Is password manager 1Password treating its customers unfairly? Are autonomous cars driving us around the bend? And what is this Net Neutrality thing anyway?
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks of PC Pitstop.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Shall we?
We're all waiting, man.
We're all waiting for me.
Yeah. Keep going, Liberace.
This episode of the Smashing Security podcast is made possible by the generous support of Recorded Future.
Recorded Future are the real-time threat intel firm whose machine learning technology analyzes the open and dark web to give you an insight into emerging threats.
You can sign up to their Cyber Daily newsletter and get the latest insights at recordedfuture.com. Recordedfuture.com/intel. That's recordedfuture.com/intel.
And thanks to Recorded Future for supporting the show. Smashing Security, Episode 33: 1Password, Net Neutrality, and Spatchcock Chicken with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to the latest episode of Smashing Security, Episode 33, for the 13th of July, 2017.
My name is Graham Cluley, and I'm joined as always by my good chum and co-host Carole Theriault. Hello, Carole.
Recorded Future are the real-time threat intel firm whose machine learning technology analyzes the open and dark web to give you an insight into emerging threats.
You can sign up to their Cyber Daily newsletter and get the latest insights at recordedfuture.com. Recordedfuture.com/intel. That's recordedfuture.com/intel.
And thanks to Recorded Future for supporting the show. Smashing Security, Episode 33: 1Password, Net Neutrality, and Spatchcock Chicken with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to the latest episode of Smashing Security, Episode 33, for the 13th of July, 2017.
My name is Graham Cluley, and I'm joined as always by my good chum and co-host Carole Theriault. Hello, Carole.
Hello. Hello. Hello.
How are you doing?
I'm great, actually. It's a beautiful day.
Marvelous.
Yeah, it's all going swimmingly, actually.
Super duper. And we've also got a special guest and returning to the show, friend of the show, Michael Hucks of PC Pit Stop. Hello, Michael. Thanks for joining us.
Howdy, Graham. Thanks for having me back.
How did your gig go? You were going off with your band somewhere, weren't you? You were our pick of the week a while back, I seem to remember. Yeah.
Yeah, it went really great. We played at Bonnaroo in Manchester, Tennessee, and it was really great. Just a life-changing experience.
We had a lot of fun and got to see some cool music and meet some of our favorite bands.
We had a lot of fun and got to see some cool music and meet some of our favorite bands.
Awesome.
We had a good one.
Michael, Michael, don't miss the opportunity to say what the name of your band is.
The name of the band is Sweet Sweet. Check it out. We're from Myrtle Beach, South Carolina. So yeah, give us a Google.
And what instrument do you play? Are you singing or what are you doing in it?
I do sing. I also play just kind of a utility guy, whatever they need. I play banjo or mandolin or ukulele. He played a saw.
You played a saw, didn't you?
Yeah, I play the saw with a bow. It makes a cool little ghosty woo kind of noise. All right. So yeah, pretty interesting.
We will put a link in the show notes so other people can check you out.
Awesome.
And you know how it goes.
What we're going to do is each of us is going to bring a topic to the table, something which has caught our attention from the world of computer security and privacy in the last week, and we'll have a little bit of a chat about it.
And first thing I want to talk about is a password manager, a popular password manager called 1Password. It's been around for years.
Carole, it's actually— I think it's made in Canada. You know, you should be terribly proud of this.
What we're going to do is each of us is going to bring a topic to the table, something which has caught our attention from the world of computer security and privacy in the last week, and we'll have a little bit of a chat about it.
And first thing I want to talk about is a password manager, a popular password manager called 1Password. It's been around for years.
Carole, it's actually— I think it's made in Canada. You know, you should be terribly proud of this.
I think actually I used 1Password for quite a long time, actually.
Right.
Yeah.
I don't at the moment, but I did use them for a long time.
Oh, I use it. I think it's a pretty good password manager, I have to say.
But it has got itself into a real whirlpool of controversy online over the last week or so because, well, you see, many people over the years have liked 1Password.
And one of the reasons why a lot of security-savvy people have liked 1Password is it gives you the option of creating a local vault, which is a password-protected database that only lives on your own computer or on your smartphone.
But it has got itself into a real whirlpool of controversy online over the last week or so because, well, you see, many people over the years have liked 1Password.
And one of the reasons why a lot of security-savvy people have liked 1Password is it gives you the option of creating a local vault, which is a password-protected database that only lives on your own computer or on your smartphone.
So it's not in the cloud, it's just kept locally, and then the user has full control over it, knows that they're in charge of protecting it. And I get it. Yeah. OK, cool, cool, cool.
So the idea is, you know, if you're being really security conscious, your passwords aren't leaving your computer.
You're not entrusting them to Dropbox or iCloud or anything like that where they might go astray or potentially maybe some sort of hack can go on.
But a few days ago, some security researchers started tweeting that 1Password was moving people away from local vaults and instead saying, rather than paying your one-time payment for your copy of 1Password, maybe you'd like to sign up for our monthly subscription instead, which will give you cloud-based storage of your password vaults on 1Password.com instead.
You're not entrusting them to Dropbox or iCloud or anything like that where they might go astray or potentially maybe some sort of hack can go on.
But a few days ago, some security researchers started tweeting that 1Password was moving people away from local vaults and instead saying, rather than paying your one-time payment for your copy of 1Password, maybe you'd like to sign up for our monthly subscription instead, which will give you cloud-based storage of your password vaults on 1Password.com instead.
Okay, so basically they're saying goodbye, vaults, local vaults, and hello to cloud vaults. And we're going to charge you a monthly fee for that.
Well, that's certainly the way that many people took it.
And there was fury and there was a story on Motherboard, which I think really sort of heated up the waters and people were getting furious.
And I'll link to some of the stories which have been around this. So you can see the forum posts, but basically as I see it, people were getting angry about two main things.
The first thing was they wanted local vaults as opposed to shoving their passwords up in the cloud somewhere.
And there was fury and there was a story on Motherboard, which I think really sort of heated up the waters and people were getting furious.
And I'll link to some of the stories which have been around this. So you can see the forum posts, but basically as I see it, people were getting angry about two main things.
The first thing was they wanted local vaults as opposed to shoving their passwords up in the cloud somewhere.
Okay.
Yeah.
Okay. Because they think local is safer. They think it's safer. Okay. Yeah.
And the second thing that people don't like is they don't like paying a subscription for software.
People think, I want to buy my software once and I want to carry on using that piece of software forever rather than paying an annual or a monthly fee.
People think, I want to buy my software once and I want to carry on using that piece of software forever rather than paying an annual or a monthly fee.
I kind of agree with that. I don't really like paying monthly fees for software. I see why companies do it, but—
You know what? I think a lot of people feel the same as you, right? And we're now in this era of $1.99 or 99-cent apps.
You know, everyone is getting amazing programs really, really cheaply. The problem is, however, how are they ever going to invest in R&D?
How are they going to ensure that they're properly securing our data?
You know, everyone is getting amazing programs really, really cheaply. The problem is, however, how are they ever going to invest in R&D?
How are they going to ensure that they're properly securing our data?
I didn't say the one-off fee be 22p. Okay. They can charge $50. I kind of want a one-off payment, I suppose. And I know what you're saying.
You're saying they need those extra funds to come in for R&D. Okay, I get it. I get it.
You're saying they need those extra funds to come in for R&D. Okay, I get it. I get it.
Yeah, see, I personally quite like paying for things. I don't know if I've suddenly become altruistic at my age. Whoa, Graham, suddenly being generous here.
No way.
You don't think that's happened, Carole?
Never.
No way.
There's a lot of stories I could tell right now about your altruism, quote unquote.
But I quite like the idea of if I use— let me be honest with you, right? A password manager is one of the most important programs on my computer and on my smartphone.
It's the thing which I'm going to use umpteen times a day, and I'm putting a lot of trust in it.
Do I feel more comfortable paying maybe $40 my entire lifetime for that program, or do I feel more comfortable maybe spending $3 a month until I'm sick of it and don't want it anymore?
I actually want that company to exist. I want them to put a lot more effort into ensuring that they've got good, strong security. I want them to be around.
I want them to do a damn good job because if they ever fail in any way, that could be disastrous for me. So I—
It's the thing which I'm going to use umpteen times a day, and I'm putting a lot of trust in it.
Do I feel more comfortable paying maybe $40 my entire lifetime for that program, or do I feel more comfortable maybe spending $3 a month until I'm sick of it and don't want it anymore?
I actually want that company to exist. I want them to put a lot more effort into ensuring that they've got good, strong security. I want them to be around.
I want them to do a damn good job because if they ever fail in any way, that could be disastrous for me. So I—
Those are all good points.
They're all good points. Yeah, that makes sense.
I think there's one thing about when you used to buy software and have a one-time purchase that there was kind of ownership of it and you were done paying.
You can use this software forever. And when you are on a subscription-based, you know, it just— at any point you stop paying, you just don't have this anymore.
Which— but I see the point about, you know, also them being able to count on these people coming back month after month after month.
It's worth it for them to keep developing their products and making them better.
I think there's one thing about when you used to buy software and have a one-time purchase that there was kind of ownership of it and you were done paying.
You can use this software forever. And when you are on a subscription-based, you know, it just— at any point you stop paying, you just don't have this anymore.
Which— but I see the point about, you know, also them being able to count on these people coming back month after month after month.
It's worth it for them to keep developing their products and making them better.
The other problem though is you have to manage all these payments going to different people all the time.
I'm managing loads of different subscriptions for software I require, and honestly, it's a pain in the butt.
You know, because— yes, because I have to— well, because Graham, I know that you go in, tick a box, and never look at it again.
But I kind of like to go in and kind of go, who am I giving to? What is everything appropriate? Is everything working?
And you've— there's a lot of different monthly fees I've got to check.
I'm managing loads of different subscriptions for software I require, and honestly, it's a pain in the butt.
You know, because— yes, because I have to— well, because Graham, I know that you go in, tick a box, and never look at it again.
But I kind of like to go in and kind of go, who am I giving to? What is everything appropriate? Is everything working?
And you've— there's a lot of different monthly fees I've got to check.
I think I fall into the tick a box and never return kind of thing. I have no idea how many things I'm probably— there's probably things from two years ago I've never even used.
Yeah, it's like the old gym membership story, right? Exactly. Someone joins the gym and they forget about it, they stop going, but they're still paying their monthly fee.
So what I tend to do once I trust a product or a service, or I think, oh, this is a good one, I tend to switch over from a monthly subscription to an annual one so I don't get bugged every month.
And I think, okay, this is good. And I just had a situation today, for instance, I use an online backup service, one of the ways in which I back up my data.
And they sent me a message saying, hey, you know, we tried to do the annual charge on your credit card and it failed.
And it's because they had old credit card details for me, right? That particular credit card had expired. And so I had to give them some new details in order to continue the service.
But that worked fine for me. And I think once a year, I'm perfectly happy with that.
I'm happy to give 1Password an annual subscription fee as well, because awesome products and great support don't come cheap.
And one of the things that I've seen from them over the years is real openness and honesty, and sometimes saying things that people don't like to hear, but they provide a fantastic service.
So, okay, I understand something— And they're not the only ones that provide an amazing service.
And I think, okay, this is good. And I just had a situation today, for instance, I use an online backup service, one of the ways in which I back up my data.
And they sent me a message saying, hey, you know, we tried to do the annual charge on your credit card and it failed.
And it's because they had old credit card details for me, right? That particular credit card had expired. And so I had to give them some new details in order to continue the service.
But that worked fine for me. And I think once a year, I'm perfectly happy with that.
I'm happy to give 1Password an annual subscription fee as well, because awesome products and great support don't come cheap.
And one of the things that I've seen from them over the years is real openness and honesty, and sometimes saying things that people don't like to hear, but they provide a fantastic service.
So, okay, I understand something— And they're not the only ones that provide an amazing service.
No, no. I know you're championing them because you use them, but there's lots of other good ones as well.
Yeah, there are obviously other good technologies out there as well, but I think they do a good job.
I think ultimately, if you don't want to pay a monthly subscription or don't want to pay an annual subscription for your password manager, then go and get something else.
But don't mix that up with this other issue, right? There's this other issue, about local vaults versus cloud-based vaults as well, right?
And a lot of people are saying, oh, you know, this is absolutely terrible that we're being moved to cloud-based storage of our passwords, but I think people really need to read the small print as to what's really going on here, because 1Password isn't storing your passwords in the cloud.
What it's doing is this. Your password data is being gathered in your password manager program, which has been run on your client, like your desktop computer.
I think ultimately, if you don't want to pay a monthly subscription or don't want to pay an annual subscription for your password manager, then go and get something else.
But don't mix that up with this other issue, right? There's this other issue, about local vaults versus cloud-based vaults as well, right?
And a lot of people are saying, oh, you know, this is absolutely terrible that we're being moved to cloud-based storage of our passwords, but I think people really need to read the small print as to what's really going on here, because 1Password isn't storing your passwords in the cloud.
What it's doing is this. Your password data is being gathered in your password manager program, which has been run on your client, like your desktop computer.
Right.
It's been encrypted locally before it is transmitted. And their servers only receive an encrypted blob of data, right? Your master password is never transmitted.
And this is true whether you are using 1Password's cloud or whether you're using Dropbox and iCloud or whatever else it is.
And be honest, most people who are using a password manager these days are probably syncing their passwords.
By that, I mean they're sharing the same passwords or having been able to access the same passwords on their smartphone or their laptop as well as their desktop.
And this is true whether you are using 1Password's cloud or whether you're using Dropbox and iCloud or whatever else it is.
And be honest, most people who are using a password manager these days are probably syncing their passwords.
By that, I mean they're sharing the same passwords or having been able to access the same passwords on their smartphone or their laptop as well as their desktop.
Yeah.
One way or another, they're shoving their password data, hopefully encrypted, that's the way 1Password would do it, via some sort of syncing service to do this. All right?
Yeah.
So most people, I think, are already doing this. There's a very small number of people who are only storing it on their local computer.
And there's even still a danger, of course, if you are storing your passwords encrypted on your local computer, of your computer being owned by a hacker and maybe them grabbing your master password and being able to access your password data.
And there's even still a danger, of course, if you are storing your passwords encrypted on your local computer, of your computer being owned by a hacker and maybe them grabbing your master password and being able to access your password data.
Great point. Great, great point. But why do they have to do away with the local vault if people want to keep that?
Well, they could warn them.
They could warn and say, this is why we don't recommend it.
Well, AgileBits, the company behind 1Password, is saying it hasn't removed support for local vaults from its password apps.
Everyone is getting all up in arms about this and they're going, no, no, no. If you want to carry on doing that, if you're currently doing that, you can carry on doing that.
Stop getting your knickers in a twist over this. But they are arguing that in some ways the local vaults are actually less secure.
For instance, if you're using Dropbox or iCloud, which might have a weak password, they're harder to sync and more difficult to support.
And in fact, 1Password's own cloud service is additionally encrypted using an additional 128-bit randomly generated secret key that is never transmitted to their servers.
So in short, you might actually have more security that way than a local vault. And I think a lot of people have got really excited about this and are just like, "Oh, yeah."
Everyone is getting all up in arms about this and they're going, no, no, no. If you want to carry on doing that, if you're currently doing that, you can carry on doing that.
Stop getting your knickers in a twist over this. But they are arguing that in some ways the local vaults are actually less secure.
For instance, if you're using Dropbox or iCloud, which might have a weak password, they're harder to sync and more difficult to support.
And in fact, 1Password's own cloud service is additionally encrypted using an additional 128-bit randomly generated secret key that is never transmitted to their servers.
So in short, you might actually have more security that way than a local vault. And I think a lot of people have got really excited about this and are just like, "Oh, yeah."
Yeah, but we're the ones who get them excited by talking about data breaches that happen from cloud providers.
We talk about that most weeks.
Yes, and it does. You're absolutely right.
All the time we are encountering situations where organizations— we saw it with the AA, we saw it with the World Wrestling Entertainment organization just in the last few days as well— where they have put plain text user databases and sensitive information up on publicly accessible cloud servers.
All the time we are encountering situations where organizations— we saw it with the AA, we saw it with the World Wrestling Entertainment organization just in the last few days as well— where they have put plain text user databases and sensitive information up on publicly accessible cloud servers.
Yikes.
And that does happen all the time. And we're seeing breaches from that sort of incompetence all the time. That isn't what we're talking about here.
Here we have a company who's actually taken its security seriously, is encrypting things in multiple fashions. It is not storing your keys.
The only way in which a hacker could actually access your data is if they managed to hack your computer first and then hack 1Password as well in some fashion.
Here we have a company who's actually taken its security seriously, is encrypting things in multiple fashions. It is not storing your keys.
The only way in which a hacker could actually access your data is if they managed to hack your computer first and then hack 1Password as well in some fashion.
Yeah, I totally understand. And I think that's a really, really good point.
But all I'm saying is that of course people are going to be nervous when they hear the word cloud at the moment.
But all I'm saying is that of course people are going to be nervous when they hear the word cloud at the moment.
I know, I understand. I get that.
I get that because of course there's loads of bad news regarding it, but I think we have to just stop and think.
Sometimes on Twitter, a Twitter storm will be provoked, and some of the reporting on this has been fairly sloppy as well. I think it's just get things in proportion.
Sometimes on Twitter, a Twitter storm will be provoked, and some of the reporting on this has been fairly sloppy as well. I think it's just get things in proportion.
Yes, and that's why people come to Smashing Security, to get the real story.
The real story.
Absolutely.
And somebody's going to give us another story is Michael. Michael, what have you got for us this week?
Well, I found this kind of interesting thing here that Audi has unveiled the new A8, which is the first production car to reach Level 3 autonomy.
Level 3 autonomy?
Level 3 autonomy. So the reason this is a big deal is because this is the first production car that basically takes the driver out of the equation completely.
You can permanently remove your hands from the steering wheel and any controls, and it will just take you places.
You can permanently remove your hands from the steering wheel and any controls, and it will just take you places.
Really? At any speed?
Well, the feature right now is called AI Traffic Jam Pilot, and so it'll only do it in slow-moving traffic. I think it's up to 60 kilometres per hour.
You know what's cool about that though, is you imagine the people, you know, it's still illegal probably even if you're in one of those cars to actually use your mobile phone, right?
So you're gonna be hands-free but not able to use or look away, look at your device.
So you're gonna be hands-free but not able to use or look away, look at your device.
Yeah, well, that's why this is raising so many interesting points, because now that—well, first of all, yeah, if you're not driving, you're essentially a passenger at that point.
Are you a driver of that car? And so a lot of laws are having to be closely looked at and regulations to see how this is actually going to fit into a day-to-day scenario.
And all across the world, I mean, it's going to be pretty wild.
Are you a driver of that car? And so a lot of laws are having to be closely looked at and regulations to see how this is actually going to fit into a day-to-day scenario.
And all across the world, I mean, it's going to be pretty wild.
I wonder—I mean, of course, the rules may vary from country to country, but I wonder if you did have Level 3 autonomy in your car, so it's able to drive itself in not crazy motorway traffic, but at fair speed traffic.
I wonder if you still have to keep your hands on the wheel and pretend to be at least alert.
I wonder if you still have to keep your hands on the wheel and pretend to be at least alert.
Oh, and fight the car?
Well, no, I know. I'm wondering if you have to be basically prepared to take over should anything happen.
That's what it's like with the Tesla, right.
The Tesla has that thing, and you basically do have to be able to—and I don't know if that's level 2 or whatever, but it's the thing below this.
But the driver has to be prepared to take over control of the vehicle at any point.
This one Audi is actually saying that they're encouraging people with—when Tesla released theirs, and there's actually—I put a link in here too—whenever Tesla first came out with this, of people uploading videos of themselves riding in the backseat of the car and just completely taking their hands off in very fast traffic on highways.
And so Tesla was, no, no, please don't do this. They were just ignoring everything. But Audi is actually encouraging people to completely not even be in the car.
For example, the Audi smartphone app that comes with this car, if you, let's say, you come out of a restaurant, you can basically Knight Rider, just hit go, and here comes Kit around the corner, and you can watch the whole thing on the 360-degree camera that comes on the app.
The Tesla has that thing, and you basically do have to be able to—and I don't know if that's level 2 or whatever, but it's the thing below this.
But the driver has to be prepared to take over control of the vehicle at any point.
This one Audi is actually saying that they're encouraging people with—when Tesla released theirs, and there's actually—I put a link in here too—whenever Tesla first came out with this, of people uploading videos of themselves riding in the backseat of the car and just completely taking their hands off in very fast traffic on highways.
And so Tesla was, no, no, please don't do this. They were just ignoring everything. But Audi is actually encouraging people to completely not even be in the car.
For example, the Audi smartphone app that comes with this car, if you, let's say, you come out of a restaurant, you can basically Knight Rider, just hit go, and here comes Kit around the corner, and you can watch the whole thing on the 360-degree camera that comes on the app.
This sounds pretty cool. So I could, so there we are, I'm going down the dual carriageway at 40 miles per hour, whatever it is, the traffic's not doing anything very exciting.
I can get up through the sunroof, work my way down the back of the car, open the boot if I left something in there, get it out, and then crawl.
I'm sure that's not gonna put off any other drivers, is it?
I can get up through the sunroof, work my way down the back of the car, open the boot if I left something in there, get it out, and then crawl.
I'm sure that's not gonna put off any other drivers, is it?
I would love to see you try and do that. That would be really, really great stunt. It has a bunch of other really interesting things with it too.
Every single piece of the car is controlled autonomously, including each wheel individually, and just a really neat thing.
Every single piece of the car is controlled autonomously, including each wheel individually, and just a really neat thing.
I kinda hate this. It just says to me, I'm obviously old, but I just keep thinking that's all that stuff is more stuff that can go wrong.
You know, that can break.
Well, not only can it break, but if it can be programmed, it can be reprogrammed.
And all of this is connected to the internet.
But to be devil's advocate for a moment, Carole, it's not just computers and cars which can break, it's humans which break as well. Not break as in stop the car.
I mean, break as in are broken, right? Humans are imperfect drivers and they make bad decisions.
And maybe if the code is good, computer-controlled cars would actually be superior and safer.
I mean, break as in are broken, right? Humans are imperfect drivers and they make bad decisions.
And maybe if the code is good, computer-controlled cars would actually be superior and safer.
No, look, hey, I love driving, so I'm not a fan of this whole automated driving.
But I can see that there's lots of great, you know, it allows people who can't drive to get around autonomously. It's fantastic. It's gonna make the roads safer. I believe all that.
I just like driving, right?
But I can see that there's lots of great, you know, it allows people who can't drive to get around autonomously. It's fantastic. It's gonna make the roads safer. I believe all that.
I just like driving, right?
Of course.
So I don't want that right to be taken away from me. And I, you know, in my lifetime, I'm hoping that, I think that that will ultimately happen, right?
I mean, once 99% of the cars on the road, I mean, I don't know how that would work with actually implementing this, but at a certain point, the most dangerous thing on the road is gonna be people driving cars.
Well, they just won't insure. It won't be, you won't be able to get insurance for it, right? Because you will be less safe than an automated car.
So therefore you won't be able to drive legally.
So therefore you won't be able to drive legally.
Carole, this is going to happen during your lifetime.
Do you think so?
I think it's going to happen within the next 10 years.
I think it's going to be quick.
Don't assume I'm going to live a really, really, really long time.
That's true.
You live pretty hard. You go pretty hard. I live hard, right? Yeah.
Yeah.
I mean, I think it is a really weird thing to think about that at a point very soon, you'll be kind of a badass that at one point in your life you drove a car.
Kids will be like, what? You used to actually control this? And, you know, push the buttons. And yeah, I mean, it'll be a strange thing.
Kids, you know, not too far from now, it will be an old-fashioned thing to do, to even probably know how to drive a car.
Kids will be like, what? You used to actually control this? And, you know, push the buttons. And yeah, I mean, it'll be a strange thing.
Kids, you know, not too far from now, it will be an old-fashioned thing to do, to even probably know how to drive a car.
What, you used to stand up and walk over to the television to change channel? That's crazy, Dad. Wow.
Do you guys remember when that, you know, it was a constant speed regulator that came out in cars so you could kind of go, okay, I'm going 45. Cruise control.
That's what it's called, cruise control. And I remember this story about these guys. They had a camper van.
It was in the States somewhere, but basically it had just come out cruise control, so they put their camper van on cruise control and they went out in the back to make lunch.
That's what it's called, cruise control. And I remember this story about these guys. They had a camper van.
It was in the States somewhere, but basically it had just come out cruise control, so they put their camper van on cruise control and they went out in the back to make lunch.
Oh, yeah.
No.
Yes.
Yeah.
So make sure you understand the technology and understand what's required of you as a driver in these situations rather than to—
And we've really got to hope that the car manufacturers are taking security seriously as well, because we've already seen researchers prove how hackable some internet-connected cars are and taking them over.
It's quite staggering what's been done in that field. More and more cars are going to become the ultimate mobile internet-enabled device, aren't they?
It's quite staggering what's been done in that field. More and more cars are going to become the ultimate mobile internet-enabled device, aren't they?
Yeah, yeah, totally.
For sure. One I was reading about was in 2015, these two white hat hackers, they took control of a Jeep Cherokee and cut the transmission on the highway.
And in response to that, Chrysler had to actually recall 1.4 million vehicles. It was very highly publicized that they took over this and were able to shut it down.
And so it's, yeah, I mean, it's kind of easy, but it's got to be close to the biggest thing that these people are talking about right now.
If you're going to be implementing this, there has to be some sense of security here with these things, right?
And in response to that, Chrysler had to actually recall 1.4 million vehicles. It was very highly publicized that they took over this and were able to shut it down.
And so it's, yeah, I mean, it's kind of easy, but it's got to be close to the biggest thing that these people are talking about right now.
If you're going to be implementing this, there has to be some sense of security here with these things, right?
Yeah. Yeah.
I think people will be nervous. I imagine just the average person on the street would be very nervous about the whole security aspect, I imagine.
Although I suppose physical security does trump digital security. You just don't want to die.
Although I suppose physical security does trump digital security. You just don't want to die.
I think people are nervous about not driving because that's very visible and very obvious.
Not being in control.
What I think people are largely blind to is the fact that so many vehicles these days have some sort of an internet enablement, that they are smart devices, that they are doing incredible things right now connected to the internet.
And you may be slightly blind to that. And that potentially is a backdoor for hackers to get in and to meddle.
And as we've seen, white hat researchers have done this already and had lots of fun. So anyway, it's the future and it is just around the corner, I think.
I don't think we're too far away from this at all.
And you may be slightly blind to that. And that potentially is a backdoor for hackers to get in and to meddle.
And as we've seen, white hat researchers have done this already and had lots of fun. So anyway, it's the future and it is just around the corner, I think.
I don't think we're too far away from this at all.
Well, we'll see if it happens in my lifetime. Fingers crossed.
Carole, I hope you're not planning to kick the bucket just to prove me wrong about this thing about happening in your lifetime.
Yeah, that's so my style. That'll teach you. That'll teach you a lesson.
I'll show you.
Yeah, I'll show you.
Carole, what have you got for us?
Well, I want to talk about the big news of today, the day of recording. So this is day before publication, and today is Net Neutrality Day.
So, Graham, I know you're not a big fan of this topic, are you? Net neutrality. You're not.
So, Graham, I know you're not a big fan of this topic, are you? Net neutrality. You're not.
You think— No. I want to know why should I care about it? Tell me what net neutrality is and how it's gonna affect me.
Okay, so net neutrality is the basic principle of ensuring a level digital playing field. That's how I see it.
So basically all internet traffic is treated equally, whether you are streaming Netflix or whether you're sending information to a particular recipient, no matter what the content is, the traffic should be treated equally for any user.
There. Does that make sense?
So basically all internet traffic is treated equally, whether you are streaming Netflix or whether you're sending information to a particular recipient, no matter what the content is, the traffic should be treated equally for any user.
There. Does that make sense?
Yeah. Right.
So there's no internet fast or slow lanes.
I can't give you a slower, crappier service because you pay less or because you're not as important to me as maybe a bigger provider or someone like Netflix might be.
I can't give you a slower, crappier service because you pay less or because you're not as important to me as maybe a bigger provider or someone like Netflix might be.
Oh, I see. So Netflix, which is quite powerful, for instance, they could pay an ISP and say, look, slow down everybody else, but make sure that we are super duper fast.
Maybe they could do that. Or the ISP might say, actually, Graham, you can't access Netflix unless you pay more, because we think that it hogs too much bandwidth.
So we're going to charge you.
So we're going to charge you.
Oh, okay. All right.
Right? So this is something that President Obama was a big supporter of net neutrality and he established—
President who, sorry?
Obama. Do you remember him?
Oh, it was a fairy tale, wasn't it? Do you remember those days?
It was so long ago.
Yes. Well, he—
Anyway, back to the program.
Oh, you feel that?
Oh, man.
He was a big supporter of net neutrality, and he actually established formal rules to enforce it. And now this is known as Title II, right? The Title II order.
And this was basically to ensure that internet service providers and ISPs like AT&T and Verizon and Comcast and all of them gave equal footing to all websites and all internet services, right?
So you can think about it from a point of view of, I might have a blog, for example, right?
And they may want to make more money out of ads, so they give me a slower service so that people stay longer on the page just so they can deliver more ads to them via my blog.
Might be a way that an ISP might want to make some cash.
And this was basically to ensure that internet service providers and ISPs like AT&T and Verizon and Comcast and all of them gave equal footing to all websites and all internet services, right?
So you can think about it from a point of view of, I might have a blog, for example, right?
And they may want to make more money out of ads, so they give me a slower service so that people stay longer on the page just so they can deliver more ads to them via my blog.
Might be a way that an ISP might want to make some cash.
That sounds yucky.
Yeah. So today, as we're saying, is Happy Net Neutrality Day.
And the idea is to inform people about net neutrality and tell them basically the FCC, if you're in the States, the FCC are basically, there's four more days left before their proposal to scrap net neutrality comes off the table.
So right now, people can comment on whether they think net neutrality is important.
And the idea is to inform people about net neutrality and tell them basically the FCC, if you're in the States, the FCC are basically, there's four more days left before their proposal to scrap net neutrality comes off the table.
So right now, people can comment on whether they think net neutrality is important.
So how are people being rallied to pass on their comments, what they think about all this?
Well, it's funny. There's a lot of things going on on social today. And also, there's a lot of companies out there that are supporting it.
So we were saying earlier, Google, Facebook, Reddit.
So Reddit this morning, for example, had this sign prominently on their website saying, we're sorry, access to our technology is not included with your internet service package.
You must pay your cable company an extra fee to proceed. And then it says, okay, just kidding, but this could happen if we lose net neutrality.
So we were saying earlier, Google, Facebook, Reddit.
So Reddit this morning, for example, had this sign prominently on their website saying, we're sorry, access to our technology is not included with your internet service package.
You must pay your cable company an extra fee to proceed. And then it says, okay, just kidding, but this could happen if we lose net neutrality.
Okay.
And then it provides you a link for you to go and log your viewpoint, right? On the site for the FCC.
And we're just trying to get as many people out there as possible to say, yes, you know, we support. So I guess what I'm saying is don't dilly-dally.
If you're a net neutrality supporter and you're based in the States, it's really important that you go out there and bring your support forward.
There is some news items out there that say the playing field might not be as even stevens.
Some of you may have seen the John Oliver and other media talking about faked comments supporting net neutrality.
So this week, TechDirt's Carl Bode published a story about how his identity, now he's a staunch net neutrality supporter, his identity along with millions of others was used falsely to generate bogus support for the killing of net neutrality rules on the FCC comment system.
And we're just trying to get as many people out there as possible to say, yes, you know, we support. So I guess what I'm saying is don't dilly-dally.
If you're a net neutrality supporter and you're based in the States, it's really important that you go out there and bring your support forward.
There is some news items out there that say the playing field might not be as even stevens.
Some of you may have seen the John Oliver and other media talking about faked comments supporting net neutrality.
So this week, TechDirt's Carl Bode published a story about how his identity, now he's a staunch net neutrality supporter, his identity along with millions of others was used falsely to generate bogus support for the killing of net neutrality rules on the FCC comment system.
Oh, so he's an outspoken critic.
He's an outspoken critic.
He wants net neutrality to stay, but someone used his name and his ID and associated to a comment that he claims he never made.
I see, sort of saying, oh, saying it should be killed.
I see, sort of saying, oh, saying it should be killed.
Saying scrap this, you know, we need to bring, you know, we need to have a— yeah.
So he's been writing to them, commenting, saying take this down, take this down, take this down, and they've been kind of dragging their feet and getting back to him.
And they finally did get back to him basically saying, look, we're not going to remove it, it's not really within our policy to remove any comments from the site, whether they may be— so the idea is that maybe this has been tied to a spam bot.
So the idea is that maybe millions of addresses were picked up by a spam bot and the same message was being pushed onto the FCC comment site.
So it happened, I think, 150,000 times, the same message from the same sender was being shown up.
So he's been writing to them, commenting, saying take this down, take this down, take this down, and they've been kind of dragging their feet and getting back to him.
And they finally did get back to him basically saying, look, we're not going to remove it, it's not really within our policy to remove any comments from the site, whether they may be— so the idea is that maybe this has been tied to a spam bot.
So the idea is that maybe millions of addresses were picked up by a spam bot and the same message was being pushed onto the FCC comment site.
So it happened, I think, 150,000 times, the same message from the same sender was being shown up.
So I would imagine most people listening to this podcast and the three of us, we're probably fans of the idea of net neutrality. I think it sounds like a sensible idea, doesn't it?
I think it's wonderful.
I don't understand really, I can't make a good argument for getting rid of it for anyone except that actually uses the internet.
Not someone who's— I can see why for if you're a provider of the internet, but I have not heard anyone really give me a good argument for why they think it would be a good idea to kill net neutrality.
Not someone who's— I can see why for if you're a provider of the internet, but I have not heard anyone really give me a good argument for why they think it would be a good idea to kill net neutrality.
I mean, if you think about landlines, right?
If you think about landlines, you know, imagine if I could say, okay, I'm going to give you a really, really scratchy landline, you know, about 50 years ago, if you, instead of a really good one, depending on who you are, right?
So you won't be able to hear everything that you want to hear.
So, you know, kind of a landline should be a landline and internet should be internet and everyone should have equal access to it.
Once, you know, once they have access to it, they should be treated equally, I think, completely across the board.
If you think about landlines, you know, imagine if I could say, okay, I'm going to give you a really, really scratchy landline, you know, about 50 years ago, if you, instead of a really good one, depending on who you are, right?
So you won't be able to hear everything that you want to hear.
So, you know, kind of a landline should be a landline and internet should be internet and everyone should have equal access to it.
Once, you know, once they have access to it, they should be treated equally, I think, completely across the board.
Where does, I mean, where does this fit in with the plan of making America great again?
Is this, this is it. Yeah, this is happening right now.
Yeah. The ISPs are the ones that really want this, right? Because they want— and net neutrality is not just a US issue. So there's kind of two issues here.
One is net neutrality, in my view, should be a right for everyone who uses the internet.
So I think, you know, and it's not— net neutrality does exist in Europe, it exists in the Americas, but, you know, in a lot of places in Asia, it doesn't exist.
One is net neutrality, in my view, should be a right for everyone who uses the internet.
So I think, you know, and it's not— net neutrality does exist in Europe, it exists in the Americas, but, you know, in a lot of places in Asia, it doesn't exist.
Oh, right.
Is it a right? I don't know. It just seems like the right thing to do. It's just the right thing to do. Don't do this. Come on, just leave the internet alone. It's fine the way it is.
Well, it's got its problems.
Well, it's got its problems.
Yeah, and ISPs are saying, look, we laid down loads and loads of cable to make this all easy for everyone to access, and what, we're supposed to not get money back for that because now people are streaming huge amounts of content all the time?
Donald Trump, he's a big fan of the little guy. Is he standing up for net neutrality or not?
Well, he appointed ex-Verizon lawyer Ajit Pai to head up the FCC, and he's the guy who's actually put for the proposal to roll back on Obama's net neutrality rules.
The comment being that it hurts future investment and innovation.
One of the problems, of course, is in the States, not everyone— people live rurally and they don't have access to one or more ISPs.
There's only one that kind of operates in their area. So from an idea of competition and price, you don't have a lot of choice if you've only got one that's covering your area.
So it's not like you can kind of use the competitiveness to say, well, these people give me more bandwidth and these people give me less for the same price.
The comment being that it hurts future investment and innovation.
One of the problems, of course, is in the States, not everyone— people live rurally and they don't have access to one or more ISPs.
There's only one that kind of operates in their area. So from an idea of competition and price, you don't have a lot of choice if you've only got one that's covering your area.
So it's not like you can kind of use the competitiveness to say, well, these people give me more bandwidth and these people give me less for the same price.
Right.
Anyway.
Could you say rurally again?
Rurally.
How do you say it? Rurally.
How do you— it's a hard word to say.
I just said it. I said it perfectly well. Thank you very much.
Rurally.
Rurally.
So I—
I have really good pronunciation of rurally.
Rurally.
So I'm basically here to say, guys, you have basically till the 16th, so this is going out on the 13th. You've got four more days to get your comments into the FCC.
Inside our show notes, there's going to be loads of links on how best to make your argument, what pages to go to.
There's different news items to get your— if you want more information on the story. But, you know, I think don't ignore this one. This is time to pay attention.
Inside our show notes, there's going to be loads of links on how best to make your argument, what pages to go to.
There's different news items to get your— if you want more information on the story. But, you know, I think don't ignore this one. This is time to pay attention.
Awesome.
There's my story. There's my pitch.
For sure.
Thank you very much. The sound broke up for a while for me there, but I imagined it was recording it locally.
It broke up for me as well. Yeah. That's the net neutrality people trying to— they're trying to take you down. They don't want your message out there.
They're gagging me already.
Yeah.
They're gagging me.
You see, you see, guys?
Maybe they're the ones who interfered with your pronunciation of— you say it.
Rurally.
Rurally. Okay. Let's find out who's sponsoring the show this week.
So you want to know what's going on in the crazy world of vulnerability and exploits and hacking, you want to know what people are talking about on the darkweb, maybe what the new emerging threats are going to be, you need to sign up for the Recorded Future Cyber Daily.
It's a daily newsletter which arrives free in your inbox from the guys at Recorded Future, the threat intel firm.
And all you have to do to sign up is go to recordedfuture.com/intel. Thank you to the Recorded Future guys for supporting the show this week.
And make sure you go to recordedfuture.com/intel to get your free Smashing Security Cyber Daily Newsletter. And welcome back to the show.
And it's time now for Pick of the Week, our favorite part of the show. Pick of the Week. Pick of the Week.
So you want to know what's going on in the crazy world of vulnerability and exploits and hacking, you want to know what people are talking about on the darkweb, maybe what the new emerging threats are going to be, you need to sign up for the Recorded Future Cyber Daily.
It's a daily newsletter which arrives free in your inbox from the guys at Recorded Future, the threat intel firm.
And all you have to do to sign up is go to recordedfuture.com/intel. Thank you to the Recorded Future guys for supporting the show this week.
And make sure you go to recordedfuture.com/intel to get your free Smashing Security Cyber Daily Newsletter. And welcome back to the show.
And it's time now for Pick of the Week, our favorite part of the show. Pick of the Week. Pick of the Week.
Michael.
Pick of the Week.
That's good. So this is where we choose something which has tickled us from the last week. Doesn't have to be necessarily security related.
Could be a TV show, a movie, a news story, a website.
Could be a TV show, a movie, a news story, a website.
You've changed that. You've changed that. It wasn't security related.
I think, Carole, if you go back through the archives, you'll find out. Doesn't matter if it is anyway. Don't worry, my one isn't this week. Actually, I was gonna talk about one thing.
You remember talking about going back through the archives. You remember we've spoken a few times about the Amazon Alexa voice thing?
You remember talking about going back through the archives. You remember we've spoken a few times about the Amazon Alexa voice thing?
Yeah, yeah, yeah.
You know.
We're big fans of that.
Oh yeah, enormous fans. Well, I'll tell you someone who isn't a fan. There is a geezer, his name is Eduardo Barros from New Mexico.
Okay.
And he's absolutely furious with the Amazon Alexa right now because he was having a quiet night in, beating up his girlfriend.
What?
And threatening to kill her.
For real? So he's— okay.
Well, allegedly, allegedly, this is what happened, right?
Right.
And so he was having a bit of a dispute with his partner back a week or so ago.
Okay.
And during the assault, he started waving a gun around like you do. Oh my God. And he threatened to kill this woman.
And apparently he said I said to her, "Did you call the sheriff?" Okay. Now, that's not the thing to say in front of an Amazon Alexa.
Because apparently if you say that in front of an Amazon Alexa, it will then call the sheriff.
And apparently he said I said to her, "Did you call the sheriff?" Okay. Now, that's not the thing to say in front of an Amazon Alexa.
Because apparently if you say that in front of an Amazon Alexa, it will then call the sheriff.
So it took it as an order. It took it as an instruction.
And so you could argue— I know we've been criticized.
Is that because "did you" sounds like Alexa? Did ya? Did ya, Alexa?
Oh, I don't know.
Maybe it just is prompted for certain things it doesn't need to be prompted.
Maybe his girlfriend's name is Alexa. Alexa, did you call the sheriff? Yeah.
Yeah.
Hey, Alexa, did you call us? Anyway. And so what? Oh my God. His name's Eduardo.
Are there any people in the world named Alexa that own an Alexa? It can't be, right?
Of course they do.
That would just be so— oh, God.
Anyway, it could be argued that the Amazon Alexa did something good and actually maybe saved this woman's life.
So the cops arrived and saved her?
The cops arrived, and I think she was quite badly beaten up, and who knows what the outcome's going to be of all that. But links in the show notes for that one.
But that isn't actually my pick of the week. But that was something—
But that isn't actually my pick of the week. But that was something—
Oh, I see you're getting a twofer.
Yeah, I'm trying to— A twofer?
A twofer, two for one.
Oh, two for one.
I'm sure we've discussed this already in the podcast.
I want to talk about a British railway, Southern Rail.
Oh, that sounds exciting.
Yes, I'm going global. Their Twitter account, I read this, I read that a 15-year-old had taken over their Twitter account. I thought, oh, here we go again.
It's another TalkTalk situation. You know, someone hasn't been careful enough and a teenager has hacked their way in and commanded control. But no, no, no.
They gave this 15-year-old kid called Eddie access to their Twitter account for his work experience. And it turns out he's been an absolute social media hit.
It's another TalkTalk situation. You know, someone hasn't been careful enough and a teenager has hacked their way in and commanded control. But no, no, no.
They gave this 15-year-old kid called Eddie access to their Twitter account for his work experience. And it turns out he's been an absolute social media hit.
Oh, really?
Yes, he's been fielding questions from commuters.
Yeah.
Who, as soon as they discovered that there was a work experience kid handling the— rather than doing the usual sort of, "There is a 13-minute delay," or the sign from— you know, none doing that.
They've been asking him questions saying, "What should we have for dinner, Eddie?" And he's been saying, "Oh, obviously chicken fajitas," he's been saying.
And then they've been asking, "What's the air velocity of certain birds?" And he's been providing the answers and Googling them.
And one guy, a guy called Adam Winston, said, "Would you rather fight one horse-sized duck or 100 duck-sized horses?" And he chose— Eddie chose 100 duck-sized horses.
And I just thought, what a great story, because we hear so much negativity about kids and the internet.
We hear so— there's so much unpleasantness on social media and on Twitter sometimes. You know, we have so many arguments over politics or whatever it is, or password managers.
And here was something which was just utterly joyful as you were overheating on the railway, probably on a slow train. You were at least being amused by them.
And I think it's been a bit of a PR success for Southern Rail. So I say well done to them and well done to Eddie the teenager for taking over the reins of the rails.
They've been asking him questions saying, "What should we have for dinner, Eddie?" And he's been saying, "Oh, obviously chicken fajitas," he's been saying.
And then they've been asking, "What's the air velocity of certain birds?" And he's been providing the answers and Googling them.
And one guy, a guy called Adam Winston, said, "Would you rather fight one horse-sized duck or 100 duck-sized horses?" And he chose— Eddie chose 100 duck-sized horses.
And I just thought, what a great story, because we hear so much negativity about kids and the internet.
We hear so— there's so much unpleasantness on social media and on Twitter sometimes. You know, we have so many arguments over politics or whatever it is, or password managers.
And here was something which was just utterly joyful as you were overheating on the railway, probably on a slow train. You were at least being amused by them.
And I think it's been a bit of a PR success for Southern Rail. So I say well done to them and well done to Eddie the teenager for taking over the reins of the rails.
And Eddie, use two-factor authentication and have a really good strong password, please. Thanks.
Yes, I hope good advice is the case. Thanks for bringing it back to security. Pick of the week. Michael, what have you got?
I have a, I watched a documentary recently that I found to be very interesting. It's called The Red Pill. It's a 2016 documentary by a lady named Cassie Jaye.
She used to be an actress and turned kind of activist feminist.
It's about the men's rights movement, which is a controversial subject and one I really had I've never looked into very much or heard much about.
She used to be an actress and turned kind of activist feminist.
It's about the men's rights movement, which is a controversial subject and one I really had I've never looked into very much or heard much about.
Men's rights, because we don't have very many men's rights, do we?
You don't have very many rights, Graham?
Oh, absolutely not. I mean, I'm never allowed to go, you know, sit down and breastfeed a child or something like that. I mean, what's the problem with people?
Why are men asking for men's rights? Surely we've got enough rights, haven't we?
Why are men asking for men's rights? Surely we've got enough rights, haven't we?
That's what one would think, but it explores the, it kind of explores that idea that, you know, kind of the— it's somewhat controversial.
Several places have canceled their screenings of the film because—
Several places have canceled their screenings of the film because—
Can you give us one? Can you give us some— can you just give us a taster of something controversial? Like something that—
Well, I think even saying the words men's rights is controversial.
And so a lot of these people that follow this movement and are leaders of the movement, it's kind of watching them deal with trying to make their point about men's rights and they do it in some pretty outrageous ways.
This guy has a website that he writes some pretty insane stuff on, and the way they set up the documentary is kind of explaining how their perception is in the world and then what this lady's perception of them was after spending a year with them and actually listening to what they had to say.
So she filmed the whole thing, and you know, it was— I think it was just an interesting take on something that I had never really put that much thought into.
And it's kind of, it's getting a good bit of buzz at the moment. So cool. I highly recommend it.
And so a lot of these people that follow this movement and are leaders of the movement, it's kind of watching them deal with trying to make their point about men's rights and they do it in some pretty outrageous ways.
This guy has a website that he writes some pretty insane stuff on, and the way they set up the documentary is kind of explaining how their perception is in the world and then what this lady's perception of them was after spending a year with them and actually listening to what they had to say.
So she filmed the whole thing, and you know, it was— I think it was just an interesting take on something that I had never really put that much thought into.
And it's kind of, it's getting a good bit of buzz at the moment. So cool. I highly recommend it.
I'm gonna do that.
It's worth watching.
Defo.
Is it entertaining or is it just ultimately depressing because you think this is, these aren't guys really who are in favor of men's rights, they're just misogynists?
No, I think that I actually, my personal opinion is I ended up sympathizing with them by the end of it.
I think that they had points, they had relevant points, and the way it was presented, I don't know how it was supposed to make me feel, but I thought at least that it was— they were maybe kind of a misunderstood bunch and that they might not have represented themselves that well.
But in this documentary, you kind of get to see the other side of them and someone who's actually listening to them and trying to paint them in somewhat of a neutral light instead of a negative light.
I think that they had points, they had relevant points, and the way it was presented, I don't know how it was supposed to make me feel, but I thought at least that it was— they were maybe kind of a misunderstood bunch and that they might not have represented themselves that well.
But in this documentary, you kind of get to see the other side of them and someone who's actually listening to them and trying to paint them in somewhat of a neutral light instead of a negative light.
Well, it sounds thought-provoking then.
It is thought-provoking. Yeah, yeah, worth watching.
Cool. Thank you, Michael, for your pick of the week. Carole, what have you got?
Mine is definitely not thought-provoking. My tip of the week, yes, is all about barbecues, because the Northern Hemisphere right now, it is barbecue season.
And I, for all those real barbecuers out there, and by that I don't mean your little gas guys, I mean those with charcoal or wood, I am advocating the chimney barbecue starter from Weber.
For real, it is about £15, £20, or $30, and it's basically this chimney that you put on your grill and you put all your coal and your fire starter and paper or whatever, and it gets really hot really quickly, and it gets you moving, and it's fantastic, and I love it.
And because that was a bit of a weak tip of the week, right, Graham? You thought it was a bit weak, didn't you?
And I, for all those real barbecuers out there, and by that I don't mean your little gas guys, I mean those with charcoal or wood, I am advocating the chimney barbecue starter from Weber.
For real, it is about £15, £20, or $30, and it's basically this chimney that you put on your grill and you put all your coal and your fire starter and paper or whatever, and it gets really hot really quickly, and it gets you moving, and it's fantastic, and I love it.
And because that was a bit of a weak tip of the week, right, Graham? You thought it was a bit weak, didn't you?
That sounds terribly useful. Is there anything else you can say about it?
How wonderful it— It's very—
I don't know.
No, really, it's a chimney. It literally just gathers everything underneath the flame.
So yeah, I've used one of these. It stacks it up in a vertical fashion.
So, you know, the heat rises through it really quick and it gets all your charcoal blasting with heat very quickly.
So, you know, the heat rises through it really quick and it gets all your charcoal blasting with heat very quickly.
It's anti-technology. It's very, very basic technology. There's nothing digital about it. And it's wonderful because of that.
So you've been using this in your back garden at barbecues and things?
Yeah, I have. You know, I actually used it. Well, I would have invited last time.
Thanks very much.
I don't know, I think you'd have to be a lot nicer to me. Yeah, you have to be nicer to me and then I'll consider inviting you.
But I used recently, I made this amazing chicken dish from an old Telegraph recipe, which I've included in the show notes because it's kind of a spatchcock chicken with a shallot dressing and it's awesome.
And the dressing works really well on grilled vegetables and halloumi and things like that as well. So it's good for everyone.
But I used recently, I made this amazing chicken dish from an old Telegraph recipe, which I've included in the show notes because it's kind of a spatchcock chicken with a shallot dressing and it's awesome.
And the dressing works really well on grilled vegetables and halloumi and things like that as well. So it's good for everyone.
Hot chicken, some nice vegetables.
Yeah, a little sauce on that and mustard. It's delish.
Sounds lovely. I'm sorry I wasn't able to be there.
I know it. I'm sorry too, Graham. I'm really sorry too.
No, maybe next time you'll remember to invite me.
Michael, if you want to come. Yeah, if you want to fly over, keep it warm for me.
I'll head out right now.
Right, I'm on your way. Before a fight breaks out, I think that wraps it up. Thank you very much, Michael, for joining us once again. We really appreciate you being here.
Absolutely.
You can find out more about Michael and his band in the show notes. Thank you, Carole Theriault, as well, I suppose, although I didn't get an invitation to the barbecue.
Thank you at home for tuning in. If you like the show, tell your friends, let us know what you think. Maybe even leave us a review on iTunes or Stitcher or something like that.
You can go to our brand spanking new website at www.smashingsecurity.com. Drop us a line at or follow us on Twitter. We are @SmashingSecurity.
It's not my fault. Twitter doesn't have the extra letter. Crazy, isn't it? Until next time, cheerio, toodle-oo, bye-bye.
Thank you at home for tuning in. If you like the show, tell your friends, let us know what you think. Maybe even leave us a review on iTunes or Stitcher or something like that.
You can go to our brand spanking new website at www.smashingsecurity.com. Drop us a line at or follow us on Twitter. We are @SmashingSecurity.
It's not my fault. Twitter doesn't have the extra letter. Crazy, isn't it? Until next time, cheerio, toodle-oo, bye-bye.
Adios.
Graham, I did buy you a present from Canada that I haven't given you yet. In fact, there's two presents. So don't say I don't do anything nice for you.
Is it a delicious piece of chicken?
That sounds lovely.
Yeah, that you cooked in your barbecue, because that's all you can think about now.
You could cook this in your barbecue, and I would love to watch you eat it.
Show notes:
Please check out the show notes for this episode of the podcast on the Smashing Security webpage.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Michael Hucks
Thanks to our sponsor:
This episode of Smashing Security is made possible by the generous support of Recorded Future – the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.
Sign up for free daily threat intelligence updates at recordedfuture.com/intel
Thanks to Recorded Future for their support.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Local Vaults have been removed from the Windows product which is now subscription only.
For an accurate summary:
http://www.androidpolice.com/2017/07/12/1change-manydeceits-1password-betrayed-users-disappointed-security-experts-moving-license-local-storage-monthly-cloud-subscription/
It's such a shame that 1Password haven't been honest with people.
They have a history of deceit; the Cloudflare leak being the most recent when they pretended no 1Password data had been leaked.
Google engineers called 1Password liars and published some of the leaked data. 1Password changed their tune and said it 'wasn't a security risk'.
With the exception of Windows,
"In short, you can still use your EXISTING private local vault with 1Password. If you're new to 1Password, get in the cloud with everyone else."
And on cloud security,
"The downside to the subscription scheme is that you're trusting 1Password.com with all your passwords. Although they are stored encrypted on its servers, they are accessed through your web browser, so anyone who manages to hack into the service could – potentially, worst-case scenario – screw around with the JavaScript code that's served to browsers to subvert the encryption and decryption process and thus break into a lot of people's vaults."
https://www.theregister.co.uk/2017/07/13/1password_not_killing_onprem_storage/
You can access the encrypted password vault stored on 1Password.com via the client app. No need to use the web interface if you're worried about Javascript webcrypto jiggerypokery.
Yes the client app is nicely designed (and doesn't rely on Javascript) but it still relies upon TLS to transmit your master password.
Because they don't use effective certificate pinning a rogue attacker could get a fake certificate. It raises the bar but such attacks have been demonstrated in practice by non-nation states.
They DO transmit your master password to the server – that's what authorises you to download the encrypted password database. I know in your video you suggested they didn't but (I think) what you meant was they don't transmit the second password using SRP – they call it an Account Key.
1Password 4 for Windows still supports local vaults I believe for those who want to carry on working that way.
But I do wonder how the average person would keep their passwords in sync without using one of the cloud options. (Yes, I know about wi-fi sync – which I *guess* 1Password 4 supports – but I suspect that may be beyond the typical user)
I'm more worried about people not using a ruddy password manager at all, than their issues with 1Password.
I believe you cannot purchase 1Password 4 any more, so that's out of the question for new users.
I don't think it's the cloud storage which has people up in arms; it's 1Password's reluctance to admit they've effectively shuttered the ability to use local vaults in Windows and they're making it MUCH more difficult for Mac users.
They've not been truthful with people – they want people to have a "conversation" (aka 'sales talk) via email before you find out that you can't purchase the standalone Windows licence any more. However you can purchase a standalone Mac licence – after bartering with them via email.
They should give people the option OR be honest and admit they're removing X, Y, Z features. It's their refusal to give clear, honest advice which gets people (myself included) angry. They then come out with crap like "we totally understand that you love 1Password"…
Your average person hypothesis is an interesting one. I'd argue that your average Mac user would find 1Password with iCloud sync the easiest because it's already setup on your Apple devices. No extra logins, account keys required. Just download 1Password, it finds your database in iCloud and you then enter your password. But this is exactly what they've removed; unless you barter with them to get the standalone licence.
Windows users, unless subscription based, are now fully out in the cold. They could have kept the ability to use your own cloud, or, retained the ability to use vaults on a local device; but no, it's gone.
I fully accept that they need to make money through the use of a subscription BUT at least give people the OPTION to keep control of it.
The largest proponents of password managers are people like you and me – we both understand computers but by alienating a large core of their 'expert' audience I can't help feeling they're shooting themselves in the foot. They could sell the benefits of their cloud service but by giving people Hobson's choice they're doing themselves no favours.
As far as net neutrality is concerned, we already in the UK have a multi-speed internet dependent on how much you pay. Whether that is access to cable being limited (let alone a choice of cable providers) or because you have to use a ropey old phone line because you live in rural Wales. The various packages that ISPs offer also don't advertise that fact that your speed is dependent on the contention ratio (ie how many other people are on the same line as you) and that you will need a 'Business' package if you want this to be lower. ISPs also have a 'Fair Usage' policy and can/will throttle your speed/access time if you break it.
That said, we could have nearly unlimited bandwidth for free UK wide including rural areas if the Government had gone ahead with using the National Grid for internet use. This was proven to work, but was suddenly cancelled….. not sure why?! Maybe BT et al know the answer to that??
You need to make a video of a virtual spatchcock-chicken-on-a-chimney barbecue with Carole cooking it and demonstrating the chimney fire enhancer thingy and Graham salivating, drinking beer and eating crisps, anticipating the delicious virtual feast and dishing out safety tips between sips. And you could have as a guest one of the people who barbecue shashlik at the Izmailovo Crafts Fair in Moscow demonstrating the finer points of smoke management.
The best password manager for Android is "Keepass 2 for Android"
Free, open source, available on all platforms. But the app is the safest, because it incorporated a keyboard to autofill user name and password. Also, you can keep it local, or sync to other devices and your own Cloud choice.
https://play.google.com/sto…
For other platforms, check your app store, or look Keepass up online. They have lots of tools to help migrate databases from most other major providers. And they had a thorough review of their code base last year, from an independent commission.