WEBVTT

00:03.035 --> 00:04.677
[SPEAKER_01]: They simply removed all the keyboards.

00:05.217 --> 00:06.619
[SPEAKER_01]: Touch screen only for you.

00:06.639 --> 00:08.080
[SPEAKER_01]: Yes.

00:08.100 --> 00:09.661
[SPEAKER_01]: You can't Control-Alt-Delete anymore.

00:19.571 --> 00:27.079
[SPEAKER_02]: Smashing Security, episode 440: how to hack a prison, and the hidden threat of online checkouts.

00:27.099 --> 00:28.620
[SPEAKER_02]: With Graham Cluley.

00:29.984 --> 00:36.467
[SPEAKER_03]: Hello, hello, welcome to Smashing Security episode 440. My name's Graham Cluley, and I am Scott Helme.

00:36.903 --> 00:39.726
[SPEAKER_03]: Scott, welcome back to the podcast.

00:39.786 --> 00:41.307
[SPEAKER_03]: It's been a little while, hasn't it?

00:41.608 --> 00:49.615
[SPEAKER_00]: It has, and I think we've recorded a few of these now, and it must be, I was going to say over the years just as a turn of phrase, but I actually think it must be over the years.

00:49.916 --> 00:55.601
[SPEAKER_03]: Well, the extraordinary thing is, Scott, last time you were on the podcast was seven years ago.

00:56.142 --> 00:56.862
[SPEAKER_03]: Can you believe that?

00:57.163 --> 00:57.843
[SPEAKER_03]: No way.

00:58.224 --> 01:04.750
[SPEAKER_03]: Come November it will be seven years, and I have to ask, what on earth have you been up to all this time?

01:04.898 --> 01:07.141
[SPEAKER_03]: Wow, seven years, I can't actually believe that.

01:07.621 --> 01:10.445
[SPEAKER_03]: What's been keeping you away from the podcast?

01:10.465 --> 01:21.878
[SPEAKER_00]: Oh, well, do you know, I have to say, like, the number one thing is just work, actually, such a boring thing to say, but kind of, because gosh, like seven years ago, it was right back at the start of, kind of, Security Headers and Report URI.

01:22.278 --> 01:22.519
[SPEAKER_00]: Yep.

01:22.539 --> 01:27.244
[SPEAKER_00]: So I've since sold Security Headers, built that up and grew it into quite a popular little thing, I guess.

01:27.324 --> 01:27.885
[SPEAKER_00]: And, um,

01:27.865 --> 01:44.608
[SPEAKER_00]: that's now sold and moved on to Probely now, and I shifted my focus on to Report URI, and now we have staff members and a team and people that I have to kind of, you know, be responsible for, and we're currently in the progress of growing that into quite a respectable little organisation.

01:44.588 --> 01:49.254
[SPEAKER_03]: Fantastic stuff, so the Scott Helme empire continues to roll.

01:49.775 --> 01:51.057
[SPEAKER_03]: I'm trying my best.

01:51.077 --> 01:54.702
[SPEAKER_03]: And for those people who haven't heard of it before, Report URI, what does it do?

01:55.122 --> 01:57.526
[SPEAKER_00]: We help websites look after their cyber security.

01:57.846 --> 02:03.253
[SPEAKER_00]: So modern web browsers nowadays have some super cool features built into them by default.

02:03.734 --> 02:07.479
[SPEAKER_00]: And we kind of guide organizations through how to configure them and turn them on.

02:07.579 --> 02:12.486
[SPEAKER_00]: So you can know exactly what's going on in your website.

02:12.466 --> 02:18.537
[SPEAKER_00]: Data is not being snaffled off by malicious JavaScript or ads or any other kind of trickery that shouldn't be happening.

02:18.577 --> 02:20.320
[SPEAKER_00]: You can make sure that that's the case.

02:21.022 --> 02:21.543
[SPEAKER_03]: Great stuff.

02:21.923 --> 02:26.993
[SPEAKER_03]: Well, before we kick off, let's thank this week's wonderful sponsors: Vanta, 1Password and Anon.

02:27.133 --> 02:30.559
[SPEAKER_03]: We'll be hearing more about them later on in the podcast.

02:32.767 --> 02:34.450
[SPEAKER_03]: This week on Smashing Security.

02:34.811 --> 02:43.566
[SPEAKER_03]: We're not going to talk about how a major outage hit Amazon Web Services, impacting many websites and online services, and even stopped Ring doorbells from working.

02:45.109 --> 02:56.749
[SPEAKER_03]: You'll hear no discussion of how China says it has irrefutable proof that the United States was responsible for a cyber attack that has disrupted the country's communications, financial, and transportation networks.

02:59.041 --> 03:00.224
[SPEAKER_03]: And we won't even mention.

03:00.625 --> 03:05.556
[SPEAKER_03]: How Nintendo has confirmed that hackers have accessed some of its infrastructure and stolen data.

03:06.057 --> 03:09.866
[SPEAKER_03]: The high profile hacking group, Crimson Collective has claimed responsibility.

03:10.327 --> 03:12.612
[SPEAKER_03]: Meaning Bowser is in the clear this time.

03:15.072 --> 03:17.795
[SPEAKER_00]: So Scott, what are you going to be talking about this week?

03:18.276 --> 03:25.245
[SPEAKER_00]: Compliance, but, but, but, but, but it's going to be an interesting kind of topic, very, very heavily cyber-security related.

03:25.265 --> 03:31.973
[SPEAKER_03]: And I'm going to be talking about the ultimate insider threat: inside a prison.

03:31.993 --> 03:35.798
[SPEAKER_03]: All this and much more coming up on this episode of Smashing Security.

03:43.810 --> 03:51.725
[SPEAKER_03]: Alright then, quick shout out to one of our sponsors this week, 1Password, and more specifically something that they've got called Trelica.

03:51.745 --> 03:56.173
[SPEAKER_03]: Now, be honest, do you actually know how many SaaS apps your company's using right now?

03:56.714 --> 03:58.838
[SPEAKER_03]: Probably dozens, maybe hundreds!

03:58.858 --> 04:03.928
[SPEAKER_03]: Half of them signed up for by some guy in marketing with the company credit card.

04:03.908 --> 04:13.787
[SPEAKER_03]: That's what Trelica's for: it finds all of those apps, even the sneaky ones nobody admits to using, and gives you a proper overview of who's got access to what.

04:14.408 --> 04:23.706
[SPEAKER_03]: So no more abandoned accounts sitting around waiting to be hacked, no more paying for licenses that no one's touched for years. It also makes it dead simple to

04:23.686 --> 04:34.579
[SPEAKER_03]: bring new people on board, remove folks when they leave, keep track of who's got access to what, and stop your IT from turning into a tangled mess of old forgotten accounts.

04:35.259 --> 04:46.032
[SPEAKER_03]: I've used 1Password for years, they've always been great at taking the hassle out of security, and now with Trelica, they're going after the whole SaaS sprawl problem.

04:46.012 --> 05:07.058
[SPEAKER_03]: If you want to tidy up your company's app chaos, take a look at 1Password.com/smashing, that's 1Password.com/smashing, and thanks to 1Password for supporting the

05:07.865 --> 05:12.071
[SPEAKER_03]: Now, I don't know if you've ever been in a Romanian prison, Scott.

05:12.091 --> 05:15.355
[SPEAKER_03]: I was beginning to wonder if that's where you've been for the last seven years or so.

05:15.876 --> 05:17.018
[SPEAKER_00]: I've just finished my sentence.

05:18.019 --> 05:25.430
[SPEAKER_03]: But if you go to a prison in Romania, there are some things you can be pretty sure you are likely to see.

05:25.510 --> 05:37.146
[SPEAKER_03]: So there'd be bars on the cells, there'd be high walls, beefy guards patrolling up and down, and you may think to yourself.

05:37.430 --> 05:39.092
[SPEAKER_03]: What could go wrong in a prison?

05:39.492 --> 05:43.216
[SPEAKER_00]: Well, you definitely hope that there wasn't anything to go wrong, and if there was.

05:43.276 --> 05:48.180
[SPEAKER_00]: They'd kind of foresee that and put the necessary protections in place, wouldn't you?

05:48.781 --> 05:49.642
[SPEAKER_03]: You'd like to think so.

05:49.862 --> 05:52.965
[SPEAKER_03]: You would hope everything's secure, that there are no back doors, right?

05:53.005 --> 05:54.346
[SPEAKER_03]: There's proper security in place.

05:54.607 --> 06:05.277
[SPEAKER_03]: Well, the danger, it turned out, in this particular set of prisons was web kiosks, because dotted around the prison are funny little computer stations,

06:05.257 --> 06:08.582
[SPEAKER_03]: where you can do a little bit of this, do a little bit of that if you're a prisoner.

06:08.883 --> 06:11.487
[SPEAKER_03]: But unlike in the days of the Great Train Robbery, right?

06:11.847 --> 06:13.530
[SPEAKER_03]: The prisons have gone online.

06:13.570 --> 06:19.979
[SPEAKER_03]: Now, I'm not entirely sure what you do with a web kiosk inside a prison, to be able to.

06:19.999 --> 06:21.662
[SPEAKER_03]: Oh, why would you even need one, Graham?

06:21.642 --> 06:27.313
[SPEAKER_03]: Maybe you can order some snacks from the workshop, maybe you can book a night out at the local pizzeria, who knows?

06:27.633 --> 06:36.730
[SPEAKER_03]: My guess is that it's probably to reduce paperwork, because if prisoners can serve themselves, it's a bit like how you and I, right?

06:36.750 --> 06:44.545
[SPEAKER_03]: We both live in the UK and if we want to deal with any sort of government organization like HMRC or anything like that,

06:44.525 --> 06:46.811
[SPEAKER_03]: You're always logging into a website these days, aren't you?

06:46.831 --> 06:51.222
[SPEAKER_03]: You're not queuing up somewhere, you're not filling in paper forms, you're doing it online.

06:51.503 --> 07:01.588
[SPEAKER_03]: I imagine it's similar for prisoners, where rather than getting them to queue up and go to a little window, they're actually saying, well, serve yourself.

07:01.568 --> 07:02.990
[SPEAKER_03]: Get the information you need.

07:03.371 --> 07:26.766
[SPEAKER_03]: So you're probably logging in on one of these computers and you're submitting a visitor request, or dropping a note about your medical needs, or maybe tracking if you've got a sentence reduction because you've been good, or whatever it may be. And also you could use it to check your financial balance while at the prison, because when you go into a prison, my understanding, Scott, maybe you know much more about this than me.

07:26.746 --> 07:32.496
[SPEAKER_03]: What I understand is that you have a different bank account which you can use inside the prison.

07:32.516 --> 07:38.045
[SPEAKER_03]: You've got a little float of cash which you can use to go and buy yourself a bit of grub.

07:38.066 --> 07:39.388
[SPEAKER_03]: Don't you already get fed though?

07:39.548 --> 07:40.189
[SPEAKER_03]: Did I miss?

07:40.209 --> 07:44.537
[SPEAKER_03]: Well yeah, I would think you may be able to get a little bit of extra chocolate or something, you know.

07:44.557 --> 07:45.358
[SPEAKER_03]: Okay.

07:45.538 --> 07:45.919
[SPEAKER_03]: Okay.

07:45.899 --> 07:48.602
[SPEAKER_03]: So you'd have some sort of token, or something like that?

07:48.763 --> 07:49.944
[SPEAKER_03]: This is just my imagination.

07:49.984 --> 07:54.369
[SPEAKER_03]: I'm sure prisoners who are listening to us right now on their smuggled-in smartphones.

07:55.030 --> 07:57.714
[SPEAKER_03]: Come on, email in and tell us if I'm not right about this.

07:57.994 --> 08:00.677
[SPEAKER_03]: But that's really it, rather than having cash in your pocket.

08:01.118 --> 08:11.751
[SPEAKER_03]: There'll be a little bit of digital cash inside the prison, where maybe it's been deposited by your family or it's earned through working in the kitchens or in the gardens, and you can use that for little purchases.

08:12.071 --> 08:12.632
[SPEAKER_00]: Okay.

08:12.612 --> 08:16.660
[SPEAKER_03]: Maybe you're just using a computer system for working out if your library book is overdue.

08:17.161 --> 08:20.809
[SPEAKER_03]: Whatever it is, the point is, we need computer systems.

08:21.229 --> 08:25.257
[SPEAKER_03]: Well, frankly, we would shrivel up and die if we didn't have computer systems.

08:25.558 --> 08:26.520
[SPEAKER_03]: You and I.

08:26.821 --> 08:29.246
[SPEAKER_03]: I feel like sometimes I'm hermetically attached.

08:29.646 --> 08:29.887
[SPEAKER_01]: Yeah.

08:30.267 --> 08:34.175
[SPEAKER_03]: It's like trying to remove the smartphone from my child's palm.

08:34.195 --> 08:38.563
[SPEAKER_03]: I mean, it's quite enough, it's like holding onto it for dear life.

08:39.104 --> 08:41.969
[SPEAKER_03]: The thing is, these guys had access to a computer.

08:42.550 --> 08:47.800
[SPEAKER_03]: And what one chap managed to do was find a way to bend the system a little bit.

08:47.780 --> 08:53.709
[SPEAKER_03]: Now, there are many reports of this from the Romanian press, and I'll be honest with you.

08:53.950 --> 09:00.400
[SPEAKER_03]: They've been through the Google Translate mincer for me this morning, trying to make head or tail of exactly what happened.

09:01.001 --> 09:15.424
[SPEAKER_03]: It's a confusing story, but it seems fundamentally that one way or another, he managed to find out the password of a member of staff.

09:15.623 --> 09:22.750
[SPEAKER_03]: My suspicion is that it probably contained one number and one capital letter, so it would have been capital P for Password followed by the number one.

09:23.210 --> 09:26.733
[SPEAKER_03]: It's probably going to be something like that, but I don't know exactly how they got it.

09:26.773 --> 09:33.720
[SPEAKER_03]: Maybe the staff member left their password on a sticky Post-it, or maybe they were watched as they were typing it in.

09:33.740 --> 09:35.021
[SPEAKER_00]: Shoulder surfing in prison?

09:35.221 --> 09:35.461
[SPEAKER_03]: Yeah.

09:35.942 --> 09:39.845
[SPEAKER_03]: Or maybe they just let the prisoner have it for some reason.

09:39.965 --> 09:40.506
[SPEAKER_03]: Who knows?

09:40.606 --> 09:41.507
[SPEAKER_03]: It's not entirely clear.

09:41.827 --> 09:42.728
[SPEAKER_03]: But the prisoner.

09:42.708 --> 09:57.780
[SPEAKER_03]: now has the login password for this prison worker, and it turned out that this password worked on this web-based portal, which they could access through these web kiosks, for managing their time inside the prison.

09:57.760 --> 10:19.043
[SPEAKER_03]: And these kiosks are normally fairly locked down in terms of what you can access and what you can do, obviously, as you would expect, a bit like being in a school, I imagine. But however locked down they were, by some jiggery-pokery this guy found that they had unlimited access to the prison database.

10:19.023 --> 10:22.448
[SPEAKER_00]: Oh no, so I'm guessing, like, no 2FA.

10:23.009 --> 10:25.893
[SPEAKER_00]: And now we're going to go straight to super admin, aren't we?

10:25.913 --> 10:26.393
[SPEAKER_03]: Exactly.

10:26.694 --> 10:27.755
[SPEAKER_03]: They became the admin.

10:28.216 --> 10:32.342
[SPEAKER_03]: And once they had this newfound godlike power, what's the first thing he does?

10:32.862 --> 10:34.605
[SPEAKER_03]: Does he delete his sentence?

10:35.326 --> 10:37.949
[SPEAKER_00]: I was going to say just set my release date to tomorrow, isn't it?

10:38.550 --> 10:40.613
[SPEAKER_03]: That's... Not in this case.

10:40.713 --> 10:42.756
[SPEAKER_03]: Does he transfer millions of pounds?

10:43.057 --> 10:43.377
[SPEAKER_03]: No.

10:43.812 --> 10:50.818
[SPEAKER_03]: Priority number one is to grant his buddies inside the prison access to porn.

10:51.490 --> 11:03.470
[SPEAKER_03]: Yes, ladies and gentlemen, this man hacked into a government system, a law enforcement system, risked additional years on his sentence, so his cellmates could watch some adult content.

11:03.490 --> 11:04.872
[SPEAKER_03]: But then he started doing other things.

11:05.493 --> 11:09.240
[SPEAKER_03]: He started to meddle with the other prisoners' financial accounts.

11:09.800 --> 11:16.772
[SPEAKER_03]: He started off by just adding zeros to the end of numbers, so imagine, Graham,

11:16.752 --> 11:18.276
[SPEAKER_03]: Let's make it $1,000.

11:18.516 --> 11:32.348
[SPEAKER_03]: At one point, he got a little bit carried away with himself and he added the equivalent of 853,000 pounds, that's over $1 million, to his prison account.

11:32.328 --> 11:37.879
[SPEAKER_00]: Let's make sure we fly under the radar whilst we go straight to multimillionaires in prison.

11:37.899 --> 11:38.780
[SPEAKER_03]: It's bonkers, isn't it?

11:39.101 --> 11:40.424
[SPEAKER_03]: It's like upgrading yourself.

11:40.444 --> 11:42.949
[SPEAKER_03]: It's like, well, I'm not very happy with this bucket they've given me.

11:43.349 --> 11:46.255
[SPEAKER_03]: So what I'm going to have, I'm going to have a gold-plated toilet.

11:46.315 --> 11:46.936
[SPEAKER_03]: Gold toilet.

11:47.297 --> 11:48.980
[SPEAKER_03]: Yes, and hope that nobody notices.

11:49.281 --> 11:53.409
[SPEAKER_03]: Frankly, there are some people who should be in prison who do have gold-plated toilets.

11:53.890 --> 11:55.112
[SPEAKER_03]: You can't.

11:55.092 --> 12:02.703
[SPEAKER_03]: Anyway, this guy obviously thinks twice, because he switches it back from 850,000 pounds to 853 pounds instead.

12:02.923 --> 12:06.969
[SPEAKER_03]: Still, a lot of money for someone to have access to in prison.

12:06.989 --> 12:08.431
[SPEAKER_03]: You must be able to get a lot of goodies with that.

12:08.952 --> 12:11.816
[SPEAKER_03]: A lot of goodies, a lot of things from the workshop I would expect.

12:11.916 --> 12:20.188
[SPEAKER_03]: And this guy is spending something like four times the minimum wage in Romania every month.

12:20.168 --> 12:22.794
[SPEAKER_03]: I mean, what are you buying in prison that costs that much?

12:23.115 --> 12:25.060
[SPEAKER_03]: It's not like you're going to pay for your lodging, is it?

12:25.701 --> 12:26.002
[SPEAKER_03]: What is it?

12:26.022 --> 12:28.448
[SPEAKER_03]: Is it sort of soft-quilted loo paper?

12:28.488 --> 12:30.492
[SPEAKER_03]: Is it artisan sourdough bread?

12:30.974 --> 12:32.457
[SPEAKER_03]: Ribeye steak dinner.

12:32.707 --> 12:43.037
[SPEAKER_03]: Right, yeah, everyone else has just got a bit of sandwich bread and water and gruel, and there you are, yes, we've got a T-bone steak.

12:43.757 --> 12:58.491
[SPEAKER_03]: It's bonkers. Now, the prison union have chipped in about this, because this has all now become public, of course. They are far from impressed about all of this, and they say that this guy spent over 300 hours logged in as an admin. 300 hours.

12:58.531 --> 13:02.595
[SPEAKER_03]: That's like two weeks of full-time hacking

13:02.575 --> 13:04.057
[SPEAKER_03]: and nobody noticed.

13:04.077 --> 13:05.820
[SPEAKER_03]: You have to wonder what the IT guys were doing.

13:06.481 --> 13:24.010
[SPEAKER_03]: And there are even reports, and again it's confusing due to Google Translate, and some people in Romania say it's true and other people say no, that definitely didn't happen, so it's a garbled message, but there are reports that he was even able to change the length of fellow prisoners' sentences.

13:23.990 --> 13:27.274
[SPEAKER_03]: And apparently around 15 prisoners benefited from the hack.

13:27.294 --> 13:31.118
[SPEAKER_03]: The way in which they did that was apparently you could earn.

13:31.138 --> 13:36.744
[SPEAKER_03]: I think through good behaviour and things you could, you could earn sort of gratis days.

13:36.764 --> 13:41.910
[SPEAKER_03]: That's like, well, we'll take one day off your sentence because you've been so good, because you've worked so hard.

13:42.270 --> 13:44.593
[SPEAKER_03]: And so as a result, you are going to be awarded that.

13:44.873 --> 13:47.736
[SPEAKER_03]: And so he was giving these credits to other people.

13:48.188 --> 13:49.230
[SPEAKER_01]: How do they?

13:50.512 --> 14:02.851
[SPEAKER_00]: Because you could kind of understand, you know, the access to porn thing or the number of hours as an admin, but I'm surprised that the accountants, like, surely prisons, government departments, have lots of bean counters, don't they?

14:02.891 --> 14:06.156
[SPEAKER_00]: I'm surprised that the money thing wasn't the telltale thing here.

14:06.196 --> 14:12.306
[SPEAKER_03]: Well, this eventually was the way in which, apparently, they were

14:12.286 --> 14:29.741
[SPEAKER_03]: Apparently it was the bean counters: a prison accountant apparently noticed that inmates were making purchases, but their account balances weren't changing, because what would normally happen is they would buy something, and then their account would be topped up again automatically, as though no money had left their account.

14:30.182 --> 14:42.192
[SPEAKER_03]: So someone was sitting there and they'd say, hang on a minute, Fred's just bought 40 packets of Lambert & Butler King Size, but he's still got the same amount of money, how's this

14:42.172 --> 14:59.603
[SPEAKER_03]: And the prisoners were so keen on this system, though, while it was working, that they were apparently even planning to clone the entire system and sell it on the black market, because apparently there is demand for prison management software, slightly used.

14:59.623 --> 15:04.973
[SPEAKER_03]: You can imagine that people outside the prison might think, well, if we could access that portal,

15:04.953 --> 15:16.293
[SPEAKER_03]: If we could hack into it and change things, then we could potentially make ourselves money or help our buddies who are in the prison through that system. So that system must have been used somewhere else, right?

15:16.674 --> 15:19.619
[SPEAKER_00]: Unless it was, you know, super, kind of specific.

15:19.860 --> 15:20.160
[SPEAKER_03]: Anyway.

15:20.140 --> 15:27.048
[SPEAKER_03]: A fellow inmate apparently eventually grassed up the hack to the prison authorities, but the authorities didn't do anything for a few weeks.

15:27.428 --> 15:35.337
[SPEAKER_03]: They say now that they've implemented over 20 security measures. 20? Number one should have been: change the ruddy password.

15:35.498 --> 15:42.225
[SPEAKER_03]: I'll tell you, all right, yeah, well, one thing they did do, and it's a really simple and effective immediate solution.

15:42.425 --> 15:45.509
[SPEAKER_03]: They simply removed all the keyboards from the web kiosks.

15:45.569 --> 15:47.631
[SPEAKER_01]: It's like, okay, touch screen only for you.

15:47.812 --> 15:49.033
[SPEAKER_01]: Yes.

15:49.013 --> 16:16.843
[SPEAKER_03]: You can't Control-Alt-Delete anymore.

16:16.823 --> 16:20.510
[SPEAKER_03]: It's a vibe nearly a decade in prison, probably how the hell downcunder was.

16:20.890 --> 16:24.036
[SPEAKER_03]: Yeah, exactly, why did he do that?

16:24.457 --> 16:28.865
[SPEAKER_03]: He said, I'm going to risk everything just to give my buddies access to OnlyFans.

16:29.206 --> 16:31.069
[SPEAKER_03]: This is crazy!

16:31.353 --> 16:32.814
[SPEAKER_03]: Anyway, astonishing story.

16:32.834 --> 16:39.941
[SPEAKER_03]: So next time you hear about insider threats, I think maybe also think about the people who are already inside the prison.

16:39.961 --> 16:41.402
[SPEAKER_00]: Quite literally an insider threat.

16:41.562 --> 16:41.822
[SPEAKER_00]: Yeah.

16:42.062 --> 16:45.425
[SPEAKER_03]: For us computer programmers out there.

16:45.545 --> 16:49.169
[SPEAKER_03]: Maybe we'll actually be able to survive if we do ever end up on the inside.

16:49.469 --> 16:50.970
[SPEAKER_03]: I don't think we do very well, Graham.

16:52.211 --> 16:53.693
[SPEAKER_01]: That's to say.

16:53.933 --> 16:55.254
[SPEAKER_01]: I know a little bit about programming.

16:55.494 --> 16:56.395
[SPEAKER_01]: Please don't beat me up.

16:56.595 --> 16:59.858
[SPEAKER_01]: I can write some JavaScript for you.

17:02.268 --> 17:04.792
[SPEAKER_03]: Quick word about one of our sponsors today, Vanta.

17:04.972 --> 17:05.853
[SPEAKER_03]: Now I know what you're thinking.

17:06.134 --> 17:12.383
[SPEAKER_03]: Oh good, another bit of software promising to make my security easier, but honestly, Vanta's actually pretty handy.

17:12.523 --> 17:13.164
[SPEAKER_03]: Here's the deal.

17:13.745 --> 17:24.080
[SPEAKER_03]: If you're spending half your week chasing down evidence for an audit, or updating a spreadsheet, or trying to prove that, yes, you do take security seriously, Vanta automates all of that.

17:24.701 --> 17:32.072
[SPEAKER_03]: It pulls everything together, keeps an eye on your systems, and basically

17:32.052 --> 17:38.305
[SPEAKER_03]: No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload six months ago.

17:38.967 --> 17:47.665
[SPEAKER_03]: It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess.

17:48.083 --> 18:00.282
[SPEAKER_03]: So, if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they know that you heard about them on this show.

18:00.703 --> 18:04.669
[SPEAKER_03]: And if you use that link, you'll get a thousand dollars off, which is nice as well, isn't it?

18:05.270 --> 18:10.118
[SPEAKER_03]: So, thanks to Vanta for sponsoring this week's episode, and let's crack on with the show.

18:13.083 --> 18:15.947
[SPEAKER_03]: Scott, what are you going to talk to us about today?

18:16.366 --> 18:22.900
[SPEAKER_00]: Well, it doesn't kind of stack up as fun as, literally, an insider threat inside prisons, but.

18:23.234 --> 18:31.566
[SPEAKER_00]: It is a compliance-related topic. I spent all week last week actually in Amsterdam at an event specifically on the payment card industry.

18:31.667 --> 18:31.987
[SPEAKER_00]: Oh, yes.

18:32.348 --> 18:40.660
[SPEAKER_00]: So we have this huge body, you know, kind of like Visa, Mastercard, Amex, JCB, all the card issuers and the payment card industry come together in the Security Standards Council.

18:40.760 --> 18:42.242
[SPEAKER_03]: Hang on, JCB.

18:42.443 --> 18:42.783
[SPEAKER_00]: Yes.

18:42.803 --> 18:43.524
[SPEAKER_00]: Card issuers.

18:44.005 --> 18:47.470
[SPEAKER_03]: I know, the people with the steamrollers

18:47.922 --> 18:50.025
[SPEAKER_03]: forklift trucks and whatever they're called.

18:50.405 --> 18:51.046
[SPEAKER_00]: It's not the same.

18:51.627 --> 18:54.991
[SPEAKER_00]: It's not a big yellow card that can crush all of the other cards.

18:55.552 --> 18:58.996
[SPEAKER_03]: Uh, so you're not going to tell me that Tonka toys are really a big payment service.

18:59.216 --> 19:01.159
[SPEAKER_00]: No, sadly not.

19:01.179 --> 19:02.200
[SPEAKER_03]: Sorry, carry on, carry on.

19:02.641 --> 19:10.150
[SPEAKER_00]: Yes, so the Security Standards Council is this gathering of all the card issuers, and they produce something called the DSS, which is the Data Security Standard.

19:10.130 --> 19:23.638
[SPEAKER_00]: And these big card issuers are like, hey, look, it really sucks when somebody steals loads of credit card data, because then we have to do an investigation and reissue the cards, and that's surprisingly expensive, and then they have to cover things like fraudulent transactions as well.

19:23.678 --> 19:29.771
[SPEAKER_00]: So if the attacker goes on a bit of a spending spree with a thousand credit cards, American Express are generally not happy about that.

19:29.951 --> 19:30.332
[SPEAKER_00]: No.

19:30.312 --> 19:32.094
[SPEAKER_00]: No, that won't do nicely.

19:32.114 --> 19:32.554
[SPEAKER_00]: Yes.

19:32.855 --> 19:34.757
[SPEAKER_00]: And it gets to be quite expensive quite quickly.

19:34.817 --> 19:37.900
[SPEAKER_00]: So over the years, the DSS has had several major updates.

19:37.920 --> 19:41.724
[SPEAKER_00]: And obviously, like anything, it's always responsive to threats happening.

19:41.764 --> 19:44.046
[SPEAKER_00]: You know, like a new threat emerges and it becomes popular.

19:44.387 --> 19:47.350
[SPEAKER_00]: And then the industry kind of responds and brings out a new standard.

19:47.750 --> 19:52.455
[SPEAKER_00]: And this one was all about taking control of JavaScript on web pages.

19:52.635 --> 19:53.036
[SPEAKER_00]: Right.

19:53.196 --> 19:59.222
[SPEAKER_00]: So I'm sure you and many of the listeners will have heard about things like cross-site

19:59.202 --> 20:02.527
[SPEAKER_00]: you end up with this malicious JavaScript in your web page somehow.

20:03.088 --> 20:05.792
[SPEAKER_00]: And it doesn't really matter how, what matters is that it got there.

20:06.133 --> 20:17.591
[SPEAKER_00]: And then once an attacker can get that JavaScript on the page, the big thing for us then is really, how good are they at writing JavaScript, which is even easier nowadays with all the LLMs to help you, and then how good is your imagination?

20:17.911 --> 20:20.856
[SPEAKER_00]: Because if you want to write code to do something,

20:20.836 --> 20:24.341
[SPEAKER_00]: Your imagination is actually the kind of the first step, is like, what do I want to do?

20:24.361 --> 20:28.308
[SPEAKER_03]: Yes, there've been some pretty nasty things which have happened in the past, haven't there?

20:28.328 --> 20:35.980
[SPEAKER_03]: For instance, there've been a number of breaches where, when you reach a website's checkout page, that page where you enter your credit card information.

20:36.040 --> 20:45.274
[SPEAKER_03]: If there's some malicious JavaScript there, it could actually scoop up your payment card details as you enter them onto the website and send them to the hackers.

20:45.254 --> 21:00.613
[SPEAKER_00]: So this is the number one thing that the council were most concerned with, because if you cast your mind back, it's quite a few years now, and what you'll notice is those kinds of attacks don't really appear in the news anymore, but if we roll back a few years in our minds

21:00.593 --> 21:04.738
[SPEAKER_00]: you'll have, like, the British Airways one, for us lot in the UK, was probably the most notable one.

21:04.778 --> 21:12.508
[SPEAKER_00]: British Airways, huge airline, ended up with malicious JavaScript on their page, and as you said, customers are sat there punching in their credit card details.

21:12.808 --> 21:20.378
[SPEAKER_00]: And you have to remember when you're doing that, you're typing in the full card number, the security code, the expiration date, your name, your address, your postcode.

21:20.818 --> 21:26.365
[SPEAKER_00]: And the JavaScript is just sat there watching you press those keys on the keyboard and sending a copy of the keys off to the attacker.

21:26.345 --> 21:43.662
[SPEAKER_00]: So the transaction still goes through and you buy your tickets to France, and the attackers now also have a full copy of your card data. So they would sit there quietly for several months just scooping up all this data, and then once they think, right, we've got enough card numbers now, that's when the big spending spree starts, and that's.

21:43.642 --> 21:53.428
[SPEAKER_00]: Weirdly, like, that's the first time that anybody sees the attack has happened, because, you know, thousands and thousands, like tens of thousands of Visa customers will all start reporting fraudulent transactions.

21:53.949 --> 21:58.461
[SPEAKER_00]: And then tens of thousands of Amex customers will all start reporting fraudulent transactions.

21:58.542 --> 22:04.629
[SPEAKER_03]: Because it's not as though the hackers have broken into the British Airways IT infrastructure.

22:04.649 --> 22:06.691
[SPEAKER_03]: They haven't necessarily broken into their network.

22:06.911 --> 22:12.037
[SPEAKER_03]: They've somehow managed to sneak onto a British Airways web page, yes.

22:12.057 --> 22:21.968
[SPEAKER_03]: A little bit of script, which could have been planted inside some innocent piece of script which BA uses for, I don't know, a cookie consent form.

22:21.948 --> 22:27.114
[SPEAKER_00]: The irony of something being put there to protect you and then potentially being the thing that harms you.

22:27.214 --> 22:27.475
[SPEAKER_00]: Yes.

22:27.815 --> 22:29.137
[SPEAKER_00]: But yeah, you're exactly correct.

22:29.157 --> 22:35.584
[SPEAKER_00]: This is ultimately how, and for people that follow the news as well, Ticketmaster was another very notable one around about the same time.

22:36.365 --> 22:39.950
[SPEAKER_00]: And the problem with, you know, these is they sit there quietly, silently.

22:39.990 --> 22:44.395
[SPEAKER_00]: They scoop and gather all this data and monitor for as long as they can basically.

22:44.375 --> 22:53.127
[SPEAKER_00]: And either when they think, oh, we might get caught, or, you know, somebody's kind of rummaging around, or maybe they just look and think, gee, we've got enough credit cards to go on a huge spending spree.

22:53.548 --> 22:59.236
[SPEAKER_00]: So all of these cards start getting hit with the fraudulent transactions, and then they do a forensic investigation.

22:59.296 --> 23:05.765
[SPEAKER_00]: I've been involved with some of these historically, and they run something called a CPP report, which is a common point of purchase report.

23:06.206 --> 23:10.011
[SPEAKER_00]: So if you have thousands of customers suddenly reporting fraudulent transactions,

23:09.991 --> 23:14.880
[SPEAKER_00]: you look at those thousands of credit cards and say, where is the one place they've all shopped in the last six months?

23:15.261 --> 23:15.501
[SPEAKER_03]: Right.

23:15.662 --> 23:22.214
[SPEAKER_00]: And then there's always one thing that pops onto that list and it's like, this is the only place that they've been all shopping together in the last six months.

23:22.715 --> 23:27.544
[SPEAKER_00]: And usually, you can be pretty confident at that point that you have identified the source of the breach.

23:27.524 --> 23:28.165
[SPEAKER_00]: Yep.

23:28.185 --> 23:30.490
[SPEAKER_00]: Now, you know, BA, Ticketmaster, Newegg.

23:30.991 --> 23:36.223
[SPEAKER_00]: All of these huge, big companies have been fined huge amounts, first of all from the data regulator.

23:36.503 --> 23:41.354
[SPEAKER_00]: So like the ICO here in the UK, because you've lost my name and my address and my personal data.

23:41.734 --> 23:43.879
[SPEAKER_00]: So you get a fine for the data breach.

23:43.859 --> 23:57.678
[SPEAKER_00]: And then you get fined by the card issuers, because Visa have to now reprint and physically reissue tens of thousands of cards, and then refund all of these fraudulent transactions, and they had to do the forensic investigation, which costs huge amounts of money.

23:58.099 --> 24:10.356
[SPEAKER_00]: So then they get fined by Visa and Mastercard and American Express, and then the American data regulator steps in and they're like, hang on, you've lost tens of thousands of American citizens' data, so here is your fine for the data protection breach.

24:10.336 --> 24:16.808
[SPEAKER_00]: Now, British Airways got really lucky, actually, because if you remember the timeline, it was just before COVID when this happened.

24:17.229 --> 24:20.395
[SPEAKER_00]: The ICO actually fined them 180 million pounds.

24:20.816 --> 24:20.936
[SPEAKER_00]: Wow.

24:21.337 --> 24:26.928
[SPEAKER_00]: But then, British Airways went back when COVID had hit and was like, this is basically going to end us.

24:27.308 --> 24:29.513
[SPEAKER_00]: Is there anything we can do about the size of the fine?

24:29.893 --> 24:33.340
[SPEAKER_00]: And if memory serves me correctly, I think they paid 18 million in the end as the fine.

24:33.320 --> 24:36.490
[SPEAKER_00]: So, you know, this is huge amounts of money.

24:36.530 --> 24:48.004
[SPEAKER_00]: Now, when was the last time you heard a story just like that, where somebody had managed to install a JavaScript skimmer and scoop, you know, thousands or tens of thousands of sets of credit card data?

24:48.254 --> 24:53.443
[SPEAKER_03]: I think you're right, I don't think I remember Magecart was the one we kept on hearing about, wasn't it?

24:53.523 --> 24:55.828
[SPEAKER_03]: Correct, that is the name of the collective, yes.

24:55.928 --> 25:02.740
[SPEAKER_03]: Yeah, that was the one which it seemed to be causing all the trouble, but yeah, I haven't heard one of those type of data breach stories for quite a while.

25:02.800 --> 25:05.505
[SPEAKER_00]: They probably started making huge headlines in kind of like 2015.

25:06.427 --> 25:11.055
[SPEAKER_00]: And by 2018, 2019, I think the term Magecart was like mainstream.

25:11.035 --> 25:21.030
[SPEAKER_00]: Everybody knows who these people, you know, group, whoever you refer to them are because they were just decimating enormous companies, resulting in enormous fines.

25:21.570 --> 25:24.915
[SPEAKER_00]: And, you know, I think the card industry is like, enough is enough.

25:24.975 --> 25:28.080
[SPEAKER_00]: This is getting super ridiculous, super expensive.

25:28.420 --> 25:33.668
[SPEAKER_00]: And these rules around controlling what JavaScript you have on your site

25:33.648 --> 25:34.790
[SPEAKER_00]: started to come into play.

25:35.130 --> 25:40.859
[SPEAKER_00]: So it was two years ago when the requirements were first introduced as kind of optional. Since March this year,

25:40.920 --> 25:42.242
[SPEAKER_00]: they were mandatory.

25:42.262 --> 25:44.225
[SPEAKER_00]: You must comply with them since March this year.

25:44.245 --> 25:46.749
[SPEAKER_00]: So they gave it really kind of like a two-year runway to say, look,

25:47.210 --> 25:47.730
[SPEAKER_00]: They're coming.

25:47.891 --> 25:50.635
[SPEAKER_00]: You probably should get ahead of this, you know, ahead of time.

25:50.935 --> 25:53.800
[SPEAKER_00]: But by March 2025, everybody must comply.

25:53.780 --> 25:57.204
[SPEAKER_03]: So without getting too nerdy, what are the rules?

25:57.304 --> 26:01.089
[SPEAKER_03]: Is it a rule about what types of JavaScript you can put on the page?

26:01.149 --> 26:06.736
[SPEAKER_03]: Or is it a simple, you can't have any external JavaScript or how does it work?

26:06.896 --> 26:07.617
[SPEAKER_00]: Yes, it was.

26:07.717 --> 26:12.082
[SPEAKER_00]: Number one, you had to be able to inventory all of the JavaScript you're using.

26:12.603 --> 26:12.823
[SPEAKER_00]: Okay.

26:12.863 --> 26:15.366
[SPEAKER_00]: And this sounds like a crazy thing to say.

26:15.346 --> 26:36.657
[SPEAKER_00]: But then when you think about it, most organizations don't really know exactly what JavaScript they have running on their website. It's because there's multiple people that can add it, and then we have tools like Google Tag Manager, so the marketing or the advertising team can inject different script tags, maybe for monitoring or tracking or loading adverts, and it's a very dynamic, fluid environment on the website.

26:37.037 --> 26:37.438
[SPEAKER_03]: Yes.

26:37.418 --> 26:42.985
[SPEAKER_00]: If you wanted a developer to make a code change, that person would have to submit a change request.

26:43.005 --> 26:44.688
[SPEAKER_00]: The pull request would be reviewed.

26:44.708 --> 26:45.989
[SPEAKER_00]: It would go through a test suite.

26:46.009 --> 26:50.115
[SPEAKER_00]: It would be checked over before it even thought about touching the website.

26:50.375 --> 26:53.159
[SPEAKER_00]: But actually, on the front end, it's just like, YOLO.

26:53.179 --> 26:54.661
[SPEAKER_00]: Here's some JavaScript into production.

26:55.262 --> 26:59.267
[SPEAKER_00]: It's, there's almost no equivalent kind of standard of checking.

26:59.407 --> 27:02.531
[SPEAKER_00]: So the first one is that you have to be able to inventory it.

27:02.772 --> 27:06.717
[SPEAKER_00]: When you get audited, because if you're a merchant, you get audited once per year.

27:06.697 --> 27:15.995
[SPEAKER_00]: They will say, okay, what JavaScript do you have there? And the other thing is you have to provide a written technical or business justification as to why it is there.

27:16.376 --> 27:16.476
[SPEAKER_00]: Okay.

27:16.496 --> 27:19.061
[SPEAKER_00]: So basically you have to say what it is and why do you have it?

27:19.502 --> 27:25.995
[SPEAKER_00]: And the idea was then you can remove stuff that you don't need anymore, because you would look at that and say, oh, the chatbot? Well, we don't use the chatbot anymore.

27:26.015 --> 27:27.658
[SPEAKER_00]: So maybe we'll just delete this.

27:27.638 --> 27:32.663
[SPEAKER_00]: And this was one of the first things: just keep the inventory, just know what is there, and why is this there?

27:33.384 --> 27:37.148
[SPEAKER_00]: The second one then comes on to, obviously, now we have the inventory, we understand what's there.

27:37.288 --> 27:42.854
[SPEAKER_00]: You have to introduce a method to make sure that only the stuff is there that you think is there.

27:43.354 --> 27:50.181
[SPEAKER_00]: So again, if you do your inventory and you're like, hang on a minute, we've got all these extra bits of JavaScript and nobody can tell me what they do or where they came from.

27:50.642 --> 27:56.768
[SPEAKER_00]: You have to have a method in place to make sure that that can't happen, that you can't have

27:56.748 --> 28:02.015
[SPEAKER_00]: Now, with compliance standards like this, they'll never say, this is the technical way that I want you to do it.

28:02.236 --> 28:03.598
[SPEAKER_00]: What they'll say is, here is the objective.

28:03.718 --> 28:05.200
[SPEAKER_00]: This is what I would like the outcome to be.

28:05.681 --> 28:07.583
[SPEAKER_00]: The technical implementation is free.

28:07.603 --> 28:09.546
[SPEAKER_00]: So you can go about this anyway that you like.

28:09.646 --> 28:13.972
[SPEAKER_00]: You can build it yourself or buy a product or use one of the many different technical approaches.

28:14.473 --> 28:16.335
[SPEAKER_00]: We would just like this to be the end result.

28:16.616 --> 28:21.743
[SPEAKER_00]: Because of course, they don't want to lock you into one approach or one vendor or one technology.

28:21.723 --> 28:25.207
[SPEAKER_00]: Compliance standards like this are generally quite open in their description.

28:25.527 --> 28:29.972
[SPEAKER_00]: They do give some examples just to help guide you if you're struggling to follow on a little bit.

28:29.992 --> 28:33.176
[SPEAKER_00]: But yeah, generally they specify the preferred outcome, not how you do it.

28:33.496 --> 28:44.608
[SPEAKER_00]: So content security policies are, of course, one of the examples that they give, but you can also get a little JavaScript agent that you install in the page that guards and protects you against all of the other JavaScript.

28:44.588 --> 28:55.339
[SPEAKER_00]: Or you can have an external crawler. They will crawl your website and look at all of your JavaScript and say, okay, well, you know, yesterday we went to your website, you had these four things, and today you have these five. What's going on? What changed?

28:55.359 --> 28:55.640
[SPEAKER_00]: Yeah.

28:56.140 --> 29:04.909
[SPEAKER_00]: Really, for me, it's about introducing some of the standards that we would have if a developer wanted to write code and commit that to a production application.

29:05.330 --> 29:12.317
[SPEAKER_00]: Just introducing some of those ideas and concepts into the JavaScript on the front end, because that is a little bit wild.

29:12.297 --> 29:23.075
[SPEAKER_00]: And honestly, working in this industry for as many years as I have now, and I think it's fair to say, as you kind of pointed out, looking at the news headlines, how frequently do these kinds of attacks happen?

29:23.456 --> 29:33.833
[SPEAKER_00]: I do feel like we are seeing a decline over time in these types of attack, and not just specifically stealing credit card data, but in other kind of similarly related areas as well.

29:33.813 --> 29:49.105
[SPEAKER_03]: Yeah, it sounds like this is actually a good news story, what you're reporting to us. For once the industry got together, it's imposed some standards, people have actually put them into place, and we are seeing the results. Because, okay, our headlines are full of ransomware and

29:49.085 --> 29:50.947
[SPEAKER_03]: other ghastly guests, which is going on.

29:51.127 --> 29:53.550
[SPEAKER_03]: But at least it isn't this particular thing.

29:53.830 --> 29:58.875
[SPEAKER_03]: And the impact, of course, of these kinds of attacks wasn't just on the businesses.

29:59.095 --> 30:04.061
[SPEAKER_03]: It was on consumers as well, because it was their payment card details, which were being stolen.

30:04.081 --> 30:12.309
[SPEAKER_03]: So obviously there was damage done to brands, which, frankly, with ransomware these days, it's normally the enterprise, which is getting hit rather than the end users.

30:12.369 --> 30:15.953
[SPEAKER_03]: But back in those days, it was both sides of the fence, wasn't it?

30:16.169 --> 30:24.061
[SPEAKER_00]: And I feel like it's important to point out the consumer impact for me, and I'm sure if I think back to the few interviews I've done before here as well.

30:24.282 --> 30:26.906
[SPEAKER_00]: You know, my focus is on the consumer side of things.

30:27.006 --> 30:37.182
[SPEAKER_00]: It's great to put these organizations, and yes, these standards are compelling the organizations to do it, but it is the consumer that is the true victim, at a minimum of all the inconvenience.

30:37.162 --> 30:42.132
[SPEAKER_00]: And many people will say to you, well, the credit, you know, if you're using a credit card, you're insured, you get the money back.

30:42.433 --> 30:47.403
[SPEAKER_00]: And I'm like, yes, you do, but you've clearly never been through that process, because you just made it sound really easy.

30:48.185 --> 30:50.530
[SPEAKER_00]: It's, it's, it's honestly a nightmare.

30:50.770 --> 30:52.233
[SPEAKER_00]: It's so much hassle, isn't it?

30:52.574 --> 30:54.057
[SPEAKER_00]: It's so inconvenient.

30:54.037 --> 31:11.488
[SPEAKER_00]: It's terrible and it's stressful, and yeah, then you have to go update your credit card in a million different places because you've got a whole new set of credit card details. And it's just an unpleasant experience, and also, on top of everything else, it's just a feeling of having been the victim of something, because this has happened to me as well, you know, really.

31:11.468 --> 31:18.742
[SPEAKER_00]: I don't know, like it gave me this weird feeling of like anger or annoyance, then stupidity for myself, I was like, should I, you know, could I have done something about this?

31:18.822 --> 31:19.043
[SPEAKER_00]: Yeah.

31:19.103 --> 31:23.532
[SPEAKER_00]: So I think there is a large impact on the consumer, who is ultimately the kind of end victim of this.

31:24.113 --> 31:26.257
[SPEAKER_00]: And I feel like that's also worth addressing.

31:26.297 --> 31:31.367
[SPEAKER_00]: Yes, you know, the companies are interested in protecting their brand and the loss of revenue from the fines and

31:31.347 --> 31:32.851
[SPEAKER_00]: All of this kind of stuff, right?

31:32.891 --> 31:37.263
[SPEAKER_00]: But unfortunately, that's how you motivate companies, is to hit them in their wallet.

31:37.764 --> 31:41.555
[SPEAKER_00]: But yeah, for me, the end goal is protecting the consumer at the keyboard.

31:42.196 --> 31:42.437
[SPEAKER_03]: Sounds good.

31:49.927 --> 31:53.014
[SPEAKER_03]: This episode of Smashing Security is supported by Anon.

31:53.755 --> 32:07.665
[SPEAKER_03]: You know that feeling when you google yourself and find, well, more than you'd like: old forum posts, data broker listings, photos you've forgotten about, maybe even some dodgy things you now regret. Well, that's your life on the internet.

32:07.763 --> 32:10.528
[SPEAKER_03]: And that's where today's sponsor Anon comes in.

32:10.989 --> 32:17.199
[SPEAKER_03]: Think of it as your personal privacy cleanup crew, powered by AI that actually does something useful for once.

32:17.760 --> 32:18.562
[SPEAKER_03]: Here's how it works.

32:18.942 --> 32:20.385
[SPEAKER_03]: Anon scans the web.

32:20.425 --> 32:25.854
[SPEAKER_03]: Yes, including the dark corners you don't want to think about, and it finds all the data tied to you.

32:26.215 --> 32:27.137
[SPEAKER_03]: But here's the clever bit.

32:27.417 --> 32:31.965
[SPEAKER_03]: It doesn't just show you a complete horror show of your digital past and wish you luck.

32:31.945 --> 32:43.037
[SPEAKER_03]: It actually identifies which links might contain sensitive information and with one button press, fires off removal requests to get them delisted from search results.

32:43.437 --> 32:49.484
[SPEAKER_03]: Plus it keeps monitoring for new data breaches and alerts you if your information turns up somewhere it shouldn't.

32:49.744 --> 32:55.911
[SPEAKER_03]: It's like having a security researcher working for you 24-7 and you don't need to keep it fed with pizza and coffee.

32:55.891 --> 33:08.309
[SPEAKER_03]: To take back some control, head to becomeanon.com and use promo code SMASHING for 25% off. That's becomeanon.com.

33:08.990 --> 33:13.877
[SPEAKER_03]: Find, monitor and remove your data online with ease, because your privacy matters.

33:14.417 --> 33:23.991
[SPEAKER_03]: And thanks to Anon for supporting the show.

33:28.730 --> 33:46.018
[SPEAKER_03]: Pick of the week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Well, my pick of the week this week is not security related. My pick of the week is my new favorite program.

33:46.559 --> 33:48.122
[SPEAKER_03]: It is not a TV program.

33:48.242 --> 33:50.045
[SPEAKER_03]: This is a computer program.

33:50.065 --> 33:55.193
[SPEAKER_03]: Oh, that's where you were going with that, and then I was loading up Netflix, getting ready, groom.

33:55.173 --> 34:03.809
[SPEAKER_03]: This is my favorite program on my Mac, which I have, so I'm using a program called Keyboard Maestro.

34:04.630 --> 34:05.592
[SPEAKER_03]: I love it.

34:05.652 --> 34:06.173
[SPEAKER_03]: I love it.

34:06.233 --> 34:07.255
[SPEAKER_03]: Yes, Maestro.

34:08.056 --> 34:18.295
[SPEAKER_03]: And it is for automating virtually anything. Keyboard Maestro is a really powerful utility that lets you automate repetitive tasks.

34:18.275 --> 34:26.713
[SPEAKER_03]: You can build custom workflows and if-then analysis, and you don't have to get into the weeds of writing code, but it's very, very flexible.

34:26.753 --> 34:33.928
[SPEAKER_03]: So I can set up a macro to trigger when I press a specific key combination and then get it to do things.

34:34.409 --> 34:34.950
[SPEAKER_03]: Okay.

34:34.930 --> 34:41.036
[SPEAKER_03]: It may trigger when I launch a particular app or connect to a certain Wi-Fi network or even at a scheduled time.

34:41.377 --> 34:45.781
[SPEAKER_03]: So, for instance, I was using a particular app, and I didn't like the way that it was set up.

34:45.841 --> 34:55.791
[SPEAKER_03]: I'd go into a particular part of the app, and it always had a default kind of view, and I couldn't change the default view, and I'd have to go into the menus and say, well, I want that there, and I want this here, and I want that there.

34:56.151 --> 34:58.133
[SPEAKER_03]: So, I had to go into the menus, oh, it's such a pain.

34:58.334 --> 35:01.697
[SPEAKER_03]: And so, I was able to write a macro that didn't just

35:01.677 --> 35:05.181
[SPEAKER_03]: I mean, I could have written one which just worked on a key press when I went into the app.

35:05.302 --> 35:12.831
[SPEAKER_03]: But in fact, what I did was I ended up writing one which detected when I went into that particular dialog on that particular app.

35:14.173 --> 35:18.118
[SPEAKER_03]: And automatically hits that sequence of menu commands for me.

35:18.538 --> 35:21.642
[SPEAKER_03]: And it happens in an instant, so it appears just as I want it.

35:22.083 --> 35:27.250
[SPEAKER_03]: Or sometimes I don't know about you, Scott, sometimes I leave my VPN on when I don't want it on.

35:28.431 --> 35:28.972
[SPEAKER_01]: Right?

35:28.992 --> 35:30.013
[SPEAKER_03]: I do do that.

35:29.993 --> 35:32.641
[SPEAKER_03]: Yeah, and then I think, oh, why can't I access this or whatever?

35:32.781 --> 35:34.004
[SPEAKER_03]: Oh, my bloody VPN's on.

35:34.205 --> 35:41.646
[SPEAKER_03]: And so what I've done now is I've written a macro that turns the wallpaper on my computer red when I'm connected to the VPN.

35:42.769 --> 35:45.437
[SPEAKER_03]: Oh, I mean, when I'm not connected to the VPN.

35:45.417 --> 35:49.861
[SPEAKER_03]: So it polls this automatically. All the time it's saying, is the VPN on?

35:49.881 --> 35:50.602
[SPEAKER_03]: Is the VPN on?

35:50.782 --> 35:52.083
[SPEAKER_03]: Is the VPN on?

35:52.103 --> 35:54.405
[SPEAKER_03]: And if it is on, it changes the wallpaper.

35:54.565 --> 36:00.150
[SPEAKER_03]: It's a very simple visual reminder of what's going on, but doesn't disrupt my work.

36:00.170 --> 36:01.431
[SPEAKER_03]: Or, I'll give you another example.

36:02.252 --> 36:04.134
[SPEAKER_03]: You'll tell him it's used here to have this program.

36:04.154 --> 36:15.424
[SPEAKER_03]: Sometimes when my Mac wakes up from sleep, it forgets that I like to use a particular external speaker for sound, rather than the lousy internal speaker that my

36:15.404 --> 36:23.372
[SPEAKER_03]: And so I wrote a macro that automatically detects when my Mac has woken up from sleep.

36:23.774 --> 36:26.338
[SPEAKER_03]: And it sets this sound thing automatically for me.

36:26.859 --> 36:28.922
[SPEAKER_03]: Just happens all automatically, so I don't have to remember.

36:29.263 --> 36:31.787
[SPEAKER_03]: There are dozens of other examples I could give you.

36:31.887 --> 36:34.451
[SPEAKER_03]: This is an incredibly powerful program.

36:34.872 --> 36:35.773
[SPEAKER_03]: Great utility.

36:36.154 --> 36:38.518
[SPEAKER_03]: It's called Keyboard Maestro for the Mac.

36:38.698 --> 36:40.741
[SPEAKER_03]: I know they don't have a Windows equivalent.

36:40.821 --> 36:45.890
[SPEAKER_03]: I don't know if anyone else has produced a Windows equivalent, but for the Mac, Keyboard Maestro.

36:46.471 --> 36:47.372
[SPEAKER_03]: Brilliant little tool.

36:47.552 --> 36:50.457
[SPEAKER_03]: And that is why it is my pick of the week.

36:51.922 --> 36:53.064
[SPEAKER_00]: Could you hook that?

36:53.084 --> 36:55.368
[SPEAKER_00]: Because you just said about changing your desktop.

36:55.388 --> 36:56.750
[SPEAKER_00]: There, that's a really cool idea.

36:57.832 --> 37:00.557
[SPEAKER_00]: Could you hook it into your smart ways?

37:00.877 --> 37:07.309
[SPEAKER_00]: So when you go into VPN mode, you could dip the lights or turn them red or make your screen or something.

37:07.589 --> 37:13.980
[SPEAKER_03]: If you've got an app on your computer which allows you to, then you definitely could.

37:14.500 --> 37:15.321
[SPEAKER_03]: You definitely could.

37:15.682 --> 37:16.984
[SPEAKER_03]: That would actually be really cool.

37:17.264 --> 37:19.668
[SPEAKER_03]: It's like a scripting language on steroids.

37:19.688 --> 37:20.990
[SPEAKER_03]: It's so much power.

37:21.151 --> 37:23.995
[SPEAKER_03]: I mean, I've just scraped the surface of this thing.

37:24.015 --> 37:26.539
[SPEAKER_00]: It sounds like the power may have gone to your head, Graham.

37:26.559 --> 37:27.801
[SPEAKER_03]: It has gone a little bit to my head.

37:27.901 --> 37:32.068
[SPEAKER_03]: It is a rabbit warren, which I just went into, and I fell off.

37:32.128 --> 37:38.378
[SPEAKER_03]: So, because I'm reading the forum thing, oh, the things I could do, the power, the power at my fingertips.

37:38.518 --> 37:41.423
[SPEAKER_03]: Now, it's a great distraction from doing proper work.

37:41.463 --> 37:42.364
[SPEAKER_03]: I have to tell you.

37:42.344 --> 38:02.238
[SPEAKER_00]: So I have this a lot on the command line, like I create shortcuts for repetitive commands or long commands, but then, like, sometimes you can run shell scripts and things like that. You can do all of that, it can run terminal commands. See, this would be great, and I'm definitely going to check it out, actually, because you've already tweaked a couple of ideas for me. I will check that out. I think you'd enjoy playing with it.

38:02.438 --> 38:05.263
[SPEAKER_03]: I will definitely check that out. Scott, what's your pick of the week?

38:06.425 --> 38:10.870
[SPEAKER_00]: I found out about this a couple of weeks ago, and I really started using it very, very recently.

38:10.890 --> 38:14.954
[SPEAKER_00]: So little application, it's also only on Mac, and it's called Screen Studio.

38:15.835 --> 38:23.783
[SPEAKER_00]: Now, I wanted to start making some little kind of, I guess, educational videos of using our website and our product.

38:24.223 --> 38:29.749
[SPEAKER_00]: And I, like you, Graham, I've got all the video editing software, and I've got Camtasia and Audacity.

38:29.789 --> 38:33.052
[SPEAKER_00]: You can really like spend a lot of time on the production of this stuff.

38:33.513 --> 38:33.613
[UNKNOWN]: Yeah.

38:33.796 --> 38:36.120
[SPEAKER_00]: And I was like, no, I want quick, I want easy.

38:36.220 --> 38:37.562
[SPEAKER_00]: I want effective.

38:38.363 --> 38:40.406
[SPEAKER_00]: And I can't even remember how I came across it.

38:40.426 --> 38:43.571
[SPEAKER_00]: It was probably like midnight when I was crying into my keyboard, video editing.

38:44.172 --> 38:46.175
[SPEAKER_00]: Someone has to have made like just a really simple way.

38:46.836 --> 38:54.268
[SPEAKER_00]: Not like super-duper extensive video editing, but just a quick and easy way to make a really good-looking video on how to use a website.

38:54.248 --> 38:57.734
[SPEAKER_00]: And Screen Studio is exactly that.

38:59.017 --> 39:10.317
[SPEAKER_00]: It sounds like it's simple, but it's like screen recording of using a browser, but it does, like, all of the follows-the-mouse-around, or when you click it does a little zoom and it shows you, and it makes the cursor bigger, and it's just so slick.

39:10.337 --> 39:16.729
[SPEAKER_00]: Like you can literally just go click around a website, do a voiceover with the microphone and it will produce an amazing demo video.

39:17.317 --> 39:20.424
[SPEAKER_03]: Oh, I'm watching a little video of it in action right now.

39:20.584 --> 39:22.348
[SPEAKER_03]: It does look very slick.

39:22.368 --> 39:33.351
[SPEAKER_03]: I mean, this is how you would want one of those videos teaching you how to use an app, or, exactly, what the steps are, really. This looks... and you can do it on anything.

39:33.331 --> 39:35.273
[SPEAKER_00]: I think it will grab any application window.

39:35.613 --> 39:40.038
[SPEAKER_00]: I think, last I checked, it's still only on Mac, but it will grab any application window.

39:40.078 --> 39:43.501
[SPEAKER_00]: And if you want, you can pop your camera in the corner.

39:43.521 --> 39:45.903
[SPEAKER_00]: So you can have your talking head there.

39:46.644 --> 39:52.870
[SPEAKER_00]: But for me, I was just like, we just want super easy like, how do we register login and set up our account for the first time?

39:53.471 --> 39:57.495
[SPEAKER_00]: And I can do all the screen records and take them into Camtasia and do all the edits.

39:57.515 --> 39:58.596
[SPEAKER_00]: And I was like, this is,

39:58.576 --> 40:00.279
[SPEAKER_00]: It's doing it all for you, isn't it?

40:00.299 --> 40:05.386
[SPEAKER_00]: Oh yeah, this thing was just, honestly, making the video takes about as long as recording the video.

40:05.406 --> 40:06.188
[SPEAKER_00]: That's about it.

40:06.688 --> 40:09.813
[SPEAKER_00]: And then you can control the zoom amount or the zoom delay.

40:09.833 --> 40:11.636
[SPEAKER_00]: And it's all just like simple sliders.

40:11.836 --> 40:18.066
[SPEAKER_00]: And you just whip up these beautiful, really cool looking videos with absolutely no effort.

40:18.587 --> 40:21.772
[SPEAKER_00]: And whilst, you know, Camtasia and my Audacity and everything else still has its place.

40:22.132 --> 40:26.018
[SPEAKER_00]: For these quick instructional videos that are like, you know, one, two or three minutes.

40:25.998 --> 40:28.782
[SPEAKER_00]: This thing rocks and you can punch them out so quickly.

40:30.044 --> 40:31.747
[SPEAKER_03]: I think this looks great.

40:31.907 --> 40:37.796
[SPEAKER_03]: In fact, it's the kind of thing I'd like to play with even though I'm not sure I've got a use for this.

40:39.438 --> 40:41.501
[SPEAKER_03]: Those are always the most expensive ones, aren't they?

40:41.542 --> 40:42.864
[SPEAKER_00]: Yeah, yes.

40:42.884 --> 40:43.865
[SPEAKER_00]: This just looks cool.

40:44.246 --> 40:46.349
[SPEAKER_00]: So it's called Screen Studio.

40:46.469 --> 40:47.450
[SPEAKER_00]: Yes, screen

40:47.470 --> 40:48.712
[SPEAKER_00]: dot studio is their website.

40:49.393 --> 40:52.538
[SPEAKER_03]: Oh, they actually have a dot studio domain.

40:52.558 --> 40:53.119
[SPEAKER_03]: Yeah.

40:53.757 --> 40:54.418
[SPEAKER_03]: very cool.

40:54.598 --> 40:57.121
[SPEAKER_03]: Well, that just about wraps up the show for this week.

40:57.381 --> 40:59.204
[SPEAKER_03]: Scott, thank you so much for joining us.

40:59.264 --> 41:01.727
[SPEAKER_03]: I'm sure lots of our listeners would love to find out what you're up to.

41:02.207 --> 41:04.971
[SPEAKER_03]: Find out more about your business and follow you online.

41:04.991 --> 41:06.553
[SPEAKER_03]: What's the best way for people to do that?

41:07.334 --> 41:08.916
[SPEAKER_00]: Ooh, my blog is probably the best one.

41:08.976 --> 41:10.918
[SPEAKER_00]: scotthelme.co.uk. From there,

41:11.158 --> 41:12.580
[SPEAKER_00]: I link through to all my socials.

41:12.620 --> 41:16.485
[SPEAKER_00]: So if you do have a preference on platform, you can click through to the one that you like.

41:17.106 --> 41:19.609
[SPEAKER_00]: And that also links through to my company's websites as well.

41:19.769 --> 41:23.173
[SPEAKER_00]: So that's probably the one central

41:23.255 --> 41:23.736
[SPEAKER_03]: Terrific!

41:23.856 --> 41:25.919
[SPEAKER_03]: And of course, we're on social media as well.

41:25.999 --> 41:38.296
[SPEAKER_03]: You can find me, Graham Cluley, on LinkedIn, or follow Smashing Security on Bluesky, and to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

41:38.757 --> 41:46.067
[SPEAKER_03]: For episode show notes, sponsorship info, guest lists, and the entire back catalogue of around about 440 episodes.

41:46.087 --> 41:48.470
[SPEAKER_03]: Check out smashingsecurity.com.

41:48.510 --> 41:51.895
[SPEAKER_03]: Until next time,

42:02.573 --> 42:20.363
[SPEAKER_03]: You've been listening to Smashing Security with me, Graham Cluley. Thanks so much to Scott for coming along this week, and also to this episode's sponsors, Vanta, 1Password and Anon, and of course, to all those chums who've signed up for Smashing Security Plus over on Patreon.

42:20.904 --> 42:25.932
[SPEAKER_03]: They include William Reddick, Sammy Dozer, Alexander Ughuis.

42:25.912 --> 42:27.254
[SPEAKER_03]: S. M. Y.

42:28.196 --> 42:29.098
[SPEAKER_03]: Just three initials.

42:29.619 --> 42:43.144
[SPEAKER_03]: John Boris, Rich, Travis West, Dimitri, Robert Odegard, Skadone, Lars, Ashley Woodall, Darren Kenny, Adina Bogota, Brian, Asklio, and Panda Bear.

42:43.124 --> 43:06.837
[SPEAKER_03]: All of those lovely people and many more have signed up to support Smashing Security on Patreon, and one of the things that they get is the chance to have their names read out at the end of the show every now and then. As well as that, they also get early access to episodes with none of those pesky adverts. If you would like to join them, just go to SmashingSecurity.com slash

43:06.817 --> 43:07.217
[SPEAKER_03]: Plus.

43:08.018 --> 43:13.304
[SPEAKER_03]: Of course, not everyone can support the podcast in that way, I completely understand, times can be hard.

43:13.805 --> 43:34.647
[SPEAKER_03]: So, if you do want to support the show but can't splash the cash for very understandable reasons, you can still give us a five-star review, say something nice about us, maybe tell somebody that you like listening to Smashing Security. Spreading the word helps spread this podcast far and wide around the world, and there is nothing lovelier, when I do get to travel around giving talks, than to have someone

43:34.627 --> 43:39.734
[SPEAKER_03]: come up to me and say, hello, I listen to Smashing Security each week. And I say, oh, bless you.

43:39.774 --> 43:41.015
[SPEAKER_03]: What a lovely person you are.

43:41.416 --> 43:49.907
[SPEAKER_03]: So thanks to each and every one of you who goes out there and shares your appreciation for Smashing Security with somebody else, because it really makes it all worthwhile.

43:50.448 --> 43:51.029
[SPEAKER_03]: Okay, don't you then?

43:51.149 --> 43:55.034
[SPEAKER_03]: Well, that's just about it for this week, and catch you again next week.

43:55.054 --> 43:55.414
[SPEAKER_03]: Too loop.

43:55.535 --> 43:55.875
[SPEAKER_03]: Bye-bye

