
246: Facebook has fallen


Facebook suffers a massive (and very public) failure, Britain announces plans for counter-attacking nation states in cyberspace, and there's a tragic story related to ransomware.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Chris Kirsch.

And don't miss our featured interview with Attivo Network's Carolyn Crandall.

Visit https://www.smashingsecurity.com/246 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Carolyn Crandall and Chris Kirsch.



Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. I saw in The Guardian, The Guardian did a Q&A, and one of their questions was, question, was my personal data at risk? And The Guardian said,


CAROLE THERIAULT. has been since 2010. Wait, yes, that's


GRAHAM. what they should have said. They said no more than when Facebook's up and running, but I agree with you, Carole. Much better answer. It's like, no, you're actually safer at the moment. Facebook's down. It's when Facebook's out and you've got to worry.

Smashing Security episode 246: Facebook has fallen, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 246. My name is Graham Cluley. And I'm Carole Theriault. And Carole, we're joined today by somebody who's brand new to the show, Chris Kirsch. Hi, welcome, Chris. Thank you, it's a pleasure to be on. How do you two know


CAROLE. each other? What's going on?

From another podcast, a very celebrated podcast, Sticky Pickles. I don't know if you've heard of it. Oh, yeah. Sticky Pickles. Chris gave us an outrageous story. It was fantastic.


GRAHAM. Right. Okay. So he's now graduated up to Smashing Security.


CAROLE. Well, or he's roughing it. We don't know.


GRAHAM. Chris, what do you do when you're not appearing on Sticky Pickles or Smashing Security?


CHRIS KIRSCH. So I'm the co-founder of a company called Rumble. You can find it at rumble.run, a bit of an unusual top-level domain. And I co-founded the company with H.D. Moore. He is the creator of Metasploit. And essentially what we're doing is helping people find things that are connected to their network. Pretty important thing.


CAROLE. You see, Graham, some people have important jobs. Now let's say thanks to this week's sponsors, 1Password and Attivo Networks. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?

It's complicated. Is that really all you're going to give us? Yeah. Okay, Chris, what about you? And please be more descriptive.


CHRIS. Okay, I've got a sad story with a lot of ethical problems. So let me put it that way.


CAROLE. And in my story, we learn whether collaboration and cooperation is the answer. Plus, don't miss our featured interview with Carolyn Crandall, who is the chief security advocate at Attivo Networks. and you'll hear me get a much needed education in identity security. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now, chums, chums, how's your week been? Fine. Yeah. Yeah, been all right? Yeah. Not disastrous? No. Yeah. Well, I hope it has been good. I hope it's been at least not as bad as Facebook's because Facebook earlier this week, they went on a little holiday for some hours. They dropped off the internet entirely. Did you hear about this? Hardly anyone mentioned it.


CAROLE. I did hear about it. It had absolutely no impact on my life other than people started messaging me more regularly saying I'm bored because Facebook's not there. So how are you?


GRAHAM. I don't know what to do. My life has lost all meaning. Yeah. I can't like people. I thought they were


CHRIS. just taking the week off. You know, wasn't it one of those relax, recharge weeks for Facebook or something like that? Wouldn't that be fantastic? Yeah.


GRAHAM. It felt like the good old days, didn't it? A national holiday. Yeah, it did. It did. It felt like the days when we had to study medicine for years to become experts in vaccines rather than learn things on social media sites from postings instead. It was a simpler time, it felt like.

And we've got really Facebook to thank for this throwback through time, because what they did was they made some configuration changes on their little bit of the Internet backbone and they goofed up. They accidentally shot themselves in the foot, a catastrophic failure, wiped them off the Internet effectively, making it impossible for anybody to reach their servers.


CAROLE. And so did they not test before going live?


GRAHAM. Well, it's a bit hard. I suppose you'd have to create another Facebook, wouldn't you, to sort of test it properly? They


CAROLE. must have a virtual Facebook times a thousand. Right, Chris? You're smart. Of course they must have a virtual network. You'd think, right?


GRAHAM. Yeah. Yeah, but it's not possible to sort of imagine every dependency and everything which relies upon everything else. And you can still have a finger fumble or copy something into the wrong folder. Mr.


CAROLE. Cluley, are you empathizing with Mr. Zuckerberg? who must be happy about this.


GRAHAM. Well, I am. No, not really. I can't bring myself to. But Facebook went down, WhatsApp went down, Messenger went down, Instagram went down, all these Facebook entities. And all because... How we live. I know.

Well, some people really did struggle. And some people, of course, their businesses depend upon these sites and services. Payments may come in through these things as well. Ads, right? Yeah, lots of ads.

Imagine the people who will be moaning right now that they paid for AdWords. I don't get enough


CAROLE. ads. I don't get enough ads in my life. I wouldn't mind a few thousand more, actually. Maybe that's why I should go to these things.


GRAHAM. Yeah, maybe you should install some of these things. Maybe you should sign up. So it was a problem with Facebook's configuration of BGP, the Border Gateway Protocol, which is like a sat-nav system, really. You know here you have DNS and IP addresses which tell you where something is? Well, BGP, it's the kind of thing which tells you how to get where something is, how to navigate the internet to get to it. Because they sort of shot themselves in the foot, everything had simply been wiped. It had just forgotten everything it needed to know about how to find Facebook. And this had an impact on other sites as well. It wasn't just Facebook which wasn't online. One of the sites which went down is a site called isitdownrightnow.com.


CAROLE. Okay. Is that related in any way? Well,


GRAHAM. isitdownrightnow.com isn't owned by Facebook and it doesn't run off a Facebook server. It's one of these sites which tells you about popular internet sites and whether they're down. So when Facebook et al. went down, lots of people went to isitdownrightnow.com to see


CAROLE. DDoS'd by accident. Yes, yes.


CHRIS. Graham, Graham, I have a fantastic business proposal for you.

Oh yeah, I want you to partner with me on this. Okay? Yeah, I'll do that.


CAROLE. Fuck you, Chris. Let's do the idea first.


GRAHAM. You might be pleased not being okay. Okay.


CHRIS. I think we should start a site that is called isisitdownrightnow.comdownrightnow.com. I think, right? I would register that immediately.


GRAHAM. And that will just see whether isitdownrightnow.com is down. Exactly. Yeah, yeah, I love this idea. This is genius. I'm not interested at all. Anyway, yes, it'd been knocked over by all the traffic of people trying to find out if Facebook and other sites were still down. And some people also experienced a Twitter outage as well, though Twitter wasn't really connected with it. Lots of people suddenly using Twitter more. Some of them experienced problems with the API. Signal said that it had seen an uptick in signups for its encrypted messaging service. And this


CAROLE. has happened, what, this week, right?


GRAHAM. Yeah, it happened on Monday night. Yeah. Wow.


CHRIS. I think, yeah, I mean, that's been part of a long trend, right, where so many people have moved over from WhatsApp to Signal because they didn't like WhatsApp being acquired by Facebook and kind of changing some of the privacy policies, I think.


GRAHAM. Yeah, I think a lot of people would like to use a different messaging service than WhatsApp because of the Facebook connection. But of course, you have to get all your mates to switch over as well. And maybe this is a great opportunity to do that. Now, sadly, Zuck, he reportedly lost $7 billion of his personal wealth. Oh, now I have empathy with him.


CAROLE. Of his personal wealth? What do you mean the company's wealth, not his personal wealth?


GRAHAM. His shares, because he obviously has quite a few Facebook shares, he lost $7 billion. So it wasn't taken from his pocket, obviously.


CAROLE. I don't think it's sitting in his current account.


GRAHAM. But the share price did fall. I'm sure it will return, however. And the other odd thing was that there are people out there who only use their internet connection for accessing Facebook or WhatsApp. They don't do anything else. What a sad life. And you imagine that is the internet for them. The internet is Facebook. And so when they couldn't access Facebook, what they did was they didn't report, oh, Facebook appears to be broken. They went to their ISPs and cell providers and said the internet appears to be broken. Yeah, they reported that their cell providers were down and suffering an outage instead. So there were all these people saying, oh, the cell providers got it. No, no, no, it's just Facebook.

So conspiracy theories began to spread. I know it's hard to believe, isn't it? Conspiracy theories spreading, especially when Facebook is down. Normally conspiracy stories spread when Facebook is up. But this is... I don't even know how the conspiracy stories spread about Facebook being up. But one did about Facebook being down. Some people thought it was linked to the Facebook whistleblower. Did you hear about the Facebook whistleblower? Yeah, we did. Yeah, it's been big news. So she says the site's been misleading the public. I think it was 60 Minutes. Oh, yes. Yeah, absolutely. It's been big news in all kinds of places.

The theory was Facebook didn't want the news to spread to its users. So I thought, what should we do? What should we do to stop the news getting to our users? We'll turn off Facebook. Yeah. Okay. Well, that wasn't true. You can believe it, though, because just last month, the New York Times, they did a story about how Zuckerberg had personally signed off on an initiative, a program within the company to show users more pro-Facebook stories in their news feed, which obviously would push out some of the negative ones. Inline content marketing.


CHRIS. Yeah. So it's completely unreasonable that he would switch Facebook off because that's fewer positive stories for Facebook. Right. Yes,


GRAHAM. that's true. Although the negative story wouldn't have spread on Facebook because it gets very confusing.


CAROLE. How long was the outage for? I just haven't gotten the basics yet.


GRAHAM. Hours. Hours and hours. A number of hours. Yes.


CAROLE. Did anyone eat their fingers?


GRAHAM. Well, I don't know that food supplies were cut off as a result. Although I suppose if you were ordering food via WhatsApp, then – and some people make payments as well, don't they? They rely on these messaging services to make payments too these days, I think. I'm not a Facebook user, so I don't really.

Anyway, there were also stories that maybe Facebook had suffered a data breach. Some people began to spread that story. And this was Facebook's attempt to shut it down. So there's all kinds of bonkers stuff.

I saw in The Guardian, The Guardian did a Q&A. And one of their questions was, question, was my personal data at risk? And The Guardian said.


CAROLE. Has been since 2010.


GRAHAM. Well, yes, that's what they should have said. They said no more than when Facebook's up and running. But I agree with you, Carole. Much better answer. It's like, no, you're actually safer at the moment. Facebook's down. It's when Facebook's up, you've got to worry.

But all this doesn't really explain why it took Facebook so many hours to bring its systems back up and running. And the reason for that, it turns out, is that Facebook is running everything to do with Facebook through Facebook systems.

So if you want to speak to a fellow staff member at Facebook, if you want to say to them, our server seems to be down.


CAROLE. Did they resort to freaking pigeons?


GRAHAM. So they couldn't do it. Faxes? If you want to log in remotely to the server room to reboot it,


CAROLE. That's going through a Facebook server


GRAHAM. You can't access. If you've got a server room which is locked and you need a security badge to bleep you through, the security badge system doesn't work because Facebook's server. So they couldn't physically get inside the server rooms to manually take them and fix them.


CAROLE. Suck, suck, suck, suck, suck.


CHRIS. Yeah, maybe you should resort to buy overbuild, you know?


CAROLE. Just go back and sell skateboards or something. Walk away. That's what I say.


GRAHAM. So everything to do with Facebook was down. And also, of course, if you were using a third party site, which uses Facebook login, you know, sometimes sites say, I don't need to know a username and password. Use Facebook login.


CAROLE. Why did you suddenly change your voice? Loads of people. Apple have sign-ins. Google have sign-ins. Facebook have sign-ins.


GRAHAM. So if you're using one of those, you're dependent on Facebook being up and running in order to let you in. And it didn't work. So you couldn't get in that way either.

So a bad week for Facebook. But things have got worse since because now, there's bad news for the rest of the world. Facebook is back up. Oh, dear. And the holiday is over.

But I think there's a lesson here. There's a lesson, which is don't put all your eggs in one basket. Don't just, you know, and I mean, that poor IT person who made that error or copied the file. Don't put all your eggs in one basket.


CAROLE. Doesn't that mean you're now a proponent of polyamory?


GRAHAM. Well, I don't have eggs, Carole, to spread around. I think maybe you need to go back to biology class.


CHRIS. Graham, I'm going to try and be even more concise than you are with your stories. So this is a story by Kevin Poulsen in The Wall Street Journal. It's quite a sad story. So just a trigger warning. If the story involving the death of a small child is challenging to you, then you may want to skip the next five minutes and continue with Carole's story.

So let me set the scene a little bit. In July 2019, the staff at Spring Hill Medical Center in Alabama saw some vague notices taped across their computer screens. And it said that the hospital's medical record system was down until further notice.

So the staff actually didn't know why, but the hospital had been attacked by ransomware by a Russian-based gang called Ryuk. And they declined to pay the ransomware gang, which, you know, I think you should because otherwise you're perpetuating the problem.

So the systems were down and this put a lot of strain on the nurses and doctors. You know, they were resorting to texting each other and they printed out lab results and ran them across the hospital on foot and all of that stuff. And many of the younger nurses who'd never worked without electronic medical records, you know, it was chaos.


GRAHAM. They were probably a fair bit better at texting quickly though, weren't they, than the older medics.


CHRIS. Yeah, maybe they should have used Facebook until then that went down. But the hospital denied to a local TV news station that it had any network event that affected patient care.


CAROLE. I'm just thinking, I wonder if the person who spoke didn't know at the time, but that seems to be impossible the way you're telling the story. So they did know. And they lied?


CHRIS. Yeah, I think they were probably riding the line of, you know, we have a network event, but it doesn't affect patient care, you know, but they didn't express it in that way. So, you know, like the political non-apology apology kind of thing where you're really taking a fine point on something.


GRAHAM. I'm sorry, Carole, if you, for some reason I didn't truly understand, took offence at my comments in the podcast the other week, which you clearly failed to properly comprehend.


CAROLE. That's basically the, I don't know why you're apologising now, Graham. That's the best I've ever heard from you. Carry on, Chris, please.


CHRIS. All right. So eight days later, the ransomware attack is still going on. And that day, finally, the hospital actually admitted publicly on a local TV station that it had experienced a security event.


CAROLE. Wow. So they treaded water for eight whole days?


CHRIS. Eight days, right? That's a long time. And that same day, a woman by the name of Teiranni Kidd got to the hospital to give birth. And she was still unaware of the cyber attack. So as part of the cyber attack, as part of the ransomware, the nurses' desk at the labor and delivery unit was cut off from the actual heartbeat monitors in the delivery rooms. And so when her daughter was delivered, the heart rate monitors had actually signalled distress for over an hour before the birth, but the nurses didn't receive it.

Oh, my goodness. Yeah. So it's a hard story, right? It's a hard story. And the doctors texted later, hey, I need you to help me understand why I wasn't notified. This was preventable and so on. So it showed that medically this would have been preventable if they'd gotten notified. Right.

Wow. Yeah. So the baby was born with severe brain damage and died nine months later. And so this could be the first confirmed death resulting from a ransomware attack. The lawsuit also said that the hospital should have transferred the patient to another hospital given the circumstances.

And they also said that the doctor should have informed the patient about the ransomware attack. So they're throwing the doctor under the bus a little bit, which I think is a little harsh.


CAROLE. I imagine that doctor was probably being told for the whole eight days, say nothing to the patients. We continue providing patient care at the same level.


CHRIS. And the doctor said that he believed he could still deliver the baby safely, which is why he didn't mention it. And my understanding is that the legal argument that the mother put forward is that the hospital should have informed her that it was under a ransomware attack and that it had diminished services so that she could have chosen to go to a different hospital.


CAROLE. 100%.


CHRIS. Right? 100%. And so this makes the whole thing very interesting because the first question is obviously, is the hospital responsible for getting ransomware or is it an act of God, right? If it's an act of God, then okay, then you can't do anything. Like if you get hit by lightning and your hospital is out, there is very little you can do by that. But the question is, is ransomware preventable? That's the first question, I think.


CAROLE. Yeah, and where is the onus? Is it on the hospital to provide enough defenses to ward off most ransomware attacks? And this one just snuck in because it was so clever.


CHRIS. Yeah, exactly. So did you exercise due care? And I think that's where the arguments were up until now. And I think those are still valid. But the other question arising from this is, does the hospital have a responsibility to inform patients that they've been hit by ransomware and may not be able to deliver the right care? I think Carole has given her opinion on that.

Yeah. So if we take this away from cybersecurity, the question is would a hospital have to notify you that it's almost out of ICU beds due to COVID, for example, and that you may not receive the right care, right? Does that, if they don't inform you, does that open them up to a lawsuit?

I think this is interesting, not just for hospitals, because obviously in hospitals, any misstep can cause a death. But let's say that you run some kind of business service or private service. Maybe not Facebook. I'm not sure if Facebook is critical enough, right? Maybe it is. I don't know. And you're under cyber attack and you do not notify your current or future customers that your service is impacted. Does that open you up to future lawsuits? And I think that's really the interesting part of the story.


CAROLE. Oh, this is so hard because there's a death of a kid involved, right? That's the horror show. And people choose hospitals based on the level of care that they are touting, either in their marketing or all over their website. And if they didn't put a big blazing sign on it saying, we have an event that we need to take care of and it may impact care while we do this, I think that they were in the wrong.


GRAHAM. But they obviously felt that it wasn't influencing their level of care, don't you think? I think they thought that it wasn't causing that problem. But the nurses couldn't get


CAROLE. Access to the heart monitors.


GRAHAM. Well, yeah, maybe their assessment as to whether it was impacting wasn't very good. I think it's hard for the average layperson to, I mean, just being told some computers have been hit by ransomware isn't very meaningful, is it?

I mean, most people aren't computer security experts. They're not going to have enough information about exactly how many systems. But if you shut the doors of the hospital to absolutely everyone, isn't that going to cause chaos as well and maybe have an impact, a domino effect on other hospitals in the area, which will all become?


CAROLE. Yes. Okay. Very fair. There's emergency cases, which that's a whole different story. But if something that's planned like a birth, you may have elected to go elsewhere. I completely agree with that.


GRAHAM. Yeah. Do American hospitals not have, Carole loves her terms and conditions and all these things that you have to sign before you can use a website. Do American hospitals not have a little form you need to sign before you undergo some sort of medical procedure?

Because I remember when I had a problem with my jaw and they thought, well, they took me into the hospital here in Oxford and they said, okay, what we're going to do is we're going to go inside your mouth and we're going to do a little bit of surgery inside your mouth. But if it's a bit too tricky to do it inside your mouth, we're going to go in from the outside and we'll just have to wire up your mouth for about three or four months afterwards. And they were saying this to me as they were giving me the anaesthetic, asking me to sign this thing.


CAROLE. Thank God for deep fakes that that happened, right?


GRAHAM. You would have probably liked it, right, Carole? Yeah, I could have put words in your mouth. Made you funnier. Carole, what have you got for us?


CAROLE. Okay, so all these ransomware attacks have been putting a little bit of a fire under some national buttocks, so to speak, encouraging them to stand up and help staunch the flow of ransomware. So there's kind of a seminal moment in July when Interpol urged industry partners and police agencies worldwide to work together to disrupt this international criminal industry.

So, Interpol's Secretary General Stock said the best tactic to disrupt a seemingly never-ending stream of ransomware is to adopt the same international collaboration strategy used when fighting organized crime and terrorism. Which makes sense, right? Because the issue, as we all know, is transnational threats.


GRAHAM. International, where are they? Makes sense, yeah.


CAROLE. Yeah. The problem historically has been that there are ransomware gangs based in some countries where the police turn a blind eye because they're not affecting companies in those countries, but companies overseas.


GRAHAM. And it can be difficult to find them even because they're bouncing around across lots of different servers around the world. And it's complicated.

If I called my local coppers to complain about an online scam that I fell for, they'd probably tell me to call Action Fraud in the UK. And then they would probably log it in a system and give me some advice on how I can recoup whatever I can or strengthen my security. But that would be that.


CAROLE. Well, they'd file it in the waste paper basket from what I've heard. Yeah, you'd probably never hear anything ever again.


GRAHAM. And see, Interpol have strong examples to show that collaboration works. So last year, they published results of a year-long investigative clampdown on worldwide criminal networks in the kind of phone and online fraud biz.

So it was codenamed First Light. And the operation officially concluded in November with the following results. They were able to secure almost 154 million US dollars' worth of illicit funds. These were intercepted. There were 21,500 operators, fraudsters and money launderers that were arrested and 10,000 locations raided. And this marked the first time law enforcement had coordinated with Interpol on a global scale to combat telecom fraud, with operations taking place on every single continent. Kind of interesting, right?


CHRIS. Why didn't they do that before? I thought that's what they should have been doing all along, right?


CAROLE. Well, I agree. I do have it in big letters here. About time! So I'm with you. So we have Interpol in July saying, work together on ransomware. See, it worked for us during the scams bit. So I wanted to see, well, did anyone listen? Right? Did anyone listen to Interpol? And I have two events to call attention to today. So the first one is on the 1st of October, President Joe Biden said that the US will bring together 30 countries to jointly crack down on ransomware behind a barrage of attacks impacting organizations worldwide.


CHRIS. So is Russia part of that?


CAROLE. Well, that's very interesting. He didn't list the countries. He's obviously saying NATO, G7. But, you know, there are a few other countries in there. So it'll be interesting. I think, obviously, they would love to have Russia on board just for the, you know, the muscle. That'd be great. You know, we could all be happy, happy together.


GRAHAM. There might be some itsy bitsy countries in there, mightn't there, like Papua New Guinea? I don't know. Maybe. The Isle of Man, you know.


CAROLE. Maybe. Because they want to disrupt ransomware networks and they want to work to establish and promote clear rules of the road for all nations in cyberspace.

You can see there's a lot of hot air here. There's nothing really actionable that I could see. But then, you know, the President doesn't have to put it in action in this space.


GRAHAM. Yeah, I'm sure underneath it all, law enforcement are talking to each other and trying to become more coordinated.


CAROLE. Now, this followed. So in July, President Biden issued a US security memorandum to bolster the nation's critical infrastructure cybersecurity. So he's already basically said, look, here's a baseline of performance goals for critical infrastructure owners and operators, which is kind of scary because you kind of think that would already be in place, right? Scary. So this is good news. This is all good news. It is about time, but it's all good news that this is happening.

Now, across the pond in Ol' Blighty, we've also had a recent announcement, but in a little bit of a different tone. So where Biden said, we are building a coalition of nations to advocate for and invest in trusted 5G tech and to better secure our supply chains, the UK revealed plans to invest heavily in national cybersecurity, creating a, quote, cyber force, unquote, unit to perform retaliatory attacks.

What uniforms


CHRIS. does the cybersecurity force have?


CAROLE. You hope it's made of latex or spandex.


CHRIS. I'm thinking of the Space Force in the US. Space Force, yes. I think LED blinking lights. That's right. That was so funny.


CAROLE. So, yeah. So, basically, the news from this new national cybersecurity, Cyber Force, is to perform retaliatory attacks. And the government has earmarked £5 billion to be dribbled out to the cyber force in the next 10 years or so, by 2030.

Oh, golly. Nice uniforms. Yeah, right. And they've now decided where it's going to be based. Right. So you might assume London, maybe, you know, Edinburgh, Glasgow, Manchester, Birmingham, maybe.

Give it to the Dutch. The Dutch police are doing a great job.

Well, this is a UK cyber force, right? It has to be the UK. Yeah,


GRAHAM. we're not that close with Europe anymore.


CHRIS. Oh, okay. Okay. Yeah, there's that. Oh, I forgot about that thing. We're doing our own thing. It's going jolly, jolly well.


CAROLE. They're going to the land that I know to be, land of cheese, hot pots, and… Lancashire. Yes. I was thinking Switzerland and Fondue.

They're going to a town called, I don't know how you say this name. It's S-A-M-L-E-S-B-U-R-Y. So I'm going to try Salmsbury. It's a tiny village of about a thousand people back in 2011 when the census happened. Okay. It's tiny.


CHRIS. Do they have internet? What's the broadband? Maybe they don't have internet and that's why it's the safest place for cybersecurity. Maybe.


GRAHAM. Hang on. So there's this beautiful picturesque little town up in Lancashire full of men with flat caps and whippets. And they're going to completely ruin it by putting a cyber attack facility in.


CAROLE. One of the main attractions is Salmsbury's Hall, right? A historic house in the village. Oh, yes. Well known for it.

Lancashire local press are all, this is amazing for us. This is going to be amazing. We're going to boost our economy. We're going to get loads of jobs. But I'm with you. I think the villagers must be up in arms. And no one's hearing them because they're probably not saying 100% of people in the town hate us. It's more there's a thousand people complaining, but we're fine.

Anyway, Foreign Secretary Liz Truss said this cyber force would confront aggressive behavior from malign actors and demonstrate that Britain is still investing in next generation defense capabilities. How are they going to do that


GRAHAM. then? How are they going to do this? How are they going to disrupt? Hire lots


CAROLE. and lots of people. Yeah,


GRAHAM. but what are these people going to do?


CAROLE. And then fight their adversaries with retaliatory action. Now, that was really my question for you. How do you feel? You know, we sit there all the time going, oh, God, we really hate North Korea, Russia, China for doing all these attacks on us. You know, we do have to do exactly the same thing back to them. It kind of feels a bit, I'm happy with them investing in defenses, but retaliatory actions, what do we have to gain from that other than headaches? Okay,


GRAHAM. so I think we're all agreed that there's a big problem with malware and hackers taking down critical infrastructure, right? If they're able to do that, so the ransomware attack which forced Colonial Pipeline to shut down the pipeline on the east coast of the States, big problem. WannaCry ransomware which hit the British NHS, big problem.

But something like WannaCry, it's not as if you can attack a server and prevent the attack from happening anymore. It's just out there. One thing we know about malicious hackers is they don't use their own computers. So they will exploit other people's computers. So we will then be launching an attack maybe against Belgium. We like them. We do. We love the Belgians. A lot of Belgian listeners. Yeah, we do. They've got delicious chocolates as well in Belgium and other things.


CAROLE. I saw my first chocolate boobs in Belgium.


CHRIS. So did they specify if the retaliatory action, I think you called it, is that a cyber response or a legal response or a kinetic response?


CAROLE. From what I'm reading, cyber response.


CHRIS. Cyber response.


CAROLE. So they are going to counter with cyber threats in some way. And I just think you may, you know, like as good as it sounds, you're just adding to the pile of shit we all have to deal with by doing this. Now, if they mean we are going to be covert and pay attention to scams as they happen so that we can arrest them, right? That sounds good, you know, but I think go back to Interpol, make sure you work internationally, you know, get some friends because collaboration seems to work.

That's what we need. So anyway, there you go. That's what I think. Who's going to want to live in Lancashire? I don't know. Anyone who wants a job in cyber, it seems. I think a few hundred will be going soon.


GRAHAM. But all you've said is that there's a nice town hall or something to go to. Also, cyber force. Do they have a multiplex? Maybe they'll have a helipad.


CHRIS. Cyber force. Maybe they just have really good real estate rates compared to London.


CAROLE. Top real estate tip from Chris. Let's all get on the Samlesbury real estate market.


GRAHAM. For the last 15 years, the great team at 1Password have been helping folks stay protected, private and productive, whether they use 1Password or not. And now, with the launch of 1Password University, they've used their expertise to create fun, dynamic and free learning resources for people of all school levels.

Learn how to make the most of your 1Password account's features, find out how to build a culture of security in your workplace, or discover why reusing the same password across multiple accounts puts you at risk. Broaden your knowledge, starting with the basic building blocks of security. Learn at your own pace and discover the tools and tactics that will help keep you safe on the internet.

Whether you're a business leader, looking to create a culture of security in the workplace, or you're a user trying to understand why you need a unique password for each account, 1Password University's free courses have got something for you. Go check them out right now. Try 1Password University for free at www.1password.university. That's www.1password.university.


CAROLE. Listeners, it is time to get serious about preventing and detecting credential abuse, privilege escalation, and entitlement exposures. My friends over at Attivo Networks have tackled this challenge, and I want to share how it works.

The Attivo Identity Visibility Bundle finds exposed admin credentials from the endpoint, conducts over 200 continuous checks on Active Directory, and identifies risky entitlements and over-provisioning in cloud environments. The Attivo Identity Detection Bundle cloaks production credentials and AD objects to hide and deny access and deceives tools like BloodHound, steering the attacker into decoys for threat intelligence gathering.

If you want to learn more and kick credential attacks to the curb, go to attivonetworks.com. That's Attivo, A-T-T-I-V-O, networks.com. And thanks to Attivo Networks for sponsoring the show.


GRAHAM. And welcome back. Can you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week?

Pick of the Week. Pick of the Week? Is that my cue? Pick of the Week is the part of the show where everyone chooses saying, could be a funny story, a book, that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related, necessarily. Better not be.

Well, my Pick of the Week this week is not security-related, you'll be very pleased to hear. I, like every other parent, am sick to the back teeth of children playing ruddy video games. Yes, they can do it for a little bit, but stop doing it quite so much. Stop watching YouTube quite as much. It's all got out of control.


CAROLE. If you were a kid now, would you not be trying to play computer games 24-7?


GRAHAM. Of course. Which is why I am going to propose an alternative. Which is that you should be playing board games.


CAROLE. Yeah, yeah. We've done this for about four weeks, haven't we?


GRAHAM. Yeah, yeah, yeah. We talk about board games, But now I'm going to give you the ultimate resource for finding the best board game for your horrible child to play.


CHRIS. That's awesome, Graham, because when your house gets hit by ransomware, you have something offline to do, right?


GRAHAM. Exactly. We'll be doing it by candlelight as well. Yeah, take that, Facebook. So I would recommend you go to the website BoardGameGeek.com, which lists thousands and thousands of board games. You can search in all manner of ways the vast number of different types of board game which are out there, from strategy to adventure to kinetic games to everything imaginable for all ages.

You can filter it based upon how many people are likely to be playing, the age group. It's a tremendous resource. It links to reviews. It links to videos where you can see a demo of the game in action.

And I've used it in a number of ways. I've both found brand new games and read people's recommendations for things I want to buy. But I've also found some games where I had played them in my childhood and forgotten them or forgotten their name.

I could just vaguely remember, oh, I had something to do with marbles and it sort of looked like this. And then being able to find it via Board Game Geek and then go and buy it on eBay, an old version of it to try and entertain my son with it.

How's that working out? Very, very well indeed. It's not as though he's been playing Red Dead Redemption 2 for the last 18 hours solid. But every now and then I say, let's play a board game. He goes, oh yeah, let's do it. You know, he's quite excited by it.

And I think kids actually enjoy this sort of thing. So go to boardgamegeek.com and why not drop me a line with what you think are your favorite board games? So maybe I will check some of those out as well.

And that is my pick of the week, BoardGameGeek.


CHRIS. Graham, I think there is a slight flaw in your plan. So if you've been ransomware and you can't get online, how are you going to check out BoardGameGeek.com? And how are you going to order that game online?


GRAHAM. Damn, damn.


GRAHAM. Chris, what's your pick of the week?


CHRIS. All right, Graham. Yes. I Expect You to Die.


GRAHAM. Charming. And Carole, I expect you to die too. You're not a very cheerful person, Chris. Can I say? For the first time on your show.


CHRIS. It's all the misery. I get it. I'm off the show. I'm off the show.


CAROLE. You know, we do like to do a bit of comedy on this. A little bit.


CHRIS. You know. So these are the names of the game and its sequel that I picked for you this week. So I got the Oculus Quest 2 for my birthday. It's a fun little VR headset that's, you know, I understand quite affordable compared to some of the other VR headset options out there.


GRAHAM. This is a virtual reality thing which you wear a pair of goggles? Exactly. It looks completely ridiculous and you turn into the lawnmower man. You're in that movie with Pierce Brosnan.


CHRIS. Exactly. I look like the lawnmower man while my husband actually mows the lawn. So yeah. And so I'm not a huge gamer normally because, you know, when I play ego shooters and especially if it's an online multiplayer game, my life expectancy is about three and a half seconds when playing against, you know, teens.

And so I love the puzzle games, right? Not as in pieces of puzzles, but more you know, escape room kind of things, right?


GRAHAM. Yeah, yeah, yeah. Yes, me too. I love that stuff.


CHRIS. And so this game is called I Expect You to Die, and the sequel, which is I Expect You to Die 2. The best way to describe it, I think, is a 007 style, cartoonish, tongue-in-cheek kind of escape room game that you play by yourself.

And so you find yourself on a mission and you're placed in a submarine or a spaceship or a plane, a train, a villain's lair, and you have to try and get out. And you really, you have the two controllers of your VR headsets in your hands.

So you essentially reach for things with your hands and you see your hands in VR and have to open boxes and push buttons and flip things over and those kind of things. And you have to try and escape all of the lasers and poison gas and assassins and explosives and things that are trying to kill you.

So it's really good fun. And so each time you actually get out of one situation, you graduate up a level and you get to the next situation and so on.

So it's a ton of fun, really well made. I think it's available on other platforms too, but that's just the one that I played on. And it really kept me hooked until 2am, which I usually don't get hooked on games. I play them for a little bit and then get bored and put them aside. But this one was a ton of fun.


GRAHAM. Wouldn't you feel a bit nauseous, you know, wearing VR goggles and motion sickness?


CHRIS. Yeah, on this one, not so much. I think it depends a little bit. I don't get motion sickness easily. And this game specifically, you play sitting down.


CAROLE. Thank god. I was just thinking of Graham, right, because, you know, he'd come back with a broken arm, a black eye, he'd have had a war with the broom or something.


CHRIS. It is a little bit challenging to kind of take a sip of your beer or whiskey or something on the side because you've got the thing in your face, right? So maybe straws are in order.

But yeah. Now, there are other games that you do play standing up. So for those, I sometimes feel a little bit queasy, especially if you're walking up the stairs, because your brain says you're moving up the stairs, but your body doesn't, right?

And that's really strange. Moving around is okay, makes me a little bit queasy, but moving up and down stairs is really strange.


CAROLE. Right. I suspect it's crazy for the body, the fact that you're kind of disconnecting what you see and what your brain's interpreting and what actions you take, you know?


GRAHAM. Chris, I really appreciate that you've basically completely undermined my pick of the week where I was trying to get away from video games by giving them an even more immersive video game, a virtual reality one. That's just great.


CAROLE. Is it good for kids?


CHRIS. I think this game is actually very good for kids because it's cartoonish. It's not too brutal. I Expect You to Die. No, Mr. Bond, I expect you to die.


GRAHAM. That's how you do it. Carole, what's your pick of the week?


CAROLE. So my pick of the week this week is a show on Netflix, a short series, if you will, called Midnight Mass. So this is an American supernatural horror miniseries.


GRAHAM. Oh, lovely.


CAROLE. Created by Mike Flanagan and has a star that I had to mention. Henry Thomas. Do you know who that is? We haven't seen him since, well, I haven't seen him since the 80s.


GRAHAM. What was he?


CAROLE. He's of E.T. fame.


GRAHAM. Oh, I thought I recognized him. Is he E.T.?


CAROLE. Not E.T. He was Elliott. And he is the dad of our main protagonist in this series, Midnight Mass.

Now, the plot centers on an island, an isolated island, small community, and supernatural events start to happen after the arrival of a new and quite engaging priest. Now, this was just released September 24th, 2021.

I've got some good and bad, right? The good, the plot is really interesting. It has a really fresh take on a known horror genre. So I like that. I thought, oh, that's clever. That's interesting. And also it had some good surprises where you're like, whoa, didn't see that coming.

The not so good is there's a lot of soliloquies, rather than sparky conversations. So a character will suddenly start rabbiting on for five minutes about something.


GRAHAM. Will they turn to the camera dramatically, Shakespearean?


CAROLE. No, no, no. They're talking to the other characters. A little bit like Graham?


GRAHAM. A bit like Graham. But just go on and on and on, right?


CAROLE. So let me just make a note. Chris, never coming back again.


CHRIS. I thought that was already decided so I can go all out.


CAROLE. Don't you worry, I've got your back, Mr. Chris. Now, I tuned out on these, but luckily my husband didn't. So I got the gist in a much shorter, more interesting format.


CHRIS. How much horror is it? Like, how bad is it? Because I'm really cringy, turning off the TV.


CAROLE. I think you've got eyelids, right? So that's what I always tell everybody. I think watch it. And when it gets too gross, you either just close your eyes and tell whoever's watching it with you, what happened? What happened? What's happening?


CHRIS. I don't have a problem with gore and gross. I have a problem with supernatural things. It's really strange because my rational brain says, oh, this is completely irrational. It's not going to happen, right?

I can watch a movie about some robber coming in and killing everybody and it doesn't faze me because I have the feeling, this is overconfidence bias, I think that at least I could, I have options there, right, of what I could do. But the supernatural stuff, even though my brain says it's irrational, I don't know what I could do to protect myself, if that makes sense.


CAROLE. Maybe this one isn't for you. I think that's probably the central question.


GRAHAM. Just brandish a carrot. Brandish a carrot or some other vegetable. Imagine that there's some supernatural way of warding off supernatural threats.


CAROLE. Oh, that's clever, Graham.


GRAHAM. Like an egg whisk. If you just tell yourself that works, then you think, oh, this isn't anything to worry about. And that explains the Daleks, right? With the whisks. And the sink plunger.


CAROLE. So anyway, Chris aside, right? I think this might be a perfect thing for a Friday night date of pizza and Netflix. And I say you can chill during the soliloquies. So there you go.

That is Midnight Mass on Netflix. And it just came out. So it's brand new. So probably most of you haven't seen it. That's my pick of the week.


GRAHAM. Tremendous. Now, Carole, before we wrap up, I believe we've got a featured interview this week, haven't we?


CAROLE. Yes. We are now going to listen to Carolyn Crandall from Attivo Networks, all about identity security. Take a listen.

So welcome, Carolyn Crandall.


CAROLYN CRANDALL. It is awesome to be here. Thanks for having me on your show.


CAROLE. So listeners, Carolyn Crandall is the Chief Security Advocate at Attivo Networks. I would love actually to start with your background, if you wouldn't mind.


CAROLYN. Yeah, well, it's been a journey. So for myself, I've been in the high-tech industry for a little over 30 years or so now. And it's been fascinating all the way back from when we were trying to figure out how to not have sneakernets to actually network connected devices to now a world exploding with IoT devices and other things. And so my entrée with this particular company and what I do here was really an opportunity to take a look at cybersecurity, how systems were being protected, and realizing that there was a massive gap for detecting in-network activity.

And this company had a really interesting approach by using deception, cyber deception technology to do it. So I knew the CEO from before, and I thought this is a fantastic opportunity to shake things up a little bit and do something different. And so that's when I came on to the company. I've been here for about six plus years now. So it's been a very fun ride watching how things have even changed over the last few years in cyber. Attivo's been on the Fast 500 the last three years that we submitted in, and it's been a fun ride.


CAROLE. Now we want to get into the weeds a little bit. Maybe we can start with identity security. So say you had a typical business owner, right? Maybe a CEO who doesn't mainline tech and cyber. How would you describe identity security to them?


CAROLYN. Right. Yeah, it's a great question. Actually, I was talking to a friend who was a CISO of mine yesterday. And we kind of boiled it down. It's like a lot of people are going identity, but it nets out to identities as far as me as an individual, my user ID, my password. But when I start to talk about that, people think about consumer identities, right? It's my information, my account I bank with, my credit cards. And what we wanted to do was just to separate it.

So you start to pull apart this big word of identity and you go, okay, well, what is that? And most people are familiar with it from the sense of identity and access management systems. And they may have heard of things like IAM or Privileged Access Management or IGA. And that's the technologies that are really focusing on provisioning, connecting, and controlling identities.

But what's been left out in this is the whole aspect of identity security, which is, well, who protects the credentials? Who protects the privileges, who protects the systems that manage those things? And so there's a whole new aspect of identity security that's emerging this year that's comprised of really two aspects of it.

One is the visibility. So how do you know when things are exposed and vulnerable that you need to go clean up? And then the second side of it is detection. How do you detect when there's a live attack using misused credentials or attacks on an active directory system?

And now when you move into the cloud, too, this whole thing of cloud entitlements with all the non-human identities, which has just exploded the amount of things that people have to understand and manage. And so out of that, you've started to come up with visibility and identity detection and response solutions that, even though we've talked about identities, we've never really talked about identity security and what can be done here.

And so that's a big initiative. I think it falls under the identity-first umbrella that the Gartner folks have been pushing. And it makes a lot of sense because it's a gap that sat between EDR systems, right, on the endpoint. So they protect a bunch of things, but not the credentials and the privileges. And the IAM systems that, again, protect and make sure that you get access, but they don't actually secure the credentials and those systems that manage them. So that's kind of the dynamic that we've seen in this last year and what Attivo as a company is really focused on so that we can help people address that pain point.


CAROLE. When a company approaches you, what typically are the main pain points that they would cite? What are things that they are worried about? And they say, look, we really need your help, Attivo Networks. This is the problem.


CAROLYN. Well, credentials always comes up as a first. I want to know what credentials are overexposed on my local endpoints. So for example, do I have any administrator credentials? Lots of problems, especially with transient workforces of credentials that are being left out there, just orphaned out on the endpoints and the ability to see those things. Can anybody go from that endpoint and get access to my domain controllers?

So everybody knows you lose domain control and that becomes a big problem and a big mess to have to clean up. And so the first thing we have is this, hey, give me some visibility so that at least I can go clean up the credentials on the endpoint.

But then as you start to get into the folks that are a little bit more sophisticated with it, they're going, hey, well, where does the attacker want to go? And they want to go straight into Active Directory and they want to gain that domain control.

And it was really interesting. I was listening to a webinar the other day. It was from Mandiant and Nick Bennett, who's one of the VPs over there, was talking about it. And the question that I loved is, why does ransomware keep happening?

And the thing that they found is the most common issue was the misconfigurations and vulnerabilities related to Active Directory. And I thought, okay, major, massive problem. It's the keys to the kingdom.

You take it over. You can change security processes. You can download mass amounts of malware so you can lock up the systems and encrypt them. You can do a lot of damage.

And so I think, and a lot of people will say, well, I can't really secure Active Directory because what it does is it gives me access. But you have to figure out a way of being able to detect when somebody is doing things to Active Directory that they shouldn't, like mass account changes or a password spray attack or some of the other SDHolder things that they may do in order to change things and give themselves access and control.

And quite honestly, before this year, there really wasn't good technology to be able to see that. And so our conversations have shifted from, hey, let's look at the exposures on the endpoint, to let's look at the most valuable thing that they're going after for access and privileges, and that's AD.


CAROLE. I bet people come and speak with you. And then sometimes you might go like, well, let's go take a look and let's get full visibility and see what's going on. And then you can show them and they'll go, oh, my God, I had no idea. So I bet they're not even aware of some of the things that they really ought to be aware of.


CAROLYN. Yeah, no, it's a great point because we actually run a free assessment for anybody. You can just go to our website and fill out the form and it'll get set up for you. But we've had people that are like, we just did our audits last week. You're not going to find a thing.

But because we can do over 200 checks and look for 70 different vulnerabilities and we can look for these live attacks, we go so much further than a human can do in the time that they're generally given that you're always going to find new things. It's like the new diagnostic equipment that you can hook up and test your cars, right? You can have a mechanic walk around the car and look at a bunch of things, but there's only so far they can go.

This stuff goes really deep and it's all automated and it does the correlation. So all of a sudden, not only do you have data, but you've got dots that are connected and it becomes very powerful.

So you are absolutely right. There's a lot of surprises. And we've actually had meetings that have been stopped going, we need to go take care of something right now, because they realize that that's a very vulnerable situation.

And it's hard. Everybody's running hard and working hard, but misconfigurations happen. And attackers are stealthy. They're going to change things to hide their tracks. And we look for those activities and the techniques that they're using to go, we see what you're doing. And we're going to tell the defenders about that activity so they can go and drive the remediation.

As I mentioned before, you start to open that up in the cloud and you get people that are replicating their AD environments in the cloud and then turning on all those non-human entities. And you have a multifold of different relationships that are getting set up.

And because of the complexity, all these group policies are getting set up. And we all know what happens there, right? Is you lose track of when one person gets in one group that gets connected to another and another, and you just can't see. And all of a sudden you have, I think the number is like 95% of the entitlements that are given are not used, right? So you've got this massive over-provisioning, which equals a much bigger risk than you intended to take.


CAROLE. Do you find there's a lot of companies out there that aren't very good at spring cleaning all their permissions and they're lying around like dust bunnies across the networks?


CAROLYN. It's the fact that even if you do spring cleaning, the attackers are not waiting till, you know. That's a good point. They're in there all the time. And even if you did your spring cleaning, it's summer now and now they're going to go and do, you know, go do and look for other things. So you really need that continuous and real-time visibility.

So I love periodic audits. I love pen tests. I think those are all really valuable parts of your strategy. But wouldn't it be great? Like you come in and you have your cup of coffee, you sit down, you get your dashboard up and it tells you where your low, medium and high exposures are.

It tells you if things are problems at your computer, your user, your domain level, and you've got it all in front of you in that morning. So now you can also kind of dole it out and go, okay, I want my experts working on the high severity stuff.

I want my other stuff. At least now I've got a list too, where I can give to other members of the team and say, hey, can you guys go work on this?

And the tools are so sophisticated now that you also get all of the information that you'd normally send a researcher to go do, right? You know, what is this? What do we know about it? How do we address it?

And the reporting is pretty slick on this stuff, right? You know, it tells you CVEs, MITRE mappings. It tells you what you need to do in order to write the scripts and fix things.

And, you know, sneak peek into roadmap stuff is that automation, full automation with scripts is coming. But right now, most people want to still look at it, but it's all there to write them pretty quick.


CAROLE. Okay, so say we have some company owners out there from companies that are thinking this is exactly what we need. But I don't have the language even to understand, to operate this myself. I need to get someone to help me do that. What kind of skill set are they looking for? What kind of manager will be running this at an optimum level?


CAROLYN. It's really not hard. I always look at these things like an iPhone, right? There's a lot of sophistication inside of the phone, but you don't see it. You don't have to know how all the apps and everything work in the background. You just have to be able to use it.

And I think from a user standpoint that, you know, any security professional that is involved in incident response and remediation of things will recognize everything that sits inside of this information and will be given information that they can follow and know what to do. I can't replace security training. So you need some base security training to know what's going on.

But once you have that, to be able to make this very actionable, that comes in and makes it very easy for people to respond. And again, different levels of dashboards. And so you can use many times a simple or an advanced dashboard for some of the findings.

And when we look at the sophistication of things. If I'm looking at an active directory attack, depending upon what level I want to go to, maybe I just want to see if they're querying active directory and they shouldn't be.

And maybe I'll feed them back some deceptive information that redirects them into a decoy. Now, once you've decided if you want to watch that engagement, you might have a little bit more senior person get involved in tracking and analysis so you can pick up that counter intelligence about what the attacker is doing to you, to your company, you know, there.

But the other stuff is pretty, pretty simple. I don't think we've ever had anybody add a person to operate any of the Attivo technology. Generally, people say maybe, maybe 15 minutes, you know, once a week, you might want to go in and look at it.

Some people look at it more often if there are bigger environments, but it's pretty, pretty simple and not terribly time consuming.


CAROLE. I think it's a perfect analogy because I was thinking about my car. If I had to know everything about how my car worked in order to drive, I never would have driven. I was going to say, if someone wants to learn more, what steps would they take? Can they go to the Attivo Networks website or are there special places you'd advise them to take a look?


CAROLYN. Yeah, I mean, there's a bunch of information out, not only on the Attivo website, which I would highly recommend you go take a look at. So you can go in and you can look at things either by solutions, maybe you're concerned about ransomware and you want to look at our not only visibility for how people could maybe take over and download that ransomware, but also there's some cool cloaking technology.

So for the Trekkie fans that are out there, you can hide and deny access to the data they're looking for, the credentials they're looking for, the AD objects. They can't see anything. And, of course, you can decoy the environment.

So you're feeding back fake information. So they think they're progressing, which we love because it totally messes with their tools. It's so awesome because it looks real and they're just steered off the path.


CAROLE. Fabulous. Is there anything else that you'd like to add before we close this amazingly interesting interview?


CAROLYN. Yeah, I really think that identity security needs to be a priority for both small and large organizations because you've got to protect your credentials and you need to do that locally at your endpoints. You need to protect your active directory and everybody's moving to the cloud in a multi-cloud way.

So you've got to get your arms wrapped around entitlement visibility before it takes you over. And it will because it is very complex. So tools that are out there to do this make it super simple, make it integrated for complete viewing.

So take a look. It's new stuff that you probably have not seen before. So, again, judge with your own eyes. But I would encourage you at least to understand what you can do that you weren't able to do before.


CAROLE. Absolutely brilliant. Carolyn Crandall, Chief Security Advocate at Attivo Networks. Thank you so much for coming on the show.


CAROLYN. My pleasure.


GRAHAM. Tremendous. Well, that really does wrap up the show for this week. Chris, thank you so much for coming on. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


CHRIS. Sure. So on Twitter, I'm Chris underscore Kirsch. That's K-I-R-S-C-H. And you can also find me on LinkedIn.

And the website of the company is rumble.run, where you can download a private version or a personal version of the Rumble Asset Inventory. And you can run it on your home network. If you're geekily inclined, that can be a ton of fun to see what you have connected that you are not expecting. And it's completely free and unlimited in terms of time, just limited in terms of the number of devices, which you're unlikely to hit on a home network.


GRAHAM. And you can follow us on Twitter at smashingsecurity, no G, Twitter wouldn't let us have a G. And we've also got a smashingsecurity subreddit.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify and Google Podcasts.


CHRIS. We should all pitch in to get Graham a GoFundMe page to buy another G, I think.


CAROLE. And thanks to this episode's sponsors, 1Password and Attivo Networks. And to our wonderful Patreon community, it's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists and the entire back catalog of more than 245 episodes, check out smashingsecurity.com.


GRAHAM. Until next time, cheerio. Bye bye bye, goodbye goodbye, thanks Chris.


CHRIS. Okay, thank you. Too bad I'm off the next show.


CAROLE. You know what I have to say, I think your segment was longer than Graham's.


CHRIS. Yes, I know. That's why I said I'm going to be more concise.


GRAHAM. Never mind the length, feel the quality. That's what I say.

-- TRANSCRIPT ENDS --