by a company called Shokz, S-H-O-K-Z, because we're street. And they are Bluetooth-enabled headphones that are connected with a thinnish tube at the base of your neck.

And then the headphones curve around the back of your ear, basically a reverse pair of glasses. And they come, and the node sits right in front of your little ear hole, that wee bone on the side of your face.

And typically sound vibration travels through the air down the ear canal, causing your eardrum to vibrate. We all know that.

But using bone conduction, the sound waves bypass your eardrum and they head directly to the cochlea, a.k.a. the inner ear. And Beethoven's the one who discovered this because he had hearing loss as he grew older. And apparently—

---

GRAHAM CLULEY. Beethoven had a pair of these.

---

CAROLE THERIAULT. Not a pair of Shokz, but he used a conducting baton between his teeth as he played the piano. And the baton allowed the sound vibrations made by the piano to travel through to his inner ear so he could still hear the notes.

---

GRAHAM CLULEY. Ah, don't you love Beethoven?

---

CAROLE THERIAULT. Well, I just love that story.

---

GRAHAM CLULEY. Yeah.

---

CAROLE THERIAULT. So why do I love these? Now, there are other brands. These are the only ones I've tried.

They are fab if you don't want to be isolated in an environment, say you're driving or you're running or you're biking or hanging out chatting to boring people like me.

---

GRAHAM CLULEY. So that's why I was going to ask. So unlike headphones, which sort of take your attention and isolate you a little bit, so these are just kind of giving you background music and you just—

---

CAROLE THERIAULT. Yeah, they're fab if you want to protect your ears from noise damage.

---

GRAHAM CLULEY. Right.

---

CAROLE THERIAULT. And they're fab if you have hearing loss. Now, the ones I tried, I think it was an earlier model, or maybe there's lots of different types.

They all have different things. The one I had had no microphone, right?

So, and I think I bought them for about $100, $150, something like that. I bought them for a friend, but I don't want them for me because I really need a mic if I'm going to be using these.

---

GRAHAM CLULEY. What do you need a mic for? What, do they link up to your phone as well?

---

CAROLE THERIAULT. Yeah, it's all Bluetooth, right? So you can then—

---

GRAHAM CLULEY. Oh, I see. Okay.

---

CAROLE THERIAULT. Okay.

---

GRAHAM CLULEY. Right. Okay. So then you can— Yeah.

---

CAROLE THERIAULT. So then if I'm listening to whatever, and then you call me to go, "Carole, let's talk about the show," I can ignore it. No, no, I can, but I can just transfer over and I can talk with you and I have to hold my phone microphone to my face.

---

GRAHAM CLULEY. So would you prefer to have these than those? I don't know if you have a pair of AirPods at the moment or don't you? You would rather have this?

---

CAROLE THERIAULT. Because I keep losing one AirPod. I don't know, don't ask me why, it's ridiculous, but at least these are connected as one.

So they're Bluetooth, they're wireless, but they sit around your neck. So it's a one-piece affair, which I much prefer over the AirPods.

I like not having my ears isolated. Anyway, this sounds cool. Check them out. I'm pretty amazed by them.

They're called Shokz, S-H-O-K-Z. I saw them in Best Buy. I was able to try them out there. Quite fun.

So there you go. There's my pick of the week.

---

GRAHAM CLULEY. How long do the batteries last?

---

CAROLE THERIAULT. Different levels, it seems, for different buys, but there's a brand new pair coming out imminently from what I saw today. And I think I saw 12-hour battery life.

---

GRAHAM CLULEY. Oh, okay. So you could charge them every couple of days maybe. And how much do these kind of things cost? Is this hundreds of dollars or is it—

---

CAROLE THERIAULT. No, no. I think the lower-end ones maybe are about $100, $150, and then the higher-end ones maybe up to $300. But no more than that. I think I saw the brand new ones in the UK for, I think I saw them for £170 when I was looking online today.

---

GRAHAM CLULEY. Okay.

---

CAROLE THERIAULT. Very cool though, Cluj. Try them. I think you'd be really impressed.

---

GRAHAM CLULEY. Do you think?

---

CAROLE THERIAULT. I don't know.

---

GRAHAM CLULEY. I think I'm thinking, would it be bad for their image if I started wearing them and using them?

---

CAROLE THERIAULT. Now we have an interview.

---

GRAHAM CLULEY. Yes, we do.

---

CAROLE THERIAULT. Yes. Chatted with Maya Levine. She knows everything cloud. She's from Sysdig and she talks about the complexities and the differences of securing the cloud. Check it out. So listeners, today we welcome Maya Levine, a product manager at Sysdig, the company on a mission to make every cloud deployment secure and reliable. Maya Levine, thank you so much for being here on Smashing Security. It's an honor to chat with you today.

---

MAYA LEVINE. Thank you so much for having me.

---

CAROLE THERIAULT. Well, we want to learn about you, so maybe first you can tell us a bit about you and how you ended up in your current role as product manager at Sysdig.

---

MAYA LEVINE. Sure. So I studied computer science at university, and out of university, I took a role as a security engineer at a different cybersecurity company called Check Point. I moved into technical marketing engineering and then eventually into product management here at Sysdig. So it's been a journey all around, but in cybersecurity, and a big focus is cloud security for me.

---

CAROLE THERIAULT. What's the best thing about being a product manager?

---

MAYA LEVINE. I think it's just working with people. You have to really kind of communicate and be at the center of so many teams. So you really get to establish relationships with different people.

---

CAROLE THERIAULT. Yeah, right, right across departments. Most people are kind of stuck in their fishbowl, but you're going across everywhere. That's— okay, so the cloud, that's your thing. I remember when that term was brand new, and today I think everyone uses it, right? Everything makes use of it, and it's still growing all the time. It's like, is it different from a traditional environment, or are there big differences?

---

MAYA LEVINE. There are definitely big differences, and with the shift of going to cloud, which now almost everybody is at least, at least has some kind of cloud presence. I think we also, as an industry, need to be shifting our mindset about the security. The old secure the perimeter mindset is not really as relevant for the cloud where everything is so interconnected and you have all of these different services and applications that are all talking to each other in different ways.

---

CAROLE THERIAULT. The cloud is complicated, right? And we often try when things are complicated to provide a kind of simple interface to allow people to get over that hump. But do you think that actually people think it's much simpler than it actually is, in terms of an environment? Because you're right, it talks to everything, right? There's so many different passwords and different identities that can get in and out of it.

---

MAYA LEVINE. I mean, I don't know many people who think of it simple, it's easy to deploy things, right? The speed is there.

---

CAROLE THERIAULT. Yeah.

---

MAYA LEVINE. The automation is there, and that's a huge benefit of the cloud. It allows us to build applications in a really quick and resilient way. But the con of that is that you have all of these things that are happening and maybe deploying and maybe running that you don't even know about.

---

CAROLE THERIAULT. Yeah, totally. So maybe you can tell us a bit about the types of attacks you typically see, how do bad actors typically get in into a cloud resource of some sort?

---

MAYA LEVINE. Sure. Before I talk about kind of the techniques, I will say that one major difference and major challenge of being in the cloud is that we're seeing that the average cloud attack takes about 10 minutes to execute start to finish.

So often attacks start with some kind of compromised credentials or identities or secrets or keys. I love the metaphor of attackers are looking for the keys under the mats.

---

CAROLE THERIAULT. Mm-hmm.

---

MAYA LEVINE. In the cloud, people are leaving their keys all sorts of places, in exposed text that they're uploading to GitHub, in serverless code files and infrastructure as code file templates and all of these places that seem a little bit obscure, maybe you don't think about, but attackers actually know to look for them there. So typically that's how they start is they get some kind of access.

Once they're in your cloud environment, then they start what we call enumeration or reconnaissance. It's basically, what can I access with the current credentials I have? What other credentials can I get access to? They're trying to spread like a virus. They're trying to get as far as they can, as deep as they can into your cloud assets.

And then usually the motivation is financial. So they'll execute crypto mining or ransomware or phishing, data exfiltration that they'll sell on the darkweb. Whatever it is, there's usually a financial motivation behind kind of their end goal there.

---

CAROLE THERIAULT. Security has been around for a long time. Does this environment require us to think about security differently than we would have in a traditional kind of network server environment?

---

MAYA LEVINE. Yeah, because cloud attacks are so fast, right, within 10 minutes, that means that our ability to detect and respond to attacks also need to be quick. And so there's two real elements of security that everybody needs to think about.

There's the prevention part of it, which how can I configure my environments in a strong way to prevent anybody from being able to get in in the first place? And then there's the detection part of it, which is the harsh reality is you can't prevent everything, right?

There's new methods that attackers come up with all the time. There's vulnerabilities that haven't even been disclosed yet. There's the concept of zero-day attacks, which is things that we don't necessarily know about.

So we do actually need the ability to detect when things are happening that are malicious and that are suspicious in the cloud very quickly. Within 5 seconds, you really need to be alerted of something happening so that you can take maybe 5 minutes to correlate and then 5 minutes to initiate some kind of response.

The truth is that we need to defend at the same speed that they are attacking. So that gives us about 10 minutes, right, that we need to be able to respond.

---

CAROLE THERIAULT. And if you act that fast, I mean, you could basically save your customer's data being taken or a huge bill on ransomware or prevent, you know, not giving away to the ransomware and having the data just be leaked somewhere.

---

MAYA LEVINE. Yeah, I mean, there's all sorts of things that you could probably prevent and contain and stop kind of the spread of these attackers within your environments. But the point here is that if you're being alerted an hour later, even 15 minutes after something happened, that's almost too late to be able to actually stop and make a difference.

And I don't want to pretend that being able to respond this quickly is easy, right? But we do need to kind of take advantage of automation in the cloud, just like attackers are taking advantage of it for their attacking purposes. So where possible, try to do automated response actions, make sure that you get all of the data and deliver it to the right people if you do need manual actions happening. But basically, the speed at which you need to be notified about something wrong and be able to respond to it, that's going to be a huge challenge for people in the cloud.

---

CAROLE THERIAULT. So, you're a product manager at Sysdig and an expert in cloud. So, tell us, how does Sysdig approach this that you think is really cool and that you think listeners really need to know about?

---

MAYA LEVINE. The actual live, real-time detection piece, right? Being able to know about something actually in real time and having that information be pushed to whatever the systems are that you use, that's key. That's a big part of it.

I also think that we're doing interesting things around correlation. So a lot of attacks are taking advantage of mismanaged identities or secrets or that kind of stuff. And if you're following a user's actions, you can often see, really paint the picture of what the attacker did, right? If they logged in or managed to get credentials of a specific user and then use that user to execute all of these things, being able to put that all together and kind of show you in consequential order, these are the actions that were taken, really helps incident responders be able to understand what happened, what other resources they maybe need to look at, what's the scope of this attack.

---

CAROLE THERIAULT. You know, I imagine there's a lot of guys and gals listening to this going, oh, God, if only I could convince my C-levels to understand how important this is and to give me the budget and the resources to make this happen. What advice would you have for them in that instance?

---

MAYA LEVINE. There are many, many documented cases in the past few years of companies who had to pay millions and millions of dollars daily in fees. I mean, I can think of MGM Grand a couple years ago, right there, they had an attack that happened which brought down so many of their systems, and I think it was over $8 million in damages per day for them. So if you're comparing numbers, right, I don't love saying coming at it with the fear factor, but the truth is, is that if you're not investing in security, you might end up having to pay much more in damages.

But it is, it's a complex thing and I would say not just investing in tools is important, but also investing in your people. And the complexity of environments that we're asking people to understand just keeps increasing, right?

And so really getting the time to train and learn and understand all of the intricacies of different environments can help. I mean, I can think of an attack recently that the Sysdig Threat Research team discovered where they were— these victims were— they did everything right.

They had a policy in place to not allow users to create new access keys, but one of the parts of the policy was case sensitive. So they ended up— they wrote the right policy.

They just had a lowercase a instead of an uppercase A. And so the attacker was able to use the user anyway.

So that's just an example that I can think of where even when you're trying to do the right things and you're putting these security things in place, there's all this level of detail that you really need to get into to be able to actually have the prevention in place. And that's why I emphasize the— you can't always prevent everything.

The good news is that on the detection side, often attackers are doing the same kinds of actions, right? They're following kind of the same playbooks.

So we know what to look for, basically.

---

CAROLE THERIAULT. If someone was listening right now and they're going, oh, Sysdig sounds pretty good, but I bet it's really hard just to get it on board, you know, get it infiltrated into our system so that we can actually, you know, get some return from it, what would you say to them?

---

MAYA LEVINE. I would say that we have many different types of, you know, onboarding connections that you can do to integrate security into your systems. We have an agent that you can deploy, but we also have an agentless connection method.

So it's pretty easy to test out, and no matter what security vendor that you have, I just wanted to really emphasize how important it is to be thinking about security in the cloud as its own beast, as its own different thing. It is not the same as your on-premise environment.

We've seen many threat actors be able to move laterally from your cloud systems onto your on-premise servers. So yes.

---

CAROLE THERIAULT. Yeah, scary stuff. Totally.

I have to say, I have to commend you because I was taking a look around your site, the Sysdig site, and you are very, I think, generous both in the amount of information you share about how to better protect yourself, both on your blog and other places on the site. And I thought that was really good.

You know, listeners who are listening to this thinking they're interesting, they can actually just go there and read up, right? And that's Was that a conscious decision on your end to kind of share so much?

Because it's unusual, you know, to have actual information rather than marketing spiel.

---

MAYA LEVINE. This is an industry where we can help each other. We are stronger if we are supporting each other. Nobody should be shamed for undergoing a breach, right?

We can all learn from what was the thing that tripped you up, what was the thing that allowed the attackers to kind of take control of your systems. And I'm very proud of Sysdig's threat research team, which discovers new attacks all the time and always kind of shares that information.

We had one recently where attackers were targeting people's AI models in the cloud and we called it LLM jacking. Basically what they did was they managed to get into cloud environments through credentials and stuff.

And then once they were there, they're targeting these LLM models that were hosted by cloud providers, things like Anthropic's Claude. And then they would sell access to these compromised LLMs and leave the cloud account owner to foot the bill for that.

That's new, right? That's using new technologies. But sharing this kind of thing, I think, is critical for the industry as a whole so we can all learn from it.

---

CAROLE THERIAULT. Power in numbers. I agree. Maya, this has been such a fascinating conversation. Is there anything you want to add before we wrap up?

---

MAYA LEVINE. The last thing I'll just say is that almost every single breach involved some kind of insecure identity or secret or key. I would urge people again to invest in security, invest in real-time detection, and invest in actually narrowing down the amount of permissions that you give the people in your company. So if those credentials get leaked somehow, the impact is not going to be as high.

---

CAROLE THERIAULT. Brilliant advice. I couldn't agree more. Listeners, you can learn how to stop advanced attacks at cloud speed, Sysdig style, by visiting sysdig.com/smashing.

That's sysdig.com/smashing. And this was Maya Levine, product manager at Sysdig Security. Thank you so much, Maya, for taking the time to speak with us today.

---

MAYA LEVINE. Thank you for having me.

---

GRAHAM CLULEY. Super stuff. And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

---

CAROLE THERIAULT. And huge thank you to our episode sponsors, Materia, Sysdig, and 1Password. And of course, to our wonderful Patreon communities.

Thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 382 episodes, check out smashingsecurity.com.

---

GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye.

-- TRANSCRIPT ENDS --