Kemi Badenoch MP, self-confessed website hacker

Ten years ago she hacked the blog of Harriet Harman MP.

Graham Cluley

In 2008, someone hacked the website of British MP Harriet Harman.

Harman, who was deputy leader of the Labour Party at the time, had a spoof message posted on her blog claiming that she had resigned and was switching to the Conservatives:

To friends, foes and fans,

Below is a copy of the resignation letter that landed on Gordon’s desk this morning.
I couldn’t be bothered to type a completely new one, seeing as Quentin Davies (LO-SER!) had written a perfectly good one here, I thought I’d just change the relevant sections… a swap for a swap if you like.

In another update, the hacked website claimed that Harman was lending her support to Boris Johnson, the Conservative candidate for Mayor of London.

Harman backs Boris?

How did a hacker break into Harman’s website? Well, according to the Guido Fawkes blog, they discovered that Harriet Harman’s password was, ummm… rather weak.

Username: Harriet
Password: Harman

Oh dear oh dear. Of course, it wasn’t to be the last time that British parliamentarians were found to have a poor grasp of computer security.


So, why talk about this 2008 hack now? Well, we now know who hacked Harriet Harman’s website.

Last year, Kemi Badenoch was elected the Conservative MP for Saffron Walden. Badenoch is perhaps not your typical Tory MP. She studied computer systems engineering at university, and has since worked as a software engineer and systems analyst.

And, when she starred in a video answering quirky questions, she revealed her naughty secret between giggles:

Interviewer: What’s the naughtiest thing you’ve ever done?

Kemi Badenoch: About 10 years ago I hacked into… a Labour MP’s website and I changed all the stuff in there to say nice things about Tories.

Breaking into someone else’s website is, of course, an offence under the Computer Misuse Act (unauthorised access), and changing its content is also an offence (unauthorised modification). No laughing matter.

It doesn’t matter a jot that Harriet Harman had such an appalling password.

The version of the video published on YouTube, perhaps sensibly, chose to edit out the naughty secret. But the Mail on Sunday managed to get its paws on a copy regardless last weekend.

This media interest motivated Badenoch to issue an apology, describing the incident as “a foolish prank over a decade ago, for which I apologise”.

With so much time having passed I don’t think Kemi Badenoch is going to find herself in any legal trouble, and Harriet Harman has forgiven her.

But even though Badenoch’s hack was motivated more by mischief than malice or money, I think it’s a pretty poor show. Badenoch was 28 years old at the time of the offence, and can hardly shrug off the incident as the result of a heady cocktail of political fervour and youthful exuberance.

To hear more about this incident, be sure to listen to this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARIA VARMAZIS
That's the right answer, but does she deserve being dogpiled on and then having people go after—
GRAHAM CLULEY
No, no, I mean, no, yes, I agree with you.
CAROLE THERIAULT
I mean, I was gonna say, whoa, get the popcorn!
Unknown
Smashing Security, episode 73, Rick Astley, Never Gonna Hack You Up, with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to another episode of Smashing Security, episode 73.

My name is Graham Cluley.
CAROLE THERIAULT
73, I'm starting to feel old. I'm Carole Theriault.
GRAHAM CLULEY
Starting to feel old? You are old.
CAROLE THERIAULT
How dare you.
GRAHAM CLULEY
And we are joined this week by the lovely returning Maria Varmazis. Hello, Maria.
MARIA VARMAZIS
Hello, and what did you call me?
GRAHAM CLULEY
I said the lovely returning.
MARIA VARMAZIS
Oh, what did you hear, Maria?
CAROLE THERIAULT
No comment. I think her laugh says it all. This is going to be a fun show.
MARIA VARMAZIS
I'm glad to be back. Just don't call me returning.
GRAHAM CLULEY
Sorry, I won't use the R word again.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.

But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.

Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
GRAHAM CLULEY
And welcome back, and gals, I've got a question for you.
CAROLE THERIAULT
Girls?
MARIA VARMAZIS
Gals.
GRAHAM CLULEY
Wait, wait, what do you want me to call you?
CAROLE THERIAULT
Guys.
MARIA VARMAZIS
Sophos.
GRAHAM CLULEY
Sistas, what is the naughtiest thing that you've ever done?
CAROLE THERIAULT
Oh boy, I don't think I'm ready to share that on radio.
MARIA VARMAZIS
I was almost late with my taxes once. That— yeah, pass on that one.
GRAHAM CLULEY
You're passing, are you, Carole?
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
Some people did something a bit naughty 10 years ago because someone hacked the website of a British politician called Harriet Harman, a member of Parliament, sometimes a cabinet minister and deputy leader of the Labour Party.

They hacked into her account back in 2008 where she blogged, and they posted a spoof resignation letter. And the letter went like this.

It said, to friends, foes, and fans, below is a copy of the resignation letter that has landed on Gordon Brown's desk this morning.

I couldn't be bothered to type a completely new one, so I've used instead one from Quentin Davies. Loser, it said. Who's written a perfectly good one here.

So she linked to someone else's resignation. Anyway, it's a very bizarre thing for a senior politician, right, to post up.
MARIA VARMAZIS
So 2008, this is a really current story. Yeah, I know.
GRAHAM CLULEY
Yeah, I like to be topical. Well, I don't worry, I'm going to make this topic.

And they also posted up a hoax blog post claiming that Harman, who was then Labour Minister for Women and Equality, that she was supporting BoJo, as Boris Johnson, Boris Johnson, in the Labour— now, Maria, do you know who Boris Johnson is.

I've got an image here which I'm sharing in our Google Doc so you can see what he looks like.
CAROLE THERIAULT
The Mayor of London at his best.
GRAHAM CLULEY
He was Mayor of London, absolutely.
MARIA VARMAZIS
No longer, right?
GRAHAM CLULEY
No, no, no, because he's Trump's buddy now, isn't he? Well, he is very much our equivalent to Donald Trump in some ways.

He led us into the glorious future, which is Brexit, almost became Prime Minister, although he rather fell over his own shoelaces on that one and tends to call games like table tennis whiff-waff.

He's not wrong though. He's quite— what about whiff-waff?
MARIA VARMAZIS
Whiff-waff, that's great.
GRAHAM CLULEY
He's quite an individual.
CAROLE THERIAULT
Yes.
MARIA VARMAZIS
Anyway, so yes, I do know who he is for the record. Okay, great, great.
CAROLE THERIAULT
I know I'm sitting here going, does she get out ever?
GRAHAM CLULEY
Anyway, okay, so this hoax message was posted claiming Harriet Harman was supporting Boris Johnson. Very, very unlikely.

Now, back in 2008, on the Guido Fawkes blog, which is a politics blog, the hacker, at that time Anonymous, described how they managed to gain access to Harriet Harman's blog.

And they used a highly sophisticated technique, I can tell you. The technique was username Harriet, password Harman.
CAROLE THERIAULT
Oh, but is that excusable 10 years ago?
GRAHAM CLULEY
I see the sea lion is back. Well, you know, politicians over the years have shown themselves to be rather incapable when it comes to computer security.

Of course, we recently saw Nadine Dorries, another British MP, who was sharing her password left, right, and center and leaving her computer unlocked and was arguing this was acceptable.
MARIA VARMAZIS
You can just see the intern writing username Harriet, password Harman on the Post-it note and then saying, please make sure to change this later, please, please, please.

And then ignored.
GRAHAM CLULEY
Okay, I don't want to beat up too much. It was 10 years ago. Yes. Hopefully Harriet Harman has learnt.
MARIA VARMAZIS
So why am I talking about this today?
CAROLE THERIAULT
Why the long lead-up?
GRAHAM CLULEY
Let's come back into the future. Let's come back, or at least to 2017. Okay, because there was a newly elected MP in 2017.

Her name is Kemi Badenoch, and she was a number of Conservative MPs, new Conservative MPs, who starred in a series of videos designed to present them with a human face by answering quirky questions.
CAROLE THERIAULT
Yeah. And one of the questions Kemi was asked was, what's the naughtiest thing you've ever done?
GRAHAM CLULEY
What's the naughtiest thing you've ever done?
MARIA VARMAZIS
Now, seriously?
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
Don't ask a question you don't want to know an answer to, is all I have to say.
GRAHAM CLULEY
Well, the version of the video which was published on YouTube where she asked these questions perhaps sensibly chose to edit out that question and answer.

But this week, the media managed to get hold of a copy of the original tape, and we are going to watch it right now, okay?

I'm just sharing the link with you so you can watch the video.
CAROLE THERIAULT
Okay, I'm actually going to watch this time.
MARIA VARMAZIS
I'm watching it.
GRAHAM CLULEY
What's the naughtiest thing you've ever done?
CAROLE THERIAULT
The naughtiest thing?

I, about 10 years ago, I hacked into— oh my God, this is about— I hacked into an MP's, another MP's, a Labour MP's website, and I changed all the stuff in there to say nice things about Tories.

Nice. Yeah, but I wouldn't name who.
MARIA VARMAZIS
Oh, oh, snap, snap, lady!
CAROLE THERIAULT
What was the time period? She said— did she say a few years ago?
GRAHAM CLULEY
She says 10 years ago.
CAROLE THERIAULT
Oh, way back in 2008.
GRAHAM CLULEY
Well, the media worked out that what she was talking about was the hack of Harriet Harman's blog in 2008.

So the Mail on Sunday grabbed hold of this, and Kemi Badenoch has now said, "Look, this was a foolish prank over a decade ago, for which I now apologize." Presumably she's not laughing quite so much now.

I find it quite giggling and sniggering about it.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And an anonymous source at Conservative HQ, effectively her bosses, they played down the incident, describing it as not real hacking, as the password had been guessed.

But how do you feel about that? Is that hacking or not?
CAROLE THERIAULT
Absolutely, it's hacking.

Just because someone guesses a password — now, we always warn about weak passwords all the time, but just because someone has a weak password and you happen to guess it doesn't mean you've not broken the law.
GRAHAM CLULEY
Exactly.

My view is that this is a breach under several areas of the Computer Misuse Act, because this was unauthorized access to a computer system and then unauthorized modification as well, because she was posting blog posts.

So this was a criminal act, it seems to me, which she's now admitted to on video and had a good snigger about.
MARIA VARMAZIS
Oh, but it feels like a leftover from a more innocent age though, doesn't it? When this was the sort of funny stuff that people used to do, that was the worst of it.

I don't know, it's making me feel very nostalgic.
GRAHAM CLULEY
Well, yeah, but it was 2008. It wasn't 1998.
CAROLE THERIAULT
I know, but Maria is much younger, right? So for her, it's like before the dawn of time.
GRAHAM CLULEY
Thanks for reminding us. And Kemi Badenoch was 28 when she did this, right? She's nearly 40 now. And it's like, it wasn't really just a teenage prank, this, was it? Pretty immature.
CAROLE THERIAULT
I think this says that maybe MPs need to get a bit of cybersecurity training going on, because this is not the first time we've seen the UK government talk about security in a way that's slightly embarrassing.
GRAHAM CLULEY
Yeah, not only do people need to protect themselves better — let's hope Harriet Harman has obviously learned from that incident all those years ago — but also they need to set a better example, because if people go on video and go, "Oh, you won't believe what I did, I launched a denial of service attack against Margaret Thatcher" or something like that.

It's Margaret Thatcher, I'm keeping it current.
MARIA VARMAZIS
How does that work exactly?
CAROLE THERIAULT
She's no longer with us.
GRAHAM CLULEY
Gerald Ford. Herbert Hoover.
MARIA VARMAZIS
All services are being denied at this point.
GRAHAM CLULEY
Anyway, Harriet Harman has accepted the apology. And with the length of time that's passed, I think it's unlikely any legal action is going to be taken.

But I don't know, I just think they should do better.

I think there must be parts of the world where we have senior politicians who really represent a fine example for young people, people who they can look up to and say, "Yes, I want to be more like him or her when I get older." I can't think of any countries at the moment.

Let's go to Maria, who's based in America instead.
MARIA VARMAZIS
What can I do with that segue? Well, I'm going to deflect completely to a different country because I'm going to talk about Austria today.
GRAHAM CLULEY
Which has never produced any dodgy politicians whatsoever.
MARIA VARMAZIS
I walked right into that one. Well, I mean, my story involves Austria, and my story started with an innocent enough question on Twitter last week.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So one Claudia Pellegrino of Darmstadt, Germany was trying to get confirmation on something she just read on Twitter, and the question was this: Does T-Mobile Austria really store customer passwords in plain text?

Because it had been rumored that they did. So, you know, that's kind of a good question. So she did what most of us would do. Nobody's going to bother calling customer service up.

We use Twitter. So she tweeted at them instead. And the answer she got from a rep named Kathy was, no, no, no, of course we don't do that.

We only store the first 4 characters in plain text.

So this is because customer service reps need to know that you know your own password to make sure you really are who you say you are and that they're talking to the real account owner when you come in to see them.
GRAHAM CLULEY
Yeah. So what they're saying is the support rep, they can see the first 4 characters, but anything after that may be asterisked out or something.
MARIA VARMAZIS
Correct. Correct.
GRAHAM CLULEY
And so if your password was something like fuck you, T-Mobile Austria, you'd only get the first bit of that, which is, yeah, maybe that should be redacted. Okay. Maybe.
MARIA VARMAZIS
So if your password was password and the customer service rep sees pass, yeah, there are 4 more characters after it. One could wager a guess at the rest of the password is word.
GRAHAM CLULEY
Anywho, a much cleaner example.
MARIA VARMAZIS
So we— I think we've established that that practice is problematic.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
So the— yes, it's problematic.
CAROLE THERIAULT
So it's shocking because T-Mobile is not some tiny little outfit.
MARIA VARMAZIS
To be clear, for the sake of anyone here right now who's panicking, T-Mobile Austria is its own thing. It's not part of T-Mobile, the bigger company, I believe.

I think they're not a subsidiary, is my understanding. So they're a smaller shop than they might appear, is what I understand from this.

So when that answer came from the customer service rep, people said, well, okay, that's not good. So they responded to the customer service rep and said, you know, that's not great.

Maybe you should escalate that to somebody internally and say that that's not a great security practice.

And in fact, some helpful security pros on Twitter responded, and one by the name of Eric said, well, what if your infrastructure gets breached and everyone's password is published in plaintext to the whole wide world?
CAROLE THERIAULT
What he said. Exactly right.
MARIA VARMAZIS
It's a good question. And yes, the customer service rep responded with words that will now live in infosec infamy.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
What if this doesn't happen because our security is amazingly good?
CAROLE THERIAULT
Was there a smiley face at the end?
MARIA VARMAZIS
There was not.
GRAHAM CLULEY
It's a nice positive message, isn't it?
CAROLE THERIAULT
And this is all on Twitter. This is all on Twitter.
MARIA VARMAZIS
It's still on there, by the way. This hasn't been deleted. And unfortunately, the exchange doesn't end there.

Eric, to his great credit, I think, is trying to help the rep out and says— he wants to do some educating and he says, "Well, the bad news for you is nobody's security is that good.

Not even yours. It's not that I say you are 100% getting hacked, but what if an employee accesses the database directly?" A really good question there.

The response, this is a digging the heels in moment. The response from the reps is, "Excuse me?

Do you have any idea how the telecommunication companies work?" Do you know anything about our systems? But I'm glad you have the time to share your view with us. Drama!
GRAHAM CLULEY
Touched a nerve?
MARIA VARMAZIS
A smidge, a smidge. So at this point— She's like, ooh, the water's getting hot, gotta get out, gotta get out, gotta get out. So at this point, you might guess what is happening.

So many helpful Twitterers, tweeters, twits—
CAROLE THERIAULT
The trolls start sniffing blood.
MARIA VARMAZIS
Oh yeah, so the helpful folks are going, you know what, Cath, you may wanna escalate this internally and get off Twitter. Please don't feed the trolls because this is a disaster.

But saying, do you know anything about our systems, kind of reads like an invitation to a number of folks. And then the rather inevitable dogpiling began. And this is the ugly stuff.

So people are going, well, maybe the passwords are being encrypted. Oh no, wait, they're not. Maybe they're not being hashed, blah, blah, blah.

There's a lot of back and forth about what they are and aren't doing.

And the threads just kind of go super deep into, oh, if their password security is really lame, then maybe their website's terrible too, and, oh, look, it's really vulnerable to cross-site scripting attacks, and I'm going to post something on their site for the lulz.

It got really ugly, frankly.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
So that's the sad inevitable side of where these kinds of threats can go, but more encouragingly to me was that we saw a lot of people chiming in saying, here's some helpful advice.

You may want to not just encrypt these passwords, but have them hashed.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
We should also not pile on a customer service rep because why would we expect one of them to have all the security expertise at the top of their head?
GRAHAM CLULEY
Right. You would expect them to be charming with customers, however, and maybe they didn't handle that terribly well. But I do agree with you.

I was watching these threads and I was thinking it felt rather uncomfortable. And I must admit, I put my hands up, I'm sometimes hypocritical. Well, sometimes. Sometimes.
MARIA VARMAZIS
What?
GRAHAM CLULEY
I am a hypocrite. But you know, there have been times when I've sort of jumped into the fray and, you know, had a go at somebody.
CAROLE THERIAULT
Is this an apology?
GRAHAM CLULEY
Hardly.

But on this occasion, it just did feel like everyone's kind of going, "Eh, nah, nah, nah, we know more about security than you." Clearly T-Mobile Austria, at least this customer service rep, doesn't know what they're talking about.

Clearly there's a problem.
CAROLE THERIAULT
Why wouldn't she just say, "Let me get someone in our security department here for you." Should have done that.
MARIA VARMAZIS
Absolutely should have done that.
CAROLE THERIAULT
Yes. But let me find out for you and I'll get back.
MARIA VARMAZIS
That's the right answer. But does she deserve being dogpiled on and then having people go after—
GRAHAM CLULEY
No, no, I mean, yes, I agree with you.
CAROLE THERIAULT
I mean, I was gonna say, whoa, get the popcorn again.
MARIA VARMAZIS
Yeah, she deserves it.
GRAHAM CLULEY
No, I agree with you. I mean, it felt like every plunker out there was just sort of joining. It's like, come on, you know.
CAROLE THERIAULT
What were they saying? What were they saying?
GRAHAM CLULEY
I didn't follow this.
MARIA VARMAZIS
People were basically going, well, I'm giving a TL;DR version of this because there are hundreds of responses to this thread, which is still up on Twitter, so you guys can check it out.

But people are like, I'm gonna go check out their servers now. I'm gonna go try and check and take down their production systems. It's like, come on, really?

Can't we use this sort of moment as a moment, as an opportunity to educate?
CAROLE THERIAULT
You know, be the nice guy.
MARIA VARMAZIS
Yeah, there's no reason to be a dick. I mean, yeah, it's fun to snark, but there's no reason to go that direction. So there is a happy ending to this story.

Many people actually did use this as an opportunity to go, hey, T-Mobile Austria, you guys could do better.

What you're currently doing with plaintext may be in violation of GDPR, so you may want to get on that ASAP.
CAROLE THERIAULT
Chop chop.
MARIA VARMAZIS
So they actually were able to reach out to T-Mobile Austria in a constructive way.

And now, as of April 7th, which was some time ago, apparently customer passwords are being not only salted but also hashed.

So those passwords are now delicious, and they're doing much better by their customers' security. And they did that pretty quickly — the turnaround was pretty quick.

So, you know, we don't have to be assholes to people because they got something wrong.
CAROLE THERIAULT
Yeah, but do you think that maybe the assholes expedited the salting and hashing? Oh my, I know.
GRAHAM CLULEY
Well, that is the thing, isn't it? Sometimes you kick up a stink in order to get a response.

For me, it felt like it was getting a little bit out of hand, and maybe there was a better way to communicate with the company.
CAROLE THERIAULT
I saw something went out of hand on Twitter.
MARIA VARMAZIS
No, I've never heard of that. But here's the thing — people are also saying that that customer service rep should have been fired for all this, and she has not been fired.

They have confirmed that she is still with the company, and actually they've come to her defense saying people calling for her to be fired are kind of frightening.

So I want to say kudos to them for standing by their own employee because that's pretty great.

But that seems like overkill to say this person should be fired because she doesn't know how password encryption should work. I mean, that's just really?

So TL;DR, the passwords are now being apparently secured, so that's great.
GRAHAM CLULEY
Huzzah! Yay! Hooray!
CAROLE THERIAULT
Hooray for that. Yes, a good news cybersecurity story.
MARIA VARMAZIS
Almost. Yeah, well done, Twitter. Well done, internet.
GRAHAM CLULEY
Right. Yes, well done. Keep it up, do that again next time — you did it, it worked. Carole, what's your story for us this week?
CAROLE THERIAULT
Well, I'm gonna be unconventional and we're gonna kick this off with a video.
GRAHAM CLULEY
Okay, good on a podcast.
CAROLE THERIAULT
Yep, I've just sent you a link. Oh yes.
MARIA VARMAZIS
Oh, worse than ransomware.
GRAHAM CLULEY
Oh, for goodness sake, that takes me back.
CAROLE THERIAULT
Now, I didn't just do that for fun — I did this for a reason.

Because researchers from security startup Bastille successfully proved that the emergency alert system used in San Francisco is vulnerable to being Rickrolled.
MARIA VARMAZIS
We're not afraid to love. God, it's like he's here.
GRAHAM CLULEY
Sorry. Holy moly, it's uncanny. So hang on, they took over San Francisco's emergency siren system?
CAROLE THERIAULT
No, no, no. What they did was they wanted to know whether their siren system was vulnerable.

I mean, think about it — we had an accident that happened in Hawaii earlier this year where an emergency alert system went crazy because someone mistakenly pressed the button and it took 14 minutes for a correct alert to be sent out.

So that was very scary. Before that, in Dallas, the warning system was siren-jacked, which is the mot du jour at the moment.

This is where 156 emergency sirens went off in the early hours in the morning and blasted for 90-second durations around 15 individual times.
GRAHAM CLULEY
And what, this was just going honk? It wasn't sort of saying "marshmallow men attacking" or something like that — it was actually just doing a honk?
CAROLE THERIAULT
No, it was just a huge, that horrible, horrible loud siren in the middle of the night.

A security researcher from Bastille Security startup decided to take a look at his hometown's emergency alert siren system, which was in San Francisco, is where he lives.

And he found some rather shocking vulnerabilities. Now, before I get into this, these are proof of concept attacks, right?

So this is where a researcher demonstrates the proof of a never-seen-before vulnerability in a system. So by definition, it's a theoretical threat.

Okay, so he decides to look into this, and he discovers that the sirens get their orders via radio transmissions and that the signals were sent over an unencrypted channel.

So let me quote the Register here. So from this point, Bastille researchers were able to devise a way to intercept those signals and replicate emergency alert signals.

Effectively letting them activate the alarm sirens whenever they wanted.

Bastille estimated that in the wild, the hacker would be able to set off the alarms with little more than a PC and about $30 worth of handheld radio equipment, unquote. Oh my.

And the payload to prove this proof of concept was to blare Rick Astley's "Never Gonna Give You Up." Of course. This research came out on Monday.

Now this is quite a well-packaged piece of research. There's their own website called sirenjack.com. There's a lot of videos showing how it's all done. Have they got a logo?

They've got a logo. So they've done a lot of work on this.

And then this past Tuesday, the Industrial Control Systems Cyber Emergency Response Team, or ICS CERT, issued an advisory on the ATI vulnerability, citing improper authentication, missing encryption of sensitive data.

So these two vulnerabilities, they say, could allow an attacker to remotely trigger false alarms in ATI emergency mass notification systems.

The advice at the time of recording is that ATI are working on a patch and it will be available upon request. Okay, so don't expect to be contacted if you're running an ATI system.

You want to contact ATI, right?
GRAHAM CLULEY
So if you don't want to listen to Rick Astley or whatever else someone might send through, you've got to go and get the patch.
CAROLE THERIAULT
Exactly.

And there's also this recommendation that maybe simple voice radios could be replaced with a digital P25 or APCO Project 25 radio, which provides more secure encrypted links.
GRAHAM CLULEY
I was just about to recommend that. Yeah. A P25 or an APCO Project 25. That's good. Yeah, absolutely. Yeah. Yes.
MARIA VARMAZIS
I'm very familiar with those things. Yep.
CAROLE THERIAULT
Yeah, but see, the thing is, this patching all this doesn't look like it's gonna be a walk in the park for every system.

There's gonna be some firmware and software updates required in some cases. So again, people are advised to get in touch with ATI and monitor ICS CERT reports for updates.
MARIA VARMAZIS
It's a lot of acronyms. I know, it's crazy. This is very military.
CAROLE THERIAULT
I think I've been reading it so long, it actually makes sense to me now.
GRAHAM CLULEY
I would imagine some of these emergency siren systems may have been in place for decades.
CAROLE THERIAULT
Right, so this is the thing. I want to know whether the disclosure was responsible. So I went to ATI's website just to see what they were saying, and they were pretty stumped.

I couldn't see anything prominent in the website, and some mentions in the press suggested that they were playing this down a bit, saying highlighting the proof of concept theoretical aspect and saying that someone would need a lot of knowledge to pull this off.

And it made me wonder whether actually the disclosure was fully done responsibly.

The Bastille website FAQ says that they do indeed support the 90-day notice and they worked with certain, and it seems they did everything right, but there is a problem.

There's no patch. The patch is not ready. So is 90 days long enough to create and test certain patches?
GRAHAM CLULEY
So I'm a little uncomfortable with this because there does seem to be a tendency for security researchers to say, if you can't fix it within 90 days, we're going public.

This seems to be sort of de facto standard. And that's clearly the policy which Bastille have followed on this particular case.

And I think it's very hard sometimes to know whether 90 days is enough because you don't know the ins and outs of the software.

You don't know what other priorities the developers may be working on, what other security patches they may be fixing as well.

And you really need to work alongside the vendor to get a decent estimate as to when the thing can be fixed.
CAROLE THERIAULT
So this is where things get a little controversial for me. ATI are a leading provider of emergency systems.

And these systems currently could be vulnerable and they could be active in a school, in a city, in a hospital, in a government office, in a military base.

So Bastille have done a big full-on media push with dedicated websites, white papers, technical explainers and how-tos, videos showing everything.

So they're really banging the drum on this.
MARIA VARMAZIS
Going off what Graham said though, I mean, isn't responsible disclosure going public only if they've done nothing after 90 days?
GRAHAM CLULEY
Well, I mean, it doesn't sound like they've done nothing.

Yeah, but Maria, they'd set up the website and they'd got the video already and they'd done a logo and they needed to get that out there. You know, they've invested a lot into this.

It is very slick.
MARIA VARMAZIS
I'm quite impressed. If you heard me exclaiming earlier, this is an incredible website.
GRAHAM CLULEY
And this ATI, this stands for Acoustic Technology Inc. It's not to be mixed up with any other ATI.

So they're very specifically in the business and have been for, I don't know, maybe 30 or 40 years of producing these sort of solutions for businesses.

I mean, it is obviously an important thing to fix.

And, you know, it would be good to think that organizations are updating their systems and asking where's the patch if one hasn't been made available.

But yeah, it leaves a slight taste.
CAROLE THERIAULT
It just leaves a bad taste in the mouth, just a tiny bit.

You think, oh, if only they had waited and worked with ATI to publicize it when fix was ready, I would have been much more hat-tippy.
GRAHAM CLULEY
And then there was always the potential that if you really felt they weren't doing anything, you could have gone to the press, you could have gone to the Guardian or the Register or Ars Technica or Wired or something like that and demonstrated this in some fashion and said, look, we've been talking to them about this for the last 9 months and it still hasn't been fixed.

And then create a script.
CAROLE THERIAULT
But 9 months for a startup is a long, long time. So it's like a speedboat versus a tank trying to turn around.
GRAHAM CLULEY
And it, you know, yeah, I think you'll find speedboats are really rubbish on land, Carole. If you're going to try and drive a speedboat next to a tank, that simply won't work.
MARIA VARMAZIS
This whole story just sort of is uncomfortable for me for all the reasons you listed.

And I'm just thinking that these systems themselves are— I'm sure not that long ago, they were almost entirely mechanical systems.

So the whole idea of now we're trying to get all this sophistication in terms of getting them on software update cycles and that kind of thing.

I'm just wondering, the people maintaining this day to day, are they aware of stuff like this? I'm not trying to say, you know, they can't do it.
GRAHAM CLULEY
I don't think they would be aware. I think they'd have outside contractors who install systems.
MARIA VARMAZIS
Yeah, so I'm just kind of like, have we thrown a lot of folks to the wolves right now?

I mean, it's just a lot of these— I would say this is probably a critical infrastructure kind of thing.

There's a lot of vulnerabilities in a lot of these systems that people are really frantically trying to catch up on and just they're not ready for it.
CAROLE THERIAULT
And I think you just hit the nail on the head, Maria. That's exactly the problem I've got with this.

The problem is not only that they did this, but it's critical systems that are under threat in this situation.

And whether this— the threat is no longer theoretical since they've now proved it works, right?
GRAHAM CLULEY
Once again, digital has ruined everything.

If we just relied upon siren systems, which revolved around, I don't know, hamsters or something running around very quickly inside a hamster wheel, and that would trigger a siren, that would power it all into operation.
MARIA VARMAZIS
Just give me a metal pan and a wooden spoon and I'll run around shouting. You know, I'm not happy. You could do it. You could do it. I could do it. I'm loud enough.

I could make this happen. Hey, some shit's going down. Ding, ding, ding, ding, ding, ding, ding.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size. But it isn't just for enterprises.

It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass.
GRAHAM CLULEY
And welcome back to our favorite part of the show, which we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, podcast, whatever you like. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Definitely not me. Maria.
MARIA VARMAZIS
Oh, sorry. Should I scramble and get something different? No.
CAROLE THERIAULT
I just like to give you shit.
MARIA VARMAZIS
I was gonna do my one security related pick of the week for once. You're allowed.
GRAHAM CLULEY
'Cause it's you. Maria, calm down. I'm on first, right? You've still got a few seconds to consider whether you've made the right decision.

My pick of the week this week is a game which I've been playing on the Nintendo Switch with my son, but it is also available for iOS, Android, and Steam, and it's called The Adventures of Bertram Fiddle.
CAROLE THERIAULT
Oh, it's the most beautiful name ever for a game.
GRAHAM CLULEY
Episode 1: A Dreadly Business. And this is a point-and-click adventure game.

So if you've ever played something like, I don't know, The Secret of Monkey Island or Day of the Tentacle, Puzzle or one of those fantastic old games, you'll know what this is all about.

You're moving around the screen solving puzzles. And Bertram Fiddle is a Victorian adventurer.

And with his trusty one-eyed Peruvian manservant called Gavin, he is on the trail of Geoff the Murderer, who shouldn't be mixed up with Jack the Ripper at all.
CAROLE THERIAULT
Yeah, I saw a bit of this. I saw a bit of this when I was over at Graham's on the weekend, and it is glorious looking. It's so beautiful, the drawings.

It's so pretty and funny and a bit rude, but not rude. It is a bit rude. It does it on both levels, where it's rude for an adult but very literal for a kid.
GRAHAM CLULEY
Yes. Whereas our podcast is a sort of single entendre, The Adventures of Bertram Fiddle is a double entendre.
CAROLE THERIAULT
Wasn't there something about going into Mrs. Havisham's bush?
GRAHAM CLULEY
I think it was, yeah. So Lady Fabishion has a secret garden which hasn't been pruned recently, and so you need to get the clippers out.
MARIA VARMAZIS
All right, I need to get a new pick of the week.
GRAHAM CLULEY
You have to discover what's in her drawers, and there's— you're on the trail of Lord Arthewipe. I love it, I love it. It is very funny. So I was there with a 7-year-old.

He was enjoying it greatly for the puzzle solving. And I was sort of chortling away in the background at some of the things that were being said. Here's the problem with it.

I've actually already finished it. I finished it on the day that I bought it. Only cost about £4 in the Switch store.

It's supposed to be a series of adventures, so it does end on a sort of cliffhanger and you're sort of dying to play part 2.

Now, from what I've read, part 2 is already available on some platforms, but apparently it's a bit buggy and it's got some bad reviews.

Part 1, Episode 1: A Dreadly Business, of The Adventures of Bertram Fiddle is a lot of fun.

So I'd suggest waiting a little bit before going for part 2, make sure they've ironed out the bugs. It's very much an independent game.

It feels like it's by a very small group of guys who've been crowdfunding it, but very, very amusing.

So support episode 1 at the very least, because you'll certainly get a few hours of fun out of it.
CAROLE THERIAULT
Well, if you have a Switch, you can get it on your smartphone.
MARIA VARMAZIS
They're great.
GRAHAM CLULEY
Oh my gosh. Oh yeah, Switches are fantastic.
MARIA VARMAZIS
Get the Switch and play Breath of the Wild forever. And then when you're done, and you're never going to be done, play this.
CAROLE THERIAULT
No, I know my other half really wants a Switch.
GRAHAM CLULEY
They're really cool. Yeah. Really cool.
CAROLE THERIAULT
I know we're thinking about it.
GRAHAM CLULEY
We're thinking about it. So Maria, what is your highly security-related pick of the week?
MARIA VARMAZIS
You know what? I'm going to pull the rug out because I was going to do my security-related one, but now I'm going to change it.
GRAHAM CLULEY
She's changing it. This has never happened on the fly before. This is most unorthodox.
CAROLE THERIAULT
You're going to have to tweet out what your security one was when we publish the show.
MARIA VARMAZIS
Should I just shout out the link? It's a very quick one. I can just say what it was. It's securitytxt.org. That was my security-related pick of the week.

It's a really tiny little website that's awesome.

And if you've got, if you're starting from zero, security-wise at your company, if you're a startup or something, this is a great place to go to.
GRAHAM CLULEY
Would have been handy for T-Mobile Austria, I think.
MARIA VARMAZIS
Might have been, might have been. Especially, actually, it would have been handy for Panera. Yeah, so that was actually one of the reasons I was picking it.

But there's not much else I can say about that. So I was going to change my pick of the week from that, or maybe I'll do an and pick of the week.

I'm going to suggest a documentary that I just saw on Netflix that is getting a lot of press, and I'm going to opine on it briefly. It's called Wild Wild Country.
CAROLE THERIAULT
It's on my list. It's on my list, don't say too much.
MARIA VARMAZIS
Is it good?

It's— it is about the Rajneeshi cult that was— that made its own compound out in Oregon, and they basically took over an entire little town in Oregon, and all sorts of shenanigans happen.

And if I literally say anything more about that, if you don't remember what happened, or didn't hear about it in the '80s when it happened, I don't want to give it away because it's a really— it's a wild ride.

It's actually— it's 6 episodes long, it's extremely long. It could have done with a lot of editing, I thought. And it is a bit problematic in my opinion.

Not a flawless documentary, but it's a very interesting watch.

And everybody's— at least in the media I'm reading, everybody's talking about it right now because it just came out a few weeks ago, very bingeable.
GRAHAM CLULEY
I'd love to watch it. Yep, I'll put it on my list.
MARIA VARMAZIS
If you remember all the cult stuff happening in the '80s, at least in the States, there's so many cults around here.

It seemed like in the news, this is a big one, so it takes me back.
GRAHAM CLULEY
I think you've still got one now, actually, Maria, to be honest. Never mind, anyway. Me personally? No, not— well, yes, of course.

She has a following of people throwing rose leaves in front of her all the time, I'm sure, but I wasn't actually thinking of Maria, lovely and fragrant as she is.
MARIA VARMAZIS
Like garlic, you know, garlic and olive oil. It falls to the ground.
GRAHAM CLULEY
Thank you for that excellent Pick of the Week.
CAROLE THERIAULT
Graham, what's your Pick of the Week? Are you getting bored with the name of Pick of the Week? You're just having fun with it. Pick of the Week.
GRAHAM CLULEY
No, I love the— I love Pick of the Week.
MARIA VARMAZIS
Not every time. Pick of the Week.
CAROLE THERIAULT
So my Pick of the Week is not security related at all.

And Graham, you know what it is because I hinted to it last week, and then I saw you at the weekend and I gave you one of these, didn't I?

And before we tell everyone what it is, do you have anything to say about it? Do you have anything, do you want to—
GRAHAM CLULEY
I love it. It is here right in front of me right now, and it has a rather bulbous head.

And if I tap it, if I put it— if I stretch out my finger and just stroke the very top of the head, something magical happens. No.
CAROLE THERIAULT
Okay, it's just a light. It's a light from a company called Hroom, H-R-O-O-M-E, and it's quite cool.

It's the shape of a small dog, it's made entirely of ash wood, and the legs and head are movable, so you can kind of place your wooden dog lamp into any posture, just like a real dog.

And the touch-sensitive on-off switch on the crown of the head is quite cute, it's like you're kind of patting your dog, and that's how you turn on the light.
GRAHAM CLULEY
That's exactly how I like to turn it on. Seriously, I'm just gonna leave right now, I'm gonna leave the room.

I'll leave you, I'll let you finish the show because I shouldn't be— I'm taking off my headphones. I'm going, I'm going, all right, I'm off.
MARIA VARMAZIS
All right, all right, Carole, he's gone now. He's gone, this is good, all right.
CAROLE THERIAULT
What is wrong with him?
GRAHAM CLULEY
Hello, I'm back. I'm back, damn.
MARIA VARMAZIS
Oh wait, hi! Oh yes, it was wonderful.
GRAHAM CLULEY
Crow, this is a lovely gift and yeah, it's tremendous. What more can we say about it? It goes into a variety of positions. Nothing!
CAROLE THERIAULT
We can just say get one. It's very, very lovely.
MARIA VARMAZIS
I'm not a dog person. Oh.
GRAHAM CLULEY
I'm sorry, she's not a dog person.
MARIA VARMAZIS
I'm never invited on the podcast again. I actually like dogs, but I'm more of a cat person.
GRAHAM CLULEY
I'm sorry. It's possible to like both.
MARIA VARMAZIS
Yes, it's true. And I do.
GRAHAM CLULEY
You just have a preference. All right, that's all right. Okay, well, next time you're on, Maria, maybe you'd like to make your pick of the week cats or something like that.

That just about wraps it up for this week. Thank you very much, Maria, for joining us once again.
MARIA VARMAZIS
If people want to follow you on the tweets, @mvarmazis. That's my first initial and last name.
GRAHAM CLULEY
Piece of cake typing that in, I imagine.
MARIA VARMAZIS
M-V-A-R-M-A-Z-I-S. I'm really— it's out there. Yeah.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity. No G, Twitter wouldn't allow us to have a G.

And you can buy stickers and mugs and t-shirts and things like that at smashingsecurity.com/store. And thanks for tuning in. If you like the show, rate it on Apple Podcast.

It really does help new listeners discover the show, and you can check out past episodes at smashingsecurity.com. And until next time, toodle-oo, bye-bye.
CAROLE THERIAULT
Cheerio, everyone. Oh, bye.
MARIA VARMAZIS
Perfect. I didn't know if you wanted me to say bye.
CAROLE THERIAULT
Are you one of those cool people that doesn't say bye at the end of a phone call? You just kind of go, I'll see you later, hang up.
MARIA VARMAZIS
I'm just like in the movies. I just hang up.
GRAHAM CLULEY
I don't even say anything.
MARIA VARMAZIS
You don't say hello.
CAROLE THERIAULT
You don't hang up.
MARIA VARMAZIS
Hey, something, something, something. That's me. Who does that? Felines. The end.

Update July 2022:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

8 comments on “Kemi Badenoch MP, self-confessed website hacker”

  1. Daniel

    She has spent the past few weeks talking in parliament on the need to firm up and enforce laws against cyber crime, so one may say that she has double standards.

    1. Gary Williams · in reply to Daniel

      Or maybe she understands the risk of MPs using poor security? She seems ideal to lead the charge on cyber defences. At least she has a clue.

  2. Peter Freeman

    I don't think there is any legal basis for ignoring computer crime, even if it happened ten years ago. At the very least this MP should be interviewed under caution; if it had happened in the US it is likely that she would have been arrested.

    1. etaoin shrdlu · in reply to Peter Freeman

      Only if she were a Republican.

  3. elrond

    Or that she learned from her experiences. Graham needs to grow a sense of humor. He is always saying stuff that borders on the offensive, but let someone else do something a little bit off and Bob's your Uncle.

    1. coyote · in reply to elrond

      Your handle is an extremely ironic name… though you probably don't realise just how much so (I won't even try and tell you).

      But Graham does have a sense of humour. The fact you've missed it doesn't mean it doesn't exist. And his punning is excellent too (and very often funny – the two go together well). I question how any of what he wrote is bad enough to even come close to causing offence. With one exception: those wanting to be offended; and sadly there are many people who want to be offended. Of course they complain when they're offended, which really means they enjoy whining; they should just close their mouths or sod off. Besides that, he was only saying her behaviour/character was rather poor. And it was. It was poor and for her age she should have known better. There isn't anything funny about people performing poorly unless of course you like to take advantage of them and/or find humour in other people's failures (etc.).

  4. etaoin shrdlu

    There is probably no way to prosecute her successfully. The only evidence against her is her public confession, which is probably both inadmissible and insufficient. She can't be made to repeat it under oath and was not under oath in the TV interview.

  5. etaoin shrdlu

    "a heady cocktail or political fervour and youthful exuberance."

    I wonder if you meant a cocktail "of"?
