
You may have missed it amongst the many news reports of the denial-of-service attacks troubling Labour, but that wasn’t the only reason the UK political party made the cybersecurity headlines this week.
In fact, less than 12 hours before Labour went public about the “sophisticated” (ahem…) attack which knocked its website offline and allegedly impacted campaigning for the upcoming General Election, The Times reported on a potential data breach involving the party.
According to The Times, some donors' names, together with the time and size of their donations to the party, were easily accessible:
Labour published the names of people who have donated to the party through its website thanks to an apparent security flaw.
In most cases the data included donors’ first names, the amount they contributed and the time they made the donation. Some full names were also published.
The information could be accessed using any web browser and without security checks.
That doesn’t sound good, and BBC News shared some more details:
The Times has revealed that Labour exposed the names of people who had donated money via an online tool.
The details could be found via an RSS web feed generated by the site’s code, which most browsers provide a way to inspect.
In most cases the information was limited to the donors’ first names and the sums given.
But because some people had mistakenly added their surname to the first name input box, this too was disclosed.
Labour denies this represented a security flaw or that a reportable data breach had occurred. It also believes that only a small number of full names were exposed.
However, it made changes to shut down the RSS feed last night.
You, like me, might scratch your head and wonder why the Labour website would ever have wanted to put the details of donations into an RSS feed, accessible to the world.
But then I realised – people willingly do this all the time. If you go to any of the popular fundraising sites you’ll find long lists of people, some of whom give both their names, sharing details of how much money they have given to a particular cause.
Here’s a redacted screenshot I just took on Justgiving, for instance:

It’s purely guesswork on my part in the absence of any firm information, but is it possible that the Labour Party website was creating an RSS feed to support its fund-raising efforts by displaying an automatically updated list of folks who had donated money?
I don’t believe that there’s anything wrong with publishing the details of people who have donated relatively small amounts of cash via an online tool *if* they have given you permission to publish their details – but that’s a detail which both BBC News and The Times fail to tackle.
My hunch would be that the fact that this data “leaked” via an RSS feed suggests that it might have been more of a boo-boo than a serious security problem, and even then only if those donating didn’t have the option of declining publicity.
But what unfortunate timing for Labour: its attention-grabbing DDoS attack dominated the headlines on the very same day that a potential data leak came to light.
For more discussion about the cybersecurity issues that have plagued the Labour Party this week, listen to this edition of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I see that 10 times a day you appear to be running vigorously.
Okay, breathe. Breathe. We don't want to die.
Smashing Security. Episode 154. A Buttock of Biometrics with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security episode 154. My name is Graham Cluley. And I'm Carole Theriault. Hey, and
we're joined this week. Okay, it's very late, everybody. We're doing this late. It's going to be a silly episode. I'm warning you now.
We are joined this week by John Hawes. Hello. I'm not being silly at all. I'm being very serious. Good. Now, John, I'm going to describe you and I want you to tell me if this is a fair description or not. A diplomatic man who advises cyber companies around the world to get along and play nice and build fair standards.
Oh. Yeah, you missed the beard. You missed six foot four. A five foot four man. That's how I like to start all descriptions. There's nothing wrong with being any number of foot fours. He is notable by his ostentatious height, I feel. I don't do it on purpose. That's what you say, John. Carole, what have we got coming up on the show this week?
First, thank this week's sponsors, LastPass; their support helps us give you this show for free. On today's show, Graham is delving into the UK Labour Party DDoS non-fiasco. John is looking into why the Apple credit card is being called sexist. And I'm going to get on my soapbox about private health info and Google. All this and loads more coming up on this episode of Smashing Security.
Super duper stuff. Now, chums, we here in Britain, we're all British chums, yes, yes, yes. John, sorry, let's not even start. We have got an election on our hands. Election, I said. Yes, that's true. In one corner is the bumbling Etonian Boris Johnson. Now, we should explain the various participants for people who don't live in the UK, because not everyone around the world who listens... We are very popular around the world. We shouldn't just assume everyone knows what's going on in British politics. Shall we explain who everybody is?
Yeah, not everyone. Are you insane? Just the main players. Just the main players.
There are four main players. So we have in one corner the bumbling Etonian Boris Johnson. From time to time he's been described as a malevolent baked Alaska. He's like an ugly Hugh Grant.
There's an image of Donald Trump's hair and Owen Wilson's face. He does look a lot like Boris Johnson. Anyone's wondering what he looks like? It's also been suggested he looks a little bit like an unmade bed mixed up with a head injury. Now, he campaigned, remember the big Brexit referendum, he campaigned to leave Europe, but a lot of people suspect he really wanted to stay in.
Wait, whoa, somewhere in between. This is Pluto to Uranus. No, sort of nestled in the nook of Boris Johnson. We have Nigel Farage. He's the plain-talking, beer-swilling man of the people who happens to be a commodities broker, who wants us to cut ourselves off from the continent at any cost. And we've also got, let's not forget, the head girl, goody-two-shoes, Jo Swinson. She's leader of the Liberal Democrats. She wants to kick Brexit to the curb, snuggle up with Europe, and promise to be their BFF forever.
OK, so an easier way to put this is if you've got Jeremy and Jo in one corner, and you've got Johnson and Farage in the other.
Yeah, well, I don't think Jeremy necessarily is in Jo's corner. It's slightly complicated when it comes to Jeremy.
Yes, well, we're going to simplify for our listeners.
Also, Nigel and Boris will keep denying that they're each other's buddies, but keep trying to be buddies. Yeah, okay. Anyway, in summary, Brexit's bloody confusing, has divided the country, and is the backdrop for what is probably going to be the most ruthless British general election in our lifetimes. And of course, we've mentioned those four people, but let's not even begin to start on what other countries they might have a vested interest in a particular result.
Do you know, I had a problem with that as soon as I read that, because sophisticated. It takes a while to establish whether an attack is sophisticated.
Right. But so many companies claim they've suffered a sophisticated attack.
Well, it's like they don't want to say it was a really elementary one, do they? You have to have a computer, which is quite sophisticated, I suppose. You can't just do it with a pen and paper. It's going to be tricky.
Well, my phone went crazy at this news. BBC TV News, they wanted to get me to a studio, but I thought, well, we're planning to record a podcast, I can't do that, sod that, so we ended up doing it via Skype. And while I was doing it, I was recording this, while I was recording their TV slot, my camera started to slide down. It wasn't completely affixed. And so, this doesn't sound very sophisticated.
So you had one of those moments like that guy whose kids came in while he was talking.
It wasn't quite like that, but it was a bit like 1960s Batman, where the villains always have a sloping floor on their HQ. Bam, wallop, wham. So anyway, not that sophisticated. Turns out that this attack on Labour wasn't that sophisticated either because it was a DDoS attack, a distributed denial of service attack, which of course are often powered by botnets of computers around the world clogging up websites and making them fail to work properly.
Yeah, they've been around for more than a decade. Pretty cheap. Not complicated at all. $50 for three hours or something. Well, yeah, exactly. You could just purchase some DDoS time with a PayPal account virtually, couldn't you? I mean, ironically, Labour were using a DDoS mitigation service called Cloudflare, which many people will know. And they were ultimately able to get Labour back up and running as well. But there are many DDoS as a service booter sites, so sort of online sites you can go to to sort of purchase a denial of service attack if you wanted to launch one, which are themselves protected by Cloudflare. Well. He was at the pub one night. Had it for too many. A bit drunk. And he goes, I got an idea. I can do this.
Well, it could have been them. It could have been, maybe it was Russia. Because, of course, Russia might have a vested interest in the pro-Russian party. You're always blaming Russia for everything. Oh, yeah, bless them. Maybe it's the French. Maybe the French just don't like us. I mean, they're still technically at war, 300 years later, aren't they? Maybe it was Boris himself. But did any of these people have a vested interest in slightly embarrassing Jeremy Corbyn?
Well, maybe they didn't know how embarrassing. Maybe they thought if we knock out Labour's digital campaign, they won't be able to do anything. They won't be able to move and motivate their forces and get them, you know, canvassing wildly for Jeremy and his potential referendum. Definitely not sophisticated there. Not that sophisticated. Maybe it was Boris himself. Remember Boris was getting private technology lessons from Jennifer Arcuri when he went round to her flat. That was the claim, at least. Maybe it was kids, because it could be a kid, right, with a DDoS attack.
Hey, Graham, Graham, Graham, you digress. So the Labour Party got hit by DDoS. And it wasn't anything complicated, or did they steal anything?
No, the DDoS doesn't steal anything. It just brings down services. So why did they go public?
Well, yeah, good question, I think, is should they have gone public about it? Should they have been so loud about it? I certainly think they tried to make a little bit of political capital out of it with the suggestion that maybe they were being targeted, whereas they didn't really know whether it was going to be a 14-year-old kid or not who had done it against them. OK, but really, do you think that's a good PR strategy to say, let's go out there and say that we've been targeted? Because then what, you get more headlines? You get more inches in the papers?
We know what they got more of. They got more DDoS attacks. Because then it appears other people thought, or little kids thought, oh, yeah, that'd be a laugh, wouldn't it? Let's have a go at Uncle Jeremy with his political party. Let's launch a DDoS attack against him. So others began to do it as well. Any script kiddie with a botnet decided they could have a go and sort of encouraged, I think.
Yeah, you can see the IT guy calling up Cloudflare going, hi, so we just need to have a bit of ramp up.
So I think maybe the truth was that it didn't have that much impact on them for a relatively short time. And many companies up and down the country are being affected by DDoS every week, right? And maybe they were a bit too quick. And maybe they did over-egg what happened. And then the media, of course, were getting really excited about the fact that it could be a state-sponsored attack. Seems true. It was very unsophisticated. This is tricky.
This is tricky, right? Because in a way, I'm kind of happy that they came out and said, hey, guys, we're having a problem. I don't like that they said sophisticated without actually looking at it. That seems a bit early in the game. I think anyone who uses any adjectives they can't defend, you know.
It seems to be the habit, though, isn't it? Whenever a security incident does occur, people love to say sophisticated. They said it with TalkTalk, for instance, which wasn't a sophisticated attack.
Do you remember when APT came out as the new term? What was it? Advanced Persistent Threat. And that was a way of basically saying, yeah, we got screwed by some thing.
A thing. That we couldn't stop. And you can't blame us because it was advanced and it was persistent and it was a threat. And coincidentally, the same day they announced this problem, there was an exclusive report in the Times newspaper saying that they had stumbled across a data breach on the Labour website. Now, I don't think this is connected at all. And I don't actually think that the Labour website was hacked. What it appears they had was they had an online donation tool, and it was generating an RSS feed containing people's names and the sums of money which they had donated to the Labour Party via this page. They must have clicked a box saying, I don't mind everyone knowing. Well, that's not how the Times portray it. The Times say that the form asked for people's first names, but a number of people also entered their surnames. And that's why it ended up on the RSS feed.
This was going out to anybody that subscribed to the feed got a list of everybody that donated to the party.
I think that is basically the sum of it, yes. That's not really a breach, that's just a boob. And there'll probably be plenty more boobs. It's going to be boobtastic. Boobtastic election. Which the tabloids are going to love, aren't they? It already has been. John, what have you got for us this week? Well, so I wanted to talk about Apple's sexist credit card. Okay, not controversial. Well, no. Actually, a little. But no. So, I'm not sure if you're aware, but Apple has a credit card. Why? What's the point?
Well, to buy stuff, Graham. That's what credit cards are for.
It's very Apple-y. Oh, okay. It's laser etched white titanium. Oh, it's sexy. Very slick and shiny, very Apple-y. If you're the kind of person that likes Apple stuff, you probably want one of these. As I say, white titanium with a name and a little Apple logo and the little chip and pin thing on it. There's no numbers.
There's no numbers. It's just smooth. Okay, well, it's cool not having numbers maybe if you lose it. But if you're such an Apple fan, why wouldn't you just use Apple Pay?
Aha! Oh, okay. Because so the idea is you can't apply for the credit card through any other means than through your iPhone or Mac. Right. Okay. So only Apple users can get an Apple card. Yes. Okay. It's proof that you're not just a person that likes Apple stuff, that you actually have Apple stuff.
Right. It's your cult membership card. Yeah. Right. And yeah, I don't know. Are you wearing a black cashmere turtleneck? Check. Exactly. Anyone can go out and buy a cashmere turtleneck these days. And people might think that you have an Apple Mac. Yeah.
So you're flat white, check. Getting the Apple card, much more difficult. Right. Although apparently the white titanium does get discolored if you put it in a leather wallet or a jean pocket, which is a little disappointing. But yeah, so they describe it as a new kind of credit card. It's created by Apple, not a bank. What could go wrong, right, Graham? Yeah, so what's this?
But you say it's sexist.
Well, so it's not even a new thing. I think they announced it back in March. It was available sometime August. But suddenly in the last week or so it's been all over the headlines. About a week ago a chap called David Heinemeier Hansson, who's a Danish tech entrepreneur best known as the creator of Ruby on Rails... Oh, yeah, right, yeah. So he tweeted, which is, you know, how news happens these days, that he applied for one of these cards and also his wife applied for one, and he got a credit limit approved which was 20 times higher than his wife. 20 times? 20 times. 20 times. So if hers... Well, no. They claim that they've shared everything together forever and ever. He's Danish. He's been living in America for, I don't know, 10, 12 years or something. She says, oh, my credit limit's actually higher than his. So I don't know why I've got lower than his. And then Apple co-founder Steve Wozniak. Woz. Cuddly Woz. Yes. He stepped in and said, oh, same thing happened to me. I got 10 times more than my wife. Despite, you know, everything we have is shared, is mutual. So we should have exactly the same kind of credit limit.
So we have two quite big characters in the tech world basically saying, we're confirming this has happened to us. Yes. And that they're in the cult. That's also what they're telling everybody.
Well, obviously, I mean, Steve Wozniak is, he is officially still an employee of Apple. Is he really? 1985, he stepped down, but apparently he's a ceremonial employee. Bless him. I don't know what ceremonies he does. Like a ceremonial goat. Yeah. Then somebody from the New York State Department of Financial Services tweeted saying, oh, this sounds awfully dodgy. We will investigate. And now suddenly there's headlines all over the world saying, oh, Apple's credit card, massively sexist, and Department of Financial Services is launching a probe. So what, two people can tweet that... Also, it's not necessarily a huge investigation. It's just somebody tweeting, oh, we'll have a look. Oh, yes. Nobody has said we are launching a massive probe here. They just said, oh, that sounds interesting. Let's have a look. Yes. I happen to work for the Department of Financial Services.
Not everything's Daily Mail.
I'm not necessarily qualified to say we're launching a massive probe right now. Okay. Right. Anyway, so then. Oh, my goodness. Yes. People kind of think about this and, hang on. So even though Apple's card says it's created by Apple, not a bank. Yeah. Obviously, it is a credit card. So it has to actually be provided by a bank of some kind, which in this case is Goldman Sachs.
So they're backing it. They're backing all the money and they're backing the background vetting.
They're doing the credit card basically. Apple is creating it in the sense of designing what it looks like. Everything else is Goldman Sachs.
I can't help but notice that in the name Goldman Sachs is the word man, of course. Possibly a slightly sexist organization.
Very. Also known as the Vampire Squid and mainly an investment bank. So not with much history of consumer credit card business. So maybe they didn't really know what they were doing.
2008 was a bit rough.
In the last couple of days, Goldman Sachs put out a statement again on Twitter, obviously. So weird, isn't it? It starts off with the typical, you know, your concerns are important to us. We take them seriously, all that stuff. Blah, blah. But they also said, we do not know your gender or marital status. I think we know Woz is a man. Blah, blah, blah. And we believe him when he says he's married. And they also say that some customers have told us they've received lower credit lines than expected. In many cases, this is because their existing credit cards are supplemental cards under their spouse's primary account.
Okay, so they're basically saying, look, there are reasons we're doing this. It's not all black and white you think. There's complications.
Okay. Well, it seems to make sense, except Apple has said they don't offer joint cards. Everyone has to apply individually. You have to do it from your own phone, right? You can't just fill in a form and say, oh, can I have one for my wife too?
Correct, gotcha. It's yourself.
So that bit seems to be self-debunking, and Mrs. Hansson, who described herself as a meek housewife who's not at all keen on publicity, blogged about the matter and agreed to have the blog reposted on Fast Company, where she, kind of meek, right, basically said: as a female person I find this quite scary that I'm being offered a much lower credit limit than my husband just because he's a man, because that's the only difference that they can see between the two of us.
Wait, hang on. This is a bit peculiar. I mean, it's hard to imagine that there's an individual at Goldman Sachs or Apple who's making this kind of decision. So there probably is a bit of code or something.
That was actually, that was another thing that Mr. Hansson said that when he did get in touch with Apple, the Apple person said, oh, there's nothing we can do. It's all about the algorithm. We have no control over this.
You know, no one's looking after that algorithm. No one's there tweaking it. This is the problem.
So Goldman Sachs, whatever they say about "we don't know about your gender status or your marital status", etc., etc., all they're doing is buying in a database from Experian or whatever, and they're saying, okay, so if someone has a score of this, then they get this. Whatever they're reading in somebody else's score that's been applied to you, based on data that's been gathered about you from somewhere that you don't know about and that they don't know about, and deciding how to interpret it pretty much at random, really, because it's the first time they've done it, because they've not done a credit card before.
Well, you haven't explained that it's not sexist, though.
Well, I'm not saying it's not sexist. I'm just saying it's not Apple that's being sexist. It's not necessarily Goldman Sachs that's being sexist. It's the whole...
John, I'm going to put... No, come on. Is this sexism or not, John?
AI algorithms, machine learning, what they are doing is they're taking in huge amounts of data and they're interpreting it. They're looking at it. And if that data is biased towards a particular gender, then the output of the AI machine learning algorithm is going to be biased.
And if there is hundreds of years' worth of evidence that people with the occupation of meek housewife are worse at paying off their debts than developer of Ruby on Rails or something like that. No, but
That's not what they're finding. That's the problem here. They're not finding that. Her credit score was better than his. Isn't that what you said? Mrs. Hansson's credit score was better than Mr. Hansson?
She did claim that, yeah. Yeah.
So she had a better credit score, yet he got 20 times, not 20%, 20 times more money. Now, all this is not real money. This is just a loan, right, from someone. God knows what the interest rate is with the Apple store. It's probably 25% APR just to have the cool tech in your hand.
Oh, they claim it's very good.
Oh, okay. Well, maybe I should get one. Guys, I kind of think you guys are outrageous. You're both a bit outrageous, actually. If it was the other way around, you'd be freaking out. You'd be freaking out.
I think a lot of people are freaking out. If your wives went out and got 20 times the money on their credit limit and you didn't?
I wouldn't be aware. You would when you got the bills. Is this all just a fuss because it's the Apple card? Which doesn't have a number and it is laser etched. And I wonder if this actually also happens in plenty of other cards.
That's a really good point, Graham. People are just creating a fuss because it's got the word Apple attached.
That's exactly what I was trying to say is that it's not Apple that's doing this. It's not even Goldman Sachs that's doing this. It's whoever is providing them with this credit rating data, which is based on whatever they can find out about you or they can be asked to find out about you. Maybe they're not going around to your house and looking through your bins.
Yeah, in other words though, this could be a much bigger problem. So Apple may be the tip of the iceberg, but it might be actually systemic across all credit cards.
I think it's systemic across all anything that involves machine learning, that it has to be fed with data. And the data has to come from people and people are biased. And if you have 20 years of historic data from something to base a decision on, you have no way of knowing how much of that data was gathered by racists or sexists or anti-ginger people or whatever.
Right, well, hey, listeners, follow John's advice. Just who cares? Just deal with it.
Deal with the bias. Put your money in gold, bury it at the end of the garden, never spend it. That's not what I'm saying. Have much better stuff to feed your machine learning algorithms. Why are you pushing gold rather than silver or some other metal? Okay, tin works very well. As a West Country lad, do it in tin. Or Cornish pasties. No, don't bury pasties. Do not bury a pasty. Carole! Sorry, yes. Carole, what have you got for us this week? Okay, well first, listen to this sound. Are you intoxicated by this sound? Do you feel it's mocking you with its joyous tweet-tweet? They don't refer to it as a brown thrush though. No, no, they tend to avoid that. Brown bird, how about that?
I expect they're not trying to say that. I expect that would be a bad marketing message.
Are they trying to sing us to sleep?
No, you probably haven't heard of Project Nightingale, but don't worry, it's only hit the streets this week. The Wall Street Journal published an explosive article on the company's new foray into private medical data. So in an exclusive interview penned by Rob Copeland, we learned that Google had teamed up with Ascension Health to secretly collate and crunch personal health information of millions of Americans across 21 states. Who is Ascension, you ask?
Who is Ascension? I was asking. Well, they're only the second largest non-profit health system in the states, and their strapline on their homepage is, "We are Ascension driven by compassion and a dedication to provide personalized care for all especially those most in need." Ooh. That sounds rather suboptimal.
Totally. So I did, of course, go and look at the HIPAA privacy rule because that's what regulates.
Because you know how to have a good time. And thank goodness, Carole, that you are on our podcast and you are the person who reads the terms and conditions. You read the privacy policies.
I just looked at the summary this week. I was busy.
But that's more than any of us would do.
All right, good. A major goal of the HIPAA privacy rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care. So you can already see the push-me-pull-you happening here, right? I also get it, right? You want to protect the identity of the person, but you also want to say, look, I've got someone here having a triple bypass. I need some help. Here's the stats. Here's his blood type. What can I do? So I can understand that. Now, the Wall Street Journal reported that Ascension employees raised questions about the way the data was being collected and shared. But privacy experts said it appeared to be permissible under federal law because the HIPAA Act, which came into effect in 1996, apparently quote "generally allows hospitals to share data with business partners without telling patients as long as the information is used only to help the covered entity," which would be the hospital, "carry out its health care functions."
Help is the important word there. So people raised an alarm, people said oh wait should we really be doing this? Should we be sharing Joe Schmoe's private hospitalization records with Google.
And they were told, hush, hush, hush.
Hush. Yes. Hush, hush. Don't speak. I know just what you're thinking. Yeah, that's what happened. Now, why didn't Google want to tell anybody? And they probably didn't want to tell anyone because they didn't want their competitors alerted. Because this must be a thorn in the sides of Google's competitors, namely Apple, Microsoft, and Amazon, all of whom are also aggressively pushing into the health market. Now, do you guys remember? I'm just gonna take a left turn here. Do you guys remember a few weeks ago Google bought Fitbit for $2.1 billion? $2.1 billion. Okay, now please don your conspiracy hats, because I have one for you to noodle on. So Guy buys a Fitbit gadget, right? Guy enters in all his data, right, so his height, his weight, where he goes, how fast he got there, what method of transport he used, how much sleep he got. Graham, you had one. Didn't you have one of these? I didn't have a Fitbit. No, I had something from another manufacturer. But there are a lot of these things around, aren't there?
You wouldn't want it running out, would you? Mid-session. So there you are. Guy's bought the Fitbit gadget, paid money for it, entered in all his data, right? And then the Fitbit gadget company somehow amasses all of Guy's personal data over the years and months that he's used this little gadget. And Fitbit's done this to millions of others out there as well.
Yes, good. Very good, Carole. Must have taken you hours. No wonder you were busy today. About a minute. About a minute. Okay. I see that 10 times a day you appear to be running vigorously.
Okay, breathe. Breathe. We don't want to die. I'm very funny. Okay, here's a serious question. Serious question. So $2.1 billion. How much of that do you think has basically been given to Fitbit for the data that Fitbit has collected throughout the years and processed at the user's expense effectively? Because some people actually pay more, right? They paid for additional services so they can give even more intrusive data to Fitbit. So people are actually paying monthly services to Fitbit when they're using it. So in other words, think about it, right? How valuable would Fitbit have been if they could sell themselves without any data, right? Without the data at all. And I get it, right? I get the service becomes moot because without the data history, you don't want to use it as a user, right? You don't have any service. You can't, you know, you'd cry because it's like, oh, my records with my five-knuckle shuffle. You know, I've lost all that. But surely—
Fitbit users have the right and ability to log into their account and wipe it out, don't they? If they felt strongly enough about it, I'm—
I'm sure many wouldn't. I'm sure it's really simple to do as well.
And also, what proportion of Fitbit users actually paid any attention to the news in the Financial Times that Google had bought a stake in their company or whatever?
But I have a solution. Unlike John, who delivered a story with just doom and gloom and saying, yeah, well, there you go. The bias is there, right? I have a solution.
Thank you, Carole.
Okay. So when a company sells itself, I say a third party has to value the company with and without its collated data from its users. And the company value associated with the collected user data, so basically the money that they make because they're snarfing up all the user data, should be distributed amongst the users who gave that data. So effectively, like a financial shareholder system, but with information. So you've given us free information. We've become billionaires off your back. Here's a little kickback. Thank you very much. It's pretty good.
Well, that sounds wonderful, Carole. Can you imagine any companies doing this?
Yes.
Oh, excellent. Go do it, people. Prove me right.
What are people going to do with this data once they've become owners of it again?
Well, they're owners that can lease out their data when they put it into these services. Rather than services saying, hey, here's a little shiny thing you can wear on your wrist that helps you keep fit, which was the sales pitch. And people put it on and they use it. And all that data gets amassed. Now it's being used in ways that they didn't ever predict beforehand. Don't you think they should be asked, going, oh, by the way, you gave us, you lent us this information. Do you mind if we sell it on?
And you're thinking people would get some money out of this? They'd be saying, oh, you've been wearing this pedometer for six months.
You can't say pedometer.
We're not allowed to say pedometer? They get 0.3 cents or something for their six months of walking time?
I used to have Irwin toy shares when I was a kid. And I would get something like 61p a quarter. That's pretty good going. Thank you, grandad.
Well done, Carole. Good to see. It's a great suggestion and I look forward to hearing the first companies to take it on. And well done you for coming up with a topic where you have some positive advice at the end, a suggestion, unlike you, John. You could learn something from that, John, you could learn something from that.
Can I just put a slight downer on this one?
Oh, I thought you would.
But in a positive way.
You're going to put a downer in a positive way? This will be a smile. We'll be the judge of whether this is done in a positive way or not.
Look, Google, what Google is doing here, right, is trying to amass massive amounts of data about people's walking and habits and making use of it to analyze the human and be better at spotting when something weird's happening with you or whatever. You're sick and we can tell because 10 million other people when they suddenly their left knee went wobbly a month later developed, I don't know, some horrible brain disease. And they're doing that for the good of humanity to be able to, I know it's not ideal that Google's doing it, it should be someone, it should be governments and universities really, but somebody has to be doing it.
No, exactly. That's the sales pitch too, right? That's what Ascension and anyone else who partners in this way with other companies, tech companies are going to say to you. They're going to say, look, this saves lives. That's why you want to do this, right? And that is the sales pitch. But the other side, the flip side of the coin is, well, when is it going to be that insurers get access to the data and can deny you? Or when is it when employers get access to this data and they decide, oh, wow, you're at risk of Parkinson's so we're not going to hire you? I see how it's going to be sold to us as a really great thing, but I don't hear enough about the flip side, when it's going to be misused and how we're going to manage that.
Yeah, I don't imagine Google saying that to people.
That's a really serious point, Graham. I didn't smile once.
Well, lots of gravitas. Well done.
Gravitas. That's me. Middle name. Gravity. Okay, hand on heart time. How many of you can say that your password hygiene is squeaky clean? If you're feeling it could use a tune-up, maybe check out LastPass Enterprise. With central admin oversight, controlled shared access, automated user management, you help every employee become part of your security solution. Find out more at lastpass.com/smashing. Plus, I would like to extend a personal invitation to an upcoming LastPass event on Wednesday, November 27th in the wonderful city of Manchester. Occasional Smashing Security guest host Jessica Barker and yours truly are going to be talking about all things security related. We would love to see you there. Check out the registration page on LastPass.com/smashing. On with the show.
And welcome back. And you join us in our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like.
Have you ever had a record?
Yes, I have. Actually, yes.
Is that the vinyl?
After 154, you've had everything.
Doesn't have to be security-related necessarily.
Should not be.
And my pick of the week this week is a podcast. I was going up to a conference up north in Cheshire, and I had to entertain myself listening to something, and so I listened to a podcast.
Is it Smashing Security?
Not Smashing Security, no.
That's security-related, surely.
We have had people come on and recommend their own podcasts in the past, of course, during the Pick of the Week. It may not be the right forum for this one. No, the podcast which I listen to is called The Missing Crypto Queen.
Oh, darn it. I was supposed to listen to that, Graham.
I did tell you.
I'm sorry. You did tell me.
Yes, I did.
I've been very busy.
Well, you know what, Carole? I've been very busy, but I've watched two of your art documentaries on YouTube.
Ooh. So why didn't you tell me that when you were telling me to listen to it? All you said is listen to this. So
The interesting thing about OneCoin was it turned out it didn't have a blockchain. It was a cryptocurrency without a blockchain. If you bought some OneCoin, what that gave you was access to a website which told you there was a number on the website which showed you what the value of OneCoin was. Every day, the number would go up, and you would think, "I'm going to be so rich." And then you'd get all of your friends to buy OneCoin, and you would make more money that way, and you'd get more and more OneCoin. This was all being masterminded by a woman called Dr. Ruja Ignatova, who was very public and giving presentations. And then, a couple of years ago, she vanished, and the big question of the podcast is why did she vanish and where did she go and what happened to her. Jamie Bartlett from the BBC presents this story and it is fascinating. At the end of every episode there's a cliffhanger and you can go thinking what is going to happen. It takes you all around the world — at one point you're in a sort of marina filled with luxury yachts because they're trying to track it down, then there are Romanian beauty pageants being run by the OneCoin cryptocurrency.
I'm totally gonna download this. I love this, sounds great.
Really recommend it. No spoilers, but it was put together by the BBC, but you will find it in most good podcast apps as well as BBC Sounds, and it's called The Missing Crypto Queen.
So I want to talk a little bit about a TV show which is on Amazon Prime. I assume you can just kind of rent it from Amazon too if you don't like the Prime thing.
What's the premise of the show though, John?
Well exactly, it's bonkers. So it's a kind of relationship personal drama about a young lady in Texas who's got a boyfriend and has had a car crash and her dad's died and—
Basically is she losing her mind or she got secret powers?
Exactly, thank you. When I look this up though, it's on Wikipedia, it's in the mental illness in television category, which is very unpopular, only has 10 entries, but it includes Legion which is a great show, Flowers which was also excellent, Nighty Night which is great, Mr. Robot — I'm not sure how that's strictly supposed to be there I guess, but yes. There is a kind of, you know, is she crazy or is she time traveling? Nobody knows, there's a whole thing about that. But for me the main thing about it is just the look of it — it uses rotoscoping. So coloring in of — so filming actual live people and then drawing over them afterwards, like the famous A-ha "Take On Me" video, the 1970s Lord of the Rings movie which was also great. The lightsabers in the original Star Wars movies, they did it like that too — they were just carrying sticks and then someone drew over them frame by frame. Someone said why did we film it like this, this looks ridiculous, why didn't we just have glowy sticks? They were in every shop! So the backgrounds are like either oil paintings, and sometimes they're cartoons, and sometimes they're 3D animations, and sometimes it's a mixture of all of them.
It doesn't feel too gimmicky? It doesn't take away—
No, no, no, it looks spectacular. And it really works with the story because it's all a bit kind of, you know, is this a dream, is this real? So the kind of slightly wobbly, slightly weird looking visuals really kind of work with that. And it's only — it's very short, it's like eight thirty minute episodes, so four hours — you can totally binge it in a night.
Isn't that funny how that's become short to us in this time? It's like I could do that in a night, totally.
I didn't do it in a night, but I totally could have done it. It's very much, you get to the end of each episode, you're like, what the hell is going on? I want to see more. And I loved it, it was great.
I agree, I've watched it as well. I think it's awesome.
And it's called Undone on Amazon.
Yes, Undone. It's on Amazon Prime, Amazon stuff, generally streaming, downloading from Amazon. Fantastic.
Carole, what's your pick of the week?
Okay, I got a weird one this week. So I was just mooching along my feeds, right? I have pick of the week feeds. I don't know if you do, Graham, but it gets hard after 150 something episodes to come up with cool weekly picks.
Oh, really? You don't have any trouble?
No, never had any trouble at all.
Oh, right. Okay, good. So I have a few feeds, and I came across this kind of nascent YouTube channel. How often does that happen, right? A tiny little thing with hardly any followers, but somehow just magical in a way. Oh, and you know the other thing? In modern Monopoly sets, they only print the denomination of the money on one side.
I've done that too, actually.
Scrabble. The old Scrabble board. Spectacular.
Yeah. I'm going to tell you something. Okay. And I should have researched this before I got on the call. But this is a memory of two years ago listening to a podcast. So I may get some facts wrong. I think it was Stuff You Should Know. And they were doing a podcast about Monopoly. Stuff You Should Know About Monopoly. And apparently, if I remember correctly, a woman created the game because she was so frustrated with the banks and the lending system and how the rich got richer and the poor got poorer and created the game against the capitalists. And who's the game company that bought it? I can't remember, but that company tried to buy it from her and she said, no, you can't have it, right? It's to make fun of you, not for you. And so they created, if I remember correctly, a fake persona to buy it from her and she didn't know it was them. And they got the rights and then they created it to this big capitalistic game. That's just sneaky.
Yeah. So there you go. Monopoly was really on Bernie Sanders' side. Who knew?
Who would have guessed that? Fascinating. Does everybody that's involved have to be in on it? Or are there different rules, Carole?
Yes, there's tiny different rules. So if you watch the video, when you pass Go, you only get $100.
I don't think you were ever meant to get money on free parking. I mean, that was a rule we played in our house.
That's because they wanted to keep it under an hour.
But I think in the official rules, you don't get money if you land on free parking.
I think you are wrong. I think it's an urban myth.
I think it's an urban myth.
I think you're incorrect.
Anyway, I think, anyone who can play Monopoly for 30 minutes, anyone can do that. And if you have a Monopoly lover in your house, check out the rules and then you can play for 30 minutes and everyone's happy. Win-win.
I think it would be a lot better if you could just rock up at a Monopoly game and everyone else is playing seriously and you force the game to finish in 30 minutes using special talent that you've learned from this YouTube video.
You're so underhand, John.
What? No, not in an underhand way.
I feel sorry for your wife. That's what I feel sorry for. What a way to think.
No, no, I'm very secretive. I'm just a meek housewife.
But you can follow us on Twitter at Smash Security, no G. Twitter wouldn't allow us to have a G. And we're also on Reddit if you want to carry on the discussion up there. Just look for the subreddit with the name Smash Security.
And once again, thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free, and thank you, awesome, wonderful listeners and Patreon supporters. It would literally be futile and ridiculous for Graham and I to do this show without you, so thank you for existing. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us until—
Next time, cheerio, bye bye, later, cheerio!
I can't remember before we spoke about it. There was the Icon smart condom, for instance, do you remember that? The world's— And what it did was you were able to track the size of your man bits and it would also detect chlamydia and syphilis. And it even had a micro USB port I was charging up so—
Yeah, you wouldn't want it running out would you mid-session.
You know what, for Christmas, for the Christmas special, I reckon we should get out of being timely and just choose one of the best stories of all time.
I think we should just do an unboxing and review. You can't— Yeah, okay, no.
Let's not, let's get some bananas in.