
464: Rockstar got hacked. The data was junk. The secrets it revealed were not

April 22, 2026
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
He said selling data, he said, goes against my principles. But principles, he said, are for the well-fed. He needs some grub on the table.

Can we not just give him a burger rather than $10,000? Smashing Security, episode 464. Rockstar got hacked. The data was junk. The secrets it revealed were not.

With Graham Cluley and special guest Joe Tidy. Hello, hello, and welcome to Smashing Security episode 464. My name's Graham Cluley.
JOE TIDY
And I'm Joe Tidy.
GRAHAM CLULEY
Well, Joe, great to have you back on again. I have to say, author, of course, of— well, I actually have the book on the shelf behind me here.
JOE TIDY
Where is it? Let me see it. Let me see it.
GRAHAM CLULEY
Here it is.
JOE TIDY
Yeah. Thank you very much.
GRAHAM CLULEY
There you are. Within reach.
JOE TIDY
Lovely to see. I'm a little bit echoey, Graham. I don't know if you can tell, because I'm currently in what can only be described as a corridor. But I hope that's okay.

Hope the sound is all right.
GRAHAM CLULEY
The corridors of power, I suspect that's where you are.
JOE TIDY
I'd like to say that, but no, it's just a corridor.
GRAHAM CLULEY
Now, for people who don't know, you are the— what is it? What's your official title? Cyber correspondent at the BBC?
JOE TIDY
That's right. Yeah, cyber correspondent. Yeah, actually, when I got the job at the BBC, ooh, 8 years ago, maybe 9 years ago, it was Cyber Reporter.

And I remember saying to them, that sounds a bit futuristic. Can you just, can you call me cybersecurity? Cause I sound like a robot.

But then over time I've realized that people know what cyber means. And also I do other things. I don't just do cybersecurity.

I do sort of online safety and gaming and crypto, that kind of thing. So Cyber Correspondent kind of covers it all.
GRAHAM CLULEY
It's funny because back in the day, you know, it's like, I don't know, 1999, Cyber, most people thought of cybersex, didn't they?

They thought of the Lawnmower Man and things like that. And now it is all about cybersecurity.
JOE TIDY
Yeah, I wouldn't know about cybersex. Not really my thing.
GRAHAM CLULEY
Nor me, sadly.
JOE TIDY
But yeah, I think the term, when I say I'm a cyber reporter now, most people understand what that means. Whereas when I started, they were like, what on earth are you talking about?
GRAHAM CLULEY
Well, we're really glad to have you here today. And before we kick off, let's thank this week's wonderful sponsors, Meter, Elastic, and Vanta.

We'll be hearing more about them later on in the podcast.

This week on Smashing Security, we're not going to be talking about how US-sanctioned cryptocurrency exchange Grinex has suspended operations after what they claim was a hack by Western intelligence agencies.

You'll hear no discussion of how hackers are bombarding executives' inboxes with hundreds of emails and then immediately following up with calls posing as the IT help desk, claiming to be there to fix the problem.

And we won't even mention how an iOS 26 update removed a Czech keyboard character, locking out any users who had it in their iPhone passcode.

So Joe, what are you going to be talking about this week?
JOE TIDY
I'm going to be talking about a fascinating data breach at Rockstar Games, the absolutely enormous games maker. They're the guys behind Grand Theft Auto and Red Dead Redemption.

Don't know if you're a gamer, Graham, you play these games?
GRAHAM CLULEY
I'm not a gamer, but Red Dead Redemption is extraordinary.
JOE TIDY
Brilliant.
GRAHAM CLULEY
Absolutely amazing game.
JOE TIDY
Yeah, absolutely amazing.
GRAHAM CLULEY
And I'm going to be asking, is it wise to leave a tip? Plus, we're going to be chatting to Ryan Benson of Meter, find out what they've been up to.

All this and much more coming up in this episode of Smashing Security. Time for a quick word from one of our sponsors today, Elastic. So here's a familiar scenario.

Something suspicious hits your network. You need answers and you need answers fast.

So your team logs into tool 1 and then tool 2, and then the thing that doesn't quite talk to either of them. By which point, whatever was happening has happened.

Well, Elastic unifies your security data so analysts can focus on detecting and responding to threats, not herding different dashboards, which is probably why over half of Fortune 500 companies use Elastic.

Find out more right now at smashingsecurity.com/elastic. That's smashingsecurity.com/elastic. And thanks to Elastic for supporting the show.

Now, I've got a tip for any company that handles sensitive data. My tip is to never ever boast about how good your security is, because it might bite you in the bottom one day.

Could be a problem.
JOE TIDY
I mean, the amount of times that these companies say, we are unbreakable, unhackable, that kind of thing. And then of course, that just it's a red rag to a bull, isn't it?

To the cybersecurity world, because you want to break it. If you're told you can't break it, you want to break it.

It actually reminds me when I was at BBC Oxford, which is a regional BBC news program.

There was a guy, a local guy, a local company said, we've made a USB stick that's basically indestructible. So my team were, quick, Joe, go and do a video report with these guys.

And I filmed it all on my own. And we did the interview and everything. And they were kind of giving it the big one about how this USB stick is indestructible.

And I said, "Just for fun, can I run it over with my car?" And the guy's, "Yeah, okay." And I ran it over with my car, and I filmed everything, and it completely obliterated the USB stick.
GRAHAM CLULEY
Did you broadcast that or not?
JOE TIDY
Absolutely we did. It was great.
GRAHAM CLULEY
End of that company. They won't be ringing up BBC Oxford again, will they?
JOE TIDY
No, they will not.
GRAHAM CLULEY
Well, one company was rather proud of its boast that it had never suffered some kind of security breach. And it was an outfit called P3 Global Intel.

On its website, the company actually advertised that it had been in business for over 20 years with, in their words, zero security breaches. Zilch. Nought.

A marvellous, unblemished record. I think from your little chortle there, Joe, you can sense where this story is going already.
JOE TIDY
Yeah. Again, it sort of reminds me of those, you know, the factory so-and-so days since the last accident or whatever, you know? And it's, at the moment we're good.

There's been X amount of days before something went wrong. Yeah. It's, you're foreshadowing, aren't you, Graham? I can tell you're a storyteller.
GRAHAM CLULEY
I am. That's right. That's right. So you may be wondering, what does this company P3 Global Intel actually do?

And they run what's called a fully integrated and state-of-the-art tip acquisition and tip management solution.

In other words, it runs anonymous tip lines, Crime Stopper programmes, school safety hotlines, that kind of thing.

And it is used, and this is extraordinary to me, it is used by 35,000 American schools.
JOE TIDY
Wow.
GRAHAM CLULEY
Obviously American schools desire having a hotline.
JOE TIDY
Yeah, I didn't even know this was a thing. But clearly it is.
GRAHAM CLULEY
Apparently it is. Students are encouraged to anonymously report if a classmate's being bullied, or if someone has brought a weapon to school, or if a friend is suicidal.

So, you know, very serious stuff.
JOE TIDY
Absolutely, yeah.
GRAHAM CLULEY
So that's great that there's that facility, because obviously anonymity is the whole point.

If you are able to leave a tip anonymously, that's going to encourage students to submit a tip, which could be very, very important.

So it's rather unfortunate that a hacktivist going by the name— and brace yourself here, Joe, I know you are a seasoned cybersecurity reporter, so you've heard a lot of hacking names.

This is someone who goes by the name Internet Yiff Machine.
JOE TIDY
Yiff Machine? What is a yiff?
GRAHAM CLULEY
I don't know what yiff is.
JOE TIDY
I'm looking it up. Have you looked it up?
GRAHAM CLULEY
I haven't looked up what yiff is. Maybe it's something that the youngsters understand. I mean, there was Jif, which became Cif, which was the bathroom cleaner.
JOE TIDY
It's that.
GRAHAM CLULEY
I don't know if it's that or yiff.
JOE TIDY
So apparently, according to Wiktionary, yiff is the bark of a fox. Slang, vulgar, informal.
GRAHAM CLULEY
Oh, hang on.
JOE TIDY
Hang on.
GRAHAM CLULEY
Hello.
JOE TIDY
Sexual intercourse.
GRAHAM CLULEY
Ding dong.
JOE TIDY
Between furries.
GRAHAM CLULEY
Yes, they are a bit noisy, foxes, from what I've heard.
JOE TIDY
Right. You've messed up with my internet history now. Thanks for that.
GRAHAM CLULEY
Yes. Well, you could be in trouble with your employer, but anyway.

So this chap, Internet Yiff Machine, he scooped up 91 gigabytes of data containing 8.3 million of those supposedly anonymous tips. Now, how did he do this?

And this is the worrying thing. It wasn't a sophisticated nation-state attack?
JOE TIDY
Zero-day?
GRAHAM CLULEY
It wasn't a zero-day that no one had seen before. This was a simple cross-site scripting vulnerability in the LeverTip chat box.

So it turns out this company, P3 Global Intel, had failed to set some flags on their cookies properly.

So it was trivial for Internet Yiff Machine to steal a member of staff's session cookie through a little bit of social engineering, get him to click on something. Bam!

They've got the cookie. And once inside, they found it was child's play to exfiltrate vast amounts of data which should have been held securely.

In fact, they made 8.3 million requests over the course of 4 days without apparently P3 noticing anything at all had gone wrong.
JOE TIDY
This is a bit of a catalog of errors here, isn't it?
GRAHAM CLULEY
It really is. So I mean, this wasn't a sophisticated vulnerability that was being exploited. It's the kind of thing that you learn on day one of web security school.

It's the kind of thing that's been documented for years in the OWASP Top 10 of the things that you have to make sure your web application doesn't suffer from, the most common vulnerabilities on websites.

So basically someone left the front door open, the windows unlocked, and they put out a big sign in neon outside saying, nobody's ever broken in here. Try your luck.
JOE TIDY
Yeah. And hackers will do that.
GRAHAM CLULEY
Of course they will.
JOE TIDY
Yeah. If you tell them you can't hack me, yeah, you're going to get hacked.
GRAHAM CLULEY
Yeah. It's about so many times internet companies have made really big boasts and everyone out there is thinking, oh, you know, I'd love to prove them wrong.

I'd love, I bet it's possible if I put in enough effort. Turns out Internet Yiff Machine didn't have to put in very much effort at all.

Anyway, he grabbed all this data and he handed it over to an outfit, a whistleblower outfit called DDoSecrets. Are you familiar with DDoSecrets?
JOE TIDY
Oh yes. Oh yeah, they've been around a long time.
GRAHAM CLULEY
Yeah, yeah, they have, haven't they?
JOE TIDY
And sort of linked to WikiLeaks, I think.
GRAHAM CLULEY
Yeah, it was like a WikiLeaks offshoot, I think.

And they, rather like WikiLeaks, have certainly had their fair share of controversy over the years as to whether they're doing the right thing or not, and whether they're disclosing too much information and maybe working too closely with the hackers, you know.

Controversial outfit. Anyway, they dubbed it BlueLeaks 2.0.

And those of you with longer memories may remember in 2020, there was a breach of US law enforcement agencies and the data—
JOE TIDY
Was that based around the George Floyd protests?
GRAHAM CLULEY
I think it was exactly that.
JOE TIDY
I think that, because there was lots of DDoSecrets activity around there. Lots of police forces were hacked around that time, I think. So it may have been linked to that.
GRAHAM CLULEY
I think it was.

And that original BlueLeaks incident involved the doxing of police officers and law enforcement agents, which obviously people were concerned that they could end up, you know, their families being put at risk and so forth.

Anyway, the good news is this data has not been published publicly, but the hacktivist has listed it for sale on a hacking forum for $10,000.
JOE TIDY
And, doesn't sound like a hacker, does he?
GRAHAM CLULEY
Well, now, no, he doesn't, does he really?
Unknown
No.
GRAHAM CLULEY
And there's some sensitive information in there. So a researcher asked Internet Yiff Machine about this, said, you know, what are you doing?

And he said, look, he basically said, I'm paraphrasing, he said, selling data, he said, goes against my principles. But principles, he said, are for the well-fed.
JOE TIDY
Oof.
GRAHAM CLULEY
No, he needs some grub on the table. Can we not just give him a burger rather than $10,000? And he says, unfortunately, he's not doing very well financially.

He says, don't worry though. He says, I only intend to sell one copy. I'm gonna keep the exposure limited.

And that they're very, very sorry about this, but they're gonna have to do it.
JOE TIDY
Because that's how things work, isn't it?
GRAHAM CLULEY
Yes.
JOE TIDY
There's only ever one owner. Because you can't just copy it.
GRAHAM CLULEY
No, nobody's ever copied data. It's not like the— It's like, what? Come on, how are you going to control how this information is used and abused? It's ridiculous.

I mean, I suppose it is better than the attitude of most ransomware gangs, but it's not really any comfort at all, is it?
JOE TIDY
It's far off. Far off. No, not at all, no.
GRAHAM CLULEY
Well, at least the ransomware gangs tell you quite often these days how they got in. They offer to sell additional services.
JOE TIDY
Yeah, that's true. Yeah, yeah. But also, this is really, really sensitive data, isn't it? You can imagine some of the stuff in it.
GRAHAM CLULEY
It is. I mean, there was information about people self-harming. There was information about abuse and, you know, all kinds of ghastly information.

And the data apparently goes back as far as 1987. Some of this data, it goes back decades.
JOE TIDY
Wow.
GRAHAM CLULEY
And one researcher who saw the data was able to identify someone who had had something happen to them when they were a toddler, and they were able to contact them today about it because this data had been breached.

I mean, it's ghastly to think that it could have been pieced together like that. Yeah. So very disturbing, some of this. Last month, Portland police took some action.

They told local residents to stop using Crime Stoppers while the hack was being investigated because they said, we just can't be confident it's safe anymore.

And as of this recording, P3's parent company, Navigate360, they have not publicly confirmed that a breach has occurred.

They haven't notified any schools or any individuals, haven't responded to press inquiries. There's already a class action suit being revved up against them.

But the claim on their website that they've suffered zero security breaches has been updated. It's been removed. They just quietly shuffled that to one side.

So rather than in the last 20 years, it's, don't ask about that. Don't ask about that.
JOE TIDY
Yeah, yeah. Everything's fine.
GRAHAM CLULEY
But it's pretty unacceptable that they haven't communicated at all about it, isn't it?
JOE TIDY
Oh yeah. As a journalist, this really, really bugs me because of course, it's really difficult when you cover these cybercrime incidents because the victim here, is it P3?

Is that what they're called? P3? So, you know, they're a victim. They've been hacked by a criminal. However, they're also the custodians of this really important sensitive data.

So in a sense, they're kind of culpable for doing bad security at the same time.

So it's really hard when you kind of, I haven't covered this story myself, but there are journalists that have, they'll be wanting to get answers from this company.

And the company have been clearly really, really terrible in transparency.

And those people who have done tips, who've used the tip line, they need to be told, by the way, that tip you gave us anonymously, that might be out there now.

Someone could find that and put your name to it. It's really, it's a really nasty breach. It's a really nasty bit of PR from them.
GRAHAM CLULEY
This is the interesting thing. If the tips are anonymous, presumably they don't know who the people are who've left the tips?
JOE TIDY
Well, hopefully in that sense, that protects them a little bit, doesn't it? Because you could say, I'm in year 3. Did you know that this kid here is bringing a knife into school?

Whatever. If that was anonymous, then you'd be a bit more, okay, that's safe. But what if names are left on there?
GRAHAM CLULEY
Well, exactly, because the tip is probably going to contain information which is actionable. So, it could be people who've never had any interaction with this tip hotline as well.

People who the company doesn't have any contact details for, who have been impacted by this.
JOE TIDY
That is such a good point. Yeah. Yeah. They're more likely to be impacted than the actual tip givers, aren't they?
GRAHAM CLULEY
Yes. And of course, this goes back decades.

So, even if you did have contact information, piecing together who these people are, I'll tell you the comparison I was thinking of was, of course, Julius Kivimäki, the Vastaamo.

You wrote a book all about it.

So, the Vastaamo Psychotherapy Clinic hack in Finland, where he then went on to blackmail these people after their psychotherapy notes ended up in his lap, effectively, after he did a hack.

This is information which potentially could be pieced together and used for blackmail purposes as well.
JOE TIDY
Absolutely, yeah. Well, to be honest, you know, if they can, they'll find any way to get paid, won't they?
GRAHAM CLULEY
Yeah.
JOE TIDY
These cybercriminals, and they'll stoop lower and lower and lower.

So I wouldn't be surprised if this person isn't given $10,000 for their, almost reminds me of the Wu-Tang Clan, where they did one album and they sold it to one person to try and keep it exclusive.

If they're not gonna do that and they're not gonna get their 10 grand, I'm afraid some of those people in that dataset might be approached by them.
GRAHAM CLULEY
Might be.
JOE TIDY
Which would be very scary and very troubling for them. It's unusual, isn't it, for hackers to reach out directly to data breach victims?

But we know it does happen, in the Vastaamo case.
GRAHAM CLULEY
Yeah, we do.
JOE TIDY
It also happened recently here in the UK with the Kido nursery hack.
GRAHAM CLULEY
Yes.
JOE TIDY
There was this really weird, everyone went crazy for it in terms of it was a real nasty nadir in cybercrime, where some teenagers hacked into Kido Nurseries, which is a chain of nurseries, stole all the data, particularly the kids' pictures and profiles and stuff, safeguarding notes.

And then the company Kido wasn't paying, so then the hackers called up some of the families, some of the mums and dads, and said, "We've got your kids' profile pictures" to scare the parents.

Absolutely horrendous and hideous.
GRAHAM CLULEY
Yeah, horrible stuff. I was just thinking, if someone does pay the $10,000, of course, to access this information, they're going to want to then monetize it, aren't they?
JOE TIDY
That's a great point.
GRAHAM CLULEY
They are going to.
JOE TIDY
What are you going to do with it? Yeah, of course. Unfortunately, the chances of those people being victimized further increases, doesn't it?
GRAHAM CLULEY
Yeah, it's not collecting butterflies if you're collecting data.
JOE TIDY
Absolutely not. No, good point there. Yeah, I think this is probably just the start of it, isn't it? What a nasty one.
GRAHAM CLULEY
Well, time now to talk about one of our sponsors, Meter. Joe, have you ever had to set up a network for a new office?
JOE TIDY
Once. I've since sought therapy.
GRAHAM CLULEY
Ah, right. Well, Meter exists to make all of that someone else's problem. They are a network as a service company, but a proper end-to-end one.

You hand them a physical address, a floor plan, they handle everything.

They sort out the ISP, they design and deploy the network, they turn up on the site, they rack their own hardware, kits that they've actually designed themselves, not just rebranded someone else's gubbins.
JOE TIDY
So I don't have to spend 45 minutes on hold with the telecoms company only to be told they've misspelled our company name on the contract.
GRAHAM CLULEY
Right, right. Yeah, not a single minute of that. And once you're up and running, you get one dashboard for monitoring, security, VLANs, firewall, DNS security, the whole works.

Full control without any of the soul-destroying groundwork.
JOE TIDY
This begs the question, what's the catch?
GRAHAM CLULEY
Genuinely, no catch. It's a straightforward subscription model. They even have a hardware buyback program if you've already blown the budget on equipment from another vendor.
JOE TIDY
So they'll take away the evidence of my previous terrible decisions?
GRAHAM CLULEY
Right, basically, yes. So find out more at meter.com/smashing. That's m-e-t-e-r.com/smashing. And thanks to Meter for supporting the show. Joe, what have you got for us this week?
JOE TIDY
I have got a story about Rockstar Games, which was hacked again.

I was particularly interested in this one because, as you mentioned my book earlier, at the end of my book, I talk about a gang called Lapsus$.

Which in about 2022, 2023 were a really big deal.

And one of the guys from Lapsus$ hacked Rockstar Games and stole a huge amount of data and source code, got into the Slack, I remember, of the company and posted pictures of penises.
GRAHAM CLULEY
Like you do.
JOE TIDY
Because he's a teenager and why not?

Yeah, anyway, and then he also published some 90 clips of GTA 6, the forthcoming GTA game, which by all accounts will be the biggest game, biggest entertainment product ever.
GRAHAM CLULEY
They've been working on it for like 10 years or something, is it? I mean, it—
JOE TIDY
Yeah, the hype is incredible. $2 billion have been spent on it, something insane. Anyways, so that was that hack, and it cost Rockstar $5 million in disruption and cybersecurity.

Now we find out that a group, again, we think teenagers, called ShinyHunters, you might have heard of ShinyHunters, they've been quite prolific in data breach extortion attacks in the last couple of years.

They have got into Rockstar Games using a third-party provider of, I think it was a bit of API that manages their cloud storage, that kind of thing.

And they have stolen quite a chunk of data. But the interesting thing here is that neither the hackers nor Rockstar thought it was really worth much. I spoke to the hackers.

They said, oh, we've got this data. We are extorting Rockstar. They're not paying though. And I said, well, what is it? And he goes, eh, it's junk data, to be honest.

But we tried to get paid. And what's funny is, of course, they've admitted it. Rockstar has said, the quote that we reported at the BBC was, this isn't going to impact us at all.

So, you know, the data's gone, but we're not going to pay the criminals, which is of course what everyone says, don't pay, don't pay, don't pay. So that's good in a sense.

But what I think is fascinating here is the data has now been published and put online on the ShinyHunters darknet website. It's now being sent around and being shared.

And although most of it is, in their words, junk, there's a few tidbits of information which have ended up being a massive talking point in the gaming world.
GRAHAM CLULEY
Right.
JOE TIDY
Anything to do with GTA is a talking point because of the size of it.

But what's really interesting is that the financials of how much GTA Online makes and how much Red Dead Redemption makes have been released as well.

So you've got these Reddit threads full of gamers talking about, oh my God, I can't believe it makes this much. The headlines are GTA Online.

Bear in mind, this is something like a 13-year-old game.
GRAHAM CLULEY
Yes.
JOE TIDY
It still makes half a billion dollars a year.
GRAHAM CLULEY
Bloody hell.
JOE TIDY
I mean, we knew it was big. We didn't know it was that big.

This is another thing that's come out of the data breach, is that only a very small fraction of people who play that game actually spend in that game.
GRAHAM CLULEY
Right.
JOE TIDY
And they buy these, you know, shark vouchers or tokens, you know, the in-game currency type stuff.
JOE TIDY
Yes.
GRAHAM CLULEY
Is this to pimp up their vehicles or to wear a fancy suit? I think so, that kind of thing. Or have a more dangerous weapon or something.
JOE TIDY
Yeah, I think it's all cosmetic stuff. So I think it's like to upgrade the visuals of your character, like Fortnite does with V-Bucks and that kind of thing.

But the interesting thing about it as well is that Red Dead Redemption, which people kind of had a feeling it wasn't that popular, it's not got anywhere near the kind of size of GTA following.

But because of this data breach, we now know just how little people spend in Red Dead Redemption.

And the reason possibly why Rockstar Games isn't really putting much effort into Red Dead Redemption according to the data breach, whereas GTA Online is making about $500 million per year, unfortunately Red Dead is only pulling in about $26.4 million per year.

Still not bad, is it?

But what gamers are saying is that this really does say a lot about where the money and effort and design is going, which is GTA, because that's where the money is.

And this article I love from PC Gamer, it says, maybe Red Dead isn't Red Dead, it's just dead, dead because there aren't many players.
GRAHAM CLULEY
So unlikely we'll get a third incarnation of it perhaps.
JOE TIDY
And no, but again, people are a bit worried now because of the data breach, because they're saying that is GTA 6 going to be aiming for that online audience?

Is it not going to be a buy it once and play it forever? Is it going to be a live, constantly updated game?

Because now they've seen the financials and it makes so much sense business-wise.

And perhaps people are saying, maybe that's why Rockstar isn't rushing with GTA 6, because they're making so much money on GTA Online.

The reason I bring this up, you know, I know it's not a gaming podcast, but in terms of data breaches, I think this is a real fascinating case study in the unintended consequences of letting data that you think isn't that interesting into the public.

And I love the PC Gamer article title is Rockstar hackers release their stolen data, reveal that Rockstar was probably right not to pay anything for it.

But perhaps maybe Rockstar might be thinking that again because there's this information, you know, maybe it was already out there through investor calls and things like that, but no one really paid any attention.

But now it's out there and people are really poring over it and analyzing it and reading lots and lots between the lines.
GRAHAM CLULEY
Well, we've got time now to talk about one of today's sponsors, Vanta. Joe, what keeps you up at 2 o'clock in the morning?
JOE TIDY
The dog next door, mostly.
GRAHAM CLULEY
Oh, right. Well, yeah, but I'm talking professionally. What keeps you up?
JOE TIDY
Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
GRAHAM CLULEY
Exactly. Which is where today's sponsor comes in. It's Vanta.
JOE TIDY
Fanta, the fizzy orange drink. How can this possibly be true?
GRAHAM CLULEY
No, no, Joe. It's Vanta with a V. It's a trust management platform.

It's not a drink full of sugar, it automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
JOE TIDY
Lush. I hate questionnaires.
GRAHAM CLULEY
Well, who doesn't? Vanta continuously monitors your systems. It centralizes your security data. It keeps your program audit ready all of the time.

It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
JOE TIDY
So basically it handles the boring stuff so we can focus on the interesting stuff.
GRAHAM CLULEY
Exactly. Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep. $1,000.

Head to vanta.com/smashing That's V-A-N-T-A dot com slash Smashing and get started today.
JOE TIDY
And maybe get a decent night's sleep for once. Oh, and unlike fizzy drinks, Fanta isn't bad for you. That was a fruit twist.
GRAHAM CLULEY
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
JOE TIDY
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Well, my pick of the week this week is not security-related. I'm sure you're like me, Joe. I used to love Twitter.
JOE TIDY
Oh, I miss it.
GRAHAM CLULEY
Don't you just?
JOE TIDY
I miss it so much.
GRAHAM CLULEY
I mean, it wasn't perfect, but as a news junkie, and I am a news junkie, it really appealed to me.
JOE TIDY
Yeah, same. It was the place where everyone was. Every morning you would know, okay, this is where people are.
GRAHAM CLULEY
It's great. And it appealed to me much more than any other social media platform. And then it all went terribly wrong.

And I don't think we need to name anyone in particular, which coincided with it going terribly wrong. But I think we recognise that Twitter changed and not only changed its name.

They want us to call it X for some ridiculous—
JOE TIDY
Yeah, I find it hard to call it X.
GRAHAM CLULEY
I can't really call it X to this day because I'm not 13 years old. It just seems like a stupid name.
JOE TIDY
It just sounds, yeah.
GRAHAM CLULEY
So I deleted my account. I said goodbye, moved to other places like Bluesky and Mastodon, which aren't really as great as Twitter was in its heyday, but—
JOE TIDY
No, not at all. And you actually left behind a decent following as well, Graham, didn't you? So was that an ethical sort of moral standpoint for you?
GRAHAM CLULEY
It's hard to believe, isn't it? Yes, I did. So yeah, I had, I think I had about 120,000 followers.
Unknown
Wow.
JOE TIDY
That was a big decision then. Do you?
GRAHAM CLULEY
Well, yeah, I decided I didn't want to be there. I didn't want to encourage other people to be there. A bit like closing down your Facebook account or something like that, really.

So I went elsewhere.

But the thing is, sometimes I still have reasons to go to Twitter because sometimes someone posts up something like, you see these AI videos with Lego characters during the current conflict in Iran, for instance, and they're being posted up on Twitter and you think, oh, I'd quite like to see that, but I don't want to create a Twitter account.

And I don't want to link to Twitter from an article because it's full, you know, it's horrible and it's bile-filled and it's full of bots.

You know, I just don't feel right linking to it. And that is when I discovered a site called Xcancel.

And Xcancel is a third-party interface that allows people to view and link to, you can't post to Twitter via it, but you can view and link to content which is on Twitter without directly using Twitter or X itself.

Does that make sense?
JOE TIDY
So it's using X with really thick rubber gloves on or wearing a hazmat suit.
GRAHAM CLULEY
Yes, exactly. Exactly. You won't publish anything, but you can see what's going on there.

You don't have to create an account, which means I can replace x.com with xcancel.com in all of my URLs to access content through it.

I can even use a browser extension that automatically redirects any links to the old Twitter to go to xcancel.com instead. Or I don't use Google as a search engine.

I use something called Kagi, which is something you pay for, but it has some nice benefits.

And I can tell Kagi to always change search results which go to X to go to Xcancel instead automatically.
JOE TIDY
That is smart.
GRAHAM CLULEY
So I feel I'm doing my little bit.
JOE TIDY
Yeah.
GRAHAM CLULEY
My little tiny chink to chip away from their number of page visits every month by doing that.

So my recommendation to people, I don't know if other people are gonna like it or whether they're as obsessed about this kind of thing as I am, but my pick of the week is xcancel.com.
JOE TIDY
Nice. What would it take for you to get back on Twitter? Let's say a certain CEO maybe stood down or handed over the reins to someone else.

If there was some sort of declaration or something, would you go back on?
GRAHAM CLULEY
Fool me once, shame on me.
JOE TIDY
Yeah, yeah, yeah.
GRAHAM CLULEY
Oh no, shame on you, isn't it? Anyway, but yes, you know what I mean? There's a lot of shame going around as well. I think I'd always be nervous about it.

And to be honest, from what I've seen, a lot of it is bots or a lot of it is porn or AI content. And it's just this isn't actually valuable. Yeah.

Although Mastodon and Bluesky aren't as great as Twitter used to be, I do find them more pleasant places to hang out. I'm quite happy being there, to be honest. Anyway, xcancel.com.

Joe, what's your pick of the week?
JOE TIDY
I'm probably going to choose a book I'm reading at the moment, which is We Are Anonymous by Parmy Olson. It's an old one.

I think it probably came out where— so the events of the book are about Anonymous, the hacking collective. So she's writing about things that happened in 2009, 10, 11, 12.

I think it came out in '14.
GRAHAM CLULEY
I think it was earlier than that.
JOE TIDY
Well, I'm late to the party. But the good news is the party's still swinging. It's fantastic. I'm really enjoying it.

It's a really good page-turner and it gives us the type of cyber writing and reporting that I really is where you get to know the individuals and you get to find out what makes them tick.

And I'm really enjoying it. And she's a great writer, American. I think she was at Wired and now I think she's a Bloomberg tech columnist or something.
GRAHAM CLULEY
Yeah.
JOE TIDY
And she's written another book called Supremacy, which is about Sam Altman and Demis Hassabis of DeepMind in Google, and that's really good as well.

But yeah, I'm really enjoying it. We Are Anonymous is the book, and check it out if you haven't already.
GRAHAM CLULEY
And it's a real blast to the past, isn't it? About some of those old hacking gangs who are making the news.

I think LulzSec are covered in it quite a lot, for instance, who were a very prominent, primarily British hacking gang back in the day.
JOE TIDY
Yeah, and they feature in my book as well, 'cause my book is about teenage hacking.

And I realize now, too late, that I should have read her book while I was, or before I was writing mine, because it would've helped inform my reporting.

But luckily, I haven't got anything wrong, but I could've just got some really nice detail from the sort of stuff that she got.

Because as you say, she follows a small group of the Anonymous core, which turn out, lots of them, to be part of this really world-changing group that was LulzSec.
GRAHAM CLULEY
Does it feel another time now? Does it feel, do you think, a different age?
JOE TIDY
I don't think so, actually. I think there's a lot of stuff that just keeps coming around.

So, some of the character beats, some of the things that make these hackers tick, you could see that in the book that Parmy wrote 10 years ago, and you could also see it in the book that I wrote last year.

There is a certain number of character traits that you see in these young hackers who like anarchy and chaos, and that really does come through.

And I think in a sense, it goes all the way back to the Hacker Manifesto of the, was it the late '80s, mid-'80s, where you had this idea of the smartest people in the room, they think faster than everyone else, and they want to show everyone how clever they are by doing crazy magical things with computers.

So it does feel almost timeless, that type of story. And that's been really interesting to notice as I've been reading it.
GRAHAM CLULEY
Well, thanks very much. Good pick of the week there.
Unknown
Right.
GRAHAM CLULEY
Well, we've got some time now to have a featured interview with a special guest.

Well, if you've ever had to set up networking for a new office or you've watched an IT team try to bolt security on top of infrastructure that was never designed for it, you'll know it's rarely pretty.

Well, Ryan Benson is from Meter, a company that thinks that there's a better way. Ryan, thank you for joining me.
RYAN BENSON
Oh, thank you for having me, Graham.
GRAHAM CLULEY
So IT teams, they're constantly being asked to do more with less resources, aren't they? So what does it actually look like out there on the ground?

What corners are people ending up cutting?
RYAN BENSON
Well, Graham, I've been doing this for almost 25, I don't want to admit how many years. And until I joined Meter, I was always asked to design to mediocrity, right?

I would come up with a great network design and I'd have redundant firewalls and I'd have powerful switches and what have you.

And then inevitably we'd go to the money folks and they'd say, uh-uh, you know, rip out 30% of it or whatever, right. And so we would rip out this SKU or this box or whatever.

And that would take oftentimes weeks of my work and working with the limited resources at those IT teams to come up with something that would fit the budget and yet also keep the business running.

So we designed to mediocrity, rip out a bunch of cool design that I spent all this time working on.

And in the end, we'd have something that works, but really isn't the greatest and might have some holes or what have you.

And then 3 to 5 years later, we'd have to come back around and say, okay, well, here's some new boxes with some new chips or some new technology.
GRAHAM CLULEY
Right. So the existing approaches seem to fail, don't they? They don't do so well. There's always trade-offs being made.

If it's hardware or you're sacrificing redundancy or you're working with lots of different vendors and there, all sorts of problems can occur, can't they?
RYAN BENSON
Correct. Correct.

So you might have not only just single points of failure, but in kind of the traditional way of doing these things, you might go for a lower tier software license that doesn't have as many features or something like that.

And that's kind of the way that we've done things for a long, long time. Well, what if we didn't have to do that? What if we always put our best foot forward?
GRAHAM CLULEY
And there is a temptation, I think, inside some companies to treat every security gap, you know, it's like, how are we going to deal with this? It's well, we'll buy another tool.

But sometimes that's not always the best approach, is it? Right.
RYAN BENSON
Because you know, you can have a whole bunch of tools, but if you're not equipped to manage them or to log in to a bunch of different dashboards or constantly be looking at them, it's not really a great approach to security because you might have the best tool, but if you don't know how to pick it up and use it, right, or if you don't have the time to pick it up and use it, it's not useful to you.
GRAHAM CLULEY
So Ryan, for listeners who haven't come across Meter before, how do you sum it up?
RYAN BENSON
Well, Graham, we're an enterprise networking company that delivers wired, wireless, security, cellular, even as a subscription.

So the idea is that we deliver world-class networking and security so the customer can go and enjoy whatever it is they want to do with their life and not have to worry about any of the technology.

The idea is that everything, not just the boxes in the closet or the APs on the wall or whatever, all of it is a service.

The support, day 2 and beyond, the design before we ever put anything in the building, the way that we configure the gear, all of that is done from Meter.

And then supported, you know, in year 2, year 3, if there's some new Wi-Fi that comes out, you know, we deliver all that.
GRAHAM CLULEY
So I've heard that Meter's position is that security needs to be designed into the network from the ground up. So it's security built in, not bolted on, not added afterwards.

But what does that actually mean in practice? What's different about how you guys build things?
RYAN BENSON
Yeah, I think it's, you know, some people use the term positive security model.

Our default position when we deploy a new network is to have security baked into the design of the network.

So when something gets deployed, we've already designed it to be Zero Trust in terms of, you know, traffic flowing east-west within the network and things like that in the actual physical design and the software configuration of the network.
GRAHAM CLULEY
So phrases like Zero Trust and NAC and others, these get thrown around a lot, don't they, by the marketing teams? I think they love all that.
RYAN BENSON
Oh, yes. Yeah.
GRAHAM CLULEY
In non-jargony terms, what does enforcement actually look like at the network level? How would you describe it?
RYAN BENSON
Not to get too jargony or too technical, but one of the things that we do is block traffic east-west by default in the actual switching infrastructure that gets delivered or the wireless infrastructure, you know, we isolate clients from talking to each other and then open those things up as needed, as the customer desires.

So if there is an application that needs to talk east-west or what have you, we define that before the network ever even gets delivered.

We do something called a digital twin where all of it is designed, you know, in the cloud before the physical gear is ever delivered.

And then we all agree with the customer and we do a validation step.

It doesn't sound like maybe the sexiest thing in the world to sell, but it is pretty cool that, you know, we go through the whole process of implementation and design, and then we shake hands and say, yes, you know, we agree that this is how we want to run our business or our school or our government or whatever.

And then we say, all right, well, now we can actually physically build it. So I think a lot of that is what makes us capable of delivering a secure network from day one.
GRAHAM CLULEY
Now, a lot of companies, I would think, have already got some kind of security stack that they've invested in. So it could be an EDR or a SIEM, identity tools.
RYAN BENSON
Sure.
GRAHAM CLULEY
If Meter comes in, does all that get replaced or does it sit alongside that?
RYAN BENSON
Well, I would say that some of it gets replaced. Obviously, the physical network, the management of that network and what have you.

But no, the existing SIEM, the IDP and all of that stuff, we integrate deeply with all of those things. In fact, they're critical to delivering a secure network.

So your existing IDP, your existing SIEM, those things are going to stay and we're going to integrate in tightly with those things.

So we can do role-based access control, the concept of least privilege, so if you add a new administrator or a new person in your team, they're not going to have keys to the kingdom day one and what have you.

And obviously your MFA and all of that, that you use today with your IDP is still going to be used.
GRAHAM CLULEY
So your existing investments, they are preserved. You're not chucking all of that out.
RYAN BENSON
Yeah, that's a good way to put it.
GRAHAM CLULEY
So let's look at a typical customer and the sort of what's happening in the real world. What does their situation look like before you come in? And what's changed afterwards?
RYAN BENSON
Yeah, I think it's what we talked about just a few minutes ago is that the incentives change.

And I think that's one of the biggest differences that I could possibly say about Meter is that it doesn't necessarily matter if our APs are the strongest or the switches are the coolest or fastest or whatever, which of course I would say they are, but I might be biased.

But it does matter that we care very much about the outcome.

So if you're a hardware store and you want to run that hardware store efficiently and take obviously point of sale swipes and you want to have your folks with their inventory scanner guns be able to scan the inventory and fly around forklifts at 35 miles an hour and whatever else we care about that as much as we care about delivering an access point or a switch or what have you.

So what that means is instead of worrying about what switches go in the closet and what firewalls are plugging into the ISPs, or even what ISPs there are, right?

We care very much about your hardware store running and operating as best as it can. And we contractually obligate ourselves to that. So we deliver an SLA.

We're not delivering a SKU, but we're delivering a network. And I think that's the big difference is that for me, I love this stuff and you probably love it as well.

And that's why we talk about it on podcasts and why we talk about it with friends and other network folks.
GRAHAM CLULEY
Right.
RYAN BENSON
But really the rest of the world sees the internet now as plumbing and it just needs to work. And that's what we're delivering.

And I think that is the big difference for our customers, is that they can rely on a great outcome that also is secure because we put it in the contract.
GRAHAM CLULEY
So you said that this isn't the sexiest thing in the world, Ryan, but then you start talking about plumbers. I mean, I think you are painting a picture now. Anyway.
RYAN BENSON
Well, Graham, when people go to visit Rome, they go and what do they see? The Trevi Fountain. They see the aqueduct.
GRAHAM CLULEY
Yes.
RYAN BENSON
That's 2,000-year-old plumbing. So that's true.
GRAHAM CLULEY
That is true. We've been running ads for Meter on the podcast for a while now.

And one of the things that's been absolutely fascinating to me is that you guys even get down to the floor plans, right?

You're working at that kind of level with some of your customers.
RYAN BENSON
Well, it's not just some of them, it's actually all of them.

And I think I was just talking with someone about this yesterday, that is one of the biggest differences is that, you know, once again, we were talking about earlier, instead of me being a nerd and putting SKUs and bills of material together and a Visio drawing that takes me a month to do and all that, all that goes away.

If we talk to a customer and they say, hey, we, you know, we your idea, you know, what's the price?

Instead of going through all that, we're just, hey, send us a floor plan of your most painful location, you know, something that maybe you need to look at lately.
RYAN BENSON
That's it. We just need a floor plan or sometimes even just square footage and the type of building, right?

And then we know based on our experience building networks for a warehouse or for a school or for a high-density office or whatever, we know how much it's going to cost us to build a state-of-the-art, great, secure network.

And so we can just give you a price.
RYAN BENSON
And so that reduces so much friction because at some point we can say, hey, here's what it is, you know, you want to do business or not?
GRAHAM CLULEY
So there's no extra SKUs, there's no add-on licenses for advanced features.
RYAN BENSON
None of that.
GRAHAM CLULEY
Is that genuinely sustainable as a business model or does the catch arrive later?
RYAN BENSON
Well, it's funny you ask that because I don't think I can say I've had a bad meeting since I've joined Meter.

But, you know, the only pushback we get is usually this seems too good to be true. Where's the catch?
GRAHAM CLULEY
Right.
RYAN BENSON
Or wait a minute, if you do all this, it's probably too expensive. I can't afford it.

And, you know, I would say that's probably true if you own two coffee shops or something, you know, that's not really a great fit, I guess, for Meter at this time.

But, you know, if you own 100 coffee shops, we are absolutely your best option.
GRAHAM CLULEY
Right.
RYAN BENSON
The idea of it being a consistent spend to say you're always going to have the best network and you can just forget about networking and go on and sell your coffee or whatever it is your mission is.

That's really our promise is to say, hey, hire the experts at this. We'll deliver the best and you can go on about your mission.
GRAHAM CLULEY
So one final question for you, Ryan.

If a listener's out there listening right now and thinks, oh, crumbs, you know, we could do with help with this, what's the right first step that they should take?
RYAN BENSON
Well, they could certainly head to our website, meter.com/smashing, and see if they what they see.

And if they do, obviously they can reach out to us, you know, either there or, heck, even email me.

I'll be happy to align you with the right folks.
GRAHAM CLULEY
Great stuff. Well, it's been great talking to you, Ryan. Thanks so much. There you have it, listeners.
GRAHAM CLULEY
You can find out more, just go to meter.com/smashing. That's M-E-T-E-R.com/smashing. And thanks as always to Meter for supporting the show and for you, Ryan, for coming on it.
RYAN BENSON
Well, thank you, Graham, for having us. It's been an honor.
GRAHAM CLULEY
My pleasure. Well, that just about wraps up the show for this week. Thank you so much, Joe, for joining us. Always a pleasure to have you on.
GRAHAM CLULEY
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
JOE TIDY
Well, Twitter obviously is the greatest website ever, so you should be— no, I'm actually working really hard to do more and more social stuff.

So my Instagram and my TikTok, just my name. In fact, my Instagram is MrJoeTidy, and then I'm also on Bluesky and LinkedIn as well. But I'm, OnlyFans, of course.

Yeah, you know my OnlyFans, just put I'm going to put a little, what's it called?
GRAHAM CLULEY
Aubergine?
JOE TIDY
Affiliate link.
GRAHAM CLULEY
Oh yeah, okay, well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Reddit or Bluesky or Mastodon as well.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Episode show notes, sponsorship info, guest lists, and the entire back catalog of 464 episodes. Go, I know, I know. Go and check out smashingsecurity.com.

Until next time, cheerio, bye-bye.
RYAN BENSON
See ya.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley, and I'm ever so grateful to Joe for joining us this week and to this episode's sponsor, Sophos.

Sponsors Elastic, Vanta, and Meter. And also, of course, the following patrons who've been plucked out of the hat. So who have we got this week?

Skur Imtiaz Ahmed, a name of real gravitas, that. I imagine he's read all of the Ts and Cs and actually understood them. The magnificently monikered Urs Schoenhoser.

Lewis, just Lewis, so confident he doesn't need another name. Trustworthy sidekick to Inspector Morse. The solid and trustworthy Robert McCurdy.

Benjamin Harouth, the kind of guy who's never once clicked remind me later on a software update. Who else?

Kenneth Ingham gives the vibes of being the most knowledgeable person in any given room, but too polite to mention it. We appreciate that, Kenneth.

Marvin71, yep, Marvin with a number. The 71 could be a birth year, I suppose, a high score, number of times he's explained to someone why they shouldn't reuse passwords.

We're guessing it's all 3.

And finally for this week, Karen Reynolds, the most organized person on the incident response team and the one who brought homemade biscuits to the debriefing session.

Those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free, earlier than the general public, and can be pulled out of the hat at random to have their names mocked at the end of the show.

If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details.

You can also support the show in plenty of other ways, and they aren't going to cost you a single penny.

You can like, subscribe, leave a 5-star review, but most important of all, go and tell your friends.

Go on, go and tell them that you listen to Smashing Security and encourage them to do the same. Well, until next time, that's just about it for us.

So I'll say toodloo, cheerio, bye-bye.

EPISODE DESCRIPTION:

A company that ran anonymous tip lines for 35,000 American schools - handling reports of bullying, weapons, and self-harm - boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results...

Meanwhile, Rockstar Games gets hacked again - and the stolen data turns out to be less embarrassing than the financial secrets it accidentally revealed. GTA Online is still making half a billion dollars a year. Red Dead Redemption is not.

All this and more in episode 464 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest BBC cybersecurity correspondent Joe Tidy.

Plus! Don't miss our featured interview with Ryan Benson of Meter.

EPISODE LINKS:

SPONSORS:

  • Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.
  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.