
Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won’t believe who was behind a sextortion scam that targeted over 400 members of the US military.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I would imagine these people weren't connecting with these women and entering on an online romantic relationship because they both shared a love of jigsaws. I think the initial— it could have been, it could have been.
I mean, if you want to catfish me, you just have to be obsessed with ferrets. Okay, but you'd probably have to be a brunette because I'm not a huge fan of blondes.
Okay, all right, thank you.
Well, there you go, this show takes a new turn.
Smashing Security, Episode 107: Sextorting the US Army and a Touch ID Scam, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 107. My name is Graham Cluley.
I'm Carole Theriault.
Hello, Carole!
Every episode you mangle my name.
What have I said? Carole.
Carole.
Carole Theriault. Yes, Carole Theriault. And we're joined by a special guest, someone who hasn't been on the show before, have you? It's Zoe Rose. Hello, Zoe.
Hello. Well, according to the recorder, I'm actually Zoe, but—
That's right.
Our web-based recording software can't handle extended characters properly. And so it's—
Isn't it an umlaut?
It is.
Yeah. Yeah. It's messed it up, hasn't it?
Yeah. It's just a dash. I usually get a box, sometimes an X.
Do you find sometimes that the extended character in your name actually causes problems when you're creating accounts online?
Yes. So sometimes programs accept the extended character but can't handle it. So instead of using it and just showing it up, probably it shows up the first time, but in the backend it's actually this really messed up thing that I don't even recognize. And so what happened recently, I was writing an exam and in the system, every time I logged in, my name got longer and longer. And it ended up being a full sentence, it looked like a full sentence. It was huge.
So we met at a security conference in Seville where we were both speaking, but why don't you explain to people what you do for a living?
I guess my unofficial title is ethical hacker, where I basically was hired at this current organization for my hands-on experience, my ability to look at humans and human behavior and do a bit of social engineering, but for good, to help raise awareness and build balanced cybersecurity programs.
Okay.
So we have a fantastic lineup today. Graham, you are talking about the US military and how they've gotten duped by somebody.
By sexy ladies, yes.
By sexy ladies. And Zoe, you are talking all about iOS apps not being always perfectly clean from bad stuff.
Correct.
And I'm talking about how much we hate passwords, but don't worry, someone has a solution for us all.
Passwords are pretty cool. If you've got a good password manager, passwords are all right.
Yeah, absolutely. Password managers make everything much easier, don't they?
Yes, it's true, we love password managers, and we believe that your company could really benefit from running an enterprise password manager. Password manager like LastPass as well. Protect your organization. Make sure that all of your staff are using sensible, secure, unique passwords and have proper management about their password security. Go and check them out at lastpass.com/smashing, and thanks to LastPass for supporting the show. And welcome back. Now, chaps, can you imagine how lonely it must be if you're a serving member of the Army or the Navy or the Air Force and you're away for months and months on end on the other side of the world, must be miserable, mustn't it?
Especially if you're fighting for something you don't necessarily believe in.
That's got to suck doubly. Well, yeah, that wouldn't be much fun. But you know, you're away on active service for months at a time. You're not seeing your loved ones. You're finding it hard to maintain a long-distance relationship. You know, maybe your partner has got off with the milkman or something like that. You're just feeling generally disconnected from the world, aren't you?
Yeah, and people, we need connection, we need collaboration and communication.
And one of the ways in which people are trying to fix that problem is they might turn to the internet and social media, because even if you're serving these days, you're probably taking some internet-enabled device or a smartphone with you in an attempt to keep in contact. So you're using the internet, using social media while you're away serving your country. But beware, take heed of my words which are coming, because investigators have just broken up a criminal ring, which has targeted over 400 members of the US Army, Navy, Air Force, and Marine Corps via social media forums and online dating sites.
A criminal ring which was targeting people in the Army. So you're saying these poor, lonely soldiers, not only do they have to contend with everything that they have to contend with, but they are also being targeted.
That's right. And so what this investigation has done, it's an investigation, by the way, called Operation Surprise Party.
I love it.
That's a fun title. That's jolly.
That's the best part of being in security is choosing the titles, I think.
Yeah, working out the code name or the name of the operation. Operation Surprise Party is an 11-month investigation carried out by NCIS, the National Criminal Investigative Service. NCIS, I believe, have their own TV show, don't they? It's CSI. Where they're doing sort of naval criminal—
Oh, NCIS.
Oh, is that how you say it?
That's how I've always thought. I had no idea what you were talking about until I saw it.
Oh dear.
No, no, it's cute. It's cute. Are you saying I'm not on fleek and I don't know all these? I don't know all the current phrases. Okay, NCIS. Okay.
And what was happening was this. The bad guys were posing convincingly as attractive young women.
Convincingly.
Yes, well, exactly. Otherwise it wasn't going to work.
Exactly. How do you convince someone of attraction?
Well, let me explain. They weren't actually doing this face to face in real life. They were doing this over the internet. And so they managed to fool people into believing that they were genuinely the people whose photographs that they were using. Because what they were doing was they were trying to hook the hearts of lovelorn military members, and they managed to steal $560,000 from over 400 members of the military.
That's called a honey trap, isn't it?
Exactly, or catfishing.
Yeah, yeah, yeah.
The interesting thing is, well, how did it work? How did this scheme work? Well, let me explain to you exactly how it worked, and you can try and work out how it worked. Tell me how it worked. Right, well, the bad guys would connect with a member of the US Army or Navy or Air Force posing as an attractive female. It was typically that way. It sounds as though most of the victims were men.
I love how the word attractive is in there. That's not, you know, personal choice.
It's just what, they don't like blonde, blue-eyed— No, no, I haven't said blonde hair and blue-eyed. Who says blonde hair and blue eyes is attractive?
Society?
Well, some members of society. Other ones like brown-eyed brunettes or ginger-haired girls or blue-haired girls.
I think gingers are much better. Oh, there you are.
Great colour.
So the thing was that I would imagine these people weren't connecting with these women and entering on an online romantic relationship because they both shared a love of jigsaws. I think the initial— it could have been, it could have been.
I mean, if you want to catfish me, you just have to be obsessed with ferrets. Okay, but you'd probably have to be a brunette because I'm not a huge fan of blondes.
Okay, all right, picky.
Well, there you go, this show takes a new turn. I'm very excited.
The point is this: so if you're trying to target Zoe, then yes, okay, you have to be into ferrets and you have to be a blue-eyed blonde— no, sorry, a brunette. See how rubbish I am at these? A brownette. But what happened was this, right? So they're lured into this online romance and the inevitable happens. Saucy photographs are exchanged. Now, have you worked out how at this point they make their money?
I don't know how that works. It's hi, hi, want to see my boobs? Sure. Is that really— is that how it works these days?
No, I feel like— I feel like— haven't you seen the memes online? It's send nudes. That's all they do.
Send nudes and then I'll speak with you.
Yeah.
Don't even— let's not even type. It's too hard to type. I mean, to be honest, show me your junk.
Pretty much. I mean, I don't know how to date, so don't ask me.
But I've just been out of the world too long.
I don't think I've ever been in it. I've always been dating.
So you might imagine that what the bad guys then do is that they blackmail the people they've been speaking to, saying, "Haha, we've got pictures of your—" Would that be that productive though?
Because I mean, some people would just be, "Yeah, that's cool."
Well, you wouldn't necessarily want it sent to your mother or to—
You know what, I feel like my mum would be like, "Yeah, I made that."
So we have, of course, seen many situations where sextortion occurs. Someone catfishes you, they get pictures of you and they say, "Haha, we are going to send this to your online contacts and your Facebook friends and your family and, you know, the people who you work with, and it's going to be embarrassing for you unless you give us money."
What happened here is that the bad guy would then contact the member of the US military claiming to be the young woman's father and saying that the young woman was underage.
Oh, shit. That's brilliant.
Because you know what? That's like—
I think the word you're looking for there, Zoe, is evil. It's not brilliant, it's evil.
But it is brilliant though if you think about it because they don't really have to prove they're underage. The minute you say that, everyone's like, holy shit, stop everything and freak out because they have to get rid of all the images, they have to do disclosures. Even being an ethical hacker, I can find illegal stuff online but the minute I find anything about children, I have to report it or I'm in trouble. I mean, it's evil, yeah, but it's a brilliant approach.
It's brilliantly evil.
Graham, where did you meet this ethical hacker?
So this happens to them, and the panic just must be unbelievable.
They get contacted by someone who they believe is the father and they're going, oh my goodness.
Yeah. Or worse, I'm in a spot of bother here.
And also the bad guys would get in touch claiming to be a police officer, saying that they were demanding money on behalf of the family in exchange for not pursuing charges.
Wow. I'd just be like, out of your jurisdiction, dude.
Well, you would imagine that someone who's working for the military might think, well, you know, maybe I would tough this out, but I wonder what would my commanding officer think?
I suspect they'd be dishonourably discharged, wouldn't they?
I would imagine so.
I would hope so.
Yeah, they think they've got pictures of kids in compromising positions on their phones, right?
Yep.
Okay, so—
Nasty.
Yeah. So the plan was the catfished military members, you know, would be so frightened obviously of the damage to their careers, damaged relationships, etc., over possessing what they now believe to be illegal images of juveniles, that they would pay up. And plenty did. As I said, over $560,000 was stolen by this gang. Now, what's interesting I think is who was behind this dastardly scheme? And this is where it takes a complete twist to the surreal.
Okay.
Because the people who were perpetrating this were prisoners.
Prisoners?
They were inmates in South Carolina's jail system.
Wow. And they have— That's brilliant.
They have all— they have— there she goes again.
They must have the best phishing campaign ideas.
That's it.
They're just locked in their cells for hours and hours thinking, how could we make some money?
Time rich. Well, yeah.
And that's how you become most creative, right? Yeah. Having a proper sleep schedule.
Oh my goodness. So what Operation Surprise Party has uncovered is over 200 people in the prison system.
Shut up.
With some civilian assistance as well. So there were people on the outside as well who were working on this. There's been a bunch of arrests.
But who would be doing the online bit? But who— they don't have phones, or they do have phones?
Oh no, they have phones.
Am I just being naive?
Many of them have access to computers. Some of them have to pay for it, for the official access, and there's all kinds of scams being done by corporations there as to how much prisoners have to pay to get online access. But you also get smartphones smuggled in as well. Anyway, so there have been hundreds of arrest warrants, summonses for people involved in this, and charges.
I'm surprised someone's already in jail.
Well, exactly. Isn't it fascinating that the criminals are already there? I think we may have to send someone in actually to find out, mightn't we?
Graham, I vote you. I vote you.
I'll enter the South Carolina prison system. There are apparently another 250— another 250 additional people still being investigated and could face possible future prosecution. So this was huge. And I imagine the prisoners were all sort of gobbing off to each other, telling each other what they were doing. And so it's like all of them, it's like, no, no, no, I don't want to go around the exercise yard for an hour. I'd rather go to the library for a while and be on the computer. Thank you very much.
I'm just trying to think of all the upskilling they're doing. That's brilliant.
Contact Zoe, guys.
So Zoe, what story have you got for us this week?
Yeah, so I've got also a scam, but it's a bit different. Nowadays we have apps for pretty much everything that run our lives. We have organiser apps, apps that help us clear our minds and de-stress, track our eating, help us find friends and possibly partners, speak new languages. But also we have apps that help us with healthier lifestyles.
Many, in fact. Yes, too many, I say.
But anyway, there's also this strange belief that for phone security, Android versus Apple debate, it's always clear-cut and it's easy to understand, but it's not actually that easy. I get that question a lot, and my statement is usually, you know, the process of getting into the Apple Store versus getting to the Android Store by default does weed out some things, not everything, but does kind of help.
Because they have this walled garden thing.
Yes.
Oh no.
I know, it's a shock, isn't it, Carole?
I know, I'm gonna have a seat.
I hope you're sitting down, yes.
There was an app that incorporated into the design the requirement to scan your fingerprint to access your health records. And whilst you didn't have to scan your fingerprint, if you waited and it said, "Okay, continue," it would ask you again. And so logically, you know, from user experience and user design, you think that means it's an authentication for the app. Absolutely. But what it actually was is you were then permitting that app to charge you £99.99. So a very expensive fitness app.
So it told you to place your fingerprint on the Touch ID sensor on the iPhone, and then it suddenly rapidly switched to an in-app purchase, and your finger was still there.
Within a second.
My apps don't switch and open that quickly. I wouldn't be able to fall for this scam because my phone's so shit.
But anyway, so luckily for this Reddit user, they didn't have a card on file. But if you're like me and signed up for your Apple ID years ago, you had to have a card or even just a gift card. And so most people do have their cards built in because it's easy to purchase that way, which is so much more convenient.
It would be a complete pain if you had to enter your credit card number every time you wanted to make a purchase on the App Store.
Exactly. So yeah, so it's that whole usability versus security issue. And in this case, the usability kind of enabled these, I don't know if you call them hackers, but these malicious actors to get quite a few purchases.
The users must be so pissed off. Does Apple pay them back?
Well, that's the thing is that I read an article on it and it's you can contact Apple to request a refund. But it doesn't actually say anybody did get a refund or if you could get a refund.
So I'm actually quite curious. It's not there's a big road, this is what you do. Everyone who's been affected, we're here to help you.
I have asked for refunds on apps before.
Have you?
Oh yeah. Either because I just decided I didn't like the app very much. It's just, oh, you know, wasn't a very good game, for instance. And Apple has never questioned it. They've just automatically done it. I think, rather like Amazon, they think, you know, we'll take this on the chin, we'll refund you, no questions asked.
But so long as our algorithm says that you haven't done it more than 2 times a month.
But the thing from my point of view is that's the purchase of the app. What about purchases in the app? Can you get refunds on that?
Well, those are, yeah, those are still purchases through the App Store process. So it's not money which goes directly to the creator of the app because of course Apple wants its share, doesn't it? 20 or 30%, or who knows how much they skim off. So you can get those back through the same method as well. And sometimes you can say, oh, I purchased this by mistake, which I think would probably be the correct choice in this particular case. But you should also probably tell Apple that this was an app which was acting in an inappropriate fashion.
So they did actually notify Apple, and it's since been taken off. They actually identified two separate apps that seemed to be made by the same creator that did the same thing. But the interesting part, it gets more interesting than that, is when I go and look for a new app, you read the reviews. And when I advise people looking for a new app, I say read the reviews. But what I don't clarify, and what I probably should, and what I personally do, is I read the negative reviews. If you just go on there and read the positive reviews, you can see fake reviews where they did actually receive multiple 5-star reviews. And so as a normal typical user, you might not, you know, go further than that. But when I go and read reviews, I actually look at the negative reviews and see why they chose the 1s or 2s.
Yeah, they have to follow specific processes. It takes two weeks to even get through.
Do you know which ones I like best?
What, the 2s, 3s, and 4s? There's quite a bit to it.
Yeah, but one Reddit user actually found that that doesn't necessarily mean every app in the Apple Store is safe.
Really?
Yeah, those are quite good. Yeah, because they're always, eh, you know, it was okay, nice box. Yeah, you know, a bit tinny.
I don't know. Zoe, Zoe, Zoe, can I ask, before deciding to come on the Smashing Security podcast, did you check out our reviews?
You know, I really like your accents, and so I feel having a conversation with you would be quite lovely. No, I didn't. I'm a terrible person. I know.
Ignore him. Ignore him.
Carole, what's your topic this week?
Despite password managers lifting the burden, there's still many hoops we've gotta go through, right? There's the two-factor authentication, long unique passwords everywhere, the old accounts we haven't deleted, and we go through all this to keep our private identities private. So when two industry giants decide to pool their resources to address this problem, I perked up. Giant number one, whose Richie Rich rate class rivals Apple and Amazon's ridiculous financial heights: we have Microsoft. Haven't they just said they're around a trillion dollars in value as well? And giant number 2 tells us that it's for everything that money can't buy. Do you remember that slogan, Graham?
Everything that money can't buy. Yeah.
Is that Mastercard? That's right. Yeah.
I thought money can't buy you love. Can Mastercard buy you love?
Yes, it can, because you can buy flowers and apparently that works.
No. Not for Zoe. Give her a ferret on a stick.
She'll be happy. Yeah, on a stick? That sounds quite horrible. I'm also allergic to flowers, so that probably won't help.
Oh, that's very sad.
I know, and my last name is Rose. The irony.
Oh, Avril, we think of you.
We have these two giants, right? Tech and credit. And they're joining forces to rid the world from the pain of passwords. Now, according to the press release issued on Monday from Mastercard, these guys feel our pain. They feel that we have a huge burden upon our shoulders to remember all these passwords in a world that's getting ever more complex. And it's nice of them to think about us, don't you think?
Very philanthropic of them. Yes, very caring.
And they really want to come up with a solution. So they say in the release that today's digital identity landscape—they really said that. That's really a term they used. They say it's patchy and inconsistent. I mean, what are these guys up to?
I really wish that it was patched, actually.
That's the main problem. So Mastercard explains that a universally recognized digital identity could, quote, unlock new and enhanced experiences for people as they interact with businesses, service providers, and community online.
So they're basically saying the one problem that a lot of people have with password managers—not me, because I like password managers—but the one problem in that centralized single point of failure is they're going to enable that but on our own identification to make it easier to potentially—
It's even bigger than that, Zoe. Close your eyes if you would, everyone, unless you're driving. Do not close your eyes if you're driving. And imagine a future when filing taxes and applying for passports or receiving government payments becomes frictionless. Opening a bank account and getting a loan or a mortgage approved is speedy and easy. You have heavily personalized shopping experiences, which sounds awful to me, but people seem to want it, both online and in stores. And everything gets to cooperate, so email, social media, streaming services, and rideshare platforms, they all get to interact.
So OPSEC is dead?
They're suggesting you use your real identity effectively as your password.
Hell no.
A single sign-on to things both real as well as digital. They start their tweet with: voting, driving, applying for a job, renting a home, getting married, and boarding a plane. What do these things all have in common? You need to prove your identity. So they are really going for it here.
I'll be honest, I like not having to prove my identity sometimes. Like, if I go to the bar or the pub and I get some rando being like, hey, how are you? I give them a random name, and often it's dependent on what day of the week it is. So if it's Wednesday, it's like Wendy, you know, which causes a lot of awkwardness when I see them on a separate day of the week.
This is why you introduced yourself to me as Thor when we were in Seville, is it?
I could pass for a Thor, couldn't I?
I was perusing Reddit this morning and this girl said that she was being, you know, aggressed or harassed by some guy in a bar, so she started barking at him and he left her alone.
I love it. Oh, that's brilliant, I need to meet this woman.
She sounds like the woman of my dreams. I upvoted.
I upvoted. But yeah, it's nice to be able to do things without having to identify. Like Reddit, for example. I like that I don't have to sign in.
Exactly, me too. I see two mega issues here, I'm sure there are more. So one is you can change your password, but you cannot change your identity. So it's a when, not if, it gets compromised.
And then what? Well, and look at the whole Equifax situation. All of those Americans, that really caused lifelong issues with credit ratings, with everything, social insurance.
How are they proposing this is going to work, Carole?
Very sketchy so far on the details on that one. So watch this space.
I figured it out.
Tell us.
Magic.
Well, because I know the UK government, I was at a conference a year or two ago, have been pushing hard for a sort of single sign-on for all kinds of government things which you may want to do. And there has been thought about rolling this out across other organizations as well.
And there's that one company that I heard of a while ago called Sovereign or something like that, that had the same kind of idea, where it's a centralized location and you can permit certain services to have temporary access to only the information you need, for example. Yeah, which sounds great, but yeah, I don't know, I still like passwords though. So also the other thing is, if I go to the US, it used to be that I could decline giving my password, but if it was biometrics, that's not something I, you know— now I think they can still ask for my password, but still, this sounds like the same thing. It's kind of enabling both me, but also anyone else that wants to stalk me or, you know, exactly, because everything gets tied together.
So right now we almost have more freedom because the databases are disparate and uncorrelated. If you think about the Chinese social credit score system and its plans to tie together citizens' social profiles with their bank accounts and their transport and their salaries, and that everything goes through the single system, huge amounts of information come together. So it means that they can say to you who you should and shouldn't marry, right? The systems can tell you, yes, loan this person money or don't loan them money.
But I think there will be people considering the security implications and, you know, oh, well then, you know what?
I should just stop talking. No, they've got this covered. They've got it covered.
Well, but I'm thinking of the Grindr app. Like, brilliant idea, dating for gay men, or to meet other men, not necessarily dating. Brilliant idea, clearly was designed with the idea of security and privacy, you know, designed with the right intentions, and yet it was still misused in the US for a man to be physically and verbally abused in his home and robbed, and in Cairo for the police to target gay men— not necessarily arrest them for being gay because that's not illegal, but to target them and arrest them for other reasons. So I feel like no matter what they implement, I would be quite cautious. And it's scary. It's really scary because I can change my password. I can't change who I am. I've tried.
Let me be devil's advocate just for a second. Okay, so we've said that, you know, oh, we don't really like the sound of this compared to the password managers that we're using. 'Cause we all, you, all three of us use password managers and we've— for the average person on the street who is currently reusing the same password on multiple websites, same one on their Gmail as on their eBay as on their Amazon, et cetera, et cetera. Then maybe something like this could be more secure.
Don't you find something scary, Graham, about the idea that your personal beliefs and interactions are jumbled up with your work and your systems and your taxes and your bank? And, you know, if your personal beliefs or race or religion or identity or clothes shows or whatever, Doctor Who, become not so popular one day, won't this be a handy tool to red flag you?
Doctor Who isn't that popular this year. Or chess, for example.
I love Doctor Who.
No, this year, Zoe, it's not been as good. The writing's really deteriorated.
Yeah, but the actress is brilliant. I'm not—
I haven't got a problem with her. I think it's great that they got a female Doctor.
I'm sure she's very grateful that you have no problem with her.
She is.
She's been in touch. She's high-fiving.
I got an email from someone in prison who—
But on the other side, if you think about it, if their password is compromised and their account's compromised, often they can go to the bank and get, you know, the anti-fraud stuff.
They can get their— you know, but they can't change who they are.
Yeah, it's just scary.
Now, look, I agree with you. I don't think this is why Microsoft and Mastercard got together to propose this idea of a single sign-on identity. But it does seem to me like a serious oversight not to discuss the potential catastrophic downsides to this in exchange for this streamlined future.
And you know, to your point, Graham, so when I was doing some research on this story, I was just, you know, looking at headlines, just going through, you know, all the headlines that were on it, and they were all very positive about this. And then I'm thinking, that's interesting, you know.
I mean, I suppose they pay a lot of money in ads as well. So maybe—
Oh my goodness, you're so cynical.
Well, I don't like this idea of single sign-on.
I think there's a lot of issues in it. Is this because you're almost 50? Is this what's happening now?
I am so far off. You're all 50, sir. How old are we now? How old are we becoming soon, mister?
What, we together? If we add our ages up?
Let's move on.
Yes, shall we? Shall we?
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare! That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. That means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
And welcome back, and you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
You have to do it too, Zoe. I do? Jeez, Graham, she's never even heard the show.
You know what, but I'm pretty, so that gives me social points, doesn't it?
It's— it's— well, you've got a lovely voice. We can't tell if you're visually appealing via a podcast.
Oh, they can.
They'll look at my social profile and they'll be like, oh, she's amazing.
Just say Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily. Could be. Well, mine definitely isn't security-related this week.
Very good.
You may remember in a past episode of Smashing Security, I recommended a game which was available for iOS, and it's on Steam, and it's on the Nintendo Switch and other things like that, called The Adventures of Bertram Fiddle. Well, there is now episode 2 out, and last weekend I played it. Episode 2, A Bleaker Predicament.
I'm actually quite happy about that because I really loved that game. I actually played it.
It was a great fun game. They're calling it the greatest adventure game of 1884. Like its predecessor, it is available for the iPhone, the iPad, Steam, which means you can run it on Windows and Mac. But as I said, my son and I, we were playing it this weekend on the Nintendo Switch. It's a very funny point-and-click adventure game. Not too tricky, not that long. I mean, we finished it in a weekend.
It's got some rather witty puns in it, if I remember correctly.
There's a lot of double entendre, which kept you entertained.
And was your son going, why are you laughing, Dad?
No, he just found the words funny without realizing quite what was being said. But it is very amusing, and it's British, and it's done by an independent game producer called Rumpus. I think they're based down in Bristol, and more power to their elbow, I say, because I really like Bertram Fiddle, and I think you might enjoy it as well. And that is why it is my pick of the week.
Excellent! I really like it.
What's your... My pick of the week actually is a device, and whilst it is not necessarily security-related, it will help you become a better tech because it's helping you with your sleep. So I attended a keynote by Timur Arina— I might be saying that wrong, I really apologize to him. He discussed this interesting trend where we become more and more reliant on technology, and we started to acquire wearables that help us be human again, essentially. They help us to be human? Yeah, well, because as we—
They say go to bed, eat, answer the phone, defecate.
There are definitely things that I do not realize that I should know because it's a human thing. I don't have an appetite because I just don't, so I don't remember to eat. I actually have to have technology to remind me to eat. I have to have technology to help me sleep because I have really, really severe insomnia.
Feel free there on that one.
Yeah. Whilst they're very fundamental and you should know how to do them, get up and walk around for a minute and then sit back down, don't sit on your computer and work on your phishing campaigns for 16 million hours.
Yeah. So tell us about this ring. What does it do?
To give you a context of why I like the ring so much before I tell you exactly what it does: I've had an Apple Watch and I've had other tools and stuff, and I find them too interactive because I'm constantly getting updates. And the most annoying was in September 2017, I was hospitalized for a lung infection because I have very, very severe asthma, and my bloody Apple Watch told me to breathe. I was— oh my God, yeah, I was trying to, that's why I'm here, you—
Yes, you're trying to recuperate. Breathe, breathe. Yeah, I was so angry.
I stopped wearing it.
Yeah, yeah, I bet, I bet. Yeah, I bet.
But anyway, so why this is my pick of the week is actually it's a wearable that's very minimalistic. It's called the Oura Ring. And it sits calmly on your finger and it monitors your sleep. It monitors while you're active and while you're inactive and helps you identify not just your sleep.
It's very pretty, I have to say, it's very pretty.
Also your deep sleep, your REM sleep, and all of that. You do have to put it on a charger, but I think it lasts quite a few— if I remember, it lasts quite a few days because remember, it's— there's got—
There's no screen on it. Yeah.
Oh, remember the old Nokias? Oh, I love the Nokias. I kind of want to buy one. You know, I kind of want to buy one of the new ones just to support, but I don't, I don't think they're quite as— yeah, I know, right?
So the main positive for you with this is that it doesn't irritate you basically because it's not doing the notifications, it's not distracting you.
Yeah, it's improvement to my life through a passive as I need it. And it helps you sleep better. And it looks cool.
And you have to put it on a particular finger? Can it go on any finger? Yeah, so they— beforehand when you purchase it, you purchase the ring but also a free sizing kit. So they send you that first.
Oh, I see. So even if you had a particularly fat finger, or if you wanted to—
Oh, you worried, Graham? I'm just checking. It is definitely finger, is it?
I mean, where else would you put it? He's suggesting it might be a cock ring.
No, no, no, no, no, no. I see you have toes, your big toe. Big toe.
In that case, I suspect that your blood flow monitoring would be quite inaccurate. So I don't suspect it would be that useful. Moving on.
Carole, what's your Pick of the Week?
My Pick of the Week is certainly gonna bring us back to Earth. Because, okay, basically, let me admit something, okay? I had trouble this week. I couldn't find a good Pick of the Week. So basically, took the story that I was thinking of doing that I didn't do. So it's basically—
You're having a second crack at a security story. I know, I know.
I've never done— it just was a kind of cool thing, okay? It was just a cool article. So we all know about the Marriott Hotel chain, the whole data breach, 500 million user accounts last week. Big fat ouch for everybody and the guests and everybody. But there was an interesting article on CNET that took an angle I hadn't thought about before. What do you do if your passport number gets stolen?
Ah, yes. I read this one. It's interesting.
Yeah, because a lot of hotels, particularly those in Europe, right, require the guests to relinquish their passport so they can record the number. And so I was thinking, huh, I wonder how big a deal it is. The article— I'll save you a click— says don't worry, the passport number is not the same thing as your actual passport. Thank God we have one of those, because if you lose your passport or if your number gets stolen, you can order a new passport. With a new number. Isn't it nice to have a piece of identity that can change if it's stolen? Isn't that nice? So maybe my pick of the week is passports. If you think that your passport was stolen, so basically you want to make sure before you do anything, was it stolen or was it not stolen? And if it was stolen, your recourse is to order a new one. Yes, that's out of pocket, that costs money, but you do get a new number. So for those that are worried, that's what you do, because there's about 500 million of you out there that are affected by this, probably.
The one thing I thought was interesting about this one is who's responsible for that? At the moment, I don't think there's any way to do that, but if they're causing— if their lack of security controls are causing millions of people to have to renew their passports or get new passports, and the increase of work on the passport company, shouldn't they be held responsible for that? Because if a ton of people have to get new passports and they would all have to be urgent, they'd have to be more expensive, they'd have to require more staff. And over time, especially now this time of year, people want to go visit their friends.
No, you'd cross-sue Marriott for it. And then maybe Marriott would cross-sue the government for telling them to have to keep this information. I mean, wouldn't all these problems go away if people just stored less info?
Well, that was the other thing I saw in another article was if you cannot secure this information, reliably, if you can afford to do this, then don't take it. Exactly! Actually, I don't think that was an article. I think that was my friend's tweet.
I think I just stole it. Well, he/she's right.
I'm a terrible person. It was Iain's tweet.
I have to question, however, the whole value of a passport at all, because I was once in Vancouver with a colleague of mine who lost her bag containing her passport, and she managed to— and she was flying back to the UK. And she managed to get through Heathrow Airport. Is she super cool? She's very cool. With just her business card and the words to the man at the passport desk saying, Google me.
She sounds brilliant. She managed to get through.
I also had a police report. Oh, you did? I also had a police report, yes.
That's brilliant, I love it.
I had also had an interview with— I can just picture you being like, "Do you know who I am?" No, no, no, I was panicking. They wouldn't let me in and I really wanted to come home. And they're like, "Well, how can you prove that you work in the UK? How can you prove?" And I'm like, "I don't know, Google me." How long ago was that? That was a long time ago.
10 years? 15? Brilliant, I love it.
That was a long time ago.
My respect for you has risen to a new level.
Well, on that shock horror revelation that someone is appreciating Carole, we have just about wrapped it up. Zoe, if anyone wants to follow you on the social networks— I do, yes! What is the best way to do that?
It would probably be to go on the Twitterverse and look at @5683monkey, although if you really want, there's also 5683ferret, which is my ferret, and lately they've become more popular than me, so I wouldn't be offended.
And if you want to follow us on Twitter, we're at Smashing Security, no G. Twitter won't allow us to have a G. And you can check out our online store, you can grab t-shirts and mugs and stickers and things like that at smashingsecurity.com/store.
Thank you for listening once again. We're thrilled if you like what you hear. Now, I read today that podcasts are plateauing. No, no, no. It's true that those that are listening to podcasts are just listening to more, and that's where the growth's coming. This is bad for all of us. So this week, if you want to help us grow, get someone who's never heard a podcast to listen to one. Find a topic they love and get them a source of pure joy. If they're interested in three hilarious security-minded folks yakking about cyber snafus, unlikely, send them to Smashing Security.
And also a big high-five to our sponsors this week who made the show possible, which is LastPass. Thank you guys at LastPass. If you want to learn more, you can get in touch with us at . But until next week, cheerio, bye-bye, bye everybody!
Oh, should I say bye? Perfect. I don't even think we need a teaser at the end anymore. That's perfect. Oh, I'm terrible at this. No, you're great. You have to come on again, right?
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Zoë Rose – @RoseSecOps
Show notes:
- Military criminal investigative organizations crack down on sextortion ring targeting service members — NCIS.
- Scam iOS apps promise fitness, steal money instead — WeLiveSecurity.
- Mastercard, Microsoft to Advance Digital Identity Innovations — Mastercard press release.
- China's Surveillance State Should Scare Everyone — The Atlantic.
- Mastercard and Microsoft to jointly develop universal digital ID technology — IT Pro.
- A Victorian point and click adventure game — Bertram Fiddle.
- Bertram Fiddle: A Bleaker Predicklement Trailer — YouTube.
- Oura Ring sleep and activity tracker.
- Learn how Oura ring works.
- Marriott warns of hack. 500 million Starwood hotel guests' personal data could be exposed — Graham Cluley.
- Marriott breach: What to do when hackers steal your passport number — CNET.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Warning: This podcast may contain nuts, adult themes, and rude language.