Smashing Security podcast #122: The big fat con at Office Depot

Industry veterans, chatting about computer security and online privacy.

Smashing Security #122: The big fat con at Office Depot
Office Depot and OfficeMax are fined millions for tricking customers into thinking their computers were infected with malware, car alarms can make your vehicle less secure, and facial recognition in apartment blocks comes under the microscope.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Dave Bittner

Now, what drew their attention to this initially was one of the vendors of one of these alarm systems put up on their website that the security of their system was unhackable.

Graham Cluley

Ah, see, red flag to a bull. That's all the thing which instills confidence, isn't it?

Dave

Yeah, that is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers...

Carole Theriault

Roll up your sleeves, lick your lips. That is red meat.

Dave

Yeah. Oh, really? Watch this. Hold my beer.

Graham

Smashing Security, Episode 122, The Big Fat Con at Office Depot, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 122. My name is Graham Cluley.

Carole

And I'm Carole Theriault. Hello, Carole.

Graham

Hello, Graham. Well, that's a strange way of pronouncing my name. What a peculiar person you are. And we are joined this week by returning guest, one of our fan favourites, is Dave Bittner from the CyberWire and Hacking Humans podcast. Hello, Dave.

Dave

Hello, hello. Nice to be back. Fellow podcaster on the CyberWire and Hacking Humans.

Carole

Yeah. That's right. I work with them as well.

Graham

Because both of you do Hacking Humans, don't you? You both appear on that.

Dave

We do.

Graham

Well, Carole does CyberWire as well. She's all over the place.

Carole

Oh, she is all over the place. Madame Internationale. Can't get rid of her.

Graham

Yeah. So, Carole, what have we got coming up on the show this week?

Carole

Well, you, Graham, looks like you're going to get your IT wear serviced at Office Depot. Dave gives us the dirty down low on third-party car alarms. And I dive into a privacy dilemma, specifically for apartment and condo dwellers. Hmm. All this and so much more coming up on Smashing Security.

Graham

I like how you script your hmm.

Carole

I know I did. I put it right in there. Hmm.

Graham

Now chaps, we are all a little bit nerdy at least, aren't we? I mean we're into computers, we're savvy around the keyboard, we feel comfortable.

Carole

Not that nerdy.

Graham

But compared to the average person, compared to your auntie Marge.

Carole

Or she's not average, she's pretty awesome.

Graham

Oh, okay. But compared to the typical person, we probably know a little bit more. But there are so many people these days who are using computers and are dumbfounded when something goes wrong with them and they need some help. And if they don't have a nerd on call.

Carole

Or the nerd doesn't pick up.

Graham

Right. Yeah, yeah, totally. Tell me about it. Exactly. Oh, I recognize that number.

Dave

With my family, I say, I pick up the phone and I say, hello, Dave's free lifetime unlimited tech support. Dave speaking. How may I help you?

Graham

Well, imagine you weren't related to Dave. What would you do? Chances are you might pop down to the local shopping mall and see whether there is a techie shop which is offering you a free PC health check.

Carole

Oh, like a Currys or something where they sell computers, that kind of thing.

Graham

Right. Or it's weird, isn't it, that Currys sell computers. Do they even exist anymore?

Carole

I don't think they do.

Graham

They do exist. But I just think that's like trade descriptions. They don't actually sell curries, but they do computers. It seems so wrong.

Carole

Oh, for God's sake.

Graham

But maybe in the United States, you would go to a store like Office Depot or Office Max.

Carole

Oh, yeah. I know Office Depot.

Graham

Right, where they have free PC health checks. And if you went there to get a free PC health check, or as they sometimes call it, a professional tune-up. And these are things which have been advertised on radio commercials and print and online. And normally they say, look, this is normally worth $19.99, or even as much as $60. But we're going to offer this to you for free if you come to Office Depot.

Carole

Ah, so the idea is bring in your computer. We'll do a quick scan on it. Make sure it's, you know, make sure the basics are covered. And maybe you'll buy, you know, some printer paper.

Graham

Maybe you will. Maybe you will. But, you know, it's a friendly, generous thing to do.

Carole

Loss leader.

Graham

Yeah. And obviously, sometimes there'll be a problem with the computer as well, which they might be able to sell you some antivirus software or something like that.

Carole

Oh, totally. Yeah, good point.

Graham

So if you go in, you come across one of their experts, and they will say, you know, when was the last time you had a professional tune-up done on your PC?

Carole

I don't even know what that means.

Graham

No, well, that's the same with me. I've never had my PC professionally tuned up. It's not a car. So the answer is instantly you're just thinking, oh, crumbs. You know, I haven't, you know, no, I've never done it. They can go, sharp intake of breath between the teeth.

Dave

You've never had your USB ports rotated? Ooh. And so they run this program on your computer, which will try and make your PC run faster or check for viruses, things like that. And the program they run, this PC health check program they run, first thing it does is it displays a message. It says, does your computer have any of the problems listed below? And it gives you four options. So we'll either say frequent pop-ups or other problems preventing you from browsing the internet, or has it become much slower or too slow to use? There'll be a member of staff who's walking you through it. And so he's asking you questions. You may well be looking at the screen at the same time, but he or she is choosing the options.

Carole

seen that ever in my life.

Graham

So, and so you go through this process and maybe you answer some of those questions. Say, well, yes, that does something. My computer does crash sometimes or it does seem a little bit slow. Well, the workers at Office Depot and Office Max, they're all part of the same company these days. They were selling this service or rather they're giving this service away for free. But it was actually something which did bring in a decent amount of cash. Because at the end of the process, if there was a problem with the computer, they could sell you some kind of repair service. And PC Health Check was responsible for a substantial share of the store's tech service revenues. And in fact, staff were being encouraged all the time, if anyone comes through the door, really try and get them to bring their computer in so that we can take a look at it, work out what the problem is. Don't wait for them to come in with the computer saying they've got a problem. Encourage them. Say, oh, you know, maybe you should get that checked out. Let's make an appointment for you. Now, this PC Health Check software was created by a company called Support.com.

Carole

Sounds very legitimate and nice. Yeah,

Graham

they've bought an expensive domain name there probably, right? Right. And Support.com, they have a website where the Office Depot staff can download the latest version of PC Health Check. And it would keep a record of when the software was downloaded and used by staff, and it would send those records to the management of Office Depot, allowing them to monitor and compare different stores' performance, you know, how many health checks are going on. Right.

Carole

So, you know, is Dave, who works at this Office Depot, doing enough of these tune-ups compared to everybody else? Exactly. Right. So it's employee monitoring kind of

Graham

thing. Right. And many of the staff were being incentivized with weekly goals as to how many PC health checks are you doing. You too, could be an employee of the week. To be honest, this is all good, right? Because this is all helping people deal with problem PCs and maybe finding malware. You know, what could possibly go wrong with this? You know, it's fantastic news. What a great altruistic thing that Office Depot is doing. But the PC Health Check software, when it did its quick malware scan, turns out it wasn't actually looking for any malware. Okay. It was actually producing a report describing the computer's security status as poor. And it would say it found malware symptoms or infections, regardless of which checkboxes had been ticked. So if you remember at the beginning, I said there are four checkboxes at the beginning saying, does it sometimes slow down or does it sometimes crash? Any of those boxes were ticked. It would say you've got a problem and you've got a security problem. And you would be advised to get some costly, up to $180, diagnostic repairs, protection service.

Carole

Hold on a second. Okay, so I go into Office Depot with my computer and I say, hey, something, check this out. You want to tune up? You're begging to look at it. Here you go. Yes. They asked me one of those four questions. If I said no to all of them, nothing would happen. I guess they'd say, oh, you're all fine. But if I said yes to any of them it would just build a negative report on my machine saying it's infected. It

Graham

showed a little progress as though it's scanning something.

Carole

As though it's scanning as

Graham

though it was scanning something and it would look at various things like the disk integrity but including the security and it would come up with the conclusion that your security was poor and there was malware or malware symptoms on the computer.

Carole

Come with me let me bring you to the cybersecurity range. Available at Office Depot.

Graham

Understandably, in this day and age, people would be scared by that. It's also

Dave

kind of like asking a barber if you need a haircut. Yeah. Right? Yeah. Exactly.

Graham

Right. Yeah. And so you'd end up paying maybe up to $180 and you'd get your copy of McAfee and you'd get 12 months virus removal support. Feeling relieved.

Carole

Yes. You'd be so grateful. Thank the Lord. Thank you for begging me to come in. You were so right. Now,

Dave

you would be, I suppose you could make the argument that you would be leaving in a better position than when you came in because now you might have some actual real antivirus running, whereas before you didn't.

Graham

You could say that. I mean, obviously, you could also use some free antivirus or an antivirus of your choice. But it might be. I mean, $180 is a lot more than most people pay for antivirus software, isn't it? I guess that's because you've benefited from a professional tune-up. That's right, professional check which has happened.

Carole

You always trust those three little letters.

Graham

Pro. So I dug into this and it turns out that from 2009 until June 2011, the health check software said your system could be infected with malware. For the next four years or so, it started to say it had found malware infections on your system regardless of there being nothing there. And then from October 2015, it said it identified potential malware symptoms. So basically, over time, PC Health Check became more aggressive with some of its reports and so it became a little bit scarier for some periods of time. But here's the thing — the companies knew about this. Office Depot had known about this since 2012. In May 2013, Office Max even warned its stores that it shouldn't run the software, it shouldn't run the PC Health Check after PCs had been serviced. Because if they did that, the warning message would come up. So if you brought in your computer to get fixed and they fixed it, they actually told their staff, don't run the check again because it'll still say there's a problem on the computer.

Carole

So it was all smoke and mirrors, the whole thing.

Graham

Yes. Support.com even contacted the sales management team at Office Depot to remind them, by the way, this is the way the software works. It's unbelievable.

Graham

It is really gross. So Office Depot — we have them here, right? We do, yeah. There's one right down the street from where I stand right now.

Dave

I will drive by and I will shake my fist angrily at them. You rascals.

Graham

You won't be the only one who's annoyed because the staff working at the stores, they weren't oblivious to what was going wrong either. You know, some of them obviously were genuinely technical rather than the typical person you meet in such stores. And some tried to blow the whistle. Some claimed it was deceptive practice. Some even left their jobs over this. Well, the ones who kept quiet were getting all these bonuses because they were bringing in the cash.

Carole

Oh, this is so disgusting.

Graham

Now, eventually, in November 2016, one of these guys working at Office Depot went to the CBS TV show This Morning and he blew the whistle, right? And they went undercover. They took computers into the stores to see what would happen. They even bought brand new computers from one Office Depot, drove around to the next Office Depot with that new computer, and were told, "Oh, dodgy security on this one." And I've actually got a clip right here where you can see some of that report.

Robot

Office Depot technicians repeatedly told us our computers were infected and that they could fix them for a hefty fee. "It looks like it's 180 right now. Okay, so this is what I need to get rid of that malware." The only problem? All the PCs were brand new and fresh out of the box. We even purchased one of the new computers at Office Depot. But when we brought it to technicians at a different store... "Malware symptoms were found in the machine." Office Depot employee Shane Barnett says his bosses ignored his repeated warnings and were more concerned about sales and quotas. "I refuse to do it. They're like, you have to hit these numbers. I'm like, I'm not going to make things up so you can hit your numbers. I'm not going to do it."

Dave

So really astonishing practice. Well, and this is the sort of thing I think we've seen with auto repair shops before, where I've seen this exact same thing, where your consumer advocate on your local TV station, they'll take a brand new car just taken off the lot, and they'll take it over to a repair shop and they'll get a little old lady to drive the car or someone who looks like they might be an easy mark for these repair scammers. And they'll say, "Oh, gosh, you know, you got a problem with your pressure release valve on your widget."

Graham

My dipstick had to be recalibrated once.

Dave

Yeah. How interesting that computers are the new frontier for this, right? I guess not that new.

Graham

I think that's a great comparison, though, because I mean, I know I'm absolutely clueless about cars. And you know, I wouldn't have a clue. You know, if someone said to me, "Oh, something's wrong," I actually had to pay a bill at a garage just this week and they were listing all these things. And it's just like, well, I don't know. You know, I'm just going to have to give you the money. I don't know if that's a reasonable amount of money. I don't know if that was actually a problem. Yeah. And I guess it's the same for most people when it comes to computers. These are highly technical things which do require sometimes some maintenance, but that's out of the bounds of the typical user, isn't it? That's something they're not capable of doing.

Dave

Right. If you don't have someone you can run things by, you're going to be susceptible to these things. Well, Support.com, who wrote the PC Health Check software and Office Depot and Office Max, they made millions, tens of millions of dollars in revenue from this PC Health Check program. And until it got onto the TV screens, it had been going on for something like seven years, this scam.

Carole

I don't know what that should be. Dave will moon them when he drives by next time.

Dave

Well, I do that already. I mean, that's standard operating procedure. While driving? That's pretty hard. I'm a man with many skills, Carole.

Graham

Dave, what's your... hitch up your trousers and tell us. Oh, thank you very much. What's your story for us this week? Good thing we're not on YouTube. My story comes from a company called Pentest Partners.

Carole

Ah, see, red flag to a bull.

Graham

Yeah. That's all something which instills confidence, isn't it, when you see a claim like that?

Dave

That is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers…

Carole

Roll up your sleeves, lick your lips, yeah. That is red meat. Yeah. Oh, really? Watch this. Hold my beer.

Graham

reference. Yes. Yes. Are you impressed? No. I am very impressed.

Dave

Carole, are you impressed? No.

Graham

It's not a peephole in a hotel room door. It's an IDOR. No. Yes. Yes. But what it is, it's a thing. So it's where you're passing a parameter, which may be the user ID, and maybe a number. And simply changing the number allows you to access someone else's account or information. So it's a very sloppy way of building a system. Of protecting accounts. Yeah, yeah. Right, right. So the app had this vulnerability.

Carole

50, I guess. Okay, then. And

Dave

you find one that's close to you on the map.

Carole

Oh, you have a GPS coordinate? Because it tracks GPS real time. Oh, gosh.

Graham

Kill the engine. What? Why would you want that functionality anyway? Why have they built that in? That is

Dave

in there in case someone steals the car, that while the bad guy is driving the car away, you can shut the car down.

Carole

And he's pressing on the gas. They didn't think that maybe

Carole

that could be abused by someone. No, no. Oh. Oh, my God. Can they eavesdrop? They can. No way. They can. They can snoop on the passengers in the car through the mic.

Graham

a good job these alarms are unhackable, isn't it? Thank God. That would be a problem if they were. Thankfully, the marketing team have assured us that it's unhackable. We think it would be better if we said unhackable rather than hackable. The nerds are like, well, I don't think you can read. Just leave it to us. Thank you. We're building a website. Pipe down, nerd boys.

Carole

There's such irony in this too, isn't there? They're saying, we're going to keep your car more secure by actually putting your life at risk.

Graham

Yes. You've spent money getting this other alarm system and the app and all the rest of it thinking I'm going to secure my car better. And it's made it worse.

Dave

So fortunately, there is a happy ending to this story. Pentest Partners did reach out to the companies involved. And to their credit, all the companies fixed these things within a matter of days. The vulnerabilities were easy to find, easy to fix, and they turned it around quickly and pushed out updates. As with everything, there could be people out there who have not yet updated their systems. And they estimated that there could have been about 3 million people who were vulnerable based on the number of installations. But yeah, really an interesting story. I actually interviewed one of the guys who did the research here. So if you're interested in hearing more about it, one of our CyberWire Research Saturday shows, you can go look it up. I guess we'll have a link in the notes as well. So he tells the story and it's a

Carole

doozy. It's quite a story. Yeah, Graham, you know what? When he was talking about CAN buses or whatever, I was just thinking you should ask Dave next time you have a car problem. He seems to know a lot more than we do.

Graham

Do you often have a bit of oil on your hands? Are you a bit like Cooter in the Dukes of Hazzard?

Dave

Oh yeah, that's me, all right. Good, good.

Graham

Carole, what's your story for us this week?

Carole

So I think the three of us all own houses or at least we're in the agonizing process of handing over incredibly large chunks of money of our paychecks to pay for these said houses. And home ownership is really the American dream, isn't it? I mean, who wouldn't want to spend weekends trying to evict a zillion wasps from their attic or unclog a stinky drain or repave the driveway? I mean, so fun, guys. So fun.

Dave

Living the dream. Living the dream.

Carole

And it's a pretty different lifestyle to those that live in condos or apartments because you don't need to worry about maintenance so much. I mean, I guess you pay for it, right? You pay a fee and then it gets all taken care of. And that means you can actually go to the park and do something fun instead of all these crazy jobs. And there seems to be a growing trend towards renting. And the reason is pretty simple. Many people can't afford to buy where they work. Take the tech sector. They're a well-paid bunch comparatively, right, compared to other industries. And San Francisco is a big tech hub. Can you guess how many potatoes the average home in San Francisco costs? Sorry, they buy things with

Graham

potatoes now in San Francisco. What do you expect?

Carole

Yes, read the news, Graham. Read the

Dave

news. Inflation's really bad, so yeah.

Carole

1.6 million is the average house price in San Francisco. And the average detached home in London, Graham? I have no idea. It's almost a million quid. Really? Yeah, so about a million dollars. That's insane. So how many people in tech can afford those prices, right? And if the techies can't afford it, you've got to consider all the backbone of society, right? Teachers, cabbies, artists, cops, podcasters. We don't stand a chance. So all this to say more and more of us are renting. But it seems that there's an unusual situation that renters might be facing that private house owners do not. Is it

Graham

where to keep all the potatoes?

Carole

Exactly, yeah. You don't have a basement. Actually, it's an ethical dilemma, and I thought we could noodle on it. So in the news this week was the Atlantic Plaza Towers. Now, this is a 700-unit rent-stabilized apartment complex in Brooklyn. And they recently sent out letters to tenants saying they would soon be introducing facial recognition. They had a flyer from the management, and it said, your daily access experience will be frictionless, meaning you touch nothing and show only your face. From now on, the doorway will just recognize you. So they didn't obviously hire a very expensive marketing firm to do that one. So the idea is that yeah, this is the way to go, facial recognition. Now, the apartment complex already has 24-hour security in its lobbies and a functioning camera system. So the question is, why is management forcing tenants to submit photographs for its new facial recognition system? Not all tenants are super pleased with this. Some of them are quite peed off, and they're talking to the housing rights attorneys and logging complaints. And I don't know, I wanted to know what you guys think. Do you think it's different having facial recognition versus CCTV? Because CCTV is kind of an invasion of privacy, so it's not a privacy thing so much. But facial recognition...

Graham

CCTV is introduced typically to improve security, isn't it? That's the argument is we will, if something bad happens, we'll have a record of it and we'll be able to follow up on it because we'll have some sort of video content which we'll be able to see to

Carole

The cops. Right, if the cops came over and said we'd like to see the CCTV footage from this time to this time, you can then look at it. But they are the ones who are coming to do the work. It's not basically taking a picture of every single person saying Dave Bittner at 9:02 has walked into the building.

Dave

And it's also not making your access to the building contingent on the ability to recognize you. With CCTV, I can wear a hat and sunglasses and a fake beard. And not that I do that every day, but I could and still go about my business. With this, I couldn't get in the building without it actually recognizing who I am.

Carole

Exactly. And there's another really interesting thing. So this New York Times journalist, Ginia Bellafante, wrote on this story a few days ago. And she says it is not an accident these systems would arrive in otherwise low-tech disadvantaged communities like Atlantic Plaza Towers. The comment was left there like that. And I thought, well, maybe these people are less likely to complain than, say, the hoi polloi living on Fifth Avenue, right? It's going to be hard to find a replacement place to live. And then there's this other weird problem that comes up. Facial recognition may not be that reliable. Some studies that have been done by Stanford and MIT find that gender and skin type bias is alive and kicking. So an examination of facial analysis software showed an error rate of 0.8% for light-skinned men, but 34% for dark-skinned women. So if 10 dark-skinned women walked in front of it, it would get three to four wrong. Oh, my golly. Does that mean that if the facial recognition system doesn't recognize you because you happen to be a darker-skinned lady living in a rent-controlled apartment, can you not get access to the building?

Graham

So are they purely going to use facial recognition? There's no sort of backup system. There's no, well, if it won't let you in, you can use this fob or you can ring the bell to get the security guard.

Dave

I would imagine what happens is the security guard is there also. They'd have to be, because what happens if you're outside the building and someone is out there chasing you or trying to do something bad to you and you can't get in because it doesn't recognize your face? Well, now the apartment complex is in big trouble.

Carole

Yeah, exactly. If Monique from apartment 920 can't get in her apartment because the facial recognition system just says, oh, you're not her. I mean, what happens if something happened to your face, you fell over Graham, right?

Graham

Yes, yes. Or what if I grabbed Dave Bittner in a headlock, had him under my arm, and yanked his head up to the camera to let me in?

Dave

Keep going. Is that your dream? I'm sorry. I said you're laughing. Oh, yeah. I said it out loud. Yeah. All right.

Carole

Another similar project, not without its own controversy, is called Project Greenlight. This is in Detroit. This is a system of monitored, interconnected security cameras outside businesses. And it's been going for about three years. It's kind of a pilot to see if all this interconnectivity will help reduce crime. It started with only eight businesses, but now 400 businesses in the area are involved. And I read somewhere, but don't quote the number, but I seem to remember somewhere it said that crime has gone down 11%. And they're claiming because of this system. Now, it gets interesting because the Detroit Housing Commission and police are ironing out an agreement that will bring 26 real-time, that's what they call them instead of facial recognition, real-time cameras to Sheridan Place 1 and 2. These are two high-rise towers on Jefferson Avenue that cater to elderly and near-elderly community. And one of the problems is it needs a mobile phone, and not everybody, especially those that are older, have access to smartphones. Once again it's security seems to be pitted against privacy.

Dave

I think there's an important component of this, which is for the three of us here talking, you know, three middle-aged white people, it'd be easy for us to overlook that there's a racial component to this, particularly here in the U.S. where in these rent stabilized apartments, you have a high percentage of these folks are going to be people of color and they are rightfully sensitive to being kept track of by the police, surveilled by the police, by ICE. So I think there's a compelling case to be made that whether or not, regardless of the legality of this, that they have a justifiable sensitivity to this sort of surveillance.

Graham

Just to be devil's advocate for a second on that point, though. If they had a fob or some other electronic means for gaining access to the building, that could be recorded as well. So that would just as easily say, oh, Brian Smith just entered the building at 7:03 PM or whatever, in the same way that facial recognition would. But for some reason, facial recognition gives us the jeepers a little bit more, doesn't it?

Dave

It does, but also if my cousin Lenny wants to get in the building, I can loan him my fob. And I can't do that with facial recognition.

Carole

The fob is not compiling a list of my biometrics.

Graham

And don't forget John Travolta and Nicolas Cage when they swapped faces. Well, there's that. That got very confusing, didn't it?

Dave

It's not at all an edge case. No, that could happen. I don't know. I think unless people make a stink about this, I think it's going to be the accepted norm sooner than later.

Graham

And furthermore facial recognition systems, you know there seem to still be headlines about them being fooled or tricked or into thinking they're seeing someone and they're actually seeing someone else instead. You know there's ways to get around them. And I can't imagine that they're going to have a terribly expensive top quality system in this particular property.

Dave

And when they say they're not going to share any of this information with anyone, well, my response would be prove it.

Carole

Yeah, we're unhackable. Right, right, exactly. No one's going to get to our fairly, very secure unhackable servers.

Graham

If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com slash intelligence. Quote, most business security breaches are the result of one thing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host, Graham Cluley. This is what he says on the LastPass Enterprise page. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related, necessarily.

Carole

Oh. Yes. There's only one of two in the world.

Graham

So it is claimed by no less an illustrious organ than the BBC News website. So I'm going to believe them. Yeah, I listened to a show on BBC, actually. There's a big pain research centre in Oxford, actually, that does this kind of stuff. And there was someone in there that didn't feel any pain. Maybe he was the other person. There's a pain research centre in Oxford. What do they get up to? And one of the universities. So they basically shock you and do different levels of pain. Some of it can be quite intense. So is it electric or is it? Yeah, it'd be electric. Are they dropping something on your foot or what? What do they do?

Carole

Yeah, they have a sledgehammer. They have a sledgehammer and they sledgehammer your hand and then they see how you react.

Graham

Is this legal to inflict this kind of pain? Well, you got to read the EULA, Graham. It's in there. It's the sort of thing you expect business executives to pay good money for. But you're saying this is some research project.

Carole

Anyway, I was stealing your story. Go back to your story.

Graham

No, I'm fascinated. Anyway, Jo Cameron, apparently she only realises her skin is burning when she's doing the ironing when she smells the singed flesh.

Carole

Wow. It's like Heroes. The woman in Heroes. The girl in Heroes. The cheerleader. Save the cheerleader. Save the world.

Graham

It also means that she never feels anxious or afraid. So there's some good aspects to it potentially. Oh, wow. She only figured out she was different when she was about 65 because she was having some operations for osteoarthritis and the doctor kept asking her, you know, are you in any pain? And they kept on sending it to hospital because she would walk and she'd claim her hip would come out and the hospital would say, well, does it hurt? And she'd say, no. So they'd say, well, come back when it hurts. And her hip would keep popping out. And eventually they thought, we've got to get rid of this woman. We'll x-ray her. And they thought, oh, you've actually got quite serious problems. But the no pain gene has meant that she wasn't aware of them. So it's quite an interesting little story about actually how important pain can

Dave

I read this story this week, too, and I think it's fascinating. And the other little details that caught my eye, one was that she doesn't scar the way most people do. Oh, really? And also because of her lack of anxiety, she spent some of her professional career working with folks who have developmental disabilities who could be violent or unpredictable. And it just didn't bother her. She was fine. Other people would be upset or would feel anxious about this. She could just roll with it and just be fine.

Graham

Well, I don't know what she did for a living, but it seems to me that maybe she should have been hired by someone like the SAS or Delta Force to go into dangerous places and sort out the baddies, you know, because she would have been like Schwarzenegger, wouldn't she? Yeah. Anyway, get this. This is the thing, the little detail which really interested me. Apparently, she lives near Loch Ness. Ooh. Do, do, do, do, do, do, do, do, do. I don't know if it's connected at all. But anyway, I found it very interesting. And that is why this Scottish woman is my pick of the week. He says in a Scottish accent. Oh, is that what that was? Yes, my pick of the week. We're doomed. Yeah, we are doomed. Dave, what's your pick of the week? Well, I have a fascination with abandoned things. I was thinking dirty socks, tissues.

Graham

Yeah, they were text games, because they weren't video games. They were text adventure games. Zork? Right, exactly. Yeah, yeah. Yes. Yeah, twisty, windy passages.

Dave

Well, the first game that I remember playing on a TRS-80 Model 1 was called Lost Dutchman's Gold. And it was, you would go and explore in an old abandoned mine and you were looking for the Lost Dutchman's Gold. And so I found myself thinking when we're at this fork in the road in this video and the guy, which way should we go? And I found myself thinking, go east, go east. Get Lantern. I'm playing along. It's all my... Watch out for the grue. There's a

Graham

Monster just around the corner. So spelunking, that's what you're doing. You were spelunking.

Dave

Now, turns out you can play Lost Dutchman's Gold online. And I have a link for it here. The original text adventure game. It is available. It's a UK site, BBC Micro. I'm

Carole

Starting now, I'm playing right now. Oh, it's in a little emulator in your browser. And it's emulating a BBC computer. This is fantastic. I hope you don't end up a ghost me. Yes. Press space. Yeah. Imagine 10-year-old version of me being completely drawn in by this. This is totally cool, Dave. I'm playing it right now. So some of you might have enjoyed the Dirty John podcast. I may have actually had it as a Pick of the Week in the past. So it's produced a few years back by Wondery. And it's not porny. It's a fascinating look at crazy human behavior. What's

Graham

The premise of the show? I haven't heard Dirty John. Dirty John?

Carole

Well, Dirty John is about this guy called John Meehan. He's a pretty good looking medical professional who seems to really have a way with the ladies. Or does he just really know how to pick his targets? You need to decide. So I think that Wondery was able to sell its rights to Netflix because Netflix last year put together an eight part drama on Dirty John. It wasn't my favorite thing, but a few weeks ago, they put out a Dirty John documentary. It's called Dirty John, the Dirty Truth. And this is face-to-camera interviews with all the people closest to John Meehan and what role they played in it and how they were impacted by his behavior.

Dave

This guy's a pickup artist?

Carole

I don't want to give it away.

Dave

Oh, okay.

Carole

Because it's kind of shocking. You remember Staircase, Graham? We watched that. It's much shorter. It's only an hour and a half or so. So it's on par with that. I was watching with my husband. We'd stop it. We'd just go, what the F?

Dave

And can we just watch the documentary if we haven't heard the podcast?

Carole

Yeah, yeah, yeah. Totally. If you want to watch the drama, do it first. Then listen to the documentary. Don't do it the other way around. So yeah, so my Pick of the Week is all things Dirty John related. Go to Netflix or go to Wondery. Just hit up the podcast. And I actually will, in the show notes, I'm also going to put an article from Bazaar that actually details out the timeline because once you've read it and listened to it or watched it, you're going to go, what? How? And then when they have it all outlined, you're like, aha. So I hope I have piqued your interest.

Graham

You have intrigued me, Carole.

Carole

Yeah, I think you'll like it, Mr. Cluley. I think you'll like it.

Graham

Okay. I may well check it out in the next couple of days. Thank you very much. And that just about wraps it up for this week. Dave, thank you for coming on the show this week. If people want to find out more about you and what you get up to, what's the best way to do that?

Dave

You can go to thecyberwire.com to find out everything there. I am at Bittner on Twitter.

Graham

Sounds good. Superb. And we are on Twitter as well. We're at smashinsecurity, no G, Twitter wouldn't allow us to have a G. And we have an active discussion group up on Reddit. You can get to our subreddit very easily by going to smashingsecurity.com slash reddit.

Carole

And hat tip to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And thank you, lovely listeners. Where would we be without you? If you like what you hear and you want to help us grow, tell your friends about the show or leave us a nice review. It all really, really helps.

Graham

And you can check out smashingsecurity.com for past episodes and for details how to get in touch with us. Until next week, cheerio. Bye-bye. Bye.

Carole

Bye. Take the tech sector. It's hard to say, take the tech sector. Thank you.

Hosts: Graham Cluley, Carole Theriault

Guest: Dave Bittner

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Recorded Future

For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.

“The Threat Intelligence Handbook” is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.

Download it for free at www.smashingsecurity.com/intelligence now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
