
Why a business spat resulted in Liberia falling off the internet, how the US Government shutdown is impacting website security, and the perplexing world of extreme IoT devices.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Zoë Rose.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
There's another app they talk about called Snooza Hero, and this attaches to a child's diaper and monitors baby's abdominal movements to track— not poop— breathing.
I don't think that's what they breathe through. I think that may be your first error there. Smashing Security, episode 111: When Rivals Ransomware, Ransomware Rules Hack, and Extreme Baby Monitors with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 111. My name is Graham Cluley.
Ooh, how binary. I'm Carole Theriault.
And hello, Carole.
I know I geeked out there for a second.
You did, you did. You caught me off guard there. Whoa, whoa, man. And we are joined by special guest returning to the show, ethical hacker, Zoe Rose. Hello, Zoe.
Hello.
Such a good job title, eh? Ethical hacker. It's like social warrior somehow.
Rocket scientist. It's pretty cool.
I kind of like the whole professional stalker. I'd be happy with that.
Really?
Yeah.
I went to the dentist this week and they have a thing where it's what's your job? And of course, in my head, I'm well, why do you care? What business is it of yours? Right? And then I just thought, I'm just going to write podcast host. And then I felt a bit, I don't know, oh, that's it. Yeah, exactly.
A job for which no qualifications are ever required and in fact often a disadvantage, a podcast host.
Yeah, ours is really good. Just people don't know that. Not everybody anyway. Not yet.
So what's coming up on today's show, Carole?
Well, we've got a pretty cool lineup this week. We have you, Graham, talking about how a company shouldn't try and take down its competition. And Zoe from her sick bed talks about the cyber impact of the US government shutdown. Yours truly delves into the crazy world of smart baby monitors. You won't believe what they can do now. All this coming up. Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL: lastpass.com/smashing. Here you can learn all about what password managers can do for your firm, and you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, slide on over to lastpass.com/smashing. I use them, so you should check them out. Hey, Graham?
Yes?
So I've got a problem.
Yes.
I use a cloud service. I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?
Yeah, you've got to encrypt it.
Before I load it up?
Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer, and any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control. So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.
Cool, I'll check it out.
Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week. Now, do you chaps remember Mirai? Of course you do. In October 2016, the IoT, Internet of Things, botnet which launched a massive distributed denial of service attack on DNS service company Dyn. A law enforcement official just confirmed to me a few minutes ago that a second major cyberattack is underway right now. Throughout the day, it has been affecting internet traffic up and down the East Coast.
It's believed a virus harnessed the power of hundreds of thousands of internet-connected cameras, kettles, and thermostats to target sites in America and Europe.
The powerful and sophisticated cyberattacks coming wave after wave. Internet users in at least 6 countries, but mostly here in the U.S., unable to load popular websites like Twitter, Netflix, Amazon, PayPal, and a long list of others.
Smashing Security.
Everybody got hit.
Yeah, Amazon, Reddit, Netflix, Twitter, Spotify, GitHub, all of these sites went down. Massive, massive attack. One of the hardest-hitting attacks the internet had ever seen. And the perpetrators of that attack, probably worried that they were going to get caught— spoilers, they actually were— although they only got probation, interestingly. But anyway, that's a whole different story. Those guys who were behind the attack, they released their source code onto the internet, maybe hoping that other people would create their own botnets. And so—
World disruption.
Yeah. If the source code is distributed, it means if law enforcement find it on your hard drive, it doesn't mean necessarily that you're the guy who wrote it. So you put it out there for everyone to copy. Well, it might do.
It might.
But you know, it's a way maybe of covering tracks, but it did allow others to create their own versions of the botnet from the blueprints of the original.
Yeah, just confusing and making the mess much, much worse.
Right. And it was a very successful piece of code. And some took that code and they used it to cryptomine, for instance. They exploited zero-day vulnerabilities, whereas others simply took it to launch more DDoS attacks. And that is what Danny Kaye did.
Danny Kaye.
Do you remember Danny Kaye? Zoe, you're probably too young to know who Danny Kaye is.
I have no idea who Danny Kaye is. What?
You have no idea? You're North American.
I'm guessing that they're important.
Danny Kaye. Don't you remember? Wonderful, wonderful Copenhagen, friendly old girl of a town. 'Neath her tavern. Do you remember that? What about this one?
You should sing more often.
Thumbelina, Thumbelina, tiny little thing. Thumbelina. Danny Kaye was a song and dance guy. He made loads of—
Based in the UK.
No, he's American, for goodness sake.
Well, I'm not American either.
North America. You don't have any culture in Canada. You borrowed a lot of American stuff. It would've been in the similar—
Have you heard of Poutine?
Have you heard of Avril Lavigne, Graham? Bieber, for goodness' sake, he's one of us. Anyway, it's not that Danny Kaye. It's a different guy.
Oh my God.
So you're just making fun of us for no reason.
I'm not suggesting Danny Kaye, Danny Kaye, who's been dead for 30 years, I'm not suggesting he's been launching DDoS attacks. No, first of all, I am going to take you to Liberia in Africa.
Okay.
Yeah, Africa, eh?
Yeah, I hear the drumbeats.
Yeah, right.
Yeah, yeah, good.
Okay, we're there.
In Liberia, there is a big telecoms company called Lone Star.
Okay.
And it has a rival called Cellcom. All right, now Lone Star is the leading phone and internet company in Liberia. If you're in Liberia and you're trying to get internet access, you'd probably go to Lone Star, right? But that was upsetting to the guys who worked at its arch-rival, Cellcom. And one of them decided he would use some dirty tricks to get the upper hand in the market.
Ooh.
So yes, someone working for Cellcom decided they would hire a hacker.
It was not me. Just gonna say.
I'm ethical. I wouldn't do such a thing.
Not an ethical one, Zoe. A naughty hacker.
A naughty, naughty hacker. Okay.
With instructions to ruin Lone Star's service and reputation. And they approached Danny Kaye, not the one I was talking about, but a different Daniel Kaye, a British cybercriminal, to do their dirty work. And they offered him $10,000.
Oh, nice. Maybe it shouldn't be.
Now you're tempted. Now you're thinking about it, aren't you?
Oh, that would be quite lovely. Imagine how many ferrets I could buy with that.
Oh, here we go with the ferrets again. Daniel Kaye also known as Popopret or BestBuy — yeah, I imagine that domain name's gone if he's trying to grab it. He is one of the many folks who downloaded the source code for Mirai when it was published.
Aha.
And in November 2016, from his base in Cyprus, he hijacked a huge number of Chinese-manufactured webcams, ones branded Dahua.
Okay.
Without the owners' knowledge. And ordered his army of zombies, which were now under his control — not real zombies, but zombie devices — to attack Lone Star's systems, all controlled from his mobile phone. That's what hackers can do these days, launch DDoS attacks from their mobile phone and command thousands and thousands of devices.
So this guy's got control of the webcams and he's got them to attack Lone Star Systems.
Yeah, exactly. Lone Star's infrastructure is getting bombarded with all this traffic. So this is what Kaye was doing. And sure enough, Lone Star's infrastructure crashed. And Kaye thought, well, that's not quite good enough. What I'm also going to do is I'm going to grab all of these Deutsche Telekom routers, which I've hijacked in Germany, and I'm going to get all of those to attack Lone Star too. And at its height, the botnet had recruited over 1 million devices worldwide.
Gee.
So it's a pretty big deal, just the original Mirai attack. And the consequence was it wasn't just Lone Star which had a connectivity problem, but Liberia itself. The whole country effectively fell off the internet.
Yeah, I guess that makes sense, doesn't it?
And users in Liberia were there trying to use their mobile phones and suddenly, hang on, my mobile phone doesn't have any connection any longer. I can't communicate with the outside world because the system has gone down.
And they wouldn't even be able to use Wi-Fi because that would be all clogged up too.
Exactly.
Right now I can visualise all of this. You should read children's stories.
It's that simple.
Don't be insulted. Don't be insulted.
That's not an insult.
Exactly.
I'm visualising all of the little bits jumping off the edge of the world because, you know, they fall off the internet.
Like lemmings, aren't they, bits? There's a world bit shortage, you know. We've got to look after the bit. We have to. Anyway. It did lots of damage to Lone Star too. Lone Star's former chief executive, who has the name Babatunde Osho—
Oh, I love it.
Well, I don't know if I got it right. He said that it had been a devastating attack. He said it seriously compromised our ability to provide a reliable internet connection to our customers. And Daniel Kaye's actions prevented our customers from communicating with each other.
He wasn't going to say it was nothing, was he?
No, but they had an impact on the bottom line as well because people switched to competitors. People decided they didn't trust Lone Star anymore. Their annual revenue dropped by tens of millions of dollars, they claim, and they've got liabilities. They have to pay out for all the people who lost connectivity as well. So it was a pretty big deal. The National Crime Agency in the UK, they're the ones who prosecuted and caught Daniel Kaye, and they took him to court.
Right.
Where he admitted all sorts of wrongdoing. Interestingly, by the way, British law, unlike some other countries, allows a cybercriminal to be prosecuted for an offense anywhere in the world. So although he was at one point being spoken to by the German authorities, he was brought back to the UK in order to get him for the Liberia attack, and he's now been jailed for 32 months.
Huh.
Now, there's one extra little wiggle in the story though, which is that remember I said that an employee of Cellcom, the company, had hired him to launch this attack. And there is now legal action being taken by Lone Star against Cellcom. They're suing them for the attack. They're saying, okay, so we've got the hacker, great, but who paid them to do this? There's no indication that Cellcom knew that one of its employees had hired Daniel Kaye to hack and to launch this DDoS attack. But in his own testimony, Kaye says that he was hired by the company's CEO. So they can say that none of our employees.
Yes.
I'm not pointing any fingers.
Actually, a CEO is an employee.
A CEO is an employee.
So you can't say that.
And maybe Kaye was telling a fib or—
But maybe he's saying none of my employees. Or something like that.
Yeah, oh, very clever.
I don't know anyone that hired outside of me or something, just cut off the last bit.
If anyone was negatively affected by my actions, I would like to offer an apology.
Yeah.
So companies, watch out because it's not always just pizza-eating bad guys who are launching DDoS attacks.
It could be greedy rivals.
Yeah, it could be rivals as well.
You know what? That is actually more common than you could imagine. I'm actually surprised, having the cases that I've worked on, that it has been a rival. Maybe they'd be better if they had more sauna.
Sauna?
Yeah, just relax in a sauna.
I can think of nothing less relaxing than being in a sauna dripping with sweat. No, it's more the other naked people with pieces of birch. I don't want to be around that. What's gonna— why am I in this water park?
With ladles, with ladles. Yeah, with ladles.
What, ladles? Yeah, don't they?
I used to have a ladle.
But why is there multiple ladles?
Can people bring their own?
Yes. You don't want to reuse someone else's ladle. You don't know what's been dangling in it.
Oh, okay.
Yes.
Very good advice.
Yeah.
No, I just got back from camp and after class, after jiu-jitsu, we all go into the sauna and it's really hard to be angry at people when you're all sat naked being drenched in sweat. Because you all look miserable and you are pretty miserable, but it feels really good. And then you go out in the snow and freeze your butt off, and then you come back. So I feel like if they all spent that bonding time of freezing their butt and then warming it, they'd be less grumpy.
You know what, jail suddenly seems so much more appealing. Zoe, what's your story for us?
So everybody knows about the government shutdown. The exceptionally long government shutdown in the US of A.
Yeah, yeah.
And on my Twitter feed, all I've seen is fast food. Don't know why, but that's what's going on right now. So they're ordering a lot of fast food, but what they're not doing is renewing their TLS certificates.
So Zoe, for people who aren't up to speed on website security, what actually are these certificates and what do they do? What's the benefit of having them in place?
I remember Troy Hunt explained it. It's that little handbag in the top corner of the URL bar.
You might have a handbag, I have a padlock next to HTTPS.
Yeah, but apparently some people think it's a handbag because it's on shopping websites.
Of course, I love it.
Yeah, I know, that made me so happy. I then wanted to get a handbag that looked like it.
Specifically, it's telling you that any information you send from your computer to its server is encrypted in transit.
Correct. And then anything back is again encrypted.
So tell us, what's going on with TLS certificates?
Well, apparently, according to the government's website, nothing. They're not updating them. So essentially, their websites are— well, two things: they're manually set, so somebody manually has to renew the certificates every year or whenever they expire, which sounds like, oh, it's not that big of a deal, but could you imagine how many websites they have? And it's a pretty big, important thing that you go to your website of the government and it's like, "Oh, is it secure? No." Do they actually care? They care more about a wall to physically block it than online security, which is a much bigger landscape.
In these government shutdown scenarios, they only keep a skeleton staff to look after the critical systems. Like food ordering. Yeah, like food. Well, didn't he do that himself?
Actually, I have no idea. It's just all over my feed and it's really annoying because I've blocked him, so you'd think it would stop showing up. Anyway, it's annoying.
But so what you're saying is they didn't think that these certificates were critical.
And that's what the second point I was going to make is, is not only are they manually doing it, but they also are not prioritizing their citizens' security, right, when they access these websites.
Right.
And whilst you think, okay, well, you know, that's still available, maybe that's okay. But not all the websites are available because some websites, they've set up HSTS, I think is the thing.
Yeah.
So basically it means if it's not going to it securely, it's not going to go to it at all, which my security by design heart is like, that is lovely, except for the fact that when you don't renew it it's not going to be able to be accessed.
Can I ask you a question, Zoe?
Yeah.
So imagine if you had been working for a month now for the government without pay, and you were in charge of updating these certificates. As an ethical hacker background person, which way do you go?
Well, I am a very strange person, and I really—
No, I can confirm this.
But no, I do a lot of volunteer work. The reason I got into security has always been to be the person I needed 10 years ago. So I would prioritise doing the certificate renewal. However, I do not work for the government and I don't know what other tasks they've got going on. So I imagine, not to be all pointing the finger, it's their fault, they're horrible people, but I imagine their task list went from being pretty big but manageable to being holy moly, I am drowning.
Well, and also, I mean, there probably are considerable numbers of websites which are affected by this. There can be costs associated with getting a new website security certificate.
Well, yes, you can do that, and then if you were using Let's Encrypt, then they would be automatically renewing themselves, right? Yeah, and there is no cost.
So they clearly haven't been set up in that fashion, which is a choice which they've made, which is fair enough. But if you have a country where they keep on having government shutdowns and these sort of things happen, I think we've had 4 in the last couple of years, then now's the time to take action, isn't it? To prevent it from being a problem in future.
Because everybody knows that, you know, your disaster recovery, your business continuity plans, they're all fine and dandy until something happens. Then you realize, oh, this wasn't covered. So it could potentially be that they just didn't put 2 and 2 together before it shut down, because there was— they did mention in some articles that there was some certificates that did expire right before the shutdown but never got a chance to be renewed, right? So they're out of date still. So I can't imagine it's malicious. I can't imagine it's a lack of caring. I suspect it's just they're doing— the people that are actually trying, they're doing as best they can. They're going to miss things. It's just unfortunate that the general public are the ones that are being punished for this because the information isn't always available because some of the sites are not available and the sites that are potentially could be compromised.
And the longer the shutdown carries on, the more websites are going to start to crumble a little bit, or things aren't going to be renewed, or updates aren't going to occur.
I always view hacktivists as people that do political graffiti on websites because as the websites are, you know, compromised, as the systems are more vulnerable, because if they're not doing certificates automated, you know, what's their vulnerability testing like? What's their patch management testing like? It's a huge concern, especially if you're a country that some places don't seem to like you that much, you know. I mean, I'm not pointing the finger at anyone, but I mean, that's a potential that they're increasing their risk.
Oh, absolutely. I mean, if a new vulnerability became publicly known about some web server software which is widely used in the US government, is there anybody to roll out that patch across those systems urgently, or is there going to be a big data breach? Yes.
Can you imagine that phone call? Hi, Frank.
Hi.
Yes, sorry, I know you haven't been paid for 6 weeks, but can you help us out here?
Yeah, I know that you're angry and potentially a disgruntled employee that may become an insider threat, but could you fix this quickly? We're not going to pay you for it, but we'll give you a pat on the back. But, Let's Encrypt.
Help us out.
Kroll, what have you got for us this week?
I think we can all agree that generating fear and doubt is a surefire way that companies adopt to land grab customers, bump up profits, that sort of thing. Insurers will convince you that, of course, something bad might happen. Wouldn't it be great if they were there for you? Say there's a car accident or you get robbed or you lose your job. You've got ads aimed at teens as well, telling them they won't feel so awkward and insecure if they have the latest smartphone or if they eat avocados. What? It's true. We've also got what I want to focus on today. And this is a plethora of smart devices aimed specifically at parents, smart baby monitors. Now, we all know there's a lot of joys to being a brand new parent, right, Graham? You come home with this brand new life that you've created.
You do. You do, yes.
And now the scary bit is you've got to keep him or her alive.
Oh, it's petrifying.
Yes, I bet it is. Exactly. Now, of course, parents are naturally built for this job. Otherwise, none of us would be here today. I mean, it's as natural as falling in love or having a poop, right?
Oh, I'm female. We do not do those disgusting things.
At least not at the same time.
And now, baby monitors. This niche industry has skipped along at quite a clip. Recently, we are now beyond smart baby monitors. Let me introduce you to extreme baby monitors.
Extreme?
Extreme.
Do they monitor the baby's heart and breath and all the other things?
What, really?
Do they?
According to an article in Marketplace, there's some crazy stuff out there. Check this out. Now let me introduce you to Owlet.
Now this is $300. It's a smart sock that wraps around a child's foot and it claims it can monitor the child's heart rate and oxygen levels while they sleep.
Okay.
Right? And parents can have an accompanying app for sleep data and they can monitor their child and see everything and kind of track stuff.
Mm-hmm.
There's another app they talk about called Snooza Hero.
Snooza Hero.
And this attaches to a child's diaper and monitors baby's abdominal movements to track—
Oh!
Not poop. Breathing.
I don't think that's what they breathe through. I think that may be your first error there.
So if the child doesn't move for 15 seconds, the company says the device will vibrate in an effort to rouse the child. And if movement stops for 15 seconds on 3 occasions, parents will be alerted. Okay, now this runs at $110.
$110 diaper.
Dollars.
No, I meant $110 diaper.
Are they reusable or do you have to get a new one?
Well, it's not a diaper. It's kind of this thing attaches to the child's diaper.
You know what? This sounds like— I attended a talk recently that was absolutely brilliant.
It's you're reading my mind.
This guy and his obsession with technology. It was great. But he even mentioned, you know, I have to take time off and go out to the country and have no access to technology. And now this company is starting babies young. Pretty soon we're not going to be able to— we're not going to be able to function without technology. Another interesting point he made was how we have all this technology to teach us how to be human again.
Yeah, it's crazy, isn't it? Because that's exactly it.
Yeah.
So it seems as though these two tools seem to market themselves as a way of easing your parental anxiety about your baby. So I did a little digging into these two extreme baby monitors. And I don't mean just reading their web pages for their marketing campaigns. I looked into their T&Cs and privacy agreements. And I want to invite you on my little choo-choo train of basic recon. And this is to help people who have to purchase any smart device, be it for your baby, your home, your health. These are the kind of things I say you need to look at. Right. So first stop is data collection. What are they collecting from you and what do they do with it? The Smart Sock creators, Owlet, they grab info like sleeping habits from your baby and your use of the app. So your IP address, length of time you use it, your location, web browser info, and even unique device identifiers. And in their privacy agreement, they state that we may share your information with our vendors, service providers, and other third parties that perform services on our behalf. So they're okay to share information. Snooza says they don't disclose any personal information to third parties whatsoever, and they purely just use the information to provide services.
Yeah, but what if they get, you know, purchased?
Well, very good point. And even with those good intentions, you might say at this point, okay, I'm more happy with looking at Snooza, for example, in this situation. You know, they're not selling my data. They're not leaving that door open in their privacy agreement. But the second stop, of course, is security, right? So even if they have no intention of sharing the data, if they're a victim of a data breach attack or something, then the intention is moot. So I wanted to look at their infosecurity in their agreement.
Right?
Honestly, I found both websites to have crappy info about how they see security, and neither filled me with confidence. Now, that's not to say that they have crappy security. The information they provide on their site and in their agreements is about as bog-standard as you can get. And I think it's probably okay if it was a Joe Schmo retail product, but it's not, right? It's a smart device. So they have little lines like, we take reasonable steps to, and we use certain technical safeguards, but there's nothing specific.
Do they say we have bank-level or military-level security?
Ha ha ha ha ha ha ha.
No. They never say what bank, do they? That's the thing which worries me.
Well, I always, I'm always like, I've worked for banks. You have that level of security? Oh, but no, that's interesting.
Now, neither guarantee the security of your data. And okay, I get that. But neither say what recourse will be available to you as a customer should they get hit by a breach or whatever. So in other words, they're basically saying, use this product and trust our data collection and management at your own risk.
And it's also saying we don't actually know what the risk is, so please don't sue us.
That's true of most companies though, isn't it, Carole? You know, I mean, most companies on their websites probably say, look, we're not going to guarantee anything, we're certainly not going to claim this is wrapped around your baby's body. I mean, I'm glad you said body. I was wondering where you were going to go there.
Well, it's wrapped around the baby's bottom.
Oh, there you are.
Yeah.
And the foot.
Now we're at our final, third and final stop, right? Of our top level. So it's trust. So who is saying that this smart device works, right? Who's overseeing the use of it? What's the security of it? You know, what's the quality of the smart baby monitor? To my mind, the website should be full of endorsements from trusted consortiums and organizations or whatever, loaded with trusted medical professionals recommending them.
At the very least, they have a Kardashian, shouldn't they, on the front page?
Or 9 out of 10 doctors.
Kanye and Kim with North West saying, we put this on our baby's bottom, and as a result, there are no unexpected gusts. We're able to monitor their breathing. Everything's wonderful. That's the sort of thing I think in today's social media obsessed age, we need people like them to tell us which smart devices to get.
Could it sync to a Twitter account? The baby poops.
I think you've just given them an idea. Thank you for that, Zoe.
So none of these sites seem to have anything that I could find which suggested, yeah, this is endorsed by something trustworthy.
Not even a psychiatrist or something?
No, they have parents saying, oh, this makes me sleep much better at night. They have those kind of messages, but nothing from any authority. And the problem is this, you know, smart companies are jumping on the bandwagon to secure market share, to make a buck. I don't feel they're consulting internet security experts enough or providing sufficient evidence that they're taking security seriously.
Well, they haven't called me, so clearly—
Or if they are, they're not then communicating. Exactly right.
Yeah.
So I have a solution here. So if you're a consumer, if you're a consumer, be you a company or an individual, you've got to get comfortable with reading the small print. You've got to read the privacy agreements, and you've got to ask yourself, what do they collect? What do they do with it? And who's recommending this product? And as a manufacturer, why are you not partnering with trusted security teams that can help you bake in security from the get-go? Think about future-proofing so it can be updated in future and then brag about it all over your site. You know, it'll build public confidence. It'll lead the way for others to do the right thing to protect consumers.
Yeah, I mean, there are some websites that do it. An example is Threema. I really like the way that they explain how their software works because they're security-focused, they're privacy-focused, and so they make sure to explain to their users, who tend to be technical anyway, but they explain it quite non-technically and it's brilliant. I wish more organizations took the time to do that.
Yeah, you know, if you take these steps, it'll help avoid stories and headlines like Engadget's "Fisher-Price baby monitor is a rash machine" is what the review said. So look, it says Sproutling, which is the name of the Fisher-Price baby monitor. Sproutling isn't really a baby monitor. It's a solid sound machine paired with a terrible sleep tracker and buggy app. Almost nothing works as it's supposed to, and there are countless questionable design decisions. And beware if your child has sensitive skin, the wearable will not sit well with them. And it's $250.
Oh man.
And, you know, this is a kind of recognized name, right? Fisher-Price is not something that, you know, it's not some new kid on the block. So, you know, keep your wits about you. Be savvy out there.
The New Kids on the Block might be available if Kanye West isn't available because they're not such big stars these days.
Getting there. Just a thought.
Just a thought.
You're so hip with the kids, James.
Oh, yep. That's me.
Yep.
Thank you.
And you join us on our favorite part of the show. The part of the show that we call Pick of the Week.
Pick of the Week.
Pick of the Week. I got it this time. Thank you.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.
Definitely shouldn't be.
Well, mine isn't security-related necessarily. Congratulations, Graham.
Mine is. No, it's all right if it is, Zoe. It's all right. We're coming to you in a moment.
Okay, I've got a different one.
It doesn't have to be necessary. I've got a different one.
I've got a book.
Don't listen to her, Zoe.
Yes, definitely listen to me.
The Namib Desert in southern Africa is not my pick of the week, but it is believed to be the oldest desert in the world, having been there for 55 million years. I don't know how they test that.
So just a couple years, then, yeah.
Just sand dunes and all the rest of it. And a Namibian artist going by the name of Max Siedentopf has set up a sound installation somewhere at a secret location in the 81,000 square kilometre desert to play on endless loop the song Africa by Toto.
Oh my God, that is noise pollution beyond anything I can imagine.
I have included a link to YouTube. It's set to play forever. It's a solar-powered MP3 player with only one track being Toto's Africa.
God, listen to the wind. It kind of enhances the song, if that's possible.
No! Is it really that good a song though?
No, Zoe, it is not.
If you are marooned in the Namib Desert and feeling a bit lonely and you stumbled across it, it would be a rather magical experience, I think.
How far would that sound carry? There's nothing blocking it, it's just sand.
Won't the speakers and that just be covered and it will just be underground?
One can only hope. Do you know what I would have loved for you? I would have loved that you were out in the desert and singing out there for everyone in the desert to hear.
A bit more Danny Kaye? Is that what you'd like? Salty old queen of the sea, once I sailed away.
Oh, please, Graham. Seriously, we really want to continue our friendship. This is the second time in the show.
Well, Siedentopf says that he hopes the song will play for 55 million years, but he does accept that the harsh environment, the desert, might mean that the installation is devoured by the dunes. All I can tell you is, if I hadn't become a podcaster, I would have loved to have been a modern artist and done something like this.
Zoe, what's your pick of the week?
I've read a brilliant book, actually, and I am completely lying. I did not read it. I listened to it on audiobook.
Oh, you experienced it. That's what my brother and I call it.
Yeah, yeah, yeah. And it is called The Brain: The Story of You by David Eagleman.
Okay.
And it's actually read by the author, which I love because often it's read by someone else and it makes me sad. And he has a nice voice, which is important. But essentially, it is a book talking about the brain. It's talking about the development of the brain from being a baby. It's talking about, as you get older, how you learn things, how do you become natural at things, why you act the way you act, you know, all of that good stuff. Anything from, you know, why you're born without knowing how to walk, for example, whereas animals just get up and walk.
And why— another example is people that have received Botox actually have a harder time understanding other people's emotions because they don't have the muscle feedback from their face. Because when I'm talking to somebody, I mimic them, I mirror them slightly, and that feedback actually helps me understand, which I thought was actually brilliant.
He's a pretty big dude, David Eagleman.
Yeah, you know, he's got—
He's a neuroscientist, Stanford University. Yes, I thought I knew, I thought I'd read something from him, but I don't think I have. A big recommendation from Zoe to read David Eagleman's The Brain.
And as with all the pick of the weeks and other things which we've mentioned in the show, we put this as a link in our show notes. And so if you go to your podcast app, you should be able to view the show notes there or go to smashingsecurity.com. Carole Theriault, what's your pick of the week?
Okay, mine is also a book.
You're both such eggheads.
Oh, I hadn't— I had a nap to begin with.
Okay, there's no time for that now.
So during the break, I was able to catch up with some reading, and my pick of the week is a book called The Coddling of the American Mind. It's written by Greg Lukianoff and Jonathan Haidt. The book looks at the issue of an increasing number of students wanting to be almost protected or safeguarded from arguments they find challenging or upsetting or whatever. And this book is kind of— looks at all this from different points of view, but with always social psychology or cognitive behavioral therapy in mind. So it details some pretty harrowing situations, from screaming matches between students and teachers to riots where students display classic mob tendencies in order to get their demands met. And the book tries to figure out how did this happen? Why are students acting this way now? And how do we stop it from getting worse? How do we fix it? How do we address what's going on? Anyway, really, really interesting read. It does talk a lot about cognitive behavioral therapy. So if you want to learn about that, it's a great intro. The two authors actually collaborated on an article with the same title, The Coddling of the American Mind, for The Atlantic a few years back. So you could check that out first if you think that's interesting. Then I suggest buying the book or experiencing the book as an audiobook. There you go.
Oh, you know him right now.
Did you read it, Carole, or did you experience it?
No, I read it. I read it. No, I read it.
Well, it must have had a lot of time.
I think it's like, I like dividing my life. I spend a lot of time online, right? And I spend a lot of time listening to podcasts. And so sometimes I need to unplug, and a book is something I've always gone to for that. So I'm a bit of a bookworm, old school.
Paper book, or was it a Kindle, or a hard copy book, actually?
Yeah, yeah, yeah.
Well, there you go. Well, jolly bloody good, Carole. Well done, you. That just about wraps it up for this week. Zoe, if anyone wants to— of course they will— if folks out there want to follow you on the social medias, what's the best way to do that?
Twitter, mainly. Yeah, Twitter. Because if you add me on Facebook, I'll think you're a creep. It's true though, people I'd meet, I'm like, who are you? Anyway, so yes, Twitter, you can follow me at 5683monkey, or if you like ferrets, 5683ferret. I've gotten a lot of followers on that one recently, so I don't know what that says about me, but love it.
Okay, fantastic. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And you can also check out our online store where folks have been buying an array of fun mugs and t-shirts and stickers emblazoned with our logo or our catchphrases at smashingsecurity.com/store.
Thank you as always for listening to the show. And thank you to our sponsors this week, Boxcryptor and LastPass. And if you like the show as much as we like making it, throw some love our way in the form of telling your friends or even leaving us a review.
Fantastic. Until next time, cheerio. Bye-bye.
Bye everyone.
Now you can tell that person they can give you a 5-star because they gave you 4 stars.
Remember?
Yes. Why did they give us 4 stars again?
I need to come back apparently.
Oh yeah, yeah, go change your star rating, dude.
Hosts: Graham Cluley, Carole Theriault
Guest: Zoë Rose – @RoseSecOps
Show notes:
- Mirai Botnet DDoS (Sky News) — YouTube.
- Massive Cyber Attack Knocks Out Access To Websites (CNBC) — YouTube.
- Download the Mirai source code, and you can run your own IoT botnet — Graham Cluley.
- The makers of the Mirai IoT-hijacking botnet are sentenced — Tripwire State of Security.
- Danny Kaye — Wikipedia.
- "Wonderful Copenhagen" — Danny Kaye from the movie “Hans Christian Andersen”.
- International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider — National Crime Agency.
- Courts Hand Down Hard Jail Time for DDoS — Krebs on Security.
- Liberian ISP sues rival for hiring hacker to attack its network — ZDNet.
- .gov security falters during U.S. shutdown — Netcraft.
- TLS Certificates for Many .gov Domains Not Renewed Due to Government Shutdown — Security Week.
- Owlet.
- Snuza.
- These ‘extreme baby monitors’ claim to track your child’s breathing, heartbeat and every movement — MarketWatch.
- Fisher-Price’s wearable baby monitor is an unreliable rash machine — Engadget.
- Threema – Seriously secure messaging.
- Africa by Toto to play 'for all eternity' in Namib desert — YouTube.
- Africa by Toto to play on eternal loop 'down in Africa' — BBC News.
- "The Brain: The Story of You" by David Eagleman — Amazon.
- "The Coddling of the American Mind: How Good Intentions and Bad Ideas Are Setting Up a Generation for Failure" by Greg Lukianoff — Amazon.
- How Trigger Warnings Are Hurting Mental Health on Campus — The Atlantic.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice. Visit www.boxcryptor.com now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
'We talk DDoS, Mirai, Danny Kaye, Toto, saunas, IoT diapers, and more!'
When I first read that in my dead tired state I thought it said 'IoT, diapers …'. Observe the comma. I had this horrible thought and wanted to say 'Please don't tell me they have IoT nappies…' Looking at it again I believe that that's exactly what you were getting at. Unbelievable. I don't even want to know. I do but I don't. Whoever is behind those is seriously disturbed and that's an extreme understatement. I won't say any thoughts I have about safety issues and also legal issues but I certainly have a number of the latter ones – namely regarding the designers' conduct.