Apologies for the lack of posts of late. I was really busy working from home, and with all this Corona/COVID-19 stuff I have been furloughed, so I have been at home for the last week helping the wife home school.
All the rubbish aside, I am super excited to bring you this interview I have done with the excellent Graham Cluley.
Graham is an award-winning security blogger, researcher, and public speaker. He has been a well-known figure in the computer security industry since the early 1990s, when he worked as a programmer, writing the first ever version of Dr. Solomon’s Anti-Virus Toolkit for Windows.
Between 1999 and 2013, Graham worked as a senior technology consultant at security firm Sophos. He was also the head of corporate communications, and the editor and main writer of Sophos’s award-winning Naked Security site, which typically receives 1.5 million page views each month.
Graham has given talks about computer security for some of the world’s largest companies. He has also spoken at events around the world such as RSA, Infosec, Web Summit, Microsoft Future Decoded, EICAR, AVAR, ICSA, ISSA, Virus Bulletin, Ja.net, Campus Party, and the European Internet Security Forum. He has worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.
As well as being an independent blogger, Graham has also made many international media appearances, including BBC, NPR, Good Morning America, Sky, Fox, CNN, Mashable, and TechCrunch. He has written columns on computer security for publications such as the Telegraph, IT Week, Computer Weekly, VNUNet, and the BBC College of Journalism.
Graham was inducted into the InfoSecurity Europe Hall of Fame in 2011 and was given an honorary mention in the “10 Greatest Britons in IT History” for his contribution as a leading authority in internet security.
Every week he is part of the award-winning “Smashing Security” podcast with Carole Theriault and a variety of special guests.
The podcast launched in December 2016, and in 2018 and 2019 “Smashing Security” was named the Best Security Podcast at the prestigious Security Blogger Awards held in London.
For me it is my go-to podcast, and together with Darknet Diaries it is by far and away one of my two favourite podcasts.
In security, discussing the cyber news and such can quickly become very academic and dry, but the podcast NEVER gets like that: it’s fun, light-hearted and very, VERY funny!
I also have his blog in my Feedly, so when news comes in from it I check it out straight away. I actually find myself reading his blog posts in his voice in my head, in the same fun manner as the podcast 😊
If you haven’t listened to any episodes yet or checked out his blog, WHERE HAVE YOU BEEN? Go and do it now.
Thank you so much for speaking to me. I work in IT but have only been getting into the security world since last year, and your name was one of the first I saw when looking for blogs and podcasts, so thank you.
Here are a few questions for you to answer and apologies if you have been asked them before.
You started off in the security industry in the early ’90s, presumably straight from College/Uni. Was this always the plan? I was reading that you were a programmer on the first-ever version of Dr Solomon’s Anti-Virus Toolkit for Windows, or was the plan just to be a programmer?
My first love was English language and literature, and I hoped that I would go to university to study English. Unfortunately, I messed up the exams to get into university, and ended up doing computing because (for me) it was relatively easy. Eventually I studied computing at Bristol Polytechnic (now the University of Western England).
During this time, I was writing computer games and distributing them as shareware. The idea was that if you liked my games, you’d send me a cheque in the post. Amazingly people did, and one day a parcel arrived on my doorstep from Dr Alan Solomon with a packet of cheesie biscuits, some drawings his kids had done of characters in my games, a copy of Dr Solomon’s Anti-Virus Toolkit for DOS and a letter saying that if I was interested in working for him I should give him a call.
So, I did, and I got the job as their first Windows programmer. Which was a surprise as I’d never written a program for Windows before. Alan said it didn’t matter as no-one would buy an anti-virus for Windows. In his view every serious business would buy the anti-virus for OS/2 (the version he was writing) … The rest is history. 🙂
I am a bit jealous, not just of your career but of the length of time you have been in the security world (nearly 30 years), and here I am 9 years younger with less than a year. I have asked this previously, but I am wary of the fact that I am an old beginner: do you think 41 is too old?
Goodness no. I don’t think age makes any difference at all. If you’ve spent many years outside of computer security then you will have had experience at other things, all of which may bring valuable skills and perspectives to the table. And don’t worry if you’re relatively new to cybersecurity. If anything, a long time in an industry might make you more jaded, and less open to looking at problems in a fresh way.
You have quite the storied career in terms of where you have worked and what you have been involved in, but at what point did you decide to move over from the more technical aspects to doing the public speaking, blog and podcast?
At Dr Solomon’s I spent a few years programming, but after a while they noticed I was quite enthusiastic about giving presentations about my software and the malware threat. There came a point where doing “public” stuff meant it wasn’t possible to also put enough time and effort into the programming, so I made the jump. It wasn’t an easy decision, as it’s not uncommon for the (for want of a better word) “marketing” side of the company to not have the best relationship with the “developer” side, and vice versa. I suspect some of my programming colleagues didn’t take kindly to me jumping ship, but then it’s not as though they’d have wanted to do that job.
But having had a technical background obviously gives me an advantage over folks who weren’t technical at all, when presenting a sometimes-complicated topic in a way that hopefully anyone can understand.
Dr Solomon’s eventually got acquired by a big American security company.
A lot of people were made redundant and I always viewed myself as one of the unlucky ones who wasn’t! So, I quit after a month or two and eventually found a job at a (then) smallish UK security company called Sophos, where I effectively became their “public face”.
By 2013 I’d been there a long long time and the company had changed over time, and I wanted to do something more interesting. So, I started working for myself, running my own blog, and – in late 2016 – launching the “Smashing Security” podcast with Carole Theriault.
Speaking of the podcast, which I do listen to regularly, do you listen to any other security podcasts yourself?
Not religiously. There’s so much security in my life that I don’t enjoy bombarding myself with more infosec podcasts in my spare time. Occasionally I’ll dip in, but I’d rather be listening to podcasts about Doctor Who, The Beatles, or the shit show that is American politics.
With all the events at which you have been a public speaker, was the dick pic you spoke about in last week’s podcast the strangest thing to happen?
That was uh… pretty odd, and quite unwanted.
I was once asked if I’d like to do karaoke on a company’s booth with female malware author Gigabyte. I don’t know if it ever got as far as them asking her, but I thought that might be a step too far.
In the nearly 30 years you have been in the security world you have done so much, and you are now enjoying yourself immensely with the blog and podcast. What’s the plan for the next 5 to 10 years, as you are still a young guy?
Ha, I’m not a young guy! But I’m afraid there is no plan. I’ve had no plan throughout my career, as my bank balance can probably prove. The only plan is to have fun and try to avoid anything that I consider boring. Because when people ask me to do things that I find boring I tend to do them badly. They end up disappointed, and I feel like I haven’t delivered. So, I turn down quite a lot of potentially lucrative job offers because I think I’d not only be atrocious at them but also because I’d be bored.
Since first starting on Dr Solomon’s Anti-Virus Toolkit until now, are you still as fascinated and amazed at some of the stuff you read and see? Is it still evolving in that way, where there is always something new?
There’s always something new going on – although sadly a lot of the old tricks still work to con people out of their money or steal data. Some of the innovation has actually disappeared because most of today’s criminals are only interested in stealing money as effectively and easily as possible, and you don’t need to be too sophisticated to do that.
If you were to recommend to someone how to get into infosec, given people come to it from all areas, what resources like books, courses etc. would you recommend?
I don’t have any formal IT security qualifications, and so don’t feel qualified to tell people what they should do to seek employment in the sector. I fell into the industry by accident almost 30 years ago and haven’t been to a job interview since.
But I would recommend people check out Twitter – there’s lots of expertise up there, and interesting people to follow.
The podcast is so much fun; I have yet to listen to an episode where I didn’t laugh along 😂. Was it that fun relationship with Carole which made you both want to do the podcast? How did it come about?
So, I worked opposite Carole for about 13 years – sat the other side of a desk from her.
It was hell. If you’ve ever heard the podcast, you know how irritating she is. Despite this – and occasional fallouts – we somehow remained what can be loosely called “friends”. Carole was the best man at my wedding, and when she got married a few years later I was her chief bridesmaid.
She probably got into podcasts before me and nagged me for years to make a podcast. I wasn’t against the idea of making a podcast – it’s just that I didn’t want to make one with her.
Anyway, the solution came in the form of our great mutual friend (and security expert) Vanja Svajcer. Vanja was the third host of “Smashing Security” and I hoped would keep Carole in check and allow things to work properly. Unfortunately, after some months Vanja changed jobs, and his new employers wouldn’t let him come on the podcast anymore.
So, it was just me and Carole. My nightmare scenario. And has been ever since. Annoying as she is, she does bring a lot of energy and spikiness to the podcast, which is a good thing. She’s just a pain in the arse to work with. Grudgingly, I will say that I missed her on the one episode that she wasn’t able to appear on because she was unwell.
We try to invite special guests on each week to make it less painful to record the show, and hopefully make us stay on our best behaviour.
The idea behind the podcast is simply to make the kind of cybersecurity podcast that we’d like to listen to. There are some very technical security podcasts, and we don’t try to compete with those. We try to appeal to anyone who has a computer or smartphone, because they should be caring about security and privacy too. And if the bickering between Carole and me amuses people then I guess that’s a good thing.
The last question is about being inducted into the ‘Infosecurity Hall of Fame’ in 2011. Being new to all of this, I never even knew it existed until recently. Was it surreal accepting it, and along with the award do you get a lifetime subscription to ‘The Infosecurity Magazine’? 😊
Ha! No! They don’t give us one of those. But they bloody well should!
Thank you again so much for the interview. I am genuinely a fan.
It’s my pleasure. Good luck and sorry it took me so long to answer your questions.
Please check out the social media places below: