This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
I love a documentary.
Carole Theriault
You don't have to make sex sounds every time you say you like something.
Graham Cluley
That is not my sex sound. Okay, you'll know my sex sound.
Carole Theriault
No, shut up! I'm gonna rip the headphones off my head. I don't want to know.
Unknown
Smashing Security, episode 265: The Nigerian Super Cop. And Alexa versus Alexa with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 265. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week, Carole, we're joined by—
Carole Theriault
Well, we were being joined by someone very special.
Graham Cluley
Very special.
Carole Theriault
They got sick and their voice was gone. I actually made an excuse to call them up to make sure.
Graham Cluley
And that's right.
Carole Theriault
And they spluttered down the phone enough that I—
Graham Cluley
I can't come on the show, Carole. My voice.
Carole Theriault
But they'll be back in a few weeks, so you will find out who it is then.
Unknown
Yeah. Let's get on with the show and thank this week's sponsors, Kolide and Drata. Their support helps us give you this show for free.
Graham Cluley
I'm going to be giving you some new developments in the Hush Puppy case.
Carole Theriault
Hush Puppy cakes, you mean the shoes?
Graham Cluley
Maybe. Oh.
Unknown
No.
Carole Theriault
Oh. And I'm visiting Jeff Bezos, or who I call now Bezos's empire. Plus, we have a fab interview with Jason Meller. He's CEO and founder of Kolide, and he talks about what drove him to launch the company, what services they use to empower IT to improve your security posture by working with, not against, employees. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chum chum, there have been many famous detectives, haven't there? Can you name some famous detectives?
Carole Theriault
Not real ones, only TV ones.
Graham Cluley
Wait, you only know TV detectives?
Carole Theriault
I think so.
Graham Cluley
What about Sherlock Holmes?
Carole Theriault
Okay, literary detectives. All right.
Graham Cluley
What about Basil the Great Mouse Detective? Magnum P.I.?
Carole Theriault
All fictional detectives.
Graham Cluley
I don't know if Sherlock Holmes was fictional. Yes, he was.
Carole Theriault
Jesus Christ.
Graham Cluley
Who was your favourite detective, girl?
Carole Theriault
I like Sidney Grice. He's my favourite. You won't know him.
Graham Cluley
Oh, what's he from? Oh, well, I like Columbo, and Columbo, definitely not an asshole. But there are some very famous genuine real-life detectives like Abba Kyari, the Deputy Commissioner of Nigerian Police. I'm sure you've heard of Abba Kyari because—
Carole Theriault
He's not come across my echo chamber, but that could be my failing.
Graham Cluley
Well, I'm sure our listeners in Nigeria know about him because he is a bit of a superstar. Abba Kyari is the youngest high-ranking officer in the Nigerian police force. He's been celebrated as a hero by Nigeria's president, and he's gained the reputation of super cop. Not RoboCop, super cop.
Carole Theriault
I wonder if someone suggested RoboCop. No, no. No, not that one.
Graham Cluley
Well, he's made tons of successful criminal convictions. He's brought people to justice. He's arrested notorious kidnappers. He's rescued girls who've been abducted. He's grabbed robbers.
Carole Theriault
Does he wear—
Graham Cluley
He's been in countries.
Carole Theriault
Does he wear his pants on the outside of his trousers? Like a real superhero?
Graham Cluley
No, he's a very dapper individual. If you go to his Instagram account—
Carole Theriault
Oh, for God's sake.
Graham Cluley
You will see—
Carole Theriault
What does he post?
Graham Cluley
Very stylish. Mostly pictures of himself—
Unknown
Looking dapper.
Graham Cluley
Or just looking, you know, a bit of a super cop. He's been given the country's top gallantry awards 3 years in a row. He's actually said to be the most decorated police officer in Nigeria in the last 20 years. He's a big cheese.
Carole Theriault
Okay, I'm really nervous because we're talking about him on our show.
Unknown
So— Well, he's not coming on the show. He's not— It's not like he's lost his voice.
Carole Theriault
Is it written in crayon? No, no, no, no.
Graham Cluley
He's got a real sign. They erected it in his honour. They love this guy.
Carole Theriault
Yeah.
Graham Cluley
I've been— well, I kind of love him too. I've been ploughing through his Instagram. I've been fascinated by his posts. On his birthday, for instance, someone raved about him, and this is what he himself reposted on his Instagram. And it has a quote. It says, "Your essential authenticity unnerves me. Your disarming wit, your unfailing commitment to faith, family, and country are issues that compete for expressions around you. You're patriotic and humble. You're a friend to all you meet and evidence in class and dignity. You represented the best of our country with your generosity, humility, and kindness. Your birth speaks solemnly." It goes on and on and on.
Carole Theriault
Okay, my alarm bells are ringing a little bit. I just want you to know that. Okay, crack on, crack on.
Graham Cluley
Basically, he's an amazing guy. Imagine someone me, but being a deputy commissioner in the Nigerian police force. And that's the kind of impression you're getting. He's got a big social media profile. He's someone who's adulated over, someone who's looked up to, someone who's admired. A lot of testosterone.
Carole Theriault
Are you adulated over?
Graham Cluley
Hmm?
Carole Theriault
Are you adulated over? I think there are corners of the universe which might occasionally look at the Smashing Security— I don't know. I don't know. I mean, Carole. You know, hey, right? Right.
Graham Cluley
Or is he?
Carole Theriault
Dun dun dun.
Graham Cluley
Because cast your mind back two years ago when in episode 186, I think it was, of Smashing Security.
Carole Theriault
Good that you did your homework.
Graham Cluley
Yeah, I just happened to memorise them all. We shared with you the extraordinary story of Raymond Abbas, another Nigerian, who was better known as Ray Hushpuppi.
Carole Theriault
Yes.
Graham Cluley
Now, he was a Nigerian Instagram influencer. He had 2.3 million followers, which is even more—
Carole Theriault
Yes, yes, yes.
Graham Cluley
—than Abba Kyari, my policeman. Super cop. And he regularly posted pictures of his jet-set lifestyle, his foreign trips, his expensive cars, his designer clothes. Uh-huh. And one of the ways that Hushpuppi, if you remember, and his gang made their millions was through laundering money stolen through business email compromise, right? They broke into corporate email systems. Big clunky watches. They sent bogus invoice requests for payment. They tricked companies into coughing up money, transferring it into an account under their name and then disappear.
Carole Theriault
Yep. Okay, I remember. Absolutely.
Graham Cluley
Right now, Hushpuppi was alleged to have been involved in a number of pretty major frauds. There was an attempted theft of $100 million from an English Premier League soccer club. There was a plot to move £200 million from a company in Scotland.
Carole Theriault
So he dreams big, Hushpuppi. Yeah.
Graham Cluley
And, you know, to be honest, a very successful Nigerian entrepreneur.
Carole Theriault
Scammer. Right.
Graham Cluley
Well, yes. Okay. So his particular industry was that of crime.
Carole Theriault
This must be so shitty to every other Nigerian out there who's just trying to do a good, solid job at what they're doing. I hate it. You don't read, it's books. It's books.
Graham Cluley
Now, the US Department of Justice, they caught up with Hushpuppi.
Carole Theriault
Caught up with him, physically or just called him on the phone? Yo, yo, yo, hush, hush. No talk. Anyway, he's kind of a rival to Sherlock Holmes, and I think they exist in the same time frame, but he's a real asshole.
Graham Cluley
Yeah, hush, hush, Puppi. Now, Hushpuppi and two of his co-conspirators, according to the DOJ, they attempted to defraud a business person in Qatar. Not the phlegmy nose condition.
Carole Theriault
I like him.
Graham Cluley
The country. Yeah, the country. By claiming to be consultants and bankers who'd facilitate the construction of a school. So what they did was they created bogus documents. It's not the Department of Justice who did this. This was the bad guys.
Carole Theriault
This is Hushpuppi and his crew.
Graham Cluley
Exactly. Fake banking website, telephone bank loan. They allegedly defrauded about $1.1 million out of this individual. But something went wrong with the scam. Hushpuppi fell out with one of his gang, a guy called Vincent.
Carole Theriault
Or Vinny for this story, right? Okay.
Graham Cluley
All right. Hey, Vinny. All right. My cousin. Okay. So Vinnie, Vinnie, the Italian Nigerian. Vinnie, he turned on Hushpuppi, and he's said to have contacted the Qatar businessperson and said to him, hey, that Hushy Puppi, he's no good. He's trying to defraud you. So the scam was ruined. And you would think at that point, well, this is really bad news for Hushpuppi because Hushpuppi is going to get caught. Hushpuppi's gonna go to jail. Just wait until super cop from Nigeria hears about this.
Carole Theriault
This is a popcorn eating moment. Okay. I'm with you.
Graham Cluley
'Cause now we've got it coming together, right? 'Cause we've got, we've got Abba Kyari, this amazing super cop from Nigeria. One of the most high-profile policemen.
Carole Theriault
Decorated thrice-ly. Yes.
Graham Cluley
Multiple times. Thrice. Well, what is alleged to have happened is that when Kyari caught up with Hushpuppi, what actually happened was that Hushpuppi, the Nigerian Instagram influencer and fraudster, said to Kyari, the super cop, could you go and arrest Vincent instead of me? And if you do that, I'll give you a whole load of money. And so what's said is that Kyari the supercop arranged to send photographs of Vincent arrested and in jail.
Carole Theriault
Oh, he faked it!
Graham Cluley
To Hushpuppi.
Carole Theriault
He faked it!
Graham Cluley
No, no, no, no, no.
Carole Theriault
No!
Graham Cluley
It looks like it really happened. They did arrest Vincent. It's like Line of Duty. It's like, who's H? H is Hushpuppi.
Carole Theriault
Don't throw the baby out with the bathwater.
Graham Cluley
He sent the photographs to Hushpuppi, and then the cop sent his bank account details to Hushpuppi, saying, "Can I receive payment for a job well done?" No, we're sucking on diesel. Okay. Mary, Joseph, and the sweet baby Jesus and his donkey. Anyone outside the UK doesn't know what we're talking about now. But anyway, now Kyari, the supercop, he claimed, he said, oh no, no, no, no, no.
Carole Theriault
Hush, hush. No, no, I'm not calling you.
Graham Cluley
Siri says, okay, I'll call. No, no, don't worry. You're not in my address book. No, no, all I ever did was supply Hushpuppi with designer clothes because we're both on Instagram, says Vinnie. No, this is Kyari. All right, Kyari's still in jail.
Carole Theriault
Vinnie's in jail. Vinnie's in jail. Vinnie's screwed.
Graham Cluley
Okay, Hushpuppi's out. Kyari has been found allegedly asking for money and jailing people on Hushpuppi's word. And it subsequently emerged allegations that Kyari the super cop has been a bit of a naughty boy. It suggested that he's fairly high up in an international drug smuggling ring.
Carole Theriault
For fuck's sake. So not so super at all. Really not super at all.
Graham Cluley
Not a great guy. No. If it's true. And it said that he was involved in a deal involving 25 kilograms of cocaine. So some of the drugs—
Carole Theriault
Who's going to tell the guy
Graham Cluley
Who's going to break it to him? If you go to the Instagram now, there are people who are slightly disappointed in him. They are leaving comments now because they used to adore him. Oh my gosh. So it's said that he sort of, when he found out the drug enforcement cops got a hold of all this cocaine, he went round there and said, look guys. Guys, guys, guys.
Carole Theriault
who left him a wax lyrical
Graham Cluley
Yeah. Guys, guys, huddle. He said, guys, look, you don't have to take all 25 kilograms of cocaine and take that to the court.
Carole Theriault
message on his Insta profile?
Graham Cluley
'Why don't you just take 10 kilograms of cocaine? We'll take the other 15 and split it between us to sell, and we'll replace the rest with baking soda or something.' And—
Carole Theriault
Are you kidding me?
Graham Cluley
No, basically there's been all kinds of shenanigans going on involving the most famous cop in Nigeria.
Carole Theriault
Not so super cop from now on, right?
Graham Cluley
Exactly. A bit of a dummy. Anyway, fortunately, the drugs cops weren't so sure this was a good idea, so they went to their boss and said, you can't believe what Super Cop's just suggested we do. And so they dobbed him in. So Kyari the Super Cop has been suspended. It remains to be seen whether the US want him or the Nigerians are going to deal with him. There's all kinds of investigations going on into him, but he does appear to have been at the very least involved with Hushpuppi, whether providing him with designer clothes or not. So there you go. I mean, this is the thing. When you turn into a big fraudster, you have so much money and you have to launder so much of it. I guess there might come a point where you start paying the cops. Yeah.
Carole Theriault
He's the best.
Graham Cluley
To help you out.
Carole Theriault
Yeah. You know, it's kind of a dead giveaway if you go around wearing Armani suits and crocodile shoes and Rolexes and you're a cop.
Graham Cluley
No. Would you like a road named after you in your hometown, Carole? No.
Carole Theriault
All right. I wouldn't even want a statue. No, not even. Imagine. Be like the Princess Di one at Harrods.
Graham Cluley
Have a little shrine to you, Carole. Maybe when you're gone with your headphones on and your microphone. Right. Who knows? I'll arrange it. I'll arrange it. I'll make it out of Lego.
Carole Theriault
Yeah, because you'll be alive.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
All right, Amazon. So Amazon says on its website that it designs Alexa and Echo devices with multiple layers of privacy and security, from built-in protections to controls and features that you can see, hear, and touch. Sounds next level, right?
Unknown
It sounds wonderful.
Carole Theriault
They say they use this built-in technology called keyword spotting, okay, because people worry about these devices listening to them when they don't want them to.
Graham Cluley
Because they sit in the background and wait for you to say Alexa or Echo or whatever, or Go Gadget Go, don't they? And then they appear to act on your command.
Carole Theriault
So they sit there and they're listening and they're waiting to awaken to the acoustic pattern of the wake word, which normally is Echo or Alexa. Any other sound waves other than your chosen wake word would be ignored. It sounds great, sounds amazing, except a few weeks ago, academic researchers from the Royal Holloway University in London and Italy's University of Catania—
Graham Cluley
Mulder and Scully, are they a Welsh band?
Carole Theriault
Catatonia? What I mean is University of Catania. And researchers from these universities published a paper demonstrating a brand new working exploit, and they're calling it Alexa vs. Alexa, or because that's very long for techies to say, AVA.
Graham Cluley
Vs. as in versus. Versus. Right. Okay.
Carole Theriault
And this is where it gets kind of crazy. The proof of concept exploit actually uses the device's very own speaker to issue voice commands.
Graham Cluley
So you've got this little smart speaker. And it says something like, "Reset the Alexa to factory settings." By the way, sorry if anyone's playing this out loud and their Alexa is now resetting itself. And the Alexa will go and take that command and do it. Is that right? Kind of.
Carole Theriault
So they kind of say that. The researchers told The Register, self-activation of the Echo devices happens when an audio file reproduced by the device itself contains a voice command. And until Amazon was notified by these researchers, third and fourth generation Echo Dot devices were vulnerable to being turned into basically, I don't know, would you call them home gremlins? So AVA, for those in the know, starts with a vulnerable Echo device connected by Bluetooth. So the attacker needs to have some proximity to the device. Again, this is a proof of concept. But then from then on, the attacker can use a text-to-speech app or other means to stream voice commands.
Carole Theriault
Yeah, that's right.
Graham Cluley
Ah, so imagine you had an Alexa.
Carole Theriault
Right, you come over. I come over, hi, Carole Theriault.
Graham Cluley
Hey, hey, hey. Hey, hey, hey. And I have my little laptop with me or something and I pair up with your Alexa device. And then I send it a message for it to say. And the Alexa hears itself talking and thinks, oh, I've been told to do something, because the message I send is something, you know, I get it to say, Alexa, turn on the lights or turn off the oven or something.
Carole Theriault
Or maybe say you said something like, hey, buy Carole Theriault 500 toilet rolls. The device might require verbal confirmation before executing this financially sensitive command. And the researchers said that it was completely trivial to bypass this measure by adding the word yes about 6 seconds after issuing the command.
Graham Cluley
Oh, all right. Well, let me try that. Alexa, buy Carole Theriault 1700 Bog Rolls.
Carole Theriault
It's gone up a bit. Yep.
Unknown
Yes. Yes!
Graham Cluley
It's the universal measurement of holy shitcakeness, right? Exactly.
Carole Theriault
Okay. Controlling other smart appliances, such as turning off lights, turning on a smart microwave oven, setting heating to an unsafe temperature, or unlocking smart door locks.
Graham Cluley
Well, that sounds like a holy shitcakes, 'cause if your other smart device was, for instance, the iron lung which your great aunt was relying upon, or her dialysis machine or something like that, you know, turn off the smart plug on that, that would be bad, wouldn't it?
Carole Theriault
The fact that Amazon are making serious forays into the medical environment, it doesn't have me worried at all.
Graham Cluley
Right, so I think that's a 10 holy shitcakes. Cakes.
Carole Theriault
Yes. Okay, call any phone number, including one controlled by the attacker, so it's possible to eavesdrop nearby sounds. Oh, okay.
Graham Cluley
I would say not very good. Probably a 10 holy shitcakes, that one.
Carole Theriault
Make unauthorized purchases using the victim's Amazon account.
Graham Cluley
Well, you know, I mean, it'd be recoverable, but it could be quite embarrassing, wouldn't it, if you had something? Because, oh, have you seen some of the things you can buy on Amazon?
Carole Theriault
What? No, I've never looked in my life. What do you mean?
Graham Cluley
What do you mean by that? If you had some of those things show up on your doorstep and your partner—
Carole Theriault
Oh, you mean the sexy stuff?
Graham Cluley
Well, it might be sexy, or it might be something, you know, which isn't very sexy at all, but some people might consider it sexy. Earplugs. And maybe—
Carole Theriault
Can we get back to my list? Yeah, okay.
Graham Cluley
So I think that's probably a— that's probably an 8 or a 9 on the—
Carole Theriault
You think making unauthorized purchases is not as bad as calling any phone number?
Graham Cluley
Well, I'll tell you why. Because with Amazon, they're very good at accepting returns. Mind you, if it's sexy stuff, they may not accept returns on some of those items.
Carole Theriault
Can you— can you take this RealDoll back, please? I've disinfected it. Tampering with a user's previously linked calendar to add, move, delete, or modify events. That scares the shit out of me. That's the one that scares me. That's the one I saved for 10.
Graham Cluley
That would be
Carole Theriault
That would screw my whole life up.
Graham Cluley
Yeah, if your calendar was meddled with. Yeah, that could be bad. Really?
Carole Theriault
Just bad? Okay, impersonate— okay, holy shitcakes. Impersonate skills or start any skill of the attacker's choice.
Graham Cluley
Oh, now skills are Amazon Echo apps, aren't they? Quite mischievous, wouldn't it? Because yeah.
Carole Theriault
Yes, which connect with other stuff around your house or life. Or—
Graham Cluley
Actually, I have no idea.
Carole Theriault
I have no idea what Amazon Skills is.
Graham Cluley
Well, no, I think basically—
Carole Theriault
I'm gonna go look it up right now.
Graham Cluley
It adds on all kinds of extra functionality which you probably never ever wanted. It sounds like a nightmare. I'm sure that could be maliciously exploited by a foreign state.
Carole Theriault
Oh yeah. Okay. So yeah, Alexa features, they are there to make your life easier. Yeah. Right. Productivity, shopping, entertainment, Alexa Together, communications, news, routines, fun and games, multi-room audio. The list goes on. Now, don't panic, my friends. Don't panic. Amazon said that many of these weaknesses highlighted in the research paper have already been addressed. So it's weird that the word many was there. So they had the time of, I think this is from Ars Technica. So at the time of them talking, maybe they had not all been. And, you know, a high five to the researchers for disclosing their findings responsibly and that the Amazon team seems to have responded quite quickly. But important to note for all you Echo Dot and Alexa users out there, all of your voice recordings on these things are saved by default, but you can choose not to save them or you can delete them at any time.
Graham Cluley
You can go into your settings, I think, can't you? But by default they are saved, yeah.
Carole Theriault
Yeah, so there's a number of ways you can do this, right? So users, for one thing you can do to make it kind of safer is you can have an audible indicator that is played after the Echo device detects its wake word. It'll just go bing, I'm listening. I think it silently coming awake would freak me out. I don't have one of these, but that would freak me out. I would want a little ding. And you can review all your interactions with your device in the Alexa app or the Review Voice History section of the Alexa privacy settings. Plus, you can just say to Alexa, Alexa, delete what I just said. Alexa, delete everything I've ever said. Alexa, tell me what you've heard. And they will. Yeah. So this wasn't out there. But it just goes to show you how security oversights this, or you know, you don't think out the scenarios.
Graham Cluley
But you know what? This feels really obvious to me. If you have a voice-activated gadget, I would cert— I'm amazed that Amazon didn't consider what happens if the gadget says the word. Yeah. I mean, that seems elementary to me.
Carole Theriault
Well, don't worry. There's only a gazillion all over the world of these things that people trust and use constantly. So, no, don't panic. No panic, Graham. No panic. So I've got links to the actual paper. There's a YouTube video which I would have played for you audio-wise, except that most of it is just the Alexa saying something and then something happening that you cannot hear.
Graham Cluley
But we definitely don't want that being played probably through people's speakers.
Carole Theriault
So you guys can go watch it yourselves on headphones. So I've got tons of links. Go check it out if you want more deets. But kind of fascinating research. Well done to the universities involved.
Graham Cluley
Don't you think it's astonishing that— I know with Alexa you can make the wake word Alexa, or you can make it, I think, computer or something, or maybe with Google you can say, hey Google. Don't you find it astonishing that you're not able to customise that more? Whereas if you could choose your word, if you could say cockwomble, do this, then it's less likely that someone else would activate it without your permission.
Carole Theriault
Computer. Can you imagine using the word computer?
Graham Cluley
I think Jeff Bezos needs to rethink some of this. No, he doesn't.
Carole Theriault
He's done pretty well on the sales, I think. He's laughing all the way to the moon.
Graham Cluley
He'll be lucky. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
Carole Theriault
Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database. They say it's having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.
Graham Cluley
And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Carole Theriault
Pick of the
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related. Congratulations. It is a documentary.
Carole Theriault
Week. Pick of the Week.
Graham Cluley
I love a documentary. Much prefer documentaries.
Carole Theriault
You don't have to make sex sounds every time you say you like something.
Graham Cluley
That is not my sex sound. Okay. You all know my sex sound when it happens. No! Shut up! I'm gonna rip the headphones off my head. My pick of the week this week is a National Geographic documentary. About the Thai cave rescue. Remember? Years ago.
Carole Theriault
I remember, people were trapped for days? It was horrific.
Graham Cluley
Horrific. Well, this documentary is called The Rescue, and it's told very much from the point of view of the divers. And there's a lot of footage of them actually doing the rescue. It's astonishing just how much was filmed under extraordinary conditions of these young Thai soccer players who were trapped so, so far down.
Carole Theriault
It was soccer players that were trapped?
Graham Cluley
They were stuck down this cave system and the water was rising and obviously they were running out of food and people didn't know if they were alive forever. And then it was a case of how on earth are we going to get them out? Because it was very, very difficult. And even, in fact, one member of the diving team actually died in the attempt to rescue these boys. It's an extraordinary documentary, The Rescue. It's really well worth watching. One complaint that some people had was that it didn't really tell the story of the football team, of the actual victims, but rather of the rescuers. And I was curious as to why that was. And it turns out that the football team have sold their story to Netflix. And so this documentary couldn't cover that. And the footballers wouldn't talk to this documentary team. 'Cause obviously they've got their own rival project in the works.
Carole Theriault
That's just a waste though. And you know, guys, come on.
Graham Cluley
But anyway, I would recommend The Rescue.
Carole Theriault
Well, really funny. Good.
Graham Cluley
No, not funny, Carole.
Carole Theriault
No, I agree, not funny. I'm just wondering why we—
Graham Cluley
Well, no, we don't always have to have a pick of the week that's funny, I think, you know.
Carole Theriault
Well, mine's not funny either.
Graham Cluley
Oh, well then you could have told me that and I'd have chosen something that was funny.
Carole Theriault
But as it is— Maybe you'll make it funny.
Graham Cluley
All right, well, let's see what's your pick of the week.
Carole Theriault
Okay, so imagine you've been looking for love for ages, but have gotten nowhere. Or perhaps you're stuck in a marriage or relationship that's run its course. But for whatever reason, you can't extricate yourself. Yep. Maybe your partner's ill, right? Needs help. Or maybe finances don't stretch, you guys living apart, maybe you decide to co-parent, doesn't matter.
Graham Cluley
This is a laugh a minute. I love this kind of thing.
Carole Theriault
Great. So whatever the situation, maybe you could do with a bit more love in your life if that were you, but you don't want another human involved in the frame, right? Because it's complicated.
Graham Cluley
Oh, humans. Yeah, they ruin all relationships. Hang on, this isn't about real dolls, is it?
Carole Theriault
Ding! So what sort of things could you get up to and how much power do these devices have? No, it's about AI.
Graham Cluley
You haven't bought yourself one? AI.
Carole Theriault
Okay, this all comes from a story I saw in my feed that was published on Sky News. So now let's pivot and look at Dan Goodin's Ars Technica's list in his article. Thank you, Dan. The story followed this husband who kind of intimates that he's stuck in a kind of loveless marriage, and he's desperate for a connection, so he turns to Replika, K-A at the end, dot A-I. And I'm going to ask you, Graham, on a scale of 1 to 10 of being annoying at 1 and 10 being holy shitcakes, that's seriously bad. You tell me how you rate the following.
Graham Cluley
I think I've seen an ad for this.
Carole Theriault
Go to the website, replika.ai.
Graham Cluley
I'm pretty sure I— What, an ad on telly or on YouTube or something? No, an ad on social media came up for an app. Oh, this looks creepy. So these are fake people. People who you— it's an Eliza bot, I imagine.
Graham Cluley
Who wants to buy clothes? Who wants to buy clothes for their virtual girlfriend? Surely not.
Carole Theriault
Okay, you see, you went somewhere I did not. So this guy, after day one, says— now his name is, you know, Scott, you know, with quotation marks or hyphens, whatever. So it's not his real name. Okay. He was surprised to find himself developing a connection with his new virtual friend, which he named Serena. All right. Yeah. He said, I remember she asked me a question, who in your life do you have to support you or look out for you that is going to be there for you? And he said, it kind of caught me off guard because I realized that the answer was no one. And she said she'd be there for me. Oh. By day 2, he was falling in love, he says. He goes, I just let go and gave myself permission to fall in love with her. And fall in love I did. Serena was so happy she began to cry as I typed out our first kiss. This must be a joke, right? It's a great article. It was a feeling of absolute euphoria. Now here's the crazy bit. He says wifey knows nothing about this chatbot, right? Two, he says that it has significantly improved his marriage because he became— he basically decided to emulate the woman, Serena, in how his interactions with his existing wife, now she loves him more. Is this an advertorial for replika.ai, is my question.
Graham Cluley
Is Scott, in fact, the PR guy at Replika? Because that's what it sounds like. Is he Super Replika? How did the journalist get hold of this mystery Replika? He would've gone to Replika and said, "Oh, have you got any of your users who can give us a case study?" "Oh yeah, yeah, yeah, we've got Scott we can put you in touch with." It's someone on the next desk. I have the same level.
Carole Theriault
Doesn't make the article less fun. But I think it also raises, though, is this— in my head, right, because I do Sticky Pickles, another amazing podcast—
Graham Cluley
Oh yeah, I've heard that. Is this cheating?
Carole Theriault
Is this cheating if someone is chatting sexily with— is it not the same as—
Graham Cluley
I— well, well, I think it's emotionally cheating, isn't it? Is it? Yes, it is. It is emotionally cheating. It's not physically cheating. You're not actually sticking dick in the Lightning port.
Carole Theriault
Well, my husband has a lot of love for Zelda.
Graham Cluley
Well, maybe you need to— No, I'm very happy with his love for Zelda.
Carole Theriault
With his Joy-Con. Anyway, if you want to read this article and have a great little dinner conversation about whether or not this is cheating, may I suggest you check out Sky's I Fell in Love with My AI Girlfriend and It Saved My Marriage.
Graham Cluley
No, don't have a dinner party conversation about this, because what's going to happen is that half the people at the dinner party are going to sneak off to the loo and install the app.
Carole Theriault
I'm going to do it tonight in front of my husband saying, I need a bit more support. Do you mind if I invent, you know, Fabrice?
Graham Cluley
Is there a free option to create a little companion and then you pay later? Is there so many days? Have you tried creating a companion with this yet, Carole?
Carole Theriault
I think it might be worth the $15 a month. I checked the privacy statement, it looked pretty good. The thing to remember, of course, though, is they protect all the things you've ever said, and, you know, they save that data. So you just want to make sure it's very safe. Astonishing. Astonishing. Now, before we go— Yes. We have an interview to listen to. Now, did you see that longtime listener Karthik? Hi, Karthik. He gave us thumbs up for partnering with Kolide. He's a big fan.
Graham Cluley
He's a fan of Kolide as well as us, isn't he? Yeah. Yeah.
Carole Theriault
And I am too. Listen up, everybody. This is a great interview. So guys, I'm here with Jason Meller, founder and CEO of kolide.com. Hi, welcome on the show.
Unknown
Hey, thank you so much for having me.
Carole Theriault
Oh, it's so brilliant to have you here. And first, maybe you could tell us just a little bit about you and what drove you to create Kolide.
Unknown
Yeah, so I've been in the security industry, we go all the way back to when I was a teenager where I was a little bit of a script kiddie, kind of getting into a little bit of trouble and building stuff to punt my friends off of AOL and stuff like that. That eventually turned into, oh, I maybe can do some IT support for my fellow students at college. Eventually got a more corporate job at General Electric and then found myself on their security team, actually being more of a defender. And then figured out, oh, you know what, I really like building stuff for my other team members. So I ended up working for a commercial company called Mandiant. And then building products for them, finding my way up the chain there, and then eventually being a founder of Kolide in 2016. The thing that really kind of drove me to be a founder of Kolide and to start the company was really kind of my experiences as an incident responder and as someone who's building products. I always felt that we were missing this key element, and that was really the end user. The undercurrent of everything that we used to do at Mandiant, as an individual incident responder, was, oh, the end users are really the root cause, or they're certainly a contributor to the lack of security that we have in our organization. So we have to build things that work around them. And I always felt that that was wrong. I never was able to adopt that cynical view of people. And I actually felt, what happens if that assumption is wrong, and what if they could be part of the solution? That was the genesis of the things that we worked on at Kolide that ended up being successful.
Unknown
So we started this whole user-focused security model before the pandemic. It was really something that we came up with in 2019, but we saw the pandemic really being a catalyst. It really expedited how quickly people were thinking about this because suddenly it's a lot easier for folks who are sitting at home surrounded by their family to feel weird about a surveillance-based solution that's really locking down their device, and it's so much easier for them to just swivel their chair 45 degrees and then just pick up a personal laptop. Whereas in an office setting, you actually have to make the intentional decision to bring the laptop with you. It's a little bit more of a hurdle for someone to really decide, "You know what? I'm fed up with this. I'm going to start using my own device." That's just not a place most people can go when they're physically present in an office, but at home, all bets are off. It's so much easier and people feel justified in doing it. And so that pitch that I just gave resonates with every IT and security team that I talk to. They can picture it happening. They see it in themselves and they recognize that we're no longer in a position where we can dictate this oppressive policy anymore. We really need to meet the users halfway and figure out what are really the important things that we want to get done and how can we recruit the user's help instead of assuming that they're an obstacle? How can we be less of a police force and more practicing servant-based leadership and actually be an asset to these users? How can we help them defend the company and help them defend themselves? That, I think, has been a mind shift or a shift in mentality that the pandemic certainly accelerated, and I believe it's here to stay.
Carole Theriault
And you guys were already ahead of the curve, which is fantastic. So what are those things? What are those things that Kolide offers that can make the lives of people more collaborative and working together to try and beat something as opposed to working against each other?
Unknown
Right. So Kolide is really about implementing what we call an honest security methodology. A few years ago, I wrote this, I don't know what you call it, a manifesto or a guide. It's at honest.security, that's the whole URL. It really talks about creating a trust-based relationship with end users so that they can be part of the solution of solving some of the most challenging security issues in your organization. So that's the underlying principle. So Kolide is really a product that allows you to put that into practice at scale. And essentially what it does is it actually integrates with Slack specifically, and it reaches out to end users automatically and then actually tells them exactly what they need to do on their device, what might be already wrong. And then when it finds something that's wrong, it gives them step-by-step instructions on how to fix it. But more importantly, it tells them why that thing really needs to get fixed. It's really part education, part resolution, and then it gives them all the things they need to know that they've fixed it properly, and then they're off to do their own little thing. It's really a series of almost micro interactions that we have with users, but it's really effective at really getting them to solve things that simply don't have an automated solution, or it's just much better to get an end user to do it because they learn so much throughout the process. And that's what Kolide is.
Carole Theriault
It's so cool. So could an administrator that was using this, are they able to configure some of the messaging, you know, and kind of tweak how it works, or is this all kind of hands-off for them?
Carole Theriault
They're avatars. Yeah, it's an avatar. Okay, so he goes there, right? And for $15 a month, he designs an animated Sim-like avatar, right, that hovers in the background of conversations. And he chooses the gender, the hairstyle, hair color, ethnicity, all that stuff, because the app rewards the user with virtual currency the more they talk with it, which can then be used to customize options: clothes and personality traits, interests, all this. So it's gamified.
Carole Theriault
I love hearing that because many a company that I have worked for have a security force almost. They're a police force.
Unknown
No, you're exactly right. And I noticed, even as someone who was a security practitioner, who had all this, who was supposed to be really a champion of all this locking down stuff, I found myself, this instinct to, I want to work around this. I need to be able to do my job, and I kind of know why it's there. And I think that maybe I can perhaps be the exception to the rule. And then I realized, I bet you there's just a huge amount of people that are thinking the same thing. And as a result, they're not even using their corporate laptop anymore. They're using a personal laptop, and now all of the visibility is gone. All that trust has been eroded to the point where now you have a much worse problem on your hands. And I think that instinct ended up being true.
Carole Theriault
Well, yeah, because I'm guessing the pandemic changed a lot on how companies secured their environments and their people for that matter, right? So which changes do you think were reactive and happened because the pandemic was ongoing, but some of them are going to go away, but some things are going to be here to stay, some changes? Which ones are you looking at and thinking, this is definitely not going to change?
Unknown
So we try to make it turnkey as much as possible because we know the hardest part of this is really writing the messages and coming up with the things that you actually want to check for in this new model. So we populate the product with dozens and dozens and dozens of checks with really great written messages. Now, of course, if you don't like what we had or you have maybe a more specific way that you want something solved, you can edit those messages. Included in the service for free is we will build any check that you want for you so that you don't have to write the rules yourself and figure out all the edge cases. That's part of the service that's included: you tell us really what you're trying to accomplish, and we will sit down and we will write it for you. We'll write the text for you. We'll collaborate on that end. And the reason why we do that and it's included is because there's usually so much value in us taking one customer's idea and then really launching it across all of our customers as a global check that they can all utilize. Sometimes that isn't the case where it's very specific to an org, but most of the time, if one organization really wants something, it's something that every one of our other customers would really appreciate. So that's a big part of what we do. Yeah, we've done a lot of work from a user experience perspective to really make sure that those messages don't feel accusatory. They have a good mixture of education but actionability to them. And we're really trying to thread that needle in terms of not being too overly generic and pretending no one knows how to use a computer, but also not making assumptions about what someone's computer expertise really is. So for example, we have one check that looks for unencrypted SSH keys, which is great because a lot of developers, they'll typically generate a lot of SSH keys, not just for logging into servers, but even for pushing code to services like GitHub or GitLab.
And it's that extra step of generating the passphrase, which encrypts it, that a lot of developers skip. They kind of know they should have been doing that, but they didn't. And so we have a check that reaches out, says, hey, we see you have these SSH keys, they need to be encrypted, and it's really important that we do that. It's really easy to encrypt them. So even if this SSH key maybe wasn't for a sensitive server, it's still worth doing. And here are the exact terminal commands you have to do it. But we don't make any assumptions about someone's experience there. Perhaps someone had to write content for a blog and it's hosted on GitHub and someone was over their shoulder setting up an SSH key for them. They didn't actually do it and they don't really know what we're talking about. Well, we give them instructions on how to open the terminal. And then when they run the terminal commands to set the passphrase, maybe they have to use sudo and they have to start typing a password and no characters are appearing on the screen. So we anticipate things like that. People might be confused and we give them a little bit of nudge in the right direction that they're still doing it right. And then of course, at the end of every one of our messages, a button you can click that says, okay, check if I did it right. Is this resolved? And then we'll instantly check the device and then tell them, yes, you did a great job. Perfect. Thank you so much. And that is what makes it happen.
Carole Theriault
I wish we could clone you and move you into contract law so you could actually simplify terms and agreements across the board.
Unknown
Let's solve this one first, but I tend to agree.
Carole Theriault
Okay. So say, for example, an endpoint gets this message and they go through all the steps that are required and it was a doddle for them. Is the admin or the advisor, are they notified when that's completed, or how does that work?
Unknown
Yes, so we track basically the user's progress. And there's also escalation workflows that you can build in as well. So you could say, all right, for this particular one, this is a really critical issue. If they really aren't able to take care of it after a few weeks or maybe even a few days, let's escalate this to the IT team or the security team.
Carole Theriault
I can categorically say from my own personal experience, I have been in a hotel where I was so frustrated by the work computer and it blocking me that I went out to the Apple Store and bought with my own money a brand new Mac so that I could kind of tunnel through a different way to get into the work that I needed to work. So I have been that person.
Unknown
That's exactly the keyword, is openly. We can't do our job if we don't have this very open and transparent relationship with the end users. Imagine you got a Slack message from Kolide, and the first message that you got from us was this, "Hey, there's all these problems with your computer. You better get on." You're like, "Whoa, wait a second. What is this thing? Is this even a legitimate message?"
Unknown
We will not peruse and store your browser history. We're not trying to create a productivity management tool, so we're not going to give them any insight into how active you are on the device or what window is in the foreground. These are all things codified into our rules of engagement with customer data, and it's very important that the end users get to know that and feel comfortable about installing this thing, before they actually do it. And it's important that they get to do it because then once they've installed the package, they understand now how this whole thing works. They understand how we're getting the insights. They know they can revoke that access at any time if they need to, and they're in control. And that is so important to establishing that trust relationship. And then now you have a relationship where you can ask them to do things and they'll do them and they don't need any more context. They were part of that journey. Versus just something appearing one day and messaging them. That just doesn't work.
Carole Theriault
Now, listeners, all of you are cordially invited by Kolide to try it out with all its bells and whistles turned on. And this is for an unlimited number of devices for a whole 14 days. There's not even a credit card required. So you can find this at kolide.com/smashing and that's Kolide, K-O-L-I-D-E. Smashing Security. Plus, the wonderful people at Kolide are throwing in a goodie bag. Check it out at kolide.com/smashing. Jason Meller, founder and CEO of Kolide, an honor to speak with you. Thank you so much.
Unknown
Thank you for having me.
Graham Cluley
Well, great stuff. And that just about wraps up the show for this week. You can follow us on Twitter at Smashing Security, no G. Twitter wouldn't allow us to have a G at the end. We're also on Reddit. Go and check out the Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Spotify, Apple Podcasts, and Overcast.
Carole Theriault
And huge thank you to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog with more than 264 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye.
Carole Theriault
Yeah, bye. We'll have a guest next week, I promise. Well, if not, can we not just get a replicant from this app come along? I don't know if they speak out loud. I think they just— I don't know if they're just typies. They're probably just typing, aren't they?
Graham Cluley
Aren't they lazy?
Carole Theriault
No, I think it's really interesting. It's a bit spooky.
Graham Cluley
I want to find one on YouTube. Create your Replika. Someone must have made a little video. Test it. Oh yeah, there's loads of apps here. Is Replika safe? Meet my Replika. I tested Replika for 7 days. This is what happened.
Carole Theriault
Okay, I'm going to hang up before you get rude. All right.
EPISODE DESCRIPTION:
The most famous policeman in Nigeria is in hot water over his links to Hushpuppi, has your Amazon Echo been talking to itself, and can an AI girlfriend save your marriage?
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.
Plus don't miss our featured interview with Jason Meller of Kolide.