Someone's election-fiddling is uncovered with an Apple AirTag, a cyber scandal rocks Germany, and a swindler steals a fortune due to trains being delayed.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by runZero's Chris Kitsch.
Plus don't miss our featured interview with Akamai's Patrick Sullivan talking about how retailers can better thwart bots this holiday season.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- The rundown on becoming runZero: What I learned rebranding a company - Chris Kirsch on the runZero blog.
- Tweet by Melissa Shusterman - Twitter.
- Apple AirTag Used To Find Over 100 Stolen Democratic Campaign Signs, Police Say - Forbes.
- Wie eine russische Firma ungestört Deutschland hackt (How a Russian company hacks Germany undisturbed) - ZDF Magazin Royale on YouTube.
- German cybersecurity chief investigated over Russia ties - AP News.
- German cybersecurity chief sacked following reports of Russia ties - The Guardian.
- Fraudster swindled Virgin Trains out of £116,000 in 'sophisticated' scam - MSN.
- Virgin Trains worker, 37, swindled rail firm out of £116,000 in 'delay and repay' compensation scam by photoshopping tickets to exploit flaw in system - Daily Mail.
- Train delays: How to claim if it's late or cancelled - Money Saving Expert.
- How many trains arrive on time - Gov.uk.
- Employee swindled Virgin Trains out of £116,000 in delay and repay compensation scam - Birmingham Mail.
- Fat Bear Week 2022.
- ‘Fat Bear Week’ Hit By Voter-Fraud Attempt - Rolling Stone.
- PimEyes - Face search engine.
- The Fear of God: 25 Years of the Exorcist - BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Akamai – Make the most of Cybersecurity Awareness Month by connecting with Akamai’s experts on how you can achieve unmatched security. Where else can you take advantage of insights from 7 trillion DNS queries per day?
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Let me get my head around this so there is this non-profit group called Cyber Security Council of Germany which isn't to be confused with the Cyber Security Council of Germany.
Exactly right so there's two of them, they have dashes in different places. So Protellion, they're members of the Cyber Security Council in Germany as well.
CAROLE THERIAULT. Yeah but they're not part of the Cyber Security Council in Germany.
GRAHAM. No no don't get confused with Cyber Security Council Germany. And there's this bigwig who somehow set up the Cyber Security Council of Germany, not to be confused with the Cyber Security Council of Germany.
CAROLE. Actually, I think he's part of both. This is very good.
UNKNOWN. Smashing Security, episode 294, The Virgin Trained Swindler, Cyber Clowns and AirTag Election Day Bargle with Carole Theriault and Graham Cluley.
Hello.
GRAHAM. Hello, and welcome to Smashing Security episode 294. I'm Graham Cluley.
CAROLE. And I'm Carole Theriault.
GRAHAM. And who have we got joining us this week, Carole, on the show?
CAROLE. We have the CEO of runZero, Chris Kirsch. Welcome to the show, Chris.
GRAHAM. Hello, and thanks for having me. Now, last time you were on, Chris, you were the CEO of a differently named company. What's happened?
Yeah, why did you lose your job, Chris? What happened?
It's always nice to have softball questions like that, right. No, we changed the company name from Rumble to runZero. There is another company called Rumble that we thought would never cross our paths because they're in a very different space, and they decided to go public on the NASDAQ, so we decided to rename and we're now runZero.
So they were the right wing video site or something. Is that right? You didn't want to be associated with them.
CAROLE. But it's business as usual for you guys other than the name.
GRAHAM. Yes, absolutely. And runZero is a great name.
Thank you. Yeah. It was bloody hard to find a good name. I actually wrote a blog post about that just for any founders out there who are trying to figure out how to name their company. You can find that up on our blog.
Oh, links in the show notes.
CAROLE. But you know what, boys? I think we digress. I think we need to kick this show off.
But before we do that, we need to thank this week's sponsors, Bitwarden, Akamai and Kolide. It's their support that helps give you the show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM. I'm going to ask the big question. The big question being, am I a bit of an arse?
CAROLE. Okay, done. Okay, next.
What about you, Chris?
GRAHAM. I've got a new Cold War story for you.
Ooh, okay.
CAROLE. And with me, we are going to be jumping on a train and hoping it arrives on time. Plus, we have a featured interview with Patrick Sullivan.
He is CTO of Security Strategy at Akamai. So all this and much more coming up on today's episode of Smashing Security.
GRAHAM. Now chums, chums, I feel like I've already shot my load on this one but I'm gonna ask the big question. Am I a bit of an arse? I think I might be.
CAROLE. I can't believe you've mentioned us and shooting your load at the same time.
GRAHAM. But I mean Chris you don't know me that well. I mean you've just heard me on the podcast. Do you think I'm a bit— You know, am I?
I do want to get invited back to the show. Let's move on.
Anyway, I'll tell you a story. I'll tell you a story about something that was happening to me a few years ago.
A few years ago, I was living somewhere else. And I'd take the dog out for a walk. And, you know, there we go. La-di-da. You know, it's wonderful.
And I'd go past the village notice board. And there was something tacked onto the village notice board, which I didn't like.
I thought, I don't like that.
CAROLE. You're not going to tell us what it is?
GRAHAM. All right. I'll tell you what it was.
What it was was an invitation for people saying, are you interested in philosophy and economics? Would you like to come along to a friendly get together where we'll have tea and coffee and cakes and we'll talk about philosophy and economics?
CAROLE. Do they also serve Kool-Aid?
GRAHAM. Well, exactly, Chris. Exactly. I recognized what group had actually put this together.
CAROLE. Okay, it's not that all philosophers are Kool-Aid drinkers. Not necessarily. I was just making sure.
Yeah, okay.
GRAHAM. But I'd read a book back in the 1990s, written by a couple of investigative journalists about this innocuous sounding group, which claimed to be a school of economic science. And I didn't really like what I read.
And I was reading this pamphlet on the notice board. And I thought, that's from this group.
I thought, they're just claiming to be handing out orange juice and talking about philosophy. But I know it's— So I thought, right, I'm going to take down that poster because I don't want anyone going along to that meeting.
So I would take it off the notice board, right? And then I'd go by again a few days later with my dog and the person had put up a new poster and stuck it on.
Maybe they'd use staples this time. And I think, right, I'm taking that down, right?
So I'd rip it off, I'd shove it down the front of my trousers and off I'd go on my dog walk. And I'd do this every few days, I'd see another one.
So there was this battle going on.
CAROLE. So you're wondering, because you were deciding for everybody else that this was inappropriate and you were taking it down and it was obviously pissing off the original person and they didn't know why you were taking it down because you hadn't contacted them to tell them anything.
GRAHAM. I hadn't, no, because I was scared.
CAROLE. Okay. And you're asking if you're an ass, right? Is that the question?
Yes, that's what I'm asking. Okay. Yep. Yep. Carry on. Carry on. Yeah.
GRAHAM. Well, so do you think I am or not?
CAROLE. Graham, you're putting me in a very difficult position here. I purport to be a buddy of yours.
Yes. Yes, this is the wrong show.
GRAHAM. Yes, but as my buddy, you can tell me if I've been inappropriate. Anyway, I don't know whether I was right to do it or not.
Yes, of course I was right to do it. But I was reminded of what I'd done when I read this story on Forbes this week about signs that some people had put up in their front gardens and that evaporated. They disappeared.
So we have to travel over to North America, where there is apparently an affluent suburb northwest of Philadelphia, where hundreds of political campaign yard signs have been going missing. People have their yard sign up in their front garden.
We don't do it as much over here in the UK. I mean, we do a bit.
CAROLE. We do a bit, but we tend to put them inside windows because our houses are much closer to the roads and cities.
GRAHAM. Yeah, you don't have a front lawn, right?
CAROLE. Yeah. Yeah, yeah. Or a very small one compared to America.
GRAHAM. But over there in this rather schmaltzy neighbourhood. Leafy. Yeah, it's probably delightful.
People put out their little things saying who they want people to vote for. They go to bed and it's still there. They wake up in the morning, it's gone. It's vanished.
And some of the people who noticed that their signs had disappeared were contacting the cops to file a report saying, hey, you know, this thing has disappeared from my front lawn. And obviously the cops leap into action.
CAROLE. If you were a police officer, you'd be like, yes, yes. Okay, that is priority. I have a few murders, but you know what? Let me put them on ice and I'll come and deal with this.
GRAHAM. We won't worry about the Philadelphia Strangler. We're not going to worry about him or anything else that's going on. We're going to send some cars around. They'll fingerprint the place.
CAROLE. Yeah, priority number one. We'll be there in five minutes.
GRAHAM. Yeah, yeah. Well, anyway, when people filed a report, the cops said, oh, yeah, yeah, we know where they are. Oh. Yeah. What you've got to do is go to the local strip mall and you know where the nail bar is. Well, go behind the nail bar and there you'll find this large dumpster. And that's where all the signs are.
Said the cops. Said the cops. They knew where they'd gone. Not because the cops had put them there, but because someone else had already found out about them.
And this information went to 75-year-old Arlene Talley, who's a member of the Chester County Democratic Committee. She was interested as to what happened to the signs. She went to where the police said, she found the dumpster and she found 118 stolen political signs.
All of them supporting Democratic candidates. Of course. All those, you know, horrible progressive causes like reproductive rights and Black Lives Matter or really offensive stuff. We should definitely want to clear up a sign if it was proposing that sort of, oh, goodness me.
Anyway, so all the signs, which were obviously, you know, sort of slightly left of, well, left of right. Now, how did the cops know they were there? Well, it's because one victim had had the foresight to attach a $30 Apple AirTag to their sign, perhaps realizing.
CAROLE. There's the technology angle. I was waiting.
GRAHAM. Perhaps realizing that they might be stolen. Yeah. So remember, I think it was last time I was on, I brought you the story of how somebody sent a letter to the German intelligence services and unmasked their location and who was connected to whom. Yes. So I guess it works all around.
That's right. My question, though, is if the police knew that they were in that dumpster, why didn't they just hang out by the dumpster and wait for somebody to come by to drop them off?
Because they're very busy dealing with the strangler. I mean, it's not obviously the top priority. Seriously, if you were in charge of the cops.
They could have gotten their nails done at the nail salon at the same time. You know, it's not a hardship posting.
CAROLE. Exactly. Exactly. And also, what's irritating about all this is the cops say, oh, yeah, we know where they are. They're in the dumpster on 49th and 50th or whatever, wherever it is. But then you have to go get them yourself. Yeah. Right? You're not.
GRAHAM. Well, you think they should send a squad of police cars, right? And how are they going to know who to deliver them to?
CAROLE. No, I just think, do they know who is behind it?
GRAHAM. They haven't found out yet. They are apparently examining CCTV footage, but so far it hasn't caught any of the troublemakers.
They think. The police theory is it's mostly kids, as some homes also had their mailboxes damaged.
CAROLE. I can't believe someone's Google Nest or whatever, you know, Amazon Ring doorbell didn't catch these idiots.
GRAHAM. Yeah. Well, it would be good if they had, wouldn't it? It'd be good if they had. So we're all familiar with this idea of AirTags being used to help find lost items like bikes, lost luggage, and of course being used to track and stalk people, or that story which Chris gave us before, extraordinary story from Germany about finding out where top secret departments may actually be based. But, you know, these AirTags can be used in all kinds of ways. So my son, it turns out, I didn't know this, my son has got an AirTag. He's got it on his phone or his school bag or something. And so they built into AirTags this means by which you can be warned if a tag is following you? Yeah? So if someone's planted one in your car, for instance.
CAROLE. Exactly. We've done that story before as well. Yeah.
GRAHAM. And then it'll go bleep, bleep, bleep, bleep. So I'm finding this really annoying because I'm obviously carting my son around all the time with his school bag, getting him to school or to his tutor or something. And all the time I'm getting these messages popping up on my phone saying, oh, there appears to be an AirTag which is tracking you. It's been traveling around with you. It's like, well, yeah, I know it's been, this is my, and I've got no way of saying, well, don't bug me about that one. Stop bleeping at me all the time.
CAROLE. Oh, really? No, there must be a way. There's going to be a listener who's going to get in touch. You could get an Android. No, no, that is not the, that's not what you should do. Are you crazy? I think you need to Google how to stop an AirTag blinking at me. I'm doing it right now for you. Right. Well, yeah. Go to settings, Bluetooth, and turn Bluetooth on. Go to Find My app, tap the Me tab, turn on tracking notifications, and turn on airplane mode. Done.
GRAHAM. Oh. All right. I'll give that a try. Yeah, just put your phone in airplane mode all the time. You'll also have fewer scam callers. I do it. I do it a lot. Melissa Shusterman, she is a state representative, hoping to be re-elected in next month's midterms. And she's one of those who had her sign stolen. She has said she's blaming it all on MAGA, make America gruesome again. She says, we will not let the radical MAGA right intimidate us. Double the amount of signs taken will go back up. Now, that seems to me we could end up with an exponential rise of signs on people's front lawns if this keeps on happening. And I don't know what's going to happen with the dumpsters either, but it's just going to keep on and on. Yeah, but, you know, you also took down that sign on the notice board all the time. So, you know, that seems like escalation that doesn't help either side. Do you think they should have kept on putting up two signs for every one taken down and then four? Just to keep me busy. Just make them bloody heavy. My trousers would be bulging from the number I'd stuffed into my pockets.
CAROLE. You could have done two things, I think, that would have been better. One, you could have put up your own sign explaining what that sign meant and why you thought it was a bad idea and gotten a little bit of controversy going on in town. Right? Or you could have gone to the local newsletter, newspaper, whatever, and said, this is why I think this sign should be taken down.
GRAHAM. Oh, yeah. You should have talked to me. Yeah, that's a great idea. Thanks, Chris. But the real question, though, is the UK is the capital of the CCTV surveillance system. So I can't even find people who pick up signs all over the city and put it in a dumpster.
Oh, this was in the US, right? Yes. Yeah, yeah, yeah. This is great stuff for you to cut out of the podcast. Of course. Just cut out all the stuff where it's dumb stuff, right? We do that every week. Wow. Wow. I am an ass, aren't I? Yes. Chris, what have you got for us this week?
So I live in the US so it's not as close to me as it is to you, but there is this thing going on with Russia and Ukraine and everything right now. So, you know, things have cooled off a little bit with Russia and they're not invited to the party anymore.
And there have been some weird things happening in Germany, for example, the German railway system was halted for three hours earlier this month due to a failure of the digital train radio system. They chalked that up as sabotage. And, you know, maybe that's big brother Boris meddling with things, right? Just to set the scene for...
Oh, that Boris. Sorry. Sorry, when you're British. Yes. We had a horrible flashback to another one. I was like, ah! Should we call him Ivan, Vlad? Yeah, anyway.
So the story I'd like to tell today is one about a German software company called Protelion. They're based in Berlin.
They make all sorts of things like VPNs, endpoint security. I think they have a managed detection and response service. So finding anomalies on your network. And they're the typical small or medium-sized German company selling German software to German enterprises and, you know, sometimes around the world.
And so this German TV station looked at them. They had a lead somewhere and they saw that the Protelion software was also sold by a company in Russia called Infotex. And so they're like, hold on, this is a little weird. Shouldn't that be under sanctions? And, you know, is that still allowed?
And so they wanted to phone them, but they thought, no, no, we'll just go by their offices and, you know, ask them in person, you know, and tell them hey, the Russians have pirated your software. They're selling that in Russia and trying to figure out what's going on.
So when they arrived at the offices in Berlin to warn them that their software was being sold in Russia, the Protelion doorbell says, please ring the bell for Infotex. So that's a bit weird.
The name of the Russian company. The name of the Russian company. This is, I think, another callback to the story I told last time. Yes. What is it with people who are trying to hide their tracks that they are in the same building and referencing each other's bells, you know? You know, tradecraft's really gone downhill.
So, also what was weird is that if you look up the CEO of Protelion, he is formerly the head of Infotex Germany. So, they actually just rebranded Infotex Germany as Protelion. You've got to be careful of these companies which rebrand themselves, don't you, Chris?
CAROLE. There can be difficulties. Who knows what they might be hiding?
GRAHAM. Yes, I've been caught. Okay. And by the way, the German army was also in their building in that same building, which is also a tad weird.
So it turns out Infotex is not reselling the German software. Infotex is the original equipment manufacturer of the Protelion software.
It gets more interesting. Infotex also supplies the software to the FSB. And the Russian intelligence services also help develop the encryption algorithms for that software. Doesn't that make it feel warm and fuzzy?
Hang on, but this is VPN software and endpoint security software is what we're talking about here. Excellent, right? Awkward. Yeah, the founder of that company is actually an ex-KGB officer. Of course he is. Who recently got a medal from our friend Vlad. Oh, stop. For over 10 years of excellent services to the country.
This is another sticky pickle. Oh, my God, yeah. There is so much more to unpack, though, Carole. Okay, I'm listening.
Okay, so Protelion is also a member of the, and repeat after me, Cybersicherheitsrat Deutschland e.V., so the Cybersecurity Council of Germany.
CAROLE. Okay, Cybersecurity Council of Germany. Okay.
GRAHAM. That's easy to repeat, yeah. So, there is a Cybersecurity Council of Germany, Cybersicherheitsrat, which is part of the German Ministry of Defense. But it's not that one.
So we'll do a little pub quiz, Carole and Graham. You know, you're used to pub quizzes, right? In the UK, you can ask who won the Eurovision Song Contest 1974 or something like that? ABBA, Waterloo at Brighton. Yes, exactly. Wow. I am impressed.
So in Germany, our pub quizzes aren't as much fun. Our pub quizzes are more like, what does E.V. stand for? Oh, this is part of their name. Part of their name, yeah. Of the Cybersicherheitsrat Deutschland. I have no idea. Does it mean not really, or we're actually Russian? Or something like that? Fake, fake.
So it means Eingetragener Verein, which means it's a non-profit, right? So it's not part of the government. Today we learned, good.
So it's actually a private lobbying group by the same name of the Cybersecurity Council of Germany as part of the Ministry of Defense. So no room for confusion at all there, right?
CAROLE. Right. And yes, they're not taking advantage of that confusion either. No, no, no, they wouldn't.
GRAHAM. So Chris, when you had this sort of name dilemma yourself with your company, where your name was also being used by this company, you just changed your name. Whereas this organization appears to almost be exploiting the fact.
You might say that. Yes, you might say that. Right. So this lobbying group, there's a few of those in Germany, and they typically include both vendors of security solutions and very large enterprises. And they kind of collaborate and they try to influence government legislation and hold events and all of that jazz.
So same with this group here. Some of the very large German enterprises were in there. And it's very hard, as you said, to distinguish the two cybersecurity councils of Germany for anybody in Germany or even abroad. Right.
Especially because their founding president is a gentleman by the name of Arne Schönbohm. Now, Arne, he's the son of a former German minister. Also coincidentally the person who was the first commander who integrated the East German army into the West German army, the Bundeswehr, so you know, somebody with a lot of political clout and former East Russia maybe, I don't know.
And so his son Arne is now the current chief of the BSI which is the German intelligence agency for cybersecurity.
CAROLE. Yeah okay the real BSI. The real BSI, right?
GRAHAM. The BSI is quite respected, isn't it?
It is, yeah. Yes. It is respected. Like, it's a very decent agency, and they collaborate a lot with industry and so on to keep industry safe and provide guidelines and so on. So it's a respectable agency.
He himself, not so respected in the industry. He's got no background in information security to the point that he got dubbed as the cyber clown by German media.
CAROLE. So he's only there because his dad was powerful.
GRAHAM. I would think so. Yes. And so he founded this lobbying group. And then, you know, when it came out that, oh, Protelion had these ties to Russian intelligence, he wrote a little note to his employees at the BSI and said, oh, any BSI employees shouldn't attend any events by the Cybersecurity Council.
CAROLE. He's trying to divide the group saying, let's not intermingle.
GRAHAM. Let's not intermingle. And by the way, his successor also was interviewed on TV that, oh, you have to stay in touch with all of the relevant players in cybersecurity. And that includes the Russian and Chinese intelligence services. What? Which I thought was a little bit weird.
Okay, let me get my head around this. So there is this nonprofit group called Cybersecurity Council of Germany, which isn't to be confused with the Cybersecurity Council of Germany. Exactly. Right. There's two of them. They have dashes in different places.
So Protelion, who clearly have Russian links and Russian intelligence services help develop their encryption algorithms and they supply software to the FSB, etc., etc., they're members of the Cybersecurity Council in Germany as well.
CAROLE. But they're not part of the Cybersecurity Council in Germany.
GRAHAM. No, don't get any confusion with the Cybersecurity Council in Germany. And there's this bigwig who's a clown who somehow set up the Cybersecurity Council of Germany, not to be confused with the Cybersecurity Council of Germany.
Actually, I think he's part of both. Oh, is he on both? This is very... What's going on here? What's the end game here, do you think, Chris?
I don't know. I think it's intelligence services, obviously, creating software that might be backdoored, might have weak encryption algorithms and so on. So the FBI is also investigating Infotex, and it's not just an issue in Germany, so this actually should be relevant to a lot of your listeners. But, you know, more importantly, look at your vendors and figure out if they are of good provenance, you know. Maybe drive to their offices, look at the doorbell.
Yeah, ring the doorbell, see what it says. Yeah,
CAROLE. Do your supply chain due diligence, right?
GRAHAM. And if you are a Russian company working undercover, however, you know, effectively not advertising the fact that you are a Russian company, perhaps. Maybe don't advertise it quite so brazenly and so incompetently.
Yeah, it was. It doesn't say a lot for their security, does it? Their OPSEC is pretty bad. Their OPSEC was really, really bad. I mean, having the same CEO of the German subsidiary, you know, it just boggles my mind that this really worked.
And by the way, the head of the BSI is now probably getting fired per a message of the German interior minister. So that's going to put an end to that. So no more clownery in German cyber.
CAROLE. We found, though, we found due to our recent politics that sometimes the replacement or incumbent can be. I don't know what the word is.
You have a point, Carole. You have a point. Watch this space is making better. Yeah. All right,
GRAHAM. Carole, what do you have for us? Wait, that's my bit. Oh, sorry. Carole, what have you got for us this week?
CAROLE. Okay, so we often talk about scammers breaking into computer systems by either using stolen credentials or social engineering tactics or taking advantage of vulnerabilities. But let's not forget about employees. Some of which can get up to no good in plain sight, and no one's the wiser.
Meet Shahid Anwar. He is a 36-year-old from Rugby England. And yes, that is apparently where the game of rugby was first conceived. How clever. So there's another little fact for you for your pub quizzes. And that is the sport where players get cauliflower ears. And I just wanted to give you a screenshot of a bunch of cauliflower ears in the notes.
GRAHAM. Yes, I was very much wondering what you were sending us here.
CAROLE. They're pretty outrageous looking, aren't they? You'd think there'd be plastic surgery for something like that. It can be a pretty rough game.
Now, as far as I know, Shahid did not play rugby or have cauliflower ears. Okay, then why this intro, Carole? I'm really curious.
GRAHAM. Because he's from rugby. Because he lives in the same town.
CAROLE. You learned a lot of good facts when I put my stories together. You're very welcome. And he was a customer resolution specialist within an agency within Virgin Trains.
GRAHAM. What's a good job title? Because he does work in the complaints department. Is that what it means?
CAROLE. Kind of. Chris might not know this, but UK trains have a reputation of not always being on time.
GRAHAM. I have to say, when Chris said that the German train system had been disrupted for three hours, I just thought, quite a good day. I moved from Switzerland to the UK at one point. And I had lived up in the Alps. And we had a very good train system there. Then I moved to the UK and I think the British rail system divides snow into four categories and they can't operate in three of them. If you think the snow's bad, just wait until leaves fall off trees.
CAROLE. So do you want to take a guess at what percentage of trains are delayed in the UK? This is based on the last recorded six month period.
GRAHAM. It's probably not as bad as we were saying. Don't come with facts. We like our stereotypes.
CAROLE. I'm coming with facts. What do you think?
GRAHAM. What does delay actually mean? How do they define delay?
CAROLE. They delay it by being a minute or more late.
GRAHAM. Oh, my God. I'm going to say 80%.
CAROLE. They claim 25%, one in four. And apparently, so I thought Chris is on the show. Let me just compare this to Germany, because in 2021, they were boasting that 82% of their trains were on time. But apparently, due to your crazy flooding and strikes and issues that you've had, your numbers are now in the same boat as ours this year.
GRAHAM. Don't come with facts. I love the stereotypes.
CAROLE. And because of these frequent delays in the UK, train services like Virgin Trains have a scheme available to offer commuters in the UK what they call a pay and delay scheme, which is a really weird name. But basically, it means that you can apply for refunds if a train is cancelled due to strikes or it's late or whatever. And according to money-saving experts, people are not actually applying for these refunds to the tune of £100 million.
So back to Shahid. Now, Shahid, remember, works in the department. What department, Graham?
GRAHAM. The customer resolution thingy.
CAROLE. Customer resolution. Yes, that's where he works. And he's looking at all this stuff and looking at all this money that is not being claimed. And something that you may not know because I didn't share it, other than he lives in rugby, is that he's facing personal financial difficulty. So he's looking at all these cash, right? And because he works on customer resolution, he's seen that these legit claims are not being made. And maybe this is where he decides to do something about it.
So this all kicks off in 2016. He starts submitting false refund claims. Some of his tactics include creating Photoshopped tickets. He created over 100 PayPal accounts and multiple email aliases to manage this racket. He managed to pull off more than 1,500 refunds by taking advantage of design weaknesses in the pay and delay scheme. Some were as small as £9.10. The biggest one I could see was £746. These were what he was able to claim.
In all, he did this for three years and amassed £116,000 in this time. And he was working on a further 50K at the time of his arrest. And apparently when arrested, he said he was so relieved to be finally arrested because he felt he'd gotten addicted to the swindle.
So, two things which blew my mind, which I haven't mentioned. One is during this swindle, he actually left Virgin Trains, so was no longer working within the department. But he carried on ripping them off.
GRAHAM. He didn't need to work with them anymore, I imagine.
CAROLE. He just could guess what trains were late. He just would guess. He just would go, I know the train from Birmingham to London at this time is always late. I'm just going to submit a refund request for it with a fake Photoshopped ticket.
GRAHAM. My goodness. That's ballsy.
CAROLE. So two, okay. So I did a bit of the maths on the money, okay. So let me just get this out to you guys right now. So basically, let's say it's rounded to he made about £100K in three years. So let's say £33K a year. So two and a half K a month, or about £600 a week, okay. Those are your numbers. So £600 a week.
So one of his claims when he got arrested is what they were saying, well, what did you spend the money on?
GRAHAM. Train tickets.
CAROLE. No, that would have been so good. No, he spent it on groceries, he claims.
GRAHAM. Cauliflower?
CAROLE. Yes, that's how we get back to it. No, he spent it at his two preferred UK food stores, Graham, in the UK £600 a week for him and his wife to spend. Can you guess what the two shops were?
GRAHAM. Waitrose, because that's quite expensive.
CAROLE. Yes. Waitrose and Lidl. Aldi.
GRAHAM. How did you guess? I can't believe you guessed.
CAROLE. The second one is Iceland.
GRAHAM. Iceland. Same kind of thing.
CAROLE. I found that hilarious. Waitrose and, you know, what, was he buying those things for his other family members? We have the Iceland stuff. We're getting the really nice rack of lamb.
GRAHAM. So Waitrose is high end and the other one is low end?
CAROLE. Oh, yeah. Well, Iceland is considered maybe more cost effective. Waitrose is
GRAHAM. Lovely. You'll get a little thigh massage when you go in there. And then a bill
CAROLE. For 150 quid for a shop that should cost you 40. But it is a lovely experience, right? Oh, yeah, it's gorgeous. So Shahid has been lucky, however, because he got a suspended sentence. The judge was unhappy that he had been arrested in 2019, but only charged in 2022, which, you know, that's a long stress period for not knowing if you're going to be charged or not.
GRAHAM. Yeah, it's the pay and delay scheme.
CAROLE. But I wonder if the fact that he'd spent the money at supermarkets and that he was very apologetic rather than buying a flashy Maserati and a gold medallion worked in his favor as well.
GRAHAM. He helped the economy, he was leveling up.
CAROLE. Exactly. So best takeaway here is if you are in the UK and you find yourself in a delayed and cancelled train even if it's due to strikes which we've had a lot of recently, go check up on how you can reclaim a refund. These details are in the episode webpage on Smashing Security.
GRAHAM. Because train fares are expensive. I mean, it costs a fortune in this country to be transported like a piece of cattle. Yes! I mean, they wouldn't actually transport cattle in humane conditions as they do people on trains in this country. But yeah, it's a good idea. Good tip, Carole.
CAROLE. You're very welcome.
GRAHAM. Every day, billions of people around the world connect with their favorite brands online through shopping, gaming, banking, learning, and more. Every second, the internet gets more chaotic, more cyber threats. Securing entire ecosystems, clouds, apps, APIs, and users, that grows more complex, causing friction that slows innovation and hampers agility. With Akamai, cybersecurity can become an engine for innovation and growth. Whether you want to achieve unmatched security with Akamai's suite of app and API protection or embrace a zero-trust architecture, Akamai can help. With insights from the world's most distributed computer platform, Akamai delivers unique security research on the latest attacks and trends on everything from ransomware as a service, gangs like Conti, DDoS attacks, phishing attacks, to help you protect your business. Where else can you take advantage of insights from 7 trillion DNS queries per day? Learn more about Akamai and their security research. Visit their website akamai.com slash smashing. That's A-K-A-M-A-I dot com slash smashing.
CAROLE. Bitwarden's open source password manager that is trusted by millions of individuals, teams and organizations around the world has just announced its October release. And it is chock full of goodies, which include password protected encrypted export, which allows you to export your vault in an encrypted format using the password of your choice. Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available. And here's a little insider scoop for you. They're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser. Want to try these features out? I don't blame you. Visit bitwarden.com forward slash smashing. That's bitwarden.com forward slash smashing. And thank you to Bitwarden for sponsoring the show.
GRAHAM. If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security. Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers. If you're not quite sure how you'd go about proving all that, then you need Kolide. Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals. Best of all, Kolide doesn't resort to spying on workers or locking down devices. Instead, it works with end users to resolve issues and relies on their cooperation and informed consent. You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com slash smashing to find out how. If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's k-o-l-i-d-e dot com slash smashing.
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week? Pick of the Week, Pick of the Week. Pick of the Week is the part of the show where everyone chooses to send their like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is slightly security related, because that is allowed under the rules of Pick of the Week. It doesn't have to be security related. Oh,
CAROLE. Gosh. Just because I did it last week,
GRAHAM. Honestly. I'm sure you've been following the Fat Bear Tournament, the competition... Hold on, hold on, Graham. I thought we had a strict no-tautology rule on this podcast. I'm throwing out really fancy grammar. Is it grammar terms? Oh, so you think saying fat bear... Saying fat bear, yeah, it's unnecessary. We don't... I mean, there is a, there is a Bear Week in Provincetown, Massachusetts, you know, close to where I live. And do you know what they mean by bears? I do. I married one. Is this, is this big cuddly men with a beard? Big cuddly hairy men. Yeah, yeah, yeah.
CAROLE. Go listen to Sticky Pickles last episode if you want to learn more about them.
GRAHAM. So it's an aesthetic that escapes me a little bit, but it's an aesthetic and gorgeous. Carole, thanks for saving the day. I am talking about real animals, that type of fat bear. That's what's kind of, the grizzlies.
CAROLE. Because it's because they're about to go into hibernation. So they're all eating tons right now.
GRAHAM. Well, look, you know, obviously the bears are gorging around. They're finding any food they can get hold of. The ranger's not going to like it, but if they steal a little, I used to watch TV a lot. I used to watch Yogi Bear and Boo Boo. I know all about bears at Jellystone Park. And so I know the antics which they get up to.
And apparently the rangers at Katmai National Park and Preserve, they have been holding for some years now Fat Bear Week, where they try and work out what the most popular bear is. And they've been running this online as well. You can vote if you want.
A few Sundays ago, there was a semi-final round between a roly-poly bear, which they've nicknamed Holly, codename 435. So they've all got numbers. And there's also an airplane-sized bear called 747. And you had to decide which was your favourite fat bear.
Now, you're wondering why am I mentioning this. Well, the reason it came to my attention is there has been some election fraud going on.
Oh, dear. There has. This is the word from Katmai National Park: they detected attempted election fraud in the poll between these two bears. They said that "we have discarded the fake votes". So apparently they were avalanched with emails, lots and lots of emails coming from several IP addresses, which were all voting for Bear 435, who did win, to her credit, in 2019, the Fat Bear Week Championship.
Yeah. But they said, no, no, no, a lot of these were actually fake votes. So someone has been trying to rig the Fat Bear competition. And I think that is a warning for all of us.
CAROLE. Is there a prize? Do you get to ride the bear? No, come on, come on, come on.
GRAHAM. Do you know what a bear is? You don't ride. Have you not seen that movie with Leonardo DiCaprio? You don't mess with a bear.
CAROLE. I have stayed in Canada on Vancouver Island, and the place I was at had a hot tub. And right beside the hot tub was this long bear stick. So if you're sitting there in the soup looking delicious, dumplings for a bear, you can try and poke it off with this stick. It's ridiculous.
GRAHAM. How did that work out for you? Is that how you met your husband?
CAROLE. Yes, I lampooned a great one. No poking in the hot tub.
GRAHAM. I think we've had enough of that. That's Chris's type of bear, I think. Anyway, they have now added a CAPTCHA to their systems to try and weed out fake votes. Capturing bears in the wild. Oh, God. Another one to cut out.
Anyway, I think, well done to that. I like the idea of them having this fat bear competition and raising awareness of the bears. It's a little bit of fun. But, you know, why on earth was someone trying to rig the vote? What is going on?
CAROLE. I wonder if any berry-men could go there during this week and just wander around the park and try and get captured, you know, and actually have men compared, you know, versus bears, isn't it?
GRAHAM. I'm sure there's a website for that, Carole. I'm sure. Rule 34.
GRAHAM. Why is someone throwing all this spam at bears as well? What's going on? It's very, very strange. Anyway, what's your pick of the week?
CHRIS. All right, my pick of the week is PimEyes.com. So some of you might know that I have an interest in OSINT, open source intelligence, which is basically using public sources to figure out stuff about companies, people, etc.
And on Twitter, I saw somebody posting a list of, hey, here are some cool new OSINT sources. And PimEyes was one of them.
And it's a reverse image search engine. So you can put in a picture. Instead of typing out a term like you do on regular Google, you put in a picture. And then it shows you other places where that picture is from or similar pictures and so on.
And PimEyes has a particular flavor of reverse image search, which includes face recognition. So you can put in somebody's picture and it'll find other pictures of the same person just through face recognition.
CAROLE. Oh, my goodness. Are they using Clearview AI to do this?
CHRIS. Carole, you're not wrong. Like, that's exactly the same kind of application, right? Same kind of technology.
And I actually tested that and I tried to get onto the Clearview platform and I couldn't get in. So that was actually reasonable protection. It's still concerning from a privacy perspective and so on, but at least it wasn't available to your average Joe.
Now, PimEyes, on the other hand, is available to the average Joe at a bargain basement price. So I wanted to try out the platform. It's $30 a month for the lowest tier.
There's also a free search, which means you only see other pictures, but you can't click through to the sources, and they're only the face with everything else pixeled out. So I gave it a test drive and it works surprisingly well.
You can add one, two or three pictures or more to improve the quality of the search. And then you get across the Internet all publicly available pictures of that person.
While you've been speaking, Carole, I have uploaded a picture, a face to it. I chose the face of someone called Carole Theriault.
So I've just uploaded her picture. And it has found a number of other pictures of Carole.
And what I thought, well, maybe they've worked out that that is Carole Theriault in the picture. Maybe they've done with. And so they then search for Carole Theriault.
But they've also found pictures of someone who looks very much like Carole Theriault.
CAROLE. My doppelganger?
GRAHAM. She does look equally sarcastic in this photograph. She does look very, very unimpressed.
It's quite extraordinary. I'll just put it in the show notes, Carole.
There you are. That looks like you. I've just Googled. I don't know if you can see that, but there you are.
Oh, it's coming. Oh, yeah. Oh, yeah. It doesn't look like Carole there. You can, you know, but.
I need to find her. I've also seen something which is tagged as a potentially explicit result.
I can tell PimEyes that most definitely is explicit. It's not potentially explicit. It's quite revolting. No, I'm not going to share that one.
Oh, my God. Anyway.
But yeah, it's extraordinary. Also, I looked at some sites where they found somebody's picture, and it did not have the person's name on it. So that shows me that they really do face recognition and don't just pivot over the name that they might find somewhere.
But it does also, and you've just proven this, Graham, it does also have quite a lot of false positives. So the further down you get in the search, the probability of this being the same person goes down.
And when you get towards the end, a lot of adult sites and a lot of et cetera, right?
CAROLE. Yeah, there's so many things that can go wrong with that technology. So for example, you might, as an employment screen, put somebody's LinkedIn picture in here, and you might find some false positives, right? Where you think, oh, this person had some other parts of their career that's not on LinkedIn.
Or you might find some revenge porn on different sites. That's become, unfortunately, very common now. And so just from a professional profile to going to false positives and real leaked nudes is very, very fast now.
But also, if you think about a stalker just out in the public, if they snap a picture of somebody, that means that they can now probably find their Facebook pretty quickly and identify who that person is. And then that could increase stalking.
On the flip side, you could also take a picture of a stalker and identify who they are. You could also think of Charlottesville, January 6th, all of these events where people were trying to figure out who somebody is online. And
CAROLE. often getting it wrong. And then vilifying
GRAHAM. people. Even with that website, there is no guarantee that they will get it right because they're false positives. So there is also a whole lot of...
CAROLE. And are they going to be held accountable if someone is misidentified and there is some kind of weird... And then you go to them and they'll go, hey, it wasn't us, we just scraped the web, we're just providing this service, it's nothing to do with us. I'm
GRAHAM. sure they have plenty of disclaimers, but
CAROLE. they're charging for that service. Yeah, yeah. Anyway, yeah, I feel issue about this. I think it's... I
GRAHAM. think, well, it's the kind of thing you only really want people maybe in law enforcement to use, and with an understanding as to the consequence. I'm now searching for a photo of myself, and I'm finding an alarming number of photos of me.
Thankfully, I... Any naked?
CAROLE. Well, not yet.
But... Because there is one that someone took under a toilet
GRAHAM. stall once. Oh, let's not talk...
CAROLE. Maybe you should load up that picture and see if it's online.
GRAHAM. Yeah, this is... Now Chris, I've seen that there is the option to opt out, but in order to opt out it says you have to upload a clear photograph of your face, which presumably they then are going to add to their database.
CAROLE. And not that you see it. Yeah, oh well, thanks for that pick of the week, buddy.
GRAHAM. Blimey, Carole, what's your pick of the week?
CAROLE. I have a spooky pick of the week in honor of our upcoming Halloween season. Now, before I get to that, have either of you ever seen the original Exorcist?
GRAHAM. No, from 1973. I'm not good with scary movies.
CAROLE. God, it is extremely scary, and it was directed by crazy director William Friedkin and written for the screen by William Peter Blatty, who actually also wrote the book. If you don't like scary movies, maybe you like scary books: The Exorcist, the 1971 book. I watched it when I was quite young.
Of course you did. And I had nightmares for weeks afterwards. The little girl that's fully under the control of evil forces haunted me. It was awful, but it stayed with me. It's considered, I think, one of the scariest movies I've ever seen.
GRAHAM. You've never been the same, have you? It scarred you.
CAROLE. Now, English film critic, acclaimed, Mark Kermode, has named The Exorcist his favorite film of all time. Now, my pick of the week is not The Exorcist, but Mark Kermode's 1998 documentary on the movie, which has been re-released on iPlayer in full. And it's called The Fear of God, 25 Years of The Exorcist.
What is iPlayer? iPlayer is kind of like Netflix, but for BBC programs.
GRAHAM. Is it available internationally? Do you know? There are ways of accessing it. I mean, obviously, who wouldn't know what they might be? There's this great German company called ProtonVPN that offers a VPN service that might be able to help with that.
CAROLE. Now, I just watched this documentary. All I can say is flipping heck. Like, A, it is a top, top, top documentary with jaw-dropping moments. Like, the amount of information that Kermode was able to get out of all the interviewees is gobsmacking.
And he manages to interview almost everyone who is either directing, writing, or acting in the film, including an actual priest who is based in New York. Now, I know you guys haven't seen the film, but there's a lot of words I've read and heard about how this movie was cursed, right? Which is great kind of PR for the film itself to think that. But after you watch this documentary, you sure as heck believe it.
Okay, a few things I will cover without ruining the documentary is that, of course, because this was filmed way back in, when was it? 73?
GRAHAM. 1970, yeah, about then, I think. 73.
CAROLE. Right? There's a lot of stunts. There's a lot of things that happen in the film, right? And they're obviously not digital. And you have the person explain how we decided to do the stunts. And he had to just create and rig up these insane contraptions to throw people around or, you know, to yank them or bounce them or topple them over.
And it's so disgusting how little care was given to the young, especially the young girl who's playing the main girl in it.
GRAHAM. I think I've seen a documentary about The Exorcist before. It may even be this one that I saw. It was quite some time ago. And the director was bonkers, wasn't he?
CAROLE. Yes. Yes, Friedkin comes across as extremely bronchised. Now, he's quite respected. He did The French Connection, a very, you know, big acclaimed film.
There was a lot of deaths on set during the production. Way, way, way, way, way, way, way, way too many to consider anything close that could normally happen in any kind of situation.
GRAHAM. Well, people died while they were making the movie.
CAROLE. Yes. And more than one. Like many more than one. And Kermode goes through them all and explains what happened as far as they know.
Yeah, Friedkin and the writer are both really intense and passionate people. And they come across as people that would stop at nothing to get what they wanted. And that's the problem is that everyone else paid the price. And he goes down in the Hall of Fame because now it's an acclaimed film.
Anyway, the documentary is just astounding. I love, love, love, love, loved it. So I would recommend that you try and watch The Exorcist first before you watch the documentary to get a better sense of everything if you can, but it is scary. But the documentary again is The Fear of God, 25 Years of The Exorcist, currently available on BBC iPlayer and maybe even available for sale in other places. But that is my spookiest pick of the week.
GRAHAM. Thank you very much, Carole. Now, you've been chatting to the folks at Akamai this week, haven't you?
CAROLE. Yeah, I spoke with Patrick. Great interview. We talk all about retail and bots and what you can do to stop them. Check it out.
Well, listeners, today we have Patrick Sullivan. He is CTO of security strategy at tech giant Akamai. Now, Patrick has nearly 30 years of tech experience under his belt and is also a bot expert. And he's going to help us understand how retailers, as they gear up for the holiday season, can better thwart the bot problem.
Patrick, first, welcome to Smashing Security. Delighted you're here.
PATRICK. Yeah, thank you for having me.
CAROLE. Fantastic. Now, honestly, I have never thought about bots in terms of the retail industry. It's because I've never worked in it, I guess. And I know that Akamai has done a lot of research on this last year.
But first, I thought maybe you could just define what a bot is. I mean, are they inherently bad? Just for us to all visualize it.
PATRICK. Yeah, that's a great question. So a bot is just a bit of automation that's performing a task on behalf of the bot operator. And the bots themselves, obviously, they're not benevolent or malevolent by nature. They really kind of take on the motivation of the operator, right? So it's really the humans that kind of define the motivation. And to your point, we see very benevolent bots that help us crawl the web to search out. And when we commit a search, it helps us find a relevant web page, right? I know on one of your shows, you mentioned people leveraging bots to thwart fraudsters coming to dating sites and that type of thing.
CAROLE. Yeah, that was a few weeks ago. Yeah.
PATRICK. Hilarious. And, you know, on the other end of the spectrum, you know, we see them leveraged pretty heavily for fraud. Unfortunately, they're part of the toolkit for fraudsters. And then between those two extremes, there's a whole kaleidoscope of, you know, shades of gray that are maybe not 100% good or 100% bad. It's a matter of perspective, somewhere in between.
CAROLE. Do we have any idea about how many bots are out there versus people? Is that even a question I can ask in terms of legit accounts?
PATRICK. It is. So we see, you know, on a daily basis, we're seeing about 40 billion requests from bots. So the good news is, you know, that's a staggering total, but that's still, you know, a minority of requests. Most interactions are still driven by human beings, you know, on their phones all day or, you know, on their laptop. But that is a massive volume for website operators to deal with.
CAROLE. Absolutely. Okay, so now we know how these things can be used. Maybe you can share some of the research findings that Akamai were able to sniff out in their research and just help us understand what retailers are facing in this space.
PATRICK. Yeah, absolutely. So, you know, a lot of areas when you're sort of deep into the domain, you know, there are people that live near the Arctic Circle that have dozens of names for snow to describe sort of the different consistencies. It's very similar with bots. We've got all kinds of different names for various types of bots. But maybe in retail, there's probably three big categories we could talk about. One would be scrapers that are coming through and pulling down all the information from the site. There's a category of bots that are really heavily focused on fraud. So there we see account takeover as an area of focus. And then maybe the one that's most visible to sort of the casual web user is what we would call inventory grabbing bots. And you're confronted with these bots when you try to purchase anything online where the inventory is limited, right? So if you're trying to buy concert tickets or a fancy pair of shoes or a handbag, or these days, even much more mundane things. In the physical world, when demand exceeds supply, you get a queue. In the online world, when that phenomenon of demand exceeding supply happens, you get bots and sort of an arms race to see who can consume that inventory most quickly.
CAROLE. So what would happen in that instance would be I'd be trying to get my hands on this ticket. The bot would beat me and get there first. And then what, try and resell them to me at a premium price perhaps, or I would be more motivated to pay more because there's no supply anymore?
PATRICK. Correct. So there are entire industries. There are people that operate these bots that go to work in an office every day. But if you think about sort of the arbitrage opportunity for sneakers, that's probably the most visible. There are really limited inventory, extremely popular sneakers. And if you're able to buy them from the retailer, you can instantly sell those on an exchange at a massive markup.
CAROLE. Right. So this annoys the retailers, of course, but it also annoys the consumer because they've got to shell out a lot more cash to get their kids that special Christmas present that they're looking for this year.
PATRICK. That's right. Yeah. So it does impact the consumer experience. And you're exactly right. The retailers care deeply about this. I mean, obviously, either way, they're making a sale at the full price, whether it's a bot or a consumer. But within the retailers, there are some of the brightest people in security focused on thwarting these bots and helping to ensure that a human being has the best shot possible of buying that. One of their legitimate, loyal consumers, that's who they want to be able to purchase these things. They really don't want to see this secondary market where their loyal customers have a bad experience. That's the worst thing possible for a retailer.
CAROLE. Yeah, of course. And brand reputation might be impacted there as well, of course. Okay, I think I've got the picture now. So this is Cybersecurity Month. We're still in October. And maybe we need to go down the route of what people can do to try and fix this. So should we start with retailers in terms of them and how they can help manage this?
PATRICK. Absolutely. So I think what we're confronting here is a very determined adversary, these bot operators that are very well resourced. I mean, we kind of touched on the profit motive. So there are very clever people building these bots. So to your point, if you're operating a website, there's a couple of steps that you need to do. I mean, first and foremost, you need to be able to detect, is this a human being or is this a bot on the other end? And there's a lot of technology that we've developed over the years here. Everything from looking at passive data to active detections of, is the physics of the way the keyboard is being used and the mouse, the way that the phone is being oriented, does that appear to be human as we model that, or does that appear to be automation? So there's a lot of work there in detection. And then the next step is categorizing. We've talked about all these different types of bots. Obviously, you want your Google bot that's searching the site to get right through to help your search rankings. The fraudsters, you want to deceive them, maybe send them a misleading message, but you could block them if you wish. And then the gray bots, we see things like airlines where every bot that comes in costs them a little bit of money because they have to go have a paid query to a reservation system. So maybe there you serve them some information that's slightly stale so you don't incur the cost, but the bot gets what they want as well. So you think about sort of that detection, categorization, and then have a menu of responses available to you.
CAROLE. So you actually use subterfuge, basically, with gray bots.
PATRICK. Yeah. And I think for the really malicious bots, you really want to confuse them. So a lot of what they're doing is they're testing credentials to see if they can take over somebody's account. So if you detect that it's a bot, even if they put in the correct credentials for one of your users, you don't want to tell them that we're blocking you. You would just say, these credentials don't work. You give them the exact same message that you would give them if the credentials were invalid to confuse them.
CAROLE. Yeah. So you're trying to waste their time a bit so they don't just create a new account and go attack in a different way.
PATRICK. Correct. And also, maybe you can drive up their costs. There are things that you can do that will cause them to burn more CPU and memory to drive up their cost and frustrate them further. Maybe they would go to another site that's less expensive for them. If they're operating these botnets at the scale of millions of requests and you're causing their compute costs to go up a bit, that may be the most damaging thing you can do to them because it gets to the economics of what they're trying to pull off.
CAROLE. And customers that are working with Akamai in order to detect these bots and to categorize them, to allow the good ones in and to thwart off the bad ones and to kind of obfuscate the gray ones so they run around chasing their tails. Are they seeing cost savings? Are they seeing streamlining? Because it's such a big deal. They're seeing huge advantages.
PATRICK. Yeah, I mean, obviously it starts with the user experience that you touched on. You want to make sure that your legitimate, loyal customers have the best possible experience online. That's vital for a retailer. But certainly, there are IT cost savings. If you're having to fight the bots, a human defender versus a manual bot, that's really expensive because it takes a lot of humans. So there are costs there. But for a busy period, if you're having a limited inventory launch or if it's the peak sales period around Cyber Monday, Christmas, which is coming, the last thing you want is a crush of humans and bots to bring your site down. So obviously, if you can pull these bots out of that demand cycle and it's not consuming resource within your data center or your cloud compute, that ensures uptime and good experience for your legitimate users.
CAROLE. And is there any way for retailers who are not sure they have a bot problem? Is it really clear when they have one, or can it be so sneaky that it can actually bypass them and they have no idea?
PATRICK. Yeah, that's a great question. We often see this phenomenon where a very clever bot operator can operate for a long period of time without being detected. And then often you'll get maybe more of a clumsy bot operator that comes in and they're extremely noisy and they're impacting the availability of the site. So we go in there and, you know, target the very noisy bot. But then once you have kind of the precision tools to look, you'll see under the covers, hey, there were several other operators that have been visiting your site and conducting bot activity below the noise floor for some period of time. And those are typically more sophisticated, more of a cause for concern than the really noisy bots that are out there. So that happens all the time, where it will be sort of below the radar.
CAROLE. And what about consumers? So, you know, a lot of people are going to be spending hundreds, if not thousands, on the new holiday if they've got the spare cash to buy gifts for their loved ones. How do they avoid getting into a tangle where they lose out on something that they really need or want to get?
PATRICK. You know, one of the things we touched on briefly was the fraud use of these bots, right? And we call that credential stuffing, where basically, you know, you have an engine that's these bots that somebody either rents or buys or they build themselves.
And then the fuel for that engine is credentials from breach sites. So everybody listening today has seen some site that they visited and established a login on get breached over the last eight, nine years.
Well, what happens is those credentials on those sites are resold, right? So there are researchers say there's about 25 billion credentials up for sale that you can go purchase.
And then that becomes the fuel for these bots where they just test those credentials to see if people have reused their credentials from one site to the next. So probably the primary thing that we could do as consumers is to use a unique password for every site.
That will really limit your exposure to somebody breaching one site that you visit and then attempting that same credential pair across every other site on the internet billions of times a day. And then to help facilitate that, a password manager could be helpful.
There are a number of things you can do there. Avail yourself of MFA if that's an option on the site.
All of those things make it more difficult. But if there's one takeaway, it would be, I know password hygiene is annoying, but unique passwords are probably the number one thing that we could do to thwart the mass scale automated credential stuffing that we see out there.
Carole. Yeah, fantastic. Is there anything else you'd like to add before we close, Patrick?
Unknown. No, I think that was, you know, the key piece. I mean, I would say, you know, it may be frustrating as a consumer, when you're impacted by these bots, when you're trying to purchase an inventory.
But I can assure you there are people working very hard at retailers to try to give, you know, humans their very best shot at purchasing these things. It's not a cynical effort on the part of the retailers.
They are working very hard to give humans their very best shot, you know, relative to these bots that are out there.
Carole. Amazing. Now, listeners, especially those of you in the retail space, I am sure you want to learn more about Akamai and their security research and their services.
And you can do this for free by visiting akamai.com forward slash smashing. That's akamai, A-K-A-M-A-I.com slash smashing.
And Patrick Sullivan, CTO of Security Strategy at Akamai. Thank you so much for sharing your insights with us.
Graham. Thank you. Great stuff.
And that just about wraps up the show for this week. Chris, I'm sure lots of our listeners would love to follow you online and find out what your company is up to.
What's the best way for folks to do that? So if you want to follow me personally, Chris underscore Kirsch on Twitter and runzero.com if you want to check out the cyber asset management solution.
We have a free version for companies under 256 assets. So check that out.
Thank you. Super duper.
And you can follow us on Twitter at Smash Insecurity, no G, Twitter at Mouse to have a G. And we also have a Smash Insecurity subreddit.
And don't forget to ensure you never miss another episode, follow Smash Insecurity in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Carole. And massive shout out to this episode's sponsors, Bitwarden, Akamai, and Kolide. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 293 episodes,
check out smashingsecurity.com.
Graham. Until next time. Cheerio.
Bye. Bye. Auf Wiedersehen.
Carole. Graham, you know how you were looking at that, what was it called, PimEyes or whatever it was? Yeah, yeah.
And you were looking at pictures of me and then you made a comment that there was something really naked and nudey. Can you just confirm it was not me?
Graham. Oh, yeah, it wasn't you, Carole. Well, I don't know.
I mean, it's a bit difficult to tell. Graham.
From that angle. Graham, it was categorically not me.
It categorically was not you. Yes.
I'm pretty sure. Yeah.
Thank you very much. Just to stress.
Just making underlining and bold. And neither was it me, because possibly it wasn't just one person involved.
-- TRANSCRIPT ENDS --