
WannaCry hero Marcus Hutchins (aka MalwareTech) pleads not guilty to malware charges, the Scottish parliament is hit by a brute force attack, IoT smart locks aren’t so smart, and.. ahem.. someone is sending intimate pics via AirDrop to unsuspecting commuters.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Before we start the show, we'd like to give a shout out to our sponsors. This episode of Smashing Security is supported in part by Recorded Future. They're the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats. You should sign up for their free daily threat intelligence updates at recordedfuture.com/intel. And thanks to Recorded Future for supporting the show. Smashing Security Episode 38: Gents, stop AirDropping your pics! With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 38 of Smashing Security for the 17th of August 2017. My name is Graham Cluley, and I'm joined as always by my gorgeous co-host, Ms. Carole Theriault. Hello, Carole.
How are you?
I'm wondering how you can see me actually, as we're not in the same room.
I just remember what you looked like.
What, from 4 years ago when we actually hung out in person? I'm doing brilliantly. Thank you for asking.
Oh, smashing. And we are joined this week by a special guest, investigative journalist Geoff White. Normally you'll see him popping up on Channel 4 News or the BBC talking about technology, sort of cybercrime stuff. But Geoff, hello, welcome to the show. You are off to the Edinburgh Festival. You're doing a show called "The Secret Life of Your Mobile Phone." Tell us about yourself, what you do, and tell us about this show. It sounds interesting.
Well, yeah, we've managed to sort of blag our way into the Edinburgh Festival, which is full of, obviously, full of thespians and actors. So myself and a colleague of mine called Glenn Wilkinson, who's an ethical hacker or a penetration tester, to give it the more humorous name, are off up with our show to Edinburgh Festival.
I think that sounds like a genius idea. Are you going to record this? Are people going to be able to watch it, even those that can't get up to Edinburgh?
We try, it's a tricky one. We try to keep the whole thing offline. There are highlights online, you can watch sort of clips online. We try to keep the whole thing offline because, you know, it's our show and we want to try and stop people copying it, but because we have a Luddite mentality about copyright.
But B, also the whole thing works when you're actually in the room. So putting it available online, we'd be back to the same problem of people thinking, "Oh yeah, I saw your show, but it doesn't affect me." Everybody who's seen the show so far, no one can walk out of that venue and not think it applies to them because it does apply. We have shown it applying to your phone. So it needs to be up close and personal.
Oh, we could have done with that in our net neutrality episode. We needed a way to explain it simply.
Cool. And of course, a criminal could do the same kind of thing which you and your ethical hacking friend are doing as well. They could set up an evil twin hotspot, say, in a cafe or an airport. People just mindlessly connect to it, and they'd be able to see everything which you're seeing in this show. I mean, it's a very real threat, isn't it, Geoff?
Yeah. It really is. I mean, you know, as Glenn Wilkinson, the guy I do the show with, says, you know, this hack, what's called the karma attack, where you impersonate a Wi-Fi hotspot, you know, it's 10 years old, but it's still working for us. And what's really scary is what you said there is people connect to a Wi-Fi hotspot.
Well, it sounds like an interesting show. Go and check out Geoff if you are up in Edinburgh, and we'll put a link in the show notes where you can find out some more about Geoff and his show. What we're really here for is to talk about what's been going on in the wonderful world of computer security in the last week. We're all going to choose a topic and—
You should go first, Graham. You should definitely go first.
You think so? Well, I think first of all, maybe we just need to quickly touch on what's been going on with Marcus Hutchins, aka MalwareTech. If you remember, he was the WannaCry accidental hero, the man who single-handedly crushed the WannaCry ransomware, which was ravaging the National Health Service here in the UK, by finding a kill switch for it. And of course, he was hailed very much as a hero by everybody for what he did, which was fantastic. But—
Well, except for the guys who were running the attack.
Well, yeah, I suppose they weren't so keen, but Marcus got arrested, of course, after the DEF CON conference. He was in Las Vegas and he was caught as he was planning to board his plane back to the UK. And he's now appeared in court in Milwaukee.
He's pleaded not guilty in connection, not with WannaCry, but in connection with another piece of malware, a banking Trojan called Kronos.
And there's a suggestion that he, well, the allegation is that he may have written code which ultimately ended up inside the Kronos malware.
There were some very odd, I was trying to follow this in terms of the comments made in the accusation against the allegation against him and also the comments made by his lawyer in the US. And it was just very confusing in that there seemed to be contradictory messages about whether he was claiming he'd actually designed this piece of malware.
It is. I'm of the opinion as well, though I've been working in antivirus for 25-odd years, I do believe on your own computer, if you want to write malware, you go ahead and write malware.
Yeah, the problem though is everyone's connected to the internet. They're not writing it in a, you know, in a box. Yeah.
But I've read the transcript of the hearing in Las Vegas, the initial hearing, and it is interestingly worded because it was slightly different to how some of the media the prosecutor said that Hutchins had admitted he had written code which had eventually ended up inside the Kronos malware, which isn't the same as saying you wrote the Kronos malware.
He could have written a tiny line of code that just fetches something that could be used both for good and for bad.
Absolutely.
It could have just been plugged in. It could be nothing. So I think right now everyone has to just hold their breath and wait, you know, until we get more information. Because I agree with Geoff, it's hard to know what's going on right now. The situation right now is he's pleaded not guilty. They've tagged him. He's now in Los Angeles. He works for a security company out there and he's back online.
You know what they actually— do you remember what they said actually? They said less than 1% of the 9,000 accounts we look after.
So it looks like none of the accounts in this Scottish example have actually been compromised as far as we've been told so far. But what's happened is some users have been locked out of their accounts. And that actually suggests to me that maybe some of the preventative measures which they put in place to prevent a brute force attack from succeeding actually worked.
Basically, you're saying they've locked out everyone in order to kind of safeguard the accounts is what?
No, I think some of the accounts, people automatically got locked out because there were so many failed attempts to log in.
Yeah.
Yeah.
Yeah.
You end up with almost denial of service attack, don't you, by default, because everybody's inconvenienced, you know?
That's right. And that's why I think it's not a good idea to lock out someone from their account after maybe 3 attempts. But if you lock out someone after 30 attempts or 100 attempts, or if you slow down the attacks so people can only try a few passwords every hour or progressively make that delay between entering a new password, even a few seconds can make a dramatic difference to slow down a brute force attack.
Isn't it weird though, that they wouldn't be able just to discover it based on, you know, using software? Wouldn't the government be using software to kind of go, "Hmm, a lot of traffic coming in from here."
These attacks, I mean, the brute force attacks are incredibly noisy. Yeah. If you look at any institution, whether it's the NHS, government, you know, a local council or a business. You know, how many of these brute force attacks go on all the time? And is it just that it was Westminster and Scottish Parliament's turn, or was it a directed, targeted attack? And if it's the latter, who on earth would do that? I mean, as soon as you get rumbled, you're locked out. You know, it's exactly the opposite of what people who are interested in getting into an organization want to do, which is to be stealthy, get in, stay in, and stay undercover as long as possible.
It's strange, and it runs contrary to the story which we're hearing from some people. Some people have suggested, oh, this must have been a state-sponsored attack.
No, no, no. I'd be stunned, stunned if that was.
Exactly. It doesn't feel like that. There are attempts made, for instance, you know, you get the LinkedIn breach database, the database of passwords which came out of LinkedIn years ago and other big hacks. And you might try those passwords against particular people's credentials. But a brute force attack sounds a little bit dumber. Although ultimately, you know, brute force attacks, given enough time, will work. It's just whether your site or your web service is going to allow a brute force attack to continue.
It's a great way to distract attention, isn't it, as well? If you're wanting IT staff to be focused elsewhere. Just saying. Yes.
Conspiracy theory number 12. I love it. Like?
It's a bit like one of these Ocean's Eleven style heists, isn't it? If you want to steal one thing, you'll divert everyone's attention to the hippopotamus in the lift or whatever it is that you've created as a huge distraction.
Don't remember that from the film.
I don't remember that.
It's a bit rude of me talking about Catherine Zeta-Jones like that, but it's— Oh! Is she even in it? I don't know. I have no idea what I'm talking about here. But there are things you can do to prevent brute force attacks. And obviously put in more checks, heighten the security. If you determine that unusual levels of attempted logins are happening, you could have a CAPTCHA in place, although CAPTCHAs can be irritating. So you might want to use Google's reCAPTCHA or even their invisible one.
You can demand stronger passwords from your users in the first place. You can have two-step verification. Troy Hunt, who runs the Have I Been Pwned website— we should try and get him on the show sometime because we keep on plugging his sites— he's just opened a new product called Pwned Passwords. You can actually download 300 million passwords that they know have already been breached. When people create an account, you can run it past that database and you can say, actually, don't choose that password because we know that one's been breached in the past, and it might be a dumb password. And that maybe will encourage people to use stronger passwords. Passwords, I don't know, but it seems like a neat kind of idea.
You know what, actually, that would be amazing for a lot of charities, actually. You know, I can imagine that would be a good thing.
Well, once again, people, password managers are a good idea to think about. Passwords, yeah, because they would generate stronger passwords for you. That's absolutely true. And long, complicated ones rather than people reusing them. Oh yeah, we've not seen any of that in the last few years.
Well, this is the thing. So, you know, with the Westminster attack, obviously 90 accounts were compromised. I was slightly huffy that they put out the line that "only" in inverted commas, 90 accounts compromised. So look, if you're a constituent of that MP, hang on, do they get written to to say, you know, sorry, some of your data is personal, very personal data potentially, of constituents potentially. You know, imagine the ICO has been informed, but do users, do constituents get informed if data's been breached? I mean, on the one hand, national security might say, oh no, don't tell anybody. On the other hand, it's like, well, this is people's data. So I don't know what's going to happen with that.
We need an investigative journalist to look into this.
Get on it, Geoff, get on it.
I think that's a good idea. I changed the name of my iPhone to Carole Theriault. And the number of penis pictures I'm now getting is enormous being sent to me.
I think penes is the plural.
You can have a shower after this.
If you want to be ahead of the game, I guess you get their free daily email.
And that little thing they had that kept the discs in, and then you'd return them and you'd think, what's next on my list?
You don't even have to start, you could just go dot, dot, dot, and the rest was history.
I think Amazon have a bit of money though, right? I seem to remember them being quite profitable.
Oh, it's rubbish.
It was mate because of Queen d7, but now he's— oh, he's winning the queen back!
Okay, Geoff, what have you got for us this week?
Well, I'm quite interested as ever in the Internet of Things, partly because the phrase winds me up like you wouldn't believe. The internet is things, you know, it's always been the fiber optic cable switches, routers, you know, to say the Internet of Things is glibly assuming that it used to run on kind of hot air and bacon. So the Internet of Things obviously is now a headline. And my favorite story from this week of the Internet of Things gone wrong is the digital locks, the remote access locks. There's a company called LockState, who are a US company. As the name suggests, they make digital locks. These are connected to the internet. And as such, which is probably quite a good feature, these locks can update themselves over the internet. Unfortunately, it seems that—
Normally we'd be saying, thank goodness, there's finally an IoT device which can actually update itself.
No, that's what we've been calling for.
And so, but now you're going to tell us—
So this update went out to a set of locks. Unfortunately, the update applied to one set of locks, a newer version, but got applied to the older set of locks and, in sort of techies' parlance, bricked the locks. The locks just stopped working. This wouldn't have been so bad. It's hundreds of locks, so it's not the thousands and thousands, but it is a significant number of locks. And what makes it slightly more worrying is LockState are— describe themselves as a global partner for Airbnb.
Because of course, if you're trying to let somebody into your flat, you don't necessarily have to be there. You can remote lock, you can give them the code and so on. So this caused problems obviously for Airbnb customers who are trying to get into properties. Now there's a few depressing things about this story. Number one is the fixes that were offered by this company were, well, one of them was take the back off the lock, send it to us. We'll update it. We'll send it back to you. That could take about a week.
Are they paying postage? Yeah.
I don't know whether they're paying for, you know, hotel accommodation while I'm locked out of my flat.
Changes of adult nappies.
You know, ordinarily nappies for adults are a great idea.
But the response was slightly lackluster, a lot of customers felt, also looking at LockState's Twitter feed. I mean, it's in the tweets and replies, you know, there's a lot of people saying, oh God, I'm locked out. What can you do? And in fairness, LockState were contacting me on Twitter and reaching out fine. But on the front page of LockState's Twitter account, and last time I checked their website, there's barely a mention of this. And I just feel, you know, it's not like nobody knows this has happened.
And it's all so common, isn't it, that organizations, they'll have a breach and they may even admit they've had a breach, but you go to their website, you go to their Twitter account, and you won't find a mention of it, or it's so hidden away in a PDF somewhere on their website.
I've been a crisis PR person for a number of years. And yeah, I think the number one advice is don't hide your failings.
I understand you kind of don't want to make a huge fuss about it, but the fact that on the front page of your website you don't have a thing saying, look, we're on it, here's the deal, I find that a depressing response in this day and age.
And there should always be a single line of something just saying, yeah, we screwed up, but look, here's what we're doing about it.
Mm-hmm.
If you can kind of own up quickly and solve it as fast as possible, I think we all like it better.
Like Donald Trump did this week over Charlottesville, for instance, he recognised he'd caused a problem. He may be—
How long? 48 hours?
He'd misspoke. Yes, but he'd misspoke, but then he came back, Carole, with a much better stat— Of course, then he came back again. Yeah, flim-flam. And made it worse.
'Cause he likes to get his facts right.
He does. He's very keen on that.
Very keen on that.
The other thing, the thing I find most depressing about this entire LockState story is, you know, thankfully this system comes with a failsafe. There is a key that can activate the lock. And I just imagined myself getting my brand new LockState lock and fitting the door and thinking, "Oh, there's a spare key. That's great. It's a really good idea. Where shall I store that? I'll store that in my flat." Yeah, underneath the welcome mat. Because if you have to carry the key around just in case the lock goes wrong, what was the point of having the digital lock in the first place?
It's nonsense. But there is actually, on the subject of locks, there has been a nice fun story, a happy story about a family who were locked out of their Toyota Estima. Yeah, this is the Higgins family. Father John lost the key to the imported car when he bent down to tie his son's laces one day. Well, immediately I'm, you know, how would you— is he standing above some furnace or something? What's— how do you— the key goes missing under strange circumstances, but it's the only key that will work on this car because they haven't got a spare because it's an imported, I think a secondhand version. So friendly neighborhood hacker, because he put out a, you know, a Facebook alert for this lost key.
I just would have broken the window.
Well, but then you can't start the car. You've got to cure a car with a broken window.
I'm sorry, I was thinking back to when I actually did that before IoT and cars.
Yeah, you've got a literal wheelbarrow in that case. People just chuck litter through the broken window and have people sleeping in it.
I'm just feeling sorry for this family who went on holiday with their Toyota Estima, presumably got locked out of the property because it was using one of these smart locks, thought, okay, we'll spend the night in the car. Oh no, we can't get in that either. You've got all these bricked devices left. What you actually need is a real brick. We should all carry a brick around so we can smash a small window in order to get into our properties or into our cars.
I sometimes get accused of being the tinfoil helmet man.
You're in good company here.
I'm in the company of the brick man. Brick solution.
Yeah, you guys could become superheroes.
Brick man, brick man and tinfoil helmet. It's a terrible metaphor.
All right, Carole. So what have you got for us this week?
Well, Bluetooth. I want to talk about Bluetooth. All right. So these days, we've got many devices that have Bluetooth switched on all the time. This is largely thanks to the popularity of wireless headphones and wearables, not to mention all the IoT devices Geoff was just talking about, or even retail apps, those things that track you around stores, you know, that offer you click and collect or in-store navigation functionality. But I'm thinking that not many people are actually managing the Bluetooth restrictions as well as maybe they should. So we want to just look into how they can do that on iPhone particularly. And I want to talk about AirDrop in a second. So this was inspired by a story in the New York Post earlier this week. This is involving 28-year-old Britta Carlson, who was on a New York train heading to a concert. And her phone makes this weird sound, right? The one that she's not familiar with. And so she looks at the phone, there's a message displayed and it says iPhone 1. 'Would like to share a note with you.' She hits accept and was horrified with what she saw.
We're on Tinder.
What did she say?
I'm going to quote here. I'm quoting, 'It was just a huge close-up picture of a disgusting penis,' unquote.
I don't think we needed the word disgusting. Surely they're all disgusting.
Yeah, and she said that it really felt like someone had just flashed her. That's what she said, right? Now, the image was sent— she has an iPhone— so the image was sent via AirDrop. And now AirDrop is this neat little feature in Apple which makes use of Bluetooth to create a kind of peer-to-peer Wi-Fi network between devices. So each device creates a firewall around itself, and the connection and the files that are sent are encrypted. So of course then she's panicking about who sent it.
So you can, so there must be a setting somewhere in the phone where you can either accept or—
Hey, hey, I'm getting to the advice section. I'm getting there. Just slow down, buddy.
Oh, I'm sorry, sorry, sorry, sorry.
So the thing is, the thing is that the Bluetooth tethering range is limited. So that basically means that someone that's using AirDrop has to be nearby.
She knew the person who was sort of willy waving at her was—
No, 'cause she was in the subway. Yeah. But it had to be someone close by, maybe in the same carriage.
Something like that.
Yes.
Crikey. Yeah.
Right. And that nearby penis.
It's a nearby penis. Penis proximity. So the message she got was just titled Straw, and it was sent basically by an anonymous stranger. She couldn't locate the perp, right? And it turns out that Apple's AirDrop doesn't keep a log of these transactions.
If there was a national database of penises, would be possible to do some sort of penis recognition.
Didn't we cover— didn't we have some porn site?
Dave McClelland, who was a guest a few— yeah, Pervert, yes, who was on our show a few weeks ago, who was talking all about a porn site which was asking you to photograph— I don't know why he talked about this, but he was talking about a website which is using penises for authentication purposes. That's right. And was asking you to upload images to it. I mean, if Apple worked with that company, presumably maybe there'd be some correlation which could be drawn.
Honestly though, as a girl, I mean, I don't know, as a girl, you guys tell me if I'm being a, you know, genderist, but I think I'd find that really disturbing. If, you know, I'd probably laugh out loud, but then I'd panic that I insulted the perv when I realized that he was just around, right? Peacocking at me and waiting for my reaction. So this goes, but I mean, bluetoothing, I think it was called bluetoothing back in the day, because when Bluetooth first came out, you could send unsolicited messages, unsolicited contact. And I thought that had been for exactly that reason, that bluetoothing became this thing where you'd try and, if you heard a shriek at the other end of the train carriage, you knew you'd hit the right spot or whatever with your offensive message or rude message or whatever. Well, there are ways to handle this. There are things that you can do and I would recommend, I know, you know, I'd recommend you talk to everyone around, check your kids' phones and your family's phones to make sure the settings like this.
Framing me. I do have Bluetooth turned on on my phone, but I'm very careful about what I allow to connect to it. And certainly with AirDrop, which is the iOS technology which has been used to spread these rude pictures, I do use AirDrop. I have a use for AirDrop inside my office, but what I only do is I only allow people who are contacts to send me an AirDrop message.
Well, that's exactly the advice, isn't it? So with the AirDrop, so iPhone users, you can just check your AirDrop settings by swiping upwards on your home phone from the bottom. And if you do, you can see whether your AirDrop is turned on or off, or if it's allowing it for contacts or for everyone. And if you've got everyone there, tsk, tsk, tsk, turn that off and choose contacts only. Although contacts is also an interesting choice because I have a lot of people in my phone whose penises I don't want to look at. Maybe I should have a penis contact list. My favourites. Favourites.
The penes.
On a more serious note, if I can, I was going to say I was dying to squeeze that one in there, but let's move on. Look at what's behind this. What's interesting is there's an entire edifice behind the drive behind Bluetooth, because what's interesting is everybody switched their Bluetooth off because it used up batteries and it's annoying. We now have Bluetooth Low Energy. And what's interesting is because Bluetooth is such a short-range thing, and because, as you say, they can tell which aisle, not just which aisle in the supermarket, they can tell which vegetable you're in front of.
They can see what tampons I'm looking at. It's really annoying.
Exactly. Now, what's interesting is the drive among advertisers are super, super excited about this, and marketers, because they can do really localized advertising, coupons for that brand of tampon or that vegetable, whatever. But in order to do that, people have to have their Bluetooth switched on. Now, at the moment, they can do, if they want, they can do push notification if they change the systems, which means you have no option. Your phone comes up with a, "Hey, Geoff, you're in front of the potatoes, buy some." I feel the industry is holding back from that because they don't want to creep people out. But as you start to get Bluetooth headphones, as you start to get Bluetooth enabled by default, these advertising methods are going to start coming through. I really think we're going to see a boom in this.
I actually recently bought an iPhone and I bought the 6S so I wouldn't have to deal with the whole wireless headphones, which would require me to have Bluetooth on all the time. And the reason Graham, for example, needs Bluetooth on all the time is 'cause he uses it in his car. So he pairs it with his car 'cause he's got a fancier car than I have. So there's a lot of technology out there making it very easy for people to have it on all the time. And I think there is a cost. The other cool idea here is that you can actually, so when your Bluetooth is turned on, you are effectively discoverable. And it might be a good idea to change your phone's name. And you can do that in Settings, General, and About. So using a code name or initials or something that doesn't infer, well, in this case, as we're talking about dick pics, infer gender or age might be a good thing. It is, just going back quickly to, you know, to the show that we do, that we're doing up at Edinburgh, it is astonishing the number of people who name their phones after themselves. And what we do in the show is we show where people, you know, we can find people's work Wi-Fi networks, who know where they work. If you had John Smith written there, maybe you'd be less likely to get that. Yeah, but Geoff, I'm not sure that's fair because I think when you get a new iPhone, it says, what's your name? And then it automatically assumes you want to be called by your name. So I think it actually might be in the setup section. So it's a good idea for everyone, just check your phone's name, you got Settings, General, and About on the iPhone. Just see what's written there and maybe change that to make it a little less all about you.
At least that during setup isn't asking you for your stripper name or your porn name. And then it would get, of course, what is it, your mother's maiden name and the street where you used to live, which obviously would be useful information for thieves as well. But the advice you are giving people, Carole, is if you're going to have AirDrop on, make it contacts only. Of course, this—
If you're going to have it on, I say turn it off whenever you're not using it.
Okay, but sometimes there are situations where you want it on. In this particular case, this victim on the New York underground system, she had enabled it so everyone could contact her. I think she was using it like that for her office. Wouldn't it be great if Apple gave you an option of saying, turn it on for everybody but only for half an hour, and then switch back to contacts? Because you will forget to change it back.
I love that idea. Yes, call them now. That's a great idea.
I'll have a word with Tim.
Yeah, no worries. Now, one thing, I saw a lot of articles about this piece this morning, and there's a lot of in the titles I'm seeing cyberflashing, you know, a trend. I don't think via AirDrop it is a trend. From my research this morning, I don't think it's been happening very often. I saw one case in 2015. There was a few in 2016, but I haven't really seen any others. So I think that is a bit of hyperbole. However, there is a problem with— and there's many reports of women on dating apps receiving unwanted pics of male junk. So that led to this interesting and related conundrum for me. So we all know that flashing in public is illegal in most places that I frequent anyway. In the US, for example, indecent exposure— basically, I think that you have to purposely display your genitals in public causing others to be alarmed or offended. And in the UK you can get a 2-year prison sentence if you're convicted under the Sexual Offences Act. However, it seems to be quite gray as to whether sending someone a dick pic, for instance, is considered indecent exposure. So it's this digital problem of cyberflashing.
It's interesting because it's not actually— it's not publication or exposure generally, is it, to the public? You're actually targeting it to a specific person, albeit a stranger you don't know. But there's indecent communications legislation. So if you send someone a picture through the post of your junk— So maybe that's the legislation that would apply. But you are— I don't think flashing legislation would apply to that. Barrack room lawyer here.
No, but I think you may be right. And it's very— it's going to get grayer and grayer as our world becomes more online. How do we apply our old laws to this new world that we're living in?
Well, thanks, Carole.
Yeah, very deep. Nice.
Anytime. Cheery note to perk us up.
Get it?
Really? We're gonna make innuendos about the word.
You didn't even laugh at my peacocking joke. I thought that would.
I didn't notice it.
Oh, well, I was talking too fast. Above your head.
Let's find out who our sponsor is this week, shall we? Who is going to be our sponsor this week?
Sponsors.
Yeah, we love sponsors. Are you going to interrupt me? I thought you were going to interrupt me. Say, Graham, who's the sponsor? Graham. Hi, Graham. Let me guess. Hi. Hi. Hi.
Graham, who's our sponsor this week?
Our sponsor is Recorded Future. You know them. They're cool. They do all kinds of cool things. They look on the web. They look on the dark web. They peruse the internet in its darkest corners and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity. And then they bundle it all up. They wrap it up in a beautiful ribbon and send it to you in a free email. Of course you do. But first of all, you've got to sign up for it. Otherwise they won't know to send it to you. They're not that clever. Go to recordedfuture.com/intel. And thanks to Recorded Future for supporting the show. Welcome back to the show. And it's our favourite bit of the show. This is what we like to call Pick of the Week.
Pick of the Week. Gotta say it, Geoff.
Pick of the Week.
Thanks, Geoff. It's important.
I feel cheap.
Hey, look, we've plugged your Edinburgh show enough. You can at least say Pick of the Week for us.
Pick of the Week. So Pick of the Week could be a funny story, a book that we've read, a TV show, a movie, a record, an app. It doesn't have to be security-related necessarily. And my pick of the week this week, I'm a bit of a chess fan.
You don't even get cucumber sandwiches, though, do you?
I bet. It is fantastic though. Anyway, what's happening right now is a rapid and blitz tournament.
So it's only 4 hours.
No, no, no. So the rapid tournament, you have about 25 minutes each, and the blitz tournament, I think you have about 5 minutes each. So this is rapid fire chess.
This used to be called bullet chess, wasn't this bullet chess?
There is bullet, there's blitz, and there's rapid.
I don't know a lot about chess, so you're saying in this rapid chess someone has 5 minutes to make a move or finish a game?
In blitz chess, yeah, yeah.
No, no, 5 minutes to make a move?
No, no, the whole game.
Okay.
And then you're clocked out. So as Geoff's just said, there's also bullet chess where I think it's just a minute for the entire game, and you've never seen anything like it. It's so exciting. Anyway, there are some amazing players. Levon Aronian, crazy player. He's been doing some fantastic games. Hikaru Nakamura, and the return after 12 years, the incredible Garry Kasparov is back from retirement playing chess. And it's terrific to watch. You can watch this live streaming on the internet. Oh no, it's not mate because he could go to d6 anyway. Knight c6 is King d6.
Oh, and Garry is playing Knight c6. Queen takes c6. Yes, he's playing Rook d6.
He's winning the queen back!
Rook d6. And what's that pawn endgame?
And the pawn on f4—
What's the pawn endgame? Look at Garry, he's devastated.
The pawn on f4 is winning.
Oh my goodness.
After Queen takes d6, King d6 takes on f7, the king is coming back to e7. Wow, wow, that was very exciting, but not exciting in the way that Garry Kasparov's fans would have had it.
Oh my God, I feel a chill. I feel this stone cold chill. I can't— I'm— you can go and check it out on YouTube. I'll put a link in the show notes as well, so you can— and there's live commentary on the games as well.
You have insomnia?
I know. Hey, I've basically been doing no— don't tell the wife— I've been doing no work all week because I've been watching these broadcasts.
Does she like being called 'the wife'?
Well, she is 'the wife'. She's not 'a wife'. I can't say 'a wife'. Why would I tell a random wife? I'm telling my wife.
Oh, okay.
But that's just possession as well. That could cause controversy in the household. Anyway, go and check it out if you're into chess. If you're not into chess, don't go and watch it.
Well, let's hurry up the show so I can go check it out.
Alright, alright. Geoff, Pick of the Week.
Tell us your Pick of the Week. My Pick of the Week is tech-related actually, but in a sort of vintage tech-related way. The demise of the LoveFilm DVD-by-post service.
They're still doing that?
Yes. And that just shows, doesn't it, how out of touch you are with the diversity of people in this country. You know, my mum, for example, I went home to visit and she said, "Oh, should we watch a DVD?" And I sort of felt like being invited on the Antiques Roadshow. And so they've got— so this is basically, you know, Amazon like, nope, streaming is the way forward. DVDs no more. And obviously that does throw up the question of what they do with all of the old DVDs. LoveFilm's catalogue covers apparently more than 80,000 titles. Amazon has told the BBC that they will donate the DVDs to charity partners. And I just have this image of a guy going to Oxfam with bin bags. Here you go.
And Oxfam's like, whoa!
I don't know. I'm interested what charities think about this. They must get inundated with these old rubbish DVDs. Oh, here's my All Creatures Great and Small collection DVDs. Do they actually manage to sell any of that stuff?
They're probably pleased people have finally stopped bringing in their AOL sign-up DVDs and things like that. LoveFilm ones. Oh, Craig will shift these now too.
They don't have to go to charities that are actually reselling. It could actually just go to a place which is helping people, you know, just be on the shelves. I don't know. Not everyone can afford a Wi-Fi connection, you know, a strong one for streaming. So I don't know. I think it could be really good if they do that.
That is true. But I used to love the DVD. I used to love getting those little packages.
Me too.
Yeah, it was kind of at the time it felt revolutionary. They had such cool little envelopes, didn't they? Which sort of folded over.
And isn't it 3 a month you were allowed for a fixed fee?
For several years I managed to keep doing the free trials with different email addresses. I probably shouldn't say that on the podcast, but—
You're the one that led to their demise.
So now we're all wondering why they've gone kaput.
RIP LoveFilm DVD. We know who's responsible.
He's all right.
Well, the main guy does. We don't know about anybody else.
None of the rest of them are making any money, but Geoff is doing all right. Not our Geoff. Geoff Bezos.
Geoff spelled the wrong way.
Yes, exactly. So your pick of the week is basically the death of LoveFilm, is that what you're saying?
The death of the DVD generally. Oh yeah.
That is strange, isn't it, that technology is already gone?
I own stuff. I'm a big owner of stuff because then no one can take it away from you or change it. So this is a really interesting thing, you know, if we're streaming all the films now, they can change the films, like they did with Star Wars, this big controversy about that. So I'm slightly worried by the fact that if the studio says, actually, we're going to recut this film, put out a new version, if I had the DVD, they couldn't take that back.
Carole, what's your pick of the week?
Whereas now, I know this might sound paranoid, but I do just, you know, I own the stuff. It's control, it's power.
Mine is brain food for those fascinated by science, morality, culture, politics, life. And this is the podcast called Waking Up with Sam Harris. Now, Sam Harris is no small-time fish. He's written a number of books. He's considered quite a genius in many, many circles. But I had never listened to his podcast and someone recommended it to me. So I took a listen as I was on my way to Cambridge last weekend, and after only three episodes, I am delighted and feel much brainier, which, you know, it's hard for me because I'm, you know, I'm up there on the scale. So as I was talking about cyber flashing earlier, I would recommend checking out the episode called Living with Violence, a conversation with Gavin de Becker. Now, de Becker is a three-time presidential appointee. He did pioneering work changing how U.S. governments evaluated threats to the highest officials. He looks after lots of people in Hollywood. He's the business. In fact, years ago when I was on my way to university, my dad actually sat me down and made me watch a PBS episode with him explaining how women could protect themselves better on the streets, on their own.
So he's a guest on the latest Sam Harris.
So he's a guest on the latest Sam Harris podcast, and the whole format is really a kind of conversation between Sam Harris and experts in their field.
All right.
So I definitely would check it out. So check out Living with Violence in Conversation with Gavin de Becker and get smarter.
And the podcast is called Waking Up with Sam Harris. Yes. Okay.
I can say it a 15th time if you.
Ouch.
Burning hot today. Burning hot.
Well, as you're such hot stuff, have we got any other business for our listeners this week?
We have a new Facebook group, which Graham is managing beautifully. You can find it at smashingsecurity.com/facebook. And you can buy a t-shirt. We were talking last week about a global thermonuclear war. So the cotton here is good. It'll protect you. You can find it at smashingsecurity.com/store.
Yes. And I checked just before we started recording, someone has bought a t-shirt and they've bought a sticker. And I think the sticker, the t-shirt combined with a whole bunch of LoveFilm DVDs, you could create a shelter out of them, I think, if there is a nuclear winter.
This is dangerously close to false advertising, you guys.
There's so many lawsuits coming your way. So on that note, I think that's just about all we've got time for. So, thank you for tuning in. Thank you, Geoff, for joining us this week. Really appreciate it.
And it's been a pleasure.
Good luck with your show up in Edinburgh. I hope it goes well.
Thank you.
Yes. Best of luck. Yes. Or anywhere else.
Why not?
Feedback's good. Feedback is good. Until next time, toodle-oo, bye-bye. Bye-bye!
I can't say goodbye.
Exactly. Geoff got it.
It sounds lame. How many people say goodbye?
Well, I just think it's polite. You know, we're a friendly show.
Hosts: Graham Cluley, Carole Theriault
Guest: Geoff White – @geoffwhite247
Show notes:
- "The Secret Life of Your Mobile Phone" — Geoff White's show at the Edinburgh Festival Fringe
- MalwareTech is back online, as he pleads not guilty to Kronos malware charges — Graham Cluley
- Scottish parliament hit by cyber-attack similar to Westminster assault — The Guardian
- Hackers try to break into Scottish parliament email accounts weeks after Westminster attack — Graham Cluley
- Blocking Brute Force Attacks — Advice from OWASP
- Hundreds of 'smart' locks bricked by flubbed remote update — Graham Cluley
- Friendly neighborhood hacker helps family regain access to locked car — Graham Cluley
- AirDropping penis pics is the latest horrifying subway trend — New York Post
- Is there a way to view AirDrop transfer history? — Apple Support community
- What Is AirDrop? How Does It Work? — Lifewire
- Exposing yourself is illegal – so why should the law tolerate cyber-flashing on online dating apps? — The Independent
- Saint Louis Rapid & Blitz — Grand Chess Tour
- Amazon's LoveFilm postal rentals is shutting down — Radio Times
- "Waking Up with Sam Harris" — podcast
- Smashing Security podcast on Facebook
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
