Twitter shares explicit photos without users' permission, one US company can look forward to a $1.4 billion payout seven years after an infamous cyberattack, and how might hackers target Eurovision?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by cybersecurity reporter John Leyden.
Plus don't miss our featured interview with Outpost24's John Stock.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Introducing Twitter Circle, a new way to Tweet to a smaller crowd - Twitter.
- Twitter Circles Is Broken, Revealing Nudes Not Meant For The General Public - Buzzfeed News.
- Insurers can't use 'act of war' excuse to avoid Merck's $1.4B NotPetya payout - The Register.
- What is Hostile or Warlike?: An in-depth look at the Merck war exclusion decision and its shortfalls - Kennedys Law.
- Eurovision voting scandal: Six juries cheated and voted for each other - EuroVision World.
- Eurovision: MP seeks assurances contest voting will be protected from Russian threats - Sky News.
- Fears pro-Russian hackers could ruin Eurovision by disrupting broadcasts and silencing the song contest next week - Daily Mail.
- Cyber security experts hope to protect Eurovision voting from possible Russian threat - ITV News.
- The technology of the Eurovision Song Contest - Technology and Engineering.
- Cyber security experts hope to protect Eurovision voting from possible Russian threat - Eurovision News.
- Eurovision voting scandal: Six juries cheated and voted for each other - Eurovision News.
- Eurovision 2023: Tickets for Liverpool sell out after huge demand - BBC News.
- Eurovision 2023: Hotel phishing scam targets song contest fans - BBC News.
- “My Lovely Horse”, Father Ted’s Eurosong contest entry 1996 - YouTube.
- Doctor Who: Toby Hadoke’s Time Travels podcast.
- Toby Hadoke.
- MyBuilder.
- Carole Theriault art gallery - Carole Theriault’s art website.
- Carole Theriault and John Hawes exhibition - Oxfordshire Artweeks.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Outpost24 – Understand your shadow IT risk with a free attack surface analysis.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Doesn't boudoir mean risqué?
GRAHAM CLULEY. Well, boudoir doesn't have to mean risqué, does it?
CAROLE THERIAULT. What's risqué? A bit of nip showing? What do you mean?
GRAHAM CLULEY. Goodness gracious, yes, Carole, definitely a bit of nip showing. You know, if there were photographs of me in my dressing gown with my smoking pipe and my slippers in my boudoir, not so risqué.
CAROLE THERIAULT. Yeah, it's risqué enough for me. No, I do not want to see it, I'm telling you.
JOHN LEYDEN. Oh, I think I now want to leave the call.
UNKNOWN. Smashing Security, Episode 321: Eurovision, Acts of War, and Twitter Circles with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 321. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, this week we have a returning guest. He's not been on the show for quite a while, but glad to have him back. Who have we got in the hot seat?
CAROLE THERIAULT. It's journalist John Leyden. Welcome.
JOHN LEYDEN. Thank you for having me.
CAROLE THERIAULT. It's so great for you to be here. Now, what have you been working on since you've last been on?
JOHN LEYDEN. Well, so since I've last been on, that must have been a couple of years ago, and most of that time I was working for the Daily Swig, which was part of PortSwigger. So unfortunately, in March I was made redundant from that job. So I've now embarked on the wild world of freelancing tech journalism.
CAROLE THERIAULT. So you are a freelancer now?
JOHN LEYDEN. I am. I'm a hired gun.
CAROLE THERIAULT. You are looking for more work, are you? Is this an ad? Is this an ad post for you?
JOHN LEYDEN. I'm open for work, let's put it that way.
GRAHAM CLULEY. And in the past, John, you've worked for all kinds of publications, haven't you? You've worked for The Register for many years as their cybersecurity correspondent. You were with, was it CRN, I seem to remember?
JOHN LEYDEN. I worked for, I started off work for Network News. So I wrote about networking and things like that. But that was a long time ago. I was with The Register for 17 years, so I had a lot of experience there.
CAROLE THERIAULT. Yeah, well, we always loved reading your articles. So guys, if you're looking for a writer, this is the guy.
JOHN LEYDEN. Why, thank you.
CAROLE THERIAULT. You're welcome. Now let's kick off this week, but first let's thank our wonderful sponsors: Bitwarden, Kolide, and Outpost24. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what have you got?
GRAHAM CLULEY. I'm going to be letting you into my inner circle.
CAROLE THERIAULT. Your inner circle. I don't know if I want to go there. John, what about you?
JOHN LEYDEN. I'm going to be talking about war and peace, cyberattacks, insurance, and very large payouts.
GRAHAM CLULEY. Okay, good.
CAROLE THERIAULT. A light topic. And as we all know, Eurovision 2023 is upon us. Let's see if there's anything cyber to worry about. Plus, we have a featured interview with John Stock from Outpost24, explaining that while you might not be able to get your attack risk down to zero, you can reduce it dramatically by taking the correct steps. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, are either of you fans of wrestling?
CAROLE THERIAULT. No.
GRAHAM CLULEY. No. John, are you? Do you fancy you often oil yourself up?
JOHN LEYDEN. Not especially. I did go to WrestleMania in the US, but that was back in the '80s.
GRAHAM CLULEY. Ah.
JOHN LEYDEN. Yes.
GRAHAM CLULEY. The US version of wrestling is very different from the British version. I remember in the 1970s watching ITV. Obviously not at my house. We weren't allowed ITV.
CAROLE THERIAULT. Is that Big Daddy times?
GRAHAM CLULEY. Yes, Big Daddy and Giant Haystacks. Dickie Davies would be there as well. But I actually want to talk about the American WWE, World Wrestling Entertainment. I think they used to be called the WWF.
CAROLE THERIAULT. Yes. And for obvious reasons, yeah. They were told, back down, back down.
GRAHAM CLULEY. Duke of Edinburgh wanted to go around there and start shooting pandas or something. Anyway, I'm talking about the one which involves Dwayne 'The Rock' Johnson, Stone Cold Steve Austin, Hulk Hogan.
CAROLE THERIAULT. Hulk Hogan, yes. The one who took down Daily Beast.
GRAHAM CLULEY. Oh, because they posted about his shenanigans, I think, didn't they? Well. If you are into WWE and the world of entertainment wrestling, you would probably know of a chap called Vince McMahon. Have you heard of Vince McMahon?
JOHN LEYDEN. No.
GRAHAM CLULEY. He is the businessman who basically runs WWE.
UNKNOWN. I'm the lord, the master and god of all sports entertainment. Oh boy.
GRAHAM CLULEY. And all that participate in any manner whether or not it's in the ring or you buy a ticket, you will worship me. He ran WWE for 40 years, but very, very visibly. He would be there in the ring in his suit. Sometimes there'd be a punch-up, he'd be in the middle of it.
He's probably in his 70s by now, but he was very much the big man of wrestling. He was running the show. He was the CEO. If you were interested in the backstage goings-on at WWE, you may also be interested in a new book that's coming out all about Vince McMahon called Ringmaster.
JOHN LEYDEN. Ah.
GRAHAM CLULEY. And it's been written by a transbian authoress, Abraham Josephine Reisman.
CAROLE THERIAULT. A what?
GRAHAM CLULEY. A transbian is a trans lesbian. This is how Abraham Reisman describes herself, is as a transbian authoress.
CAROLE THERIAULT. Okay, I've never heard that term ever.
GRAHAM CLULEY. Yeah, yeah, this is— it's all right to call people transbians if they're comfortable with being called transbians, don't you?
CAROLE THERIAULT. Yeah, only if other people understand what the heck you're talking about. But yes. Exactly.
GRAHAM CLULEY. Well, I just got it from her Twitter profile.
CAROLE THERIAULT. This is what she calls herself, right? Okay, well, I'm very happy with that. That's great. Okay, so she's written a book about Vince. Can we call him Vinny just for fun?
GRAHAM CLULEY. Vinny.
CAROLE THERIAULT. Vinny. Vinny.
GRAHAM CLULEY. Yeah, you can do that if you want. You can do that.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. If you wish. When you were at WrestleMania, John, back in the '80s or the '90s, you may remember that WWE wrestlers, they don't wear many clothes, do they?
JOHN LEYDEN. No, they don't wear many clothes. And there may be an element of orchestration in the fights. I don't know.
GRAHAM CLULEY. What?
JOHN LEYDEN. No.
GRAHAM CLULEY. What? Some fiction?
JOHN LEYDEN. Yes.
GRAHAM CLULEY. Are you suggesting?
JOHN LEYDEN. There could be some theatrics involved.
CAROLE THERIAULT. But that's part of the fun though, right? That's why— I mean, I did used to watch— you remind me, I did watch it as a kid, because we'd only had about 3 channels. So if you wanted to watch TV and that happened to be on, that's what you watched.
And you know, even as a kid, you knew it was kind of fake.
GRAHAM CLULEY. Did you? I don't know. Anyway, some kids are crazy for it. Some grownups are crazy for it as well. The thing about WWE wrestlers, as we've ascertained, they don't wear very many clothes.
They're presumably comfortable being photographed in the ring wearing their skimpy spandex outfits. I wouldn't be. I wouldn't want that.
I wouldn't want people to photograph me in skimpy spandex stuff. Well, you know, I'm not giving my permission. Let me put that out there right now. If anyone gets hold of photographs like that, I don't want to see pictures of you like that, Carole, or John.
CAROLE THERIAULT. Do you know what? I am actually looking right now at WWE outfits.
GRAHAM CLULEY. Are you?
CAROLE THERIAULT. On Google Images. Yeah. And it is astounding. It is really quite astounding how spandexy it actually all is. There's a guy here with a fake sun and bat wings. So he puts his arms up, and it makes him look like a whole sun.
GRAHAM CLULEY. Ah, probably for when they jump from the corner of the ring and glide down. Right. To do, I don't know the names of all them. Anyway, back to authoress Abraham Josephine Reisman, who's written this book, right? As we're talking about not wearing very many clothes. Now, as she told friend of the show, Chris Stokel-Walker, who appeared on the show a while back, he's been writing for BuzzFeed, she told him how she'd recently had a private photo shoot. She said, "I did a boudoir shoot a few weeks ago, and I had some nice photographs of myself taken. One of them was risqué."
CAROLE THERIAULT. Doesn't boudoir mean risqué?
GRAHAM CLULEY. Well, boudoir doesn't have to mean risqué, does it?
CAROLE THERIAULT. What's risqué? A bit of nip showing?
GRAHAM CLULEY. Goodness gracious! Yes, Carole, definitely a bit of nip, as you refer to it, showing would be. I was thinking, you know, if it was photographs of me in my dressing gown with my smoking pipe and my slippers, in my boudoir. Not so risqué.
CAROLE THERIAULT. Yeah, it's risqué enough for me. No, I do not want to see it, I'm telling you.
JOHN LEYDEN. Oh, I think I now want to leave the call.
GRAHAM CLULEY. Reisman took this risqué photograph and she posted it on her Twitter Circles, as you do. And she said, as usual, as usual, it got no engagement. Now, do you know what a Twitter Circle is? I didn't know what this was.
CAROLE THERIAULT. I'm gonna guess. Can I guess?
GRAHAM CLULEY. Can I guess?
CAROLE THERIAULT. Is it a group, a category of friends? So it's not all your followers - it's just a group of them that can see what you're showing them.
GRAHAM CLULEY. God, you're so clever.
CAROLE THERIAULT. Oh, thank you very much.
GRAHAM CLULEY. So many times I thought you're not, but in fact, you're a genius. You're absolutely right. A Twitter Circle, this is a new feature which launched August last year, which promised users the flexibility to choose who can see and engage with your content on a tweet-by-tweet basis. The thing is, with Twitter, you've always been able to have a completely private account. Right? Apart from the people outside Twitter could view it. But you could have a locked-down account where you had to ask permission to follow somebody. And clearly, Twitter wasn't as keen on that. So what they did was they introduced this Twitter Circle concept where you could have a regular account, but you could have a sort of almost subset of the account, which you just share with a select group of friends, and only they can see it, and only they can reply to it. And, you know, the conversation remains intimate.
CAROLE THERIAULT. Yeah, on Twitter.
GRAHAM CLULEY. Yeah, on Twitter. On Twitter.
CAROLE THERIAULT. Yeah, yeah, on Twitter.
GRAHAM CLULEY. But in a way, it's a bit like, you know, a lot of people use WhatsApp groups, don't they? And they share pictures and messages with a small collection of friends rather than the entire universe, rather than posting it up on a public website. They use an app like that. So it's fair enough.
JOHN LEYDEN. Okay.
GRAHAM CLULEY. So Twitter said easier way, make intimate conversations, build closer connections with select followers. All makes sense. And Twitter said, you can choose who's in your Twitter Circle. Only the individuals you've added can reply and interact with your tweets you share inside the Circle.
CAROLE THERIAULT. Only the people inside the Circles can see the images. Do they say that too?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Oh, okay. Yeah, yeah, yeah.
GRAHAM CLULEY. So it's only people who you've allowed to have access. That's very important because there were a number of groups who were using Twitter Circles to share sensitive information. They didn't want outsiders chiming in or dogpiling on them or being unpleasant or picking on them or bullying them or anything like that.
So there is, for instance, an LGBTQ+ community on Twitter called Belong2 for young people across Ireland. And they were using this just to talk amongst themselves, which, you know, is fine and dandy. And why should you not do that?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So back to the subject of this story. Oh yeah, which is Ms. Reisman and her boudoir pickies. Yeah, she shared this intimate boudoir shot.
CAROLE THERIAULT. We don't know if there's a nip involved with 1,500 of her closest friends in a specific circle.
GRAHAM CLULEY. Yep, she's posted up there. She says she got virtually no engagement. That's not that unusual these days on Twitter. I'm finding you don't get much engagement on Twitter anymore unless you've got the blue tick. Those are the people who seem to be being promoted on Twitter at the moment.
But when Reisman woke up the following morning, she found people who she didn't follow back, let alone were inside her Twitter circle, had liked this, as she put it, little bit spicy photograph.
JOHN LEYDEN. Ooh, missus.
CAROLE THERIAULT. And she didn't make a mistake. That would be my first thing would be what did I do? Oh, no, no, no, no, no, no, no, no, no, no.
GRAHAM CLULEY. She says she's been very careful about curating her circles to the people she thinks wouldn't mind. But she says, "The general public do not need to see me in my birthday suit," is what she's saying. But people did.
And she has not been the only one. Since last month, in the last few weeks, multiple Twitter users who've been using Twitter Circles have said that their private posts, their posts which they thought they were sharing just with a select group of trusted people, were in fact showing up in the feeds of complete strangers.
CAROLE THERIAULT. Wow. So can we see these pictures? I'm kidding. I'm kidding.
GRAHAM CLULEY. Probably. So these private conversations where people are talking shit about each other, they're bitching about people, they're sharing explicit photos. You know, they think they're doing all this safely, but they're not.
CAROLE THERIAULT. Trusting Twitter under the wonderful tutelage of its CEO.
GRAHAM CLULEY. He who shall not be named on this podcast.
CAROLE THERIAULT. Finally.
GRAHAM CLULEY. Let's not give him more of the oxygen of publicity. So people have been complaining to Twitter. Now, John, you're a journalist. If you complain to Twitter, what do you think the response is likely to be?
JOHN LEYDEN. Radio silence, more likely than any other response.
GRAHAM CLULEY. You would think that, wouldn't you? Because of course, Elon Musk, he who shall not be named, Lord Voldemort himself, has fired the entire press team at Twitter. So yeah, you would expect them to be silent, and they were silent for a long time when people were contacting them.
But they've just announced and acknowledged that a security incident did occur. They've emailed affected users. But in the meantime, any journalists who've been contacting the press team or have asked more questions about this security breach, which caused these private messages to appear for anybody, have got the automatic response, which has been in place for months now at Twitter's press office.
Which is Twitter's press office, if you email them, they reply back with an emoji. And they send you a poop emoji is their response.
CAROLE THERIAULT. Fine.
JOHN LEYDEN. It's more than you get when you contact Apple.
GRAHAM CLULEY. Yes, more than you get.
CAROLE THERIAULT. Yeah, I suppose it's received. You know.
GRAHAM CLULEY. Received and here's what we think of it. Yeah, so Twitter is just sending poo to do that.
CAROLE THERIAULT. Okay, well, it's self-describing itself, I think, but anyway.
GRAHAM CLULEY. So they claim they fixed this bug, but I think a warning to everybody probably is, once again, even if a website or a service claims it's going to keep your messages private, just simple screw-ups are going to carry on happening. And there's no detail as to what caused the problem, why it took Twitter close to a month to acknowledge the problem existed, let alone fix it.
It's just radio silence on that as well. So not really very impressive.
JOHN LEYDEN. It seems to me that the Twitter algorithm was promoting these supposedly private or restricted tweets to the world at large. That's how they ended up in people's feeds. And then these people replied and chaos ensued.
So there was something in the algorithm that was promoting it to people. And the whole thing seems reminiscent of when Facebook had a feature where you could restrict your communication to just friends and whatever. And that's a barrier Facebook keep changing and wanting to push down all the time without really getting people's informed consent over it. So the bigger lesson seems to be if you post stuff on social media, you can expect it to leak, frankly.
GRAHAM CLULEY. So the message, if you've got something private—
CAROLE THERIAULT. Don't put it on Twitter? I don't know.
GRAHAM CLULEY. Don't put it on the internet, full stop, maybe. I think the emoji sums it up.
CAROLE THERIAULT. Yeah. C'est le grand caca.
JOHN LEYDEN. Maybe it was an internal complaint not meant for the journalist, but just explaining their state of feeling, you know?
CAROLE THERIAULT. It's an emotional response.
JOHN LEYDEN. Why can't they just plug it into ChatGPT and then it'll generate a response and whatever?
GRAHAM CLULEY. Yeah, I wonder if anyone's done that yet.
CAROLE THERIAULT. Of course they have.
GRAHAM CLULEY. John, what's your topic for us this week?
JOHN LEYDEN. What I'd like to talk about today is a very important legal ruling that came down from the US concerning a high-profile cyberattack which dates back to 2017. It was NotPetya, which is a strain of file-encrypting ransomware which affected Windows machines across the world. Many, many enterprises were affected by this.
CAROLE THERIAULT. Yeah, huge. It was huge.
JOHN LEYDEN. So this targeted the update mechanism of a piece of Ukrainian accountancy software that anybody who traded in Ukraine needed to report VAT and so on and so forth called MeDocs. But because it targeted anybody who had any business in Ukraine, lots of international companies as well as the Ukrainian government and Ukrainian businesses were affected.
One of the worst affected was Merck, which is a pharmaceuticals company. Huge one. Massive. Another was advertising company WPP. And another big victim of this was, not to be confused with Merck, but Maersk Line, which is shipping. So that's just three, but lots of other things were affected, including consumer goods company Reckitt Benckiser, not sure if I've pronounced that correctly, and DHL logistics and parceling firm.
GRAHAM CLULEY. So in all, this probably cost companies billions, didn't it, this ransomware attack, in terms of disruption, in terms of ships not sailing, not delivering goods. Stuff not arriving. PR questions from journalists not being answered and having to resort to emojis instead, all kinds of things.
JOHN LEYDEN. They couldn't even resort to emojis. Basically all the computer systems that all these companies relied on became non-operational. This wasn't really ransomware, it was designed to destroy systems, to encrypt things and just render them useless.
So all these companies were left without any information on how to do their work. Nobody could talk to each other while the people involved on the sysadmin side were frantically trying to contain the outbreak and to restore systems. If it happened now, I think people would be in a slightly better position, but this was something that was an almost unprecedented attack in its scale and its speed. So that's why so many companies were caught on the hop.
There were DHL parcels that couldn't be sent out. Maersk Line didn't know what was happening. In the case of Merck, the pharmaceutical giant, it was left with systems that were completely non-operational. So that's the background to the story. What's the news, you ask? Well, the news is—
GRAHAM CLULEY. Yeah, John, what's the news? What is it?
JOHN LEYDEN. Well, you started off your story by talking about WWE and all the outfits.
GRAHAM CLULEY. I've very eloquently got straight to the point.
CAROLE THERIAULT. Okay. He always does.
JOHN LEYDEN. Always do. Always do. Okay, so Merck had an insurance policy which covered it for all risks. So it went to insurers and they had 8 insurers at least. And they said to them, well, we've suffered this damage, which we can document for you. It affected 40,000 of our computers, shut down our production facilities, left us without any apps. It was terrible. We would like to be compensated, please.
And the insurers said, you know, this NotPetya thing. It's an act of war, a military action. And if you read the small print of your insurance policy, it will say, "We don't cover wars."
GRAHAM CLULEY. So, "We're very sorry, but we can't help you." So they've been caught out by exactly the same thing as each and every one of us is caught out by whenever we try and make an insurance claim and you look at the small print and you find out, "Actually, we're not gonna cover you for this detail." Now, in this particular case, they're saying because it was an act of war, because it was allegedly done by the Russians, therefore it's nothing to do with us. And even though you've been giving us millions to pay for insurance, we're not going to give you a handout.
It sounds pretty much par for the course for insurance companies to me.
JOHN LEYDEN. Yeah, it does. They had a comprehensive policy, and the insurance companies were trying to use the small print to argue that they weren't liable to pay out. So this, unsurprisingly, was placed in the hands of the lawyers. It went to court. And it wound its way very slowly through court.
In January 2022, a court in New Jersey awarded the pharma giant $1.4 billion, after deciding that the insurance companies had to pay up. So that's a lot of money.
CAROLE THERIAULT. And what was the reason? What was the, do you know what the reason was? Did they say, nah, nah, nah, you can't use this act of war clause? Is that basically what happened?
JOHN LEYDEN. They decided that the acts of war clause didn't apply. And what's happened last week was that the appeal court has upheld the earlier court's decision. So that more or less sets a precedent.
GRAHAM CLULEY. So I think what I read, I may be wrong about this, so correct me, John, if you've heard differently. I think I heard it said that for it to be an act of war, there had to be some physical element to it, some sort of physical, violent, kinetic activity, which may well have saved the bacon of Maersk in this case for saying, well, it wasn't an act of war then. But it does sound like that maybe we're not really considering the potential for a cyberattack to be an act of war.
CAROLE THERIAULT. Yeah, it sets a precedent for that.
GRAHAM CLULEY. It's surely something insurance— I mean, other insurance companies watching this and indeed whoever Maersk next turns to—
CAROLE THERIAULT. Are sending each other poop emojis right now.
GRAHAM CLULEY. You know, the insurance company is going to say, well, we're not going to fall for this one. We know we don't want to do a $1.4 billion payout.
CAROLE THERIAULT. But they'd already taken the money, Graham, right? So insurance companies got on the bandwagon about 5 years ago thinking, I'm sure this and other tiny little clauses would get them out of having to do any mega payouts.
I'm sure people are freaking right now in the insurance company because of this precedent being changed. I mean, the risk has changed.
JOHN LEYDEN. And the calculation that they used when these policies were set up no longer applies. What the appeal bench said, and this is the key point of it, is that the NotPetya attack is not sufficiently linked to a military action or objective, as it was a non-military cyberattack against an accountancy software provider.
GRAHAM CLULEY. Hmm. Yeah, I see.
Yeah. So it wasn't a direct attack. It was an attack via this accountant's, this accounting software for Ukrainian or people doing business in Ukraine.
JOHN LEYDEN. Yeah. So this has quite big implications, not just for the victims of NotPetya or other cyberattacks, but for how the whole insurance market works.
And those in insurance have already seen this coming. Last year, Lloyd's of London said insurance policies will exclude nation-state cyberattacks that happen during wars, declared or not, beginning in April. So rather than relying on a general— Hang on. Yeah. Hang on.
GRAHAM CLULEY. So Lloyd's are saying insurance won't cover cyberattacks that occur during wars. Cyberattacks. Yeah. Cyberattacks from now onwards. That's— well, hang on. Well, there are wars happening all the time.
CAROLE THERIAULT. Yeah, are they relating them to wars? Are they saying if this is a direct result of the war, we're not covering you? Or are they just saying, if there's a war going on, no coverage for anybody.
GRAHAM CLULEY. We're not gonna pay out. We're not gonna pay out any more, any insurance. It's interesting.
JOHN LEYDEN. It's going to be that the premiums are going to go up if people want the coverage.
CAROLE THERIAULT. Yeah, that's always the answer, isn't it? Yep, add a zero.
JOHN LEYDEN. The other implication of this is that insurance companies will be very, very interested in attribution of future cyber attacks. Yeah.
GRAHAM CLULEY. And we all know how easy that is. Oh yeah. It never ever goes wrong. NASA, add one. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, I know you guys love a quiz.
GRAHAM CLULEY. Oh, great.
CAROLE THERIAULT. Yes, I know you do, and I know our listeners love quizzes, so I'm kicking off my story with You Think You Know Eurovision. Oh, brilliant. Okay, okay, you're going to know more about this international contest than you ever thought possible by the end of my story.
Are you guys fans of the show? So listeners that don't know Eurovision, it really is. There's people that hate it and there's people that love it. I'm in the love camp.
GRAHAM CLULEY. I don't normally watch it. I liked it in the old days when it always used to go wrong when people dialed in their votes.
So they'd say, okay, Vienna, do you have your votes please? And you'd get some cleaning lady on the other end. You know, it was always just a shambles. Katie Boyle. It still is.
CAROLE THERIAULT. You still have live, you know, live from the square and there might be 80-mile winds hitting them in the face and they're still—
GRAHAM CLULEY. Maybe. Maybe. It's all a bit too slick. And it goes on for hours and hours and hours now, doesn't it? So I'm not a huge fan these days.
JOHN LEYDEN. 3 hours. Yeah, well, that's hours and hours for me.
UNKNOWN. John, what about you?
JOHN LEYDEN. I quite like it. I don't regard it as unmissable. What I used to do is, you know, have the show on and then not really be watching the acts, but be on social media laughing at people's observations about the acts.
GRAHAM CLULEY. A modern viewer. I think now everyone's allowed to sing in whatever language they want, so they can sing in English. Whereas I used to enjoy it when they had to sing in their own language, and then I would put the subtitles on for the translation. And the lyrics on some of the songs were hilarious.
CAROLE THERIAULT. Well, that's not because the lyrics were hilarious. That's because the translation of the lyrics were hilarious.
GRAHAM CLULEY. Sure, but yeah, that I used to greatly enjoy that, I must admit. Anyway, on with the quiz.
CAROLE THERIAULT. Okay, okay, okay, let's do a little quiz quiz. No cheating, okay? That means no ChatGPT, no Googling, no search engines. And I've made them fairly easy so you could try and make it, okay? So what decade did Eurovision first air? See, not what year, what decade.
JOHN LEYDEN. I'm going to go 1950s.
GRAHAM CLULEY. I was going to say I was going to say— I'm going to say 1958. Okay, well, I said—
CAROLE THERIAULT. John Leyden, you answered first, so yes, 1950s, Lugano, Switzerland, with 7 songs. And the contest was one of the earliest attempts to broadcast a live televised event to a large international market.
JOHN LEYDEN. Surely things like the World Cup preceded that for an event broadcast to a large international audience.
CAROLE THERIAULT. I said one of the earliest attempts. Stop being picky, John. Covered my ass there. Okay.
GRAHAM CLULEY. Whose quiz is this, John?
JOHN LEYDEN. I'm sorry, I'm putting my place.
CAROLE THERIAULT. How many countries are competing this year?
JOHN LEYDEN. No Googling. Too many. About 30.
GRAHAM CLULEY. Hang on, are you including the semifinals and things like that? And the knockout rounds?
CAROLE THERIAULT. Yeah, yeah, of course. All the rounds, I guess.
JOHN LEYDEN. About 35, probably including Australia for some unfathomable reason.
CAROLE THERIAULT. John Leyden, you're very— 37.
GRAHAM CLULEY. 38. You're just copying John Leyden, because you know he knows more about it than you.
JOHN LEYDEN. No, I was closer than he was.
CAROLE THERIAULT. What song did the UK put forward last year in Eurovision 2022?
GRAHAM CLULEY. Oh, it was that guy with the long hair. I don't know, Sam something, was it? Sam Ryder. Sang about a spaceman.
JOHN LEYDEN. Well done. Yeah. I'm on fire here.
GRAHAM CLULEY. Right, yeah, I didn't know that one at all.
CAROLE THERIAULT. And you should know that, because we came in second last year. The UK, I mean. The previous year, we got a whopping nul points. So we came second to Ukraine's Kalush Orchestra, okay? The song was called Stefania. It was a mashup of traditional Ukrainian folk music with a modern rap and hip-hop twist.
JOHN LEYDEN. Oh, love that. Yeah.
CAROLE THERIAULT. Right. And normally, if you win Eurovision, what honour do you get as a country?
GRAHAM CLULEY. You get to host the next concert. Correct.
JOHN LEYDEN. Sorry, I'm having to jump in now. John getting all the points. Okay.
GRAHAM CLULEY. We should have a buzzer.
CAROLE THERIAULT. You could just honk or something. Okay, now for obvious reasons, Eurovision will not be held in the Ukraine, the actual, you know, the winners of last year, because, you know, there's fucking war going on. So the show airing this weekend will be coming to you live from Liverpool, thanks to the BBC. It's the first Eurovision Song Contest to be held in how many years?
JOHN LEYDEN. Well, it was held last year, something like that.
CAROLE THERIAULT. Yeah, 25 years. So you do the maths, I'm too lazy.
GRAHAM CLULEY. Yeah, since Bucks Fizz won, I think.
JOHN LEYDEN. No, Dana International won last time it was in the UK, and it was in Brighton. I only know that because a friend of mine went.
CAROLE THERIAULT. There you go, you see, I didn't— I see, I trust a man, I'm sure he's right. Listeners, you let us know.
Now this brings me on to today's topic, because how does one keep Eurovision safe from cyber BS? Because there's a lot of moving parts here, right?
There's international cooperations without Russia, who was banned for its warmongering. Plus you have, you know, real-time digital voting.
You've got the whole physical security angle. You've got digital communication links across the entire planet.
You know, near-live votes. I could say live, but I'd say near-live.
It's pretty amazing. And it's not always been smooth sailing.
Right, because last year, you might remember there were shenanigans where voting irregularities were identified in 6 countries taking part in Eurovision 2022. This is according to the European Broadcasting Union.
The EBU say that irregular voting patterns were spotted, and I think they mean voting manipulation.
GRAHAM CLULEY. Were the irregularities that they detected some people in Greece who weren't voting for Cyprus and some people in Cyprus who weren't voting for Greece? Because that would, that would be irregular.
CAROLE THERIAULT. It's changed slightly in that there's now a jury that kind of tops up the voting of the nation in question. And there were some irregularities.
They didn't go into it and they didn't name any countries, but 6 countries subsequently lost their voting rights, which were Azerbaijan, Georgia, Montenegro, Poland, Romania, and San Marino. And earlier this year, as people were gearing up for the show in Liverpool, you know, booking up nearby hotel rooms for the sold-out show.
Here's another factoid, or another quiz question. How fast did the show, the Eurovision show 2023, sell out?
A couple of hours.
GRAHAM CLULEY. Yes. I was going to say 3 and a half months. All right, okay.
CAROLE THERIAULT. 90 minutes. Well done, John.
90 minutes. And Booking.com said a number of accounts had been affected by cyber attacks, which were quote, quickly locked.
Okay, this is according to the BBC.
GRAHAM CLULEY. That sounds like weird phrasing. Do they mean denial of service attacks?
Maybe. I can imagine that happening against ticketing sites.
CAROLE THERIAULT. The BBC writes, Booking.com confirmed to BBC News that some accommodation partners had been targeted by phishing emails but denied that it had suffered a security breach. The way it worked, the phishing scams used WhatsApp probably due to its end-to-end encryption capabilities.
And the story goes like this. So guy books a hotel for the event, then he gets contacted on WhatsApp by someone claiming to be the receptionist asking initially if he needed parking, and then claims that there was an issue with his payment.
And the guy said, "Oh, I thought this must be okay," he told BBC News. "I got a text message from my bank and I then had a phone call from them saying that someone was trying to scam me out of money."
So he thought it was all okay and it was the phone call, it's the bank stopped it happening. So you've got these kind of things, you've got people who are attending, you have to watch out for phishing scams, but are there bigger concerns?
And it seems there is, 'cause it was brought up in the House of Commons only last week. The golden-locked Conservative MP for Lichfield, Michael Fabricant.
Oh, for God's sake. Asked the Commons.
GRAHAM CLULEY. He, listeners, just look him up and you'll know why I'm reacting like that.
CAROLE THERIAULT. Look, I don't think we should comment about his—
GRAHAM CLULEY. You know, I'm not talking about his hair, I'm talking about his wig.
CAROLE THERIAULT. He said last year during the Eurovision Song Contest, Russian agents attempted to interfere with the voting that was made for Ukraine. And he cites this correctly: Italian police thwarted hacker attacks by pro-Russian groups during the semi-final and final of Eurovision Song Contest in Turin 2022.
During voting and the performances, the police cybersecurity department blocked several cyberattacks on network infrastructure by the Killnet hacker group and its affiliate Legion, the police said. And you remember, last year saw Ukraine win the contest, and early on they were pegged to do well.
And there have been more digital disruptions with political overtones. There was one in 2019 in Israel when the national broadcaster's online stream was replaced with footage of explosions. I remember that.
Right, so brings us to last week. Fabrikant, right? I shouldn't call him that. What should I call him?
GRAHAM CLULEY. I think Fabrikant is almost correct. It's just one syllable.
CAROLE THERIAULT. Yes, Fabrikant says in the Commons, this year of course we're hosting the Eurovision Song Contest, and he wants to know what the department is doing to ensure that the integrity of the voting will be maintained. And he's not alone in being concerned, because soon after, experts from the National Cyber Security Centre were called in after the government and Eurovision organizers raised concerns that the competition could be a digital front for the Ukraine war.
The Daily Mail reported that this year's contest held in Liverpool will have reinforced cybersecurity defenses by the NCSC. This is the National Cyber Security Centre.
And a source told the Times, while it's possible to be confident that concertgoers will be safe, the cyber side is far more unpredictable. So yeah, it's kind of a case of wait and see.
GRAHAM CLULEY. Or not, as the case may be. I think I personally—
CAROLE THERIAULT. I'm not going to be tuning in. Oh, come on!
GRAHAM CLULEY. I don't think I'm going to tune in.
CAROLE THERIAULT. Why are you so grumpy about it? Well, I just, you know, it's too— Yeah, it's music, it's fun, it's country.
GRAHAM CLULEY. I'll tell you my favourite story about Eurovision very quickly, which is, as you know, it costs money to put on the competition. So the host nation— I don't even know why the UK is doing it this year because we've got this cost of living crisis going on.
Couldn't we have combined the Eurovision contest and the King's coronation? We could have made them the same event.
I reckon we could have done it. That would have been easy. They're close enough in time.
Anyway, back in the '80s, Ireland kept on winning the Eurovision Song Contest because everyone loves Ireland and, you know, they have a lovely brogue and the rest of it. But Ireland couldn't afford to run the competition every year, so they deliberately chose a folk duo singing a rather sappy song.
They put it forward as their entry, thinking, we don't want to win this year because it'll cost us a fortune, we can't afford it.
JOHN LEYDEN. Wasn't this a plot in Father Ted?
GRAHAM CLULEY. Yeah, this is probably my lovely horse running, running in the fields. These guys won it, and so Ireland had to host for a third year, right?
CAROLE THERIAULT. I'm watching it. You know what I'm doing on Saturday? I'm watching it. I'm gonna make my DIY voting cards. We're gonna have a great old time.
JOHN LEYDEN. That's the highlight show, Graham. You might find something new.
CAROLE THERIAULT. No, he's just a grumpy beep. This week's sponsor, Outpost24, delivers smarter cyber risk management. Making it easy to identify security gaps in your attack surface and prioritize the vulnerabilities that matter.
With Outpost24, you get the most complete view of your attack surface and threats targeting your organization, helping your security team understand what's real, what's dangerous, and what's important to fix in the environment right now. Application security, vulnerability management, cyber threat intelligence, they've got it all covered. They can even protect your remote workforce and critical data by blocking weak and already compromised passwords.
Sign up for a free attack surface assessment from Outpost24. Get insights into exposed domains and web applications, leaked credentials, and more. Sign up for your free attack surface assessment at smashingsecurity.com/outpost24. That's smashingsecurity.com/outpost24.
GRAHAM CLULEY. Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant.
How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero-trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication. And it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it.
If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.
CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds.
And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up, it's easy to use.
I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
JOHN LEYDEN. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. It better not be. Well, my Pick of the Week this week is not security-related.
My Pick of the Week is a podcast. It's actually a collection of podcasts because I support this particular chap on Patreon, which means I get to listen to all of his podcasts, including the episodes he doesn't release to the general public. And I also get early listening to episodes months before they are released to the great unwashed.
And the name of this chap is Toby Hadoke.
CAROLE THERIAULT. And what does Toby Hadoke talk about?
GRAHAM CLULEY. Toby Hadoke's Time Travels is all about Doctor Who. Funny, I hadn't heard of it. And he's a very funny guy. He's a stand-up comedian, he's an actor, he's a writer, and he's also a complete Doctor Who fanatic.
And he puts out several podcasts a week, all of which I listen to, which include episode commentaries, where people challenge him to find out something which they really liked about a particular episode. So he watches it in real time and he knows an awful lot about every single actor in Doctor Who, including the third Cyberman on the left and other things that he may have done in the past. And it's just wonderful, uplifting, positive stuff about Doctor Who.
CAROLE THERIAULT. Not like that boring stuff called Eurovision.
GRAHAM CLULEY. Well, I think if you are a Doctor Who fan, you should really check out Toby Hadoke and his podcasts. And if, like me, you like him, then just for a few quid every month, you can support him as well and get the real hardcore stuff, the really geeky stuff, which he sometimes puts out as well.
Anyway, I love it. I love his dog Bernard as well. He also posts up a weekly photograph of his dog Bernard. And that is why it is my pick of the week. John, what's your pick of the week?
JOHN LEYDEN. Okay, I'm going to offer a fairly practical pick of the week. Now, over the last couple of years, I've been involved in home renovations. Fun. Yes. Lots of builders, lots of disruption, lots of things going on.
One of the things that really helped me navigate through this was a site called mybuilder.com. So how that works is, it makes it easy to find local tradespeople. And what you do, it's free to use for homeowners, and you would post a job. You'd select the category of the job. It could be anything from plumbing to kitchen fitting to a full renovation.
And then tradespeople in your area will respond to it, and you can check out their reviews, their profiles, see if you want them to come around and have a look at the job. And once you meet, then you can agree a price. You can get, you know, it's far easier to contact tradespeople this way, I found, than it would be just to rely on word of mouth or just to go through the Yellow Pages. I found it a lot easier than Trusted Trader to work through, for example.
CAROLE THERIAULT. This is really useful, John, because every one of us has this type of thing. I mean, obviously this is only good for people in the UK, but I'm sure these kinds of services exist in other countries. And it's— I— yeah, this is really— I'm bookmarking this. So yeah, looks good.
JOHN LEYDEN. Yeah, it's really, you know, I've used it for over two years and the vast majority of the jobs I put out there, it found people for them. Some jobs you get swamped with people looking to do them, others, you know, it's quite difficult to find people. Yeah, it's not a complete panacea for home renovations, but it is really good.
And one of the biggest benefits I found was that you can write down and explain the work you want to do. So when the builder comes, you can talk on that basis about the work you want to do, rather than having four or five ten- or fifteen-minute conversations with different people who may or may not be interested. Yeah, it saves a lot of time, much more efficient in that way.
GRAHAM CLULEY. Cool. And I'm seeing on the site, so for listeners who are in other parts of the world, they are a member of something called HomeAdvisor International. So they have a sister site at homeadvisor.com if you're in America and homestars.com if you're in Canada. And here's my favorite in Germany, myhammer.de. Oh, well, that's wonderful.
JOHN LEYDEN. I didn't know that.
GRAHAM CLULEY. Well, that's a great recommendation. Thank you, John, for mybuilder.com. Carole, what's your pick of the week?
CAROLE THERIAULT. My pick of the week was going to be the Eurovision Song Contest, but I was able to make it slightly security-related. So I'm going to choose something else.
And I was thinking, what do I choose? And I decided to choose the Oxfordshire Art Weeks as my pick of the week.
This is an open exhibition where artists from all over the county show their work from their studios or homes or wherever they do it. And it started last weekend and it goes on for a month.
And Oxford City, where I live, the exhibitions start this Saturday on May 20th, and yours truly is taking part once again. It's my third year.
Opening my studio and selling artworks and prints and all kinds of cool stuff. And listeners, you can have a gawk at my new work because I spent the last month or so preparing and labeling and scanning and adjusting and getting them up on a website.
And it's been driving me insane, but I think I've managed to get most of it done for this episode. So I cordially invite you to visit carole.wtf and see how I spend my time when I'm not podcasting.
Sounds awesome. Yeah.
And if we're really lucky, by the time the show goes live, I am hoping that you will be able to vote on favorite artworks, which I would really love if you would do. It's not that it goes anywhere, but it helps tell me which ones might be more popular than others, so it can help me decide which ones are displayed for the exhibition.
So that's a little favor, but maybe you might enjoy it too. So there you go, Oxfordshire Art Weeks, my pick of the week.
And if you get a chance to come down and see our little corner of the UK, do it. But if you can't make it, go to my website, so it's carole.wtf, C-A-R-O-L-E dot w-t-f, and go vote on some favorites.
GRAHAM CLULEY. And thank you. Fantastic.
Done some terrific paintings up there, I have to say. And you've updated it recently around about 150 pictures?
CAROLE THERIAULT. I think probably about 60 or 70 are new from last time I posted. I just only do it once a year, it seems.
I hate this bit. I hate the website updating bit so much.
GRAHAM CLULEY. Fantastic. Well, I've been to some exhibitions run by Oxfordshire Art Weeks in the past, and they've always been good fun going around to people's houses and checking out.
You were at my house last year. I was indeed, and I look forward to checking out some of your art in the flesh as well, Carole, if I get the opportunity.
Wow, sounds sincere. Okay.
Well, I try. Carole, you've been speaking to the folks at Outpost24 this week.
CAROLE THERIAULT. Yes, I have. I was speaking with John Stock from Outpost24.
Check it out. So listeners, I would like to introduce you to John Stock.
He is the Director of Product Management at Outpost24. Thank you so much for coming on Smashing Security.
Thanks for having me. You sound like you have a very busy and stressful job because, from what I understand, you're managing all the feature implementations, the timelines, the testing, and everything else for the suite of cybersecurity services that are offered by Outpost24?
This includes things like risk-based vulnerability scanning and application security testing and pen testing and red teaming and training, certification, managed service. I mean, do you have time for family and hobbies?
JOHN STOCK. No. Yeah, I make time.
So that— yeah, wife and two kids keep me very busy. The kids have a social life, I don't, so I'm busy taking them to football and cricket and everything, but no, I keep myself stress-free with Lego and photography.
And so there's a few very different things there, and none of them involve too much outside stuff. But I'm quite lucky, I live in Devon, so I'm 20 minutes from the beach and have Dartmoor on my doorstep.
So I get a lot of outside time and enjoy that.
CAROLE THERIAULT. Yeah, so for our international listeners, Devon is a beautiful county in the UK. I absolutely love it. But we digress.
I want to talk to you about being a director of product management. So with that job, you must have some deep insight into what companies, in general, are good at securing and what things they tend to overlook.
JOHN STOCK. So it's really funny. I was actually talking to a customer last week.
I traveled up to sunny London to go and spend some time with them. And it's the common problem we see is they've got too much stuff.
Everything is online and connected now. So when they went back, if we say go back 3 or 4 years before we all started changing the way we work and they had a few offices and everybody was sat in an office, they knew where nearly everything was, was in a data center or it was in a cloud infrastructure.
And now their data centers are shutting down because less people are using them and things are moving into the cloud. People aren't coming into the office, you know, they're in for 2 days a week rather than 5.
So they've got mothballed offices that are now shared offices because they need to get people in and they rent out space. So suddenly they're looking at, you know, where we had— we knew where everything was.
We knew that it was in our data center or we had a specific cloud account or everyone was in an office. Now, you know, someone like me works from home and the other laptops in my house, we don't know how good or bad they are.
So one of the challenges that they're coming across is their threats or the threats that are being presented to them have grown from just what's hitting their firewall coming at them from the internet to their organization to where their employees are actually sat doing their work. And it just seems more and more customers that I'm talking to now are becoming really concerned about that.
You know, that I'm sat now at home with other infrastructure that is not within the organization's control, or I'm, you know, I'm traveling and sat in airport or sat in a coffee shop or something like that, and they suddenly realized that actually that problem already existed, but they're really concerned about it. So that's one of the things that I'm hearing a lot about, is that they're seeing more threat coming at them from stuff they'd never considered.
Rather than, you know, they think of people attacking them over the internet on a global scale from, you know, big threat actors or national threat actors. And actually, it's, you know, the bad things are happening from a piece of infrastructure that's not in their control that could have something bad.
My wife's company may not care about the malware that's installed on her laptop. They're not bothered by it.
And then that's trying to infect everything in my house, and my laptop sat there without antivirus that's out of date because I'm not connecting to the VPN I should be. So yeah, they're just— the risks, they're seeing more risks opening up than they've thought that they had to struggle with.
CAROLE THERIAULT. Yeah, it's true. I mean, just this weekend I had a neighbor come over wanting to do some scanning and couldn't get her cloud account working. So she was just, "Oh, I'll just bring over my USB and slap it in your machine."
And I'm, "Whoa, no, no, no, no, no, no, no." You feel very— I don't know, I felt a bit awkward saying that, but there you go.
JOHN STOCK. But it's funny because that— those are the little things that make people aware, oh, is that bad? Yeah, those of us who've worked in security for years and then someone says, "Oh, can I just stick my USB in?"
And you're, "No." They're, "What?"
I'm, "No, you're not going anywhere near my laptop with your USB."
CAROLE THERIAULT. Just get out of my house. So when you're explaining how the whole landscape has kind of shifted under the feet of all these organizations, I'm imagining what comes with that is that they have less insight into how their whole network looks and, you know, 'cause it's so disparate.
JOHN STOCK. Yeah, I mean, I used to be a, back in the day, out of university, I was a network engineer and I remember the day of printing out an A0-sized network map because it was huge on a big plotter. And now, well, you'd need something massive because your network is no longer those cables and wires and routers and switches in your building.
It's everything else outside and probably most of the internet as well, including parts you didn't really know existed are probably now part of your, you know, you've got stuff there because I know from speaking to our marketing department a lot, things thrown up and pulled down. You know, there's advertising campaigns and all these things where you go to a third party and they'll spin something up and then that's now yours and it's got your name plastered all over it and you're responsible for it.
But guess who's the first person to know? It's that security person who's responsible for it. So those things are, you know, it's got your name, it's your problem.
And one of the— it's the whole thing of the asset management used to be the job of an asset manager, and then suddenly everyone's turned around and gone, you're a security person, you need to know where everything is because if it gets hacked, that's your problem. You know, CISOs need to know where everything is and they can't just say, oh, it's all in our CMDB, it's all in our IPAM, because it's not.
CAROLE THERIAULT. I think, because I guess what I'm hearing is that it's basically impossible to have 100% visibility of the entire network and the potential attack surface that comes with it? Absolutely.
JOHN STOCK. Yeah, it's— you can get close. So it's possible to get close, but, you know, 100% is going to be impossible.
You know, if you just rely on a CMDB, maybe you're 60% or 70% of the way there. That's quite a good step forward. You know where the laptops that you've bought should be, you know, where the devices you've bought should be.
But that doesn't take into account and, you know, developers, I love them to bits because we couldn't do any of the stuff we do without a good team of developers. However, you know, there's instances where they throw things up in the cloud, they just need to test it, and then, oh, it works, and they're so happy it works, they walk away and forget about it.
Or, you know, we've had quite a few customers we've been talking to where that's happened way too many times, because things have been thrown up and they've forgotten about it, or they've thrown it up and it hasn't worked, so they've left it there and worked on it, and then they're running vulnerable services in places because they've just thrown it up to solve a problem without thinking, how is that secure?
CAROLE THERIAULT. But that seems to me that's what most people do. There's someone in most companies that does that approach, hopefully not working in security, to your point. No, no, hopefully not.
JOHN STOCK. But yeah, there's always, you know, we all come across that thing. What's the easiest way to solve this problem? Right. And as a product manager, that's the kind of thing that I'm all about solving problems. How can I solve this problem?
Sometimes it's really easy. I just need to document it. Other times it's like, yeah, let's just throw this up and test it. And you throw something up in the cloud.
Now, if you're good, you go to your cloud people and go, hey, I need to do some testing on this. And they're like, okay, we'll provide you an instance. They provide it and you get it for a set amount of time and then they kill it down and you know it was secure while you were testing it.
But yeah, there's nothing stopping me going into my own cloud account, throwing something up and putting it in, having Outpost24 all over it and forgetting about it and paying the bill every month and it being associated with the organization, which I would point out I would never do because too many people get angry at me.
CAROLE THERIAULT. So this seems a good time to pivot to Outpost24's vulnerability prediction technology, or VPT. What can you tell me about that?
JOHN STOCK. Yeah, so, I mean, one of the big challenges you get, so when you're in security, you're scanning your stuff, right? Everybody runs vulnerability scanning. I'm not saying everybody likes it.
You know, no one does it by choice. You do it because the auditors have said you've got to do it. There's a regulation that says you've got to do it or you need to check that your security, your base level security is pretty good.
But no one does it because they think it's an exciting thing to do. And you find out what your vulnerabilities are and you get a CVSS score. Now, CVSS scores are great, but they don't have any context really in them.
You know, you get a score from 0 to 10. 0, go, ignore it. 10, it's really bad. But that's not really looking at the risk.
It's just looking at, you know, what's the potential threat of that vulnerability? Doesn't matter if no one's ever going to build an exploit for it. If it's potentially really bad, then it will still have a high score, even though it could be almost impossible to build an exploit for it.
And it's probably not worth everybody working at the weekend to try and patch it. So the idea of VPT is it uses our threat intelligence technology that we have and actually looks at what are the real-world threats of this vulnerability. So rather than just, yeah, there's the CVSS score 10, we must fix it.
It's like, okay, let's look. Are there any threat actors actually talking about this vulnerability itself? Is it used in any malware?
Yeah. How much is it being discussed on social media? Those kinds of things. Because, you know, you often find that just the social, the social side of things is quite a good indicator of whether something's going to be big or small.
CAROLE THERIAULT. And it's like, you know, your VPT kind of gives you just the edge, doesn't it, on the attack surface that you can't basically fully lock down because you're not fully aware of it for whatever reason.
JOHN STOCK. And it allows you to focus on what's important. I think that's the key thing, right? If I've got a million vulnerabilities, and to be honest, the size of some organizations, that's not unheard of, you know, it's not a bad thing.
You just can't fix everything. But if they've got a million and they're like, oh, we don't know where to start, there's a couple of ways to start. It's, okay, what's the stuff that's most likely to be exploited and maybe is exposed, right?
So internally, we all talk about the internal threat, and I know it's still high, but if you look externally, there's billions of people externally and maybe hundreds to thousands internally. So, you know, obviously internet-facing stuff is the Wild West out there.
So that's priority and stuff that, you know, likely has that exploit available. That's the stuff you should prioritize.
So it's where do you get the most bang for your buck in terms of remediation? Where can you make the most difference without paying 6 months' worth of overtime in a weekend?
And that's all it is. It's trying to bring the focus into your business risk rather than just saying, oh yes, this formula says that these are all really potentially high risk. So, look, taking away from potential risk to actual risk.
CAROLE THERIAULT. It's funny, it reminds me of when I got my true corporate business legs was when a coworker explained to me, I was like, how do you manage this list of 80,000 things I have to do by tomorrow? You know, how do I do it? She goes, you bring it to your boss and you say you prioritize it and then just go and do it.
And I thought, that's so genius. So that's kind of what you guys are doing. You're kind of prioritizing it and giving the people that are responsible for security the chance to focus on the biggest fish.
JOHN STOCK. And it's understanding your risk appetite as well. So this is another thing that I've always kind of talked to a lot of customers about: what is your risk appetite?
And most organizations don't actually know what their risk appetite is because I always say, oh, you'd never catch me doing a bungee jump because my risk appetite is not that high. It's way too dangerous. But actually many things I have done, like scuba diving and even driving every single day, are way more dangerous.
If you look at the deaths per million people, they are way more dangerous than a bungee jump. Driving to work is the most dangerous thing I can do.
CAROLE THERIAULT. You should try walking. No, there's limits here.
That's wonderful. Is there anything you'd like to add?
JOHN STOCK. One, understand what your risk appetite is, how much risk you're willing to accept. And two, make sure you get— when you're remediating vulnerabilities, don't panic.
Don't think, oh, I've got a million I've got to fix and I've got to do them all now. It's what can you fix and get the most value out of?
What's going to— what can you do to impact your business in terms of risk and reducing that risk as easy as possible? Brilliant.
CAROLE THERIAULT. Now, listeners, you will be thrilled to learn that Outpost24 is offering a free attack surface assessment. So this will give you insights into things like domain and web applications exposed on the internet, staging applications in clear text form that may be putting you at risk, old and vulnerable components in use, leaked credentials, and you'll even get an attack surface risk rating and recommendations.
So you can sign up for your free attack surface assessment at smashingsecurity.com/outpost24. And thank you so much, John Stock, Director of Product Management, for coming on the show and giving us a bit of your time.
JOHN STOCK. Oh, thank you for having me.
CAROLE THERIAULT. It's really fun. Brilliant.
GRAHAM CLULEY. Terrific stuff. And that just about wraps up the show for this week. John, I'm sure lots of listeners would like to follow you online, and maybe there are some folks who would like to hire your cybersecurity expertise if they need some content written. What's the best way for folks to do that?
JOHN LEYDEN. You can find me on Mastodon or Twitter or LinkedIn.
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G, and also Smashing Security has a Mastodon account. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge, huge shout out to this episode's sponsors, Ride, Outpost24, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 320 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye.
JOHN LEYDEN. Adios. Yes. I tell you what, we got through an episode of number 321 without mentioning Dusty Bin or the quiz show.
GRAHAM CLULEY. No, Ted Rogers. Ted Rogers, wasn't it? Ted Rogers, that's it. Ted Rogers and Dusty Bin. Oh, we missed a trick there. Definitely. Carole, have you heard of Dusty Bin and 321? No. You're too young, I think. She probably wasn't in the country when that was on. No. It's another ITV thing as well. It's probably on after the rest of it.
CAROLE THERIAULT. Oh, I see.