
210: DC rioters ID'd, Energydots, and ransomware gets you in a pickle


Penile penal problems, identifying rioters in Washington DC, and can a sticker protect you from radiation?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

And don't miss our featured interview with CrowdSec's Philippe Humeau.

Visit https://www.smashingsecurity.com/210 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Dave Bittner and Philippe Humeau.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hello, it's Carole Theriault here from Smashing Security. I have some fantastic news. You remember how through December we decided to give all of the profits that we made from Patreon over to the local food bank? Well, we wrote the check and it was £550 strong, almost $800 US, which is incredible. The volunteers at the food bank were incredibly grateful and and promise to put it to fantastic use of feeding people that need feeding. So thank you all. Amazing. Now it's that time to get the first show of 2021 on the road.


GRAHAM CLULEY. I'm trying to be, I'm trying to be delicate, Carole, because I know—


CAROLE THERIAULT. What was your topic? Why did you choose this topic?


GRAHAM CLULEY. Because it's an important topic.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. I was hoping that we wouldn't get too grubby. In what way, shape, or form is this an important topic?


DAVE BITTNER. Yes.


CAROLE THERIAULT. Yes. Why is this front page news on our show?


ROBOT. Smashing Security, Episode 210: DC Rioters ID'd, Energy Dots, and Ransomware Gets You in a Pickle with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 210. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week by Dave Bittner from the CyberWire and Hacking Humans. Hello, Dave.


DAVE BITTNER. Hello, hello. It's great to be back.


CAROLE THERIAULT. Happy New Year, Dave.


DAVE BITTNER. Yes, thank you very much.


GRAHAM CLULEY. Welcome to 2021, where everything is looking rosy and wonderful and there will never be any problems ever again. Fantastic.


DAVE BITTNER. Couldn't be better.


GRAHAM CLULEY. Did you have happy holidays, Dave?


DAVE BITTNER. We did, actually. We took a week off between Christmas and New Year's and more or less shut the company down, which is the only way to get Type A folks to stop working. So that's what we did.


CAROLE THERIAULT. Are you Type A?


UNKNOWN. I. No, no.


CAROLE THERIAULT. Oh, right, right.


DAVE BITTNER. No, no, no, no, no, no.


CAROLE THERIAULT. Okay, okay.


DAVE BITTNER. Some people are.


CAROLE THERIAULT. Graham, are you.


GRAHAM CLULEY. Oh, yes, I definitely am. Type A. Whatever that means. That sounds like me. Well, of course, Carole, you and I, we did. We did that extra special thing, didn't we? We went up on the YouTube, we did our livestream, our Christmas special with some marvelous guests.


CAROLE THERIAULT. It started off pretty dirty, I gotta say, with Geoff White. Yeah.


GRAHAM CLULEY. And his balloon modeling. Yeah, that was pretty filthy. Mark Stockley and Maria, of course. Dave, did you manage to catch the. The video?


DAVE BITTNER. I did. I did catch the video. I'll admit my invitation must have gotten lost in the mail, but I did catch the—


CAROLE THERIAULT. I don't think so. You were invited. Everyone's invited to watch the show.


DAVE BITTNER. Yeah, watch the show.


CAROLE THERIAULT. Right, right.


GRAHAM CLULEY. Carole, what's coming up on the show this week?


CAROLE THERIAULT. First, let's thank this week's sponsors, 1Password and CrowdSec. Their support helps us give you this show for free. Now, Graham, tell us what's coming up for your bit of the show.


GRAHAM CLULEY. I'm going to be looking at sex toys. I'm going to be taking a close look at them.


CAROLE THERIAULT. Of course you are.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Enough. David?


DAVE BITTNER. I'm going to be taking a look at how people have been identifying some of the folks who ransacked the US Capitol last week.


CAROLE THERIAULT. Oh, good. And I'm talking energy dots. Plus, we have a featured interview with the founder of CrowdSec, Philippe Humeau, who tells us all about how his IP technology can help save the day. So check that out. All this and much more coming up on today's episode.


GRAHAM CLULEY. Now, chums, chums, let me take you back in time to the golden era of Smashing Security. I'm talking about last October, episode 191.


CAROLE THERIAULT. Last year.


GRAHAM CLULEY. Yeah, exactly. When we had the lovely Zoe Kleinman, BBC's technology correspondent, discussing some of the fascinating work done by Pentest Partners. Pentest Partners, of course, have done all kinds of research into security vulnerabilities on IoT devices. And they took a close look at a device which had come out from China, but it's been sold around the world, called the Qiui Cellmate. Qiui is spelled Q-I-U-I, but pronounced "key". Hmm.


CAROLE THERIAULT. It sounds innocent enough.


GRAHAM CLULEY. It sounds it, doesn't it? But the Cellmate, let me tell you, if you weren't aware, is an IoT chastity lock for men.


CAROLE THERIAULT. Oh yes, we talked about this before. Yes, yes, yes, with Zoe. That's right.


UNKNOWN. Exactly.


GRAHAM CLULEY. I remember, I remember. So if you want to restrict access to your proverbials or somebody else's perhaps, you would give them one of these, clamp it on, press a button on your little app.


CAROLE THERIAULT. What is this? Is this because someone touches themselves too much in public or something?


GRAHAM CLULEY. I don't think—


CAROLE THERIAULT. Why does someone have one of these?


GRAHAM CLULEY. I don't think you need to do that, Carole. If you're suffering from that problem, you could just wear mittens or something.


DAVE BITTNER. But it's—


GRAHAM CLULEY. No. Well, you could— No, this is more of a— it's kind of a sex toy thing. It's kind of a bit sort of—


CAROLE THERIAULT. Oh, it's got a frisson.


GRAHAM CLULEY. Is the phrase BDSM? I don't know. I'm not really sure what that stands for, but it's something where you're in a relationship where someone says, oh no, no, no, you can't do anything with that until I give you permission.


CAROLE THERIAULT. And they lock up your privates.


GRAHAM CLULEY. They lock it up on an acid.


CAROLE THERIAULT. What if you need to go to the loo? I think we talked about this. Yes.


GRAHAM CLULEY. I think you can still drizzle through. So I think you can. Good Lord. Because otherwise that would be— That would be unhealthy, wouldn't it? For the electronics.


DAVE BITTNER. I mean, let's be practical here.


CAROLE THERIAULT. I was thinking they looked like pants. So I was assuming like you're both doing—


GRAHAM CLULEY. No, it's something which clamps. I'm trying to be delicate, Carole, because I know how much you love—


CAROLE THERIAULT. What was your topic? Why did you choose this topic?


GRAHAM CLULEY. Because it's an important topic.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. I was hoping that we wouldn't get too grubby while talking about this.


DAVE BITTNER. In what way, shape, or form is this an important topic?


GRAHAM CLULEY. Yes. Yes.


CAROLE THERIAULT. Yes. Why is this front page news on our show? Jesus.


GRAHAM CLULEY. Let's start 2021, you know, clean breast of things. Let's not get all muddied down in some of the filth which we've done in past episodes. Let's move forward and not just be childish and snigger at these things. Now, the penetration testers, they found some troubling security vulnerabilities in the Qiui Cellmate.


CAROLE THERIAULT. Did they? Hell, surprise.


GRAHAM CLULEY. They said it opened up the door to some pretty eye-watering attacks. They explained, how attackers could grab remote control of a wearer's penile prison and lock them up permanently unless a ransom was paid because of vulnerabilities.


CAROLE THERIAULT. Oh, it's only for boys.


GRAHAM CLULEY. Oh, for goodness' sake, ladies.


CAROLE THERIAULT. You said penile prison.


GRAHAM CLULEY. Well, I said a male chest.


CAROLE THERIAULT. Yes. Oh, okay. Sorry, I missed that. I missed the adjective.


GRAHAM CLULEY. Yes, it is. Yes. Now, we looked at this threat. We discussed it, you know, the potential for ransoms and so forth. It was a bit of worrying, and we treated it with the gravitas it deserved, and we resolved to keep a close eye open on any developments. Well, there have now been developments. So I wanted to be sure that any listeners of ours who use the Cellmate chastity lock, and I'm sure we've, I mean, we've got a lot of—


CAROLE THERIAULT. Tweet us.


GRAHAM CLULEY. Get in touch.


DAVE BITTNER. Asking for a friend.


GRAHAM CLULEY. Because source code of ransomware which targets these devices has now been posted on GitHub.


CAROLE THERIAULT. Of course it has.


GRAHAM CLULEY. And it takes advantage of the flaws and demands a 0.02 bitcoin ransom, which is round about $650 at the current exchange rate. Because as you know, bitcoin prices have been zooming up, haven't they? They're— I think it's over $30,000 now, or maybe even more. So not quite enough for John McAfee to win his bet. But, you know, it's still going quite well. So this piece of ransomware—


DAVE BITTNER. Although this device would keep John McAfee from fulfilling his promise, wouldn't it?


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. This could— this is maybe the gadget for John McAfee. You got there right before me, Dave. I was gonna put down—


GRAHAM CLULEY. The problem is, I believe Mr. McAfee is currently in a Spanish prison. Awaiting extradition to the States. So.


DAVE BITTNER. He's got other locks on his mind.


GRAHAM CLULEY. Yeah. You may not be able to receive these via Amazon. I don't know, get a delivery of one of these. Anyway, if you get hit by the ransomware, you get this message saying, "Hahaha, I have your cock now.


CAROLE THERIAULT. Send 0.02 bitcoin to this address by this time or you'll be locked up forever." So presumably then you call the person who's locked up your junk and said, "Hello?" And they go, "It's not me, it's not me." Exactly.


GRAHAM CLULEY. Yeah. Exactly. 'Cause someone else has commandeered control of it, which is—


CAROLE THERIAULT. I wonder if anyone's faked that.


GRAHAM CLULEY. Now I've been looking at the source code of this ransomware. And here's an interesting little fact.


DAVE BITTNER. For research purposes only, right, Graham?


GRAHAM CLULEY. Can either of you guess what programming language the ransomware is written in? What programming language do you imagine it would have been written in?


DAVE BITTNER. It must be a pun.


GRAHAM CLULEY. I'm testing your pun skills. It's Python. Do you know how I chortled when I realized that?


CAROLE THERIAULT. Only guys laugh at that. Women still don't understand the joke at all.


GRAHAM CLULEY. Now, the good news is that if you're unlucky enough to be hit by this ransomware, you don't have to pay. You don't have to pay.


CAROLE THERIAULT. No, you can just live in a cell for the rest of your life. You can still go to the loo, right?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. You can still poop and number one and number two. So what's the drama?


GRAHAM CLULEY. You might find it hard to wash your penis afterwards though.


CAROLE THERIAULT. Well, you know. Bit of Febreze.


DAVE BITTNER. What could possibly go wrong by getting an electronic device that's that close to your goodies wet?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. There are alternative ways to override the lock, which don't involve paying the ransom, which is good because you probably don't have a backup penis to rely upon. Speak for yourself. So what you can do is you can prise open, apparently, prise open the circuit board.


CAROLE THERIAULT. I remember this from last time.


GRAHAM CLULEY. And apply a voltage with two wires.


CAROLE THERIAULT. It's right near your left bollock.


GRAHAM CLULEY. To unlock the— sex toy.


DAVE BITTNER. You seem like it'd be a lot easier if you had a very dear friend who could help you with this endeavor.


GRAHAM CLULEY. Or you can get an angle grinder as well to cut through.


CAROLE THERIAULT. No, I'm not going to go into DIY with you. What's the point?


DAVE BITTNER. There's no point. There's no point.


CAROLE THERIAULT. You can't even put a light bulb in.


GRAHAM CLULEY. So, um, but another thing to consider, Dave, is if you did manage to extricate your little friend from the chastity cage—


DAVE BITTNER. who you calling little?


GRAHAM CLULEY. Still be blackmailed. Because of course you may not want folks to know that that's where you parked your Percy.


DAVE BITTNER. Right.


GRAHAM CLULEY. So even if you can get it out, that isn't necessarily the end of the story. So I think there's some obvious morals to be learnt from this tale.


CAROLE THERIAULT. There's no morals. Don't put your dick somewhere stupid.


GRAHAM CLULEY. It's not quite the same as the lion with the thorn in its Or is it troll, that particular moral that you've shared with us there? But yes. Good. Nice.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Happy New Year, everybody. Welcome to the show. So, Dave, what have you got for us this week?


DAVE BITTNER. Ah, well, I don't know if news of this has made its way across the pond to all of you, but we had a bit of a kerfuffle last week here at the US Capitol.


CAROLE THERIAULT. I'm so sorry, man. It was unbelievable to watch.


DAVE BITTNER. Yeah, it really was. I make light of it only because, as I often say, we laugh because otherwise we would cry. So some rioters took hold of the US Capitol here in DC, egged on by our president. So I think everyone's probably aware of that story, but one thing that caught my eye in all of this was the online attempt. Sort of open-source public attempt to try to figure out who some of these people were who stormed the Capitol building. And one gentleman in particular got to be known as Zip-Tie Guy.


CAROLE THERIAULT. That's right. Yeah.


GRAHAM CLULEY. Which is interesting because if anyone saw the video livestream we did just before Christmas, I thought I was going to be Zip-Tie Guy because I course, had my zip tied to my shirt so that when I stood up, it pulled the zip of my trousers up. That's the story I was telling. But yes, there's a new zip tie guy in town.


CAROLE THERIAULT. He may have a few more views, Graham.


DAVE BITTNER. You've been unseated. Yes, you're no longer alpha zip tie guy. I hope you're able to get over it.


CAROLE THERIAULT. Yeah.


DAVE BITTNER. So this particular zip tie guy was a gentleman who made his way into the Senate chamber, and he's called zip tie guy because he had a handful of zip ties. These are the kind of zip ties that you use instead of handcuffs. So if you're planning on arresting or restraining a whole lot of people and you don't want to spend the money for handcuffs, handcuffs are also heavy.


CAROLE THERIAULT. That's what I was gonna say. They're a little heavy.


DAVE BITTNER. Yeah.


CAROLE THERIAULT. Like dragging yourself around.


DAVE BITTNER. Yeah. So you use these zip ties. Now, this gentleman was dressed head to toe in camouflage.


CAROLE THERIAULT. Jesus.


DAVE BITTNER. Unlike most of his companions, he was wearing a mask. And so began this online odyssey of trying to look at every possible little detail that was revealed in photographs of this guy. And I've included a link to a Twitter thread where they do just that. And they start with looking at the type of camouflage he was wearing, where it was probably purchased. He was wearing a few patches on his shirt, and one of them, a telltale one, was a Thin Blue Line patch, which is a patch that supports the police, and his was in the shape of Tennessee. So there's a bit of information. Perhaps this gentleman is from Tennessee. And then they started— people started combing through other photos from that day, from other demonstrations previously where this person may have shown up. He was wearing some patches on his hat and on his— on the front of his body armor that were unique. And so sure enough, some folks found some photos of him outside the Capitol, and he had a companion there. There was a woman who had a red hat on. And so now, even though we don't know who he is, well, maybe we start looking to try to figure out who this woman is.


GRAHAM CLULEY. Oh, narrowing down people who might be wearing red hats at this particular event. I suspect there's quite a few of them.


DAVE BITTNER. Yeah, well, you know, you start with a large pool and then you narrow it down.


CAROLE THERIAULT. Okay, but question, question, question. Don't you think that inside— that would be the one place I could imagine in America where facial recognition software would be de rigueur?


DAVE BITTNER. Yes.


CAROLE THERIAULT. You'd imagine that an official being like, you know, the person that goes and sits at Nancy Pelosi's desk and rifles through her drawers, you'd think he'd be caught at some point on camera and be thrown through a facial recognition software.


DAVE BITTNER. Yes. So this particular gentleman, only his eyes were visible underneath his baseball cap here. But people stayed at it. And by going through footage, they found a video that someone had posted from the lobby of the Grand Hyatt D.C. Hotel, which, let me say, is a bit of a swanky hotel, on the night of January 6th. And sure enough, it looks like this guy with his female companion, who it turns out— wait for it— is his mom.


GRAHAM CLULEY. Was it Take Your Mum to Work Day?


DAVE BITTNER. Yeah. Well, you know, take your mum to a riot day.


CAROLE THERIAULT. Do you think this stuff is a bit scary? Because I'm just remembering, wasn't it the Boston Marathon where the internet, I think it was on Reddit, but there was kind of a hunt for who was suspicious on the day.


GRAHAM CLULEY. And people got it wrong, didn't they?


CAROLE THERIAULT. And they got it wrong.


GRAHAM CLULEY. It worries me. I certainly saw a lot of people online hunting and looking for clues as to who people were in the crowd. And it always feels a little bit uncomfortable when people start naming names, doesn't it?


CAROLE THERIAULT. Yeah, because if they get it wrong, man, and you just get attacked by this mob.


DAVE BITTNER. Right. And to their credit, the folks who seem to be going at this in a responsible way were very specific about saying, "We're not going to name names until we can get 100% verification. We're sending all this information on to the FBI so that they can do the work that they need to do." And that seems to be what happened here because update from the New York Times, this gentleman was arrested. It turns out he's a 30-year-old bartender. Looks like he let things get away from him. His mother was interviewed by the Times of London and she was quoted as saying, "I'd rather die as a 57-year-old woman than live under oppression. I'd rather die and would rather fight." Okay, well, there you are.


GRAHAM CLULEY. You know, it is an interesting question, this issue of people trying to work out who is who at a controversial event like this. What I quite liked was, of course, you're probably familiar with this interesting platform Parler, and there was somebody who it appears, judging by a screenshot which has been shared on Twitter, there's someone who posted up on Parler claiming to be a White House attorney Yes. And they said, the president is strongly considering pardoning all patriots who stormed the Capitol, but we need to get him the right information so he can do it in the next week and a half. If you would like a pardon, please respond below with your name, city, what crimes you think you need to be pardoned for. Yes. And share it with anyone else.


DAVE BITTNER. My favorite part of that is that the US Justice Department actually put out a press release saying that that was not actually them.


CAROLE THERIAULT. Oh, thank you. Thank God they did. Like today, you've got to. You've got to.


DAVE BITTNER. Yeah. Yeah. So, again, we laugh because otherwise we would cry. This is indeed frightening stuff, not far from where I live. And who knows where we're going to go from here as a nation. Certainly, I know you all have your hands full with plenty of stuff over your way as well. But it's been kind of a sobering week for us here stateside.


GRAHAM CLULEY. Crazy times.


UNKNOWN. Yep.


GRAHAM CLULEY. On that, Carole, take us out of these dark times.


CAROLE THERIAULT. I know, I'm trying to think.


GRAHAM CLULEY. What have you got for us, Carole?


CAROLE THERIAULT. Energy dots. I'm talking energy dots. Now, what does that word mean to you? Does it mean anything to either of you?


DAVE BITTNER. No.


GRAHAM CLULEY. Energy Dots.


CAROLE THERIAULT. Because it did me from our childhood, probably the same decade, 1980s. Energy Dots.


GRAHAM CLULEY. Oh, are you talk— are they like acid or something? Is it like at a rave or—


UNKNOWN. no.


DAVE BITTNER. Well, probably there was a candy that came on a sheet of paper that was little, little dots of—


CAROLE THERIAULT. looked like acid—


DAVE BITTNER. little dots of candy that— and they were awful because you'd always get a mouthful of paper with them. That's when I can remember.


CAROLE THERIAULT. Energy Dots were in Pac-Man. Oh, those are the little dots that you grabbed and got your little doo doo doo doo doo. And that's what they were called.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So anyway, today the term energy dots refers to something a little more questionable, maybe even controversial. But you guys tell me what you think. Okay, so let me start with the website description of this thing. Okay. Handy frequency technology discs that you can wear, stick to devices, or place around the home. Use them to rebalance, bring positive energy, and support your well-being.


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. Okay. So can you tell me what that— can you tell me what it is?


DAVE BITTNER. Like IoT crystals? Is that what we're talking about?


CAROLE THERIAULT. They're like stickers, right? They're basically stickers that you stick to either your phone or devices or— well, you'll just wait what they stick it to, right?


DAVE BITTNER. Graham's going to need his angle grinder.


CAROLE THERIAULT. Exactly right. But it's like, apparently it's an answer to the exposure of non-ionizing EMF radiation. So yes. Now, Amazon has reportedly a glut of companies offering these EMF protections or EMF harmonizers. The idea is, what do these things do and why are people buying them and what is going on? Right. So, they say these discs do on the website. They say they've created an EMF protection device. It's called Smart Dot. That's one of them. And it's programmed to retune electromagnetic frequencies emitted by your wireless devices.


GRAHAM CLULEY. This sounds a little bit like the holographic nanolayer catalyzers that, uh, Mark Stockley was on the show last week— last year. Yes, talking about, which was nonsense as well.


CAROLE THERIAULT. It's very much like that, I think.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Okay, now, but I'd invite you guys to go to the website, so energiedots.com. If you guys go there, it takes a long time to load.


GRAHAM CLULEY. Probably because it's really popular. Oh, when I go there, it says you need to enter your username and password. It says the site is protected.


CAROLE THERIAULT. Energy dots.


GRAHAM CLULEY. Dot com.


CAROLE THERIAULT. Dot com. Is—


GRAHAM CLULEY. have they shut down their website?


CAROLE THERIAULT. Let's see.


GRAHAM CLULEY. Because people are—


CAROLE THERIAULT. There's been a bit of news.


GRAHAM CLULEY. Because they've been in the papers.


DAVE BITTNER. Yeah, I get the same thing.


CAROLE THERIAULT. Interesting. Dots, right?


DAVE BITTNER. Same thing.


CAROLE THERIAULT. Oh, interesting. Okay, interesting, interesting. Okay, well, I'll just have to tell you what's there. So basically you affix this smart dot, this sticker-like thing to your favorite gadgets and then await harmonization. And I'm not sure how you know when that hits you or how you know that your wellbeing is being fully supported, but there you go. Now in the product selection, they have lots of different things. Like they have PetDots, AquaDots, SpaceDots.


GRAHAM CLULEY. Hang on a minute, hang on.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. So what, these are dots for your pet?


CAROLE THERIAULT. Yes, to make sure that they're at ease.


GRAHAM CLULEY. And what's an AquaDot? You can't stick it on water.


DAVE BITTNER. Stick it on your fish.


CAROLE THERIAULT. I would go tell you if I could get to the website.


DAVE BITTNER. Stick it on your fish.


CAROLE THERIAULT. But the website's down.


DAVE BITTNER. If you have a goldfish, just stick this to its tail.


CAROLE THERIAULT. Maybe when you're swimming? Like what?


DAVE BITTNER. Put it in the bathtub?


CAROLE THERIAULT. Yeah. So they say at one point on the website, they say it is the natural fields or information programmed onto the magnetic dot that does the work and creates positive change. Okay. Full stop. The next sentence, magnets have been used as storage devices for decades. Bank cards, videotapes, a computer hard drive are all examples of magnetic storage. It's unrelated.


UNKNOWN. Yeah.


CAROLE THERIAULT. So they're basically saying because we use them to store our devices, it's good for you. We trust it. We trust magnets. It's crazy. Anyway, and the other thing I scooped up on their website is they have this set of— this place where they talk about independent research, which—


GRAHAM CLULEY. sorry, I'm being a bit slow. What you're saying is this company, Energy Dot, sell little stickers which you stick on your equipment and it then produces harmonization and good stuff in your life. Is that right?


CAROLE THERIAULT. Why is it so complicated to you? It's completely clear from everything I've said.


GRAHAM CLULEY. Oh, sorry.


CAROLE THERIAULT. This is all the stuff from their website. I don't know why you're trying to dig in.


GRAHAM CLULEY. Just trying to clarify. Trying to find a problem?


CAROLE THERIAULT. No, no, no, you're absolutely right. You're absolutely right. It's not very clear what it does. I was looking to try and get an actual description of what it does, right? Not easy. But what they're trying to do from all these words on their website is to show that it gives you something good. And this is one of the examples they have in their independent research. It's called Chickpea Growth, okay? And it says, quote, "We all need a healthy living environment to thrive, and this can affect the way we think and feel both mentally and physically. Our chickpea experiment was conducted over a 15-day period to learn more about the effects of EMFs. The results found that exposed to a mobile phone, chickpeas were unable to grow as much in comparison to alongside a mobile phone with a Smart Dot." So there it is.


DAVE BITTNER. That's all the evidence I need.


CAROLE THERIAULT. Yeah, there was no link to any research on that one, but I'm sure it's peer-reviewed.


GRAHAM CLULEY. Yeah, that would be interesting if it was true, though, wouldn't it? Well, that sounds kind of interesting.


DAVE BITTNER. Yes, if it were true, it would be interesting, Graham. If only these things were infused with copper, then, then we'd be on to something.


GRAHAM CLULEY. How much do these stickers cost?


CAROLE THERIAULT. Oh, they're not cheap. They're not cheap. They're about £20 a pop. You can get a whole— you can get the whole gamut, like a whole pack, I think, for— it was like £180. So what, $250?


GRAHAM CLULEY. Oh my goodness. Because Smashing Security stickers, if anyone wants them from our online store, are a lot less than that. Or if you become a patron, you'll be sent 3 stickers very generously.


CAROLE THERIAULT. Now, earlier today, previous guest of Smashing Security, Graham Cluley, Kathleen Jones. He wrote a piece about these energy dots because they did a little digging of their own. So they went out and bought some energy dots and then they sent them.


GRAHAM CLULEY. Did they buy chickpeas as well to do the experiment properly?


CAROLE THERIAULT. They sent them to the University of Surrey for tests. And would you be surprised the test found no evidence of any effect?


GRAHAM CLULEY. No.


CAROLE THERIAULT. Like at all. Like nada. Like nothing. Energy Dots told the BBC that the stickers were programmed with scalar energy, which the scientist equipment would be unable to detect. The scalar energy—


DAVE BITTNER. what are you gonna do?


GRAHAM CLULEY. I mean, so it sounds like pretty, pretty shoddy reporting by the BBC then, who didn't do it properly.


DAVE BITTNER. You know, I'm sure there's some sort of, uh, quantum element here as well, because as we all know, things happen in the quantum realm that we simply cannot understand, but they happen. And yeah, shame on the BBC for their shoddy reporting and testing techniques. I mean, I'm on team Dot.


GRAHAM CLULEY. Fake news.


CAROLE THERIAULT. Even last year, USA Today said, look, we are doing a fact check into this and they found no evidence, right, that the low-powered magnet would protect cell phone users from EMF radiation. Anyway, so all this is going on and the crux of this, right? So I was thinking, how does this happen? How do people fall for this? 'Cause people are, and that's why people like Rory are writing about it. We're trying to tell people this may not be very good. There is lots of charlatans out there making a buck out of this weird kind of Venn diagram between fact and ill fact, or non-fact. There's that sentence, absence of evidence is not evidence of absence.


GRAHAM CLULEY. Do you think that's why their website has disappeared as well? It's gone absent because then we can't disprove any of it because it's no longer available.


DAVE BITTNER. It probably got hit by an EMF pulse.


GRAHAM CLULEY. I heard, I read this BBC News report and it's quite interesting and people have to be very careful about what they believe online, surprise, surprise, because they claim to have partnered with two NHS hospitals.


UNKNOWN. Oh yeah.


GRAHAM CLULEY. And the references to those hospitals have disappeared from their website apparently once the BBC started making inquiries because one hospital said, well, we don't know anything about this, we haven't partnered with them. And the other hospital doesn't actually exist.


CAROLE THERIAULT. Yeah, and then they said, oh, it was a screw-up with their ad people. I know.


DAVE BITTNER. I mean, it doesn't exist in our realm, but what about the quantum realm? I'm sure—


GRAHAM CLULEY. oh, here you go—


DAVE BITTNER. hospital in another dimension.


CAROLE THERIAULT. But you know what, like, okay, so say, let's say I met someone on the street that was talking about all this stuff, and, you know, I knew absolutely nothing about EMFs and all this stuff and blah blah, and I would go and start Googling it, right? I would go do a search. So today I was screwing around doing different searches and I had like "5G scientists find" or, you know, "latest news on EMF radiation" or "what is EMF radiation" or— and all of them, the first page, I had contradictory news. So I'm looking at one here. I took a screenshot of one and it says "Scientists brand 5G claims complete rubbish." Right. Another one says "5G confirmed safe by radiation watchdogs." You're thinking, okay. And then "A prominent scientist warned that 5G could pose health hazards." You know, that's number 4. "Science: What are the percentage of serious health effects with 5G?" That's number 5. And these are all on the front page. So obviously those that are trying to make a buck out of this are spending a lot of SEO money to grab the top locations of this through keywords. And that may be where, you know, if I want to go educate myself, what am I going to do if I'm a normal Joe? I'm going to go and Google it, or I'm going to go to a search engine, type in the keyword. And then I think, oh, these guys are selling for 20 quid this potential harmonization which may or, you know, do something. What's the harm in me buying it? Even if it's fake, who cares?


DAVE BITTNER. Yeah.


CAROLE THERIAULT. And I don't know how to deal with that argument.


DAVE BITTNER. Well, I can tell you from my perspective that nothing gets the conspiracy theorists out of the woodwork like mentioning an EMP pulse on our show, which is a, you know, and it's a real thing, a real possibility, you know, that's this notion that someone sets off a nuclear weapon, it creates an electromagnetic pulse and all the computers and things stop working. There's something to that, but in terms of the top 10 threats we need to worry about of keeping the electrical grid going, it's probably not up there. But let me tell you, if you even mention it in passing, people run to their local public libraries and start sending you emails about it. It is one of those things that the folks who are into this sort of thing electromagnetic stuff, boy, do they latch onto it and they come at you with vigor.


GRAHAM CLULEY. Well, thank you for mentioning it on our podcast then, Dave. I really appreciate that. Nice.


CAROLE THERIAULT. Jeez.


DAVE BITTNER. I just, I'm spreading the love.


CAROLE THERIAULT. I'll leave you with something quite ironic. I think I'm using the term correctly, but so I of course checked out their privacy statement because why wouldn't I? And it says, with this website, there are no implied conditions, warranties, terms or representations regarding the quality, accuracy, or completeness of the information. Right? So they're basically saying it could all be bullshit. We're not holding ourselves accountable for anything we've said here. And then they also say, Energy Dot's website pages do not constitute either an offer or legal or professional or medical advice. And by using this website, you confirm that you have not relied on any such content. So basically, don't trust us is the other thing it says.


DAVE BITTNER. Right, right.


GRAHAM CLULEY. To be fair, we'd say that for our podcast as well. I mean, we would say don't believe anything we say or trust us or believe it or, you know, don't rely on us.


DAVE BITTNER. For entertainment purposes only.


CAROLE THERIAULT. Well, I would say that's true for one of us, clearly.


DAVE BITTNER. I think he's saying, I think he's saying don't blame me. It's not trust, it's about blame.


CAROLE THERIAULT. Exactly. Well, I do blame him for so, so many things. Anyway, but if a company says don't trust us, maybe we should listen. Maybe. I don't know. Hey, Graham.


GRAHAM CLULEY. Hey.


CAROLE THERIAULT. Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?


GRAHAM CLULEY. Why are you saying that? You thinking I'm getting forgetful?


CAROLE THERIAULT. Um, yes, often, very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time I mean, how, how the heck do you even remember a password in these scenarios? Nice segue, eh?


GRAHAM CLULEY. Yeah, well, I use a good password manager. I in fact use 1Password.


CAROLE THERIAULT. 1Password, that's one with a one, right?


GRAHAM CLULEY. That's right.


CAROLE THERIAULT. One password.


GRAHAM CLULEY. It's a great password manager. It works for home use. It works for families. It works for business. So I run a little business here at home. Um, and it means, and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online. It makes it really easy for me to create and use strong passwords or share them with my colleagues.


CAROLE THERIAULT. Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.


GRAHAM CLULEY. Yeah, and listeners can find out more, and they can try 1Password for free for 14 days at 1password.com. Thanks to them for supporting the show.


CAROLE THERIAULT. Hey, Clue Clue, did you hear my CrowdSec special interview that I did?


GRAHAM CLULEY. Well, the one at the end of this podcast?


CAROLE THERIAULT. Yeah, the one of episode 210.


GRAHAM CLULEY. Yes, yes. Yeah, I've heard it. Yeah.


DAVE BITTNER. Did you?


CAROLE THERIAULT. Yeah. Okay. I don't know if, I don't know if I believe you. Tell me everything you know about CrowdSec. Go.


GRAHAM CLULEY. Oh, okay. CrowdSec, they're building a community where SecOps and DevOps can join forces around the world. And actually make a difference against all the new attacks which are coming out. Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.


CAROLE THERIAULT. Okay, tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?


GRAHAM CLULEY. Okay, yeah, they analyze your visitors' behavior. They deal with the malicious traffic. And oh yes, they automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.


CAROLE THERIAULT. Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this. So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net/smashing. And Smashing Security special listeners, guess what? There's a prize just for you if you go and join the user community. Find out what it is, we're dying to know. Learn more, crowdsec.net/smashing. And thanks to CrowdSec for supporting the show.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. I think we've all been reeling from the horrendous news reports coming from America where we saw people breaking into a building and then obviously causing some mayhem and distress and stealing stuff as well and doing a lot of damage. And that's why my pick of the week this week is a computer game all about the removal business. It's called Moving Out. And in Moving Out, which is available on Steam and also available for the Switch, PlayStation, and Xbox— I've been playing it on the Nintendo Switch— you are a house removal person working with your partner, and your job is to move everything from inside the house into the removal van within a certain time limit. And of course, you have to do this in coordination because there are some things which are quite heavy, like fridges, like sofas.


CAROLE THERIAULT. You recently moved house, didn't you? So, so you're obviously quite good at this. Is that— you're like, no, no, no, don't touch that one.


GRAHAM CLULEY. That's right. And so it's quite amusing because of course you have to coordinate with your colleague in the removal business to say, you get that end, I'll get this end. And you're trying to get through the door together and you keep bumping up against it. And eventually in this game, what you find works best is to smash the windows and throw the sofa out of the window to get it out that way. And so you're knocking things over left, right and center because you're so desperate to get things into the van to get to your next job that mayhem ensues and the craziness truly does. If you've ever played a video game like Overcooked or perhaps even closer to this is a great, great game called Totally Reliable Delivery Service. Overcooked, you, if you played that, Dave, you will certainly know the kind of mayhem.


DAVE BITTNER. Yes, I've played Overcooked. It's a lot of fun.


GRAHAM CLULEY. It's a lot of fun. Well, Moving Out is similarly a great deal of fun, and that is why it is my pick of the week. Links in the show notes.


CAROLE THERIAULT. Hey, sounds, sounds interesting.


GRAHAM CLULEY. It's good fun. Dave, what's your pick of the week?


DAVE BITTNER. Well, I also have a video game. You know, I like puzzle games. I like something that's going to take my mind away from the day-to-day things that we've been dealing with all last year. And it seems into this year as well.


GRAHAM CLULEY. And if you've got a problem with that, all you need is some harmonization. Maybe you should stick a dot on your forehead.


DAVE BITTNER. It's true. It's true. Well, now I know. Now I know. I'm gonna, if they get their website working, I'll order some. So a game I've been enjoying, I've been playing it on my phone, it's called Poly Bridge. And this is a puzzle game where it is your job to construct bridges across, mostly across bodies of water. And so it's this sort of combination of engineering skills. You have different materials that you can use to build the bridge. You have wood and steel and ropes and steel cables and things like that. You have different types of vehicles you have to get across the bridge. Some of them are light, some of them are heavy, some of them move fast, some of them move slow. But it has a physics simulator. So when you build your bridge and you click go, these vehicles try to go across the bridge. And part of the fun, I will admit, is when the bridges fail, they fail catastrophically. And so, oh, wonderful fun to watch your bridge collapse and everyone go into the drink.


CAROLE THERIAULT. So do you have to learn some physics? Like, so you come away with a bit more knowledge? Do you think you're more reliable now? Could I trust you to build a bridge if you and I were walking along and there was this big stream and there was some wood nearby?


GRAHAM CLULEY. I need you to be some Isambard Kingdom Bittner now. Are you capable of making some truly impressive bridges?


DAVE BITTNER. Yes, I will say that you do get much better at this as you go along because you learn what works and what doesn't. And they start you out with very simple things, but as you go along, they get more complicated, you have to build many more things. There are hydraulics, there are drawbridges, all sorts of fun challenges that you have to make your way through. There is a Poly Bridge 2, which I also recently started playing, having made my way through Poly Bridge, the original Poly Bridge. And to your point, I— what I found was that starting out Poly Bridge 2, which starts at a lower level, I can just zip right through the beginning of it because of all these skills I've learned along the way on the regular Poly Bridge. But it is a fun game. It's distracting. If you like these sort of little engineering puzzle types of games, it has a whimsical nature to it as well. I highly recommend it. It's Poly Bridge and it is my pick of the week.


CAROLE THERIAULT. And where do you, where do you play it? Do you play it on Steam or?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Do you play on your phone?


DAVE BITTNER. Yes, I play on my phone. It's available in the App Store for iOS. That's where I play it.


GRAHAM CLULEY. It's available on Steam. Yes, I think I've played it on the Nintendo Switch. It's good fun, this game. I've played it as well. I'm not very good at it.


CAROLE THERIAULT. Geez, Graham, do you do anything else?


GRAHAM CLULEY. No, no, no. No time for anything else. That and the podcast, Carole.


CAROLE THERIAULT. Cool, I like the sound of this one. I think this sounds—


GRAHAM CLULEY. Oh, you don't like the sound of mine?


CAROLE THERIAULT. Not as much. Just the mayhem ensues. I just— Yeah, I don't know. Maybe when I come over, we can play it in 2025.


GRAHAM CLULEY. Yeah, exactly. See you then.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, let's start the year as we mean to go on, an audio drama. Brand new 10-episode pod thriller from the BBC called The Cipher. And it all starts with a mysterious puzzle that appears online. A cryptic parallax. And our main character, who's incredibly curious and smart-mouthed and sharp-witted and intelligent and 16, cracks the parallax. But rather than a big celebration, everything goes askew. And obviously, I'll hide the details, but things get exciting. She ends up hunting a serial killer at some point, who seems intent on killing top-rated scientists from around the world, and what's going on. Anyway, it's really fun. And, uh, it's a great pandemic audio junket because you're like flying around, going to different countries, doing all kinds of crazy stuff, running around. A bit like, um, what's his name, the guy who lives up in Jackson Hole? I can't remember his name.


DAVE BITTNER. Where in the world?


CAROLE THERIAULT. I can't remember his name. Harrison Ford.


DAVE BITTNER. Harrison Ford.


CAROLE THERIAULT. It's a bit like that, but with a 16-year-old girl.


DAVE BITTNER. Do you mean Indiana Jones?


CAROLE THERIAULT. Yes.


DAVE BITTNER. Yes.


GRAHAM CLULEY. Oh, great.


DAVE BITTNER. Okay.


GRAHAM CLULEY. Now we're with you.


DAVE BITTNER. All right. Long, long way to get there, but we got there, so that's good.


CAROLE THERIAULT. I just had this complete brain fart, like complete, like nothing. There's nothing in there that could help me. Anyway, 10 episodes. It's a thriller. They're about 20 minutes or 30 minutes an episode. Easily digestible. Enjoy. Find it wherever you get your podcasts, including BBC Sounds. Do you use BBC Sounds, either of you?


DAVE BITTNER. Graham?


GRAHAM CLULEY. Only when it's only available on BBC Sounds.


CAROLE THERIAULT. I think the app's quite good, actually. I think the app on iPhone, I was playing around with it, and I'm like, it's not bad. I think it's pretty good. There you go. So that's my pick of the week. What's it called again? The Cipher.


GRAHAM CLULEY. Marvellous. Now, Carole, I believe you've got a featured interview up your sleeve for us this week.


CAROLE THERIAULT. I do, with the founder of CrowdSec, which was very exciting. Now, this is a great interview. Not only is he super, super personable, but I got to learn a lot about his approach to security. Check it out. Okay, so I am here with the delightful Philippe Humeau. You will hear that he has a French accent, which I adore. He is the founder of CrowdSec. Now, CrowdSec is one of our sponsors. And CrowdSec's not just their company name, it is also the name of their free open-source security automation tool. Now, we're going to get into that in a little bit. But first, I want to welcome you to the show. Thank you, Philippe, for coming on the show.


PHILIPPE HUMEAU. My pleasure. I'm really happy to be there with you and discussing. And with my strong French accent, I hope everyone will understand.


CAROLE THERIAULT. OK, so let's start. Let's start with the landscape. So right now, we're still in the middle of the pandemic. We've got tons of big companies out there with huge remote workforces, and we are still seeing loads of hacks happening. So why is that happening? What's going on? Maybe you can just give us a bit of insight onto the environment we're looking at right now.


PHILIPPE HUMEAU. Yeah, absolutely. It sounds crazy, but even in 2020, we were not ready for such a remote workforce, you know? And even the biggest companies got hacked, and even in the early 2020, one, repeat it again, based on what, 20 years of experience in the industry, I think there are 4 pillars to it. The first one would be time, you know, because you never get to choose a time when you're attacked, right? It's the time between the zero-day, zero-day is when you find a new vulnerability, and when the patch is released, and when the patch is released and when you apply it. And all of this takes time. And on the attacker side, the time is counted in seconds, you know, and on the defense side, it's counted in weeks. And this is totally asymmetrical. But there are other points that are asymmetrical. If you think about it, like firewalls, they are not filtering much of what's really happening because you don't filter anyone coming to what, your mail, your website, your apps, your DNS and all. All of those protocols are just not filtered or barely filtered, and most of them are now encrypted, so it makes it extremely complicated for appliances to see through the traffic, see if there's something dangerous. So once again, it plays against you. Then the next one would be the perimeter, and actually I think it's even the biggest one. Back in the '80s, CTOs had their servers in their basement and they were happy about it because they can draw a wall around, a sort of castle around all the resources.


CAROLE THERIAULT. It's almost like a watered moat and they're in control of everything.


PHILIPPE HUMEAU. Yeah, it's kind of Alcatraz. Or if you want another image that is fun, it's like this Gandalf in the middle of the bridge in the Mines of Moria saying, "You shall not pass," except there are thousands of bridges and no Gandalf. So it doesn't play well. But more seriously, I mean, if you think about these cloud drives, Dropbox, for example, or Google Drive, whatever.


CAROLE THERIAULT. And we all use those all the time, right?


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. For personal stuff, for work stuff.


GRAHAM CLULEY. Yeah.


PHILIPPE HUMEAU. We store everything there and we mix private and professional life greatly in this. There is the cloud, there are a lot of containers, SaaS. I mean, you can store things in your WordPress back office for what it's worth. We wouldn't know about it being the CTO. And then we had the pandemic, so we had the COVID-19 VPNs, as I call them. I mean, before that, some companies had some VPN, and after the COVID all companies had VPNs. But how many of them were ready for that? How many did the job properly or made the proper security policies around it? So basically, now you've got the little one in the gaming room playing with the PlayStation or their Android device and bringing all the hell of the world into your central IT core system because there are no more perimeters, right?


CAROLE THERIAULT. Exactly. And from what you're saying, as the person in charge of all the traffic and managing the systems, you actually have fairly limited visibility and time to act due to how it works and due to encryption and due to lack of information you have and visibility.


PHILIPPE HUMEAU. Yeah. Yeah, absolutely. I mean, this is why the game is rigged, but there's one more force at work and it's tremendous. It's money. You know, we all know that this is the biggest one ever in the world. So hackers, hackers are using what? Stolen servers, you know, that compromised before. They're using their IPs and resources, so it's for free basically. They're using free open source tools, some of them buy a bit, but it's mainly free open source tools, and their time. And when you're on the defense side, you need to use what? Appliances that cost a hell of a lot, licenses, you need to have DevOps and SecOps people watching over your security and creating a proper environment. You need to do a pen test and so on.


CAROLE THERIAULT. It's stressful. No wonder most IT people are bald. No, I'm kidding. I'm kidding. But no, but I can understand the stress levels, right? I'd want to pull my hair out, especially now in this new world. It's scary.


PHILIPPE HUMEAU. And the worst part is they just have to succeed once. You know, you have to defend and foil all of their attacks, all of them, one by one.


CAROLE THERIAULT. Every single one.


PHILIPPE HUMEAU. They just have to succeed once. Yeah, this is the crazy part. So it's totally rigged. That's why it's so asymmetrical. And that's why even big companies fell for hacking in 2020 and before.


CAROLE THERIAULT. Okay, okay. So I see the scene now. It's very bleak. But you, you created this CrowdSec tool for a reason.


PHILIPPE HUMEAU. You know, someone lately told me, gave me a new way of seeing it. It's kind of a giant multiplayer firewall.


DAVE BITTNER. Firewall.


PHILIPPE HUMEAU. And it's exactly this, actually. It's brilliant because we've been working on this for a year now, and it didn't come into my mind. The best way I could represent it before was like, it's a Waze of security, right?


CAROLE THERIAULT. Yeah.


PHILIPPE HUMEAU. So, but it's this, it's a giant multiplayer firewall. So this tool is not really a firewall as such. It's foiling attacks by looking at behavior. So for example, if you knock like 5 times the password and it's not the right one, maybe you don't have the password and you're trying to guess it, right? It's called password brute forcing. Or if you constantly call URLs on the website that do not exist, maybe you are scanning the website and not making a legitimate use of it. Okay, so the basic layer is this: it's a behavioral standpoint. We try to assess what you're doing with the resources. So it's super simple. There are scenarios, you just apply them, and it detects the shenanigans in your logs, right? But this is kind of, it's known and not known. But I mean, the tool does something that maybe some other tools are doing or used to do, like fail2ban. But we added something new to this. And the thing is the crowd. The crowd is so powerful.


CAROLE THERIAULT. The crowd, like, so this is all the other people, like the community of users, right?


PHILIPPE HUMEAU. Everyone using it. If you foil an attack, if you block an attack because, you know, say it was a brute force, you detected it, then you share the IP across the network.


CAROLE THERIAULT. Right.


PHILIPPE HUMEAU. Basically it's this: you detect an attacker, you detect its IP, and you share it all across the network. So this IP is burnt for all the users using the product. And it's extremely powerful because if you think about it, it's, it's a bit like Waze. You don't need to know, uh, what's happening, you know, 2 kilometers away from you because the GPS is going to tell you there's a roadblock or, I don't know, a speed trap or, and it shows you everything that's happening. And it's based only because all the users are sharing their position and speed and also what they saw on the road. And it's exactly what we're doing, but on the internet.


CAROLE THERIAULT. So what you're saying is you, whenever your tool spots something, a bad IP, it shares that bad IP with all the other community, blocking it from availability.


PHILIPPE HUMEAU. Absolutely. And the point is we want to make, you know, if you think about it, a hacker has a few resources that he really cares about. You know, it's time, obviously. But the second most precious resource is IPs, IP addresses. You know, if he compromised like 3,000 of them, he's using them on a daily basis to, I don't know, validate credit card numbers, for example. He has stolen a credit card database and he wants to validate every number to resell them at a higher price. And what he does is using those 3,000 IPs to do so, just not to get caught with one only. But if you burn them, it's like if you're emptying the cartridges in his pocket, you know? So he cannot fire anymore at you because one by one they get burned.


CAROLE THERIAULT. Exactly.


PHILIPPE HUMEAU. In the end, he doesn't have any more cartridges.


CAROLE THERIAULT. I noticed in the beginning I said it's a free open-source security automation tool. So this is for free? How does that work?


PHILIPPE HUMEAU. Yeah, we're part of those people that think open source doesn't mean being poor and walking in the woods to hunt for little animals to feed your family, yourself and so on. We think those people are extremely talented. The people that are working with us are extremely talented pentesters, SecOps, DevOps that have like years of experience. So those people, they should earn their money, right? So what we do is we have to find a way of monetizing this properly and in respect for the community that is— and I, I shall tell it like every day again— our biggest asset. So we should never ever be aggressive toward this community. The softest way we found is that people not partaking in identifying those bad IPs are paying to get access to this database. So even though you would not partake in the network, you could still benefit from its database, but you would pay for your access for that.


CAROLE THERIAULT. Okay. So what you're saying is if I used your tool and I said, yeah, yeah, I don't want you to see any of the IP address or any of the information, I don't want to take part in blocking IPs, you say, no problem, that's fine, but we're going to ask for a fee from you to use the service. That makes total sense to me.


PHILIPPE HUMEAU. Absolutely.


CAROLE THERIAULT. Okay, got it. Yep.


PHILIPPE HUMEAU. And we think it's more than enough for us to be profitable, first of all, and to have the softest possible monetizing way toward the community.


CAROLE THERIAULT. Yeah, because obviously you want to pay people. I hate how often in our industry people are underpaid.


PHILIPPE HUMEAU. You remember this SSL thing? Yeah, it was like 2 years ago, I think.


CAROLE THERIAULT. Tell me, tell me.


PHILIPPE HUMEAU. There was a vulnerability in the SSL library, right?


CAROLE THERIAULT. Yes.


PHILIPPE HUMEAU. And everyone on earth is using it, like banks, major businesses, all of them, they rely on this SSL library. And then the developers were pointed, finger pointed, like, okay guys, you did crap. How could you let that pass? And so on. Those guys were working for free. I mean, tons of businesses were making money out of it and those guys were working for free.


CAROLE THERIAULT. It's outrageous.


PHILIPPE HUMEAU. That's so gross. Gross.


CAROLE THERIAULT. Yeah, yeah, gross. Yeah. People that use your tool and they do decide to share their data and help the community, they get to use it for free, is that right?


PHILIPPE HUMEAU. Yeah, absolutely. And on top of that, we don't even export the logs, right? Because, you know, since we are based in the EU, there is a strong regulation around that, it's called GDPR. And it states basically, it's very protective toward privacy, which is great. I mean, we love it. So we don't export logs as such. Everything is treated locally and we just get the meta. The meta being like the timestamp, when is this event happening, the IP that is involved in the shenanigans, and the scenario that the IP tried to trigger, like, I don't know, password brute force or credit card stuffing or whatever it is. And this is the only information that is flowing back from you to us. So we don't export your logs. We don't want to know where you are or whatever, what you do. We just want to see who is attacking who.


CAROLE THERIAULT. God, to hear a company say that is so great. I just hope we get more companies that say that. Tell you what. Tell us, who is the kind of person that would really benefit from this? Is this like from a home user to a small business to enterprises?


PHILIPPE HUMEAU. We thought it would be SMBs and small companies would be the major benefactor from this. They would really enjoy the fact that it's costless or close to it and they would instantly get better security. But in the end, the first one that asked for a contract is a very big US hosting company.


CAROLE THERIAULT. Oh, there you go.


PHILIPPE HUMEAU. Yeah. It's kind of a tier 1 thing. We're like, okay, so our business model, the one that we showcase to our investors is like, okay, you know, guys, there's a lot of SMBs out there and they want to have better security. Smashing security, for bugs. And this is where we stand. And, you know, like, in December, you get a Tier 1 demanding, okay, can we get a support contract with you guys because we intend to deploy tens of thousands of machines? And you're like, sure. But let me call my investor because I need to tell them something first. Guys, we were wrong.


CAROLE THERIAULT. Yeah, yeah.


PHILIPPE HUMEAU. I don't know. I mean, anyone can use it. If you think about it, across the industry, across 40 years of IT devices ranging from the old school IBM machine in your basement that was doing the accountancy in the bank up until the latest Apple Watch 6, all of them have one common point. They can do web requests, HTTP requests, right?


CAROLE THERIAULT. Yeah.


PHILIPPE HUMEAU. So if we can, and this is what we do, if you can enable trust in just one HTTP request, you can have things like IoT devices that are dumb as such, or very limited in resources, and that cannot make any smart thing to analyze security. The only thing they can do is like, "Okay, can I connect to this?" And you can tell them, "Yeah," right? On the fly. You can say, "Yeah, you could," or, "No, you should not." And so you can protect things that are even the dumbest or the smallest possible CPU package and RAM package, and that can't do any of those things.


CAROLE THERIAULT. It's certainly exciting times at CrowdSec. Yeah, it is.


DAVE BITTNER. We love it.


CAROLE THERIAULT. We could talk all day now. Is there anything else you'd like to add?


PHILIPPE HUMEAU. Yeah, please. I mean, it's, it's a global thing we are trying to start, so it's just a sparkle now, and we need the community to grow. We need people to come and say, okay, we need this and that, or to develop tools with us, to interact with us. I mean, money is not the stake here. I mean, we have really literally VCs knocking at the door every other day. So what we need more than money is people interacting with us, discussing with us, saying we need this, we need that, "Hey, we'd like to develop this and that, how should we do it?" So please come and join the crowd. We are here to back each other and we'd be delighted to discuss and interact with you guys and try the product. It's really cool and it's free.


CAROLE THERIAULT. Fantastic, guys. You can find all the information you need at crowdsec.net/smashing and that's with a G. What an amazing interview. Thank you so much, Philippe Humeau, the founder of CrowdSec.


PHILIPPE HUMEAU. Thank you. Anytime you want.


CAROLE THERIAULT. Brilliant.


DAVE BITTNER. Cool.


GRAHAM CLULEY. Well, that just about wraps it up for this week. Dave, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more about what you're up to. What's the best way for folks to do that?


DAVE BITTNER. Well, you can follow me on Twitter. It's @Bittner, B-I-T-T-N-E-R, and everything else is over on thecyberwire.com.


GRAHAM CLULEY. Cool. And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And we're also on Reddit, go and look for the Smashing Security subreddit up there. And don't forget, make sure you never miss another episode of Smashing Security, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.


CAROLE THERIAULT. Again, big thanks to our sponsors, 1Password and CrowdSec, and to our wonderful Patreon community, all of whom help us make this show free for all. Now, if you want details of past episodes or sponsorship information, guest lists, or the entire back catalog of our 200+ episodes of Smashing Security, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, ta-ta for now.


DAVE BITTNER. But you know what? Very interesting to me that in watching the show, I had a revelation that Graham and I have something in common.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Is it an inherent ruggedness and squareness of chin?


DAVE BITTNER. Well, beyond that, beyond that.


GRAHAM CLULEY. So what do we have in common?


DAVE BITTNER. Well, Carole, do you remember some of the things that Graham talked about on the live stream?


CAROLE THERIAULT. I wasn't listening.


DAVE BITTNER. You weren't really. All right. Well, let me lead into this. Let's take a little trip back together.


GRAHAM CLULEY. Right. Yes.


DAVE BITTNER. The year is 1985. The internet's domain name system has just been created. We're all holding hands and singing We Are the World together. And 4 postmenopausal women have just moved into a Miami condo and started calling themselves the Golden Girls.


CAROLE THERIAULT. Oh, yes.


GRAHAM CLULEY. Happy days.


CAROLE THERIAULT. She's still going, you know.


GRAHAM CLULEY. She is.


CAROLE THERIAULT. Yeah.


DAVE BITTNER. I'm 15 years old. I'm a sophomore in high school, and my father has just finished a term volunteering as a board member for a local nonprofit. And as a thank you for his time with this organization, they present him with a lovely leather briefcase.


CAROLE THERIAULT. Leather briefcase.


DAVE BITTNER. My father is very proud of this briefcase. He starts using it day by day. And one day I'm downstairs where he has his little office, and I see sitting next to his desk is his old briefcase. And I say to him, Dad, what are you going to do with that old briefcase?


CAROLE THERIAULT. Please, Dad, can I have it? Please, Dad, please.


DAVE BITTNER. And he says, Son, would you like to have that briefcase? I say, yes, Daddy, I would.


CAROLE THERIAULT. Norman Rockwell, right.


DAVE BITTNER. And so the briefcase got passed on to me and I started using this briefcase in school to carry my books, my personal effects, my papers, my pens, the various things.


CAROLE THERIAULT. My calculator.


DAVE BITTNER. Calculator. Yes, indeed. So Graham, you and I have that in common. I'm curious, at what point did you stop using your briefcase? Because I remember the moment for me, but I want to hear yours.


GRAHAM CLULEY. Oh, I think I probably continued using it for quite some time, even after the lovely Harriet inquired why I carried— was the only kid at school who had a briefcase. I don't think I took that as a hint. I don't remember stopping. I must have stopped at some point, but I don't recall. What happened with you?


DAVE BITTNER. Well, as you both know, I was very much into theater in high school. So one day after school, I went into a rehearsal for one of the shows that we were doing. And again, I'm a sophomore in high school and I remember a young lady, a couple years older than me, a senior, a beautiful statuesque young lady with long flowing red hair, a dancer, so quite beautiful. Everything that a young 15-year-old boy could possibly want, but was so far out of reach. And as I walked in, she looked at me and she said, "What's with the briefcase, nerd boy?" And immediately you set fire to it. I let it go. It dropped to the floor and kicked it to the curb.


GRAHAM CLULEY. It's tragic.


DAVE BITTNER. It really was.
