
Twerking robot assistants, an app from Saudi Arabia that lets men track women, and a gnarly skiing security snarl-up!
Oh, and find out how a didgeridoo could change your life and that of your loved ones.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
What we need is a march. What we need is a parade of Jibos twerking their way to Trafalgar Square, demanding that they be put back online. What do you want, Jibo? When do you want it? At some stage in the future. Smashing Security, episode 118. The S in IoT stands for security, with Carole Theriault and Graham Cluley.
The lovely Carole Theriault. Well, I've decided...
What's all this about? Bring back the old Carole Theriault.
I'm going to be very nice today. I've decided all day I'm nice to all people. And I've not been great at it. So this is going to be the true test, this episode.
What's brought this on? Have you had a bad review on iTunes or something? What's changing your character?
No, I just, I don't know. Just didn't want to be grisly.
Oh, okay. All right. Well, we're joined this week by a special guest. It's technology journalist and star of the Cybercrime Investigations podcast, Geoff White. Hello, Geoff.
Hi, how are you guys doing?
All right, not too bad. Great. Thanks for coming on the show, Geoff. I know you're super busy. So nice to have you here.
No, it's really nice. I am, as some people know, writing a book about cybercrime at the moment. So frankly, any excuse to do anything other than write a book is... If anybody's got any ironing, I'll take that in.
Do you iron? Because I hate ironing.
I hate it, but only marginally less than I hate writing a book.
Are you writing it longhand or are you typing it? Have you got a quill? Are you carving it into a piece of stone?
I'm doing it in semaphore, which just makes the whole thing much easier. It's my preferred medium. I tried modern dance, but that was more difficult.
Well, Carole, what have we got coming up on this week's show? Another doozy is lined up this week. Graham, you are going to be introducing us to the Jibo or Jibo. Geoff, you're off to Saudi Arabia and looking at a slightly creepy app. And I'm hitting the slopes with a new not-so-smart toy that fits into your brain bucket or helmet. All this coming up on Smashing Security.
Right, well, chaps, we are all familiar, aren't we, with digital assistants or dinguses, or maybe it should be dingai, things like Siri, Google Assistant, or dare I whisper it, Alexa. Well they're not the only digital assistants that people have in their homes. Have either of you ever heard of the Jibo?
No.
No, but hang on, does this... oh, because I'm called Geoff with a G, I'm already interested, because it sounds... a Jibo sounds like something that G. White should have.
Oh, I'm afraid it's Jibo with a J, obviously. I imagine you look down at Geoffs spelt with a J; it's the inferior spelling. But it's like Grahams with an E, I tend to look down on them as well.
I totally understand where you come from. You just feel like a better person.
Yeah, Carole with an E. Exactly. See, I'd pronounce that Jibo then, wouldn't that make... Oh, I don't know. Anyway, sorry. As if this podcast is about pronouncing names properly. Do you know where you are?
Right, Carole? Exactly, Graham. So the Jibo is a chubby robo-buddy developed by robotics boffins who came from MIT. And it was an attempt to make home-based robots more social and, well, just generally cuter. And the Jibo is kind of cute. It's animated. It's got more character than the likes of Siri and Alexa.
You mean animated like it moves around?
Oh, yes, Carole, it does. OK, OK. Let me point you towards a video of the Jibo, not just looking at you and blinking and taking photos and having a conversation with you, but also dancing. Bops around.
Wow. Better dancer than my husband. That wasn't very nice. Cute. You say cute. I say slightly vulgar. It's a little bit like twerking, I think, is what it appears to be doing.
You think that looks vulgar?
Yes, I do. Definitely twerking.
Yeah, I kind of see that. Sorry to interrupt, but I've just looked at the picture of this thing. It's been bugging me what it reminds me of. This thing is the bastard love child of Hal from 2001, A Space Odyssey, and a minion. Yes! That's what it looks like. It's a cross. Hal meets minion in space.
Yes, it is Hal, though. The one eye, the one glowing eye.
Yeah, yeah, yeah. Anyway. Exactly. Sorry, Graham, I've interrupted. Sorry about that. No, no, no, no, no, no. It made the story much more interesting. Absolutely. It's much better than what I said.
No, please be nice, Carole.
Anyway, some people loved the Jibo. It could do cool things like facial recognition. We're big fans of facial recognition on this podcast, aren't we? It could learn your name. It could turn towards you when you entered the room and sort of knew where you were and how to address you. But it wasn't all fun. Jibo couldn't make phone calls or read you notifications or give you directions or read the kids' bedtime story. You couldn't disable its camera or microphone other than to completely and utterly shut it off. So it was out of the race when you compare it to the other home assistants. And it cost 899 US dollars.
Oh, that's an expensive widget.
It's a lot more than an Amazon Echo, isn't it? Or a Google Home, which can arguably do a lot more. So for some time, despite new features occasionally being added to the Jibo, people have been worried about its future because it costs so much money. And how could it compete with Google and Amazon? And those fears were only compounded late last year because Jibo's intellectual property got gobbled up by an investment firm, which clearly had no interest in really keeping the devices alive. And this week, and this is why I'm talking about it now, this week, the axe appears to have finally fallen on this social robot because a new update was pushed out to Jibo. And as with any other update pushed out to Jibo, the owners could ask it, well, what does your new update do? Because as it installed, it would say, fantastic, wonderful new things are being installed. It would say, but to get the details, you had to press a button. And some of the owners made a video of the robot explaining what its update was going to do.
Well, it's not great news. The servers out there that let me do what I do are going to be turned off soon. Once that happens, our interactions with each other are going to be limited. I want to say I've really enjoyed our time together. Thank you very, very much for having me around. Maybe someday, when robots are way more advanced than today, and everyone has them in their homes, you can tell yours that I said hello. I wonder if they'll be able to do this.
Owners are getting dumped by their robot?
And at that point, the robot began to dance. Swan song. Death dance. I've got issues with it. You've got issues with it, Geoff. You should check out the Jibo owners' Facebook group. According to Motherboard, some owners have been explaining to their young children that Jibo was dying and how they hugged Jibo hard and how parents and children were left in tears at the loss. Can you imagine? Right, so people have paid 900 bucks for this thing, right? At that point, they've bought a product which functions at the time you buy it in a certain way. Later, because it's connected to the internet, is then effectively disabled. That surely, that's got to be against trading standards, hasn't it? I mean, you can't disable the product somebody's bought that was functioning at the time they bought it. Where'd you get your money back? Yeah. This is insane. I wonder if you could decouple it from its software so you could just actually play around with it, basically unbrick it. Maybe then you'd separate the software from the hardware. But yeah, you're right. But you don't have it. You don't get your money back. You don't have an ongoing contract. It's not like you just pay each month. This is, you bought, you paid your money, you connected the server. Was it in the contract that at some stage? I mean, I just think, you know, I think legally we need to sort this out because this will happen to other things, won't it? Unless we, Jibo is a line in the sand. We've got to kind of, we've got to make a decision here. Are we happy with this or not? What we need is a march. What we need is a parade of Jibos twerking their way to Trafalgar Square, demanding that they be put back online. Yeah, to the high court. What do you want, Jibo? When do we want it? At some stage in the future. From my understanding, they will still be able to twerk and tell jokes and purr and laugh and all those important things. 
But anything which required internet access, like telling the weather report or offering you a word for the day or looking up stuff on Bing, search engine that used, that's all going to be disabled. You're not going to be able to do that anymore. And I think you're right, Geoff. I think you're right. There's lots of IoT gadgets out there which are reliant on external services. And you're sort of in the lap of the gods as to whether they ever get turned off or not. This company appears to basically be going kaput. Its intellectual property has been bought. So someone may be able to adapt it and sell it on to others who knows in the future. Yeah, but that's not what you purchased it for. That wasn't your understanding at the time. And there's no recourse. Basically, Geoff, they've gone bust. And therefore, like any store, all the support and consumer service is gone. But if it's interesting in that normally I buy a product, I take it home. If the store closes, I'm not bothered because I've got the product. If what you're saying is the product is an ongoing product that's continually supplied to me after a one-off payment, well, then you can't withdraw the continuous supply because that's what I paid for. But I don't know, it's interesting. I don't think this is covered by law, is it? IoT 101, yeah. I've just got this lovely image of a line of Jibos making their way through the snow back to the home base, like, go home, Jibo, go home. Crying, crying. They're all sobbing, twerking occasionally really miserably. They're twerking miserably. Twerking miserably as they sob their way back to Jibo HQ. It's true, though, isn't it? I mean, you buy a product, but you're not actually owning all of it, are you? Because some of it is out of your control, and someone else can pull the plug on that bit, and the impact. We saw this thing with the Nike Adapt BB trainers. We spoke about them a couple of episodes ago, predicting that they might cause problems. 
Sure enough, right after we published the episode, there was an update pushed out which bricked the trainers so people couldn't unlace their trainers any longer. But the other thought which came to me the other day was these trainers were costing $350, which is about a third of a Jibo, isn't it? But they're still trainers. They're still shoes, which means they're going to wear out in a year to 18 months. And you'll have to spend another $350 in order to have self-lacing trainers. Whenever you buy an IoT gadget, you're not just buying the gadget itself, you're buying into its infrastructure. And if the company goes kaput like Jibo appears to have done all the servers are turned off, your gadget isn't going to behave the same anymore or at all. I'm actually talking about an IoT gadget too, so we can do a twofer on the advice at the end of my section if you like. What do you like, twofer? Well, you'll see I'm getting cool on my lingo. Well, as well as being nice, you're now being cool with your lingo as well. Yeah. Wow, it's all changed. I'm lining my story. But first... Yes, Geoff, what's your story for us this week?
Well, I was going to talk about not IoT stuff, but app stuff, and particularly an app that's been making the news recently, which is a Saudi Arabian app called Absher. Okay. It's interesting. What this app does is what I think a lot of governments are getting quite interested in, which is whereby citizens can sort of interact with their government digitally. And I do see the win there as a broad trend, you know, not having to queue at post offices for driver's licenses and that kind of thing. A lot of our interactions, you know, with the state can now be carried out. India has made a lot of headway in this area, hasn't it? With mixed success. You know, the Aadhaar card, the Aadhaar system, yes, which I think is an instructional lesson to any government thinking of introducing any kind of digital identity or ID card, because there have been many, many instances where that's gone wrong. I mean, brave effort to try that in a country as populous and complicated as India. That really was one to watch. But Saudi Arabia's gone a slightly different route, has looked at this app. And citizens, as I say, can interact with it, can do various government interactions. And one of the things they can do is talk about renewing driver's licenses and also travel documentation and travel permits and so on. And this is where it gets slightly difficult, because in Saudi Arabia, under the country's rules, women, before they travel, need to get, it seems, a guardian, either husband or father, a male figure, to sanction and to permit that travel movement.
Grief.
Yeah, but now they can drive. I think it was last year, the year before, they were, OK, you can drive a car.
I think they're only allowed to drive if they have a Jibo in the passenger seat next to them or a man.
Drive me home. I'm broken now. Yes. So there have been changes across the Middle East in terms of that, you're right. But the actual travel outside of borders and getting on a plane flying out of Saudi Arabia still needs to be sanctioned, it seems under current rules. Now, what this app does is gives the person who owns the app the ability to permit or deny that travel almost instantaneously. And it seems get text messages, SMS messages when the person tries to attempt to travel.
My goodness.
Yes. So it is sort of a kind of remote control operation of that. What I find interesting about this is, and there is some difference of opinion on this. So for some people, they say, well, actually, this is good because this rule does exist, and this app speeds it up. So no longer do you have to, you know, go to your husband with your husband to the airport or the visa place or whatever, he can just sanction your travel immediately on the app. So I get that line of argument slightly. What I find interesting about this is this rule in Saudi Arabia existed way before this app. This is not a new rule that's been introduced with the app. What I find interesting is the app's one of these examples where technology just highlights, brings something to the surface, which is already there. But the technology just kicks it on and puts the fast forward on it to the point where suddenly everybody thinks, oh, actually, yes, that is quite a concerning rule. So this is the case with the Absher app. There is also now an ongoing row about whether this app breaches the terms and conditions for Google Play Store and for Apple's App Store. It seems there was a conversation between Google and the US political representative, during which Google said, well, no, we don't think it breaches our rules. There's some doubt over whether that's Google's official position. And the question is, well, this is the laws of the land. This is the laws of Saudi Arabia. You know, if all the app is doing is allowing people to use those rules as they're written, does that breach the terms and conditions? Under what terms would you do it? So I find it's an interesting gnarly one, this gnarly nest of thorns or whatever you call it. It brings to mind China's social credit system. They've banned millions and millions. But this is for domestic travel, right? You know, it's almost a punishment for bad behaviour. It's interesting. 
I think as governments move into this space, I mean, in the UK, obviously we are nowhere near what's happening in China and Saudi Arabia.
Oh, give it a few months, Geoff. Come on.
There's one or two cameras around. Yeah, there might be, being increasingly equipped with facial recognition. I mean, I know that, you know, Government Digital Service, which sits at the heart of British government, is trying to bring everything together. And again, I do see the logic of that. We've had instances, haven't we, where social services know about somebody, but the health service didn't know about them and the police didn't know about them, you know, linking bits of government up and making it easier. Yes. The danger is that just allows government a lot more oversight, a lot more insight and potentially control over what you do as a citizen. And I think, you know, we can look at places like, as you say, India, China, but also Saudi Arabia to see the ramifications this kind of tech can have. And it comes down to trust, doesn't it? And government trust and, you know, trust in your government, in order to decide whether it's a good thing or not. But as governments change fairly regularly, it's a difficult thing to set a precedent on for the rest of time. Ages ago, I interviewed the wonderful Sir Tim Berners-Lee. Wonderful man, a very difficult interviewee, it has to be said. His mind is in about 15 different places at once. And if you're lucky, you'll keep up with seven of them. But he said, he made an interesting point. He said, look, he said, in the UK, we trust governments and distrust corporations. In the US, they trust corporations and distrust governments.
What worries me about things like Absher is we're now in a situation where no matter who you distrust, they're involved: governments and tech companies coming together. And I do find that interesting space, interesting territory. And what do you think is the right position for the likes of Google and Apple, who are obviously providing these apps through the app stores? I mean, traditionally their attitude has been, well, your app has to follow the rules and the laws and the legislation of the country in which it's been distributed. This is putting them potentially in hot water as well. You can imagine many people being upset about this kind of app being allowed, or some of the things which could appear in other countries around the world. Is that them just being pragmatic, or should they take more of a stance to say, actually, we don't really like the way you're treating women in your country? Well, it's tricky, isn't it?
And it's a slight replay of the trouble Google got into over China and still has been over China. If you want a global service, if you want to be available globally, which obviously people like Google do, you've got to, as you say, take account the local laws. But if the local laws are deeply undemocratic or anti-democratic, or if you're put under pressure as a company to go against your values, I mean, in China, Google's solution, certainly for a long time, has been just not to go there, not to get involved. Well, yeah, subject to recent headlines. But what's interesting in this case is this is a particular app in a particular country. I mean, for an entire country like China, for an entire service like Google, just to go, no, we don't go there. It's not an easy decision to make. But once you've made it, it's blankets. It's like Google, China, no. But if you'd go around and say, okay, it's Saudi Arabia, we don't do this app. Okay, Brazil, do we do this app? Do we do that app? You have to start making really piecemeal decisions. I think that's where it gets difficult. And, you know, Google don't want to go there legally. You know, we've seen this in the past. Google don't want to get involved in these individual country disputes legally. Fascinating. That's a big one to chew on for a little podcast like ours. But I like to throw raw meat your way. Roar. You can stodge it down. And chew on it, as you will. Well, Geoff, let's munch on some more of your gristle right now. Good God. What have you got for us?
So downhill skiing, that's what I want to talk about today. Now, downhill skiing has come a long way since my day of hitting the slopes every winter weekend. First, there's the language or lingo. Now, I'm going to test you guys out. So I want you to translate the skier lingo into English. Okay. Watch out for those death cookies near the magic carpet. This sounds like a script from a Cheech and Chong movie. Well, what is it? So watch out for the ice near the chairlift. What? Oh, right. Okay. Or, whoa, I thought she was a ripper until I saw that yard sale. That means I thought she was a good skier until she tumbled over and lost her gear across the slope. So yeah, ski language has evolved.
Because you litter all your stuff over like a yard. I like that one. All these examples you've been giving us, they're very kind of gnarly surf dude. Isn't there another kind of skier who's like, oh yeah, absolutely, bloody brilliant.
I don't think that's the kind of skier that's going to be buying the device I'm going to be introducing you to during this talk. Another thing that's upgraded is, of course, equipment. There's so much fancy equipment today. You've got head-mounted cameras and ski airbags and smart boots and connected skis. And of course, you also have super cool headphones. We're talking about the Chips 2.0 helmet speakers. I hate them already. And I hate everybody who has them. So if you go, Graham, that would be wonderful for you, because you don't really like falling over, right? We've been skating before.
I don't mind falling over. It's just hitting things having fallen over. So you could have this ski airbag. And if you're on the slopes and you took a tumble, it would just go. I could do with that most Saturday nights, actually. I didn't see that.
What I hate is the name because it's called The Chips. So in telling the story, it's very difficult. The chips. The chips. Oh, I'm offended. The chips are Bluetooth headphones that fit inside your brain bucket or lid or hat and helmet. Now, these do not resemble chips in the British sense of the word or in the North American sense. They kind of look like two Oreo cookies connected by a wet noodle. Sorry, is noodle a term as well? No, noodle is here. I'm putting the link in here so you guys can take a quick look at these babies. Now, these babies cost around $130 American. There's a rechargeable battery that gives you a full day of audio playtime and quoting the blurb on the website. That way you can listen to that heat playlist while you carve the pow pow. I hate these people. It also has mitten friendly tap button to answer phone calls so you can lock in that après reservation, quote unquote. I was really starting to realize I was not their target market in any way here.
Trevor, my man, it's Kyle. Jenna and I are on our way up to the slopes right now. I'll radio you on the chips when we get up there.
Hey, Dr. Macarena, this is Speed Demon. You copy? This is Dr. Macarena. I read you loud and clear, Speed Demon. Hey, how's it going on the mountain today? Have you been up to chair 23? I heard it's pretty sweet. I've just been checking out the park, but I'll have to go check out the top right now. How about we take two more laps and meet at the bottom for beers? My treat. Sounds like a plan. Two quick laps, and I'll see you on the sun deck. Dr. Macarena, over.
However, I want you to meet Alan Mooney. Now, Alan loves snow sports as much as he loves his tunes. So he said it was a no-brainer to buy the chips, or a pair of chips, I don't know. He wrote, they fit into audio-equipped helmets and have these huge 40mm drivers. I'm not sure what that means. But he says, warm ears and good bass. Now, one of the wicked cool features that sets the chips apart is its built-in walkie-talkie. So this is a little gizmo that lets you have push-to-talk communication with your crew with limitless range. It boasts this on the website. Limitless range. Limitless. So you're there at Zermatt, but you can speak to someone in Abu Dhabi. Not a lot of skiing in Abu Dhabi, though, it has to be said. Well, I don't know, because it's using the app. So I guess if you're registered, potentially, I don't know. Oh, all right. Okay. All right. Okay. So this is all pretty sexy. Imagine the three of us hitting the moguls. And with a simple touch of the ear, Graham, you could ping Geoff and say, dude, you totally stomped that 180 to face plant yard sale. According to that, that means landing a trick in a super cool fashion. So snow sport loving Alan is excited about his new purchase, the chips, and he wants to start playing around with the short-range walkie-talkie feature on his new the chips. So he starts setting it up, his new ski group, and he discovers the chips have a glaring problem. As Alan sets up the group, he notices that he can see all chip users, all of them. He searches his own name and, lo and behold, he finds himself. It turns out that Alan was able to find out quite a bit of private info about all chips users. Oh, I didn't mention this, but Alan actually works at Pen Test Partners, so he actually knows how to look into these things. So what kind of information were they storing? What details would they have about you? Doing a bit of pokery with the insecure direct object references, he was able to pull all the usernames and associated email addresses from the API.
He retrieved their password hash and password reset code in plain text. He was able to view their phone number, extract users' real-time GPS positions, and even listen in on private walkie-talkie chats. Now get this, it gets even worse. And I'm quoting Gareth Corfield from The Register here. When Alan queried the API with the letter A, intending to find his own name and add it to a user group he wanted to set up, the API returned 19,000 results. Every single registered user whose first name started with A. So, Alan, being a pen tester and all, does the right thing and contacts Outdoor Tech, the makers of the stupidly named the chips. Thank heavens for that. And so they were able to fix the problem promptly, resolve it. Yes, yeah. Really? That's exactly what happened. No, he got one response and then nothing. They waited three weeks and nothing, nothing, nothing. So this is when Alan and his pen test team decided they would just go public with the vulnerability in the CHIPS 2.0, saying, quote, the vulnerability hadn't been acknowledged and no remediation actions had been proposed. So the danger of this is that anyone would be able to potentially access details of all of these people who purchased the... I can't call them the chips. But anyway, this particular ski headphone things, right? But would you really, even if you did manage to get all their email addresses and things, would you even want to contact them? Because they'd be all bros and bumps and I'm carving, man. It's all about the death cookies. Rubbing the pow-pow. Why would anyone want to contact these people? Well, that's a very good point. But I think it also goes to the point, same as your story, right? It goes to say that these devices can have a lot of bells and whistles, but at the same time, if they don't have security down, it's a bit of a nightmare. And I think there's a bigger moral of the story here, actually.
What the heck are people doing listening to tunes as they barrel down steep, icy, snowing hills? I skied for years. You would be crazy to do that. It's insane. It's also, I mean, you know, that's not very nice of me. I'm sorry. You're in a beautiful, tranquil place, having a lovely sport. And you're interrupting it with your tunes. I mean, that's the whole point of skiing is the tranquility and the being out there and stuff. It's insane. I just think you're knitting with one needle when it comes to assessing risk if you're doing that. That's basically it.
Yeah. I mean, it's dangerous, isn't it? Going off a mountain. Yeah. Knitting with one needle as well. The other thing is, it's just depressing, isn't it? You know, as a company, you get contacted. There's a really cynical equation goes on there, isn't there? Of like, we could do something about this. It's clearly, you know, a problem. But we genuinely don't think our users give enough of a toss to actually care about this.
Yeah. What blows my mind is these guys are pen testers. So they call up. They must have identified themselves. We are pen testers. We saw this flaw. We think you need to fix it before we go out to the public. And they reply once and then nothing. Now, I don't know what that reply said. Who knows if they told them, no, we don't. I don't know. Maybe they're disputing it. But at the same time, like, guys, if you've got a problem, don't do that. It's just going to blow up in their face.
Maybe there's a more innocent explanation. I mean, if their app and if their IoT device is so rubbishly put together, maybe they've also not configured their email system properly. Maybe they're not actually expecting ever anybody to send them an email about some technical query and so it's all ending up in the junk folder or in dev null.
Well, okay, that's possible, but still, don't make devices and sell them to the public.
Yeah, whoa, dude, we got an email, dude, gnarly. That kind of thing.
Whoa, I thought it was Carole who said that. We've got very similar voices.
Oh wow, I thought we were all gonna be nice on this.
I made no promises. A nice Carole. I'm trying to challenge her. I'm smiling. The ice cream is getting thinner. I don't know if you've noticed the cookies are getting thinner. Ski this way, Graham.
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com slash intelligence. Quote, most business security breaches are the result of one thing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host, Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager. And the one we recommend is LastPass Enterprise. Check it out at lastpass.com slash smashing. On with the show. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week.
Thank you, Carole. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they like. It doesn't have to be security related necessarily. Shouldn't be.
Well, my Pick of the Week this week is not security related.
Exquisite.
Necessarily or otherwise. There is a TV programme which has come back to our screens here in Great Britain and possibly you can use cheeky methods to access it yourself via iPlayer. Who knows? It is the return this week of one of my favourite TV programmes, Fleabag.
What is your Pick of the Week? I'm going to go for a book that I've been reading, because when you try and write a book, you try and read other people's books to find out what they did wrong. Cut and paste? Cut and paste, Geoff? No, no, no. Jill Abramson, didn't she... she was in the last month or so. But it's interesting. I obviously, I am intensely aware now of plagiarism cases, and I follow them quite closely. What exactly made them realize it was plagiarism? How much money did they lose? So it's interesting. Look, I can't guarantee that everything in my book will be original thoughts that you've never heard before. But there are moments where you just look, well, hang on, you've taken paragraphs of somebody else's stuff and literally reproduced it. It's one thing saying, oh, well, actually you kind of ripped off my idea there. It's another thing saying you've taken the words I put in my book and you've used them in your book. I'm pretty sure I won't be falling into that trap.
I once got approached, sorry to distract you, I once got approached by a guy who claimed that I had stolen his idea of people should use different passwords for different websites and he claimed that he had originated this idea and that I shouldn't be telling people in the press to do the same thing.
But anyway, so I've been reading different books, and one of the books I've been reading recently which I think is really interesting, and I really like, is called Moneyland. It's by a guy called Oliver, I think the surname is pronounced Bullough or Bulloch. I'm not sure. B-U-L-L-O-U-G-H. It is about the international money system and finance system. So basically, if you are mega rich, how do you steal your money? How do you hide your money? How do you transfer your money? And then how do you spend your money? So you just ask Trump. More specifically, you ask his legal counsel. Oh, yes. I know where he is right now. But what's interesting about this is, not that I feel a huge amount of sympathy for the filthy rich, but it is an interesting, there's a lot of work involved in making these things happen, avoiding tax and so on. And spending it, you've got to spend, you can't put these banknotes under the sofa, you've got to spend it. So the work and the effort involved with spending it becomes a whole industry in itself. It is fascinating, this book. You know, I was just talking about this with a friend yesterday. I was talking about, you know, how when you're young, you think the rich just kind of swan around having a life of leisure, right? I did. And then you're thinking today, the richest people like Jeff Bezos, I don't think, I'm sure he probably gets up at 5am every day. I don't want to be him. He had a certain number of extracurricular activities that he was getting involved in. I mean, this is the thing. I'm just impressed by, I mean, you know, just having time to do the ironing and empty the dishwasher, let alone having an affair. And you run one of the world's richest companies. How have you had time to… How did you iron your shirt? Exactly. Crisp shirts and an affair. You hire someone. Yes, no, true, true. Maybe he hired someone to have the affair for him, too. But no, Moneyland is interesting.
What's interesting is there's this analogy in the beginning, which I love, which is you look at the world and it's countries, right? On the globe, the countries are marked out, right? Imagine you just get white spirit and you wash off all of that and you have a smooth planet where you can literally pick the legal jurisdiction of one country and you can pick the tax system of another country and you can pick the banking system from here. Interesting idea. Where the countries no longer exist, there's this smooth globe where none of it exists. Borders don't exist. That analogy, I think, is really interesting. Anyway, it's a fantastic book. I'm really enjoying it. Cool. I might check that out. That sounds... Moneyland, it's called. Okay. Fantastic. Thank you very much, Geoff.
Carole, what's your pick of the week?
Okay. I have a question for you. What is the one human condition that doesn't impact the person that has the condition, but everyone around him or her? Oh, everyone? Well, depending on how close you are to them, yeah. Maybe up to 10 metres, in some cases maybe 50.
Is it going to be body odor or something? Well, that's a good one. It's snoring.
Now, have any of you, either of you, been accused of snoring?
No, I'm not a snorer.
Well, I tend to... Every time I've been accused of it, it's actually been by someone who snores themselves, who is trying to deflect the blame for the snoring.
I would argue that being accused of snoring is nothing compared to the sheer hell of sleeping next to a snorer every single night, especially if they have sleep apnea. So no names, but someone in our household is a champion apnea riddled snorer.
Is it your cat?
Could be. No name. He, I'm sorry, or she, could win Olympic medals at snoring. Okay, almost gave it away there. There has been a desperate attempt in our household to nail down a solution. There are widgets you stick into your nostrils, specialist pillows, tape to paste on the bridge of your nose, liquids you squirt in your throat, and in our home these have failed.
Have you tried, sorry to drop in, but have you... There's the whole thing about sewing ping pong balls into the back of your pyjamas. Oh yeah. Oh yeah.
Guys, guys, guys. I've solved the problem. Years passed and Carole's attempts failed. But the last one did not. The last one succeeded. And I'm going to share with you today my pick of the week. You ready? Drum roll, please. I can hear it. It is. It's exciting. Yes. The didgeridoo.
Is that a euphemism?
Nope. A little didgeridoo. Now, a didgeridoo, for those who don't know, is a super long wooden tube used in Australia as part of their mating rituals or something.
Australians have mating rituals? I don't think so. I wouldn't let that get in the way.
It's a musical instrument, okay? And it sounds a bit like this, okay? It's not for everyone, but take a listen. Anyway, those dulcet tones you just heard. To make those dulcet tones, you need to master circular breathing. And that, my friends, builds muscle and stresses out your jaw muscles in a way that, certainly in my household, has magically magicked the snoring away.
No way, really?
Seriously. No joke. Now, it's the circular breathing. You actually could probably get away without buying the didgeridoo, but I suggest you get maybe a mini one, a short one. Just to try a half-do, a semi-do, do-be-do-be-do. So you have to learn how to do the circular breathing. It's really useful to do with the didgeridoo, and then you can do it without the instrument at all, so it can be a beautiful decorative object in your house. Choose when you like.
Because I was saying, what you've done though is you've obviously got rid of the sound of awful snoring, but you've substituted it with the sound of a didgeridoo.
Well, exactly. Is that an improvement? That's what I'm thinking. You've improved sleep inside your house, but what about your neighbours as someone is learning how to play the didgeridoo?
Okay, I understand. I did spot that irony as well. However, the actual instrument was only used for about a week or so because that person has figured out how it all works to do the circular breathing. They can practice without having the confirmation of the noise. So you only basically use it. Get one, share it around that snoring neighbourhood.
Carole, you know on YouTube some of the world's most popular videos involve cats doing unusual things. If you take a video of your cat on the didgeridoo, playing it, if it's really got that good now that it doesn't snore, I think you're onto a winner. Monetize that video, you're away. Did you re-mew?
And on that bombshell, on that comedic bombshell, it's about time to wrap up the show. Geoff, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Twitter, I am GeoffWhite, Geoff with a G, remember? GeoffWhite247.
Yeah, not J. GeoffWhite247 on Twitter. And you can follow us on Twitter at SmashingSecurity. No G. Twitter wouldn't allow us to have a G. And we're on Reddit as well. You can carry on the discussion of things you've heard about on the show on Reddit. Just go to smashingsecurity.com/Reddit to find our area up there. Hat tip to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free, and high fives to all of you for listening, you crazy cats. Want to spread the love? Give us a smashing review or get a friend to subscribe. It all helps us grow. Check out smashingsecurity.com for past episodes and for details on how to get in touch with us. Fantastic. And until next time, cheerio. Bye bye. Bye. Later, dudes. Gnarly.
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Oh, is it me? Right. What? I'm used to having a cue. Somebody in my ear saying, the part of the show that we like to call Pick of the Week.
Oh, I see. Right. OK. Shall we do that again, then? Right. The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Thank you, Carole. Pick of the Week.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Geoff White – @geoffwhite247
Show notes:
- A Jibo twerking — YouTube.
- Tweet by Dylan Martin about Jibo — Twitter.
- After Being Sold to a VC Firm, this $899 IoT Robot Will Soon Brick Itself — Motherboard.
- Your $350 Nike self-lacing sneakers aren't as smart as you hoped — Graham Cluley.
- Absher app — Wikipedia.
- Apple and Google Urged to Dump Saudi App That Lets Men Track Women — New York Times.
- Hacking ski helmet audio — Pen Test Partners.
- That's a nice ski speaker you've got there. Shame if it got pwned — The Register.
- Fleabag is back – and she's found religion — BBC News.
- Fleabag — BBC iPlayer.
- Jill Abramson: Ex-New York Times editor accused of plagiarism — BBC News.
- Password advice. Don't tell people to not reuse passwords. You might get a letter from this guy's solicitors… — Twitter.
- Moneyland: Why Thieves And Crooks Now Rule The World And How To Take It Back — Amazon.com.
- Play the Didgeridoo for Sleep Apnea and Snoring Relief — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you. “The Threat Intelligence Handbook” is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.