Smashing Security podcast #098: A Facebook omnishambles

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Millions of Facebook user accounts put at risk after hack! The UK Conservative party’s conference app causes a privacy omnishambles! And Facebook (again) has been doing something naughty with the phone numbers you give it for security reasons! Oh, and Maria gets very excited about something to do with Star Trek.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARIA VARMAZIS
That's a lot more people than I would have thought. That's a lot of people.
GRAHAM CLULEY
We're not some tinpot little country, Maria Varmazis. We have lots of people going to these conferences.
MARIA VARMAZIS
A political conference? I would have thought a couple hundred. I don't know, who wants to go to these things? They're so boring.
Unknown
Smashing Security, Episode 98, A Facebook Omnishambles, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 98. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, hello, hello, hello. We are joined this week by—
CAROLE THERIAULT
Let me guess.
GRAHAM CLULEY
What, what, what?
CAROLE THERIAULT
Is it a David?
GRAHAM CLULEY
Well, we've had about 4 or 5 Davids in a row.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
It is actually, yes, it is a David. It's David Varmazis. Hello, David Varmazis.
MARIA VARMAZIS
Hi. Hi, it's David.
GRAHAM CLULEY
Oh no, it's Maria Varmazis. Hi, Maria.
CAROLE THERIAULT
Much, much better.
MARIA VARMAZIS
I'll go by David if that helps. But that's also confusing for me. I don't know.
CAROLE THERIAULT
I loved your little David time, but it's time for Maria time.
MARIA VARMAZIS
Maria time.
GRAHAM CLULEY
Well, what it isn't time for, Carole, is a time for celebration because at the time we are recording this, it is the morning after the Podcast Awards.
CAROLE THERIAULT
Tell you what, I'm hoping this show is going to cheer me up. I don't think I've smiled all day.
MARIA VARMAZIS
There's got to be a morning after.
GRAHAM CLULEY
If you haven't heard, Maria, we didn't win at the Podcast Awards.
CAROLE THERIAULT
No. Boo, hiss.
MARIA VARMAZIS
Well, they're wrong.
GRAHAM CLULEY
Despite the enormous effort we went to creating our acceptance speech video, which they requested in advance.
CAROLE THERIAULT
Yes. Okay. I was just going to say they did request it in advance.
GRAHAM CLULEY
Yes. They said, if you want any chance of winning, you have to make an acceptance video. They said, we thought, oh, darn.
CAROLE THERIAULT
So we got our friend Michael Hutch to help us create a cool, cute video. And yeah, we still lost.
MARIA VARMAZIS
So you couldn't win without a video? Am I understanding that correctly? Yeah. Yes.
CAROLE THERIAULT
Well, it turns out sometimes you don't win with a video. It wasn't in the bag, you see. I misread.
GRAHAM CLULEY
Anyway, it was a brilliant video. We'll link to it in the show notes if people want to see it.
CAROLE THERIAULT
It's a great video. We're going to use it again.
GRAHAM CLULEY
To be honest, it's better than our podcast. I think we should have just won the Trophy Acceptance Video Awards instead of the Podcast Awards. That would have been nice, wouldn't it?

Now, Carole, are we even going to do an episode next week? Because you're off somewhere, aren't you?
CAROLE THERIAULT
Yes, well, we'll have to see what we do next week. Yeah, I'm in Montreal at the Virus Bulletin 2018 conference.
GRAHAM CLULEY
Get you?
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Well, I'm doing a little work there, so if there's any Smashing Security fans in the area, they should come and say hello.
GRAHAM CLULEY
Oh yeah. Bonjour.
CAROLE THERIAULT
Yeah. So, you know.
GRAHAM CLULEY
Okay. Will you have a little something for them? I'm into sticker. Oh, Smashing Security sticker. Will you have anything to give people, you know, if they're listeners?
CAROLE THERIAULT
I don't think people need a sticker to come say hello to me, Graham. I think meeting me is pretty cool.
MARIA VARMAZIS
It might help. Hey!
GRAHAM CLULEY
This episode of Smashing Security is supported by LastPass. Everyone knows LastPass is a password manager for end users, but it's also a great solution for businesses.

LastPass Enterprise simplifies password management for companies of all sizes, giving you the right tools to centrally control employee passwords.
MARIA VARMAZIS
Go to lastpass.com/enterprise lastpass.com/smashing to learn more.
CAROLE THERIAULT
Hey Graham?
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
So I've got a problem.
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
I use a cloud service, I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?
GRAHAM CLULEY
Yeah, you've got to encrypt it.
CAROLE THERIAULT
Before I load it up?
GRAHAM CLULEY
Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company.

Or indeed law enforcement or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor.

It's what I run on my computer, and any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control.

So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.
CAROLE THERIAULT
Cool, I'll check it out.
GRAHAM CLULEY
Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week.

I want to take you both on a summer holiday to the heart of Britain, the jewel of the Midlands, the beautiful resort known as Birmingham.
CAROLE THERIAULT
Just up the road.
GRAHAM CLULEY
It's not that far from us, is it?
CAROLE THERIAULT
No.
GRAHAM CLULEY
And that is where the Conservative Party, who are currently the party ruling Britain, have been having their conference this week. Yeah.

Now, the Conservative Party conference doesn't always go without a hitch. For instance, last year Prime Minister Theresa May, she was giving her keynote speech.
CAROLE THERIAULT
She wasn't very well.
GRAHAM CLULEY
Well, she did have a cough and someone passed her a lozenge, but that actually was the least of her problems because her keynote speech also got interrupted by a comedian who managed to pass her a P45 on stage.

That's basically the form you get when you've lost your job.
MARIA VARMAZIS
So what we would call a pink slip. Yes. Yes. Gotcha.
CAROLE THERIAULT
See, there's a reason why you make them pink, right? If it had been pink, she would not have touched it with a 10-foot pole. She thought it was a secret message. I felt for her.
GRAHAM CLULEY
And then there was this signage behind her. You know, they put big slogans behind you.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
And she had one behind us which said, building a country that works for everyone. But during her speech, every now and then, a letter would fall off the wall. It's the Velcro.
MARIA VARMAZIS
Oh, God.
CAROLE THERIAULT
It did feel a bit like they didn't have a very big budget.
MARIA VARMAZIS
It's poetic.
GRAHAM CLULEY
It was a bit of an omnishambles. And they don't want a shambles again, do they?
MARIA VARMAZIS
Omnishambles.
GRAHAM CLULEY
Yes. They really don't want one of those. So this year, Conservative Party Chairman Brandon Lewis, he's in charge of the whole conference.

He wanted to make sure that everything went very smoothly.

He was planning to boast at his opening address about the evidence that the party had turned itself around and that they were really getting with the beat.

And they had a new conference app, he was planning to say, which would let delegates provide feedback during cabinet ministers' speeches.
CAROLE THERIAULT
Oh, wow.
MARIA VARMAZIS
Like a Twitter?
GRAHAM CLULEY
Something like that, but a specific conference app. Unfortunately, it turns out that the app has a vulnerability. Unfortunately, my wife is also now printing a document behind me.

She's somewhere else in the house.
MARIA VARMAZIS
I was wondering what that sound was. Are you Xerox copying your butt right now, or?
CAROLE THERIAULT
Are you paying attention to the podcast? Because this is business.
MARIA VARMAZIS
It's not time for vulnerability. Was that printing is going to happen? Yeah, that's my guess.
GRAHAM CLULEY
So I don't know how many pages there are going to be.
CAROLE THERIAULT
Maybe it's a book. Maybe it's a Harlequin. Read a few lines. Read a few lines.
GRAHAM CLULEY
What is this? It's either my son's math homework or it's something to do with the PTA.
CAROLE THERIAULT
Okay. It's not going to be very long then.
GRAHAM CLULEY
No, hang on.
CAROLE THERIAULT
Is that a dot matrix? What are we?
GRAHAM CLULEY
No, it's a desktop. Yes, desktop. Let me just find out how much he's actually printing. Okay.
MARIA VARMAZIS
Maria? Yeah?
CAROLE THERIAULT
Maybe we should tell him now about our news.
MARIA VARMAZIS
Right now while he's not actually listening.
CAROLE THERIAULT
Well, he's editing the podcast.
MARIA VARMAZIS
Oh, is he really? Well, Graham. We have news for you.
GRAHAM CLULEY
Oh, shit.
MARIA VARMAZIS
Hang on.
GRAHAM CLULEY
I'm coming back. Right. She's rather embarrassed and she says she won't print anymore. Right. Now, listen, listen.
CAROLE THERIAULT
We're behaving.
MARIA VARMAZIS
We're being good.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So nothing suspicious happened while you were gone. Just want to assure you. You have nothing to worry about.
CAROLE THERIAULT
Everything above board.
MARIA VARMAZIS
Yep, absolutely nothing went on.
CAROLE THERIAULT
No, we didn't—
MARIA VARMAZIS
Nothing was discussed. Nope, not in the slightest. Just skip over that bit.
GRAHAM CLULEY
Listen, listen, there was a Conservative Party conference app, and unfortunately the app had a vulnerability. It had a weakness.

You could access and change anyone's information simply by entering their email address. No password required. Okay, access anyone's account.
MARIA VARMAZIS
No printer involved?
GRAHAM CLULEY
Whoa, whoa, no, this wasn't a printer flaw.
CAROLE THERIAULT
Oh, okay.
MARIA VARMAZIS
Graham.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So I go to this app and I put in your email address.
GRAHAM CLULEY
Presuming I was a Tory MP.
CAROLE THERIAULT
Presuming you were a Tory MP, which you are now, by the way. Oh, fantastic.
GRAHAM CLULEY
A career with a future. Or perhaps not.
CAROLE THERIAULT
And then I'd have access to your page and I could say you don't live at your address, but you live at Bum Sweat Lane.
GRAHAM CLULEY
You would— wow. You could change my profile photo. You could view my secret mobile phone number. You could maybe send me messages or send messages from my account.
CAROLE THERIAULT
So this was not meant to be open to anyone.
GRAHAM CLULEY
No, no, no, it certainly was not. And the problem is, right, so the only authentication is an email address. In the UK—
MARIA VARMAZIS
Wait, that was it? There's not even a password?
GRAHAM CLULEY
No, no, there's no password.
CAROLE THERIAULT
What?
MARIA VARMAZIS
In the—
GRAHAM CLULEY
Had I not made this clear? In the UK, MPs' email addresses are public. They are published on the parliamentary website.

It's a matter of public knowledge how you get hold of your MP via email.
CAROLE THERIAULT
Yeah, that's nothing. Yeah, that— yeah.
GRAHAM CLULEY
So it was easy to get hold of any of these or to log in. Now, it wasn't just MPs who were affected by this, but of course there are lots of political journalists who go.

In fact, a total of 11,000 people are in attendance at this conference, and many of them were presumably on this app.
MARIA VARMAZIS
That's a lot more people than I would have thought. That's a lot of people.
GRAHAM CLULEY
Yeah, we're not some tinpot little country, Maria Varmazis. We have lots of people going to these conferences.
MARIA VARMAZIS
A political conference, I would have thought like a couple hundred. I don't know who wants to go to these things, they're so boring.
GRAHAM CLULEY
You get all the MPs, all the aides, and the people they're having affairs with.

You have the journalists, you have companies, because there'll be an exhibition there, people who are touting.
MARIA VARMAZIS
Oh, exhibitionists.
GRAHAM CLULEY
Yes, yes, yes, all those exhibitionists. So all those sort of people. Now, as a consequence of this a number of things happened.

You will find it hard to believe, but there are pranksters and mischief makers out there who, when they get hold of a minister's private mobile phone number, they might call them up.
MARIA VARMAZIS
Wait, is that all they do?
GRAHAM CLULEY
No, no, no, it goes further than that, of course.
MARIA VARMAZIS
Because that's not what I would do.
GRAHAM CLULEY
Well, other victims included former London mayor and former foreign secretary and wannabe prime minister BoJo, Boris Johnson, who had his picture briefly replaced by something unmentionable.

But yeah, I think the clue is in his surname, Johnson.
MARIA VARMAZIS
See, that's more where I would have gone with that.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
Yeah. Yep.
GRAHAM CLULEY
Juvenile.
MARIA VARMAZIS
Oh, absolutely.
GRAHAM CLULEY
Immature. And there were also journalists who were tweeting actual screenshots of themselves effectively hacking into MPs' accounts.

And this is where it begins to get a little bit dodgy because, for instance, Guardian columnist Dawn Foster, who was one of the first to notice the flaw, she raised the alarm.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
She posted a picture of herself having accessed Boris Johnson's account. And she was fuming. She was saying, look, you can do this with anyone who's on the app.

And you can post comments as them. They've essentially made every journalist, politician, and attendee's mobile number public. Fantastic, she said sarcastically. Rather embarrassing.
MARIA VARMAZIS
Thank you for that clarification.
GRAHAM CLULEY
Need a sarcasm alert.
MARIA VARMAZIS
I didn't catch that.
GRAHAM CLULEY
British person using sarcasm, you may not have noticed.
MARIA VARMAZIS
As an American, it went right over my head. What can I say?
GRAHAM CLULEY
Now imagine, imagine you were a state-sponsored hacker wanting to infect an MP's smartphone with a zero-day exploit, or even just phish them.

Their mobile phone number, well, that'd be pretty useful, wouldn't it? So I think all Conservative MPs, their mobile phone numbers have to now be considered public knowledge.

Everyone who was listed in the app needs a new mobile phone number pronto.

And journalists as well who were in the app, they need new mobile phone numbers as well because of this security breach.

And you know, there are people out there who want to hack into journalists' phones, aren't there?
CAROLE THERIAULT
Now tell me, is Brandon Lewis thoroughly embarrassed?
GRAHAM CLULEY
I imagine that his crumpets are being toasted right now.
CAROLE THERIAULT
I don't think he deserves any crumpets after this shenanigans.
GRAHAM CLULEY
I imagine that he is in a little bit of hot water about this, because of course this distracted from a wonderful, fantastic conference as they were going forward.
MARIA VARMAZIS
And yeah, he doxxed 11,000 people, basically.
GRAHAM CLULEY
Well, yeah, I mean, he didn't write the code. It was the developers.
MARIA VARMAZIS
Oh, he didn't? Okay.
GRAHAM CLULEY
Oh, no, no, we don't get the actual chairman of the party to write the program.
CAROLE THERIAULT
It's a little different over here, Maria.
MARIA VARMAZIS
I know, I know you guys are—
CAROLE THERIAULT
I know Trump does everything.
MARIA VARMAZIS
On average smarter than us, so I don't know what the level is, you know, like Donald Trump gets his son Barron, doesn't he?
GRAHAM CLULEY
Because he's really good with computers. We've said that to us before. He gets into it. No, a company called CrowdComms, they've apologized and said that they fixed the app.

But you know, the damage has been done.
CAROLE THERIAULT
That's not really an oops thing, right?
MARIA VARMAZIS
This isn't like a, sorry guys, sorry.
GRAHAM CLULEY
Hugs. Well, this I think is the central point here, which is conference apps. Do we really need them? And I was reading an article by a chap called Matthew Hughes on the Next Web.

And he's saying, you know, basically they're all a load of rubbish, aren't they?
CAROLE THERIAULT
They're just there to track you.
GRAHAM CLULEY
I'm speaking at a conference this week, actually.

And one of my followers on Twitter said, hey, Graham, I've just installed the conference app and it's asking for my location on Android.

You know, why on earth would it be doing this? And I thought, well, maybe it's to track speakers.

You know, if I went off to the loo or something and I should have been on stage, maybe they'd be able to find me that way.

But yeah, generally I think it's probably unnecessary, right? But Matthew Hughes on the Next Web, he says, conference apps, they're as close as you get to disposable software.

They're like Pampers diapers, used once, then discarded. And as a result, they seldom have the polish you might expect from a commercial piece of code.

And I would imagine if this company made an app for this particular conference, they may make apps for other conferences, just reuse them.

So there may be many other conferences, maybe from other political parties, which have similar vulnerabilities.
CAROLE THERIAULT
Yeah, no, I think that's a really good point, actually. I don't think I've ever thought about that before, but of course, they're just one-hit wonders, these apps, aren't they?
GRAHAM CLULEY
Yeah, I don't really need an app for a conference. What I need is an agenda, right? Or a map.
MARIA VARMAZIS
A piece of paper.
GRAHAM CLULEY
A piece of paper. Yes. Wouldn't that be a novel thing to do?
CAROLE THERIAULT
That you could fold and put in your pocket?
GRAHAM CLULEY
Oh, flexible screen. Fantastic. Yeah, why not?
CAROLE THERIAULT
Yeah, I think it would be much smarter if these people use platforms that are trusted and recognized, and I'm actually having trouble thinking of one that is trusted.
MARIA VARMAZIS
Well, the internet. I mean, just put it on your website, the agenda. I mean, you know why conferences use these apps, right?
GRAHAM CLULEY
Yeah, yeah, yeah, yeah, yeah, but if the agenda is on the website, when you go to the conference, there's often lousy network coverage or the Wi-Fi sucks.
MARIA VARMAZIS
Oh, yeah, it's nonexistent. Yeah, but if you have a conference app that's trying to pull that information from the internet anyway, then you have the same problem.
GRAHAM CLULEY
It could cache it, couldn't it? But yeah.
MARIA VARMAZIS
So conference apps, they exist because the conference organizers are going, our agenda is going to change at the last minute.

Some Graham dude is not going to end up speaking because he's in the bathroom. So we need to change the lineup and we need people to know that. And paper doesn't update itself yet.
CAROLE THERIAULT
I think I'm going to add that to my advice column though, that, you know what, say no to one-hit wonder apps.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah. I think we're alone now.
GRAHAM CLULEY
We're advocating people just printing stuff out, are we? Interesting.
MARIA VARMAZIS
Just take a notebook and write it down. Get rid of the computer, get rid of the phone, just go back to paper.
GRAHAM CLULEY
At least in an emergency, you can put the paper to additional uses. So that's—
MARIA VARMAZIS
Oh.
GRAHAM CLULEY
What? You mentioned the bathroom.
CAROLE THERIAULT
You wipe your butts with paper?
GRAHAM CLULEY
In an emergency, Carole.
MARIA VARMAZIS
Not even, no.
GRAHAM CLULEY
I was once out walking my dog.
MARIA VARMAZIS
Wait, do we really need to hear this? No! I don't want to hear the rest of the story. No.
CAROLE THERIAULT
Maria, Maria, what story have you brought for us this week?
MARIA VARMAZIS
So equivalent to talking about wiping your rear end with something, we're talking about Facebook. It's time for my story.
CAROLE THERIAULT
Settle in, kids. This is going to be fun.
MARIA VARMAZIS
So big, big story this week. Hard for me to even concentrate on much of anything due to the whole political situation in the States right now.

So I was— some sort of breach happened on a day where there was a lot of news happening politically in the States, and it was Facebook.

And I don't know, it kind of went under the radar for me, which was, I'm sure, completely on purpose.
GRAHAM CLULEY
Must have been. Yeah, it must have been a coincidence, right?
MARIA VARMAZIS
Yeah, that they would announce this breach on a day when they knew not a lot of people in the States at least were paying attention.
CAROLE THERIAULT
So gross.
MARIA VARMAZIS
Yeah. So let's talk about what has now been dubbed the Facebook View As debacle. I'm dubbing it that. I don't know who's dubbed it that but me.
CAROLE THERIAULT
I did not pay attention to any real details here on the story, so I am very pleased.
GRAHAM CLULEY
Because you're not a Facebook user, are you?
CAROLE THERIAULT
No, certainly not.
GRAHAM CLULEY
That's the lovely thing about not being on Facebook.
CAROLE THERIAULT
Didn't give a shit.
MARIA VARMAZIS
Don't give a flip. It's great. Well, a lot of people still use it.
CAROLE THERIAULT
I do care. I do care. I care for you. I care for you, Maria, because you use it.
MARIA VARMAZIS
I do. I wasn't affected as far as I know, but whatever. I don't know. So did you at least hear about this View As debacle? Yes. Are you familiar?
CAROLE THERIAULT
Okay. Okay.
MARIA VARMAZIS
Okay.

So for those that aren't familiar, Facebook announced this past week that someone, some external actor, some malfeasant exploited a vulnerability that impacted the View As feature on Facebook.

Which is the little button that you hit on your profile that lets you see how your profile appears to somebody else, usually the general public.
CAROLE THERIAULT
Oh, to see if you're revealing too much or too little information.
MARIA VARMAZIS
Yeah, it's a nice little privacy check to go, okay, I want my profile to look like basically nothing to a random person I'm arguing with on some news article.
GRAHAM CLULEY
It's actually a really nice feature. And I like that Facebook has this because it helps you check that your privacy settings are set correctly. Yeah.

You know, if I was my crazy stalker, would he be able to view me? No, he can't. Fantastic. Okay. Let's, you know, it's a good thing.
CAROLE THERIAULT
Well, I bet you loved it if it were coded properly. Let's hear what happened. Yeah.
MARIA VARMAZIS
So yeah, I mean, right now it's disabled and here's why.
GRAHAM CLULEY
So when you pretend with the View As feature to pretend to be someone else, you end up with this little token, which is that person you're impersonating's key effectively.

And you're able to grab it if you're a bad guy and actually pretend to be that person for real.
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
Yeah, so—
CAROLE THERIAULT
I think I'm following.
MARIA VARMAZIS
Basically, very, very, very high level, somebody could get access to your Facebook account.
CAROLE THERIAULT
Right, and then screw around with it and pretend to be you and say stuff.
MARIA VARMAZIS
Yes, and all sorts of things.

So let's talk for half a sec, maybe a little longer than that, and we're done, the weird cascade of flaws in Facebook that actually allowed this to happen.

I thought it was fascinating, because it wasn't just one thing. It's actually three.
CAROLE THERIAULT
It rarely is.
MARIA VARMAZIS
Yeah, but somebody figured this out. I mean, obviously a lot of people are targeting Facebook, and this is a really cool — I think it's kind of cool how they figured this out.

So problem number one, in one version of View As, when you're specifically wishing somebody happy birthday, so it has to be the target's birthday, the video uploader still appears, which it should not.

So that's problem number one.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
Number two, apparently it appears as if you are the person you are viewing and not yourself, which it shouldn't be either.
CAROLE THERIAULT
What?
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
I was like, blah, blah, blah, blah, blah, blah. Okay.
MARIA VARMAZIS
Yeah.

And then three, with a change in the video uploader that Facebook made last year, the video uploader incorrectly generates an access token with more permissions than it should.

So you can see a video uploader when you shouldn't be able to.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
You get, it shows as you are the person that you are viewing. You are not yourself, which is — this is some very philosophical stuff. And number three, you then—
CAROLE THERIAULT
Is it me? Is it me?
MARIA VARMAZIS
And then number three, you get more permissions than you should through the video uploader. So there's some weird squirreliness.
GRAHAM CLULEY
It's very interesting, Maria. Very interesting. I think you've really put your finger on it. I think we can maybe summarize this as omnishambles.
MARIA VARMAZIS
Omnishambles, yes.
GRAHAM CLULEY
Almost like you've got a member of the Conservative Party in the UK to write Facebook's code, something like that.
MARIA VARMAZIS
Basically, you're able to do way more than you should. It's a mess. It's a mess.
GRAHAM CLULEY
It's a mess.
MARIA VARMAZIS
It's a mess.
GRAHAM CLULEY
You don't need to know any more. It's a complete mess. And please don't ask what happened. It's a mess.
MARIA VARMAZIS
Oh my God. We'll put a link in the show notes to the detailed technical explanation.

Facebook's actually given us some information on how this all went down, but they're being a little cagey because they're not entirely sure they've got it locked down yet.
GRAHAM CLULEY
They don't understand themselves how the code works.
MARIA VARMAZIS
Because you're not you, you're somebody else. And that's where it starts getting really confusing.

So when you combine all these problems, basically the attacker could grab that access token that allows them to log in as somebody else. That's really the crux of it.
GRAHAM CLULEY
Yes. Yes.
MARIA VARMAZIS
Yes. Yes. So that's on its own, it's a problem, but then—
CAROLE THERIAULT
So was it a vulnerability or was it hacked? Was it taken? Was it breached?
MARIA VARMAZIS
Well, those three problems combined make a capital V vulnerability, which then an attacker can exploit. So if you want to call it a hack, sure.
CAROLE THERIAULT
No, no, no, what I mean is it hasn't been exploited yet.
GRAHAM CLULEY
Oh no, it was.
MARIA VARMAZIS
Oh, it has.
GRAHAM CLULEY
It was, yes.
CAROLE THERIAULT
Okay, okay.
MARIA VARMAZIS
They confirmed that it was active, it was actually taken advantage of. So they ended up resetting access tokens for 50 million users that they confirmed were affected.

Does not mean all 50 million were breached, it means that those people were affected by this issue.

So 50 million users were forced out of Facebook and they had to basically re-login again.

And on top of that, Facebook said there was another 40 million users that were potentially problematically affected.

So that's total 90 million users who had to reset their access token by logging out.
GRAHAM CLULEY
And even though this vulnerability has been present since July of 2017, Facebook only found out about this, I think they've, what first happened was they saw a spike in the activity on one of their servers on September 16th.

And it was only last week that they noticed a few days before they decided to bury the news amongst all the political stuff.
MARIA VARMAZIS
That timing was suspect.
GRAHAM CLULEY
It was only last week that they realized, oh, we've actually been breached. And that's what that huge spike in activity was, was people grabbing tokens.
MARIA VARMAZIS
And they don't have a chief security officer right now because Alex Stamos is no longer with Facebook.
CAROLE THERIAULT
So that's kind of—
GRAHAM CLULEY
Oh, they haven't replaced him?
MARIA VARMAZIS
No, they haven't. So that's another— Yeah, no. Yeah, yeah.
CAROLE THERIAULT
It's outrageous though, isn't it?
MARIA VARMAZIS
Well, there's more to this. I feel like I'm always, and there's more bad news. So you know how a lot of people use Facebook to sign onto other services?

LastPass, that Facebook single sign-on thing.

This whole hack means that potentially if the attacker had your token, they could have also logged into any other services that you were logged into before Facebook figured this all out.
CAROLE THERIAULT
So, oh, before, so they wouldn't be able to do that now.
GRAHAM CLULEY
Well, now they've reset the keys, I think.
MARIA VARMAZIS
Yeah, so I don't think it's possible now, but before Facebook figured this out, and presumably this could have been going on for, you know, a little while, having that access token means they could log into for example, your Spotify account if you used Facebook to sign into Spotify.
GRAHAM CLULEY
Oh no, don't let the hackers get my mix lists, right?
MARIA VARMAZIS
Which is terrible. Or, you know, your home delivery services.

Or in my case, if Spotify is now in conjunction with Ancestry and is making a playlist based on my DNA, that person now has my DNA info. So it's great. I don't know.
GRAHAM CLULEY
Or your dating app, or all kinds of things do use Facebook login, don't they?
CAROLE THERIAULT
So now we shouldn't even use apps that I was going to call Facebook a trusted app, and then I was going to go, "Hahaha." But, you know, so we can't use one-off apps.
GRAHAM CLULEY
The conference apps.
CAROLE THERIAULT
Thanks for cheering me up, guys. You got it. I was all depressed about the fact that we hadn't won the award.
MARIA VARMAZIS
We can now just say Facebook as a single sign-on is really not a good idea.

We've said that before, and now we're, "Well, we've got more proof." They've actually had an issue now about this, and maybe we should reconsider using that everywhere, because Facebook really wants to be your internet everywhere identity and—
CAROLE THERIAULT
Your internet BFF.
MARIA VARMAZIS
Yeah, maybe there's some other solutions there. Backstabbing. I don't know, but it ain't Facebook.
GRAHAM CLULEY
Strike one, Facebook. That's not good, is it? That's another— Strike one? Well, that's another nail in the coffin. You think it's more than that, Carole?
CAROLE THERIAULT
Strike 17 million.
GRAHAM CLULEY
Well, look, why don't you cheer us up with a happy, jolly security story to restore our trust in these online services. Over to you, Carole.
CAROLE THERIAULT
He's setting me up, guys, because he knows that I want to talk about Facebook 2. I know.
GRAHAM CLULEY
Facebook 2, is that the sequel?
MARIA VARMAZIS
Electric Boogaloo.
CAROLE THERIAULT
Look, it's important. I know we're all bored of Facebook, but, you know, we need to talk about Zucks and his Facebook fail because there's another problem with this.

And this isn't just Facebook. This is also Twitter, Google, and so on.

This story comes to us thanks to months and months of investigation work by a group of 4 academics and Gizmodo's Kashmir Hill.

So there's all kinds of notes in the show notes for you.

This all starts with a few researchers deciding to figure out how phone numbers and email addresses get sucked into the advertising ecosystem vortex.

Because there's some addresses that you kind of put out there for that. I don't know if you guys do that.

You may have a kind of junk account or junk mail address that you may use for certain purchases. For phone numbers? Well, for certain purchases, right?

Not phone numbers, but for email addresses.
MARIA VARMAZIS
Sorry. Okay. Yeah, I do.
CAROLE THERIAULT
And if you had a very kind of protected email address, the one that you didn't want to get into the wrong hands, you want to keep kind of clean, you might be surprised if you're being advertised on it and how they got that information.

And that's what these guys are trying to get into. That's what's bugging them. How are they getting access to this information?

So let's go back and just think about how online advertising works, right?

So Facebook, and I'm sure everyone has a version of this somewhere, says that they use the information it has about you, including information on your interests and your actions and your connections, to select and personalize ads, right?

And that's not a surprise. And what do you guys assume that includes in terms of information they'd have access to?
MARIA VARMAZIS
Oh, literally everything. Might be just me. Just me? No.
GRAHAM CLULEY
So it'd be based upon information you've given them, things your hometown, maybe your age. So stuff in your profile, let's say?

Yeah, your interests, groups that you've liked, or, you know, your interests and things you've liked on Facebook, I would imagine.
MARIA VARMAZIS
Things you comment on. Yeah.
CAROLE THERIAULT
What if you said, though, this is only for me, don't show this information to anyone else, your contacts, for instance?
GRAHAM CLULEY
Oh, I would expect Facebook to completely and utterly honour that. I would trust Mark Zuckerberg.
MARIA VARMAZIS
Oh, that's so sweet.
CAROLE THERIAULT
You see, I wasn't told. I'm not totally surprised that they would take that information as well, right? Because even the "only me" setting kind of misleads you. It's a bit misleading, I think.

But anything else?
MARIA VARMAZIS
Oh man. If you hover your mouse over something, I assume if you're on a computer, which, you know, nobody is anymore, but they would say, hey, this shows interest. I don't know.
CAROLE THERIAULT
What if I told you that Facebook also harvests information that you put into your security page to beef up your security?

You know, your 2FA stuff, your multifactor authentication, the phone number they're supposed to call in case you get locked out of the app.
MARIA VARMAZIS
Really? Oh, that should be, shouldn't that be behind a wall, in a vault, hands off. That's not what that information's for. Right?
CAROLE THERIAULT
So this security contact information, according to this academic team that did research in this, and it's not like Facebook were upfront about this, right?

This took months and months of digging and researching to be able to prove this, and they've put a paper together to explain how they did it.

But they hoover up, snuffle up all that security contact information. And then basically hand it over to Facebook, vetted, whatever that means, advertisers.
GRAHAM CLULEY
They're not really, I think I need to stop you just there. They're not handing it over to the advertisers, are they?

So it's not like the advertisers get a database of all of this information. It's just that they are able to advertise and target based upon it. So Facebook does the match-up.
CAROLE THERIAULT
So yes, it's like a dating game. But it's still underhand. And Facebook is allowing this huge resource people going, yeah, these are people that might be interested in buying this.
MARIA VARMAZIS
Yeah, but that distinction we're making, most people aren't — the end result is the same. That information should not be connected to advertising in any way.

That should be walled off. It should, in my mind anyway. But I guess Facebook says, well, what's the point?

You're putting that data in my app, so I'm gonna do whatever the hell I want with it.

Whatever you're thinking I'm using it for, I'm gonna do for my own purposes because I'm Facebook. Fuck you.
GRAHAM CLULEY
But they're also doing this with two-factor authentication, which on Facebook, it doesn't have to be SMS-based any longer, but if you were using SMS-based and you gave them your actual mobile phone number—
MARIA VARMAZIS
They also have the in-app version though, the code generator on the phone app.
GRAHAM CLULEY
Yes. And so that, this particular instance, that's not affected because you haven't given Facebook your mobile phone number then, right?

But if you have used the version which requires the mobile phone number, then what the advertiser does is they upload loads of phone numbers, which they've collected through some means or another of people they want to advertise in front of.

And Facebook matches it to the mobile phone number which you have associated with your account by enabling two-factor authentication.
CAROLE THERIAULT
So if you put this information to your security page, it takes about a week or two, apparently, according to the researchers, before you start seeing targeted ads that specifically use that hoovered-up information from your security page.

So they're calling it PII-based targeting, and it allows an advertiser to uniquely identify an individual. And I don't even know how this sits with GDPR. It just seems crazy to me.
MARIA VARMAZIS
So by whatever means, Facebook has acquired your phone number. Basically, they don't care if you gave it to them under the guise of it's for security only.

They're like, well, we have it, so we're putting it in the big phone number pile. Right.

Of all the things that Facebook has done, this one I cannot believe is making me go, this is probably the one that makes me most uncomfortable.
CAROLE THERIAULT
Me too.

It's so it's not satisfied with the contact information that you volunteer as part of your profile, but it also wants the details you provide to get extra privacy and security at their recommendation.

Right? They say to you, please do this so that your account can be more secure. And it pisses me off. Sorry to use big language, boys and girls.

But I do feel a bit like Facebook are acting a little bit like scammers, right? Because they're not being totally upfront about what they're taking from users.

They're not being explicit about it in their terms and conditions that they're taking that information.
GRAHAM CLULEY
You've gone too far now. You're suggesting that Facebook is in some fashion underhand. And I just will not accept that they've ever done anything dodgy whatsoever.

This is a step to— sorry, do I need the klaxon again? The sarcasm?
MARIA VARMAZIS
So are we saying that Facebook has no scruples? Are we really saying that? No scruples whatsoever?
CAROLE THERIAULT
I do feel like this particular instance shows a real lack of— because they can't put this down to, oh yeah, we had no idea. Right. Like they play dumb when it suits them, I feel.

But I think this is just underhanded because they're not alone. Omni-unscrupulous.

So they are literally, you know, effectively selling this security PII information to third-party advertisers. And by doing that, they're pitting privacy against security. Yeah.

And that is the issue, right? It's a bad precedent.
MARIA VARMAZIS
Yes. Because we in the IT industry—
CAROLE THERIAULT
This is why I think you're pissed off, because this is why I'm pissed off.

We advise people all the time to take advantage of these security features like two-factor 2FA to help users keep better control of their accounts.

Yeah, that's never what that information is for. So the EFF is freaking out about this, and I don't blame them.

They are worried that people are going to stop using things, security features like 2FA, to authorize accounts because they've heard about this big story.

And of course, from a security point of view, that's a big step backwards if we stopped using 2FA, because that's what helps you keep control of your account.

So, but should you have to do that as a trade-off for privacy?
GRAHAM CLULEY
It's insane. We've joked about this. This is bloody awful. Yeah.
CAROLE THERIAULT
And I haven't joked about it, actually. Well, I've been very serious.
MARIA VARMAZIS
She's on the verge of tears over there. I can hear it. Yes.
GRAHAM CLULEY
A few giggles might have been nice. But no, I mean, it's— this is terrible because it's deliberate. It's intentional. It's underhanded. And you can't trust them.
CAROLE THERIAULT
And we all know that Facebook are hurting for cash, right? We know that. That's why they're doing this, because they just quit Facebook.
GRAHAM CLULEY
Just quit Facebook. Just quit Facebook now. Hi, Facebook. Just quit Facebook. Did you?
CAROLE THERIAULT
Hey, Graham, you were talking about Boxcryptor earlier. Yes. What about price? Is it super expensive? Oh no, it's free for non-commercial use.
GRAHAM CLULEY
And if you have a company and want to take advantage of some of the enterprise features, then obviously you spend a little bit of money, but they have flexible licenses as well.

But your data is encrypted before it reaches the cloud, works with lots of cloud services, and it's cloud security made in Germany. And that's cool, isn't it?
CAROLE THERIAULT
Yeah, thank you, Boxcryptor.
GRAHAM CLULEY
Boxcryptor.com, go and check it out. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.

Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare!

That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.

LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, supporting user groups and roles, and new support for Microsoft Active Directory.

As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.

Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass. And welcome back.

And you join us at our favourite time of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
CAROLE THERIAULT
It's like you've said that 100 times. 98 times so far.
GRAHAM CLULEY
Not security related necessarily. Definitely should not be. Now, my pick of the week is related to a TV programme which is broadcast in the UK.

I don't believe, Maria, you will be able to see it in the United States unless you do some craftiness with a VPN and pretend to be based in the UK and go on to iPlayer.

Tut tut if you do. What are you talking about? I'm talking about a TV show called The One Show. Oh, you're recommending The One Show? Just wait and see.
MARIA VARMAZIS
Hush, hush. I don't know what this is.
GRAHAM CLULEY
Oh my gosh. The One Show is a BBC television magazine programme. It's snorefest. Broadcast live on weeknights at 7 PM. So sort of prime time here in the UK.

Unfortunately, even though it's been on for about 10 years, BBC One's programme controllers don't seem to have noticed. That it's complete and utter shite.
CAROLE THERIAULT
Wow, don't hold back. I just said snorefest. I don't know why you're comparing it to fecal matter.
GRAHAM CLULEY
It's not just a snore, it is an omnishambles, a word that we've used quite a lot in this podcast. It has lost all meaning at this point.

It's filled with gaff, it's painfully terrible, but it's there on our main TV channel. Pot kettle. Oi, watch it.

And so, because no one else appears to have done anything to put it out of its misery, there is a new podcast called The One Show Show. And what they do is every week—
CAROLE THERIAULT
Does someone have a stutter? Every week they look back.
GRAHAM CLULEY
They do the very important job of ridiculing it, looking back over past episodes.

So for instance, the most recent one was Rowan Atkinson talking about his new movie with his sidekick as serious guests on the show.
CAROLE THERIAULT
Yes, yes, right.
GRAHAM CLULEY
They get very serious guests and then they get truly bizarre people to sit next to them. Oh no.

Anyway, so this podcast, The One Show Show, features John Holmes, not that one, and guests forensically analyzing each week of the show and ripping it to shreds.
CAROLE THERIAULT
Oh, I don't know if I like it now.
GRAHAM CLULEY
That's a bit evil. Well, someone has to put it out of its misery.
CAROLE THERIAULT
Is he being paid a ton in the BBC?
GRAHAM CLULEY
But I think they do make quite a lot of money, the presenters of this show. Do you think? I think they probably do, Carole.
CAROLE THERIAULT
I've always seen it as a kind of afternoon show.
GRAHAM CLULEY
Well, they put it on at 7 PM, you know.
CAROLE THERIAULT
Yeah, I was surprised by that actually.
GRAHAM CLULEY
Now, if you don't— I don't watch The One Show, obviously, because it's rubbish.

But you will probably, even if you don't like The One Show, enjoy The One Show show, because it's quite— You too, if you can laugh at them, even if you don't know them.

It's quite funny.
MARIA VARMAZIS
It's quite funny. I'll take your word for it. You're a little bit mean-spirited, Graham Cluley.
CAROLE THERIAULT
Well, I just— No words.
GRAHAM CLULEY
No words. I pay for The One Show. I pay a BBC licence and it's one of those shows which, unlike Doctor Who, which is returning this very weekend.
CAROLE THERIAULT
They probably get 20p and they're very grateful for your 20p that they get from your license every year.
GRAHAM CLULEY
Anyway, I found the podcast funny and maybe other people will. And that is why, Carole, it is my, if not yours, pick of the week. Thank you.
MARIA VARMAZIS
Did you take a little bow at the end there? I did a little flourish.
CAROLE THERIAULT
Did a curtsy. It sounds to me like cyberbullying. Oh, for geez. On a digital scale.
MARIA VARMAZIS
Yeah, well, if we're going on that route, then Zuck's going to say that we're cyberbullying him because we're picking on Facebook so much.
GRAHAM CLULEY
So— Yeah, let's do a nice little bland podcast, shall we, Carole, where we're really nice to everybody and we just say, oh, well, bless them.

Bless, bless, bless, bless Mark Zuckerberg. Oh, he's so good, isn't he? I love his hair. I love his hoodie. No, we're not doing that sort of show. We're saying it as it is, right?
MARIA VARMAZIS
Well, maybe that should be episode 100 where you just— Can I ask one question before we move on to the next book of the week?
CAROLE THERIAULT
How many times have you watched The One Show? Literally never. A handful of times. A handful of times.
GRAHAM CLULEY
You know, if it's been on and, you know, I've been in the room and I might have been there rolling my eyes at the inanity of it all. Yes, maybe.

I watched one with Bruce Willis once, a very, very awkward interview on The One Show. Maybe I'll dig it out and put it in the show notes.
CAROLE THERIAULT
I think I've seen that one, right?
GRAHAM CLULEY
So he did not play ball, did he? I think that must have been a meme going around. They're not very good presenters, to be honest, and they do ask very dumb questions.
CAROLE THERIAULT
Anyway, I digress. I apologize.
GRAHAM CLULEY
Right. Maria, what's your pick of the week?
MARIA VARMAZIS
Well, my pick of the week is an internet artistic experiment-y thing. It's got a Facebook presence, but I'll ignore that. We'll go straight to Twitter. Yeah, obviously.

They have a Twitter account, and the name of this internet experiment artistic-y thing is called The Man Who Has It All. So the Twitter account is Man Who Has It All.

That's what it is.
CAROLE THERIAULT
Okay, I'm looking at it right now.
MARIA VARMAZIS
So I'll just read some of the tweets. Time to get up, dads, before your wife and kids. Now is the time to prepare healthy snacks, get a load of washing in, and exfoliate your elbows.

Working dad, pro tip, empower yourself by starting a gratitude journal. Log every occasion your wife helps you with the housework or the kids.

Or one of my favorites, I don't mind being called a postwoman because I know it covers both women and men. 'Anything else would sound silly,' says Ben 33, male postwoman.
GRAHAM CLULEY
I think I've worked out what they're doing here. Yeah, it's pretty great. I feel slightly uncomfortable because I, of course, allegedly have a penis. And so I feel slightly uneasy.

It appears the worm has turned and womankind is rebelling through the form of this Twitter account.
CAROLE THERIAULT
It's like, actually, it's a gender-neutral neutral term.
MARIA VARMAZIS
Yep, it's a brilliantly funny thing and they make me laugh so much. And so I just follow them on Twitter and they tweet a lot and it's—
CAROLE THERIAULT
I've just fallen— I just fallen in love. I just saw a t-shirt saying Crazy Cat Gentlemen. Yes, and men.
MARIA VARMAZIS
Yeah, just a little reminder to smile today because women like positive men. It's great, it's really, really great. And yeah, I don't even know what else to say.
GRAHAM CLULEY
A few tips for you, Graham. A few tips.
CAROLE THERIAULT
Yes, go on then.
GRAHAM CLULEY
I'm being kicked here. Go on. No, I think just—
CAROLE THERIAULT
I just think follow, I just think follow, follow the, follow the feed and learn a few things, dude.
MARIA VARMAZIS
Oh, I got one right here. Man architect is not an offensive term. It is simply a way to differentiate them from proper architects. End of story.
CAROLE THERIAULT
What's your problem, Graham, you man host?
MARIA VARMAZIS
Oh, I love this account so much.
GRAHAM CLULEY
I thought you're going to say man ho rather than man host, so I suppose I should be pleased about that at least.
CAROLE THERIAULT
Male guitarist. Allegedly. Male guitarist. Okay.
GRAHAM CLULEY
Moving rapidly on.
MARIA VARMAZIS
I made all the listeners really uncomfortable.
GRAHAM CLULEY
Oh no, no. We've got plenty of male listeners as well as female. Oh really? Oh great.
MARIA VARMAZIS
Oh, that's wonderful.
GRAHAM CLULEY
Yes, yes.
MARIA VARMAZIS
It's really nice to talk to men once in a while. I don't hear from them very often.
GRAHAM CLULEY
Just like most tech podcasters. You know, we have a small number of men listening. Just women all the time.
CAROLE THERIAULT
We have an open door policy for men. Yes.
MARIA VARMAZIS
Nothing but estrogen.
GRAHAM CLULEY
You know what? We're pretty good because we have a pretty much 50-50 mix between the hosts, don't we? I mean, I'm mostly male and Carole, you're mostly female.
CAROLE THERIAULT
You weigh a little more than I do. Like by little, I mean—
MARIA VARMAZIS
Host by weight is apparently what we're doing.
CAROLE THERIAULT
Well, if it's even stevens, I'm just saying. So my pick of the week, since no one's going to introduce me, my pick of the week.

It revolves around Lenovo and their attempt to boldly go where no laptop has gone before. Say hello to the Star Trek Dream PC. Oh my God, I have it!

Please click on the provided YouTube link, friends.
GRAHAM CLULEY
Don't Rickroll me.
CAROLE THERIAULT
At home, you can go to the show notes. Oh my God, this is so cool! Look at that, it's got lights.

It actually is a laptop modeled after the 23rd century Federation Starship USS Enterprise.
MARIA VARMAZIS
The original, no letter.
CAROLE THERIAULT
Yeah, it's not perfect because they had to squeeze in a lot of tech under the hood.
GRAHAM CLULEY
It's not perfect, Carole, because if this is a laptop, it's a very, very inconvenient shape.
CAROLE THERIAULT
Do you think so, Graham? Yes, I do.
MARIA VARMAZIS
Look at those nacelles, they're gorgeous. Oh my God. I am clearly the target audience for this.
GRAHAM CLULEY
How are you going to get a case for this?
CAROLE THERIAULT
Does this sound delicious to you, Maria? It has a GeForce RTX 2080 graphics card. Is that exciting?
MARIA VARMAZIS
Computing? GeForce is okay. Yeah. I don't—
CAROLE THERIAULT
Okay. All right. What about 9th generation Intel CPU? That's pretty advanced.
MARIA VARMAZIS
And apparently, is it overclocked? Yes, it's overclocked.
GRAHAM CLULEY
Of course it's overclocked. Shouldn't it be next generation rather than 9th generation?
MARIA VARMAZIS
No, this is original Trek. This is not next generation.
GRAHAM CLULEY
Oh, sorry. So I've been outnerded.
MARIA VARMAZIS
Yes. Oh, you're on my turf now, Graham. You're on my turf. Careful now. I will not out-Doctor Who you, but—
CAROLE THERIAULT
Apparently it's fairly high spec. It's only available in China, Maria.
MARIA VARMAZIS
That's an easy problem to solve.
CAROLE THERIAULT
It was at the Beijing Tech World Conference. Oh, not Bajoran. Did you see? $2,200. Really?
MARIA VARMAZIS
He made a DS9 joke just now. That's impressive. Are you impressed? I'm actually a little impressed. Oh yeah.
GRAHAM CLULEY
DS9. It's not, Carole, I have to refute this claim that this is a proper laptop. First of all, you could not use this on your lap.
CAROLE THERIAULT
Yeah, not convenient to walk around with. You know? Not really easy to take into presentations to your sci-fi, I don't know, conventions.
MARIA VARMAZIS
And how much does it cost? $2,200. Okay, that's actually not as bad as it could be.

Because there's also a replica of a Cardassian desktop computer that just came out, and it doesn't do anything. It doesn't actually work as a computer, but it costs $2,500.

Just for a replica.

Just for a replica of— it's just a screen that lights up that doesn't do anything, and it looks like the thing he had in his ready room, but it doesn't work as a computer.

So at least this works as a computer, and it's cheaper.
GRAHAM CLULEY
I could probably make you a replicator if you wanted a hot cup of tea.
MARIA VARMAZIS
Earl Grey, hot.
CAROLE THERIAULT
I just wish I could see it open. I wanna see the screen.
MARIA VARMAZIS
Yeah, that's my confusion: how does this computer work?
CAROLE THERIAULT
I think, okay, if you imagine the Starship Enterprise is basically a donut with a few, I don't know, a whisk at the back of it, or an iron with a donut on an iron.
GRAHAM CLULEY
Just say it looks like the Starship Enterprise. That's what it looks like, doesn't it?
MARIA VARMAZIS
Okay, that's okay.
CAROLE THERIAULT
But if I'm gonna say the top lid of the Starship Enterprise opens up. The saucer. The saucer.
MARIA VARMAZIS
This is painful.
GRAHAM CLULEY
That's for the CD drive, I guess.
MARIA VARMAZIS
That's probably the hard drive though, legit. That's—
GRAHAM CLULEY
Well, where's the screen then? I think it looks like there's a screen behind it. I think you have to lug a monitor around with it as well.
CAROLE THERIAULT
Oh, this is just the hard drive?
GRAHAM CLULEY
Are you sure this actually is a laptop, Carole, and not a desktop computer? Yeah, no, I'm not sure at all. Oh, it says with an optional built-in projector coming soon.

Oh, very interesting.
MARIA VARMAZIS
Okay, because it says it's just a construct. It's a massive metal construction PC.
CAROLE THERIAULT
So look, to be honest, I didn't do a lot of research in this. I really— I knew Maria would take over because she loves Star Trek, so it was just basically an easy win.

I slid it in there, it all went perfectly. Thank you, Maria.
GRAHAM CLULEY
Don't worry, I don't think anyone noticed.
CAROLE THERIAULT
Anyone who wants to see— hold on, anyone who wants to look at it, check the show notes. But Enterprise NCC-1701.
MARIA VARMAZIS
No bloody A, B, C, or D. Yes, thank you. Okay. I don't know what's going on.
GRAHAM CLULEY
Well, fortunately, we have a number of male nerds who listen to this podcast who have no problem at all understanding what Maria's talking about.
MARIA VARMAZIS
Male nerds is great. There are not many of them.
GRAHAM CLULEY
So, especially, we need to differentiate them because they're not proper nerds, right?
CAROLE THERIAULT
Correct.
GRAHAM CLULEY
When you get a male fan of Star Trek, there's something to be celebrated.
MARIA VARMAZIS
These guys are the thing, you know.
GRAHAM CLULEY
Exactly. Exactly. They're just fanboys. Squealing away. What? Okay. Okay. No, maybe not. Anyway, on that bombshell, I think we've spoken enough, frankly. I think we're done.

Maria, if people want to follow you online to share Star Trek gossip, how should they do that?
MARIA VARMAZIS
The internet. Twitter. Twitter's good.
CAROLE THERIAULT
Twitter. You'll find me. You'll find me.
MARIA VARMAZIS
Yeah, I was. Do I have to spell my name out again? M-V-A-R-M-E-Z-I-S. You can find me on the internet. I'm on Twitter. Just find me on Twitter.
GRAHAM CLULEY
And you can find us on Twitter at Smashing Security. No G. Twitter won't allow us to have a G.

And it's a good idea to follow us there because we often will tweet out discount codes, which you can save money at our online store and grab a mug, a t-shirt, a sticker at smashingsecurity.com/store.
CAROLE THERIAULT
I would like people to send in their favorite moments from the past 97 episodes.
MARIA VARMAZIS
This one was full of them. Oh, yes. It was definitely full of something.
CAROLE THERIAULT
So that'll make my job of editing the 100th episode maybe easier.
GRAHAM CLULEY
Oh, so you're asking people if they—
CAROLE THERIAULT
I'm asking people to please, please send in the episode and a timestamp of your favorite moments of Smashing Security.

And you, your episode might get in with a chance to be on the 100th episode.
GRAHAM CLULEY
Could they also just email in with stuff they love about Smashing Security or maybe an audio clip? Maybe they could send us some audio clips.
CAROLE THERIAULT
Yeah, if you have anything nice to say about Maria or I, we're very welcome to hear it.
MARIA VARMAZIS
Can someone do a master edit of Graham, you doing just your wheezy chuckle thing? Just a whole master edit of that. Just a chain of them. What a wonderful man laugh.
GRAHAM CLULEY
Until next time. Cheerio. Bye-bye. Adieu, mes amis.
CAROLE THERIAULT
See, I'm going to Montreal, that's why I said this.
MARIA VARMAZIS
Oh yes.
CAROLE THERIAULT
I'm gonna eat poutine.
GRAHAM CLULEY
Ooh. I'm down.
MARIA VARMAZIS
You don't know what that is. Maybe a smoked meat poutine?
CAROLE THERIAULT
It's not Vladimir. It's delicious, that's all I gotta say.
MARIA VARMAZIS
I have yet to have really great poutine, so—
CAROLE THERIAULT
Oh, well, come to Montreal.
MARIA VARMAZIS
No, I've been! When I went, I didn't have good poutine.
CAROLE THERIAULT
I was like, "This is crap." Mon dieu!

Hosts: Graham Cluley, Carole Theriault

Guest: Maria Varmazis

Show notes:

Sponsor: Boxcryptor

Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storage services. It combines the benefits of the most user-friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice. Visit www.boxcryptor.com now.

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
