
285: Uber's hidden hack, tips for travel, and AI accent fixes


Uber may not face prosecution over its handling of a 2016 data breach, but its former chief security officer does; how to defend the data on your digital devices while on vacation; and how to change your accent with artificial intelligence.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security's Paul Ducklin.

Plus don't miss our featured interview with Ian Farquhar of Gigamon.

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • SolCyber – SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?
  • Gigamon - Gigamon is the leading deep observability company. Download their latest report into the state of ransomware to learn why deep observability is the new frontier for tackling the ransomware crisis.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Oh no, I do remember. What I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought.


GRAHAM CLULEY. You know, this is news at Facebook, wasn't it?


CAROLE THERIAULT. Yeah, it's not that he pulled out the huge guns and started going, "Da da da da da da!" He would never have done that, and I'm really pleased that he didn't do that.


UNKNOWN. That's right, yes. Smashing Security, Episode 285. Uber's hidden hack, tips for travel, and AI accent fixes with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 285. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole. And also hello to our special guest this week, who is Carole? Well, no, he isn't Carole, but Carole, who is it?


CAROLE THERIAULT. Definitely not me. It is the wonderful, the fantastically funny, Paul Ducklin from Sophos.


PAUL DUCKLIN. Well, with that introduction, Carole— Graham made a slight mess with his commas in that sentence, they're quite hard to do vocally.


CAROLE THERIAULT. He's still learning.


PAUL DUCKLIN. They're very kind words anyway. Um, I suppose I could be witty now by being deeply dry and boring throughout so that everyone goes, what a funster.


CAROLE THERIAULT. Thanks to this week's sponsors, Bitwarden, Gigamon, and SolCyber. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what have you got?


GRAHAM CLULEY. I'm going to be taking a ride back to the recent past to talk about a data breach.


CAROLE THERIAULT. Oh, it's hot tub travel something time machine.


GRAHAM CLULEY. No, not time— not hot tub time machine. Not that again. All right.


PAUL DUCKLIN. Okay, Paul. Oh God, it's not gonna be Doctor Who, is it?


GRAHAM CLULEY. No, no, no, no. Just hold your— just hold your fire until I start my story.


CAROLE THERIAULT. Duck, what about you?


PAUL DUCKLIN. I am going to be talking about how you can travel with digital devices more safely by remembering a few simple tips.


UNKNOWN GUEST. That's cool.


CAROLE THERIAULT. Looking at the future of global call centers. Plus, we have a great featured interview with Ian from Gigamon, who shares the results from his latest research into ransomware. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, ever taken a lift in an Uber?


PAUL DUCKLIN. Of course you have.


GRAHAM CLULEY. You must have. Have you not done—


PAUL DUCKLIN. no, no, you won't do it.


GRAHAM CLULEY. You refuse on principle. I'm not spraying out—


PAUL DUCKLIN. Absolutely.


GRAHAM CLULEY. So why—


PAUL DUCKLIN. Don't need that in my life.


GRAHAM CLULEY. Why will you not take a ride in an Uber?


PAUL DUCKLIN. Just don't see the point. Plus, I'm not really into cars anymore.


GRAHAM CLULEY. Right, okay.


PAUL DUCKLIN. I get on the train. I take my bicycle with me. And then I can always get close enough that then I get a nice ride, do a bit of the tourist stuff. It's great through London. And then you arrive right at the door and you don't have to listen to somebody else's conversation along the way telling you how fantastic it is to understand and agree with their political viewpoint or whatever it is.


GRAHAM CLULEY. Well, in which case, you also were never at any risk of having your confidential data stolen if Uber were perhaps, maybe, possibly couldn't possibly imagine that this would ever happen, if they were hacked, if they suffered some kind of security breach. And it's recently been announced that the United States Department of Justice is not going to prosecute Uber about its 2016 data breach, which occurred after two hackers found that Uber's software engineers left some of their login credentials lying around on GitHub.


PAUL DUCKLIN. As you do.


GRAHAM CLULEY. Yeah. And—


CAROLE THERIAULT. Is that hard to do? Like, you guys are techier than me. Is that something that you just, one does? Or is that just like colossally dumb of them?


PAUL DUCKLIN. It's something that one should not do.


GRAHAM CLULEY. Yes.


PAUL DUCKLIN. And that GitHub, bless their hearts, now try to detect, 'cause they look for the obvious directories that you weren't supposed to upload and go, "Whoa, no." But if you are determined to upload private data to a public place, it's very hard for anybody to stop you.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. If you're a developer, you might write a piece of test code and you might hardcode into it some passwords. For your testing purposes. And then whoops-a-daisy, you've left it somewhere public where someone else can scoop them up and abuse them, which appears to have happened in this particular case. And the hackers—


PAUL DUCKLIN. It's worse than that with GitHub type things, Graham, because you could have a whole directory tree with your code in. And when you go to sync it back, you go, oh, new project, upload everything. And you upload the hidden directories, including on Unix, the ones that start with a dot, that might include the subdirectory that has all your private stuff in it that you didn't mean to upload. So you upload everything rather than a subset of everything. So you could even include the private keys that actually give access to the whole account. Just like that.


GRAHAM CLULEY. Private keys are exciting, Carole. They're not quite that exciting, although they might— they might also open back doors into your system. Who knows? But anyway, back in 2016, these two hackers, they got hold of the passwords and that allowed them to access data which Uber had stored on AWS servers, and they stole confidential data related to 57 million customers and drivers.


CAROLE THERIAULT. Chump change these days. That's so disgusting to even say that, but—


GRAHAM CLULEY. Well, well, what the hackers then did is they contacted Uber and said, oh, hey, we've got your data. If you don't want us to release it, if you want us to permanently delete it, just pay our ransom effectively. And what do you think Uber, that rather controversial organization, might have done when faced with that?


CAROLE THERIAULT. I'm imagining they paid immediately.


GRAHAM CLULEY. Well, well, what they did was, yes, they did pay.


PAUL DUCKLIN. They paid in a special way.


GRAHAM CLULEY. They paid the hackers $100,000 in bitcoin. But controversially, they also didn't go public about the security breach. They didn't tell the world. They didn't tell the affected individuals. They paid the hackers and they said to the hackers, "Look, shh." They said, "Keep it quiet, keep it under your hat, delete the data." Which breaches convention, right?


CAROLE THERIAULT. Because you're mandated to inform people when this happens, right?


GRAHAM CLULEY. You're supposed to, aren't you? Yes, under exactly.


PAUL DUCKLIN. Particularly if you write it up on a special piece of paper headed with the words "bug found." So you— Sort of after the effect.


GRAHAM CLULEY. Yes, so Duck has remembered exactly what actually happened here because Uber's security team headed up by a guy called Joe Sullivan. Hmm, wonder where we've heard of him before.


CAROLE THERIAULT. Facebook.


GRAHAM CLULEY. Joe Sullivan used to be in charge of security at a little company called Facebook.


CAROLE THERIAULT. He did such a good job, Uber snapped him up.


PAUL DUCKLIN. Yeah, right.


GRAHAM CLULEY. So he was heading up a team and what happened was they identified one of the hackers. They worked out that he was a chap called Brandon Charles Glover. But rather than telling the authorities, "We've found out who one of the hackers is," Uber popped round to his place to go and have a chat with him.


CAROLE THERIAULT. What, with, like, baseball bats and stuff?


GRAHAM CLULEY. Maybe they took an Uber to get there. I don't know. What they did bring, rather than a baseball bat, was a confidentiality agreement.


CAROLE THERIAULT. Saying, "Shut the fuck up!" Well, more than that.


GRAHAM CLULEY. They said, "Can you sign this?" And according to prosecutors, the NDA signed by the hackers falsely stated that they had never taken nor stored Uber's data, and they agreed that the payment would go down on Uber's bug bounty. So Uber's security team disguised the payment, saying this was just a regular bug which had been found, was reported via our bug bounty program.


CAROLE THERIAULT. We decided to pay very, very generously for it because we're those kind of people.


PAUL DUCKLIN. And responsible disclosure for the win.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So it appeared as though it was the work of ethical bug hunters. And according to the DOJ, the hackers actually used their success in extorting money out of Uber as a bit of a selling point. They went to Lynda.com, you know, that online training site, I think owned by LinkedIn.


UNKNOWN GUEST. Yeah.


CAROLE THERIAULT. What did they do there?


GRAHAM CLULEY. They also hacked into them via a similar route, via the GitHub route. And they said, look, we expect a big payment. This was hard work, which we did. And we've already had a big, one big corporation pay us close to 7 digits, they said, and all went well.


CAROLE THERIAULT. Close to 7 digits.


PAUL DUCKLIN. I suppose 6 is close to 7.


GRAHAM CLULEY. 6 is close to 7, isn't it?


PAUL DUCKLIN. Let's not talk orders of magnitude, eh? It works for physicists. Why shouldn't it work for irresponsible bug bounty disclosure folk?


GRAHAM CLULEY. So Uber subsequently, they agreed to pay $148 million as settlement for concealing and badly handling the data breach.


CAROLE THERIAULT. And where does that money go? Goes to the DOJ?


GRAHAM CLULEY. Well, I think, I think, oh, the FTC. I think so. I don't think it ends up in the—


CAROLE THERIAULT. you don't bring it back to the people, the poor people whose data has been stolen.


GRAHAM CLULEY. I mean, maybe, maybe there was actually, uh, one of these suits filed, you know, where you get a class action representing— yeah, representing people who may have been affected. Um, but still, you know, with so many millions of people, what was it, 57 million people affected, $148 million, 57 million, is only— Two bucks each. Yeah, yeah, it's two, two, well, a number, a number close to three bucks each. Yes.


CAROLE THERIAULT. So you can't even get yourself a Starbucks.


GRAHAM CLULEY. So what we've got here, Uber seemingly concealing the theft of personal information of 57 million customers and drivers. And rather than informing the people who are affected, they paid the hackers over $100,000 to keep quiet.


CAROLE THERIAULT. Yeah, not only not telling their customers who probably may be sharing passwords different places, so really naughty on that front, but not also telling the regulators.


GRAHAM CLULEY. Yeah, exactly.


PAUL DUCKLIN. Well, I think there's a bit of the story that you've missed, Graham, but apparently when this happened, it was right in the middle of a period where Uber was working with the regulator to come clean about a previous data breach. Yes, I'm pretty sure that's in the story. So, obviously, if this had come out while they're in the middle of going, oh no, no, no, we've now got it all tickety-boo, you know, we've ticked all the boxes, it's all great. Right, right at the cost of resolving the previous one, this thing came in, oh golly, we can't have two, let's reduce it to one. So it seems that there's, I don't know whether that makes it better or worse, but it certainly makes it more complicated.


GRAHAM CLULEY. So prosecutors allege that Uber's security honcho, Joe Sullivan deliberately concealed the hack from drivers to stop them—


CAROLE THERIAULT. Stop doing this right now!


GRAHAM CLULEY. Yeah, well, and but also to stop them defecting to Rideshare.


PAUL DUCKLIN. That's probably what was said, I can imagine.


CAROLE THERIAULT. Exactly.


PAUL DUCKLIN. Can't handle this shit!


GRAHAM CLULEY. And the prosecutors claim that drivers were defrauded because money kept flowing into Uber, although naturally you would expect people maybe to switch. They also say that Sullivan kept the hack secret due to his own ego. He didn't want to admit failure on his watch because it looked bad on his CV. Now, Carole, I don't know if you remember, we've actually had dealings with Joe Sullivan.


CAROLE THERIAULT. Oh no, I do remember. And he was so, what I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought.


GRAHAM CLULEY. This was the news at Facebook, wasn't it?


CAROLE THERIAULT. Yes, it wasn't that he pulled out the huge guns and started going, "Da da da da da da." He would never have done that. And I'm really pleased that he didn't do that.


GRAHAM CLULEY. That's right, yes. So, so what we've got here is two cases which have been going on. So the government have been investigating Uber and they've also been investigating Joe Sullivan. Uber has been cooperating with the government and they are not a named defendant in the case against Joe Sullivan. So Joe Sullivan is now being prosecuted. Uber, now under different management than when the hack happened, have washed their hands. They've agreed with the DOJ. They've accepted and admitted responsibility for the acts which its employees did. Regarding the breach, they say that they're going to run a comprehensive privacy program for the next 20 years. They're assisting with the investigation and with the ongoing case against their former security chief, Joe Sullivan.


CAROLE THERIAULT. Oh my God.


GRAHAM CLULEY. So he's been— he hasn't got very much support from his former employer.


PAUL DUCKLIN. He's sort of been thrown under the automotive device that's technically not a taxi.


CAROLE THERIAULT. I don't know if I feel very nicely about that though, either. I really— it bugs me when companies just kind of point the finger at one solitary individual, where obviously this must have been discussed at some levels? Or do you think it was just Joe that was in on this?


GRAHAM CLULEY. Well, I believe the claim is that Uber's senior management didn't necessarily know, and it was just Joe Sullivan and one of his colleagues—


CAROLE THERIAULT. Oh, geez.


GRAHAM CLULEY. —who had sort of done this on the side. Because again, it is alleged that he wanted bad things not to happen under his watch, and wouldn't it be easier if the bug bounty— were to handle all this?


CAROLE THERIAULT. You know what? He's a great, charming guy, and I'm sure he'll sail through this with no issues.


GRAHAM CLULEY. He could, if he's convicted, face as much as 20 years in prison, but his sentence, chances are, if he is convicted, will be much lighter than that. He is, by the way, a former federal prosecutor himself. So, he'll understand what's going on the whole time. Yes, he does have a legal background. Which maybe occasionally he tried to use against us in our past conversations. Maybe. He wouldn't. No, no, he was lovely.


UNKNOWN. Duck, what are you going to talk to us about this week?


PAUL DUCKLIN. Well, it's vacation season. And you're definitely, if you're going overseas from Britain, going to either have packed or wish you packed all your digital devices to keep the kids quiet in the car while you're waiting to get on the train or the bus.


GRAHAM CLULEY. Just to keep them quiet. You feel occupied when you spend 3 days in Kent trying to get on the ferry, yes.


PAUL DUCKLIN. Yeah, why don't people just go to Kent for a vacation? It's a lovely place. And then you don't have to worry about it. Just go anywhere else. But the point is that wherever you're going these days, you're almost certainly going to pack 1, 3, or 12 digital devices, possibly 1 or more for every member of the family. Like, who would risk leaving the thing to distract the kids behind? Who would risk— you know, let's take the PlayStation, why not? It'll fit in the boot. And everyone's got a mobile phone. I know someone who took a Roomba once.


CAROLE THERIAULT. What? They took a— They just didn't wanna sweep or anything, so they just said, "Well, why not? I'm putting my stuff in the hall, so I'll take my Roomba." Yeah, okay.


PAUL DUCKLIN. Well, I think that makes my argument stronger for thinking about what you do before you travel. And so on Sophos Naked Security, we put together some travel tips. Now, they're often the same every year, you know, do the obvious stuff. The problem is that people don't, and then they get alarmed. So the first two tips kind of go hand in hand. One is, should I back up before I go? Well, that's a rhetorical question. Of course you should. You should be backing up anyway. And the really important thing about making a decent backup, particularly if you make it onto, say, a removable drive and put it in the cupboard at home, it means you're not relying on having your whole life, say, on your phone. You can remove some of the content from the devices you're taking with you so that if they get lost or stolen or inspected at customs or whatever it is, you have less on there. So you're not trying to cheat anybody, you're just saying, why take absolutely every bit of information that I've got about myself with me when I don't need to? And the flip side of that is, of course, don't think, well, I'm going on vacation, I might really need my phone, I'll sort of need it for boarding cards, I don't want to forget my lock code, I'll just go with 123400 or something that I'll easily remember in a hurry. And so when you're going away, you might as well set yourself a decent lock code before you go. You're allowed to write it down while you're at home and practice it for a few days or a week or so until you're comfortable with something which keeps your phone properly locked so that if someone runs off with it, they can't just guess what your code is, go in and see everything you've got on there.


CAROLE THERIAULT. Do you know, once my code for years was the phone number of my first boyfriend.


GRAHAM CLULEY. Ooh.


PAUL DUCKLIN. For real, yeah. So whoever had got that phone number, was that in the local—


CAROLE THERIAULT. Well, it was their childhood phone number, right? It was when, you know, so I doubt that's— It wasn't a mobile. Mobiles didn't even exist at the time.


PAUL DUCKLIN. The idea that even if you left off the area code, that's going to be 7 digits. Mm-hmm. So, and given that if that was your first phone, that was by the standards of the day when people have lock codes like 11. Or 3, you know, like one good shit, let alone 4. That was probably quite good because at least it can't be guessed. But, you know, people going, oh, well, who needs a long lock code? The problem on your phone is that the lock code is protected by the hardware on the phone. So, you know, for example, on an iPhone, you can say after 10 wrong ones, wipe the phone. And I think we all agree it's largely impossible to extract the lock code from the phone or to bypass the lock code because of the hardware protection that exists these days in modern devices. But that lock code, it can't be attacked offline. So someone can't take the phone and try a million times, they still only get 10 goes. But if they can guess the lock code, then they can pretty much get in and that unlocks the decryption key for the device itself. And lots of people just stay logged in in all their apps. They never actually log out. So if you can open somebody's Facebook app or Twitter app or Instagram app or WhatsApp app or whatever, you kind of get straight into their accounts.


GRAHAM CLULEY. And there's nothing to stop a mugger or something if they wanted just to sort of brandish a knife or a screwdriver or something sharp and say, tell us your password so we can get into your phone. I mean, that's the real weak link.


CAROLE THERIAULT. Would you, Graham, or would you lose an eye? Would— I just want to know what your level of security, what your level is.


GRAHAM CLULEY. Of course I'd hand over my phone. Of course I would.


CAROLE THERIAULT. You'd hand over your whole life rather than just give an oral confession?


GRAHAM CLULEY. Yes, I don't want to lose my eyesight, or I don't want to be stabbed. Yes, I'd say willingly, go and please take this. Well, there is that.


PAUL DUCKLIN. And of course there's a famous XKCD cartoon about that, isn't there? You know, do you spend millions of dollars building password cracking tools? Yeah. Or do you buy a shifting spanner costing $5? Yeah. It's hard to sort of regulate for that. But like I said at the start, if you've backed up your stuff and you've removed data that you genuinely don't need from your phone, then that minimizes that risk as well. And you could also go to apps that you don't use often and actually log out on the phone, which means if someone does steal your phone and does force you to unlock it and then runs off with it, when they try and use those apps, they'll be faced with having to log into the apps all over again.


CAROLE THERIAULT. And I think that works well, but you do need a password manager in order to do that because I have no problem if I go away of deleting apps off my phone because I can just reinstall the app, put back in my username and password, and bish bash bosh, I'm, I'm back where I was, right? The app doesn't live on my phone. The data doesn't live on the phone. Do you see what I mean?


PAUL DUCKLIN. Yes. Now password manager wasn't in the tips that we did for vacations in particular. But I agree with you. I think that it's kind of hard to do without one these days. Yeah. So I don't say to people, look, they're compulsory, you have to use one. You might have some kind of fear about, well, what happens if my password manager gets compromised? And the answer to that is there's no law that says if you use a password manager, you have to put every single password in the world into it. So you might decide, well, accounts I only use occasionally, like my mortgage account or my this or my that, my pension account that I check up on once a month. I'll log into those deliberately using, you know, something that I've locked away at home, for example. So the nice thing about a password manager to me is not just that it picks great passwords every time and doesn't use your cat's name with two digits on the end, you know, or your, your first, second, and boyfriend's phone number. The great thing is that it also protects you against old-school phishing attacks, which still work really well, because the password manager can't be seduced by the fact that the site looks correct. Oh, look, it's got, it's got exactly the right pixel-perfect backdrop. It's got exactly the right logo. It looks exact. It doesn't care what the site looks like. It just says wrong URL, never heard of it. So it's not just that it won't help you, it can't go. Don't even know, never heard of it. Can't put in a password. And so that's a great thing as well. Great. And then the third thing that goes along with those two, of course, is that if you are traveling internationally, then you do have to think in advance. Don't worry about it, prepare for it. 
You do have to think in advance how you will conduct yourself at an international border if you're asked to reveal information that in your own country, or even once you are inside the country that you're planning to visit, you might have every right to say, I refuse to disclose it. In other words, privacy rules can be quite a gray area in that sort of gray zone between leaving one country and entering the next, you know, totally at border control. And certainly I know that the US and the UK, and they're by no means the only countries in the world, many countries have this, that they can ask you to show information, say, on your phone or your laptop. They can ask you to unlock it. In fact, in some countries they might even say, look, we're going to make a forensic copy of your hard disk, so we want you to unlock it. And you may decide that you don't like that and you're going to stick up for yourself from a privacy point of view, but you need to research in advance what the side effect of that is likely to be, because you might just find that the immigration official is perfectly polite about it and says, that's your choice, but it's also our choice to refuse you entry to the country. So we will securely transfer you to the departure lounge and you are welcome to get the next flight home. And of course, once you've been refused entry to a particular country, that can make it very complicated to visit in the future. So don't be afraid about what's going to happen. Just do your research beforehand. And if you're going to a country where you find, wow, I don't like their privacy rules, I don't think I can agree with these, I think I'm going to shoot my mouth off and it's not going to end well, well, maybe pick a different destination. Or just stay home.


CAROLE THERIAULT. Stay home.


PAUL DUCKLIN. Or go tell the truth and only take the data you need. You're not trying to cheat anybody when you do that. When you're going on vacation, you don't go to your safe deposit box and get out all the documentation, physical documentation you've ever acquired in your life from your birth certificate, your marriage certificate, your passport, your previous passport, your mortgage documents, all of that. You don't get that and put it in an envelope and take it with you generally because you're worried you might lose it. So my simple advice is, if your life's on your phone, why not leave it at home? Ooh, I see the t-shirt slogan now, Duck. It's my theory that, you know, if you're going somewhere with beachfront cocktail bars, the cost of buying a burner phone for your trip is probably going to be lower than the first round of drinks that you have on day one, shortly after you arrive. And you're perfectly entitled to do that. Sage advice. Another thing that many countries apparently do now, I haven't traveled internationally well since before lockdown, is that, you know how they'll say, well, what's the address that you're going to? And you're obliged, supposed to put the name of the hotel you've got booked so they know you've got somewhere real to go to. And they want to know your home address and everyone's used to writing that down and they want your passport number and they want your phone number, a landline if you've got one. But increasingly, many countries are saying, and we also want, you know, your email address and your social media handles. And again, you need to decide, you know, what am I going to say when I get to the border? Because if you go, oh no, I don't have any social media accounts, just write not applicable, and then you're on your vacation and you're sharing stuff on your actual social media account with all your buddies, when you come to leave the country, uh, two and two might not make four. 
If you, you know, you entered making a formal claim, no, I don't have any social media accounts. And then it's obvious that while you were there, you were publishing stuff for the world to see. Exactly. You know, you would understand why an immigration or a security official in that country might up their suspicion of you, you know, even if you haven't really done anything wrong. Well, you have if you've made a false statement when you entered the country. So think before you do that.


CAROLE THERIAULT. Good advice, Duck.


GRAHAM CLULEY. Good advice. And never reveal you've participated in a cybersecurity podcast. Yeah. Or don't, just boycott them. I think don't appear on them. That'd be the most sensible piece of advice because there may be all kinds of bad things you've said on those in the past. [LAUGHTER] Carole, what's your story for us this week?


CAROLE THERIAULT. So my story was actually suggested to me by Dave Bittner. He put the seed in my head. Dave Bittner, friend of the show. Cyberwire host, and it all revolves around call centers. So we have this globe of humans, right? Billions of us and all of us with different native languages. And somehow it's been accepted by most that English is the preferred international digital language of choice. Can I say that? Would you guys agree with that?


GRAHAM CLULEY. It's my first choice.


PAUL DUCKLIN. It's my preference. It's strange when you listen to people speaking a language that you don't understand at all, how much you can understand when they suddenly start talking about computers and phones and apps. Yeah, yeah. In amongst incomprehensible words where you can't even figure out where the word boundaries are, and then suddenly you start hearing familiar words like Facebook, two-factor backup.


CAROLE THERIAULT. And like, I don't care really who you are, but if you're over, like, I don't know, 30, you've had to negotiate a call with someone that you found difficult to understand because maybe they have a different native language than you do, or they have a very strong regional accent that's different from yours, and it can all make it a struggle to understand what you are trying to understand. And you guys have had this, right?


PAUL DUCKLIN. I'd say that on support calls, the main language problem I've had is that the person on the other end wants to reach a different conclusion to you, whereby they can prove that it was your fault and close the call. I haven't found the English to be a problem. I've found the, the jargon and the direction of the call to be tricky. That's the hard part. Even in English, it seems that we've learned how not to speak plainly quite deliberately, you know, in order to sort of disguise what's really going on.


CAROLE THERIAULT. But like, the thing is, is you can't really do much about, you know, your accent. Like, I certainly have been living in the UK for 20 years, still sound as Canadian as the day I was born, you know. Oh, you're not from America?


GRAHAM CLULEY. I believe, Carole, a lot of your Canadian friends, people back in the homeland, back in the plains of Manitoba.


CAROLE THERIAULT. Quebec, but yeah.


GRAHAM CLULEY. I think you sound like Her Majesty the Queen. They think you're terribly posh sounding, and they think you're like Helena Bonham Carter or something.


CAROLE THERIAULT. Yeah, okay. Yeah, I'm not sure about that. But you know what we're gonna do? We're gonna go back to the story now. So it's kind of something that's been a problem for a while. So as far back as 2008, I found an article in Computerworld saying that IBM was looking to change or to address this problem. So IBM's Indian research lab developed a web-based interactive language technology. You can see the language has changed so much, right? This is 2008. To help people improve their English speaking skills. And according to IBM, the system was based on advanced speech processing techniques that the company had devised for call centers in India to help improve the capability of its agents. So it would evaluate grammar and pronunciation and comprehension and other spoken language skills, and then provide a detailed score for each category.


GRAHAM CLULEY. Interesting, huh? All right. Okay.


CAROLE THERIAULT. And this was years ago. Yeah, 2008. Years and years ago.


PAUL DUCKLIN. Yeah. The understanding or the deliberate misunderstanding process, because sometimes it feels like that's what the other end is instructed to do. Don't think what could have given me that idea.


CAROLE THERIAULT. And then I found this other company, Florida-based outfit called Accent Advisor, and this is all about accent reduction. So they say on their site, quote, if you speak English as a second language, there's a good chance that your accent will stand in your way of communicating fluently with native speakers. So many people assume that a mastery of English grammar and excellent vocabulary is enough to communicate in America. This is not often the case. So they go on to say, correct native-level pronunciation or a firm grasp of the American accent is important for anyone who wants to live, work, and enjoy life in America. Hmm.


GRAHAM CLULEY. Thoughts on that, guys? I think you'll find it's pronounced pronunciation, Carole, rather than pronunciation. If you want to be properly English.


CAROLE THERIAULT. I don't. I'm happy to be a lady of the world. And then the way they worked basically is they had accent coaches, right? And they'd have accent reduction classes for private individuals and companies. And it's training, right? Just to help them with speech analysis and all this.


PAUL DUCKLIN. Every 12 minutes, do they burst into song like they do in My Fair Lady? It sounds like a sort of trope that's been an issue since the Industrial Revolution, isn't it? Where, you know, your accent makes a big difference to how you're perceived rather than how you're understood.


CAROLE THERIAULT. Exactly where we're going with this. So I want you guys to think a little bit outside the box because I want to talk about this new approach to dealing with this problem. And I want you guys to think what could possibly go wrong, Graham, to use your catchphrase. So this newer approach, thanks to 3 Stanford undergrads. So these guys started a company to help the world understand, that's their catchphrase. And the pain point that instigated this whole company was that after the pandemic kicked off, these students, or all the students at Stanford had to go home, right? And one went back to Guatemala and decided to be a tech support guy. Right. And his mates were like, quote, "We told them that he'd be the best tech support person they'd ever had because he's the smartest guy we've met and always had a smile on his face. But it totally didn't work out because the locals couldn't understand his accent." So a team of students dedicated their empty pandemic hours to building a solution. They did a lot of research on what people have done in the past. So people have done voice conversion for deepfakes, and that technology is pretty advanced, they say. But there's been little done in accent translation. So this company is called Sanas. The name like that, they could be a bidet company, but anyway. And, and I've put a link in the show notes. You can actually see a demo of this working because they say they have an algorithm that can shift English to and from American, Australian, British, Filipino, and Spanish. And they've developed it using a neural network trained with recordings made for the most part by professional voice actors. But I want to see what you guys think.


PAUL DUCKLIN. Well, you know, Carole, I think you're speaking like a gillar. I think that's the most stupid thing I've ever heard. No, I think my concern with trying to control what people say exactly and just how they pronounce it, which you can usually work around if you do have some common understanding, is much less important than techies learning to speak or being willing to speak in plain English.


CAROLE THERIAULT. But plain English is difficult because there's no accent. There's no non-accent, right? There's no language that has that.


PAUL DUCKLIN. But the point is you could have the plummiest, the weirdest, the uppest, the downest, the leftist, the rightest, the northern hemisphere-est, southern hemisphere-est accent in the world, but if the phrases you've been instructed to trot out to who are making, in air quotes, "close the call," are just there to kind of make the conversation go your way, then does your accent really matter?


CAROLE THERIAULT. Mm-hmm. Graham, what about you?


GRAHAM CLULEY. I'm sorry, while Duck's been saying all that, I've been participating in the demo. And it is very good at neutralizing the accent, at least in the demo, which they're claiming is how their technology works. But what comes out does sound rather robotic and characterless, doesn't it?


CAROLE THERIAULT. Yes, it does. And I was thinking about that as well. But then I had another thought, 'cause I was thinking, "We don't need to do this. This is just too much. This could be misused." You could then— This could be used by all kinds of phone people kind of calling up, pretending to be in the neighborhood, putting on a regional accent, and actually they're calling from 5,000 miles away.


PAUL DUCKLIN. Absolutely. Doing. Or, Carole, vice versa, couldn't they? They could be local, but they could want to convince you that, oh no, I'm actually— I'm calling from overseas on behalf of, you know, a friend who's had an accident. Yes. You know, the fakery doesn't just go with fitting in with the locals, it goes— it goes with fitting in with whatever backstory you've concocted for the scam at hand.


CAROLE THERIAULT. Yes. Okay, but take this example. I was thinking about this and I was thinking, but you know what, this would be marvelous for the medical field when you're trying to do cutting-edge operations or something like that. And the expert happens to be based in India, and another expert, you know, is based in, you know, Bucharest, and another, you know, expert somewhere else, and that they're all able to communicate robotically but extremely clearly. Or when politicians get together for a global, you know, hoedown, they have translators in there to help them understand everything. And those translators obviously have pretty clear accents that are understandable to the person they're meant for. So it's effectively trying to make this ubiquitous, I think, across the web. I don't know, I thought it was kind of interesting, but scary too.


PAUL DUCKLIN. I've heard that in the busy sea lanes, the sort of shipping motorways that run through the English Channel, which are, I believe, the busiest sea lanes in the world, the sea can get quite rough in there, and you've got all the ferries and other boats trying to cross from England to France, and then boats steaming through in the other direction. English is the basis of the language that ships use for communicating, but the vocabulary has been stripped down even for native English speakers so that there is no chance of you using a phrase that could be misunderstood. So that, you know, there's no politeness and there's no rules. No, it's not pirate speak. Apparently, if you don't hear the person, then you don't say, 'Oh, I'm terribly sorry, old chap, could you say that again?' You just say, 'Say again?' Right. And that's— there's no other way to ask the person to repeat themselves. And that way, the chance, you know, with huge ships closing in on each other unable to stop quickly. You can see that in some cases, I can imagine that just simplifying the vocabulary rather than how you say it could be much more important. Because that means that you— politeness is all very well when you're chatting to someone face to face, but it can lead to terrible misunderstandings when there's a crisis on. And I guess all emergency responders are used to that as well. You look at how 911 or 999 people are trained to respond. They use standard phrases that can't be misinterpreted. Do not hang up the phone.


CAROLE THERIAULT. But I just want to say that, uh, these guys have just gotten a huge amount of money. So with an investment of $32 million for a company, a startup company that started a year ago, okay, so some big, big dogs have gotten involved, including global supply chain companies, because they're very keen on making sure everything is always, you know, slick and smooth as they try and get goods or services from one geography to another where there might be language barriers. So, you know, watch this space.


GRAHAM CLULEY. So Carole, I've got a question. Obviously, I don't need this technology because there's nothing wrong with my accent. I don't have one. But are you going to start using this on the podcast maybe to make yourself easier to understand?


CAROLE THERIAULT. Yes, because many people have complained actually, haven't they?


GRAHAM CLULEY. Gigamon is the leading deep observability company. It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks. Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis. So what are you waiting for? Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. Smashingsecurity.com/smashing. And thanks to Gigamon for supporting the show.


CAROLE THERIAULT. Bitwarden is an open-source, cross-platform password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing. Not only does Bitwarden offer enterprise-grade security, conducting regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards. This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. That's bitwarden.com/smashing. Or you can try it for free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.


GRAHAM CLULEY. Thanks this week to our sponsor, SolCyber, who believe that it shouldn't just be the Fortune 500 that benefit from top-of-the-line cybersecurity. They make managed security affordable and accessible to all small to medium-sized organizations. Check out SolCyber's foundational coverage services. They include ransomware assessment and training, advanced email protection, endpoint detection and response, Active Directory abuse prevention and lateral movement detection, and 24/7 security operations center capability. As a SolCyber Foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums. Mention Smashing Security and you'll get 1 month free for every 12 months you subscribe to SolCyber's foundational coverage services. Visit smashingsecurity.com/solcyber to learn more. That's smashingsecurity.com/solcyber. And thanks to SolCyber for sponsoring the show.


PAUL DUCKLIN. And welcome back.


GRAHAM CLULEY. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


PAUL DUCKLIN. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something like, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. And my pick of the week this week is not security related. I think everyone really is a big fan of the rude curse word, saying something rude, having some sort of offensive phrase —Not me. —to describe the amount of stuff I've heard coming from your potty mouth over the years is quite extraordinary. And in fact, I thought maybe you need some inspiration, maybe you need some new ones. And that is why I have found, and I will include a link in the show notes to a page which is all about compound curse words. What someone has done is they've taken data from Reddit comments and they've analysed the frequencies of different compound insults. So— I love it. Your buttheads, your dirtwads, your weasel boys, your wankpuffins. Wank nozzle. So they've created a matrix, effectively. Douche wit. Yes. And they've also— they're showing how frequently these different phrases are used. So something like dumbass, for instance, or scumbag, very commonly used. Of course. Something like poop goblin, not often used. Do you want that to be your nickname, that clue? Well, I don't know. And they've also analysed whether dictionaries are keeping up with all these things, because some dictionaries have included a number of curse words, but some are not being represented in dictionaries, and therefore probably unlikely to be accepted on a Scrabble board as well. And I think that is something which we might want to look into as well. So I am including, I've put into the show notes here some links. You guys can choose your own favourites here as well. Absolutely. So you can have a trump nozzle.


CAROLE THERIAULT. You put them in any direction. You don't have to go XY, right? You can go YX as well. Waffle twat. Waffle twat.


GRAHAM CLULEY. Or twat waffle. I don't know. Whichever suits you best. But anyway, I'm a big fan of the wankpuffin. Of course you are. But there's lots of others there as well. It tickled me, and I've been playing a lot of Scrabble lately, so I've been looking for some more words to use. And so it's been quite helpful to me. And that is why it is my Pick of the Week.


PAUL DUCKLIN. Have you ever used the word kwyjibo in a Scrabble game yet?


GRAHAM CLULEY. Ah, as used by the Melissa virus. For a bald North American ape. It comes from a Simpsons episode, doesn't it? You guys. Yeah, so there we go, really nerdy there. I know. Duck, what's your Pick of the Week?


PAUL DUCKLIN. Well, I had a few words, so I had to sort of thin them down, and I decided that I would go— I don't think maritime is the right word because that refers to the sea, and where I live is quite a long way from the sea, but it is riverine. And that is, I discovered a delightful pastime which is very enjoyable probably the first, second, and maybe the third time you do it. And in all my life, this is the very first time I've done it, so it was great. And that was, I happened to be riding my bicycle around a lot, like to go around the river and that, because this time of year, gorgeous wildflowers, birds singing, all of that stuff in the early evening. And, uh, a boat was puffing along into a lock. It was Pinkhill Lock, actually. And I glibly said, I'll do the gates. And so I got to do the lock gates. Oh, it's not a— they're not narrowboats on the River Thames. The locks are much wider, so they've generally got two gates, and some of them are electrified, but the electricity gets turned off after hours. And this one is still mechanical, so you have to do all the work yourself, like swinging these great— Have you, have you ever done that, Graham?


GRAHAM CLULEY. I messed around on locks? No, I haven't.


UNKNOWN GUEST. No.


CAROLE THERIAULT. Oh, I did a lot as a kid in Ottawa. To get from the Ottawa River up to the canal, the Rideau Canal, there are 8 locks in between them. And when I was a kid, they were all hand-cranked.


PAUL DUCKLIN. So yeah, one of the reasons, Carole, that I didn't want to put this in is I thought, oh golly, like anyone who's lived in the Quebec/Ontario area near what counts for a river in Canada, you know, you're— when you see like something like Isis Lock on the Thames, which is 7 feet wide and the water's about 2 feet deep, you must go, that's not a lock, that's not even a ditch, that's not even a puddle, like what is this? So I was hoping that you would not mention the St. Lawrence Seaway or Mary or wherever, the Soo Locks. Um, but these you can do all by hand. It's, it's all very sort of very cool. It's very cool. And you know what's really weird is the River Thames did not have proper locks, what they call pound locks. You'll actually seal off a section of water to let it up and down until about the 1920s. Most of the navigation was done with what are called flash locks, which is basically there's just a channel with a weir, and you basically run the rapids. That's insane. I kid you not. When you want to come upstream, they just— you basically row your boat up to the water pouring over and attach ropes, and a few hefty fellas—


CAROLE THERIAULT. Yeah, lift the keel, Fred! Lift it all the way!


PAUL DUCKLIN. Well, that's the thing with canal boats in the UK. Don't have any keels, do they? Because the canals are only about 2 feet deep. Yes. So the water's so shallow that they're basically totally unsteady. Anyway, I— I did the lock, and I think I left it correct. Upper gates closed, bottom gates open, lock empty so the walls can dry out. Very cool, Duck. And I thought it was great, and it'll be great for the next two times, and then I suspect I might start to shirk my duties. I think it dulls fairly quickly. Eight locks in a row, I think by the third one you'd be going, Oh no, not even halfway.


GRAHAM CLULEY. Cool. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, this past week I went away to camp in deepest, darkest constable country near Colchester and Ipswich, all in order to meet one of my watercolor— well, I don't know, I guess I can say heroes— Andy Evanson. Um, and you know, to improve what I like doing, you know, painting watercolor. So I went to this place called Dedham Hall, and it's a place I'd never heard of, but today it is my pick of the week because this is a beautifully amazing quaint hotel and art retreat in this lovely village of Dedham. And it's run by Jim and Wendy. So big hello to you two if you're listening. And they are like the most incredible welcoming and organized people I've ever seen. They were working, like, all the time. They've been doing it for 30 years, and they're just a joy. And Wendy's an incredible cook. Uh, lemon tart night was a big deal, right? Everyone was going mental for it. And they also host art retreats, which is what I was doing. And I met, like, amazing people, like students and artists at the top of their game. Like, Steve Hall was there. So he gives classes around the UK and also at Dedham Hall. And he was there because he wanted to see Andy Evans paint. So it was all very cool. I met loads of amazing people. And there's this, uh, one guy named Jacek, and he did this LiDAR thing on me, a 3D capture of me on a rock while we— I was in a boatyard trying to paint a boat, and I did a horrific job. But I've put it in the show notes so you can take a look at it.


GRAHAM CLULEY. So I'm looking at this right now, Carole. Uh-huh. And so what we have here is basically you've been sort of photographed in 3D, sat on some— a couple of rocks or something.


CAROLE THERIAULT. Yeah, yeah, just— I mean, a whole— yeah, it's kind of weird without the, uh, without the surrounds, but there you go.


GRAHAM CLULEY. I can zoom in on you in rather extraordinary detail. Yeah, my finger— yeah, I've had a good look around. There's nothing rude, so you've chosen well here. You covered yourself up in the appropriate places. But it's, it's kind of amazing.


CAROLE THERIAULT. He's going to put it on Twitter, so I'll put the link up on the show notes and we'll retweet it out if you want to see it. But it's kind of cool.


GRAHAM CLULEY. How, how did he do this? Did he have to walk around you or something?


CAROLE THERIAULT. It's an app. It's an app. Yeah, yeah, we'll connect to him via Twitter.


PAUL DUCKLIN. So this is using the LiDAR in a phone. You don't need special hardware?


CAROLE THERIAULT. No, just on his phone. The only problem was I had to sit very still for about 2 minutes for him to do it.


GRAHAM CLULEY. That wouldn't be easy for you. So it took him 3 times. Your hair's looking very purple.


CAROLE THERIAULT. Uh, it is very purple at the moment. Yeah. Anyway, the whole thing was a life-changing week for me. I loved it, loved it, loved it. So my pick this week is Dedham Hall Hotel and Artist Retreat, and links in the show notes, and check it out because they're amazing.


GRAHAM CLULEY. So no need to catch a ferry, people can just go there. You can just drive.


CAROLE THERIAULT. It took 2.5 hours to drive there from Oxford. No biggie.


PAUL DUCKLIN. No environment-burning plane trip, no border crossing. Nope.


CAROLE THERIAULT. You can even get there by train and they'll pick you up at the train station and bring you. They didn't ask for your passwords or anything like that, didn't ask you to unlock your devices, though I helped quite a few of them, some of the artists, because it turns out they're not necessarily super au fait with technology. So once they found out I did this, I was, uh—


GRAHAM CLULEY. Are they all listening now, Carole, do you think? Do you think they're now loyal listeners?


CAROLE THERIAULT. Probably, yeah. Yeah.


PAUL DUCKLIN. Hi guys! It's true, isn't it, that sometimes when people find out you're a cybersecurity expert, you get to feel like what I imagine is to be a doctor or a surgeon, you know? Can you just look at me appendix scar? It's been throbbing a bit. You know, I've got a strange rash on the underside of my— Do you mind if I take my shoes and socks off and take a quick look at it in public? You do get a lot of questions.


CAROLE THERIAULT. Yeah, but they were extremely grateful. They were super grateful. Very cool. So I had no problem doing it.


PAUL DUCKLIN. And if you can stop any, even one of them falling for a scam at any time in the future, a job well done.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. Now, Carole, you've been busy this week. You've been chatting to Iain Farquhar from Gigamon, haven't you?


CAROLE THERIAULT. Yes, I have. We talk about all things ransomware and zero trust in depth. Deep observability, which is a word I had a lot of trouble saying in the interview. Thank God we edit. Observability, observability, observability. But check it out, guys. It was really fun. Alrighty, listeners, today we are talking about the current state of ransomware, and we are with Iain Farquhar. He is Global Field CTO at Gigamon. Thank you for coming on the show, Iain. I know you must be very busy. I know you've been up since the very early morning today. Thank you for having me on. I appreciate it. So Gigamon's paper called State of Ransomware for 2022 and Beyond looks into insider threats, blame culture, which I'm super interested in, and of course, zero trust. And let's be honest, cybersecurity professionals around the world are currently facing some serious challenges and the exacerbation of ransomware, I'm sure, is not helping reduce pressure. Let's talk maybe about the insider threat first. You know, how is it going inside?


UNKNOWN GUEST. I mean, the interesting thing about insider threat for me is that this is not new, but it's definitely ramping up in focus. I mean, I used to do DLP, DLP. Years and years ago, I did a huge focus on DLP, 2008 to 2013. A lot of that was about insider threat, and then we pivoted as an industry and we focused on advanced persistent threats, and we kind of forgot about it, but it never went away. Now, the focus here is on, of course, ransomware threat actors, ransomware teams, ransomware crews are now using insiders as one more way to get into the organization. But we've always had an insider threat. We need to start focusing more on it.


CAROLE THERIAULT. But this insider threat though, is it fair to say that you can divide it into two different camps? Like the malicious actor, but you also have the duped actor inside the company?


UNKNOWN GUEST. Well, arguably, you actually have even three because you also have an actor, the non-malicious insider who just messes up really badly. They write some huge amount of data onto a USB key that they're not meant to do, and then they lose it. Somebody picks it up and that data is breached. That, you know, so you've got this multiple ways of dealing with vectors that a threat could enter your organization through an insider. And, you know, governments have been dealing with insider threats for years. That's what security clearances are about. But we don't really actually look at this out in non-government enterprise. Maybe it's time that we did.


CAROLE THERIAULT. Yeah, because I'm guessing what you're describing, if you have all these threats that are inside, that can lead to a blame culture, right? Absolutely.


UNKNOWN GUEST. One of the things that we do is we talk to a lot of CISOs all around the world. Before COVID I traveled a lot and starting to travel again. There is definitely an issue of blame culture. A lot of CISOs feel very, very strongly that they can be held to account. If they have built a solid infrastructure, but they still get breached, they can be tarred personally, and that worries a lot of them. You hear stories, for example, about CISOs who ask for an investment. They get denied, and then they'll say something like, right, I need an email from the CFO or the CEO saying, I've told you this, you decided not to invest in it. That's a terrible situation to be in. The blame culture has really got to end because it is very useful to understand when an organization has been breached. It allows the customers of that organization, the people, to respond to it appropriately. If they don't, that's bad.


CAROLE THERIAULT. Do you find that there are a lot of companies that try to hide if they get into trouble? I mean, honestly, I'm being honest, I did this when I was working in a corporation. I might do something bad and then go, "Oh, God, I shouldn't have done that," and try and hide my tracks rather than going to the IT guys and going, "Okay, I have to be honest. Do you know what happened?" So how do you get around that?


UNKNOWN GUEST. Well, the standard way is we've got mandatory breach disclosure laws, and generally they tend to work, you know, in the areas where they are present, that they are very effective. They not only allow people who are affected by breaches to deal with this, but they also support investments. People don't want to be subject to them because one of the things we found out in this paper is that 33% of organizations actually see ransomware as mostly a reputational issue. So if your reputation is going to be affected by being mandatorily exposed, that's definitely going to drive behaviors. It's going to drive people towards better data governance and better protecting information that they hold.


CAROLE THERIAULT. Now, so, so you're thinking that the head honchos of companies, like the board and senior team are they taking this super seriously because they're so worried about a reputational, you know, kick in the nuts? I shouldn't say that. Kick in the shins.


UNKNOWN GUEST. Kick in the pants. Yes, yes, they are taking it seriously. And the board definitely is looking at ransomware as a risk to the business. You know, 9 out of 10 boardrooms, 89% of boards see ransomware as a priority concern. That was one of the findings in this paper.


CAROLE THERIAULT. That's huge. That's really huge. I think about 5 years ago, that would have been half that number, if not less.


UNKNOWN GUEST. Yeah, yeah.


CAROLE THERIAULT. And so reputation is the big key. They're worried about it. Are they investing?


UNKNOWN GUEST. They definitely are, but exactly what they're investing in varies. So you've got, for example, the top area investment seems to be more cybersecurity tooling, and that's absolutely a legitimate approach. You know, one of the, one of the things that I love to see is defense in depth. We tend to forget about that with security tooling, or a lot of people do. I think in that we kind of assume that security tools are perfect. No, they're not. Therefore, the more coverage we have, the more visibility we have, the more observability of our network we have, the better, the more likely we are to catch the incidents, to catch the issues that are causing it, but that's not the only thing. You've got security awareness and training. That's like about half of people are doing that. And security awareness and training is a great approach. And I do a lot of security awareness and training, not only in my job, but also as a volunteer to other organizations. The problem is, is that a really good attacker will still get around that. There was an organization I used to work with many, many years ago. It was a large government supplier in the US that used to use the most punitive, absolutely vicious security training where they would train their staff and then they would have an internal tiger team that would attack their own staff. And you got one freebie, you got one freebie, and if you failed, if they successfully attacked you, you had to go and do a 4-hour training course and update. If you did the second one, you had to go and report to a vice president.


CAROLE THERIAULT. It's like getting in a speed trap in the UK. If you get caught speeding, you've got to do the courses, you lose the points, you can get fined, the whole nine yards.


UNKNOWN GUEST. Oh yeah. Wow, extremely punitive. Nonetheless, they still were unable to get it below 10%. There's still 1 in 10 they were still able to hit them. Now bear in mind, that also means 90% success. Yeah. So what 1 in 10 means, 9 out of 10 they didn't hit. So it's a useful tool, but it's not the only tool. Defense in depth is so important.


CAROLE THERIAULT. Well, yeah, before we get into defense in depth, tell me about like cybersecurity insurance. I'm just interested, as we're talking about the senior management team, are they buying into that concept?


UNKNOWN GUEST. Is that something worthwhile? Oh, absolutely. Um, their cyber insurance is a huge issue now, and certainly this international survey, and in Australia and Singapore, 9 out of 10 organizations have cyber insurance against ransomware. And in fact, one quarter in Asia Pacific. That was their only approach. The problem is we're aware of organizations that simply can't afford it anymore. The premiums are going through the roof, and the cyber insurance companies are asking a huge amount of details about the risk remediations that these organizations have in place.


CAROLE THERIAULT. I'm not surprised.


UNKNOWN GUEST. We heard of one story of a 3-page survey going to 57 pages between last year and this year. Wow. And that was the diligence the insurance company was using to determine what premium they should be charging.


CAROLE THERIAULT. And of course, that's very costly to a company, because you have to have legal eagles go through that. You have to have technicians go through all the systems to make sure they're meeting all the stipulations in order to be covered. Absolutely. Yeah, right. So this is why deep observability is so vital. Could you maybe explain that concept for our wonderful…


UNKNOWN GUEST. So deep observability is a really interesting concept. There is the existing industry concept of observability, which is the old concept of logs, events, metrics, and tracing. And we've been doing that for a lot of years. And essentially, it reports about the inside of a system, a workload, a cloud instance. Deep observability looks at it from the outside. It looks, say, at a cloud image from the outside, looking at what it is doing on the network. Now, one of the first things a good attacker will do when they break into a workload is they'll turn off logging. I mean, you can go and read the Mandiant report. That's one of the first things the attacker that breached SolarWinds did. They turned off logging and cleared the logs. That's in their reports. The first ever incident response I did, I'm almost ashamed to admit this, in 1989, fine, I saw them turning off logging. They turned off syslog. So, you know, this is an old attacker TTP. On that basis, you've got to look at logging. While it's essential, and I'm not saying don't do it, it's not good at catching attackers. Once they violate a workload, once they get in, they compromise something, be it ransomware, be it an advanced threat actor, they are going to compromise logging. How do we deal with that? We go back to defense in depth. We look at what that workload is doing from the outside, and they can't easily compromise that, because that workload still needs to generate traffic. And that's what deep observability is.


CAROLE THERIAULT. I mean, it kind of makes sense in a way, if I can make it, you know, more colloquial. If you had a burglar come in, the first thing they'd want to do is turn off CCTV or video recording, right, in order to get away with doing what they want to do without any evidence. It makes perfect sense.


UNKNOWN GUEST. Indeed, some burglars will go to the power board and pull the fuse, right? That is to shut down any cameras, right?


CAROLE THERIAULT. Exactly. Um, so talk to me about Gigamon. Talk to me about what you guys can offer to help companies get this deeper insight into their system.


UNKNOWN GUEST. So what Gigamon is about is getting access to the traffic, the network traffic, the deep observability traffic, be that on a physical network from 10 meg Ethernet right through to 400 gigabit Ethernet, in the cloud, or in a public cloud, or in a private cloud. All of these environments have network traffic. All of these environments we can do deep observability in. So if your environment is on-prem, hybrid, multi-cloud, private cloud, public cloud, it doesn't matter. We can take the traffic from those environments and deliver it to the tools needed to detect the ransomware, to detect the insider threats, to detect all of the stuff that is a risk to your organization.


CAROLE THERIAULT. And that is what Gigamon does. And I'm guessing in providing that information, you have to parse it in a way that it's easily interpretable by whoever's receiving that information.


UNKNOWN GUEST. Yeah, if you don't do that, the tool that is consuming that is wasting its time. It's hard enough as it is to detect threats without overwhelming a tool with useless data.


CAROLE THERIAULT. And what about the concept of zero trust? What are your thoughts on that, Ian?


UNKNOWN GUEST. I am absolutely fascinated. I spend a lot of my time doing zero trust, and I think it's an amazing concept, because it gets us away from all of those security assumptions, like good people inside, bad people outside, that just aren't realistic. One of the things I will say is that if you are doing zero trust with just normal observability, well, you're probably not looking at it. You should be looking at normal observability, deep observability, and as much information about risk as you can derive. Then you will achieve a really good outcome.


CAROLE THERIAULT. Amazing. You can learn more about all this by getting your mitts on their latest research. This is Gigamon's paper, State of Ransomware for 2022 and Beyond. And it looks into insider threats, blame culture, and of course, zero trust. And it's yours for free by visiting gigamon.com/smashing. That's gigamon, G-I-G-A-M-O-N, dot com forward slash smashing. And all that I have to say is thank you so much, Ian Farquhar, Global Field CTO for Gigamon.


UNKNOWN GUEST. Thank you so much for having me. It's been awesome.


GRAHAM CLULEY. Well, that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?


PAUL DUCKLIN. They can find me on Twitter @duckblog, or they can find me on the web at nakedsecurity.sophos.com.


GRAHAM CLULEY. Sophos.com. Terrific. Oh, my old baby. And you can follow us on Twitter @SmashinSecurity, no G, Twitter and LastPass have a G, and we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode: follow Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.


CAROLE THERIAULT. And massive shout out to this episode's sponsors, Bitwarden, Gigamon, and SolCyber. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes and sponsorship information and guest lists and the entire back catalog of more than 284 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye. Last show next week for the summer. Bye. Who's crying? Don't cry, guys.


PAUL DUCKLIN. Don't cry. Don't cry.


GRAHAM CLULEY. Well done. Thank you very much, Duck. You're a rock star, Duck.


PAUL DUCKLIN. I learned some rude words.


CAROLE THERIAULT. What, like ass monkey or whatever?

-- TRANSCRIPT ENDS --