Smashing Security podcast #072: Why are firms so cr*p with our private data?

Industry veterans, chatting about computer security and online privacy.

Grindr, MyFitnessPal, and Panera Bread. They’ve all had data breach scares of varying degrees this week. Some handled the security breaches well, some didn’t. We took a look at how well different firms are respecting your data privacy.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who weren’t joined by a special guest for this recording.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
If you're thinking you can scam me, if you're thinking you can make money, you know, it's just like— and this guy said, look, I never mentioned money. I never did.

I'm just trying to tell you about the problem here. Smashing Security, Episode 72: Why Are Firms So Crap With Our Private Data? With Carole Theriault and Graham Cluley. Hello.

Hello, and welcome to Smashing Security episode 72. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And Carole, this is our second time recording this podcast, isn't it?
CAROLE THERIAULT
I know. I don't know how we're going to make it sound as fresh.
GRAHAM CLULEY
So we should explain. We did record a version of this podcast with a special guest.
CAROLE THERIAULT
We did.
GRAHAM CLULEY
And I'm sorry for them that they're not included on this rerecording, but it was just technicality stuff. Yeah. For various reasons. We're not able to use that.

And so we've had to rerecord at the last minute and it's going to be wonderful, isn't it?
CAROLE THERIAULT
Yes, very. It's going to be amazing. We're going to make up for—
GRAHAM CLULEY
We're going to be well behaved, aren't we, Carole? We're not going to be nasty to each other or bicker or anything like that, are we?
CAROLE THERIAULT
You shouldn't do any of that. Definitely not.
GRAHAM CLULEY
Because that's not the kind of thing we do on the Smashing Security podcast, is it?
CAROLE THERIAULT
We're all—
GRAHAM CLULEY
No, no, no, no. All good quality. Okay. Well, we'll be right back with the regular show straight off the break.
CAROLE THERIAULT
Thanks to MetaCompliance for supporting this episode of Smashing Security.
GRAHAM CLULEY
People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management.

Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.metacompliance.com. That's www.metacompliance.com.

So, Carole, if you were an animal, what kind of animal would you be?
CAROLE THERIAULT
Probably— that's a hard question. I think I'd probably be a leopard. Snow leopard. Yeah.
GRAHAM CLULEY
Like leopard skin?
CAROLE THERIAULT
No, snow leopards. They're big, they're fast, powerful.
GRAHAM CLULEY
Oh, okay. Yeah.
CAROLE THERIAULT
Okay. You don't mess with them.
GRAHAM CLULEY
I think I would probably be a gazelle. I think— sorry?
CAROLE THERIAULT
Sporting your Doctor Who sweatband?
GRAHAM CLULEY
Doctor Who?
CAROLE THERIAULT
Doctor Who sweatband?
GRAHAM CLULEY
No, maybe I'm not a gazelle leaping from rock to rock. Maybe I'm—
CAROLE THERIAULT
Gorilla? A gorilla? Pot belly pig? A snake? A rat?
GRAHAM CLULEY
Right, okay, so maybe you'd be something like a beaver, or you would be— No, no, no. What are those things? They look like raccoons. A skunk. Maybe you'd be a skunk.
CAROLE THERIAULT
I've been sprayed by a skunk. That's happened.
GRAHAM CLULEY
Anyway, look, we have to bring this back to computer security. And the reason why I'm talking about things like bears is that I've been reading about the gay hookup app Grindr. Right.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And on Grindr, which as people probably know, is very popular. It's got over 3.5 million daily active users around the world. Yeah.
CAROLE THERIAULT
And I think we can guess that everyone who listens to the show knows what Grindr is.
GRAHAM CLULEY
Pretty popular app. They may not all have used it.
CAROLE THERIAULT
No, no, fine, fine, fine.
GRAHAM CLULEY
It's basically Tinder for gay people, I think. I haven't used Tinder either, but it's basically a dating or hooking up app.

Tells you where someone is who might be of interest to you in their location, and you can look at their details and say, "Oh look, they're a cuddly bear type or a daddy."
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
They're of this gender or this ethnicity and this kind of age range, what they're looking for relationship-wise.
CAROLE THERIAULT
And one of the things which you can look at— This isn't a data breach story, is it?
GRAHAM CLULEY
It is.
CAROLE THERIAULT
Oh, sorry.
GRAHAM CLULEY
One of the things you can look at is their HIV status.

So if they're offering that information, which is a valid thing to offer, because for instance, if people are HIV positive, they may only want relationships with other HIV positive people.
CAROLE THERIAULT
So basically you're saying people put in a lot of personal information in these apps in order to find good matches. And of course that data was really, really well secured, right?
GRAHAM CLULEY
Well, it's not as though hackers have got hold of it yet.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So that's good news, right?
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
But what has happened is a Norwegian nonprofit called SINTEF and a researcher called Antoine Pultier has discovered that Grindr was sharing this information with two other companies, including not only the other personal information, their GPS position, their gender, their age, but also this HIV status and when they were last tested.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And that information was being shared via unencrypted HTTP.
CAROLE THERIAULT
So the information wasn't— first, the information was transferred in a way that wasn't safe.
GRAHAM CLULEY
It appears that it was being transferred via HTTP unencrypted.
CAROLE THERIAULT
And were they allowed to send this information? Who were they sending this to? Well, it was ads. It was advertisers.
GRAHAM CLULEY
Well, no, it wasn't advertisers. It was being shared with two other companies who help you optimize your mobile apps, companies called Apptimize and Localytics.

So they're doing kind of analytics on how the apps are being used.
CAROLE THERIAULT
So like, put different words on buttons to see if people click more. That kind of thing.
GRAHAM CLULEY
Well, I imagine they're just testing the performance, seeing which bits people— which bits of the app.
CAROLE THERIAULT
Are you dying?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Please don't die. Okay.
GRAHAM CLULEY
Which bits of the app users might be using. I guess they might be doing a little bit of A/B testing as well as to what's popular.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
What's not. So it's not unusual for apps to measure that kind of thing, but is it really necessary?
CAROLE THERIAULT
Right, right, right.
GRAHAM CLULEY
To pass on really sensitive information, such as your precise location.
CAROLE THERIAULT
What's wrong with lorem ipsum text?
GRAHAM CLULEY
Right. Or your HIV status along with everything else. You know, it's kind of crazy, isn't it?

And so the concern naturally is that maybe Grindr is looking after this information properly in its app, but can you be confident that these third parties are being just as careful?
CAROLE THERIAULT
Yeah. Again, a supply chain issue.
GRAHAM CLULEY
So Scott Chen, the CTO of Grindr, has told BuzzFeed, who were the ones who really sort of made these details public, they told BuzzFeed that it was standard practice for mobile apps to work with companies like these and that the data was being shared under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.

And I think they're absolutely right about that. If you put a contract in place, there's no way at all that security can be breached. Privacy is a premium. No problems at all.

Well done, Grindr, having a contract. Fantastic.
CAROLE THERIAULT
You know what though?
GRAHAM CLULEY
That reassures everybody.
CAROLE THERIAULT
The thing is, what other choices do they have? You have to cover your ass with some contract. Okay, vouchers of words. But you do, right?

You have to say this, and you have to say it in a way that basically says, I'm liable for this, but I'm definitely not liable for this information.

So you use very specific words to try and give you a little leeway. And you're exactly right. There's no silver bullet to security.
GRAHAM CLULEY
So, but there you are a but. But why? Why did the developers feel the need to send everything?
CAROLE THERIAULT
No, no, I agree. I agree.
GRAHAM CLULEY
That's the crazy thing.
CAROLE THERIAULT
They didn't even think.
GRAHAM CLULEY
That's the incompetence, is they just lazily said, "Oh, just send it all." Whereas it should be, we'll only send the information they absolutely need to have, or we'll anonymize the data en route.
CAROLE THERIAULT
Did anyone say sorry? Did you see anyone say, "Yeah, sorry about that, guys. Sorry we did this."
GRAHAM CLULEY
Actually, I found Grindr rather defensive in their response.

It's, "Oh, you're only making a fuss about this because of Facebook and Cambridge Analytica." And they went to a competitor of BuzzFeed to say, well, we've decided to change our policy.

We're no longer going to share this particular sensitive information, including HIV status, with third parties. It seemed a little bit mean-spirited to me.

I think sometimes better to put your hands up and say, okay, hands up, baby, hands up. We had a data breach, baby. We— well, they haven't had a data breach yet, right?

That's the good news, and that's the important thing to underline.

But anytime you share data about your users unnecessarily and insecurely, there's the potential for a breach to happen.

So you should only share the data you absolutely have to share.
CAROLE THERIAULT
Absolutely agree. And what's interesting, Graham, is my stories also have to do with a data breach. Oh, really?

So what I suggest we do is we— so these guys haven't had a data breach, but mine will talk about how two companies handled a data breach and figure out which one you think did the better job.
GRAHAM CLULEY
Carole, can I say, after 72 episodes of Smashing Security, you're getting very, very slick at the segues.
CAROLE THERIAULT
Oh, well, you know, I was born slick, baby.
GRAHAM CLULEY
Slick leopard. Okay, let's see what you got then.
CAROLE THERIAULT
Well, unlike you, Graham, I was loosening my belt this weekend, preparing for family food mountains, chalky egg hunts, and everything else.
GRAHAM CLULEY
Lovely.
CAROLE THERIAULT
And then of course many people feel guilty after they stuff their faces over a long weekend, don't they? And many people turn to apps to get back into shape. Apps like MyFitnessPal.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
However, you've used MyFitnessPal before.
GRAHAM CLULEY
I have used MyFitnessPal, yes. I've never been able to keep it up to date with what I actually eat, but I have used it to sort of measure how much I've maybe moved or typed.

Whatever the exercises.
CAROLE THERIAULT
Yeah.
CAROLE THERIAULT
I just remembered it was a calorie counter. Oh yeah, and there was a bit where you'd log what exercise you did, wasn't there? Like, oh yeah, 30 minutes on the bike. Whatever. Yeah.

Anyway, this past weekend, MyFitnessPal got into some hot water for a data breach involving 150 million of their subscriber base.
GRAHAM CLULEY
150 million?
CAROLE THERIAULT
I know, it's huge. It's huge. It's like 3 times the size of Canada in terms of number of population.
GRAHAM CLULEY
So what kind of data leaked out?
CAROLE THERIAULT
Well, we're going to get to that. There's all kinds of things because what I want to do is compare how these two do. So let me just set up the other app.

This is contender on the right, contender on the left. Right after Easter, another data breach happened. This was announced on Brian Krebs' blog. And this time it was Panera Bread.

Now, I don't know Panera Bread, but people tell me it's as ubiquitous as Starbucks in the States.

And it's a popular online food outlet and also has a cafe chain with 2,000 cafes across the States.
GRAHAM CLULEY
Online food sounds terribly convenient. I like the idea of that rather than having to actually— I'll just download food.
CAROLE THERIAULT
You know, we have a lot of that in the UK.

People in the States, I don't think, have that kind of food ordering and delivery to the house on a weekly basis for the weekly shop, but we get to enjoy that thing.

Anyway, they are said to have exposed millions of customer personal details. And I know, another weekend, another hack. You just talked about one.

There was also the Saks hack that happened over the weekend. But let's just compare how they work. So let's start with MyFitnessPal.

So 150 million users affected, email, passwords and username potentially compromised. Ouch. So email, passwords, username.

You can't change your email, but you can certainly go and change your password, right?
GRAHAM CLULEY
And of course you need to make sure that you change, if you're using the same password on MyFitnessPal somewhere else, you need to change those passwords too.

Passwords should be unique. Go and listen to our Passwords podcast, folks.
CAROLE THERIAULT
Good plug. Agree. So the fitness app owner said last week that the accounts were compromised in February and the breach was only discovered a month later on the 25th of March.

Now Under Armour, that's the parent company of MyFitnessPal. These are the steps that I've seen that they took.

They first emailed all potentially affected customers within 4 days of discovering the breach.

So on the 29th of March, the email explained how they used bcrypt hashing functions to protect passwords, and it also linked to an FAQ.

The FAQ was comprehensive and gloriously free of marketing spin and high-res pics. It answered those important questions.

You know what I mean though, when you're worried about something, you don't want them to sell to you. You really just want to have the information. And they did this really well.

What information was affected? Who was being notified? What was the company doing to enhance protection?

And they've also updated their social channels like Twitter, where they pinned a link to the FAQ at the very top of the channel.
GRAHAM CLULEY
Well, that's good, because quite often they don't do that, do they? They try and hide it from their social channels.
CAROLE THERIAULT
Exactly. And they have two social channels. They have a kind of support channel that doesn't have a very big number of followers.

And then they have their more public MyFitnessPal channel, which has almost 200,000 followers. And it was pinned on both of them.

I didn't really see a strong apology from MyFitnessPal or Under Armour anywhere.

And I really think those are important because even though you were a victim, you were responsible for keeping our stuff safe, right?

So if you lent me, for example, if you lent me what would I want of yours? Not much. Let's say you lent me a Doctor Who doll.
GRAHAM CLULEY
I don't have dollies of Doctor Who.
CAROLE THERIAULT
Okay, well, let's—
GRAHAM CLULEY
I'm not a weirdo, you know.
CAROLE THERIAULT
Let's say you lent me Orinoco.
GRAHAM CLULEY
Oh, listen.
CAROLE THERIAULT
Yeah, okay.
GRAHAM CLULEY
And Orinoco is my childhood womble.
CAROLE THERIAULT
Right, so you lend me this womble thing and I lose it, okay? And it's gone. And then I just say, yeah, God, sorry about that. We'll do better next time. But I said sorry.
GRAHAM CLULEY
You actually did say sorry.
CAROLE THERIAULT
Just said sorry, trying not to say sorry.
GRAHAM CLULEY
I have to say, it didn't feel terribly heartfelt because this is Orinoco we're talking about. I would be deeply, deep— I'd just be upset.
CAROLE THERIAULT
What do you think about MyFitnessPal users? They feel deeply, deeply upset, I'm sure too.
GRAHAM CLULEY
Well, they should do because potentially... Now, the only thing I— so actually most of what you said there sounds quite good in the way in which they've handled that.

The only potential issue I have is when they actually went public with this, which was on the 29th of March, which was of course just before the big holiday weekend.
CAROLE THERIAULT
You know what? Maybe that was a thought, but it certainly didn't work in their favor because coverage was everywhere. This was a big story over the weekend.
GRAHAM CLULEY
Because we do sometimes see companies bury the news, don't they?
CAROLE THERIAULT
Yeah, well, they didn't succeed.
GRAHAM CLULEY
One company just before Christmas announced some mega breach and you just thought, no one's going to hear about this.
CAROLE THERIAULT
Well, thanks to us, everyone's hearing about this one.
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
The other thing that MyFitnessPal could have done was advertised or basically said, if you want to delete your account with us, here is how to do it.

So I didn't see any of that information. I just think it's a good thing. You know, we screwed up and if you want to leave, we understand. I think that's a fair thing to say.
GRAHAM CLULEY
Clear off if you want to.
CAROLE THERIAULT
Yeah, okay. So this is the MyFitnessPal information. Now let's compare MyFitnessPal to the Panera Bread problem.

So Panera Bread, a well-meaning security researcher named Dylan Houlihan told the online food store Panera that they were exposing data belonging to millions of its customers.

Now this explanation was given 8 months ago, way back in 2017.

Panera's director of information security, Mike Gustavsson, initially dismissed Houlihan's report as a scam, which is really an odd thing.
GRAHAM CLULEY
And in fact, if you look at Dylan Houlihan's blog post about this, he's included a screenshot of the initial email he received back from Panera.

And it sounds like a company which does not want to be told that they've got a security issue.

It's like, if you are thinking you can scam me, if you are thinking you can make money, you know, it's just... And this guy said, "Look, I never mentioned money. I never did.

I'm just trying to tell you about a problem here." So they approached it really, really badly initially, at least.
CAROLE THERIAULT
Okay, but you know what? A week later, still in 2017, Houlihan's findings were validated and Panera said they were working on a fix. Now, problem solved, you say? Not quite.

Now, this is an interesting aside.

Apparently, Brian Krebs' source says that the Panera Bread Info Security Director was the Senior Director of Security Operations at Equifax until 2013.
GRAHAM CLULEY
Oh, you know, I've seen a lot of people on Twitter talking about this and saying, well, what a surprise, you know, he used to work at Equifax. I think this is a bit mean.

I think people are all picking on this guy. Okay, so his initial email response wasn't that great.

But the fact that he had a career before he joined Panera Bread, the fact that he chose Equifax, which was Equifax, you know, before the details of the big Equifax breach occurred as well.

I don't think it's really nasty, I think, that people have just said, oh, look, he used to work at Equifax, therefore he must be a completely shitty person.
CAROLE THERIAULT
God, sensitive. Can I just tell you what else happened?
GRAHAM CLULEY
I've never worked at Equifax, by the way. Let me just stress that right now.
CAROLE THERIAULT
I agree. Now listen, problem solved, you say? Well, not quite.

Brian Krebs says that the index data from Panera's website indicates that more than 7 million customers' accounts could be affected.

The information included email addresses, physical addresses, and birthdays. And all this was available in plain text from the Panera website.

Worse still, the records could be indexed and crawled by automated tools with very little effort, said Krebs.

Did I also mention that the information included Panera loyalty card numbers? Nice for a scammer if they want to get their hands on a prepaid card.
GRAHAM CLULEY
Oh, so if I wanted to sort of stock up on sausage rolls and things like that.
CAROLE THERIAULT
Of course you would. Of course you would. Of course it would be a sausage roll.
GRAHAM CLULEY
I could exploit this kind of information.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Credit card numbers, for goodness' sake. Sausage rolls are where it's at, aren't they?
CAROLE THERIAULT
Yeah. You have to understand, this stuff was left in plain text for 8 months, just sitting there waiting to be scooped up.

Researcher Houlihan, who initially reported the problem, was understandably pissed that the problem wasn't resolved in the 8 months. He ended up informing Krebs.

Krebs' team looked into it and decided to get in touch with Panera. Presto, Panera's website suddenly goes dark for a few hours.

The site reappears with the exposed data now apparently hidden. 2 hours later.
GRAHAM CLULEY
Okay. So, I mean, it took them 8 months to fix the problem. But once Brian Krebs got on the phone to them, because frankly, you know, everyone has a bat phone, don't they?

And if it rings and you think, oh, Brian Krebs is calling, then you know you've got a problem.

Then you know you've got to deal with the problem because everyone will find out about it within hours.
CAROLE THERIAULT
Do you have your popcorn, Graham?
GRAHAM CLULEY
So to the—
CAROLE THERIAULT
Do you have your popcorn?
GRAHAM CLULEY
I have popcorn. Yeah.
CAROLE THERIAULT
Okay, good. Because this gets really exciting now.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Okay. Turns out they didn't do a very good job of fixing it, and this is how it all exploded.

So after they made this fix and Krebs published his article, a Panera statement shows up on Fox News.
GRAHAM CLULEY
Lovely.
CAROLE THERIAULT
And it kind of promotes their quick reactions and seems to downplay the severity of the breach to 10,000 accounts, not 7 million. Hmm, I don't know who I trust in this, but—
GRAHAM CLULEY
So the security researchers got their details wrong, and Panera Bread saying, "It's not that big a deal." And then we've taken care of it in a couple hours, all done, done and dusted.
CAROLE THERIAULT
However, Twitter starts going nuts with people explaining exactly what Panera did to hide the exposed data so quickly. Turns out it's one of the toughest things I've ever heard.

So they basically just added all the data behind the login. So if you had a login to the Panera website, you could then get access to all these millions of details.

Oh, sorry, 10,000. 10,000 customer details, according to Panera.
GRAHAM CLULEY
How many details is it really?
CAROLE THERIAULT
Well, right now people are thinking it's 37 million. So it turns out that their commercial division may have been affected as well.

So evidence is suggesting that it could be as high as 37 million customer records that are affected. And Panera being very quiet about this. I didn't see anything on their website.

Their Twitter seems to have just things like stupid polls, "How are your taste buds celebrating this spring? Hibiscus iced tea or green smoothies?"
GRAHAM CLULEY
Oh, but in fairness to them, if I had an issue with my website which allowed hackers to extract information about all of my customers simply by incrementing a customer number, I think I'd think, oh, should I fix that or should I go and have a kale smoothie instead?

You know?
CAROLE THERIAULT
So it's really no competition really, is it? MyFitnessPal did a way better job compared to Panera in this instance.
GRAHAM CLULEY
And this is the thing. Any company can suffer a breach. Any company can have a vulnerability or a weakness. It's just natural to happen, right? Problems will happen.

There's no company which can guarantee.
CAROLE THERIAULT
Yes. I would agree that problems certainly happen. Yeah, things don't always go smooth.
GRAHAM CLULEY
Yeah. What matters is how well you respond. Absolutely, and MyFitnessPal, from the sound of things, responded fairly promptly and responded responsibly.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
In the emails that they sent as well, I believe that they said, "Look, we're not going to send you links for you to click on." So you're avoiding phishing.

Really smart in a short amount of time. They put that all together. Panera Bread had 8 months, did nothing. When they did something, it wasn't good enough.

And the problem actually was much, much worse than they even imagined.
CAROLE THERIAULT
And hey, do a bad job and it really takes its toll. Just ask the Zuckster, right? His share price is—
GRAHAM CLULEY
The Zuckster?
CAROLE THERIAULT
The Zuckster.
GRAHAM CLULEY
Does he deserve to be called the Zuckster?
CAROLE THERIAULT
Well, what, you think it sounds cool? I think it sounds a bit shitty. We'll censor that.
GRAHAM CLULEY
And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture.

You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com/smashingsecurity.

And quoting the code Smashing. That's metacompliance.com, and don't forget the code Smashing Security.

And welcome back to our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Now, Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like. Doesn't have to be security related necessarily.
CAROLE THERIAULT
It shouldn't be.
GRAHAM CLULEY
And my pick of the week.
CAROLE THERIAULT
Definitely not data breach related this week, please.
GRAHAM CLULEY
No, definitely not. Been a lot of data breaches.
CAROLE THERIAULT
Too much. Yeah.
GRAHAM CLULEY
Too much data breaches. Well, I'm going to talk to you not about data breaches, but instead about Vikings.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Yeah. So my pick of the week isn't actually Vikings because I think they've been around for a while and many people know about them.
CAROLE THERIAULT
Nothing new there.
GRAHAM CLULEY
Nothing topical.
CAROLE THERIAULT
Topical.
GRAHAM CLULEY
All this security news podcast. Let me tell you about Vikings. So as you know, Vikings were fantastic seafarers, weren't they?

They raced off to Iceland and Greenland and discovered America.
CAROLE THERIAULT
You know, heroes discovered everything. Yep.
GRAHAM CLULEY
They discovered everything. Amazing Vikings. Apparently their helmets didn't have horns. Did you know that?
CAROLE THERIAULT
No, I wouldn't have even been sure that they wore helmets.
GRAHAM CLULEY
So apparently this whole thing about their helmets having horns is Hollywood invention. I think it's just Hollywood made it up.
CAROLE THERIAULT
Of course they did.
GRAHAM CLULEY
All right. Well, there is an article, if you don't know much about Vikings, in Science magazine. Which is very interesting.

And they are saying that Vikings may have navigated the seas and specifically safely reached Greenland from Norway using legendary crystals.
CAROLE THERIAULT
Excuse me?
GRAHAM CLULEY
Yes. Researchers—
CAROLE THERIAULT
Are these naturally magnetic?
GRAHAM CLULEY
Here's the issue, right, Carole? They didn't have compasses. They didn't have GPS as Vikings on their boats or anything like that.

And I don't know if you've experienced this, but sometimes in the Northern Hemisphere, there's not a lot of sunshine.
CAROLE THERIAULT
Or there's way too much.
GRAHAM CLULEY
And so even at nighttime when you're thinking, oh, you know, it'd be nice to have a moon or something, you know, there's nothing, right? There's nothing.

So there are legends that the Vikings had these things called sunstones, special crystals which acted as navigation aids and helped them even when the sun was obscured by clouds to identify the sun's location.

Well, I'm very glad that you asked this, because researchers believe that there are particular types of crystal which— I think it's a bit technical, Carole.
CAROLE THERIAULT
Is it magnetic?
GRAHAM CLULEY
No, no, no.

I think they refract light or they polarize light in a particular way, and you turn two crystals at the same time, you can identify a difference in the light which helps you identify where the sun may be even on a cloudy day.

So that's the theory.
CAROLE THERIAULT
Now, the kind of triangulation I don't know. Okay, so your pick of the week. Sorry, I've got some exciting questions about it.
GRAHAM CLULEY
I don't know if it's triangulation.

I think they're doing it from the same place, but I think maybe they can identify where in the sky possibly the sun may be through these crystals.
CAROLE THERIAULT
Anyway, so tell me, Graham, what's so riveting about this for you?
GRAHAM CLULEY
Well, I think I identify myself very much as a stone, as an explorer, as a warrior.

And anyway, listen, the scientists, the researchers believe that they've done some simulations of Viking trips such as the ones undertaken in the Saga of King Olaf, where they were navigating under less than sunny skies, and they've determined that it would have been possible using these stones to reach Greenland around about 92% or up to 100% of the time, even in bad weather, as long as they used the crystals at least every 3 hours.

If they took longer, so they only checked every 6 hours or so, the success rate would drop to about 32 to 59%.
CAROLE THERIAULT
Oh, that's impressive!
GRAHAM CLULEY
It is. See, now you're impressed, aren't you? So I find it quite interesting. So I love when modern scientists are trying to work out what, you know, our predecessors and our—
CAROLE THERIAULT
Yes, it's a great use of tax money.
GRAHAM CLULEY
Well, I don't know if it's tax money. Exactly, it's just for the greater good. It's the Royal Society of Open Science, you know.
CAROLE THERIAULT
Yeah, no, that's very cool.
GRAHAM CLULEY
They were able to create settlements on Greenland and Iceland.

It is all speculation because I don't think these crystals have actually been found in the Viking ships, but there are tales and legends of these things, and so maybe it does make sense.

And of course, those who missed Greenland, where did they hit, Carole?
CAROLE THERIAULT
I guess they go all the way to Canada.
GRAHAM CLULEY
North America. Exactly. Something you should be grateful for.
CAROLE THERIAULT
All right. Thanks, buddy.
GRAHAM CLULEY
Because I'm sure you're descended from a Viking. And that is why it is my pick of the week.
CAROLE THERIAULT
Okay. Okay. Interesting. I'm not convinced you're totally into it, but—
GRAHAM CLULEY
Ooh.
CAROLE THERIAULT
I'll ask you a quiz on it later. Okay. My pick of the week.

Now, well, yes, I have an issue this week because I have this really great pick of the week that I cannot share because it is so great that I actually bought you one.

And I want to give it to you before so that you can talk about it on the show with me and say, oh my God, it's amazing.
GRAHAM CLULEY
Hang on. Have you bought yourself one as well?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
I was about to say, if it's really amazing, you would have bought yourself one. Yes, I did. Okay.
CAROLE THERIAULT
I bought us— and aren't I nice that I bought us both one? Not cheap, Graham. Not cheap.
GRAHAM CLULEY
Oh, crikey.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Very exciting.
CAROLE THERIAULT
You're worth every penny though. Instead, I'm going to talk about April Fools because I love April Fools. And there were a few interesting April Fools fails this year.

I don't know if you saw the French town called Beauvais. Now, Beauvais has an unemployment issue that is higher than the rest of the country.

And the mayor went out saying, hey, IKEA is coming into town and it's going to provide thousands of jobs for everyone. April Fools!
GRAHAM CLULEY
Oh, really?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Oh, that's jolly, isn't it?
CAROLE THERIAULT
I know, I know. It's in The Telegraph. I'll put a link in the show notes.
GRAHAM CLULEY
It's a bit if you were a Viking or something and you put a buoy in the sea saying, Greenland this way, and you pointed to the Caribbean. You know, it's that. Yeah, that would be it.

I saw an April Fools, which kind of annoyed me. I saw one from Elon Musk.
CAROLE THERIAULT
Yes, he's the other one I want to talk about.
GRAHAM CLULEY
Oh, right. Yeah, go for it.
CAROLE THERIAULT
Yeah, well, because I saw him tweet.
GRAHAM CLULEY
Saying that Tesla had gone bankrupt or something.
CAROLE THERIAULT
I was thinking of Scott Helme, who was waiting for his car, you know, put money down. He must have thought that was hilarious.
GRAHAM CLULEY
And Elon Musk posted these photos of himself sort of, you know, sort of, I don't know, splayed across a Tesla, sort of with a begging piece of cardboard or something.
CAROLE THERIAULT
Well, he is $10 billion in debt.
GRAHAM CLULEY
And I just thought, you know what, I'm just not sure that's funny.
CAROLE THERIAULT
Yeah, really agree. Now, so this was the one I wanted to focus on. It was on the Beeb, or the BBC for you guys in foreign places. They got taken this year live on air.

This is BBC Breakfast morning host Roger Johnson and Babita Sharma. Now, I'm not a breakfast news person. I tend to do it— I'm a Radio 4 listener, really.

So I don't do the TV thing.
GRAHAM CLULEY
Snob.
CAROLE THERIAULT
Yeah, well, yeah, you go. But there they are chatting. You know, they're chatting. It's like a sofa setup where they're chatting about the day.

And they're talking about the news that a tech firm in Gibraltar was capitalizing on the Brexit discourse on social media with a pair of emoji.

The article says the firm created the Brexit Bulldog and the Starry Blue emoji for users to have a colorful way to share their political leanings on social media.

In fact, I've got a clip. Okay, this is a great story here in the Observer about how you can choose your emoji post-Brexit.

Of course, the British Bulldog there on one side and the EU flag with starry eyes. What did you make of this one?
GRAHAM CLULEY
It's a blueberry, isn't it? I have to say—
CAROLE THERIAULT
It looks like it, doesn't it?
GRAHAM CLULEY
I love this story. The minute I saw this, I thought, we've got to do this if we can.

Essentially, it's an Italian firm that's based out of Gibraltar that is developing emojis to allow you to state your Brexit identity, to say that you're a Remainer or that you're a Leaver.

The one thing I really loved as well is at the end of the story, government sources indicated that if the Gibraltar-based company presses ahead with the launch, ministers might look at imposing a post-Brexit tariff on emojis.

Oh my goodness.
CAROLE THERIAULT
At this point, they are hook, line, and sinker falling for it, but tweets start coming in explaining that actually it was an April Fool's joke. See how they react.
GRAHAM CLULEY
If we could rewind 5 or 6 minutes, we might have a different view on this. How's it— how are your foreign languages?
CAROLE THERIAULT
Good. Brilliant. Amazing.
GRAHAM CLULEY
Really?
CAROLE THERIAULT
No.
GRAHAM CLULEY
Okay, but a schoolboy French for me. I presume Mike, who did the papers, doesn't speak any Italian either. A couple of people have pointed this out.

It is, of course, today the 1st of April.

This story in the Observer about the emojis that we were discussing, as someone said very enthusiastically here, is written by— if you come across here, the journalist who wrote it is called Scherzo Primavera, which is Joke of Spring.
CAROLE THERIAULT
Oh, why did we not get that earlier? Why indeed?
GRAHAM CLULEY
Scherzo Primavera. It sounds like a plate of pasta. That's what they were duped by.
CAROLE THERIAULT
Yes, it sounds like a plate of pasta. You're so learned. You're so learned. Learned. Anyway, very funny, very cute. They handled it well. Excellent.
GRAHAM CLULEY
Well, I guess I do like when people's balloons are popped by falling for an April Fool. You know, people—
CAROLE THERIAULT
Oh, you've fallen for quite a few, Mr. Cluley.
GRAHAM CLULEY
Oh, you— it used to— can I tell the dear listener, it used to be hell working with Carole Theriault, because every April 1st I would be so fooled by her.

The most devious, evil, evil April Fools. And sometimes she'd have her colleagues involved.
CAROLE THERIAULT
We went far and wide.
GRAHAM CLULEY
You certainly did.
CAROLE THERIAULT
Yeah. Well, you were worth it back then when you were young.
GRAHAM CLULEY
On that bombshell, I thank you for listening. If you enjoyed the show, you can follow us on Twitter @SmashinSecurity. No G. Without a G.

We have an online store where you can buy stickers and mugs and t-shirts and things like that. SmashingSecurity.com/store. Next week, it'll be a regular show.

We should have a special guest back with us. Hopefully we won't have any of these techie problems that we had this time. And thanks for tuning in.

If you like the show, rate it on Apple Podcasts. It really does help new listeners discover us.
CAROLE THERIAULT
Yes. And it makes Graham not complain as much. It just makes my life much easier.
GRAHAM CLULEY
Go to smashingsecurity.com to listen to past episodes and for details on how to get in touch. I've got a little how to get in touch with us. Until next time, cheerio.
CAROLE THERIAULT
Bye-bye. Bye. Great. Yes, didn't go bad. No, no, it doesn't sound like it's a second pass though. It's pretty stumbly.
GRAHAM CLULEY
That's natural.
CAROLE THERIAULT
It's natural. Exactly. Yeah.

Hosts: Graham Cluley, Carole Theriault

Show notes:

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.metacompliance.com now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
