CAROLE THERIAULT
Okay, so let's see if we get this right. So this is like me. So I get a job with the government.
MARIA VARMAZIS
I'd like to see that happen.
CAROLE THERIAULT
I get a job with them. What are you talking about? I'm an angel.
MARIA VARMAZIS
No, but that would make you terrible for that job.
Unknown
Smashing Security, episode 132: CBP Cyber Attack. Ransomware, an iPhone privacy boost, and Twitter list abuse with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security episode 132. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by the ever-popular Maria Varmazis. Hello, Maria.
CAROLE THERIAULT
Fans go wild!
MARIA VARMAZIS
Oh my God, that's awkward. I'm always happy to be here. Thank you for having me.
GRAHAM CLULEY
Well, we're delighted to have you back on the show because it is something of a mini celebration today because—
CAROLE THERIAULT
Not that many.
MARIA VARMAZIS
I say yay for you both. Non-sarcastic applause.
GRAHAM CLULEY
Because if you haven't been following us on Twitter or Reddit, first of all, where have you been? But secondly, you may have missed the news, right?
We had big news last week, didn't we, Carole, when we were up in London?
CAROLE THERIAULT
We did. We won best cybersecurity podcast at a Blogger Awards that's affiliated with the Infosecurity Show. Pretty exciting.
GRAHAM CLULEY
Basically, it's a flipping big deal. This is like getting a Tony or an Emmy or an Oscar. Exactly. One of those. And we now are the proud owner of our second best podcast trophy.
Carole, I believe you're going to keep this one in your lavatory at home. Is that right? Not actually in the lavatory.
MARIA VARMAZIS
For what purpose?
CAROLE THERIAULT
No, it will be nowhere near the lavatory. That would be a horrific place to put an award.
GRAHAM CLULEY
But what we need to do is we need to thank everybody who voted for us. Thank you very much if you did that. Thank you for listening to the show. And for choosing us.
You voted, Maria Varmazis?
MARIA VARMAZIS
Yeah, I did, I sure did.
GRAHAM CLULEY
Anyway, enough of the self-congratulation.
CAROLE THERIAULT
Well, it's not self-congratulation. We're saying thank you to everyone who helped us get where we are now. That includes listeners, sponsors, people who voted. You all rock.
GRAHAM CLULEY
Absolutely. What's coming up on this week's show, Carole?
CAROLE THERIAULT
Well, thanks to this week's sponsors, LastPass and Edgewise. Their support helps us give you this show for free. Now put your hot cuppas down, folks.
We don't want any spillages during this episode of Smashing Security. Graham checks in with US borders to find out exactly what the hackers got away with.
Maria heads to the Apple Grove, delving into all things iOS 13. And last but very much not least, I look at a new way Twitter trolls might be targeting folks.
All this and more coming up on this episode of Smashing Security.
GRAHAM CLULEY
I want to talk to you about the United States Customs and Border Protection force, the CBP.
They are the largest federal law enforcement agency at the Department of Homeland Security. And of course, they're doing a very important job.
They're stopping unauthorized immigrants from entering the United States of America.
And in the absence of a huge, huge, beautiful wall, it's up to the CBP to police the border with Canada, preventing Winnebagos crammed full of lumberjacks from entering the country illegally.
I'm sure you appreciate that, don't you, Maria?
MARIA VARMAZIS
You mean the Americans trying to go into Canada, right?
GRAHAM CLULEY
I'm not sure which way it works. But, you know, basically there's a lot of Canadians trying to sneak in.
They've got harmful imports, maple syrup, universal healthcare, gun control, all those sort of things.
MARIA VARMAZIS
Weed. Yeah, weed.
GRAHAM CLULEY
Now, it's quite possible that CBP also keep an eye on... The United States have other borders as well, but we never hear about those.
Anyway, they are in the news this week for a security screw-up.
Yes. It's hard to believe. It's hard to believe a government agency have messed up when it comes to security. Not because they allowed some Canadian bacon to be snuck over the border.
CAROLE THERIAULT
Very cute, Graham.
GRAHAM CLULEY
But instead, because they have been careless with their data, or so it appears.
Now, Customs and Border Protection, they have confirmed publicly that hackers stole the photographs of travelers and vehicle license plates traveling in and out of the United States.
Now, you're probably imagining that the hackers broke into the government computers or something like that, but—
CAROLE THERIAULT
Yeah, right. Into the network where they have a cache of images or something.
GRAHAM CLULEY
Not at all.
The CBP's personal security, their actual organizational security, their network wasn't infiltrated by hackers.
Instead, it appears that a subcontracting company working for the CBP copied the photos of travelers and license plates onto its own computers, which was in violation of policies and without the knowledge or authorization of the CBP.
And that subcontractor then suffered a malicious cyberattack.
CAROLE THERIAULT
Okay, so let's see if we get this right. So this is me. So I get a job with the government, with the CBP.
MARIA VARMAZIS
I'd like to see that happen.
CAROLE THERIAULT
I get a job with them. What are you talking about? I'm an angel.
MARIA VARMAZIS
No, but that would make you terrible for the job.
GRAHAM CLULEY
Yes, yes. You're not qualified, girl.
MARIA VARMAZIS
I'd be, come on in, guys. Have you been to the United States?
CAROLE THERIAULT
Come on in.
MARIA VARMAZIS
Everyone's welcome. Let's have a party.
CAROLE THERIAULT
I know. Okay, right. Okay, so I get a job kind of manning the borders, and I'm a consultant for the CBP, right?
And I'm taking pictures of all this stuff for the CBP, but as well as giving them, I keep a copy secretly and put it on my own network at home, which does not have the right protections in place to protect me from said cyberattack.
GRAHAM CLULEY
It's a bit that, or it's a bit if you posted it up on Pinterest or your Tumblr, pictures you were taking at work.
MARIA VARMAZIS
Or it's if you had sensitive data at your job and then you copied it to your personal laptop and then you lose your laptop in a cafe. Right. I have never... I'm sure you haven't.
CAROLE THERIAULT
I have never copied a phone number over and sent it to my personal Gmail.
MARIA VARMAZIS
Never, ever. No one's ever done homework on the weekend, you know. No, and lost it in a taxi.
GRAHAM CLULEY
The reality is this is something which happens all the time, right?
People take their work home or they send it to their Gmail or Yahoo account or they copy it onto their laptop because they want to do some extra work.
In this case, this subcontractor, we don't know exactly why they did it, but according to the CBP, less than 100,000 people have been affected, and it was a few specific lanes at a single land border over a period of a month and a half.
So passports and other travel documentation weren't compromised, and it appears that air travelers aren't included in the haul.
MARIA VARMAZIS
Just your faces are compromised, that's all. Right, yeah.
CAROLE THERIAULT
Okay, is it possible that it's just one bad apple in this subcontracting unit that did it, if it's a few specific lanes at a particular land border?
GRAHAM CLULEY
It's a bit of mystery as to why this happened.
And it's possible that they were taking the data maybe to do some troubleshooting, or maybe they needed a sample of data because they were wanting to analyze pictures and see whether their analysis would work better.
And they obviously couldn't do that on a government computer without permission. They're thinking, oh, we've got access to this data, we're able to see it, let's hoover it up.
CAROLE THERIAULT
Yeah, hoover the data and let's see what we can do.
MARIA VARMAZIS
So this is not a supply chain attack where somebody compromises a subcontractor and then pivots into the main network. This is somebody messed up policy-wise. So that's a—
GRAHAM CLULEY
Yeah, it appears the hackers never managed to gain access to the CBP actual network. So it was just the subcontractor, but obviously the implication is kind of the same.
CAROLE THERIAULT
Exactly. Yeah.
GRAHAM CLULEY
And this is the issue is whether subcontractors working for your organization are treating your data securely and if their security is as good as yours. And it's hard to know.
I mean, everyone's going to say and rubber stamp it and say they're doing a good job, aren't they?
CAROLE THERIAULT
Are they? Are they gonna say that? Oh yeah, I suppose if they want the contract.
GRAHAM CLULEY
If they want the contract, or they may be completely unaware. They may think, yes, of course we take security seriously.
MARIA VARMAZIS
Yes, can you imagine them going, to be honest, I'm doing a terrible job with my security. Just be real.
CAROLE THERIAULT
Look, I'm the IT guy and I have no idea what I'm doing.
MARIA VARMAZIS
All cards on the table, I'm shit. But—
CAROLE THERIAULT
Can I have the job?
MARIA VARMAZIS
Please give me money, yeah.
GRAHAM CLULEY
Now the CBP hasn't named the subcontracting company that was actually hacked. Presumably they want to save it some embarrassment. However, the cat might have been let out of the bag.
MARIA VARMAZIS
Thank you.
GRAHAM CLULEY
You see, there's only one US government contractor which provides license plate reading technology at the US's land borders.
CAROLE THERIAULT
Okay, so hardly an investigative journalist job here.
MARIA VARMAZIS
Real gumshoe work. Yeah, okay.
GRAHAM CLULEY
And that particular contractor is a Tennessee-based company by the name of Perceptics.
And basically their technology says, well, look, we can recognize cars and their drivers from camera footage, right? All very cool if you want to do that kind of thing.
Now, when the CBP shared its press statement regarding the security breach, they sent to journalists at the Washington Post a Word document.
And although they didn't name in their statement the contractor in that Word document, they did send the Word document with a file name, which included the name Perceptics.
Which did rather let the cat out of the bag. So you can put one and one together and easily make two.
CAROLE THERIAULT
Well, it may be that they did that on purpose as well.
MARIA VARMAZIS
Yeah, we're not saying, but we're kind of saying.
GRAHAM CLULEY
Oh, I see. You're like, we don't want to name them, but actually we're really pissed with them.
MARIA VARMAZIS
Yeah, cruel. You know what I'm like, oh, oops, I dropped this. Hope nobody sees that. Yeah, exactly.
GRAHAM CLULEY
Now, to add to the intrigue, just a couple of weeks ago, the Register was contacted by someone who called themselves Boris Bullet Dodger.
MARIA VARMAZIS
Subtle. Okay. Yep.
GRAHAM CLULEY
Now, Mr. Bullet Dodger, he shared with The Register evidence that suggested hackers had made available on the dark web hundreds of gigabytes of data seemingly snarfed up from Perceptics servers, including databases, spreadsheets, HR records, business plans, financial figures, personal information, and yes, thousands and thousands of images of what appeared to be license plate captures.
That happened a couple of weeks ago.
That's not the only data though that they actually managed to snarfle up from Perceptics Network, because they also took a few MP3 files from users' desktops, including—
MARIA VARMAZIS
This is the best part.
GRAHAM CLULEY
Including Superstition by Stevie Wonder, a variety of AC/DC and Cat Stevens songs.
MARIA VARMAZIS
I'm thunderstruck.
GRAHAM CLULEY
And— very good. And Wannabe by the Spice Girls.
MARIA VARMAZIS
Oh yeah. That's my jam.
CAROLE THERIAULT
Do you think they just hoovered up everything and that came along, or do you think those were individually selected?
GRAHAM CLULEY
It looks like somebody completely owned the Perceptics network.
MARIA VARMAZIS
If you wanna own Perceptics, you gotta get with my friends.
GRAHAM CLULEY
Now you definitely wouldn't want that falling into the wrong hands.
But no, but there's clearly a significant amount of sensitive information here which has fallen into the hands of hackers about the monitoring of US borders.
And that's pretty embarrassing, isn't it? So the important thing to remember is this, right?
The US government contractor, which may or may not have been Perceptics, they didn't have permission to move the data to their own systems.
Maybe they did it for testing purposes or troubleshooting, we don't know, but it probably wasn't done with malicious intent.
But the point is they didn't seek authorization and lo and behold, their security was insufficient.
And the CBP would never have given them permission to do this because obviously it would have been quite sensitive and they don't like to bring themselves into controversy, do they?
They don't like to have people pointing a finger at them.
MARIA VARMAZIS
So basically an American government agency and their American subcontractor messed up and compromised the info of non-Americans.
Most likely a lot of people who are not American, that somehow seems about right.
CAROLE THERIAULT
Well, they have all yours after the Equifax.
MARIA VARMAZIS
Oh yeah, that's not even— every American's got their info compromised already.
GRAHAM CLULEY
Yeah, exactly. Why worry, right?
Everyone can join the party now. Just go to America. Finally. Fantastic.
CAROLE THERIAULT
Everyone's invited, let's go.
GRAHAM CLULEY
Maria, what's your story for us this week?
MARIA VARMAZIS
As we mentioned at the top of the show, I'm going to be talking about Apple and iOS 13, which was recommended to me by a number of folks on Twitter.
So thanks Twitter netizens, I was kind of feeling lazy and didn't know what I wanted to cover this week, so I appreciate the tip from everyone.
The iOS 13 beta is currently in developer-only beta, but it'll be in public beta later this summer. And iOS 13 is the new upcoming version of Apple's iOS for your iPhone.
CAROLE THERIAULT
Yes, quite exciting.
MARIA VARMAZIS
They always roll out some interesting new features, and I don't want this to be just a rehash of the Apple press release.
There's some interesting stuff here, so I wanted to call out two specific security and privacy features that Apple's announcing, 'cause there's some stuff there we should dig into.
GRAHAM CLULEY
Okay, sounds good.
MARIA VARMAZIS
Okay, so first, Apple's going to be slapping greedy apps that want all your location data all the damn time.
So up until now, up until iOS 12, you can set location data to be shared with an app either always, while the app is in use, or never.
So they're now gonna be rolling out a new option that says location sharing, allow it just once.
So basically, hey, you app, you need to ask me every damn time you want to use my location. I'm pretty sure that Android users have had that option for a while. I'm pretty sure.
Don't quote me on that one, but that's a great option. I think I would definitely be using it a lot.
CAROLE THERIAULT
But I kind of already do that, but in a much more manual way, right?
So I have it all off on most apps all the time, and then I'm like, oh yeah, okay, now I'm using this map app to get from A to B, so I'll turn on location data for the length of my journey and then turn it off at the other end.
But you do have to remember to turn it off. You have to check your phone a lot. It tends to be—when I go to the loo, I just check my settings.
MARIA VARMAZIS
Well, it's a very productive time for your poo time, you know, whatever. Yeah.
GRAHAM CLULEY
But that's quite interesting, Carole.
So if you turn it on, it doesn't—other than the bit about going to the loo, but if it doesn't turn itself off at the end, so if you allow it just once, Maria, to say, yes, you can use it during this session, when does it turn off?
MARIA VARMAZIS
That's a great question. I can't tell you specifically. I have not been able to use the public beta yet. It's not out.
CAROLE THERIAULT
Anyone out there listening who's used this and checked it out, please tweet us and let us know.
MARIA VARMAZIS
Yeah, I think some of our listeners have the developer beta access, which I don't have yet. So if they know, I'd love to know that.
CAROLE THERIAULT
Awesome.
MARIA VARMAZIS
I agree, Carole. I do the same thing. Everything is off, and then if it really nags me, I might turn it on, and I have to remember to turn it off again, which is annoying. Doable.
Annoying but doable.
CAROLE THERIAULT
Yeah, there's something I want to complain about at some point. I'll do it later, but I have an Apple thing I really want to complain about.
MARIA VARMAZIS
Yeah, that sounds good. So as part of this, in addition, Apple will also show you the location data that your app is receiving.
So quite literally, they will put the locations, coordinates, on a map on a screen and say, hey, this is literally all the data this app is getting from you about where you are.
Do you still want them to have this?
CAROLE THERIAULT
I love this so much because this is actually translating what it means that when they say hoovering up your location data, you see how exact it is, within a few feet.
MARIA VARMAZIS
They're right. Yeah, it's like you might be thinking they know generally, maybe what state I live in, but no.
For example, I saw somebody tweeting about this because they had developer beta access. This person's name is Sam Sophos. I probably mispronounced his last name. Sorry.
And he tweeted what that actually looks like on the iOS 13 beta. He got a notification about his Google Nest thermostat saying it's been using his location in the background.
And then the map shows all these light and dark circles over all the coordinates, basically all over all of San Francisco. It's like block by half block by half block.
GRAHAM CLULEY
Well, hang on. Why is his thermostat traveling across San Francisco?
MARIA VARMAZIS
Right, like why does his thermostat, yeah, why?
CAROLE THERIAULT
Because it's his phone.
MARIA VARMAZIS
It's connected to your phone.
GRAHAM CLULEY
Yeah. Oh, I see.
MARIA VARMAZIS
Yeah, his Nest thermostat knows where he lives, as another Twitter user said, where he lives, where he works, his favorite restaurant, his gym, where he shops.
Like, why does your thermostat need that information?
CAROLE THERIAULT
Why is that needed? And not just Nest, right? That's Google services. So all your location data is being, yeah. And why exactly, Graham? Good question.
MARIA VARMAZIS
Why? Wait, and that's the question that I think Apple's trying to get its general users to start asking itself is going, wait, why do you need that?
Actually, maybe I'll turn that off.
GRAHAM CLULEY
I mean, the only thing I can think of is maybe if you were in a different time zone, so it may collect time zone data if you wanted to control your thermostat back at home through WhatsApp.
MARIA VARMAZIS
Are we really defending this?
GRAHAM CLULEY
No, I'm not. I'm just struggling to understand why it would even be interested in that data.
MARIA VARMAZIS
Because they can. I think it's just because if you're going to offer it up, they'll be like, I'll take it.
All right.
CAROLE THERIAULT
And you know, yeah, Google has shown itself to have such restraint when it comes to our information and private — And let's be real, it's not just Google.
MARIA VARMAZIS
Any app developer, they're like, I'll just take your data. I'm not going to protect it, as we well know.
I'll just grab it and hoard it like I'm a squirrel with lots of acorns, and I'll figure out what to do with it later.
CAROLE THERIAULT
You are like a squirrel right now. I need a snack. I need your old Pocky face.
MARIA VARMAZIS
Yeah, the data.
And just a little footnote to the Apple location data thing, they're going to also apply these limits to apps that also try to sniff out location via Wi-Fi and Bluetooth, like those guys that try to circumvent those location sharing permissions by figuring it out through Wi-Fi and Bluetooth.
They're tamping down on that as well. So, I don't know the technical details.
This is what they've said, but I think some of our listeners may know, and when I get my hands on the public beta, I will try that out for myself. So, that's location data.
That's iOS 13's location data update. Now, let's get to what I think is the even juicier bit. I'm curious to hear what you think.
So, as many listeners know, I am basically contractually obligated to mention Facebook every time I'm on the show. So, I'm—
GRAHAM CLULEY
But not in a positive way. Not in a positive way. It's not like they're paying you.
MARIA VARMAZIS
No, they are definitely not paying me. I mean, they're very free to. They've got a lot of money. No, they're not paying. So tell us, what—
GRAHAM CLULEY
So this single sign-in from Apple.
MARIA VARMAZIS
Yeah, so they are entering the third-party sign-in game directly in competition with Facebook and Google, and they are requiring it.
So all developers who are making or updating their apps for iOS 13 were told in writing, if you offer third-party sign-in for your app, you must put in Apple's third-party sign-in option as well.
You don't have to put it first, but it has to be there. So it's a requirement.
And the reason that Apple's offering is different from what Facebook and Google are offering is that instead of offering up your personal details on a silver platter for that app or website service, you can actually ask Apple to sign you up and sign you in with essentially anonymized data.
CAROLE THERIAULT
I've been thinking about this thing from Apple. Yeah, they can hide your own email address and get you in without providing any personal information to the third party.
MARIA VARMAZIS
Right.
So Facebook, if you use Facebook or Google's third-party sign-in, it'll give the app developer not just your name and your email, but they'll pass along any other data that they've got on you that the app developer wants.
Right. Apple says, I'm taking their word for it right now because I can't dispute it, Apple says they will only give the name and email, nothing else about you.
Apple will not track you on the phone either, so it won't have any data on you. That's just what they say anyway.
And Carole, as you mentioned, you can actually ask Apple to basically sign you up for that service with a burner email.
So Apple will generate a random email address that forwards to your real email, so the app guys don't get your real email and you can just disable that burner email at any time if the app starts spamming you.
So if you've been using 10 Minute Mail for years to get around app signups, this sort of allows you to streamline that process.
GRAHAM CLULEY
And the beauty of this, of course, is that those email addresses are going to be unique, just like your password should be unique.
And so it'd be difficult for the app developers to, or big tech companies to begin to piece together a picture of who you are based purely on your username.
CAROLE THERIAULT
Right. It's a serious game changer, I think. Also, because I use a lot of Apple products for the last, whatever, 10, 15 years, they basically know everything about me already.
So I'm in bed with this. I trust them. I use their services. I buy their very expensive products. Love some of them, others.
GRAHAM CLULEY
But because you're actually paying them quite a lot of money, Carole, for that hardware and for that software, they have less interest in collecting a huge amount of personal information about you.
MARIA VARMAZIS
Right. They've got a lot of—
GRAHAM CLULEY
Compared to some of the other tech companies.
CAROLE THERIAULT
Yeah. Hey, you know what I admire? They could be also doing that, right? They could be charging an arm and a leg for their tech and also collecting and selling off my data.
But they've chosen not to.
So in this day and age where everyone's making money through data hoovering and data reprocessing and ads and ads and ads, they are really playing a really big differentiator game.
And I think it's excellent.
MARIA VARMAZIS
I think it's really exciting. It's sort of the luxurification of privacy.
So as long as you can afford to— I mean, I'm not saying that you can't get privacy outside of an Apple product, but Apple is making it part of their differentiator that, hey, we make privacy even easier for you as long as you can afford our products and are always locked into buying our products.
We'll give you this as part of the overall experience.
GRAHAM CLULEY
One of the things I like about this, and of course we'll have to wait until it all rolls out properly so we all get a copy of it and make sure that it works properly.
But from the sound of things, this could address that issue, which we so commonly see about where a website is hacked.
And the hackers then have your username or your email address and your password, and they use that password with that email address against all manner of other online accounts. Yes.
With this, because each username is unique, they won't be able to use that username to break into your Gmail or your Amazon or anything else.
MARIA VARMAZIS
Credential reuse is basically taken away here. So that's a differentiator from Facebook and Google as well. You don't have that unique username.
CAROLE THERIAULT
Are you saying it makes hacking exponentially harder?
MARIA VARMAZIS
I think it honestly, as you said, it's a potential game changer.
I'm trying not to sound like I'm working for Apple PR, but there is a lot here that's like making privacy easier, basically circumventing the whole begging and pleading for people to use unique passwords, you know, keep an eye on when their credentials get pwned.
The options that we'd given people were take care of all this kind of manually and figure it out for yourself.
Or if you want to use something a little easier, like a third-party sign-in with Facebook or Google, be okay with divvying up all your private info and giving that away.
And now there's this nice other option where you can actually maintain what sounds like a pretty good sense of privacy and not give away all this demographic info.
That's pretty fantastic. The other thing with this whole third-party sign-in is that to use it, you have to have 2FA enabled. You have to have two-factor authentication enabled.
So if you are not okay with Apple owning your biometrics in some way with Face ID or Touch ID, you won't be able to use this. But that's the factor that it uses to authenticate you.
So, exciting if you're trying to adopt two-factor authentication.
CAROLE THERIAULT
Oh, so you can't authenticate with a password, is what you're saying?
MARIA VARMAZIS
Correct. You have to use Face or Touch ID as your second factor.
CAROLE THERIAULT
Oh, you see, that's interesting. I don't like that.
MARIA VARMAZIS
And that one I haven't seen mentioned many places. It's oh, it uses two-factor authentication. I'm great. That's awesome.
But that specifically is Face or Touch ID, or at least that's what it sounds like right now when I was reading through the documentation.
GRAHAM CLULEY
Although of course, maybe that will encourage people who leave their phones permanently unlocked to enable Face or Touch ID to actually—
CAROLE THERIAULT
But why can't it be a password too?
MARIA VARMAZIS
Well, it's not a two-factor in that case, right? It's got to be not just something you— Well, it could be a second password as well.
GRAHAM CLULEY
It feels to me I have to say, I'm going to be optimistic about this because there are gazillions of people out there who are using Apple devices who may very well begin to use this feature when they sign up for sites.
And I have some more trust at the moment, I think, that Apple is going to get it right than the typical human being would in terms of choosing their email address and password.
CAROLE THERIAULT
Yeah, or Google or Facebook, who've had 10 years to work on this and have basically just let us down.
MARIA VARMAZIS
Yeah. As I said earlier, I'm a little about the idea of privacy being a luxury that you have to buy into from Apple.
But there are ways to do this on your own, but it's just a lot harder.
CAROLE THERIAULT
Lots of great things, though, come into the world and they're expensive at first, like solar panels.
MARIA VARMAZIS
Yeah. I hope this inspires others to follow in this example. I mean, I really do.
And the way Apple is selling this to its developers, who I'm sure are kind of like, eh, about this whole thing about getting less data, is that Apple's saying, hey, if you're getting this anonymized user info from us, you can be sure that it's an actual real user trying to sign into you as opposed to some spammer.
So that's how they're angling it. Yeah. I don't know if that tracks, but that's what they're saying. Watch the space. Yeah. All right. So what was your complaint about?
GRAHAM CLULEY
I think, yes, you have a complaint about Apple that you want to share with everybody.
CAROLE THERIAULT
Oh, yeah. Well, my complaint has to do with Bluetooth. Yes. Right. So I don't use Bluetooth headphones very often.
When I connect, when I need to use Bluetooth, like I do with my location sharing, I like to turn it on and I like to turn it off, right?
So my normal protocol would be to have Bluetooth off by default and then I would turn it on.
It seems as though every time I turn it off, it says, oh, okay, we'll keep it turned off for 24 hours, then turn it back on for you tomorrow.
MARIA VARMAZIS
Yeah, it's annoying.
CAROLE THERIAULT
And there's no way you can get out of that.
MARIA VARMAZIS
I hate that. Yeah, I hate that it decides that it's gonna turn itself back on for you. Yes. It drives me crazy. Well, hang on.
GRAHAM CLULEY
How are you turning it off?
CAROLE THERIAULT
What do you mean how I'm turning it off?
GRAHAM CLULEY
How do you turn it on and off?
CAROLE THERIAULT
Well, I turn it off probably normally using the little swipe up screen, whatever that's called.
GRAHAM CLULEY
Ah, right. See, that's the mistake.
CAROLE THERIAULT
Is that my problem?
GRAHAM CLULEY
That's your problem. If you do it that way, you're right. It does kind of say, oh, well, we'll just temporarily do this.
I think if you go through settings, then it will permanently turn it off.
CAROLE THERIAULT
All right. I'll check it out.
MARIA VARMAZIS
Yeah, we'll try that. I think that sounds right to me as well. It seems it shouldn't be buried like that.
GRAHAM CLULEY
Just call me an Apple genius.
CAROLE THERIAULT
Well, I'm not until I try it, until I use it. I think you'll find— I'll wait. I'll wait till I find it.
GRAHAM CLULEY
Pretty sure it's going to work.
CAROLE THERIAULT
I need proof. I need proof.
GRAHAM CLULEY
Pretty sure.
CAROLE THERIAULT
Pretty sure it's going to work out. Take his word for it.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
OK, Twitter. We're talking Twitter now. Both of you, Graham and Maria, you're both avid Twitter users.
And I wanted us to analyze the guts of this CNBC article and see what you guys think.
So aside from following specific people and reading, liking, or replying to their tweets, you can also create lists of accounts that you want to follow.
MARIA VARMAZIS
Yes. Yes. That's right.
CAROLE THERIAULT
Right? So a Twitter list is basically, for those who don't know, is a list curated by you or by someone else. You can create your own list to subscribe to certain accounts.
Lists that are created by others. You can actually subscribe to other people's lists so you can save yourself the work, I guess.
So for example, if Graham was following infosecbods, I could follow his list if it was public and, you know, basically hoover up all the data that you get. Yes.
CAROLE THERIAULT
And you can also see a list timeline. So you can see a stream of tweets from the accounts that are actually on that list alone. Yeah.
MARIA VARMAZIS
It's like a recommendation that you curate, right? These are people that are worth listening to.
GRAHAM CLULEY
I find it very handy, actually. I'm not sure how people manage to use Twitter without lists.
Because if you follow any number of people, a certain number of people, it's impossible to keep track of it all.
So I sort of have a list which is "don't miss." So people who I definitely want to see every tweet from, those small number of people there. And then I have my timeline.
CAROLE THERIAULT
Well, this might be why you're much more interested in Twitter than I am, because I have no lists.
MARIA VARMAZIS
Oh, right. Oh, wow. Yeah, you're missing out on an actually decent feature.
CAROLE THERIAULT
Yeah. Well, am I? Because listen to this.
MARIA VARMAZIS
Dun, dun, dun.
CAROLE THERIAULT
Did I set you up for that?
So according to a CNBC article published this week, a few people have complained about suddenly receiving a barrage of hateful tweets, almost like someone has put a bullseye on their Twitter back.
GRAHAM CLULEY
Oh no, this would never ever happen on Twitter.
MARIA VARMAZIS
People would never send harassment on Twitter.
GRAHAM CLULEY
No one would be mean on Twitter.
MARIA VARMAZIS
This is nonsense. Fake news.
CAROLE THERIAULT
But it seems as though these trolls were coming out of nowhere and suddenly accusing them of all sorts of stuff that they didn't necessarily believe or support.
So they're getting all these awful tweets and they decide to do some digging and they're trying to go, what the heck is going on here?
And they discovered something rather interesting. And it seems that Twitter lists is the culprit.
So while Twitter lists are normally a cool, useful thing, some users have figured out how to use Twitter lists to troll people. And here's how it works.
It turns out that the victim Twitter accounts are being added to questionable lists, lists that seem solely created to maybe embarrass the owner of that Twitter account or to call trolls into action to fire hateful and bullish tweets at the targeted victim.
We're talking lists here with names like Black Racists.
GRAHAM CLULEY
Oh. So yeah. So you, for instance, Carole, you might be added to a list called Apple Fans or something. And Maria, you'd be Deep Space Nine dweebs.
CAROLE THERIAULT
It'd be more like I would be added to a list called Apple fans suck.
GRAHAM CLULEY
Oh, I see. Or shills. Yes, or something like that.
MARIA VARMAZIS
Oh, shills. OMG. Yes.
CAROLE THERIAULT
For example, Graham, you might create a list called my favorite people where Maria and I would be featured very highly there.
And just you could create a list that, a troll could create a list of so-called enemies. Right.
And distribute that list across forums or chat rooms or Twitter itself as a call to action to attack the specific user.
GRAHAM CLULEY
Ah, I see. So they create a list of people they want to attack and then they share it with their evil buddies, whether on Twitter or elsewhere.
MARIA VARMAZIS
Attack my pretties! Attack! Can I be a hipster for a second and say this doesn't surprise me at all? Because— no, for real, I'm going to be a total—
CAROLE THERIAULT
I'm just laughing at you.
MARIA VARMAZIS
Hipster. No, I was doing that before it was cool. No, people— but people have been coordinating attacks through DMs on Twitter for ages.
This is a well-known thing, is they'll use DMs and people will be, okay, there's— here's this tweet from this politician that we decided we don't like, whatever aisle side you're on, whatever.
And then they'll blast it to a group of people in DMs, and then it's go, go, army, sick 'em! And then they'll go after them. So this sounds like it's sort of an extension of that.
It makes it maybe a little more public.
CAROLE THERIAULT
Yeah. And apparently the current way that the people who were reported in the article from CNBC handle it is they basically on a monthly basis or weekly basis go and check.
And this is where I want you guys to confirm this is possible, right? They go and check where they're listed. So where are their Twitter usernames listed? Okay.
And if the list seems troublesome or worrisome based on the fact that maybe there's no followers or the name's outrageous, they remove or delete themselves from said Twitter list.
Psst, listeners, okay, I make a bit of a boo-boo here.
These people aren't able to delete themselves from said lists, but what they can do is block the creator of the list and block all the followers of that list, and in that way can kind of control the stem of misinformation and attack.
Now watch Graham actually figure this out. Own.
GRAHAM CLULEY
I don't see an option for that. I think maybe what you could do is you could block the person who owns the list.
But if their buddies are also using that list, that doesn't block them, does it?
MARIA VARMAZIS
Yeah, maybe they're using blockchain or something, but still, this is—
GRAHAM CLULEY
Don't mention blockchain.
MARIA VARMAZIS
Oh, sorry.
CAROLE THERIAULT
Okay, so what is Twitter doing about it? Not much, say a number of reports. So trolls misuse this basic function as they misuse other functions on Twitter.
And they say it's the responsibility of the individual user to report the, you know, the problem to Twitter and allow Twitter to make their move.
Now, there seems to be a bit of a weird loophole here, because if a user reports a troll for abuse, the troll might counter-report in a massive way by getting all their friends to do the same.
So counter-report the victim in retaliation. Yeah, that does happen.
So for example, I report Maria to Twitter saying, God, Maria is so annoying, and then Maria and all her buddies and all her Smashing Security fans all attack me saying, no, she's outrageous.
GRAHAM CLULEY
Yeah, she refuses to use an Oxford comma.
MARIA VARMAZIS
I just forget sometimes.
CAROLE THERIAULT
And, and thanks to algorithmic logic, if a user gets enough reports it's enough for Twitter to indiscriminately suspend an account.
MARIA VARMAZIS
Yeah, it's the vagaries of Twitter support. Yeah, exactly.
According to a lot of just completely anecdotal anecdota, when I see a lot of Twitter got it wrong kind of support stuff, it seems like it's not super hard to game it. Yeah.
And use it against somebody in a retaliatory way. You see that a lot on Twitter, especially in the political spheres.
It's interesting, which is why I stay out of that world on Twitter for the most part.
CAROLE THERIAULT
They say the best advice is not to attract the attention of trolls, but that in itself—
MARIA VARMAZIS
You don't exist.
CAROLE THERIAULT
Yeah, and that itself is quite difficult in this day and age where everyone wants to have a YouTube channel and, you know, a social media presence and wants to have a point of view that matters and the world got mad.
MARIA VARMAZIS
Yeah, I never want a YouTube channel, so whatever. Don't put me in front of a camera.
GRAHAM CLULEY
Okay, thanks.
I wonder if there's also an issue here, because if you're looking at the lists which you've been put on, if that list was given a benign name, oh, really cool cybersecurity guys— Graham's the best, something that— or something that, you may think, oh, well, I obviously have no problem with that.
But it could actually be used for something unpleasant, couldn't it? Or renamed maybe at some point.
CAROLE THERIAULT
And I think because you're in a list, there is a sense that you've okayed your belonging there. You haven't, it has nothing to do with you, but somehow—
GRAHAM CLULEY
Well, that's interesting as well, isn't it? Because people might see that you are on the Neo-Nazi list, for instance. It's, no, I didn't want to join that club.
CAROLE THERIAULT
I think that's the issue with the idea of being on a list.
I think it's embarrassing to some people because the club might be something they agree with at all or be a contentious point or a socially manipulative point.
MARIA VARMAZIS
If it doesn't exist already, Twitter needs to implement a way for people to easily remove themselves from lists, just kind of how there was for a while on Facebook.
Oh God, I can't believe I mentioned it again. People could add you to a group you didn't want to be a part of without your permission. That was a thing for a while.
GRAHAM CLULEY
My guess is that you have to block the person who created the list.
MARIA VARMAZIS
That sounds about right.
CAROLE THERIAULT
So what, you block the person that created the list and therefore they can't add you to a list?
GRAHAM CLULEY
Or maybe your existence on that particular list vaporises because they can no longer follow you.
MARIA VARMAZIS
That seems plausible.
CAROLE THERIAULT
That's my guess. Anyway, anyone can confirm it.
GRAHAM CLULEY
We're all ears. That's right. Lots of feedback from the listeners we're asking for this week.
MARIA VARMAZIS
Please be kind.
GRAHAM CLULEY
So, Carole, imagine a hacker has gained access to one of the computers inside your organization. Dun dun dun.
And of course they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects.
CAROLE THERIAULT
Gotcha. Yep. Right.
GRAHAM CLULEY
Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software accessing that data and unapproved applications.
CAROLE THERIAULT
Yeah. Okay. Yeah, yeah, yeah.
GRAHAM CLULEY
Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform.
It has a simple-to-use interface which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center.
CAROLE THERIAULT
Cloud. Yeah, really smart.
GRAHAM CLULEY
In a nutshell, Edgewise's data-centric approach makes micro-segmentation simpler and more secure.
CAROLE THERIAULT
Okay, I want to learn more.
GRAHAM CLULEY
Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click microsegmentation.
CAROLE THERIAULT
Oh, awesome. Boom. Hey Graham.
CAROLE THERIAULT
There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity.
Let me try that again, folks. Check it out at lastpass.com/smashingsecurity.
GRAHAM CLULEY
Perfect. Do you want to make it more conversational? I don't know. I think that sounded great. And welcome back. Can you join us on our favorite part of the show?
The part of the show that we like to call Pick of the Week. Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Better not be. And my pick of the week this week is not security related. You'll be very pleased to hear, Carole. Super pleased.
Now, way back in 2003, an anime— is it anime? Is that how you say it? An anime show called Firestorm hit TV screens in Japan.
MARIA VARMAZIS
We're talking anime on this podcast? I'm so here for it.
GRAHAM CLULEY
Hang on. This is just the buildup to my pick of the week. Oh, okay. Never mind.
And this Japanese TV show, no one would really have cared about it apart from the fact that one of its creators was Gerry Anderson, who in the '60s, of course, was famous, and '70s, was famous for such classics as Thunderbirds, Captain Scarlet, and UFO and Space: 1999.
Now, this Firestorm TV show never really caught fire. But, and so it's no more, little more than a curiosity for most of us.
But wait, because Gerry Anderson's son, Jamie Anderson, he has picked up his late father's mantle and he is rebooting Firestorm in the style of classic puppets-based Thunderbirds.
CAROLE THERIAULT
Oh, that's where it comes from, because you're a big Thunderbirds fan.
GRAHAM CLULEY
I'm a big fan of the Gerry Anderson stuff. I was kind of going, I'm surprised. Surprised, anime too.
CAROLE THERIAULT
I was surprised.
MARIA VARMAZIS
I was like, I mean, I'm excited, but I didn't think y'all— yeah, okay. Yeah.
GRAHAM CLULEY
So if you go and check out FirestormHQ.com, or I'll also put into the show notes a link to the YouTube trailer, a 10-minute mini episode, you will see the puppets are back. Whoa.
But unlike in the 1960s, you're not going to see any strings. It is filmed in Ultramarionation, even better than Supermarionation, which they used to use.
Real sets, miniatures, practical effects, and it looks wonderful. It really is bringing back that Gerry Anderson magic.
Currently it's only a 10-minute minisode, but it looks like they're going to produce— oh, it looks pretty slick though. Oh yeah, go a couple minutes in.
CAROLE THERIAULT
I hope they haven't lost too much of the puppeteering. You know, it's such a difficult balance when you do digital puppeteering.
GRAHAM CLULEY
Go a couple of minutes into the episode and you'll see some of the characters, and you'll see they really are. Yeah, but I'm also seeing James Bond style explosions here.
You know, the original Thunderbirds and Captain Scarlet were full of action as well. There was all sorts of explosions. Yeah, but I'm seeing tinfoil sets.
MARIA VARMAZIS
So, you know, it's pretty cool stuff.
GRAHAM CLULEY
And there you are.
Well, I wanted to throw us back to some classic sci-fi TV in this week when sadly Paul Darrow, Avon from Blake's 7, passed away, who was a real hero for all of us.
Have you seen Blake's 7, Maria?
MARIA VARMAZIS
I have not. And I have not. You're just missing out, guys. Anyway, it's a name I'm familiar with.
GRAHAM CLULEY
I've just not seen it though. FirestormHQ.com is my pick of the week. Go and check it out.
MARIA VARMAZIS
Maria, what's your pick of the week?
So I have a pick of the week, but I want to mention while we've been recording this episode, Nintendo just announced they're making a sequel to Breath of the Wild for the Switch.
Yeah, stop everything. I knew you would, because I literally had to suppress that sound I saw my Twitter feed explode with everyone going, "Oh my God!" So it's in development.
So I feel like that should be my pick of the week, but there's nothing yet, so I'm just like, that's just an announcement.
My actual pick of the week is a subreddit that I've become somewhat addicted to. And it is r/AITA. Oh, I love it.
CAROLE THERIAULT
I love it. I'm a total fan.
GRAHAM CLULEY
What does AITA stand for? It's something you should know.
MARIA VARMAZIS
It is. It's a question.
AITA. Am I the asshole? So this is a subreddit where people ask the question, am I the asshole in this situation?
And they then write out a situation they've been in, some sort of moral quandary where somebody gets mad at somebody else or there's some sort of fallout or just a general sense of malaise.
CAROLE THERIAULT
And then he kicks them in the butt and goes, am I the asshole? Was it wrong of me to do that?
MARIA VARMAZIS
Was it wrong of me to, you know, spit on their face or whatever. I don't know. So they ask the question and then the commenters weigh in. No, you're not the asshole.
There's no asshole in the situation. Yes, you're the asshole. And it's really such a great fun read. And if you—
GRAHAM CLULEY
And so you're basically polling the internet to find out, do most people think you're being an asshole?
MARIA VARMAZIS
My favorites are when people in the comments completely disagree if the person is or isn't an asshole. And it's just like, it gets real heated.
And you know, you've got people all over the world weighing in on these moral quandaries, and sometimes it's social issues. Yeah. Should I give you one?
CAROLE THERIAULT
Should I give you one?
MARIA VARMAZIS
Yeah, go for it. I love how Carole likes my pick of the week.
CAROLE THERIAULT
Oh, I love it. I'm a total addict. I love this subreddit. Am I the asshole for wanting a salary as a SAHM, Graham?
GRAHAM CLULEY
Sorry, a salary as a what?
MARIA VARMAZIS
Am I the asshole for wanting a salary as a stay-at-home mom?
CAROLE THERIAULT
SAHM, stay-at-home mom.
GRAHAM CLULEY
I didn't know what that was.
CAROLE THERIAULT
I'm teaching you, I'm teaching you the low hand. Okay, so that's the title, and then basically they're saying, sorry guys, I just need to know if I'm the asshole.
I want money for being a stay-at-home mom because it's a lot of freaking work.
GRAHAM CLULEY
Not salary from a company, presumably, but salary from maybe the breadwinner in there. And then people are going, you're the asshole.
CAROLE THERIAULT
Other people are saying, you're not the asshole.
MARIA VARMAZIS
And they justify it. They write out whole explanations about why they think this. So it's not just a yes or no. It's yes, you're an asshole because— no, you're an asshole.
CAROLE THERIAULT
Yeah, it's a great time waster.
MARIA VARMAZIS
I love it. It really is.
CAROLE THERIAULT
So that was high five, Maria.
GRAHAM CLULEY
Cool. I'll go and check it out. Thanks.
MARIA VARMAZIS
That's my pick of the week. I am not an asshole. You're definitely not an asshole. I try not to be an asshole.
GRAHAM CLULEY
Me too. Well, let's see how Carole does with her pick of the week.
CAROLE THERIAULT
Do you try not being an asshole, Graham? I don't try.
GRAHAM CLULEY
I mean, it's just genetic, right?
CAROLE THERIAULT
Natural. Just comes to you naturally.
GRAHAM CLULEY
Yeah, exactly. So I thought— What do you mean? Right.
CAROLE THERIAULT
Today, my pick of the week is all about trees. I know I'm Canadian, so I have a special relationship with trees.
GRAHAM CLULEY
So your pick of the week is trees. Are we talking Reddit's definition of trees?
CAROLE THERIAULT
Look, we all agree though, trees are really important, right? It's the biggest plant on the planet, gives us all the oxygen stuff and stores carbon and stabilizes the soil.
And if you don't believe any of this, go read Harari's Homo Sapiens. Very educational.
MARIA VARMAZIS
I did not know about trees.
CAROLE THERIAULT
There's a search engine that I discovered called Ecosia, E-C-O-S-I-A. And Ecosia says that it uses 80% of its profits to plant trees.
And they claim to have planted millions of trees since 2009 all around the globe.
Now I did a little digging, you know, 'cause you know me with these new things, I'm like, hmm, right? So they're funded through advertising.
So the idea is use the search engine, they get sponsors that sponsor on their site, they don't share any data with them. I've been using the engine now for about 3 days just to see.
I found it — the search is pretty competent. It's not as super slick as maybe the big boys, but it certainly is holding its own so far. It's got a social business model.
So what's kind of cool is it has a lot of strong transparency.
For example, you can see a breakdown of all their financial reports and where their money goes, how they spend their money internally and how they split out the profits and spend the profits.
MARIA VARMAZIS
I don't know.
CAROLE THERIAULT
I think it's kind of cool.
MARIA VARMAZIS
This just, I'm going to be really dumb right now. This is not one of those things where it's built actually on top of Google, the Google search technology?
CAROLE THERIAULT
I don't think that's a dumb question because I was trying to find that just before we started recording.
I'm thinking they didn't build their own search engines, so they must be using the technology from someone else. And my initial — Oh, it's powered by Bing.
MARIA VARMAZIS
Bing. It says it's powered by Bing. Okay, and I thought, oh, that must be it.
CAROLE THERIAULT
Okay, so they're, yeah. So they're built on Bing. There you go.
MARIA VARMAZIS
There are a lot of websites that do stuff like this. That's really interesting that this one does something ecological.
I've seen some that do sort of a similar, put a, not a filter, but yeah, I guess a filter over search results. And it's a kid-friendly search engine.
And they try to make sure that schools only use that kid-friendly search engine, but it's really powered by Google in the backend. So this is a Bing version. That's cool.
GRAHAM CLULEY
I think it is cool. Well, Carole, at least hopefully some trees are being grown as a result of your browsing, maybe. Okay. Well, I've never heard of it before.
Interesting one to investigate a little bit more deeply, maybe. And on that curious turn, it's time to wrap up the show.
Maria, I'm sure lots of our listeners would love to follow you online and put you on their Twitter lists. What is the best way for folks to do that?
MARIA VARMAZIS
Nice lists only, please. Yeah, I'm @MariaVarmazis. @mvarmazis, M. Varmazis, it's my name. And it's a Twitter. And if you are on infosec.exchange via Mastodon, I am @maria.
So much easier on that.
GRAHAM CLULEY
And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And we're also on Reddit.
Go and find us there after you've spent some time on the Am I the Arsehole subreddit. You can go pop over to Smashing Security on Reddit as well.
CAROLE THERIAULT
Huge thank you to sponsors LastPass and Edgewise. Their support helps us give you the show for free, so be sure to check out their offers. And thank you, lovely listeners.
Check out smashingsecurity.com for past episodes, sponsorship details, info on how to get in touch with us. Until next time, cheerio, bye-bye, later, bye-bye, bye-bye, guys.
MARIA VARMAZIS
In-game with iOS 13. And this is directly in competition with Facebook and Google. So all app developers were told for iOS— oh, fuck. Everything all right?
CAROLE THERIAULT
Yeah, I'm just telling a recording, right?
MARIA VARMAZIS
Hi, Carole's mom.
GRAHAM CLULEY
Is that Facebook's marketing department wanting to make an offer to Maria?
MARIA VARMAZIS
Oh, they're telling me, please stop talking about us, actively hurting us. Yeah, nothing else is. Yeah, literally just me. Yeah. Yeah.
CAROLE THERIAULT
It's nothing to do with me, says Zuck. I'm great. You're the problem. Yep.
GRAHAM CLULEY
Do you think they were listening in?
MARIA VARMAZIS
Maybe they were. Of course they were.
GRAHAM CLULEY
Well, Maria still uses Facebook. So tell us what— so this single sign-in from Apple. Yeah.
MARIA VARMAZIS
So they are entering the third-party sign-in game.
“Superstition” by Stevie Wonder, “Wannabe” by the Spice Girls, pretty "eclectic" taste… as always, good article. :)
I'm guessing they were from different employees' PCs. Stevie Wonder and Cat Stevens I can appreciate. Not so sure about the others in that list…
More reason to use a travel phone when crossing the border, in case they "take it to the back room".