Rockstar got hacked. The data was junk. The secrets it revealed were not

title Rockstar got hacked. The data was junk. The secrets it revealed were not

description A company that ran anonymous tip lines for 35,000 American schools - handling reports of bullying, weapons, and self-harm - boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results...
Meanwhile, Rockstar Games gets hacked again - and the stolen data turns out to be less embarrassing than the financial secrets it accidentally revealed. GTA Online is still making half a billion dollars a year. Red Dead Redemption is not.
All this and more in episode 464 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest BBC cybersecurity correspondent Joe Tidy.
Plus! Don't miss our featured interview with Ryan Benson of Meter.

EPISODE LINKS:
Grinex exchange blames "Western intelligence" for $13.7M crypto hack - Bleeping Computer.Are Former Black Basta Affiliates Automating Executive Targeting? - Reliaquest.Apple is working on passcode bug locking out iPhone users - The Register.Hackers who stole crime tip records offering data cache for $10k - San.P3 Advertised 20+ Years and 0 Security Breaches. You Can Guess What Happened Next - Databreaches.net.Portland police urge residents to avoid Crime Stoppers following hack - San.GTA-maker Rockstar Games hacked again but downplays impact - BBC News.Rockstar hackers release their stolen data, reveal that Rockstar was right to not pay them anything for it - PC Gamer.XCancel.”We Are Anonymous” by Parmy Olson - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
SPONSORS:
Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.Meter – Network infrastructure for the enterprise. Get a free personalised demo.Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

pubDate Wed, 22 Apr 2026 22:00:32 GMT

author Graham Cluley

duration 3085000

transcript

Speaker 1:
[00:02] He said, selling data, he said, goes against my principles. But principles, he said, are for the well-fed. And he needs some grub on the table. Can we not just give him a burger rather than $10,000?

Speaker 2:
[00:24] Smashing Security, Episode 464, Rockstar Got Hacked.

Speaker 1:
[00:30] The data was junk, the secrets it revealed were not. With Graham Cluley and special guest, Joe Tidy. Hello, hello, and welcome to Smashing Security Episode 464. My name's Graham Cluley.

Speaker 3:
[00:42] And I'm Joe Tidy.

Speaker 1:
[00:43] Well, Joe, great to have you back on again. I have to say, author, of course. Or will I actually have the book on the shelf behind me here?

Speaker 3:
[00:51] Where it is, let me see it, let me see it.

Speaker 1:
[00:52] Here it is.

Speaker 3:
[00:53] Yeah, thank you very much.

Speaker 1:
[00:55] There you are, within reach.

Speaker 3:
[00:56] Lovely to see. I'm a little bit echoey, Graham, as you can tell, because I'm currently in what can only be described as a corridor, but I hope that's okay. I hope the sound is all right.

Speaker 1:
[01:05] The corridors of power, I suspect that's where you are.

Speaker 3:
[01:08] I'd like to say that, but no, it's just a corridor.

Speaker 1:
[01:12] Now, for people who don't know, you are the, what is it? What's your official title? Cyber correspondent at the BBC?

Speaker 3:
[01:18] That's right. Yeah, cyber correspondent. Yeah, actually, when I got the job at the BBC eight years ago, maybe nine years ago, it was a cyber reporter. I remember saying to them, that sounds a bit futuristic. Can you call me cyber security because I sound like a robot? But then over time, I've realized that people know what cyber means. Also, I do other things. I don't just do cyber security. I do online safety and gaming and crypto, that kind of thing. So cyber correspondent covers it all.

Speaker 1:
[01:47] It's funny because back in the day, you know, it's like, I don't know, 1999, cyber, most people thought of cyber sex, didn't they? They thought of the lawnmower man and things like that. And now it is all about cyber security.

Speaker 3:
[02:00] Yeah, I wouldn't know about cyber sex. Not really my thing.

Speaker 1:
[02:02] Nor me, sadly.

Speaker 3:
[02:06] But yeah, I think the term, when I say I'm a cyber reporter now, most people understand what that means. Whereas when I started, they're like, what on earth are you talking about?

Speaker 1:
[02:15] Well, we're really glad to have you here today. And before we kick off, let's thank this week's wonderful sponsors, Meta, Elaspic and Vanta. We'll be hearing more about them later on in the podcast.

Speaker 2:
[02:28] This week on Smashing Security.

Speaker 1:
[02:30] We're not going to be talking about how US sanctioned cryptocurrency exchange Grinex has suspended operations after what they claim was a hack by Western intelligence agencies. You'll hear no discussion of how hackers are bombarding executives' inboxes with hundreds of emails and then immediately following up with calls posing as the IT help desk claiming to be there to fix the problem. And we won't even mention how an iOS 26 update removed a Czech keyboard character, looking out any users who had it in their iPhone passcode. So Joe, what are you going to be talking about this week?

Speaker 3:
[03:12] I'm going to be talking about a fascinating data breach at Rockstar Games, the absolutely enormous games maker. They're the guys behind Grand Theft Auto and Red Dead Redemption. Don't know if you're a gamer, Graham, do you play these games?

Speaker 1:
[03:24] I'm not a gamer, but Red Dead Redemption is extraordinary.

Speaker 3:
[03:28] Brilliant.

Speaker 1:
[03:29] Absolutely amazing game.

Speaker 3:
[03:30] Yeah, absolutely amazing.

Speaker 1:
[03:31] And I'm going to be asking, is it wise to leave a tip? Plus, we're going to be chatting to Ryan Benson of Meta, find out what they've been up to, all this and much more coming up in this episode of Smashing Security. Time for a quick word from one of our sponsors today, Elastic. So here's a familiar scenario. Something suspicious hits your network. You need answers and you need answers fast. So your team logs in to Tool 1 and then Tool 2 and then the thing that doesn't quite talk to either of them. By which point, whatever was happening has, uh-oh, happened. Well, Elastic unifies your security data so analysts can focus on detecting and responding to threats, not herding different dashboards, which is probably why over half of Fortune 500 companies use Elastic. Find out more right now at smashingsecurity.com/elastic. That's smashingsecurity.com/elastic. And thanks to Elastic for supporting the show. Now, I've got a tip for any company that handles sensitive data. My tip is to never ever boast about how good your security is. Because it might bite you in the bottom one day. Could be a problem.

Speaker 3:
[04:59] I mean, the amount of times that these companies say, we are unbreakable, unhackable, that kind of thing. And then of course, that just like, it's a red rag to a bull, isn't it? To the cybersecurity world, because you want to break it. If you're told you can't break it, you want to break it. It actually reminds me of when I was at BBC Oxford, which is like a regional BBC News program. There was a guy, a local guy, a local company said, we've made a USB stick that's basically indestructible. So my team, when I quit Joe, go into a video report with these guys, and I filmed it all on my own. We did the interview and everything and they were giving it a big one about how this USB stick is indestructible. I said, just for fun, can I run it over with my car? The guy's like, yeah, okay. I ran it over with my car and I filmed everything, and it completely oblivious.

Speaker 1:
[05:46] Did you broadcast that or not? Absolutely, we did. It was great. End of that company, they won't be bringing up BBC Oxford again, will they?

Speaker 3:
[05:53] No, they will not.

Speaker 1:
[05:54] Well, one company was rather proud of its boasts that it had never suffered some kind of security breach, and it was an outfit called P3 Global Intel. On its website, the company actually advertised that it had been business for over 20 years with, in their words, zero security breaches. Zilch Nought, a marvellous, unblemished record. I think from your little chortle there, Joe, you can sense where this story is going already.

Speaker 3:
[06:27] Yeah. Again, it reminds me of those, the factory so-and-so days since the last accident. Yes. At the moment, we're good. There's been X amount of days before something went wrong. Yeah. You're foreshadowing, aren't you, Graham? I can tell. You're a storyteller.

Speaker 1:
[06:43] I am. That's right. So you may be wondering what does this company, P3 Global Intel, actually do? And they run what's called a fully integrated and state of the art tip acquisition and tip management solution. In other words, it runs anonymous tip lines, crime stopper programs, school safety hotlines, that kind of thing. And it is used, and this is extraordinary to me, it is used by 35,000 American schools.

Speaker 3:
[07:18] Wow.

Speaker 1:
[07:19] Obviously, American schools desire having a hotline.

Speaker 3:
[07:22] I didn't even know this was a thing, but clearly it is.

Speaker 1:
[07:25] Apparently, it is. Students are encouraged to anonymously report if a classmate is being bullied, or if someone has brought a weapon to school, or if a friend is suicidal. So very serious stuff.

Speaker 3:
[07:37] Absolutely. Yeah.

Speaker 1:
[07:38] So that's great that there's that facility, because obviously anonymity is the whole point. If you are able to leave a tip anonymously, that's going to encourage students to submit a tip, which could be very, very important. So it's rather unfortunate that a hacktivist going by the name, and brace yourself here, Joe, I know you are a seasoned cybersecurity reporter, so you've heard a lot of hacking names. This is someone who goes by the name Internet Yif Machine.

Speaker 3:
[08:08] Yif Machine? What is a Yif?

Speaker 1:
[08:09] I don't know what Yif. I'm looking it up.

Speaker 3:
[08:11] Have you looked it up?

Speaker 1:
[08:12] I haven't looked up what Yif is. Maybe it's something that the youngsters understand. I mean, there was Jif which became Cif, which was the bathroom cleaner. I don't know if it's now or Yif.

Speaker 3:
[08:23] So apparently, according to Wiktionary, Yif is the bark of a fox, slang, vulgar, informal.

Speaker 1:
[08:32] Oh, hang on, hang on. Hello.

Speaker 3:
[08:34] Section, of course.

Speaker 1:
[08:35] Ding-dong.

Speaker 3:
[08:37] Between furries.

Speaker 1:
[08:38] Yes, they are bit noisy foxes from what I've heard.

Speaker 3:
[08:40] Right. You've messed up with my internet history now. Thanks for that.

Speaker 1:
[08:44] Yes. Well, you could be in trouble with your employer, but anyway. So this chap, Internet Yif Machine, he scooped up 91 gigabytes of data containing 8.3 million of those supposedly anonymous tips. Now, how did he do this? And this is the worrying thing. It wasn't a sophisticated nation state attack.

Speaker 3:
[09:11] Zero day.

Speaker 1:
[09:12] It wasn't a zero day that no one had seen before. This was a simple cross-site scripting vulnerability in the leaver tip chat box. So it turns out this company, P3 Global Intel, had failed to set some flags on their cookies properly. So it was trivial for Internet YIFT Machine to steal a member of staff's session cookie through a little bit of social engineering, get him to click on something, bam, they've got the cookie. And once inside, they found it was child's play to exfiltrate vast amounts of data which should have been held securely. In fact, they made 8.3 million requests over the course of four days without apparently three noticing anything at all had gone wrong.

Speaker 3:
[09:57] This is a bit of a catalog of errors here, isn't it?

Speaker 1:
[10:00] It really is. So I mean, this wasn't a sophisticated vulnerability that was being exploited. It's the kind of thing that you learn on day one of Web Security School. It's the kind of thing that's been documented for years in the OWASP Top 10. These are the things that you have to make sure your web application doesn't suffer from the most common vulnerabilities on websites. So basically, someone left the front door open, the windows unlocked and they put out a big sign in neon outside saying, nobody's ever broken in here. Try your luck.

Speaker 3:
[10:34] Yep. And hackers will do that.

Speaker 1:
[10:36] Of course they will.

Speaker 3:
[10:38] Yep. If you tell them you can't hack me, you're going to get hacked. Yeah.

Speaker 1:
[10:44] So many times, internet companies have made really big posts and everyone out there is thinking, oh, you know, I'd love to prove them wrong. I bet it's possible if I put in enough effort. Turns out Internet Yiffle Machine didn't have to put in very much effort at all. Anyway, he grabbed all this data and he handed it over to an outfit, a whistleblower outfit called DDoS Secrets. Are you familiar with DDoS Secrets?

Speaker 3:
[11:08] Oh, yes. Oh, yeah. They've been around a long time. Yeah. Yeah.

Speaker 1:
[11:11] They have, haven't they?

Speaker 3:
[11:12] And sort of linked to WikiLeaks, I think. Yeah.

Speaker 1:
[11:14] It was like a WikiLeaks offshoot, I think. And they're rather like WikiLeaks. They've certainly had their fair share of controversy over the years as to whether they're doing the right thing or not and whether they're disclosing too much information and maybe working too closely with the hackers, you know, controversial out there. Anyway, they dubbed it BlueLeaks 2.0. And those of you with longer memories may remember in 2020, there was a breach of US law enforcement agencies and the date-

Speaker 3:
[11:44] Was that based around the George Floyd protests?

Speaker 1:
[11:47] I think it was exactly that.

Speaker 3:
[11:48] I think that because there was lots of DDoS secrets activity around there, lots of police forces were hacked around that time, I think, so it may have been linked to that.

Speaker 1:
[11:56] I think it was. And that original BlueLeaks incident involved the doxing of police officers and law enforcement agents, which obviously people were concerned that they could end up, you know, their families being put at risk and so forth. Anyway, the good news is this data has not been published publicly, but the hacktivist has listed it for sale on the hacking forum for $10,000.

Speaker 3:
[12:27] It doesn't sound like a hacktivist.

Speaker 1:
[12:28] Well, now, no, he doesn't, does he, really? No. And there's some sensitive information in there. So a researcher asked Internet Yiff Machine about this, said, you know, what are you doing? And he said, look, he basically said, I'm paraphrasing, he said, selling data, he said, goes against my principles, but principles, he said, are for the well-fed. And he needs some grub on the table. Could we not just give him a burger rather than $10,000? And he says, unfortunately, he's not doing very well financially. He says, don't worry, though. He says, I only intend to sell one copy. I'm going to keep the exposure limited. And that they're very, very sorry about this, but they're going to have to do it.

Speaker 3:
[13:09] Because that's how things work, isn't it?

Speaker 1:
[13:11] Yes.

Speaker 3:
[13:11] There's only ever one owner, because you can't just copy it.

Speaker 1:
[13:14] No, nobody's ever copied data. It's like, what? Come on, how are you going to control how this information is used and abused? It's ridiculous. I mean, I suppose it is better than the attitude of most ransomware gangs, but it's not really any comfort at all, is it? Far off.

Speaker 3:
[13:33] No, not at all, no.

Speaker 1:
[13:35] Well, at least the ransomware gangs tell you quite often these days how they got in. They offer to sell additional services.

Speaker 3:
[13:41] Yeah, that's true.

Speaker 1:
[13:42] Yeah, yeah.

Speaker 3:
[13:44] But also, this is like really, really sensitive data, isn't it? You can imagine some of the stuff.

Speaker 1:
[13:49] It is. I mean, there was information about people's self-harming, there was information about abuse, and all kinds of ghastly information, and the data apparently goes back as far as 1987. Some of this data, it goes back decades. Wow. One researcher who saw the data was able to identify someone who had had something happen to them when they were a toddler, and they were able to contact them today about it, because this data had been breached. I mean, it's ghastly to think that it could have been pieced together like that. Yeah. So very disturbing some of this. Last month, Portland police took some action. They told local residents to stop using Crime Stoppers while the hack was being investigated, because they said, we just can't be confident it's safe anymore. And as of this recording, P3's parent company, Navigate 360, they have not publicly confirmed that a breach has occurred. They haven't notified any schools or any individuals, hasn't responded to press inquiries. There's already a class action suit being revved up against them. But the claim on their website that they've suffered zero security breaches has been updated. It's been removed. They've just quietly shuffled that to one side. So rather than in the last 20 years, it's like, don't ask about that, don't ask about that.

Speaker 3:
[15:12] Yeah, yeah. Everything's fine.

Speaker 1:
[15:14] But it's pretty unacceptable that they haven't communicated at all about it, isn't it?

Speaker 3:
[15:18] Oh yeah. As a journalist, this really, really bugs me because of course, it's really difficult when you cover these cybercrime incidents because the victim here, is it P3? Do you know what they're called? P3. So they're a victim. They've been hacked by a criminal. However, they're also the custodians of this really important sensitive data. So in a sense, they're culpable for doing bad security at the same time. So it's really hard when you, I haven't covered this story myself, but there were journalists that have. They'll be wanting to get answers from this company, and the company had been clearly really, really terrible in transparency. Those people who have done tips, who've used the tip line, they need to be told by the way that tip you gave us anonymously, that might be out there now. Someone could find that and put your name to it. It's a really nasty breach. There's a really nasty bit of PR from them.

Speaker 1:
[16:07] This is the interesting thing. If the tips are anonymous, presumably they don't know who the people are who've left the tips.

Speaker 3:
[16:17] Well, hopefully, in that sense, that protects them a little bit, doesn't it? Because you could say, I'm in year three. Did you know that this kid here is bringing a knife into school? Whatever. If that was anonymous, then you'd be a bit more, okay, that's safe. But what if names are left on there?

Speaker 1:
[16:31] Well, exactly, because the tip is probably going to contain information which is actionable.

Speaker 3:
[16:36] True.

Speaker 1:
[16:37] So it could be people who've never had any interaction with this tip hotline as well. People who the company doesn't have any contact details for who have been impacted by this.

Speaker 3:
[16:47] That is such a good point. Yeah. Yeah, they're more likely to be impacted than the actual tip givers, aren't they?

Speaker 1:
[16:53] And of course, this goes back decades.

Speaker 3:
[16:56] Yeah.

Speaker 1:
[16:56] So even if you did have contact information, piecing together who these people are, I'll tell you the comparison I was thinking of was of course, the Julius Kivimaki, the Vistamo. You wrote a book all about it. So the Vistamo Psychotherapy Clinic Act in Finland, where he then went on to blackmail these people after their psychotherapy notes ended up in his lap effectively after he did the hack. This is information which potentially could be pieced together and used for blackmail purposes as well.

Speaker 3:
[17:28] Absolutely. Well, to be honest, if they can, they'll find any way to get paid, won't they? These cybercriminals. They'll stoop lower and lower and lower. So I wouldn't be surprised if this person isn't given $10,000 for their... It almost reminds me of the Wutang Clan. They did one album and they sold it to one person to try and keep it exclusive. If they're not going to do that and they're not going to get their 10 grand, I'm afraid some of those people in that data set might be approached by them. Which would be very scary and very troubling for them. It's unusual, isn't it, for hackers to reach out directly to data breach victims. But we know it does happen like in the Vistamo case.

Speaker 1:
[18:04] Yeah, we do.

Speaker 3:
[18:05] It also happened recently here in the UK with the kiddos nursery hack. There was this really weird, everyone went crazy for it in terms of it was a real nasty nadir in cybercrime where some teenagers hacked into kiddo nurseries, which is a chain of nurseries, stole all the data, particularly the kids' pictures and profiles and stuff like that, safeguarding notes. And then the company kiddos wasn't paying. So then the hackers called up some of the families, some of the mums and dads and said, we've got your kids' profile pictures to scare the parents. Absolutely horrendous and hideous. Yeah.

Speaker 1:
[18:39] Horrible stuff. I was just thinking, if someone does pay the $10,000 of course to access this information, they're going to want to then monetize it, aren't they?

Speaker 3:
[18:48] It's a great point.

Speaker 1:
[18:49] They are going to go to the office.

Speaker 3:
[18:51] Yeah, of course. Yeah. Unfortunately, the chances of those people being victimized further increases, doesn't it? Yeah.

Speaker 1:
[18:58] It's not like collecting butterflies if you're collecting data.

Speaker 3:
[19:03] Absolutely not. No, good point there.

Speaker 1:
[19:05] Yeah.

Speaker 3:
[19:06] I think this is probably just the start of it, isn't it? What a nasty one.

Speaker 1:
[19:13] Well, time now to talk about one of our sponsors, Meta. Joe, have you ever had to set up a network for a new office?

Speaker 2:
[19:19] Once. I've since sought therapy.

Speaker 1:
[19:22] Right. Well, Meta exists to make all of that someone else's problem. They are a network as a service company, but a proper end-to-end one. You hand them a physical address, a floor plan, they handle everything. They sort out the ISP, they design and deploy the network, they turn up on the site, they rack their own hardware, kits that they've actually designed themselves, not just rebranded someone else's gubbins.

Speaker 2:
[19:47] So, I don't have to spend 45 minutes on hold with the Telecoms company, only to be told they've misspelled our company name on the contract.

Speaker 1:
[19:53] Right, yeah, not a single minute of that. And once you're up and running, you get one dashboard for monitoring, security, VLANs, firewall, DNS security. The whole works. Full control without any of the soul-destroying groundwork.

Speaker 2:
[20:09] This begs the question, what's the catch?

Speaker 1:
[20:11] Genuinely, no catch. It's a straightforward subscription model. They even have a hardware buyback program if you've already blown the budget on equipment from another vendor.

Speaker 2:
[20:21] So they'll take away the evidence of my previous terrible decisions.

Speaker 1:
[20:25] Right. Basically, yes. So find out more at meter.com/smashing. That's meter.com/smashing. And thanks to Meter for supporting the show. Joe, what have you got for us this week?

Speaker 3:
[20:45] I have got a story about Rockstar Games, which was hacked again. I was particularly interested in this one because, as you mentioned my book earlier, at the end of my book, I talk about a gang called Lapsus, which in about 2022, 2023 were a really big deal. And one of the guys from Lapsus hacked Rockstar Games and stole a huge amount of data and source code, got into the Slack, I remember, of the company and posted pictures of penises.

Speaker 1:
[21:13] Like you do.

Speaker 3:
[21:13] Because he's a teenager and why not? Yeah, yeah. Anyway, and then he also published some 90 clips of GTA 6, the forthcoming GTA game, which by all accounts will be the biggest game, biggest entertainment product ever.

Speaker 1:
[21:28] They've been working on it for like 10 years or something, is it?

Speaker 3:
[21:31] Yeah, the hype is incredible. Two billion dollars have been spent on it, something insane. Anyway, so that was that hack and it costs Rockstar five million dollars in disruption and cybersecurity. Now, we find out that a group, again, we think teenagers called Shiny Hunters, you might have heard of Shiny Hunters. They've been quite prolific in data breach extortion attacks in the last couple of years. They have got into Rockstar Games using a third-party provider of, I think it was a bit of API that manages their cloud storage, and they have stolen quite a chunk of data. But the interesting thing here is that neither the hackers nor Rockstar thought it was really worth much. I spoke to the hackers. They said, oh, we've got this data. We are extorting Rockstar. They're not paying though. I said, well, what is it? He goes, it's junk data, to be honest. But we tried to get paid. What's funny is, of course, they've admitted it. Rockstar has said, the quote that we reported at the BBC was, this isn't going to impact us at all. So the data is gone, but we're not going to pay the criminals, which is, of course, what everyone says, don't pay, don't pay, don't pay. So that's good in a sense. But what I think is fascinating here, is the data has now been published and put online on the shinyhunters.net website. It's now being sent around and being shared. Although most of it is, in their words, junk, there's a few tidbits of information which have ended up being a massive talking point in the gaming world. Anything to do with GTA is a talking point because of the size of it. But what's really interesting is that the financials of how much GTA Online makes and how much Red Dead Redemption makes have been released as well. So you've got these reddit threads full of gamers talking about, oh my God, I can't believe it makes this much. The headlines are, GTA Online, bear in mind this is something like a 13-year-old game.

Speaker 1:
[23:21] Yes.

Speaker 3:
[23:21] It still makes half a billion dollars a year.

Speaker 1:
[23:25] Bloody hell.

Speaker 3:
[23:26] I mean, we knew it was big. We didn't know it was that big. This is another thing that's come out of the data breach, is that only a very small fraction of people who play that game actually spend in that game. They buy these shark vouchers or tokens, the in-game currency type stuff.

Speaker 2:
[23:41] Yes.

Speaker 1:
[23:42] Is this to pimp up their vehicles or to wear a fancy suit?

Speaker 3:
[23:45] I think so. That kind of thing.

Speaker 1:
[23:46] To have a more dangerous weapon or something?

Speaker 2:
[23:48] Yeah.

Speaker 3:
[23:49] I think it's all cosmetic stuff. I think it's to upgrade the visuals of your character, like Fortnite does with V-Bucks and that kind of thing. But the interesting thing about it as well is that Red Dead Redemption, which people had a feeling it wasn't that popular, it's not got anywhere near the size of GTA following. But because of this data breach, we now know just how little people spend in Red Dead Redemption. And the reason possibly why Rockstar Games isn't really putting much effort into Red Dead Redemption, according to the data breach, whereas GTA Online is making about 500 million per year, unfortunately Red Dead is only pulling in about $26.4 million per year. Still not bad, is it? But what gamers are saying is that this really does say a lot about where the money and effort and design is going, which is GTA, because that's where the money is.

Speaker 1:
[24:40] Yeah.

Speaker 3:
[24:40] And this article I love from PC Gamer, it says maybe Red Dead isn't Red Dead, it's just Dead Dead because there aren't many players.

Speaker 1:
[24:48] So, unlikely we'll get a third incarnation of it perhaps.

Speaker 3:
[24:52] No. But again, people are a bit worried now because of the data breach, because they're saying that is GTA 6 going to be aiming for that online audience? Is it not going to be a buy it once and play it forever? Is it going to be a live, constantly updated game because now they've seen the financials, and it makes so much sense business-wise? Perhaps people are saying, maybe that's why Rockstar isn't rushing with GTA 6, because they're making so much money on GTA Online. The reason I bring this up, I know it's not a gaming podcast, but in terms of data breaches, I think this is a real fascinating case study in the unintended consequences of letting data that you think isn't that interesting into the public. I love the PC Gamer article title is, Rockstar Hackers Release Their Stolen Data, Reveal That Rockstar Was Probably Right Not To Pay Anything For It. But perhaps, maybe Rockstar might be thinking that again, because this information, maybe it was already out there through investor calls and things like that, but no one really paid me attention. But now it's out there and people are really pouring over it and analyzing it and reading lots and lots between the lines.

Speaker 1:
[25:57] Well, we've got time now to talk about one of today's sponsors, Vanta. Joe, what keeps you up at 2 o'clock in the morning?

Speaker 2:
[26:05] The dog next door mostly.

Speaker 1:
[26:06] All right. Well, yeah, but I'm talking professionally. What keeps you up?

Speaker 2:
[26:10] Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.

Speaker 1:
[26:19] Exactly. Which is where today's sponsor comes in. It's Vanta.

Speaker 2:
[26:24] Vanta, the fizzy orange drink. How can this possibly be true?

Speaker 1:
[26:27] No, Joe, it's Vanta with a V. It's a trust management platform. It's not a drink full of sugar. It automates all of that tedious manual compliance work, so you can stop drowning in spreadsheets, chasing audit evidence and filling out questionnaire after questionnaire.

Speaker 2:
[26:46] Lush. I hate questionnaires.

Speaker 1:
[26:48] Well, who doesn't? Vanta continuously monitors your systems. It centralizes your security data. It keeps your program audit ready all of the time. It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR and more.

Speaker 2:
[27:10] So basically, it handles the boring stuff, so we can focus on the interesting stuff.

Speaker 1:
[27:14] Exactly. Precisely that. For a limited time, new customers can get $1,000 off.

Speaker 2:
[27:20] $1,000?

Speaker 1:
[27:21] Yep, $1,000. Head to vanta.com/smashing. That's vanta.com/smashing and get started today.

Speaker 2:
[27:33] Maybe get a decent night's sleep for once. Unlike fizzy drinks, Vanta isn't bad for you. That's a fruit twist.

Speaker 1:
[27:41] And welcome back and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Speaker 3:
[27:47] Pick of the Week.

Speaker 1:
[27:52] Pick of the Week is the part of the show where everyone chooses. I know that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security-related necessarily. Well, my Pick of the Week this week is not security-related. I'm sure you'll like me, Joe. I used to love Twitter.

Speaker 3:
[28:09] Oh, I miss it.

Speaker 1:
[28:10] Don't you just?

Speaker 3:
[28:11] I miss it so much.

Speaker 1:
[28:12] I mean, it wasn't perfect, but as a news junkie and I am a news junkie, it really appealed to me.

Speaker 3:
[28:18] Yeah, same. It was the place where everyone was. Every morning you would know, okay, this is where people are.

Speaker 1:
[28:25] It's great. It appealed to me much more than any other social media platformer and then they all went terribly wrong. I don't think we need to name anyone in particular, which coincided with it going terribly wrong. But I think we recognize that Twitter changed and not only changed its name, they want us to call it X for some ridiculous...

Speaker 3:
[28:48] Yeah, I find it hard to call it X.

Speaker 1:
[28:49] I can't really call it X to this day because I'm not 13 years old. It just seems like a stupid name. So I deleted my account, I said goodbye, moved to other places like Bluesky and Mastodon, and which aren't really as great as Twitter was in its heyday, but-

Speaker 3:
[29:07] No, not at all. You left behind a decent following as well, Graham, didn't you? So was that an ethical moral standpoint for you?

Speaker 1:
[29:16] It's hard to believe, isn't it? Yes. So yeah, I think I had about 120,000 followers.

Speaker 3:
[29:25] That was a big decision then.

Speaker 1:
[29:27] Well, yeah, I decided I didn't want to be there. I didn't want to encourage other people to be there, a bit like closing down your Facebook account or something like that really. So I went elsewhere. But the thing is, sometimes I still have reasons to go to Twitter, because sometimes someone posts up something like, you see these AI videos with Lego characters during the current conflict in Iran, for instance, and they're being posted up on Twitter. You think, oh, I'd quite like to see that. But I don't want to create a Twitter account, and I don't want to link to Twitter from an article because it's horrible, and it's bio-filled, and it's full of bots. I don't feel right thinking to it. And that is when I discovered a site called Xcancel. And Xcancel is a third-party interface that allows people to view and link to. You can't post to Twitter via it, but you can view and link to content, which is on Twitter, without directly using Twitter or X itself. Does that make sense?

Speaker 3:
[30:25] So it's like using X with really thick rubber gloves on, or wearing a hazmat suit.

Speaker 1:
[30:31] Yes, exactly, exactly. You won't publish anything, but you can see what's going on there. You don't have to create an account, which means I can replace x.com with xcancel.com in all of my URLs to access content through it. I can even use a browser extension that automatically redirects any links to the old Twitter to go to xcancel.com instead. Or, I don't use Google as a search engine. I use something called Kaggy, which is something you pay for, but it has some nice benefit. I can tell Kaggy to always change search results, which go to X, to go to Xcancel instead, automatically.

Speaker 3:
[31:13] That is smart.

Speaker 1:
[31:14] I feel like I'm doing my little bit, my little tiny little chink to chip away from their number of page visits every month by doing that. My recommendation to people, I don't know if other people are like it, or whether they're obsessed about this kind of thing as I am, but my pick of the week is xcancel.com.

Speaker 3:
[31:34] Nice. What would it take for you to get back on Twitter? Let's say a certain CEO maybe stood down or hided over the reins of someone else. If there was some sort of declaration or something, would you go back on?

Speaker 1:
[31:46] Fool me once, shame on me.

Speaker 3:
[31:48] Yeah, yeah, yeah.

Speaker 1:
[31:49] Oh no, shame on you, isn't it? Anyway, but yes, you know what I mean. There's a lot of shame going around as well. I think I'd always be nervous about it. To be honest, from what I've seen, a lot of it is bots or a lot of it is porn or AI content, and it's just like, this isn't actually valuable. Yeah. Although Mastodon and Bluesky aren't as great as Twitter used to be, I do find them more pleasant places to hang out, so I'm quite happy being there, to be honest. Anyway, xcantle.com. Joe, what's your pick of the week?

Speaker 3:
[32:21] I'm probably going to choose a book I'm reading at the moment, which is We Are Anonymous by Parmy Olson. It's an old one, I think, probably came out, the events of the book are about Anonymous, the hacking collective, so she's writing about things that happened in 2009, 10, 11, 12. I think it came out at 14.

Speaker 1:
[32:38] I think it was earlier than that.

Speaker 3:
[32:39] Well, I'm late to the party, but the good news is the party is still swinging. It's fantastic. I'm really enjoying it. It's a really good page-turner, and it gives us the type of cyber writing and reporting that I really like, is where you get to know the individuals, and you get to find out what makes them tick. I'm really enjoying it. She's a great writer, American. I think she was at Wired, and now I think she's a Bloomberg tech columnist or something. Yeah. She's written another book called Supremacy, which is about Sam Altman and Dennis Hassebus of DeepMind in Google. That's really good as well. But yeah, I'm really enjoying it. We Are Anonymous is the book, and check it out if you haven't already.

Speaker 1:
[33:17] It's a real blast to the past, isn't it, about some of those old hacking gangs who are making the news. I think LulzSec are covered in it quite a lot, for instance, who were a very prominent, primarily British, hacking gang back in the day.

Speaker 3:
[33:29] Yeah, and they feature in my book as well, because my book is about teenage hacking. And I realize now, too late, that I should have read her book while I was, or before I was writing mine, because it would have helped inform my reporting. But luckily, I haven't got anything wrong. But I could have just got some really nice detail from the sort of stuff that she got. Because as you say, she follows a small group of anonymous like CORE, which turn out, lots of them, to be part of this really world changing group that was LoLSEC.

Speaker 1:
[33:56] Does it feel like another time now? Does it feel, do you think, like a different age?

Speaker 3:
[34:01] I don't think so, actually. I think there's a lot of stuff that just keeps coming around. So some of the character beats, some of the things that make these hackers tick, you could see that in the book that Parmy wrote 10 years ago. And you could also see it in the book that I wrote last year. There is a certain number of character traits that you see in these young hackers who like anarchy and chaos. And that really does come through. And I think in a sense, it goes all the way back to like the Haffa Manifesto of the, it was the late 80s, mid 80s, where you know, you had this idea of the smartest people in the room. They think faster than everyone else. And they want to show everyone how clever they are by doing crazy magical things with computers. So it does feel almost timeless, that type of story. And that's been really interesting to notice as I've been reading it.

Speaker 1:
[34:47] Well, thanks very much. Good pick of the week there. Right. Well, we've got some time now to have a featured interview with a special guest. Well, if you've ever had to set up networking for a new office or you've watched an IT team try to bolt security on top of infrastructure that was never designed for it, you'll know it's rarely pretty. Well, Ryan Benson is from Meta, a company that thinks that there's a better way. Ryan, thank you for joining me.

Speaker 4:
[35:14] Oh, thank you for having me, Graham.

Speaker 1:
[35:15] So IT teams, they're constantly being asked to do more with less resources, aren't they? So what does it actually look like out there on the ground? What corners are people ending up cutting?

Speaker 4:
[35:27] Well, Graham, I've been doing this for almost 25, I don't want to admit how many years, and until I joined Meta, I was always asked to design to mediocrity. I would come up with a great network design and I'd have redundant firewalls and I'd have powerful switches and what have you and then inevitably, we'd go to the money folks and they'd say, uh-uh, rip out 30 percent of it or whatever, right? So we would rip out this skew or this box or whatever, and that would take oftentimes weeks of my work and working with the limited resources like you mentioned at those IT teams to come up with something that would fit the budget and yet also keep the business running. So we designed a mediocrity, rip out a bunch of cool design that I spent all this time working on, and in the end, we'd have something that works but really isn't the greatest, and might have some holes or what have you. And then three or five years later, we'd have to come back around and say, okay, well, here's some new boxes with some new chips or some new technology.

Speaker 1:
[36:34] Right. So the existing approaches seem to fail, don't they? They don't do so well. There's always trade-offs being made. If it's hardware or you're sacrificing redundancy or you're working with lots of different vendors, and there, all sorts of problems can occur, can't they?

Speaker 4:
[36:51] Correct.

Speaker 1:
[36:51] Correct.

Speaker 4:
[36:52] So you might have not only just like single points of failure, but in kind of the traditional way of doing these things, you might go for a lower tier software license that doesn't have as many features or something like that. And that's kind of the way that we've done things for a long, long time. Well, what if we didn't have to do that? What if we always put our best foot forward?

Speaker 1:
[37:13] And there is a temptation, I think, inside some companies to treat every security gap. No, it's like, how are we going to deal with this? It's like, well, we'll buy another tool. But sometimes that's not always the best approach, is it?

Speaker 4:
[37:25] Right. Because, you know, you can have a whole bunch of tools. But if you're not equipped to manage them or to log in a bunch of different dashboards or constantly be looking at them, it's not really a great approach to security because you might have the best tool, but if you don't know how to pick it up and use it, right, or if you don't have the time to pick it up and use it, it's not useful to you.

Speaker 1:
[37:46] So Ryan, for listeners who haven't come across Meta before, how do you sum it up?

Speaker 4:
[37:50] Well, Graham, we're an enterprise networking company that delivers wired, wireless, security, cellular even, as a subscription. So the idea is that we deliver world-class networking and security so the customer can go and enjoy whatever it is they want to do with their life and not have to worry about any of the technology. The idea is that everything, not just the boxes in the closet or the APs on the wall or whatever, all of it is a service. The support, day two and beyond, the design before we ever put anything in the building, the way that we configure the gear, all of that is done from Meta. And then supported in year two, year three, if there's some new Wi-Fi that comes out, we deliver all that.

Speaker 1:
[38:42] So I've heard that Meta's position is that security needs to be designed into the network from the ground up. So it's security built in, not bolted on, not added afterwards. But what does that actually mean in practice? What's different about how you guys build things?

Speaker 4:
[38:57] Yeah, I think it's, you know, some people use the term positive security model. Our default position when we deploy a new network to have security baked into the design of the network. So when something gets deployed, we've already designed it to be zero trust in terms of traffic flowing east-west within the network and things like that in the actual physical design and the software configuration of the network.

Speaker 1:
[39:25] So phrases like zero trust and NAC and others, these get thrown around a lot, don't they, by the marketing team. So I think they love all that.

Speaker 4:
[39:34] Oh, yes, yeah.

Speaker 1:
[39:36] In non-jargony terms, what does enforcement actually look like at the network level? How would you describe it?

Speaker 4:
[39:43] Not to get too jargony or too technical, but one of the things that we do is block traffic east-west by default in the actual switching infrastructure that gets delivered or the wireless infrastructure. We isolate clients from talking to each other and then open those things up as needed as the customer desires. So if there is an application that needs to talk east-west or what have you, we define that before the network ever even gets delivered. We do something called a digital twin where all of it is designed in the cloud before the physical gear is ever delivered. Then we all agree with the customer and we do a validation step. It doesn't sound like maybe the sexiest thing in the world to sell, but it is pretty cool that we go through the whole process of implementation and design. Then we shake hands and say, yes, we agree that this is how we want to run our business, or our school, or our government, or whatever. Then we say, all right, well, now we can actually physically build it. So I think a lot of that is what makes us capable of delivering a secure network from day one.

Speaker 1:
[40:53] Now, a lot of companies, I would think, have already got some kind of security stack that they've invested in. So it could be an EDR or SIM, identity tools.

Speaker 4:
[41:02] Sure.

Speaker 1:
[41:02] If meter comes in, does all that get replaced or does it sit alongside that?

Speaker 4:
[41:07] Well, I would say that some of it gets replaced. Obviously, the physical network, the management of that network and what have you. But no, the existing SIM, the IDP and all that stuff, we integrate deeply in with all of those things. In fact, they're critical to delivering a secure network. So for sure, your existing IDP, your existing SIM, those things are going to stay, and we're going to integrate in tightly with those things. So we can do role-based access control, the concept of least privilege. So if you add a new administrator or a new person in your team, you're not going to have keys to the kingdom day one and what have you. Obviously, your MFA and all of that that you use today with your IDP is still going to be used.

Speaker 1:
[41:58] So your existing investments, they are preserved. You're not chucking all of that out.

Speaker 4:
[42:04] Yeah, that's a good way to put it.

Speaker 1:
[42:05] So let's look at a typical customer and the sort of what's happening in the real world. What does their situation look like before you come in? And what's changed afterwards?

Speaker 4:
[42:18] Yeah, I think it's kind of like what we talked about just a few minutes ago, is that the incentives change. And I think that's one of the biggest differences that I could possibly say about Meter, is that it doesn't necessarily matter if our APs are the strongest, or the switches are the coolest, or fastest, or whatever, which of course I would say they are, but I might be biased. But it does matter that we care very much about the outcome. So if you're a hardware store, and you want to run that hardware store efficiently, and take obviously point-of-sale swipes, and you want to have your folks with their inventory scanner guns, be able to scan the inventory, and fly around in forklifts at 35 miles an hour, and whatever else, we care about that as much as we care about delivering an access point or a switch or what have you. So what that means is instead of worrying about what switches go in the closet, and what firewalls are plugging into the ISPs, or even what ISPs there are, we care very much about your hardware store running and operating as best as it can. We contractually obligate ourselves to that. So we deliver an SLA. We're not delivering a SKU, but we're delivering a network. I think that's the big difference is that for me, I love this stuff and you probably love it as well, right? That's why we talk about it on podcasts, and why we talk about it with friends and other network folks, right?

Speaker 1:
[43:58] Yeah.

Speaker 4:
[43:58] But really, the rest of the world sees the Internet now as plumbing, and it just needs to work, and that's what we're delivering. And I think that is the big difference for our customers, is that they can rely on a great outcome that also is secure, because we put it in the contract.

Speaker 1:
[44:21] You said that this isn't the sexiest thing in the world, Ryan, but then you start talking about plumbers. I mean, I think you are painting a picture now. Anyway.

Speaker 4:
[44:29] Well, you know, Graham, when people go to visit Rome, they go and what do they see? The Trevi Fountain? They see the aqueduct? That's 2,000 year old plumbing. So that's true.

Speaker 1:
[44:39] That is true. We've been running ads for META on the podcast for a while now. And one of the things that's been absolutely fascinating to me is that you guys even get down to the floor plans.

Speaker 4:
[44:49] Right.

Speaker 1:
[44:49] You know, you're working at that kind of level with some of your customers.

Speaker 4:
[44:52] Well, it's not just some of them. It's actually all of them. And I think I was just talking with someone about this yesterday. Like that is one of the biggest differences is that, you know, once again, like we were talking about earlier, instead of me, you know, being a nerd and putting skews and building material together and a Vizio drawing that takes me, you know, a month to do and all that, you know, all that goes away. If we talk to a customer and they say, hey, we like your idea, you know, what's the price? Instead of going through all that, we're just like, hey, send us a floor plan of your most painful location, you know, something that maybe you need to look at lately. That's it. We just need a floor plan or sometimes even just square footage and the type of building, right? And then we know based on our experience building networks for a warehouse or for a school or for a high density office or whatever, we know how much it's going to cost us to build a state-of-the-art great secure network. And so we can just give you a price. And so that's kind of reduces so much friction because at some point we can say, hey, here's what it is, you want to do business or not?

Speaker 1:
[46:01] So there's no extra SKUs, there's no add-on licenses for advanced features?

Speaker 4:
[46:05] None of that.

Speaker 1:
[46:06] Is that genuinely sustainable as a business model or does the catch arrive later?

Speaker 4:
[46:11] Well, it's funny you ask that because I don't think I can say I've had a bad meeting since I've joined Meter. But the only pushback we get is usually, this seems too good to be true. Where's the catch?

Speaker 1:
[46:26] Right.

Speaker 4:
[46:27] Or, wait a minute, if you do all this, it's probably too expensive. I can't afford it. I would say that's probably true if you own two coffee shops or something. That's not really a great fit, I guess, for Meter at this time. But if you own 100 coffee shops, we are absolutely your best option.

Speaker 1:
[46:49] Right.

Speaker 4:
[46:51] The idea of it being a consistent spend to say, you're always going to have the best network and you can just forget about networking and go on and sell your coffee or whatever it is your mission is. That's really our promise is to say, hey, hire the experts at this, we'll deliver the best and you can go on about your mission.

Speaker 1:
[47:11] So one final question for you, Ryan. If a listener is out there listening right now and thinks, oh, crumbs, you know, we could do us help with this. What's the right first step that they should take?

Speaker 4:
[47:21] Well, they could certainly head to our website, meter.com, slash smashing and see if they like what they see. And if they do, obviously, they can reach out to us either there or hello at meter.com or heck even email me benson at meter.com. I'll be happy to align you with the right folks.

Speaker 1:
[47:40] Great stuff. Well, it's been great talking to you, Ryan. Thanks so much. There you have it listeners. You can find out more. Just go to meter.com/smashing. That's meter.com/smashing. And thanks as always to meter for supporting the show and for you, Ryan, for coming on it.

Speaker 4:
[47:59] Well, thank you, Ryan, for having us. It's been an honor.

Speaker 1:
[48:01] My pleasure. Well, that just about wraps up the show for this week. Thank you so much, Joe, for joining us. Always a pleasure to have you on. I'm sure lots of listeners would love to find out what you're up to and fully online. What's the best way for people to do that?

Speaker 3:
[48:15] Well, Twitter obviously is the greatest website ever, so you should be... No, I'm actually working really hard to do more and more and more social stuff. So my Instagram and my TikTok, just my name. In fact, my Instagram is MrJoeTidy. And then I'm also on Bluesky and LinkedIn as well, but I'm...

Speaker 1:
[48:34] Only fans?

Speaker 3:
[48:35] Of course. Yeah, you know I'm only fans. Just put a little, what's it called?

Speaker 1:
[48:40] Aubergine.

Speaker 3:
[48:41] Affiliate link.

Speaker 1:
[48:42] Oh yeah, okay, well... You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Reddit or Bluesky or Mastodon as well. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. The episode show notes, sponsorship info, guest lists and the entire back catalogue of 464 episodes. Go, I know, I know. Go and check out smashingsecurity.com. Until next time. Cheerio. Bye bye. See ya. You've been listening to Smashing Security with me, Graham Cluley, and I'm ever so grateful to Joe for joining us this week and to this episode's sponsors, Elastic, Vanta, and Meta. And also, of course, the following patrons who've been plucked out of the hat. So who have we got this week? Skr Intiaz Ahmed, a name of real gravitas, that. I imagine he's read all of the Ts and Cs and actually understood them. The magnificently monikered Urs Schoenhäuser. Louis, just Louis, so confident he doesn't need another name. Trustworthy sidekick to Inspector Morse. The solid and trustworthy Robert McCurdy. Benjamin Haruth, the kind of guy who's never once clicked Remind Me Later on a Software Update. Who else? Kenneth Ingham gives the vibes of being the most knowledgeable person in any given room, but too polite to mention it. We appreciate that, Kenneth. Marvin71, yep. Marvin with a number. The 71 could be a birth year, I suppose. A high score. The number of times he's explained to someone why they shouldn't re-use passwords. We're guessing it's all three. And finally for this week, Karen Reynolds, the most organised person on the Instant Response Team and the one who brought Homemade Biscuits to the debriefing session. Those are just a few members of Smashing Security PLUS, which means that they get their episodes ad-free earlier than the general public and can be pulled out of the hat at random to have their names mocked at the end of the show. If you would like to join Smashing Security PLUS, just head over to smashingsecurity.com/plus for all of the details. You can also support the show in plenty of other ways and they aren't going to cost you a single penny. You can like, subscribe, leave a five-star review. But most important of all, go and tell your friends, go on, go and tell them that you listen to Smashing Security and encourage them to do the same. Well, until next time, that's just about it for us. So, I'll say to you, cheerio, bye bye.