
Kudos to Nadine Dorries, the British MP for Mid-Bedfordshire, who has bravely exposed the appalling computer security practices that she and her fellow politicians have in place.
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!
— Nadine Dorries (@NadineDorries) December 2, 2017
Now, to be fair, Nadine probably thought she was simply supporting First Secretary of State Damian Green after revelations by a retired detective that thousands of legal pornographic images were found on his Dell PC at Portcullis House in 2008.
Damian Green, who is deputy to British Prime Minister Theresa May (not to be confused with British glamour model Teresa May), says he has never watched or downloaded porn on the computer.
And Nadine Dorries attempted to support her colleague by explaining that she allowed her staff and interns to log into her computer with her password “everyday”.
When security-minded folks on Twitter began to criticise Nadine’s cavalier attitude to security (particularly pertinent in light of recent targeted computer attacks on Westminster), some of her colleagues jumped to *her* defence.
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles (@NickBoles) December 3, 2017
Maybe someone might like to tell Nick Boles, the right honourable member for Grantham, that he is being needlessly reckless. The first rule of passwords is that you don’t share them.
As we have explained many times in the past, the solution to not being able to remember complicated, unique passwords is to use a password manager.
Maybe next time Nadine Dorries shouts “What’s the password?” across her office floor, she might want to remember that too.
All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
— Nadine Dorries (@NadineDorries) December 2, 2017
Meanwhile, Will Quince, MP for Colchester, freely admits that he leaves his computer unlocked:
Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.
— Will Quince MP (@willquince) December 3, 2017
It would perhaps be churlish to suggest that Will Quince is preparing his alibi should porn ever be found on his PC.
And, if Nadine Dorries is to be believed, Damian Green is not the only MP who may have to face awkward questions about porn being found on their PC. No, because over the weekend Nadine claimed that *every* single MP’s PC (including hers, presumably) has been used to access porn.
I’m sure if the computers of all MPs – including Labour ones, were investigated there would be a record of porn being accessed. There would, in all cases, be zero proof of who it was who accessed it.
— Nadine Dorries (@NadineDorries) December 2, 2017
Wow. That’s quite a claim. With all that porn swirling around parliamentary systems is it any wonder that the Brexit negotiations are proving to be quite a challenge?
I guess the beauty of letting any member of your staff access your computer with none of that password hassle is that they can easily peruse your porn if they need to in a hurry.
Nadine Dorries, meanwhile, is under the misapprehension that she simply isn’t interesting enough to be hacked.
I’m not the Gov. I’m an MP with a computer in a shared office upon which lives an email account. That’s as exciting as my computer gets
— Nadine Dorries (@NadineDorries) December 3, 2017
Oh dear… She’s wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they’d probably ignore the porn). It’s not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.
And what worries me from the above tweets is that Nadine Dorries doesn’t seem to be an isolated case. And it should worry you too if you’re a constituent of an MP who has adopted similarly lax IT security measures.
And it should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
But can you imagine that conversation? Like, bing bong, hello, your local cop here. First, happy holidays. Second, is this your butt bouncing around in this video, sir? Right?
Hello, hello, and welcome to another episode of Smashing Security, episode 56 for the 7th of December, 2017. My name's Graham Cluley.
Is there anything going on with American politics, Iain?
So you're only gathering one extra crumb per 30 seconds of investment.
I'm just saying, what you've just said suggests that our podcast is a bit shit.
Netsparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.
If you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed, then you need Netsparker.
Try it out now by downloading a demo from www.netsparker.com/smashing.
This allows IT to say which users have access to which applications at which time and also enforces two-factor authentication.
So even if credentials are compromised, hackers can't get access to those corporate services.
Find out more about OneLogin and download a free guide to identity access management at smashingsecurity.com/one-login. On with the show.
So I'll give you a little bit of background first, and then I'll tell you what the politicians have been doing lately.
They seized a computer, they took a look at it.
Now, a retired detective has now said, he's gone to the media and said that during that investigation they found thousands of legal, so nothing that naughty, pornographic images on Damian Green's Dell PC.
And obviously there's been uproar. How can he have thousands of images like that? Shouldn't he have been working a bit harder?
I think this was sort of fairly standard sort of Razzle magazine kind of stuff.
But now it's sort of come up and it's obviously potentially put his career in some jeopardy. And some of his colleagues in the Conservative Party have been jumping to his defence.
And one of them is Nadine Dorries, who aside from once being a contestant on I'm a Celebrity, Get Me Out of Here.
Because what she tweeted the other day was that my staff log on to my computer on my desk with my login every day, including interns.
And so for anyone to say just because a computer on Damian Green's desk has got porn on it suggests that he was the one who downloaded or looked at it is completely outrageous, is her point of view.
Now, of course, when Nadine said this on Twitter, and I don't know if you guys have been on Twitter, but it's a very sort of calm, relaxing environment where people don't jump to judge each other.
What a cavalier attitude to share your parliamentary login details.
Remember, just a few months ago, the UK Parliament was being targeted allegedly by Russian hackers who were trying to break into email accounts.
And there were also reports that bad guys were ringing up political staff members and just asking for passwords, pretending to be the IT team as well.
So there have been targeted attacks. But some of her colleagues jumped to her defence as everyone was saying, what do you like?
You know, you don't have to give out your email password. There are ways to delegate access to your email if you want to have your staff coping with your constituency email.
But a number of MPs sort of said, "Whoa, you know, I do exactly the same." Nick Boles MP, for instance, said, "Oh, I often forget my password.
I have to ask my staff what it is." And then Nadine says, "Oh yeah, all of my staff have my login details.
It's a frequent shout in my office when I'm saying, 'What's the password?'" And a whole bunch of them have come out of the woodwork saying that they are entirely the same.
They don't know their passwords. They're telling all their staff their passwords. They're shouting them out in the office.
And in some cases, they admit— there's a guy called Will Quince MP, and he says, it's not so much about sharing my logins.
I just leave my computer unlocked all the time so they can use it if they want.
Just we criticize Amber Rudd, who's the Home Secretary, who's trying to bring in the Snooper's Charter. She claims also that this is sexism and we're just being sexist.
It's just no, you know, I'm taking the piss just as much out of the male MPs as the female ones. I don't think it has anything to do with sex whatsoever.
Well, apart from maybe the files found on their computer. But yeah, so I just laugh at my own joke.
I think what she's shown is there's a huge lack of knowledge inside our government about cybersecurity best practices.
They don't know that this is a terrible idea. And you can see that in some of these tweets.
Oh, we're just— yeah, there we go as cybersecurity professionals again, looking down at them and sneering at them. And you know what?
I accept that to a point, but then I think, no, I think if you're an MP, and frankly you don't have to have any qualifications to be an MP, do you?
Just need to have gone to the right school.
But what you should be appreciative of is actually turning to experts and saying, you know what, thank you for that input, that's really useful to me, I will take that forward.
Not being close to it and just assuming that you know best, because Nadine Dorries clearly believes that she knows best.
If you read her tweets, she's saying, you know, there's— she's saying there is no one who would be interested in hacking me, she says.
You know, my email account is utterly unexciting, apart from of course the personal information from her constituents who are communicating with her, no doubt.
She has even said that she is sure that all of the computers, every MP's computer, if it was investigated, would have porn on it, she says.
I know it's going to surprise you, right? I know nothing about cars, for instance, or snooker.
But the thing is that you should be prepared to say, okay, look, I'm clearly massively out of my depth here. I'm going to get the advice of an expert.
Are there security trainers there? I have no idea. But I don't think you can really fault her for not taking advice from randos on Twitter.
Well, I just think that now if you want access to an incredible amount of porn, just go to any MP's computer because Nadine has— she's outed all of them.
Okay, Iain, what story have you got for us this week?
It happened in a place called Washtenaw.
Okay, so what this gentleman Conrad did, he started by registering a domain. So this county's domain is ewashtenaw.org.
So he registered the same domain except without the W at the end. He registered it with two Vs. Ah, yeah.
Now you see, as my co-hosts have already realized, two Vs looks a bit like a W. In fact, it makes you wonder why W isn't called double V.
But anyway, so he registered this domain that looks like the real thing.
He then used that domain to send emails to employees of this county, claiming to be some guy that he wasn't, requesting help with, quote, court records, unquote.
And what he wanted the people to do, both the people he was emailing and the people he was calling on the phone, he wanted them to visit his fake website.
Which doesn't really sound like the sort of thing you could do by visiting a website, but that's what he was wanting them to do.
And we know what wonderful things happen when you visit websites and click on links. So now, of course, the county network where these county employees were has malware on it.
He gets some login credentials. So now this Conrad character has access to basically everything on the county network.
So he has access to the personal information of the county employees, he has all the login information, he has search warrants, he has disciplinary records, he has all sorts of wonderful things.
And here comes the good bit. He also has access to this wonderfully named thing called ExJail, the county's system for tracking prison inmates.
So now what he does, and this appears to have been his goal all along, he modifies someone's release date.
And at the end of it all, he modifies someone's prison release date, quote, "in an effort to get that inmate released early." So that was his main goal, you think?
That's what it appears, yes.
So somehow the county noticed that he had changed this release date.
And they say, "Thanks to a careful review by employees, no inmates were released early," said the US Attorney for the Eastern District of Michigan's press release.
And it's like, "Oh no, I'm actually leaving next Thursday." He was getting his suit on and they said, "Whoa, whoa, whoa, whoa, whoa, whoa." Hang on a minute, Mr. Manson.
Why have you been let out like this? What's going on?
And in their defense, they noticed.
Also, the website for this software is, when you do find it, is appallingly full of grammatical errors and typos.
But okay, so question, have you ever worried about secret video cameras or microphones in hotel rooms or in Airbnb places that you've stayed in?
So I've never had a bad experience, but I've never actually been in a place and actually thought, I wonder if they're actually spying on me.
And surprise, surprise, it turns out there are indeed dirtbags out there who secretly record their paying guests' private moments.
So an article penned by friend of the show Lisa Vaas pointed to a tweet that was sent last week by this guy called Jason Scott.
And he says, oh, in "that's a thing now" news, a colleague of mine thought it was odd when there was a single motion detector in his Airbnb in the bedroom, and voilà, it's an IP camera connected to the web.
And then he continues, he left at 3 AM, reported, host is suspended, colleague got refunded. And then just earlier this month, there was another one.
This is in Florida, a guy named Wayne Natt. Seriously, who names their babies Wayne?
Hey, maybe it's Bruce Wayne, right? And he and Lex Luthor— sorry, I don't know where I am today.
Iain keeps on butting in with these silly little comments. You keep going, Carole. Who's editing this one, by the way?
So this couple from Indiana go down, and they're vacationing at Wayne's pad, and they discover a hidden camera and microphone inside a smoke detector in the master bedroom with the camera pointing at the bed.
Oh yeah. And there was also another hidden camera in the smoke detector in the living room.
I can kind of understand that if you were an Airbnb property owner, you might be nervous of freaks coming in and causing damage and then trying to hide it or stealing something or something like that.
But it's still a bit weird, isn't it?
And he claims that the videos were made with consenting adults, right?
But can you imagine that conversation? Like, bing bong, hello, your local cop here. First, happy holidays. Second, is this your butt bouncing around in this video, sir, right?
How do you go about doing that?
I mean, it's just a terrible job for any policeman.
Airbnb are of course outraged and have kicked him out of the Airbnb family and claim to be helping the authorities as well.
Now, I was interested in what are the Airbnb rules when it comes to this kind of thing?
But I can understand that.
So apparently if you're a host and you have any type of surveillance device in or around a listing, even if it's not turned on or hooked up, we require that—this is Airbnb speaking—they require that hosts let guests know by including this information clearly in the listing and photographs.
So basically they're saying you need to let people know before.
But this is the punishment: if a host discloses the device after booking, Airbnb will allow the guest to cancel the reservation and receive a refund. So that's the punishment.
And my first search brought up an article called 10 Best Security Cameras for Airbnb and Short-Term Rental Hosts.
And it starts with the rise in home sharing through Airbnb short-term renting comes a need to protect one's investment.
After all, if your home ends up trashed or mistreated by a guest, et cetera, et cetera. So they're, you know, feasting off this as well.
See if they say anything about surveillance, microphones, and video cameras on the premises. Consider disconnecting the router or the Wi-Fi. You know, why use it?
You can use your 3G, and then your traffic at least stays clean and doesn't— and also if they have any devices connected to Wi-Fi, they will not work.
And you can get these things called bug detectors. I had a bit of fun looking these up. So they can detect GPS trackers and RF transmitters and wired and wireless hidden cameras.
And they cost a pretty bob though, something like £300. But apparently they'll tell you if there's anything in a room. And of course you could always just stay in a hotel.
Companies use hundreds of applications every day, with the average worker having to remember about 40 passwords.
Unless you use a product like OneLogin, passwords go into spreadsheets, into emails, and end up on Post-it notes.
OneLogin allows IT to say which users have access to which applications at what time. And also enforce two-factor authentication.
So even if credentials are compromised, hackers can't get access to those corporate services.
And by connecting to Active Directory, access to all of these services is deprovisioned as soon as someone leaves the organization.
OneLogin has customers like Airbus, Royal Mail, BSI, and Dun & Bradstreet.
Find out more about OneLogin and download a free guide to identity access management at smashingsecurity.com/onelogin. That's smashingsecurity.com/onelogin.
NetSparker is a web application security scanner. It can automatically find the flaws in your website security and fix them before hackers can exploit them.
You can try it out right now. Download a demo from www.netsparker.com/smashing. On with the show. And welcome back.
Well, it's that time of the show when we talk about things that we like.
Could be a funny story, a book that we've read, a TV show, movie, record, an app, a website, a podcast, whatever.
We've all seen photographic images from World War II or World War I, or maybe even Victorian times that have been colorized and somehow it makes everything, it makes the past feel more real, doesn't it?
Well, yes, it does. What are you laughing at? Of course it does.
So, you know, seeing something color makes you go, oh, look at that, it's in colour, crikey. It somehow feels more real. You know, pictures of World War I or whatever.
So I'm going to introduce to you a Twitter bot, and it's not a Twitter bot which is being controlled by Vladimir Putin. Instead, it is called the Colorize bot.
Colorize without a U, with an S. I'm sorry about this.
So when I first discovered this a few weeks ago, I did what most other Doctor Who fans were, which we basically started bombarding it with images from 1960s black and white Doctor Who, which we wanted to see in color.
Sometimes because we were curious as to what a particular alien actually looked like, what color it was in the Dalek master plan, for instance.
I won't go into the scene and details of it, but anyway, to see if the machine knew best. And sure enough, it does come back with colorized images.
Now, sometimes they are a little bit sepia-ish. Things can get a little bit orange on occasions, but it's quite fun. And that is why Colorize Bot is my pick of the week.
You're committing to 28 episodes.
You don't know, am I now committing to 12 years of trying to follow this program?
It's created by one of the people behind Lost. But don't let that put you off. This one does have a good ending, unlike Lost.
And the premise of the show, and there's no spoilers here, the premise of the show is that it starts immediately after something that comes to be called the sudden departure, when 2% of the world's population just disappears.
And there's no explanation for why this happens. There's no explanation for who disappears and who doesn't.
And it's an interesting premise because it doesn't lead to your normal post-apocalyptic situation where there's hardly anybody left, right? Because most people are left, right?
It does cause all sorts of societal problems and panic and people wondering why this happened and all of that stuff. And it's a character-driven program.
There's some very interesting characters in it. The two leads are Justin Theroux and Carrie Coon, who you may not have heard of, but she was also in season 3 of Fargo.
And she's very good. And it's super interesting. You should definitely watch it.
And yes, I have to say that put me off.
So I'm quite encouraged by what you've just said in so much as the series has ended and you said it has a proper ending because often with these sort of shows, I think, oh, this is just going to be ridiculous, which is kind of what I didn't watch Lost after a while because I just thought they are never going to explain any of this, which I believe was the case that they just sort of left it and just annoyed everybody.
There are several theories proposed, but it's left very ambiguous at the end of the third season. The third season is insanely weird, but very, very fun.
I liked it very much, so you should watch it. And it does meet one of the Cluley conditions for appearing on the podcast.
Christopher Eccleston is in it, and he played one of the Doctors.
It's not the sort of program that is going to try to say, ah, well, it happened because there was a fluctuation in the neutron flow in... You know, no.
So I say you need just a bit of old school fun. So let me introduce you to littlealchemy2.com. So you guys can go there if you want while I'm talking. So this is a game.
And it's a bit of a time waster. I seriously spent an hour there today, and I'm embarrassed to say that, but it's kind of addictive.
Now, it came out earlier this autumn, and it's very simple in concept and design. It's a bit like a flash game where you combine elements.
So if you're there, you'll see that you have water and fire and air and other things like that, and if you take two of them and put them on top of each other, you can create a new element.
And you can go and create life, universe. So there's things like you can even, if you get a unicorn and you can combine it with the sea and you can get a narwhal. Kind of cool.
A rainbow and a bird make a peacock. So there's kind of cute humor in the combinations that you pull together.
It's great to have around, especially during the holidays if you're sitting with family and need a little distraction. And you're welcome.
You can follow us on Twitter @SmashingSecurity, no G, and we also have a Facebook group as well where you can find us and you can buy swag. You can buy a t-shirt, a mug, a cushion.
All kinds of gorgeous things from smashingsecurity.com/store.
And if you don't know anyone else at all, go to Apple Podcasts and leave us a nice review. We don't want any of those nasty ones.
Until next time, cheerio, bye-bye, bye everyone, bye-bye. So seriously, I meant to do this, am I?
Is anyone surprised about *anything* these idiots do (or say!)?
Here’s a more comprehensive article citing Parliamentary codes of practice, and how they were breached by password sharing, and tweets from other MPs.
https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/
It's even worse than that – Dorries used to be director of BUPA, the medical insurance company. So you would hope that she knew a thing or to about computer security.
*two
Send the OFFICIAL Teresa May off to negotiate EU trade deal.
Am I being cynical here – but a stream of MPs lining up to say, in public, that other people have access to their computers, sounds like they are preparing a line of defence for when someone leaks information on what is on their computer (and shouldn’t be).
No sane person would admit to being that stupid, unless they were trying to hide a bigger problem…
Wow! And these are the ones who say that the likes of the public shouldn't be allowed to use strong encryption.
Good to see that the Cabinet Office and Home Office spending on Cyber Streetwise has been such a resounding success in Westminster.
So far as many employers are concerned, possession of pornography on a work-provided computer is case for a disciplinary action up to and including dismissal. Or don't these sort of rules apply to MPs and their staff?
Graham Cluley said:-
"Oh dear… She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the pawn)."
pawn
noun
a chess piece of the smallest size and value, that moves one square forwards along its file if unobstructed (or two on the first move), or one square diagonally forwards when making a capture. Each player begins with eight pawns on the second rank, and can promote a pawn to become any other piece (typically a queen) if it reaches the opponent's end of the board.
a person used by others for their own purposes.
Or did you really mean that, Graham? In which case I'm laughing out loud :)
John
Oh my. I spelt it as "pawn" rather than "porn".
What is *wrong* with me?
As anyone who listens to the podcast will know, I'm rather obsessed with chess. In fact, Mrs Cluley has said that she doesn't have to worry about me doing naughty things on the internet, as whenever she catches me watching videos in the dead of the night it's almost always one of the chess tournaments on YouTube…
I spotted it too but thought it was intentional; i.e. the MP is somewhat inconsequential (i.e. a pawn) in the grand scheme of things.
All being said I don't believe that a password manager is the solution here. I agree with Troy Hunt: proper access delegation is what's needed.
My comment about the need for a password manager was directed at Nick Boles MP who says he can't ever remember what his password is.
I agree that delegation is the correct approach if you need more than one person to access your email.
And I apologise again for always having pawn on the brain.
What red-blooded male *isn't* interested in chesst?
What's scarier is that she's actually registered with the ICO as a Data Controller https://ico.org.uk/ESDWebPages/Entry/Z1716668 yet she then admits to using bad infosec security practices. Worse still, she considers that the information she processes has little value as she is not in government. Given the types of data mentioned in the Data Controller registration, I would certainly beg to differ.
Perhaps a hefty fine would help, the money could go to charity as an incentive.
Is her daughter still travelling from the Cotswolds to the constituency office each day?
Just asking,
Here in Denmark we had a case where sensitive information from a police database was leaked to the press. An investigation revealed that too much security was to blame… read on for an explanation.
The security was high. Only one or maybe two senior people had access to any kind of sensitive information, but in the course of the daily work other aspects of this information were needed by other officers. As the senior people were often away at meetings or tasks, and their access to information was needed on a daily basis, a culture of logging in early and staying logged in all day developed. The terminal was located near the service counter at most police stations, and thus not only everybody working there (officers, office staff etc.) but also visitors coming in from the street had access. It was left completely unlocked all day and had full access. The blame for the leak was never placed (it could have been anybody), but security procedures were updated, and now everybody with terminal access has access to the sensitive information, but it is logged exactly who searches for what and when, and idle users are logged out quickly.
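The design this commenter describes (everyone has their own access, every lookup is logged with who, what and when, and idle sessions are closed) is precisely what the shared-login practice in the article destroys: as Nadine Dorries' own tweet concedes, with a shared password there is "zero proof of who it was who accessed it". The block below is an added example, not code from the blog post, the podcast or any commenter, that models the two approaches side by side in plain Python with no third-party dependencies. The class and principal names (`MailAccess`, `mp`, `office_manager`, `intern`) and the ten-minute idle timeout are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed idle timeout for this example; the real value is a policy decision.
IDLE_TIMEOUT = timedelta(minutes=10)


@dataclass
class AuditEntry:
    when: datetime
    principal: str   # who actually performed the action (or "unauthenticated")
    mailbox: str     # whose mailbox was acted on
    action: str
    allowed: bool


class MailAccess:
    """Toy model: one session per person, explicit delegation, an append-only
    audit trail, and idle sessions that expire instead of staying open all day."""

    def __init__(self):
        self._delegates = {}  # mailbox owner -> set of principals granted access
        self._sessions = {}   # session token -> (principal, last_active)
        self.audit = []       # AuditEntry records, never edited after appending

    def grant_delegate(self, owner, delegate):
        self._delegates.setdefault(owner, set()).add(delegate)

    def revoke_delegate(self, owner, delegate):
        self._delegates.get(owner, set()).discard(delegate)

    def login(self, principal, now):
        """Each person signs in as themselves; the token never names anyone else."""
        token = secrets.token_hex(16)
        self._sessions[token] = (principal, now)
        return token

    def _principal_for(self, token, now):
        """Resolve a token to its principal, expiring it if it has sat idle."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        principal, last_active = entry
        if now - last_active > IDLE_TIMEOUT:
            del self._sessions[token]  # idle logout, as in the Danish fix above
            return None
        self._sessions[token] = (principal, now)
        return principal

    def act(self, token, mailbox, action, now):
        """Perform an action on a mailbox; every attempt, allowed or not, is logged."""
        principal = self._principal_for(token, now)
        if principal is None:
            self.audit.append(AuditEntry(now, "unauthenticated", mailbox, action, False))
            return False
        allowed = principal == mailbox or principal in self._delegates.get(mailbox, set())
        self.audit.append(AuditEntry(now, principal, mailbox, action, allowed))
        return allowed

    def who_did(self, mailbox, action):
        """The investigator's question: which principals actually did this?"""
        return [e.principal for e in self.audit
                if e.mailbox == mailbox and e.action == action and e.allowed]


def demo():
    t0 = datetime(2017, 12, 2, 9, 0)  # constructed timestamp
    action = "read_constituent_email"

    # Scenario A: the shared-login practice from the tweets. Everyone signs in
    # with the MP's credentials, so the trail names the MP whoever was typing.
    shared = MailAccess()
    for who_really_typed in ("mp", "intern"):   # never reaches the log
        tok = shared.login("mp", t0)
        shared.act(tok, "mp", action, t0)
    shared_trail = shared.who_did("mp", action)  # ['mp', 'mp']

    # Scenario B: per-person accounts with delegation to the MP's mailbox.
    svc = MailAccess()
    svc.grant_delegate("mp", "office_manager")
    mp_tok = svc.login("mp", t0)
    om_tok = svc.login("office_manager", t0)
    intern_tok = svc.login("intern", t0)
    svc.act(mp_tok, "mp", action, t0)
    svc.act(om_tok, "mp", action, t0 + timedelta(minutes=1))
    intern_allowed = svc.act(intern_tok, "mp", action, t0 + timedelta(minutes=2))
    delegated_trail = svc.who_did("mp", action)  # ['mp', 'office_manager']

    # Scenario C: the office manager walks away; eleven minutes later the
    # session has expired, so an unattended desk is not an open mailbox.
    stale_allowed = svc.act(om_tok, "mp", action, t0 + timedelta(minutes=12))

    return shared_trail, delegated_trail, intern_allowed, stale_allowed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the two audit trails side by side: the shared-login trail names the MP for every action, while the delegated trail names the staff member who actually acted, refuses the intern who was never granted access, and rejects the office manager's session once it has sat idle past the timeout. That attribution is what makes a log useful to an investigator, and it is why a password manager alone is not the whole answer to the tweets above: each person still needs their own identity, with access to the MP's mailbox granted and revoked explicitly.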
None of this is a surprise for anyone that has worked in IT support at local gov or in private business with regulatory obligations and responsibilities. I've seen horrendous practices not just instigated but encouraged with the sole purpose of covering up the fact that staff are clueless (including manager level and beyond). Rather than acknowledge that training or hiring of competent people is required, it seems preferred to cover that fact up with crazy breaches of common sense like this. I have tried to be part of the solution – called it out, suggested / designed secure alternatives – but you hear the same rejections – 'too difficult', 'too slow', or, my favourite – 'stop being a negative person'. It'll never change until the quality of staff does.