
A new survey has revealed that the majority of Brits are blissfully unaware that next month the UK Government will be requiring porn websites to verify that their users have obtained a “porn passport.”
The survey, conducted by YouGov, asked 1769 British adults how frequently they watched porn on the internet, and if they were aware they would have to confirm their age using a driving license, credit card, or passport to access adult content.
(The poll also asked which way respondents voted in the General Election, and whether they supported Brexit or not – but let’s not even go there…)
According to the survey, only 24% of Brits knew the porn block was being introduced. Even amongst Britain’s most frequent online porn users (those who access it every day or most days), only 53% knew they would soon have to register their peccadillo.

As we discussed on a recent “Smashing Security” podcast, security experts have questioned how effective the age verification system will be at preventing determined youngsters from accessing adult websites.
Furthermore, it’s likely that many security-savvy internet users might feel more comfortable putting their trust in a VPN to hide that they are visiting an X-rated website from the UK, rather than risk a future data leak revealing that they are in the habit of visiting pornographic websites.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
The end of March marks the date from which UK internet users will have to verify their age before they can visit pornography websites. This is definitely not Brexit-related, but you could say that certain freedom of movement is being restricted as a result of this. Smashing Security, Episode 119. Phishing, darknet, malware, hijacked homes, porn passports, and ransomware regret with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 119. My name is Graham Cluley.
And I'm Carole Theriault.
Hello, crew. Hello, Mr. Cluley. This is late in the evening for us. Yes, it's Smashing Security late night.
It's because we have someone who's very busy on the show.
If you want to ring in with your—
Personal problems.
Yes, sexual relationship problems, marital—
Stop it, it's my dream.
We have with us this week technology guru and broadcaster, David McClelland. Hello, David.
Hello, hello, hello everyone. How you doing?
We're great. So what have you been up to?
Where have you been?
You've been gallivanting around, things like that.
Yes, you always seem to catch me just after I've returned from somewhere. And I guess most recently I've been in Barcelona for MWC or Mobile World Congress.
Great city. As everyone calls it. Oh, Barcelona is my favourite city outside of the UK. Outside of the UK city?
Yeah. It's my favourite second city beside London.
Better than Slough?
Oh, better than Slough, yeah. But I think I've been to Barcelona more times than I've been to Birmingham, and I don't say that lightly. Bolton? Bolton. Bolton. I've never been to Bolton or Blackburn or Barnsley. I have been to Blackpool, and I definitely prefer Barcelona to Blackpool. But yeah, it's the— I go there every year, several times a year, but it's the big annual mobile phone show, isn't it? And there's about 100,000-odd people all there geeking out over 5G and AI and blockchain and folding phones this year was a big one.
Oh, did you see a folding phone?
I saw a folding phone behind a glass case, 'cause they're still that far away from being in people's hands. You know what? I never understood why they got rid of them.
No, but these are ones with folding screens, Carole. Not Captain Kirk.
Oh, you mean not a Snap phone?
No, they aren't the communicator. This is actual screen technology that folds in the middle for what reason? I don't really know apart from the fact that mobile phone companies want to try and sell us something new and get us to part with £2,000 for a new device rather than £1,000.
That's the thing, isn't it? Because I'm finding that with my phone at the moment, I'm just thinking, well, what is the possible reason that I would want to upgrade this phone?
It's—
I don't really care about it.
Some water could fall on it and fritz the entire phone and short-circuit it. These days they're waterproof, splashproof phones, aren't they? I mean, I don't know how old yours is, Carole. My Apple 6S. It wasn't last week.
Oh, wow.
Yeah. An expensive mistake.
Carole's been having a pretty soggy time of it. So, Carole, other than that, what have we got coming up on the show this week?
Well, Graham, you have a viewing at a California mansion listed on Zillow. Dirty Dave delves into the murky world of UK porn. And yours truly will be asking the big question: to pay or not to pay? All this coming up on this episode of Smashing Security.
So, chaps, I want to talk about Zillow. Now, we're all British, I believe, and so we quite possibly—
I was chosen. I just want you to know that.
Yeah. Okay.
I wasn't just born here.
None of us know what Zillow is. Is that right?
No, never heard of it before.
Well, apparently it's a big deal. Have you heard of it?
Isn't it a house buying, you know, whatever, Rightmove, Rightmove in the UK.
That's right. So what this is, is a website where you can look up hundreds of millions of different US homes, whether they're on sale or not, and it will tell you information about them. So it will tell you what it believes its price is, or how many bedrooms, or how many bathrooms, or it'll show you the property on Google Street View and all kinds of information.
Historically, interestingly, the UK equivalent is Zoopla. Also starts with a Z.
It does, yes.
I was just thinking of them.
You and I are very smart.
Well, I wanted to look up an American home on it. So I typed in the address of one of our occasional American guests. Now they don't know that I did this. So I'm not going to name them. And I'm not going to give out their address. And hopefully I won't give away their gender or, you know, any sort of identifying birthmarks or anything like that. But if you click on the link, which I've shared with you, you will see the home right now.
Oh, that's quite nice.
That does. I thought it looked quite nice as well, actually. I thought, well, they've done all right for themselves. Now, I've never been into this person's house, but now I know when it was built, how many bedrooms and bathrooms it has, all kinds of other information. I can see a picture of it from the street.
It's bloody expensive, isn't it?
It is.
It was quite expensive, wasn't it? And I very much doubt that they added all of that detail themselves to Zillow. Maybe it was a previous homeowner. But the interesting thing about Zillow is it keeps information and it publishes information about your homes. Whether you're selling your house or not, and whether you want to be on Zillow or not.
They call these things Zestimates. That's fucking—
That's right. So Zillow has a thing called Zestimates. And what the Zestimate is really there for is if you're thinking of buying a property or if you're curious about your own property and what it might be worth, you go to the Zillow website, it will give you its Zestimate, and the Zestimate— There is actually a disclaimer. It does say Zestimates are not professional appraisals, right? They don't walk around your house. It's just a computer algorithm based upon recent sale prices for similar properties in the area. And they may look at any information you've added, you know, we did up the kitchen two years ago, or, you know—
Got a new boiler.
Right. Or, you know, we did out the basement, or we added an extension, or whatever it is, right? But it doesn't know that stuff unless you tell it. So it won't know that you've installed a new kitchen. It won't know that you ripped up the stinky carpet pit in the downstairs loo and replaced it with some tiles. It won't know that you've got a fibreglass shark poking out of your roof, which—
Ah, the shark.
The shark. David, if you haven't checked out Oxford properly, there is a house with a fibreglass shark poking out of its roof from a guy called Bill Heine.
He's a local celeb.
Quite incredible.
Yeah, this is quite a famous bit of art. It's been sticking out of that same roof for quite a few years now, isn't it?
Maybe 30 years, something like that. So you can update the information in your Zillow profile if you claim ownership of the entry and add the information, right? Otherwise it won't know anything. So the practical effect of Zillow is that many buyers give those Zestimates, even though Zillow say, look, this isn't really something you can base anything on. They give it as much weight as a professional valuation and they use these Zestimates as a means of leveraging when they're trying to knock down the price on the properties that they want to buy. So someone is selling something for, I don't know, $600,000. But if Zillow says, oh, we estimate it's $550,000, you go in low and you say, well, why are you asking $600,000? You should be $500,000 or $550,000. In short, buyers love Zillow, but sellers aren't so keen.
Right.
And in the past, sellers have tried to sue Zillow. There was one group who were suing Zillow, and they were trying to sell properties for $1.5 million, but Zillow was saying, well, they were only worth a meager $1 million.
Who are all these people throwing around, bandying around millions of dollars?
They're Americans, Carole. They've got loads of money.
$1 million, $1.5 million, same diff.
Okay. But, and Zillow, when asked to fix the Zestimate— I'm going to have to keep on saying Zestimate, aren't I?— they refused to do so. And they also won't remove your property from the website. And so people get exactly to use the technical term. So Zillow, of course, being an American company, how does it defend this? First Amendment.
Freedom of speech.
Yes. So they say we're protected. We're allowed to say this is what we believe your house is worth. And they have the little disclaimer on the page as well.
Yeah.
So it's caused a bit of fuss. Mind you, I suspect sellers aren't complaining when Zillow lists properties with a higher Zestimate than they really deserve, right? If they added a million on.
Right.
Now, here's the latest. Someone has claimed ownership of a Zillow listing that wasn't actually theirs. There is a $150 million—
Chump change.
Palatial. It's just like your pad, Carole.
Exactly.
Palatial.
Helicopter. Helipad.
You joke. You joke about the helipad.
Okay, okay, okay.
Go on. It's overlooking the Pacific Ocean in Bel Air.
Boring.
Home of Wiki Wiki Wow Wow, Will Smith, right?
About 40 years ago, yes.
Hey, hey, hey.
It's got 12 bedrooms. It has 21 bathrooms.
Hang on a minute, hang on. 21 bath— How does that even work? There's 8 bedrooms, that's 2 baths.
So if every bedroom is a double, everyone can shit at the same time.
Oh, charm. You are charming, aren't you?
Almost everyone.
38,000 square feet of interior space.
I don't even know how big that is. I mean, was that an aircraft hangar or what?
It probably is, isn't it?
Parliament buildings? Something like that?
17,000 square feet of whatever are entertainment decks.
Yeah. Stupid, stupid.
And an 85-foot glass tile infinity pool.
Oh, now you're talking.
Yep. Anyway, last month, a hacker gained control of this uber mansion's listing page on Zillow and updated its information. Now, if I had accessed that, I think I would have been tempted to change it in a different way, I think. You know, you would have made out that it was next to some sort of nuclear processing plant or a sewage pit. Oh, you know, a—
A hacker would.
Yes, exactly. And if you're going to hack it, that's the sort of thing that most people, I suspect, would do is just out of pure jealousy. They would deface it in that way. But what this particular person did is they used a fake mobile phone number and a Chinese IP address. They were able to waltz past Zillow's security questions in order to convince the site that they were the genuine owner. Now, remember, nobody puts their property up on Zillow. Right? The property is already there and you can claim it, which means that Zillow doesn't really know very much about you other than what's a public record and they've been able to grab from a database. So if you're able to confirm and answer their security questions, you may be able to claim any old property up there. But what this particular hacker did was they then posted a history of recent bogus sales of the property for up to $60 million less than the genuine owner is asking, because they're asking for $150 million right now.
So they're asking for $90 million as opposed to $150 million.
Right.
And they had a number of sales in close succession, over a few days of, oh, it's been sold again for this price and it's up and down. But it's basically a lot less than what is really being asked. And you have to wonder, why would someone want to do that?
Yeah.
Because they want to process the deal. So it's maybe the, what was it called?
The broker?
The realtor broker.
Maybe. Or maybe it's someone who wants to buy the property but wants to buy it for less. And suddenly you have a good price down.
I'm hooked. Tell me you have an answer to this.
No, I don't. But we don't know who did it. But they even announced on the page that there was going to be an open house on February 8th, and anyone can come along and go and view the property. And frankly, if I'd seen that, I think I would have been tempted. My wife definitely would have been tempted. She definitely would have wanted to check out those 21 bathrooms and five bars.
How many bogs can you look at?
Seriously?
No, but a house, $150 million house, Carole, you are going to want to check that out, aren't you? Come on, it'd be a nice day out.
Have you ever been to a big office? Right? You could just walk around all the stalls and go, oh look, I've seen 100 toilets. That's exciting.
I do remember once when we worked at a particular security company, Carole.
I know exactly what you're going to say.
When we did a survey of the quality of the lavatory paper in different—
To see if the head honchos had a 3-ply versus the 1-ply donated to the first floor workers. I won't reveal the results. I would be giving away too much.
Anyway, it is alleged that Zillow was asked by the real seller's lawyers to pull down the bogus information, but it took them over a week and they still hadn't done anything. And Zillow said, oh, you know, we go to great lengths.
First Amendment, First Amendment, First Amendment.
We only put— we really try and publish only correct and accurate data, but something went wrong. And the way in which they work, they say, is unfortunately, if someone's able to provide responses to the verification questions, they're able to claim the home, at least its entry on the website. And they don't manually check.
That's fucking insane.
But also they ask you the same questions over and over again. So if you try 4 or 5 times, Carole, you're going to know what the questions are, and so you can be prepared with the answers. If you really want to do this, you can do it.
Yeah, no, no, I just think the model's insane because Zillow's basically holding homeowners hostage by providing misleading, at times, information, which is actually affecting the market. And they're saying, oh, First Amendment, we don't have any responsibility for actually assuring that this information is right because it's a Zestimate.
Three kitchens, which I think is a bit paltry, to be honest. Five bars, a fitness spa, a four-lane bowling alley, a basketball court, a tennis court, a wine cellar, a pool.
Imagine you were a big property magnate in America, for instance. You had a number of properties. Maybe you had one in Mar-a-Lago down in Florida. Maybe you had some in New York. And you wanted to inflate their prices, you know, in order to convince Forbes that you should be on some top-ranking list of the biggest earners. You know, you might well just think, oh, I'll just go onto Zillow.
I would flip my beautiful golden locks from one side to the next and add a zero.
So this is our message for people who might find their homes on Zillow. Unfortunately, you can't ask them to remove your house's entry. We can ask them, they're just not necessarily going to do anything about it. The only thing it seems you can really do if you're worried about this is visit the site regularly to check your entry and hopefully claim it for yourself so that someone else doesn't mess around with it.
That's the worst advice, because then you're saying, okay, so then you're tied to that listing of your house and it's your job to make sure the information is correct on it.
Okay, Carole, what's your advice? Is your advice to launch a denial of service attack against Zillow so no one can get up there? Is that your plan? Or go and firebomb their offices?
Bonjour, bonjour. Pass.
Oh, all right. Well, this current mega mansion, $150 million. They are asking for $60 million, 6-0 million, in damages against Zillow. So we will have to wait and see whether they manage to get any of that money out of them. Anyway, $60 million. Not bad, eh? I guess it's that much because well, America, isn't it?
Chump change. Trump change.
Boom boom.
Firebombing their offices.
David, what's your story for us this week?
Well, well, well. So, you know, when you guys got in touch with me last week to ask me onto the show this week, and you did say that Smashing Security had been, well, languishing in the gutter over the last few episodes, and you were hoping I could help it to rise above once again.
It was all Maria's fault. No, it wasn't. It was your fault, actually, Carole, wasn't it? What? With your pick of the week, with the rude words.
Anyway, I'm flattered that you ask me, and I do love a good challenge, but not this week. So, as we all know, there is a ticking time bomb afflicting the UK that looks set to come to a mighty climax at the end of the month. I'm not talking about Brexit. After countless mass debates and government ministers—
Oh my goodness. What?
You're gorgeous. Carry on.
As I was saying, after countless mass debates and government ministers endlessly shuffling backwards and forwards, the end of— What? The end of March marks the date from which UK internet users will have to verify their age before they can visit pornography websites.
What?
So is it banned for seniors now?
No, no, no. You have to be 18 or above. Oh, right. So you're okay, Carole. You're okay.
She's more than okay. She was okay a long time ago.
Just wait till you see my pick of the week.
Oh, okay, okay. So yeah, this is definitely not Brexit-related, but you could say that certain freedom of movement is being restricted as a result of this. So before it's too late, for those of you who do have a penchant more for dirty websites, I urge you to head right now to www.legislation.gov.uk and in particular to the Digital Economy Act 2017 Chapter 30 Part 3, where the government deals with lots of issues arising from online pornography. In particular, aside from lots of talk of statutory instruments— they sound pretty brutal if you ask me— The legislation introduces the concept of an age verification regulator.
Now— I'm definitely getting the horn over this, I tell you that.
I'm glad to hear it. So whether you think this whole thing is a good idea or not about restricting access to online pornography for under-18s, whether you think that's a good thing or not, and there are arguments on both sides, there is a sticking point, and that is how on earth technically can this age verification be enforced across all of the different websites, all the different social media and dedicated sites? That might serve up pornographic content, deliberately or otherwise, to under-18s. Now, the government minister in charge at the time was Matt Hancock. Perhaps he was a bit premature, should we say, by giving the world 9 months to try and figure it out. And he literally chucked it out there, didn't he, and said, hey, you guys have got 9 months until April 2018. You go away, you go and do that, it'll be fine, everything's fine. Needless to say, that didn't work. A few deadlines have kept on getting pushed back until now, it seems. And April, maybe around about Easter, seems to be about the time when the government is saying they're going to flick the switch on this.
So they're going to slip this in. They're planning to slip this in under the carpet.
Oh, Cluley, don't even compete.
No, I'm not trying to. But I mean, what I'm saying is that all of Britain is obsessed at the moment with Brexit. The current omni-shambles which is happening around that. So that's in all the headlines, whereas this story, which is going to affect a lot of people and would be of interest to them, it's not really getting very much coverage, is it?
Who's going to complain? Who's going to complain other than the places that provide porn or the kids that want access that they're underage?
Well, people will complain if they are concerned that their personal information may at some point be breached in the future, and it may come out that they've been accessing these sites.
And that is the point here. It's about the consequences of this particular enforcement. So this week, one of the biggest players in online pornography, MindGeek, which owns the likes of YouPorn and Pornhub and many besides, apparently, has developed a system called Age ID. And so what'll happen is, Graham, is that when you visit one of MindGeek's sites, you'll be directed to a, I guess, a non-pornographic Age ID website, where you will be asked to enter in an email address and password as your username and password to confirm your age by using a credit card, a passport, or a driving license. That in turn will then enable you to log into any sites that support Age ID. Did you get that, Graham? Are you clear on those instructions?
So these sites, these Age ID sites, are going to ask me for credit card to prove that I'm old enough, or a pass— yes, they want I need to give them my credit card information or scan in my passport.
Nothing important, or your driver's license. No biggie. No biggie.
So look, it doesn't take a lot of imagination to realize that this is potentially loaded with trouble. First of all, you know, it's going to encourage teens to visit perhaps less reputable sites, not those MindGeek sites, places where maybe, you know, these aren't being enforced. To download VPN software, for example, that I hear people do to bypass geographic IP address checks. And as we all know, not all VPN software is above board and looks after your data responsibly. And yes, of course, it will open the door, I can guarantee it, to phishing scams as fraudsters look to set up fake verification sites to capture credit card, passport details. They'll set up fake porn sites. Of course, this data's got to be stored somewhere. So that makes it a big target for potential fraudsters and scammers wanting to hack into that database.
Yeah. Now listen, you both are parents. Is this something that worries you, that your kids might access porn before 18? Who's really worried about that as an issue?
My son is of an age where he wouldn't encounter this kind of stuff at the moment because he just wouldn't go browsing around. But I certainly know older children who have accidentally accessed this kind of stuff and been quite shaken by it and not found it very pleasant.
Absolutely.
So it's the landing on it by accident, and it's a shock. That makes sense. Yeah.
And I think that's one of the parts of this legislation in a way, because on the one hand, some people go very deliberately to seek out pornography online. And I'm not saying there's anything wrong with that at all. Many people say that's very healthy indeed. But it's when it's stumbled upon accidentally. And goodness knows there are quite a few websites that have got perfectly innocent-looking URLs when you type them in deliberately accidentally, whatever, then you are presented without any filter whatsoever with extreme hardcore, potentially shocking content. And that is the stuff that should absolutely have some clamps put down on it to protect innocent young eyes.
I was teaching an English class and showing them how to use the web. This is way back, and we used to use a search engine called Hotbot. So I'll let you know what happened, you can— in front of everyone.
Yeah. So my son has a Chromebook because he uses those at school and I've actually set it up to use something called the CleanBrowsing DNS. It's fairly easy to set it up. You just put it into the computer or on your router and that automatically blocks certain types of websites from being visited, whatever application might be using it. So you don't have to run any actual software on the computer, but just by changing the DNS records, it also puts things like Google into safe search mode and I think it does the same on YouTube as well, which can block some nastiness.
And that sounds like a really good idea. And like you say, you could set that up either at your router side so it only uses that SafeSearch DNS or on a device-by-device basis perhaps as well. I would like the sound of that, Graham. Good call.
You're so smart, Graham.
Yeah, you're so smart. You're so smart.
So, I mean, this is all going to be kicking off in April. We really think this is going to... Well, yes.
So as late as autumn last year, the government was saying that they would hope to have it in place by Easter, which is quite late on in April this year. We don't know exactly when it's going to be dropping, but whenever it is, if I'm honest, I'm not sure this one's going to have a happy ending.
And societally—
Oh, goodness.
And we're going to have a lot of pent-up men who don't want to actually take part and give away their age information or driver's licence or passports running around the streets. Yeah.
Well, quite frankly, anyone who's going to unsavoury websites anyway should be using—
Porn isn't unsavoury.
Well, no, but they're—
It's just adult.
All right, all right. But you know, if you may not want, for instance, your ISP knowing that you're going to these sort of sites. So presumably you're using a VPN anyway.
Yeah, so the VPN guy can know. Yeah.
The VPN guys are gonna start advertising. Well, no, some of the VPNs—
Some of them don't know, I know.
You know, the VPN guys are going to start advertising this as yet another reason why you want to use VPNs, aren't they?
Yeah.
Maybe some good will come of it.
Maybe there will be some good. For those sites that don't enforce this age restriction, there's some pretty hefty fines in place. You know, first of all, get blocked by all ISPs, but up to a quarter of a million pounds, which, you know, for many of these sites is going to be a big chunk of money for them.
And this, of course, will affect sites all around the world. You don't have to be a UK-based site. Wherever you are, if you are delivering content. So I wonder whether some sites may simply decide we don't want to get into this age ID thing. Let's just forget about the UK anyway, because they're not really interested and we'll just concentrate on the Belgians. Carole, what's your story for us this week?
Come with me to Jackson County, Georgia.
Georgia.
Georgia. Jackson County is a quiet rural area in the southern US state with a population of about 64,000. They boast an impressive public library as one of its top tourist attractions. I'll show you. It's quite impressive.
Take a look.
It's impressive.
I remember once I went on a trip to Zagreb and I thought, what am I going to do when I'm here? And I looked up on TripAdvisor, the top attractions. Number 1 was the cemetery.
Do you remember when we went to Geneva and on the top 10 was the world's longest bench?
Oh yes, yes, I remember the bench.
Yeah, we went and saw that. So Wednesday last week, bleary officials in Jackson County announced that they'd been hit by a ransomware attack. And it had managed to bring the entire fleet of computer systems to its knees. Now, the ransomware had hit on the 1st of March, 6 days earlier, and then they announced to the press. So you can imagine the hell the Jackson County IT team faced during those 5 or 6 days. Daily meetings, caffeine-laden systems, grumpy bosses, and they were probably blamed for not protecting against the attack. Now apparently the entire county's government email was fritzed. The only thing that was left standing was the 911 emergency system and its website, right? So you get the picture, they were waist deep in ransomware doo-doo. The sheriff in town, Janis Mangum, which drives me nuts because I bet she wishes she could change her name to Magnum, so close. Anyway, Janis Mangum said everything we have is down. We're doing our bookings the way we used to do it before computers. We're operating by paper in terms of reports, arrest bookings. We've continued to function, it's just more difficult. So Jackson officials don't sound super freaked out, but I bet this is a brave face for the press, right? It must have been a nightmare scenario inside. Now, they didn't confirm how hackers breached the network, all right, but some are speculating that it's the Ryuk ransomware. This is a known but apparently undecryptable strain of ransomware that tags along with other botnets to creep into systems.
Right.
So, only the bad guys can decrypt your data. You've gotta pay them to get your data back, right?
Exactly. Right. So, let me set the scene here. So, you're this small rural community in Jackson County. You've spent a week desperately trying to retrieve your files and data. You've had to announce to the press. And, you know, what do you do? Do you carry on or do you pay up? Do you wanna make a call?
No backups. No backups.
There's not a lot of mention in the press about that. They don't seem to wanna be coming really clean, but I'm guessing that's probably an issue, right? Because they ended up shelling out $400,000 to get their files back. So I did some maths, and it works out to about $6.25 per Jackson County resident. Okay, now put that in your back pocket because it's going to be important later, right?
Wow.
So Jackson County official Kevin Poe said, we had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our systems rebuilt. Because I can count your 400,000 smackaroos down, but they have their data back, right? And most of us in cybersecurity would say, never pay, never pay, never pay, just say no.
I've got various thoughts about this. I think sometime, I mean, obviously in an ideal world, you would have a backup and you'd be able to recover and you'd be able to do it in a timely fashion and get your systems up and running. But I also think that businesses need to be a little bit pragmatic. And if they haven't got a backup, if there's nothing to restore, then maybe it is easier to pay. But I hate, hate the idea of paying. Mel Gibson never paid in ransom. He never said, he never gave in. But I hate it. First of all, because the bad guys end up cashing out. They're doing great from it. But also it sends a message to everybody, this is an organization that's prepared to pay. And who knows if they fixed whatever problem it was through which the ransomware came in in the first place, they may get hit next time and asked for $800,000.
Yeah, and it's that long-term thinking, I think, that's very easy to dismiss when you are a public servant, you have all of your computers scrambled in front of you. And yeah, like you say, it's gonna cost more money to reestablish those systems to get things back up and running again, or you can write a check straight away. I can understand why they did pay. I hate the idea of it, but yeah, I can see that.
I'm very surprised actually by both your reactions because this was gonna be my big moment here. Okay. So you guys can just pretend to run with me.
Okay.
Not yet. I'll tell you when. I'll say deep gasp now.
Okay. Okay.
We practiced that. It's good.
You might remember the SamSam ransomware and in March it actually ended up taking down Atlanta's computer network. This is Jackson County's neighboring capital city. SamSam managed to knock out almost all of Atlanta's services. They couldn't issue warrants, process inmates, court fee payments, accept online bill payments. It was all a bit of a mess. And to unlock the city systems and data, the hackers were demanding $51,000 in bitcoin — quite a lot less than what Jackson County was facing, right?
Yeah.
And do you know what Atlanta did? They refused to pay.
Right.
So my question in doing the story was, what did that cost the residents? So I did a little digging and initial recovery costs seem to be pegged at just shy of $3 million. So how many people live in Atlanta? I looked that up, half a million. So it works out to $6 per person. And if you remember, Jackson County's was $6.25 per person. So right now, it's pretty aligned. It doesn't seem to be any difference in terms of doing the right thing or doing the wrong thing. So you're kind of thinking everyone should do the right thing.
So did — how did Atlanta recover if they didn't pay? Did they have backups, or did they have people to reenter the data, or what occurred?
Well, Atlanta just announced last week that the cost estimate has changed a teeny tiny smidge. It's up from $3 million to —
I'm getting ready —
An estimated $17 million.
Georgia!
Georgia! So the cost to residents is now 6 times as much as Jackson County, the rural town that paid the baddies to go away. Now Atlanta is coming clean in saying that it's revamping its systems to be more secure, and that is reflected in this $17 million price tag. But yeah, who wins, right? The upshot seems to be that it costs a shitload of money to do the right thing. And I'll tell you one thing, the thing I learned in all this is if you're an IT sec guy out there listening to this, IT sec guy or girl, head to Georgia because they got the money. Smashing Security, they need you.
The other thing, I think we spoke about this maybe about a year ago or something in another podcast. There are some companies which say, we will help you recover from a ransomware infection. Give us your files. And they charge the organization an amount of money and they use some of it to pay the hackers. And they keep the profit. Of course they do.
Of course they do.
Which may look better PR-wise, I don't know, for the organizations who've been hit than simply paying the bad guys. It's basically protect your systems is what you're saying, Carole. Don't let this happen in the first place. Make sure you've got backups.
Exactly. Well, you know what? It's not just having backups, is it? It's having accessible, I can reload right away backups. I'm testing them monthly and I know it works. So, if anyone just grabs my systems, I know I might lose half a day's work for the company, whatever, but I'm not in that horrible scenario of going, "Oh no, I have backups, but..." And ironically, because we did a piece recently on cyber insurance, didn't we? Atlanta was saying, "And part of the $17 million is we now have cybercrime insurance." Yeah, it does make my blood boil.
And before I did media-y stuff and talked about tech, I used to do tech, and I used to do disaster recovery, business resilience, business continuity. And a backup isn't a backup until you've restored from it, and you need to make sure you understand your recovery time objectives and all that good stuff, how much data you're prepared to lose. And it seems to me that particularly in public services, that stuff just doesn't happen the way that it should.
So it's a bit of a quandary. So watch out out there. It's an interesting little story. How much does it cost the residents? Quite a fun game.
When the sugar hits the fan, it's all about how quickly you can get back up and running again.
Isn't it right, Carole?
Oh, cutesy cutesy.
You found that with your iPhone, didn't you? When you dropped it down the loo or whatever happened.
If only I dropped it down the loo. It had two sprinkles of water. I swear to God. That's the only thing I can think that happened. And it really crits, scarily, magenta, you know, lightning rods across the screen. But apparently I have insurance, so let's see what happens.
Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win. Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, phishing, malware, doxing, darknet, darkweb, and business email compromise, and much, much more. Grab it for yourself at smashingsecurity.com/mimecast. And thanks to Mimecast for supporting the show.
Quote, most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to — it's called Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
Should not be.
Now, a couple of episodes ago, the lovely Maria recommended Tetris 99 on the Nintendo Switch.
Oh, she did?
Have you been playing it? Have you been playing it?
I played it a little bit. I haven't played it as much as I would like. I don't tend to — well, I just don't tend to get very much access to the Nintendo Switch because I'm sharing my house with a 7-year-old, right?
Does your 7-year-old not go to bed?
Well, you know, I'm doing other things.
Are you one of those parents that has it in his room?
No, no, no, no, no. But it's — no, certainly not. No, no, no. Anyway, I don't need Tetris 99 anymore because I have discovered on Twitter an account called Emoji Tetra.
Okay, I'm checking it out.
Clicking through.
Clicking through.
So Emoji Tetra is a Twitter bot written by a chap called Joe Sondow, and it uses Twitter polls so that the Twitter community can decide whether the falling block coming down the game of Tetris moves left, right, or twists, or drops. Now, and that's basically it. It is a way of playing multiplayer Tetris rather slowly, and it's all computerized and bot-ized, and I just thought, well, that's very cute.
I'm not — okay, I'm not sure I get it. I mean, I understand it's a game. I don't understand how it works. I'm looking at a GIF of it. I need to —
Okay, so you're looking at a GIF of the current situation, and what you are seeing is an L-shaped piece, which in the fullness of time will descend down the screen, right? And it would fill a little bit of gap there, and you would fill up all those hearts. You see the greens and the purples. You'd get a line there, but there would be a gap underneath. Now you could choose, Carole, to vote to rotate that?
That's what I'm going with. I'm going to click on rotate.
I think that is the correct thing to do. So at the moment, 91% of people have chosen to rotate that piece. That is probably the most sensible thing to do. Now, you might then have to move it left, I'm suspecting, but we have to wait for the next one to come through. Looks like they happen every few minutes. And then we could drop it down and we would get two lines.
This information is going to be fascinatingly glorious for the gambling community to — I don't understand how you guys, how the world chooses left, right, rotate, or down.
Well, I'm just saying you don't need a Nintendo Switch and multiplayer online support.
You just need Twitter because Twitter's amazing. Twitter's the best thing ever. Twitter, Twitter, Twitter, Twitter, Twitter.
You might be excited about Emoji Tetra. And then I discovered there's also the Emoji Snake game. So if you have —
I love Snake.
I love it. Graham, that's not fair.
I like Twitter, but Snake. Snake.
So there's a snake going around. And you can decide whether to turn it left or right. And it's a group choice, right? It's every left or right, up, down. And yeah, how much fun is that?
And this is the same guy again, is that Joe Sondow?
It's the same guy who's doing it. And I just thought, well, that's lovely.
Yeah. That's ingenuity.
How nice to see a positive, wonderful bot on Twitter rather than the normal Russian bots.
Well, you don't know that. How nice to see a wonderfully looking bot that seems to be doing no harm.
It's not spreading bile though, is it, Carole? It's not being unpleasant to people, trying to change their political views or anything that'll reinforce—
How do you know? Things are very hidden today.
Because it's a game of Snake and Tetris. That's why, Carole. Are you suggesting because it's Tetris, there's some Russian influence?
What I should say is that the same guy, I've just done a bit of digging around on him. The same guy actually does a few of these bot accounts, and it seems as though one of the more popular ones, certainly more popular than Emoji Tetra and the Emoji Snake one, is Emoji Aquarium.
Yeah, I've checked that out. Yes, that's—
It's got almost 20,000 followers on there.
David, what's your pick of the week?
Well, we haven't talked about porn for a few minutes, so let's change that.
It normally takes me a few minutes to recover until I'm in the mood for it again, to be honest. But okay, right, so let's go for it.
But this one, again, we're talking serious stuff here. So my pick of the week this week is a podcast— well, it's a couple of things, I suppose— by British author and documentarian Jon Ronson. Now, I first came across Jon's work via his book 'You've Been Publicly Shamed,' which is a brilliant read if you haven't come across it.
I've read it. It's wonderful. I found it— I love that stuff. Yeah.
Yeah. So for those of you who haven't come across it, it is how social media, Twitter in particular, has essentially reinvigorated the centuries-old ritual of public shaming. So once upon a time—
Shocking, actually. Yeah.
When you were young, Graham, perhaps we used to lock petty criminals in the stocks in the town hall square and, you know, throw fruit at them. After a little bit of hiatus where society tried to convince itself that it was civilised, nowadays we're basically doing the same thing again, but this time on social media instead. So what Jon does in 'You've Been Publicly Shamed' is tell a number of toe-curling stories in the book through interviews with the victims, I guess, of how the mob descends and punishes those pretty ruthlessly who it deems worthy. The book's great, I've read it a couple of times. He reads the audiobook on Audible very well as well. But that's just the preamble, because speaking of Audible, Jon Ronson's recent projects have been serialized in podcast form, podcast documentaries, and one of them is called 'The Butterfly Effect,' which for the avoidance of doubt is my pick of the week. So 'The Butterfly Effect,' he explores how the web changed the porn industry and the ripple-on effect of that. So this isn't juvenile or seedy in the way that, you know, sometimes we talk about it on here. It's refreshingly—
Yes.
Matter of fact. How dare you? All right, guilty as charged.
Shame him.
Tomatoes out of tins before you throw them at me, please. So what it begins by doing is it starts by looking at the advent of freely available pornography on the web. So sites like Pornhub and those other MindGeek sites. And then it looks at the ripple effect, the so-called butterfly effect, that the availability of this free on-demand porn has had on society, on the adult entertainment business, a big business around that obviously, and of course on adolescents as well, on children who stumble across this material. Jon has a really sharp understanding of internet culture, and I really enjoy his analysis of how it impacts on so many facets of our lives, sometimes subtle, sometimes profound ways. So the podcast The Butterfly Effect, The Last Days of August, which is a spin-off of that, and You've Been Publicly Shamed, they're all my pick of the week.
Ah, so awesome.
I have listened to The Butterfly Effect, which I really loved. I've read most of his books. I have read Publicly Shamed. I also read Psychopath test. And Graham and I, with our partners, we bought tickets to see Jon Ronson in Oxford doing a reading of The Psychopath Test, or something, with special guest psychopaths, as I remember.
Oh no, they were victims of psychopaths, they weren't actually the psychopaths. Or were they? I can't remember now.
All I can say is I think he's great on audio. Audiobook. He's— his audiobooks are incredible because I really love his voice. I know not everyone loves it. I really love it. I find his cadence just really lovely. But, yeah, there you go.
He's done a TED Talk on So You've Been Publicly Shamed, and also he's on tour again in this country. He's based in the United States now, but he's on tour again talking about Butterfly Effect, last days of August, in May this year. So interesting feedback, I'm thinking of going to go and see him do this tour.
Do, and let us know what you think. Okay. Yeah.
We thought he was shit.
But I love him. Oh, that's interesting, isn't it? It's interesting.
We were so looking forward to it, and maybe it just wasn't working for him that night, but it was just—
Hashtag being nice. Yeah. Yeah. Okay, so I live in Oxford, and we have a few smarty pants Oxford professor friends. La di da, I know, I know, I know.
I don't know.
So basically, the premise is simple. Upload a pic and let the algorithm do its work. And it gauges how old you are. So of course I loaded pics of both of you. I started with you, Clue. I started with you.
You uploaded my photograph to Microsoft.
Go back to episode 106, you did the same to me. Okay, so I started with you, Cluley.
Okay, I've already got your excuses ready. And I was— I chose the picture that you looked the oldest in. I went along your site on grahamcluley.com. What happened?
They thought you were 37.
Thank you very much. It's because I don't have any wrinkles because I'm so fat.
So then I went on to start page image search, right? Found a little pic of our friend David here. And David, I don't know how old you are, but I think you're younger than what it thought. It said 44.
Oh yeah, okay, interesting. Interesting. Yeah, I am younger than that, for the avoidance of doubt.
I thought for sure you were. Yeah. So I was thinking, okay, so of course then, you know, I thought maybe I should load myself up because hashtag be nice.
That's what we're waiting for.
And it wouldn't be fair if I didn't slap up my own mug. So I grabbed one from my local machine called Crawl.
Was it an airbrushed photo? Was it one you had done at a studio?
No, no, no. I literally just— I just literally went to— I searched for my name, found one, slapped it up, okay? And I'm sorry, guys. I promise, hand on heart. And I'm really sorry because I came out rather well in this, okay?
Oh, forgive you.
Okay, are you ready?
What's it going to be?
Check it out.
Oh my word.
And so it's saying 73.
To be fair, to be fair. Be fair, Carole.
I know. Okay, so then I thought about it, right? 73 is a great age. My mom rocked 73. And besides, I think everyone plays the age game totally wrong. Isn't it much smarter to tell everyone that you're a decade, or hell, decades older than you actually are, so they can marvel at your youthful appearance and physical abilities? So yeah, I'm 73. Hottest one in the room. Boom.
I think this all says far more about Microsoft's really piss-poor AI than it does about any of our photos or ages.
Okay, honestly, I freaked out, right? Of course, when it said 73, I totally freaked out. I freaked out and I madly searched for another picture, found this one, slapped it up, and it actually gave my correct age. 'Cause I did this, it gave it exactly.
Oh, but you're doing the kind of Princess Diana eyes there, aren't you?
They're the only two I have on my desktop, so they're the ones that I used. But it's— there's a 30-year age gap between the two. So, well done, Microsoft.
High five.
Don't you love how they say— don't they say on it somewhere, I think they say, don't be mad if we got it wrong. Yeah, sorry if we didn't get it quite right. It says underneath the pictures.
We are still improving this feature.
So do they actually ask you to enter what your real name is?
No, no, no. And I would never have done that. I obviously gave them yours. So I emailed them especially. But yeah, I kept David and mine private because we're not, we're not, yeah.
Because we're a student podcast. Good. Well, that just about wraps it up for this week. David, I'm sure lots of our listeners would love to follow you online and follow you on your travels. What's the best way for folks to do that?
Well, on that there Twitter, I am @DavidMcClelland, all one word, two C's, three L's. Cross your fingers and hope for the best.
He's never said that before, ever, guys.
You can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And you can continue the discussion on Reddit. We've got a Reddit subreddit now, imaginatively titled Smashing Security. So just go looking for that and you can chat about things you've heard about on the podcast or tell us what we got wrong.
So huge warm hugs to our Smashing Security sponsors, LastPass and Mimecast. Their support helps us give you this show for free. And fist bumps to all our glorious listeners. Yes, you! If you like what you hear and want to help us grow, then do that leave a review thing. It really, really helps.
Until next week, cheerio, bye-bye, bye-bye. I forgot to say goodbye. Oh my goodness.
I was waiting for you. Ladies first.
I know, I know, I know. That's very polite. And I just forgot. I'm still reeling from the 73.
I really enjoyed his analysis in The Butterfly Effect in The Last Days of April as well. Sorry. Another podcast. Oh, I'm sorry. What is that noise?
I was trying to mute my microphone. It's my dog. My dog is underneath me and he's scratching rather loudly at the carpet.
So, okay, okay.
I was just trying to mute the microphone so it wouldn't put you off.
We just heard quack, quack, quack, quack. Okay, sorry, I didn't mean to interrupt you.
Carry on.
I did wonder what was going on there. We'll just remove his audio. So yeah, Jon has
Of course, you should exercise care about which VPN you choose to use. A VPN does not make your browsing invisible; it moves the view of which sites you visit from your ISP (and anyone who can compel your ISP) to the VPN provider, so for greater privacy ensure that the provider doesn't log your online activity, and bear in mind that a "no logs" claim is a promise you are trusting rather than something you can verify. Here is one resource which attempts to evaluate the comparative merits and drawbacks of different VPNs.
The UK government originally planned to slip its controversial age check legislation through the Commons last year with its Digital Economy Act, but had to pull out at the last minute.
The UK Govt planned to slip (in) its… "…had to pull out at the last minute."
Elegant phraseology….
Surely the issue here is that the release of primary ID, a photograph of your passport!! – and the risks that that entails – makes this a solution that is worse than the problem??
I don't let anyone photo my passport, even employers; they can have a look, and at a push they can scan an out-of-date one, but that's it. I don't want miscellaneous honey-pots of scanned passports in every bank, estate agent, employer, as they are all vulnerable to loss, particularly if there is value.
Are the Government intending to compromise ID document No.1 – so that a new "ID Card" is then required?