Smashing Security podcast #076: Spying phones, hacked ski lifts, and World Password Day

Industry veterans, chatting about computer security and online privacy.


Cheap Android smartphones sold on Amazon have been sending customers’ full text messages to a Chinese server, ski lifts are found to be the latest devices left open to abuse by hackers, and we remind you why password managers are a good idea on World Password Day.

Oh, and our guest serenades us with a hit from the 1980s!

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by broadcaster and journalist David McClelland.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Now, it may surprise you, Shanghai Adups Technology Co Ltd is actually a Chinese firm.

And what they do, their business is they say, look, we've got the technology to wirelessly update software installed on mobile and IoT devices.

And they have a number of big-name clients, not just BLU, but ZTE and the impossible-to-pronounce— and I'm going to look at you now, David— Huawei.
Unknown
Whoa, my take on this is to adopt the 1980s kind of football chant, "Who are we?" Okay, like that, funny.

Smashing Security, Episode 76: Spying Phones, Hacked Ski Lifts, and World Password Day with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 76. My name is Graham Cluley.

I'm Carole Theriault, and we're joined today by returning guest, it's the globetrotting TV star, broadcaster, and journalist David McClelland. Hello, David.
DAVID MCCLELLAND
Hello, Graham. Hello, Carole. Lovely to hear from you again.
CAROLE THERIAULT
Yes, so good to hear you're on the show again.
GRAHAM CLULEY
It's great to have you back. I know you've been trotting around the world doing all kinds of things. You've been to China.
DAVID MCCLELLAND
He's not a pig.
CAROLE THERIAULT
You've said trotting twice.
DAVID MCCLELLAND
What's going on?
CAROLE THERIAULT
He's just trying to undermine you, David. I know his techniques.
GRAHAM CLULEY
He's a busy chap, so we always appreciate him coming on the show.

And talking of shows, David, you may have heard, if you've been following our Twitter, and our gracious listeners may have heard as well, that we are going to take our show on the road next month.
CAROLE THERIAULT
Very exciting.
GRAHAM CLULEY
Very exciting. In June.
DAVID MCCLELLAND
So where are you going? Where are you trotting off to, Graham?
CAROLE THERIAULT
Yeah, Graham.
GRAHAM CLULEY
My piggy little eyes and four little trotters will be ambling along. First of all, we're going to Cambridge, and then London, and Manchester, and Edinburgh.
CAROLE THERIAULT
Sounds so pizzazzy, doesn't it?
GRAHAM CLULEY
Doesn't it? We will be appearing as part of the Secure Tour with our good chums at Chess Cybersecurity.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
And it will be in the form of a live podcast in front of real people.

Now, that in itself is petrifying, podcasting in front of people, but what's even worse is that Carole and I will be in the same room as we do it. And we've—
CAROLE THERIAULT
Excuse me?
GRAHAM CLULEY
Well, we've never actually recorded in the same room, have we? Now, we're in different locations.
CAROLE THERIAULT
Thank God for that. So the sparks will fly. Sparks will fly.
GRAHAM CLULEY
Sparks are going to fly. So we have created a little page.

If you happen to be interested in coming to see us and the rest of the Secure Tour, if you go to smashingsecurity.com/live, you can check out—
CAROLE THERIAULT
You've been talking so long, you're almost like Sam Harris's housekeeping section.
GRAHAM CLULEY
You can check out our upcoming dates.
CAROLE THERIAULT
Woo woo, sponsor section. Thanks to MetaCompliance for supporting this episode of Smashing Security.

People are the key to minimizing cybersecurity risk postures, and MetaCompliance makes this easier.

Listeners, you can get a 10% discount off the high-quality cybersecurity e-learning catalog from MetaCompliance by quoting the code SMASHING.

Visit metacompliance.com and quote the code SMASHING.
GRAHAM CLULEY
Smashing Security. And welcome back. Now, chaps, how would you feel about me rifling through your smartphones? Would you be comfortable with that?

If you unlocked them, just give them to me. It'd be fine. It won't be a problem.
DAVID MCCLELLAND
I noticed you say smartphones because, yes, like many techies, I do travel around with probably a pocket full of different smartphones.
CAROLE THERIAULT
You're kidding.
DAVID MCCLELLAND
No, no, no, it's true.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You've got them all, haven't you? You're trying them out, testing out all the technology.
DAVID MCCLELLAND
It's my job to be across as many of the platforms as I can be, otherwise I feel a bit of a fraud, even more of a fraud than I feel anyway.
GRAHAM CLULEY
So you could probably spare one of those, hand it over to me, and you wouldn't mind me looking at your text messages and your private communication. Be no problem at all, would it?

No problem at all. Well, the thing is, have you or any of our lovely listeners bought themselves a cheap Android phone on Amazon or at the Best Buy store?

Because if they have, it may have been secretly sending all of your text messages and more to a server in Shanghai.
CAROLE THERIAULT
Shut the front door!
GRAHAM CLULEY
I'm afraid so.
DAVID MCCLELLAND
Get away!
CAROLE THERIAULT
No way! Amazon and Best Buy, they're pretty reputable places.
GRAHAM CLULEY
Well, you would think so, but you know, there are some dodgy things sold up on these sites as well.
CAROLE THERIAULT
On the internet?
GRAHAM CLULEY
I know, hard to believe, isn't it? Even on places like Amazon.

Several Android smartphones sold through major retailers like Best Buy and Amazon have had firmware pre-installed on them which transmits sensitive information to third-party servers in China without the owner's knowledge or consent.

And the ones which are of interest to us today are made by a Florida-based company called BLU, B-L-U, all in caps.

And if you go looking for cheap Android phones on Amazon, chances are you're going to find some BLU phones.
DAVID MCCLELLAND
Now, I remember, Graham, when these launched, it must have been late 2016. And I remember when the PRs were getting in touch with me and they reviewed okay.

You know, they're American budget Android handsets, but they've got pretty good specs. They look quite good and they're available at a really reasonable price.

And most of the tech titles that got their hands on it said, yeah, it's a pretty good budget phone. And it comes from the States.

You know, it's a United States brand rather than a no-name Far Eastern brand.
CAROLE THERIAULT
What's a budget phone go for?
GRAHAM CLULEY
About $100 or something like that.
DAVID MCCLELLAND
I'm looking actually at one right now on Amazon, one of these phones in question, and it is around about $100. £130 used.

They go up to around about £250, I think, for the new ones.
CAROLE THERIAULT
That's a lot cheaper than an iPhone or a high-spec phone.
GRAHAM CLULEY
Oh yes, and a lot cheaper than a swanky Samsung or something like that.

Now, so BLU, an American company, but they don't want to do everything, so they contract out some of the dull, tedious, boring stuff like security updates, supply chain issues, things like that.

They gave that to a company called Shanghai Adups Technology Co., Ltd. And that may surprise you. Shanghai Adups Technology Co., Ltd. is actually a Chinese firm.

And what they do, their business is they say, look, we've got the technology to wirelessly update software installed on mobile and IoT devices.

And they have a number of big-name clients, not just BLU, but ZTE and the impossible-to-pronounce— and I'm going to look at you now, David— Huawei.
CAROLE THERIAULT
Wait a minute, you guys in the same room and I'm not there?
DAVID MCCLELLAND
I can feel your piercing glare through the microphone, Graham. My take on this is to adopt the 1980s kind of football chant, who are we? So there we go. Who are we is good for me.
GRAHAM CLULEY
So there's a number of big names who are being supported by Adups technology, but it's BLU that has just had its knuckles rapped by the FTC because Adups weren't just pushing out updates, they were also grabbing much more data than they needed from your smartphone to do their job and sent it to a Chinese server.

You may be thinking, well, how much data were they really taking? Well, let me tell you exactly how much.
CAROLE THERIAULT
Oh no, okay, hold on. Let me just get my head in my hands quietly so I don't knock my microphone.
GRAHAM CLULEY
Start weeping.
CAROLE THERIAULT
Okay. I'm silent. Tears are falling down my face.
GRAHAM CLULEY
They took the full content of consumers' text messages, their real-time location data, the call and text message logs with full telephone numbers, contact lists, lists of applications used, everything that's been installed on the BLU device goes to a Chinese server.
CAROLE THERIAULT
Ouch. And £200 gave you this wonderful opportunity to give away everything. Ah, nightmare.
GRAHAM CLULEY
This data collection could not be disabled by users.

Now, that would be bad enough, and let's face it, that is pretty appalling because your private messages are simply not private and your location is not private anymore.

It's been shared with this other company you've never even heard of.

Furthermore, this Adups software, which was pre-installed on the phones, contained its own security flaws, which could be exploited by hackers.

So bad enough that you're getting ripped off, but which is horrendous.

But in addition to that, to make it even more painful, that ripping off software was actually exposing you to other risks.
CAROLE THERIAULT
Okay. But you know what? The risk before is so bad. I don't even know. It's not even icing, right? It's not even a sprinkle of icing sugar.
GRAHAM CLULEY
But doesn't it make you wonder just for a second what might be the intention behind collecting all this data?

You know, I think if we read between the lines, it's probably advertising. It's going to be about making money in some fashion.
CAROLE THERIAULT
If we're lucky.
GRAHAM CLULEY
And they might even be selling themselves to the telephone company saying, look, if you allow us to extract data, if you put us on the phones, then we'll give you a cut of any advertising.
CAROLE THERIAULT
I think it's about if someone could actually tie that to social media feeds. Right? So they've got your full number, they've got all your secret texts now.

I mean, it's a lot of information.
GRAHAM CLULEY
Right, and look at the freakout we've just had, quite rightly, about Facebook and Cambridge Analytica and all the impact that's had. Huge, huge mega headlines.

Here is something which I would argue is even more invasive in some ways, taking much more of your information.

This is a level of data theft, basically, which goes far beyond what that Facebook application was taking from users.
DAVID MCCLELLAND
We've also seen this not only on smartphones but also on desktop and laptop computers as well. Do you remember Lenovo a few years ago?

There was a piece of malware which Michael Horowitz, I think, discovered that was sending data to Omniture, and that was all about marketing and so on.

And that was a big stink when that got trawled out as well. And again, consumers have no idea that this is happening.

It's so wrong that I may well have agreed to some terms and conditions, but nowhere in there does it say that it's going to be sending the content of my text messages or my emails or the data about the files that I've got stored in My Documents.

It seems to be more rife than we imagine.
GRAHAM CLULEY
And it's insidious, isn't it?

This sort of crapware which is pre-installed on your— it's like you have to pay more money to get a computer which doesn't have all this junk which is pre-installed by the manufacturer.

That's one of the ways they're trying to claw some income out of you because they've sold it to you for so cheap.
CAROLE THERIAULT
Well, you know, and GDPR, guys, is literally two weeks away now, right?
GRAHAM CLULEY
And kind of need a klaxon to go off when someone mentions GDPR.
CAROLE THERIAULT
I'm just thinking these kind of stories are— it's going to be interesting if they actually, you know, rev up the engines right away or not, because this is exactly the kind of thing that I think certainly the EU residents, although I'd argue everyone around the world, would like to see it dealt with.
DAVID MCCLELLAND
Do you have a drinking game?

Does anyone in any of the forums have a drinking game that whenever you mention passwords or malware or something, it's, you know, have a sip of your beer or something else.

Maybe we should have the same for GDPR.
CAROLE THERIAULT
Yes, or just, yeah, just listen to the show and every time we say a security word, have a shot.
GRAHAM CLULEY
Oh my word, baby shot.
DAVID MCCLELLAND
It'll be more Smashing Security instead.
GRAHAM CLULEY
So talking about slurping, the first reports of this data being slurped up, they became public in November 2016 when some researchers found these BLU phones were doing this.

And BLU said to its customers, oh look, Adups has updated its software, don't worry about it. They've stopped all of that. A year later, it was found that they were still doing it.

And just now, the FTC have said that BLU continued to allow Adups to operate its rather shady activities without properly watching what was going on.
CAROLE THERIAULT
What the heck did Adups have on BLU?
GRAHAM CLULEY
Well, I think the thing was that Adups had the ability to remotely disable this functionality on phones. And then whenever they wanted, they thought, okay, the heat's off us now.

They could turn it back on again. So maybe BLU didn't know about it. I don't know. It's a little bit vague as to how much BLU were complicit in all of this. Yeah.
CAROLE THERIAULT
You'd kind of want a phone manufacturer to kind of look into this stuff though, no? You know?
GRAHAM CLULEY
Well, they have now had their knuckles rapped. They say that they've now implemented a comprehensive data security program.

They have been told that they cannot misrepresent what has happened in the past. And further than that, what the heck does that mean?

I think that means that they may have told some porky pies about it in the past as to why exactly.

And for the next 20 years, every 2 years, they will be subject to third-party assessments of their security program. And they've been told they have to be anyway.

So it's pretty, you know, although they haven't been financially fined for this, it's pretty rough treatment, I think, for one.
CAROLE THERIAULT
Oh, whatever. Shut up.
GRAHAM CLULEY
No, no, no. Rightly rough. I mean, rightly rough, right? It's not been a complete sort of, oh, there, there, and don't do it again, tap on the hand. It is more than that.
CAROLE THERIAULT
They have to keep records.
GRAHAM CLULEY
Well, no, on what they're doing. They have to keep proof that they are compliant and that they're not spying on you.
CAROLE THERIAULT
That's how you comply with most regulatory bodies anyway.
GRAHAM CLULEY
Anyway, I think the message here is think twice before buying a cheapo Android phone from an unfamiliar manufacturer.

Be wary of anything that's super cheap, because if it is really cheap and doesn't make you watch ads, for instance, then you have to wonder how else the company is making money.
CAROLE THERIAULT
And I hate that argument. I hate that argument. Someone could come out tomorrow, add a zero to the price, and people are like, oh, well, Graham said, as long as Graham said—
GRAHAM CLULEY
Sorry, why exactly would they have a voice like that, Carole, when you say Graham said?
CAROLE THERIAULT
No reason. No reason, honey.
GRAHAM CLULEY
Okay. Interesting. Interesting. I think the thing is you live your life through the phone.

It has to be worth paying a little bit more to have some confidence that you've got a safe device. And you are right, Carole. More expensive doesn't necessarily mean better.
CAROLE THERIAULT
No.
GRAHAM CLULEY
But at least I imagine the major manufacturers are being watched a little bit more closely and maybe have got more to lose when they're found out to be doing something wrong.
DAVID MCCLELLAND
I hope so.
GRAHAM CLULEY
Yes, let's hope so. So I guess you guys want your phones back now, do you?
CAROLE THERIAULT
Like you ever got your hands on my phone.
GRAHAM CLULEY
David, what have you got for us this week?
DAVID MCCLELLAND
Well, I don't know if you're aware, but there are a couple of big days this week. Tomorrow is May the 4th, so it is Star Wars Day.
GRAHAM CLULEY
Woo!
DAVID MCCLELLAND
But today, Thursday, it is World Password Day. So I wanted to drag up a story from a few days ago now, but I don't think you've discussed it here on the show yet.

And it's a piece of what some would call controversial advice from UK bank Santander.
GRAHAM CLULEY
Ooh, do tell.
DAVID MCCLELLAND
So this came after one of Santander's customers, he found himself unable to copy and paste from his password manager software into the Santander web app and so on.

And so he got in touch with the bank on Twitter.
CAROLE THERIAULT
Okay.
DAVID MCCLELLAND
Or rather, he got in touch with one of the customer service reps who was manning the Twitter account, which is as good as the same thing, right?

And the bank turned around and said that it would never recommend using third-party password managers. It is no longer possible to use these for security reasons.

Well, as you can imagine, the internet kind of blew up at that statement, but I just wanted to raise some of the concerns because I know we've talked about password managers on here.

I've talked to them elsewhere as well, and there are a number of common concerns that people, maybe from outside the industry, and looking at the Twitter conversation with Santander and a few security professionals, yeah, some people even within the security industry, some concerns that people have around password managers.

So while I think of them as generally being a good thing, I know you guys do as well.

I think given that it's World Password Day, it might be as well just to address some of those concerns and maybe do a bit of myth-busting if you like.

So this is a bit of a Splinter episode topic, I'm just noting.

So how about the criticism or the concern that password managers— surely having all of your eggs in one basket is a bad thing?
GRAHAM CLULEY
Do you know, this is the one which I hear all the time. And when people— because people say, oh, how am I meant to remember my passwords? I said, get yourself a password manager.

They say, yeah, but what if that gets hacked? I love it when people say that, because that says to me you are thinking about security the right way. Well done for being cynical.

Well done for thinking something really bad could happen, because that's what's going to protect you in future. And yes, potentially—
CAROLE THERIAULT
Have you given this talk before?
GRAHAM CLULEY
Yes, maybe your password vault could be hacked, right? And maybe your master password, which you use to protect it, could be weak or whatever.

But it's still got to be better and more secure for you to use a password manager than using your puny human brain to remember passwords because you'll just end up using the same password everywhere.
CAROLE THERIAULT
Okay, but what about some people that might be more technically challenged than others?

Would you recommend that they try and get their head around the whole concept of apps running within browsers that allow you to cross-platform it from your computer to your phone, or do you just say pen and paper?
DAVID MCCLELLAND
It depends. So there are people who I must admit I have failed to get to use password managers.

There's people who I've managed to overcome their concerns and they're, "Oh, I don't know what to do." You know, we've shown them it's not that tricky.

However, I have had a number of failures and in those cases I have tended to say, "Write it down in a book and put the book somewhere safe." I don't love that as a solution.

Because there's the risk, of course, that you might have a fire, or you may lose the book, or get stolen.

You may lose your password manager vault as well if all of that's in one place and it's well secured. You know, that's equally open to a fire as well, I guess.
GRAHAM CLULEY
I suppose so, although you would hope that it's at some data center which has been looked after properly and properly backed up.
CAROLE THERIAULT
And look, it's basically this: I think we all want to have different passwords for different websites, and there's no way in heck any of us can remember all the passwords for 200, 500, 1,000 websites we need to visit and log into.

Now, some of us are very lucky and we have 5 websites we go to, and to you I say, I wish I had your life, often.

But I am not one of those people, and I need to use a password manager in order to have nice, long, complex passwords that I don't need to keep track of. That's it.

It makes my life easier. I don't know if it's safer, though. 'Cause I do think they're a bit of a, you know, no, I do think they're safer. I do think they're safer.

I do think they're safer.
GRAHAM CLULEY
I think they're safer because I think you just fall into making so many mistakes if you just leave it to yourself to do.

We've done a Splinter episode all about passwords, so I don't want to cover too much of the same ground, but maybe the most important thing to stress to people is it's not so much about having a hard-to-crack password.

The most important thing is to have a unique password. So have a different password for different sites.

The bad guys will grab your password in one place and the first thing they will do is try and use that password to unlock your Gmail account.
DAVID MCCLELLAND
Parallel attacks.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And also, of course, if you can enable something like two-factor authentication, you're even more secure.

You can even hopefully on your password vault have additional levels of authentication to make sure someone can't get into that.
CAROLE THERIAULT
Look, let's face it, we're all into using password managers, right? So this is not really very debaty. We need someone from the other side.
GRAHAM CLULEY
We need someone who hates all of these things. Some sort of mega brain who can remember all of their passwords.
CAROLE THERIAULT
Oh, I can think of someone.
GRAHAM CLULEY
You can?
CAROLE THERIAULT
Mm-hmm. I'll say it off air.
GRAHAM CLULEY
It's exciting for the listeners.
DAVID MCCLELLAND
I have tried and failed with password managers with my mum and dad who always listen to the things that I do. So hello mum, hello dad.

But they, I think they do live that lifestyle that you crave in terms of having 5 different usernames and passwords.

My dad has a Chromebook, which goodness me has cut down on my PC support calls so much. And you know, everything he accesses is through a web browser.

Everything he accesses is basically two websites, which even he can just about remember those. And my mum on her iPad, that's all she uses, pretty straightforward.

My wife, she doesn't listen to everything that I do, so that's fine. I can kind of naysay her.
CAROLE THERIAULT
My husband doesn't listen either.
GRAHAM CLULEY
Welcome to the club.
DAVID MCCLELLAND
I've been trying to get her into a family account with a password manager that I use for the last 6 months or so, and she just doesn't get it.

She seems to think it's far easier just to reset the password every time you forget what it is, which is practically every time. I've heard people do that.

She is one of those people.
CAROLE THERIAULT
I don't know though, what's the fight against it? I don't know. I kind of thought it was rather clever.

I'd never even thought of it myself, so I thought when someone mentioned, I was like, kind of interesting idea.
DAVID MCCLELLAND
I think it's just change, and it's that age-old thing of getting people to change the behaviors that have been embedded within them.

It's an additional step, you know, with the password manager that I use, it can be built into the browser or as a standalone app or something, but it's just not in her muscle memory, and I think that's her main objection to it.

So I'm going to keep on chipping away at that little block, and I'll report back and let you know if I have success.
GRAHAM CLULEY
And listeners, if there is anyone out there who hasn't yet tried a password manager, keeps on hearing us talking about them, give it a go because it is World Password Day.

So maybe today's the day to just give it a dip your toe in and see how you get on.
CAROLE THERIAULT
Yeah, at least check it out.
DAVID MCCLELLAND
Yeah, just as a coda to this story, the guy on Twitter who got in touch with Santander, I mean, he was, he was pretty good about the whole thing.

He wasn't used to being involved in the middle of a Twitter storm like this, and I think that he actually handled it very well.

The guy, he actually spoke with the guys from Santander who did say, well, you know what, in the face of this and in the face of so much vitriol online from all of the great and good of the security world and the National Cybersecurity Center who chipped in as well, they said, we're going to go and review our policies.

We're going to have a chat to our developers and we will get back to you and let you know what we think. So, you know, it's not as though Santander have shut us down.

They've been quite open about it and said, well, thank you for bringing this to our attention.
GRAHAM CLULEY
Well, just like people are being convinced to use password managers.

I think more and more websites are learning that they shouldn't do things which stop password managers from working effectively.

And one of those things is, of course, the ability to paste your password into the login form, because if you don't do that, then admittedly, yeah, a password manager can be a bit of a pain there.
CAROLE THERIAULT
Good advice. Onwards.
GRAHAM CLULEY
Onwards. Carole, from one happy story to another, I hope you got something upbeat, something cheerful, something that's going to fill us with joy.

To end this episode of Smashing Security with. What have you got for us?
CAROLE THERIAULT
Well, you know, it's always fun doing this show because I know you quite well, Graham, but I don't always know our guests very well, right?

So, Dave, I want to know if you're a big wuss like Graham when it comes to winter athletics.
DAVID MCCLELLAND
I have never been skiing.
GRAHAM CLULEY
I have—
CAROLE THERIAULT
Have you not been skiing?
DAVID MCCLELLAND
Skating?
CAROLE THERIAULT
Skating?
DAVID MCCLELLAND
Skating? I've been ice skating a few times, but I'm— we haven't met in person, but I'm quite tall. I'm a good 6'2", 6'3".

I've got quite a high center of gravity, which means I fall over, and it makes a lot of noise, and it may crack the ice when I fall over. And the same with skiing as well.

It's a long way to fall. I've never been skiing on actual snow, just those really bristly, dry ski slopes. And I hate those.
CAROLE THERIAULT
The Canadian in me is crying.
DAVID MCCLELLAND
I'm sorry.
GRAHAM CLULEY
Hang on a moment.

Does it turn out that out of the two of us, out of hunky David McClelland and myself, who's got a very low centre of gravity, I am actually the more experienced winter athlete.
DAVID MCCLELLAND
And also any sports that I do have to involve a ball, whether I'm hitting a ball or kicking a ball or throwing a ball or something like that.

They're the only ones that seem to engage with me. I must be part dog or something.
CAROLE THERIAULT
I can't wait to meet you in person. I'll let you know.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Now, Graham, so it turns out that maybe you've been right about being afraid of things like skiing.
GRAHAM CLULEY
Oh, sorry. I have been skiing once.
CAROLE THERIAULT
And not—
GRAHAM CLULEY
When I was 12 years old. And I just thought, what is the point of this?

Because there you are standing at the bottom of this slippery, slidey, icy mountain thing, and you've got to get to the top of it in the glorious sunshine.

You're wrapped up like this and you're biking away and all the rest of it, getting heat stroke or whatever.

And you've got planks stuck on your feet and you have to sort of waddle up to the top or catch a chairlift just for the purpose of coming all the way back down again.
CAROLE THERIAULT
What was the point of that? Terrified.
GRAHAM CLULEY
Well, not as terrified as the people I'm about to crash into. But yeah, I've had some bad experiences on the snow, I have to say.
CAROLE THERIAULT
Not as terrifying as the poor skiers in Gudauri, Georgia this week when the ski lift went completely haywire. Did you see this?

It started speeding backwards at terrifying speeds with loads of skiers on the ski lift. So it's kind of hurtling them off. There's, I've got a short clip here.

You can take a look, but it's bloody harrowing.
GRAHAM CLULEY
Let's check this out. This is— oh my word, this is horrendous!
DAVID MCCLELLAND
Good grief! Oh my gosh, and they're all crashing into one another.
GRAHAM CLULEY
This is a guidance warning, please don't watch this.
DAVID MCCLELLAND
Oh my word!
CAROLE THERIAULT
Yes, yes, and they're jumping off trying to save themselves.
GRAHAM CLULEY
Chairlifts are terrifying at the best of times. Being 30, 40 feet in the air, and then you're being— this is flinging you backwards around. It's horrendous. Do people die?

Are we watching people die in here, Carole?
CAROLE THERIAULT
No, I don't think anyone died, but a lot of people got hurt. A dozen people or so got hurt, and they're actually thinking it's incredible that there were so few.

Now, a completely different story, all about chairlifts and security happens to come out on the same day, which is really kind of strange because apparently they're not related at all.

In fact, the researchers didn't even know about the Gudauri chairlift incident.

Let me welcome to the story two infosecurity dudes named Tim Philip Schäfer and Sebastian Neef, both from internetwache.org.
GRAHAM CLULEY
Internet what?
CAROLE THERIAULT
Internetwache.org.
GRAHAM CLULEY
Careful how you say that.
CAROLE THERIAULT
Now, Internetwache is like a cyber Scooby-Doo gang, and they seem to look— they really are. It's a really great website and they look around for serious online flaws.
GRAHAM CLULEY
Which one of them is Danger Prone Daphne?
CAROLE THERIAULT
And they follow protocol to get it fixed. And their whole ethos seems to be, look, we look for small donations, but really we want to make the internet a safer place.

And that's just, you know, a cute ethos. I love all that.

So anyway, as one of their projects, Tim and Sebastian decided to do some internet-wide scanning, hunting down insecure human-machine interfaces. This is known as HMIs.

Now, an HMI is kind of the centralized control unit for manufacturing lines. I mean, we use them also. It's all the devices that we use, like a phone, right? It has an HMI to it.

But if we look at the ones that are in manufacturing lines, this is things that let us do event logging or video feeds or event triggering.

And it basically allows the person in charge to access the system at a moment's notice and make any changes, right?
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Now, these two started looking at the HMI of a ski lift at Patscherkofel-Bahn, a mountain resort based near Innsbruck, Austria.
DAVID MCCLELLAND
Well done.
CAROLE THERIAULT
Thank you very much. I said that beautifully. Now, Tim and Sebastian snoop about and guess what they find. Okay, you ready for this?
DAVID MCCLELLAND
Right.
CAROLE THERIAULT
The chairlift's control panel was left wide open on the internet, meaning anyone from malicious agent to pesky kid could take control of the ski lift.

Now, first, there was no login screen for viewing or making changes to the ski lift.

Second, and I'm quoting Bleeping Computer here, the wonderful Bleeping Computer, settings for controlling the ski lift speed, the distance between the cable cars, and cable tension were all exposed in the open along with logs and other data.
GRAHAM CLULEY
So this is, you've got complete control over this chairlift thing?
CAROLE THERIAULT
Yep. Just click on the Bleeping Computer link. There's a perfect screenshot of actually the interface and it's frightening.
GRAHAM CLULEY
So you could say, I want these cable cars or whatever to be, I don't know—
CAROLE THERIAULT
Go backwards at ridiculous speeds and very close together.
GRAHAM CLULEY
And be 2 inches apart or something.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Crikey.
CAROLE THERIAULT
And these two guys found that the firmware was outdated as well. So Internetwache did the right thing, reported the flaw to CERT Austria.

The ski lift was taken off pretty darn quickly, and Innsbruck officials are taking, quote, extreme care to roll out a secure system before summer season, unquote.

I suppose it's not slopes. It would be more the roads or the paths, the fields.
GRAHAM CLULEY
The thing is that they may have fixed this particular instance, but they're probably hiding somewhere or other running some other ski lift or chairlift system, which is equally exposed.

It's just, this is the one that they found.
CAROLE THERIAULT
Oh no, I know. Totally. And it's really scary because big manufacturing companies or critical infrastructure tend to think very much about security when doing these things.

But these guys are kind of like, do chairlift operators even consider that their thingamajig is connected to the internet?

So there's like three kinds of due diligence that everyone has to do. It's like, did the people who you bought the gizmo from build it safely, right?

You've got to somehow make sure of that. And then did you set the dingus up correctly? Did you make any mistakes? Did you leave it open? And you do checks, right?

Have you looked at it in the last few years to make sure you've updated it and it's running correctly?

And those are kind of the three things I think you got to do, even if it's a chairlift or even... think about gyms, think of everything's internet.
GRAHAM CLULEY
Once you've set these things up, it's just forgotten about. Now I can imagine that maybe the primary risk here would be just kids messing around, right?

Not thinking about the potential harmful consequences.
CAROLE THERIAULT
Oh yeah, but can you imagine?
GRAHAM CLULEY
Yeah, but imagine if you were some conspiracy theorist who believed that the royal family were shape-shifting lizards.

You might take over a ski lift when Prince Charles and Camilla were going off on one of their jaunts, or Prince Andrew.
CAROLE THERIAULT
And they're so much more important than every one of us, of course.
GRAHAM CLULEY
Well, as a British person, I do believe that, obviously, deep down in my heart. But that's... there is the potential though for someone to...

I wonder if you could take over the ski lift. I wonder, hey, how about ransomware for ski lifts? How about you get people stuck halfway?
CAROLE THERIAULT
Enough feeding bad people ideas. I think really all we need to do is look at whatever happened in Gudauri, Georgia. It shows us how awful something like this could be.

So if you have something that's connected to the internet, which basically means anything that you can control that's not actually actively connected to it, it's probably using the internet, make sure it is locked down.

Boom.
GRAHAM CLULEY
At the very least, have a password. Something like ski lift 1, ski lift 2, something like that.
DAVID MCCLELLAND
And store it in your password manager.
CAROLE THERIAULT
You guys.
GRAHAM CLULEY
We'll be right back after this break with Pick of the Week. And thanks once again to MetaCompliance for supporting this episode of Smashing Security.

People are the key to minimizing your cybersecurity risk posture.

You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHINGSECURITY.

That's metacompliance.com. And don't forget the code Smashing Security. On with the show. And welcome back.

It's our favorite time of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
DAVID MCCLELLAND
Pick of the Week.
CAROLE THERIAULT
He knows. He knows.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
It should not be security-related at all. Okay.
DAVID MCCLELLAND
It can be chess-related. Oh no.
GRAHAM CLULEY
And my pick of the week this week is a gallimaufry of geeky goodness.
CAROLE THERIAULT
You practiced that.
DAVID MCCLELLAND
Yes.
GRAHAM CLULEY
I have. More than you practiced your Austrian ski lift location.
DAVID MCCLELLAND
Hang on, what is a gallimaufry?
GRAHAM CLULEY
A gallimaufry, I believe, is a concoction— is it of food? Is it like a cornucopia in a way of sort of food and— oh look.
DAVID MCCLELLAND
A confused jumble or medley of things. Top hit on Google, thank you very much. That was in perfect unison.
CAROLE THERIAULT
Yeah, our brains are synced.
GRAHAM CLULEY
And that is exactly what this is because it is a confused jumble of BBC sound effects.

The BBC has compiled over 16,000 sound effects since they started doing such things in the 1920s, and they've made them available for free.
CAROLE THERIAULT
Oh, I love that.
GRAHAM CLULEY
I'll put a link in the show notes. It's bbcsfx.acropolis.org.
CAROLE THERIAULT
Let's play a few on this show if we can. If I can include some, I will.
GRAHAM CLULEY
They've got— well, oh well, well, Carole, I do— are we a commercial enterprise? That's the first thing. We do have sponsors. I'm not sure.
CAROLE THERIAULT
Probably are.
GRAHAM CLULEY
The sound effects can only be used for personal, educational, or research purposes, which is a bit of a shame.

And also the interface means that you can't go and download all, you know, 16,000 all at once. So the interface isn't fantastic, but I love this. I think it's fantastic.

And it is hilarious, some of the sounds which some BBC technician obviously went out in the 1930s and recorded.
CAROLE THERIAULT
Love it.
GRAHAM CLULEY
Maybe of use sometimes. So that is why it is my pick of the week. Now, David, what's your pick of the week?
DAVID MCCLELLAND
Well, Graham, this one is for you.
CAROLE THERIAULT
Oh, it's not chess, it's not chess, it's not chess.
DAVID MCCLELLAND
Well, it is actually chess. Yes, it is the musical, the musical Chess, which is playing right now at the London Coliseum Theatre, which is the home of the English National Opera.

And opening night was earlier this week.
CAROLE THERIAULT
You're kidding me!
DAVID MCCLELLAND
No, I mean, so Chess is a big musical that was written by the two blokes out of ABBA, Benny and Björn, along with lyricist Sir Tim Rice.
CAROLE THERIAULT
ABBA too?
GRAHAM CLULEY
This is just my idea of heaven, I have to say. Chess and ABBA.
DAVID MCCLELLAND
So it's very rarely performed, and the West End original production was in 1986. It hasn't been performed in the West End since.

But it's got some really memorable songs in there like One Night in Bangkok and I Know Him So Well and Anthem.

And the original cast had some brilliant names in it like Elaine Paige and Barbara Dickson and Dennis Quilley.

This time around it's got Michael Ball and Alexandra Burke and Tim Howar.

Now the first preview last week actually took a bit of a turn for the worse when the lead Tim Howar who's also in Mike and the Mechanics, I should add, had to leave, had to make a move very quickly during the interval to go and make the birth of his baby boy.

But he's been back in again this week. So it's playing at the Coliseum this week and until the 2nd of June. And I've got tickets to go and see it next Friday.
CAROLE THERIAULT
I'm a bit jealous. I'm a bit jealous.
DAVID MCCLELLAND
It's also really interesting politically in that it is a face-off between the United States and Russia, and it is very much a kind of Cold War story.

And these are names that I don't really know. I'm sorry, Graham, you're gonna scowl at me now, but it's loosely based upon the stories of Bobby Fischer and Anatoly Karpov as well.

So it's kind of a product of its time in the '80s, but then some would say maybe it's eerily relevant right now as well.
CAROLE THERIAULT
This is maybe the second most interesting chess-related thing, or first actually, that has ever happened on the show. And we've had a lot of chess stuff talked about.
GRAHAM CLULEY
I think— but this is fantastic because Bjorn and Benny are terrific. ABBA were fantastic sometimes.
CAROLE THERIAULT
Oh, come on, they're fun, they're great fun.
GRAHAM CLULEY
And are you aware?
CAROLE THERIAULT
No, I've never heard of it at all.
GRAHAM CLULEY
I don't know anything about this? You must know Bangkok.
CAROLE THERIAULT
Not from that rendition.
DAVID MCCLELLAND
And I Know Him So Well as well. That was—
GRAHAM CLULEY
I Know Him So Well, which was Elaine Paige and Barbara Dickson.
DAVID MCCLELLAND
And how these worked— and there were a number of these concept musicals back in the '80s or so where they released the album a couple of years to raise money to put on the stage production.

And that was exactly what happened with Chess.
CAROLE THERIAULT
Hey, can you remember the best song or the most popular song from Mike and the Mechanics?
DAVID MCCLELLAND
In the Living Years.
CAROLE THERIAULT
Oh yes, yes. I thought there was one that was more—
DAVID MCCLELLAND
I wish I could have told him, say it loud, say it clear.
GRAHAM CLULEY
Musical theatre comes to Smashing Security.
CAROLE THERIAULT
Graham, that's how you sing a tune.
GRAHAM CLULEY
He did very well, didn't he? And I mean, ABBA are having a bit of a resurgence at the moment, of course, because fantastic song.
CAROLE THERIAULT
Mamma Mia, let's move on.
GRAHAM CLULEY
Okay, Carole, what's your pick of the week?
CAROLE THERIAULT
So my pick of the week actually started way back in 2004, so it's nothing new and shiny. This is even though it has 700,000 active users even today.

So I'm talking about the World Community Grid. Have you heard of this, Graham? World Community Grid? I'm sure David has.
DAVID MCCLELLAND
Yes, I have.
CAROLE THERIAULT
Yeah. So it's coordinated by IBM, and its mandate is to create the world's largest public computing grid to tackle scientific research projects that benefit humanity.

What a beautiful little segment.

So it's kind of a teeny bit like legit crypto mining where the WCG makes approved use of your idle processing power to number crunch for specific projects like learning more about cancer or influenza or Ebola or trying to eradicate these diseases.

They've also done some deep dives into sustainable water, clean energy, human genome and proteomes and research like that. So really amazing stuff. And the best bit is the website.

Go take a look at this website. It's the most beautiful, simple— I miss websites like this so much, and I really urge people to go back to this.
GRAHAM CLULEY
It's like an old GeoCities website. Oh no, it's quite nice.
CAROLE THERIAULT
Look how clearly— just click on something, and then the information you get is exactly what you want. There's no big whiz-bang. There's nothing flashing around.

There's no bright colors. It's just nice and clear and perfect.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And then you can go check out the stats there as well.

So the stats showing how it's used and how people help, and they talk about how much more they have left on current projects that they're running.
GRAHAM CLULEY
So in a nutshell, this is a variety of projects which use the idle time of your computer to go and do something helpful.
CAROLE THERIAULT
Right. And it would probably cost you a tiny bit of money on your electrical bill, right?

Maybe on your ISP bill, and you need to look into that, but it's trying to use a tiny bit of that processing power to—
GRAHAM CLULEY
And you can pick and choose which project you want to actually participate in. It's not like you get divvied up between all of them, right?
CAROLE THERIAULT
No, no, no, it's very cool. And I've read their terms and conditions, it seems very above board.

They're basically saying, we don't want anything from you, we don't want to collect any data, all we want is to basically mine these numbers and collect that.
DAVID MCCLELLAND
It's funny how you liken this a bit to legitimate crypto mining, but I remember going back to the '90s or so, SETI. Remember SETI@home, the Search for Extraterrestrial Intelligence?

And you had an agent very much like this installed on your machine, and it would have a really cool screensaver. I think that was the reason why many people had it on there.

And I remember I had an IBM ThinkPad that I ran it on, and every time my machine went idle, SETI would kick in and it would start to take off.

The fans would spin up to full whack, and I knew that it was— yes, I'm finding ET. Fantastic. And I kind of feel a bit guilty for going back to work again.

But it strikes me very, very similar to that.
CAROLE THERIAULT
Yeah, it's a cool thing to do, and it helps science and research and humanity. And it's something that even the terribly lazy Graham can do to be an amazing world citizen.
GRAHAM CLULEY
You mentioned my name for some reason at that point, Carole.
CAROLE THERIAULT
David doesn't sound lazy to me at all.
GRAHAM CLULEY
Apart from I'm the actual skier, it turns out. Let's not forget that. I'm the athlete.
CAROLE THERIAULT
Anyway, check out theworldcommunitygrid.org.
GRAHAM CLULEY
Well, that just about wraps it up for the show today. If you want to follow us, you can do so at @SmashInSecurity, no G. Twitter wouldn't allow us to have a G.

And you can pick up mugs and t-shirts and stickers and things like that at smashingsecurity.com/store.

And don't forget, if you're interested in seeing us live next month in the UK, go to smashingsecurity.com/live. And you can see the dates.
CAROLE THERIAULT
Hope to see you there, be brilliant.
GRAHAM CLULEY
And things there. David, thank you for joining us. If people want to follow you online, what's the best way to do that?
DAVID MCCLELLAND
Probably go to Twitter @DavidMcClelland. That's two C's, three L's, and a few vowels chucked in as well.
GRAHAM CLULEY
That sounds like a master password to me. So thanks everybody for tuning in. If you like the show, do rate us on Apple Podcasts.

We really appreciate it, and it actually helps new listeners discover the show as well.

So go to www.smashingsecurity.com if you want to check out some of our past episodes and the details of how to get in touch with us. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye everyone. Apparently entirely unconnected with the Duglary ski lift disaster, happened the same day. These two find the HMI of a ski lift at Paterokilfan. I can say that.

I practiced so much as well, and I've wrote it phonetically.
GRAHAM CLULEY
Sorry.
CAROLE THERIAULT
Okay, try again.
GRAHAM CLULEY
Ski lift where, Carole?
CAROLE THERIAULT
I'm going to try and do it seriously first, because I don't think I'm going to even do it.

Now these two started looking at the HMI of a ski lift at Patrick-Kofelbahn, a mountain resort based near Innsbruck, Austria.
DAVID MCCLELLAND
Well done.
CAROLE THERIAULT
Thank you very much. I said that beautifully.

Hosts:

Graham Cluley

Carole Theriault

Guest:

David McClelland – @davidmcclelland

Show notes:

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.metacompliance.com now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
