WannaCry’s “accidental hero” pleads guilty to malware charges, Samsung and Nokia have fingerprint fumbles, the NCSC publishes a list of 100,000 dreadful passwords, and Apple finds itself at the centre of an identity mix-up.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Both John Hawes and I club together and are presenting our stuff at a venue.
Oh my goodness.
It's very exciting.
I know. And John is doing—
It's not nude modeling, is he?
He is. He's doing nude modeling.
Oh.
Let me send you a link, Graham.
No, no, no, no, please don't. No, no, no. Please, no, no, please. Smashing Security, Episode 125: Pick of the Thief, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 125. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 125. My name is Graham Cluley.
And I'm Carole Theriault.
Hello, Carole.
Hello. How was Easter? Did you fatten up on chocolate?
No, no, no. I'm not someone who eats chocolate anymore or sweets.
Yes.
Oh. It's day 2 in the Cluley household. There's no chocolate being eaten.
Oh, right.
Okay.
Wow. Okay.
Yeah. I'm doing pretty incredibly well.
Well done.
Thank you very much. And further cause for celebration is that we are joined by a special guest, Mr. John Hawes from Ampso. Hello.
Hi, John.
Good to have you back, John.
Good to be here.
Now, has anything crazy been happening over the Easter break in the world of computer security? Quite a lot as it happens, and some of it we're gonna be talking about today.
Thank God, otherwise we wouldn't have much to talk about today.
Well, one of the things which happened, Carole, have you heard of Marcus Hutchins?
What, Michael Hutchins from INXS?
That's right, yes. Also known as MalwareTech.
Oh.
Yes, different one.
That's a different person.
He is the chap, the accidental hero, who defeated WannaCry, if you remember that from a year ago.
Well, hero, quote unquote.
In his own words, accidental hero, because he registered a domain name which crippled WannaCry and stopped it from causing even more problems for the likes of the National Health Service.
He, of course, was arrested in the United States.
He, of course, was arrested in the United States.
That's right.
As he attempted to fly back to the UK from the Black Hat conference.
And in August 2017, as we discussed way back on episode 38, he pleaded not guilty to charges related to writing and potentially selling malware called Kronos.
And in August 2017, as we discussed way back on episode 38, he pleaded not guilty to charges related to writing and potentially selling malware called Kronos.
Mm-hmm.
Now, he got a lot of support from the tech community, some of whom donated money to his defense fund.
And plot twist, he has now done a plea deal and admitted that he did create, and in partnership with someone else called Vinny K, sell malware between 2012 and 2016.
And plot twist, he has now done a plea deal and admitted that he did create, and in partnership with someone else called Vinny K, sell malware between 2012 and 2016.
That doesn't necessarily mean that he is 100% guilty, though.
Knowing the little that I know about the American system, 98% of cases are pled out, and often you're facing such huge incarceration or such long sentences that it's not worth trying to fight for your innocence.
Knowing the little that I know about the American system, 98% of cases are pled out, and often you're facing such huge incarceration or such long sentences that it's not worth trying to fight for your innocence.
Like 170 years and things.
Yeah, versus doing two.
He did have something like about, I think it was like 10 or 12 charges against him, and he's only pleaded guilty to two of them.
Exactly. And he'd probably be facing doing those consecutively, right? That would be a risk.
I don't know if it would've been, but anyway, he has made a public statement where he says he regrets what he did and accepts full responsibility for his mistakes.
He says it was in his years prior to his career in security. It's interesting seeing how people have responded. Some people have said, "You're a bad man, Mr. Grinch.
You know, you've done bad. You could never be good." Other people think very much, "Oh, he should be forgiven for what he did." In his youth, although he wasn't that young.
He was still doing these kind of things when he was about 21, 22.
He says it was in his years prior to his career in security. It's interesting seeing how people have responded. Some people have said, "You're a bad man, Mr. Grinch.
You know, you've done bad. You could never be good." Other people think very much, "Oh, he should be forgiven for what he did." In his youth, although he wasn't that young.
He was still doing these kind of things when he was about 21, 22.
So he's owning up to it. He's saying publicly, mea culpa, dudes.
Yep.
Okay, that's a different story.
And he's also said that there is a misconception that to be a security expert, you must dabble in the dark side. He says it's not true.
You can learn everything you need to know legally. Stick to the good side. Quite sort of wise words. We will link to the court documents.
We can read more about the case if you're interested in the show notes. My guess is he's going to end up with some time in jail.
He's already been stuck out in the States for a long time, but I'd imagine maybe he'll get 6 months to 12 months or something in jail before he eventually comes back.
You can learn everything you need to know legally. Stick to the good side. Quite sort of wise words. We will link to the court documents.
We can read more about the case if you're interested in the show notes. My guess is he's going to end up with some time in jail.
He's already been stuck out in the States for a long time, but I'd imagine maybe he'll get 6 months to 12 months or something in jail before he eventually comes back.
He might get off with time served.
Yeah, look at it kind of cynically. Potentially this could also make him, couldn't it? Because it makes him all the more notorious.
He became an internet celebrity through the WannaCry thing, then his arrest, and now through this as well. May end up on the speaking circuit, who knows?
Anyway, one of the hot stories going on in the world of computing right now. What else we got coming up on this episode of Smashing Security, Carole?
He became an internet celebrity through the WannaCry thing, then his arrest, and now through this as well. May end up on the speaking circuit, who knows?
Anyway, one of the hot stories going on in the world of computing right now. What else we got coming up on this episode of Smashing Security, Carole?
Well, on this episode, Graham, you are talking about a rather unusual way to bypass fingerprint security.
John's delving into the truth about how we use passwords, the good and the bad. And I'm looking at how some young guy is planning to get payback from an identity theft snafu.
All this and so much more coming up on Smashing Security.
John's delving into the truth about how we use passwords, the good and the bad. And I'm looking at how some young guy is planning to get payback from an identity theft snafu.
All this and so much more coming up on Smashing Security.
So chaps, I don't know if you're aware, but there have been some changes in the way recently smartphones have been handling fingerprint scanning.
In the original days, I mean, I think probably most famously we had Touch ID, didn't we, on the old Apple iPhones? It was part of the case, as it were.
It was part of— on the bevel, wasn't it? There was a big round circle which you pressed to scan your fingerprint.
Well, more modern smartphones like the Samsung Galaxy now actually have an in-screen fingerprint scanner. So last month—
In the original days, I mean, I think probably most famously we had Touch ID, didn't we, on the old Apple iPhones? It was part of the case, as it were.
It was part of— on the bevel, wasn't it? There was a big round circle which you pressed to scan your fingerprint.
Well, more modern smartphones like the Samsung Galaxy now actually have an in-screen fingerprint scanner. So last month—
What, the entire screen can take your fingerprint?
No, no.
Or just in one location?
There'll just be a part of the screen. So it's not a physical button.
You just touch the actual visible screen where it's displaying a fingerprint icon, and that will scan your fingerprint. You see, it's really clever technology, right? If it works.
Now, last month, the Samsung Galaxy S10 came out, and one of its big features was its next-generation vault-like security with its ultrasonic fingerprint scanner fused directly onto its front screen, which it said could even work when your hand was wet.
You just touch the actual visible screen where it's displaying a fingerprint icon, and that will scan your fingerprint. You see, it's really clever technology, right? If it works.
Now, last month, the Samsung Galaxy S10 came out, and one of its big features was its next-generation vault-like security with its ultrasonic fingerprint scanner fused directly onto its front screen, which it said could even work when your hand was wet.
Ultrasonic.
Ultrasonic, because a scanner which is working through the screen, my understanding is it has to work in a different way because obviously you're touching glass rather than something on the edge.
I don't really know how this works, Carole, I should be honest. Let me refer to the blurb from Samsung themselves.
They say, using ultrasonic pulses, we detect the 3D ridges and valleys of your fingerprint, so only you can access your phone. It's secure and convenient, they say.
I don't really know how this works, Carole, I should be honest. Let me refer to the blurb from Samsung themselves.
They say, using ultrasonic pulses, we detect the 3D ridges and valleys of your fingerprint, so only you can access your phone. It's secure and convenient, they say.
Okay.
Sounds great, doesn't it?
Okay. I feel I can understand what maybe the bypass is, but I'm going to wait. I'll wait and I'll tell you if I was right or wrong.
Okay.
Well, so what happened was a couple of weeks ago, so just a couple of weeks after this phone came out, an Imgur user called Darkshark, he posted a video demonstrating how he was able to unlock the Samsung Galaxy S10 with a 3D copy of his fingerprint.
And he was able to make this at home. He captured a photograph of a print he had left on a wine glass, and he then printed it onto the finger of some gloves.
And he was able to give these rubber gloves to people and they could open his phone.
And the outcome of all this was he said, well, look, there's nothing really stopping me stealing your fingerprints without you ever knowing, then printing gloves of your fingerprints, and I can go about and commit crimes and break into your phone.
And some people said, well, hey, whoa, whoa, whoa. They said, well, where are you gonna get our fingerprints from?
Well, so what happened was a couple of weeks ago, so just a couple of weeks after this phone came out, an Imgur user called Darkshark, he posted a video demonstrating how he was able to unlock the Samsung Galaxy S10 with a 3D copy of his fingerprint.
And he was able to make this at home. He captured a photograph of a print he had left on a wine glass, and he then printed it onto the finger of some gloves.
And he was able to give these rubber gloves to people and they could open his phone.
And the outcome of all this was he said, well, look, there's nothing really stopping me stealing your fingerprints without you ever knowing, then printing gloves of your fingerprints, and I can go about and commit crimes and break into your phone.
And some people said, well, hey, whoa, whoa, whoa. They said, well, where are you gonna get our fingerprints from?
Do you want a drink? You could just, not very hard, okay.
Well, there's that way, but also you could just steal your phone because your phone, everybody's phone is gonna be covered in their fingerprints, isn't it?
Unless you're wearing gloves, Carole.
Unless you're wearing gloves, Carole.
Is he walking around with one of those posh little CSI brushes to find the fingerprint?
No, no, no, no, listen.
If he just steals your phone, he takes it back to his lair inside the volcano where he then gets the photograph of your fingerprint and creates his gloves, right?
So phones are being lost all the time and they're covered in fingerprints. They're covered in the very thing that you use to unlock it.
If he just steals your phone, he takes it back to his lair inside the volcano where he then gets the photograph of your fingerprint and creates his gloves, right?
So phones are being lost all the time and they're covered in fingerprints. They're covered in the very thing that you use to unlock it.
I got you. So phones are actually considered maybe less of a commodity now that they're so hard to break into.
And he has found a way to make them viable again because he can break in.
And he has found a way to make them viable again because he can break in.
Certainly in the case of this one, yeah. And it turned out to be ridiculously easy. He said that he could do it in about 3 minutes with his 3D printer.
It makes stealing phones worthwhile again, basically.
Yeah, right, right.
Yeah.
Wasn't there a similar thing with the— I think it was the iPhone first added their fingerprint reader that people were doing it with gummy bears.
Maybe, I don't know. I think maybe the Chaos Club in Germany, I think maybe they had managed to do this with some smartphones as well.
It's just that the ease and speed with which he was able to do this, and it didn't require a lot of technical know-how from the sound of things, required a decent 3D printer to create these things.
Now, I thought that would be hard to beat. I thought, well, that sounds pretty impressive.
Here we've got new technology which has been vaunted as more secure than past fingerprint technology, turned out to be not very good at all.
And Samsung hopefully are going to release an update. And then The Nokia 9 PureView Android smartphone came out.
An update was pushed out to this in the last couple of weeks, which purportedly improved its in-screen again. So it's inside the screen fingerprint scanner.
It's just that the ease and speed with which he was able to do this, and it didn't require a lot of technical know-how from the sound of things, required a decent 3D printer to create these things.
Now, I thought that would be hard to beat. I thought, well, that sounds pretty impressive.
Here we've got new technology which has been vaunted as more secure than past fingerprint technology, turned out to be not very good at all.
And Samsung hopefully are going to release an update. And then The Nokia 9 PureView Android smartphone came out.
An update was pushed out to this in the last couple of weeks, which purportedly improved its in-screen again. So it's inside the screen fingerprint scanner.
Okay.
And a number of users discovered there was a problem with this, including a British user interface developer from Birmingham who calls himself—
Birmingham.
He calls himself Decoded Pixel. On Twitter.
And that's pretty good, actually.
Thank you very much. And he found, and he made a little video, that the Nokia 9 smartphone can be unlocked by anyone. Oh, doesn't matter if you have fingers or not.
In fact, Decoded Pixel discovered that it could be unlocked by someone wearing leather gloves or even something as banal as a packet of chewing gum.
In fact, Decoded Pixel discovered that it could be unlocked by someone wearing leather gloves or even something as banal as a packet of chewing gum.
Well, leather gloves sounds easier than chewing gum.
Well, you might just have a packet of chewing gum in your pocket. You may not be wearing it. It's a hot day, Carole. You may not be wearing leather gloves.
Do you mean chewing gum?
No, no, no.
Or do you mean the packet?
Just the packet.
It is vaguely finger-shaped, I guess, a packet.
Maybe. You could probably mould it into that sort of shape if it isn't, I suppose.
So he's made this video and you can go and check it out online and we'll link to it in the show notes again, where there's a locked phone.
And he demonstrates, first of all, himself unlocking it with his thumb. And then he takes a packet of chewing gum, plonks it on the screen, and it recognises that as his finger.
And then he tries it with a coin, and he even got someone else's finger involved in the video, a stunt finger, which unlocked it as well.
And lots of other users of the Nokia 9 are discovering this as well. So the actual smartphone fingerprint scanner, which was supposedly updated, appears to be weaker.
So he's made this video and you can go and check it out online and we'll link to it in the show notes again, where there's a locked phone.
And he demonstrates, first of all, himself unlocking it with his thumb. And then he takes a packet of chewing gum, plonks it on the screen, and it recognises that as his finger.
And then he tries it with a coin, and he even got someone else's finger involved in the video, a stunt finger, which unlocked it as well.
And lots of other users of the Nokia 9 are discovering this as well. So the actual smartphone fingerprint scanner, which was supposedly updated, appears to be weaker.
Just completely pointless.
It's not been upgraded at all. It looks like it's completely feeble.
I think there's potentially an awful lot of emphasis being put on maintaining security and privacy of your smart devices by fingerprint scanners, but you might be wise not to rely on them, at least not to rely on them only to secure your devices.
Maybe a good old PIN would be better.
I think there's potentially an awful lot of emphasis being put on maintaining security and privacy of your smart devices by fingerprint scanners, but you might be wise not to rely on them, at least not to rely on them only to secure your devices.
Maybe a good old PIN would be better.
It wasn't clear. Is the Nokia 9 supposed to be super secure? Do they say that it's a secure phone?
Well, I'm sure they don't say it's an insecure phone, but—
Just having fingerprint scanning kind of implies that it's doing it for security purposes, not just for a laugh.
You would expect if they're asking for fingerprint authentication, it would actually authenticate the fingerprint or make some token gesture of it.
Whereas if you're wearing a pair of marigolds and that will unlock it, you know, that's— Or a packet of Wrigley Spearmint gum will open it.
Whereas if you're wearing a pair of marigolds and that will unlock it, you know, that's— Or a packet of Wrigley Spearmint gum will open it.
Have they come out and said, have they come out and said, oops, sorry, sorry, sorry, we're on this. It was a bug.
Well, we are recording this on Tuesday and it's been a long Easter weekend. Yes, we'll see. We will see whether they come out with another update.
But interestingly, this update, supposedly one of the improvements was supposed to be to the fingerprint sensor because some users have actually said they had problems with earlier versions of the Nokia 9 as well.
And maybe it's actually even got worse with this latest update. So if you have a Nokia 9, be very careful. Could it be—
But interestingly, this update, supposedly one of the improvements was supposed to be to the fingerprint sensor because some users have actually said they had problems with earlier versions of the Nokia 9 as well.
And maybe it's actually even got worse with this latest update. So if you have a Nokia 9, be very careful. Could it be—
So you said he demonstrated by showing it working with his thumb.
Could it be that he just left a fingerprint on the screen and the reader was scanning that fingerprint rather than whatever was on top of it?
Could it be that he just left a fingerprint on the screen and the reader was scanning that fingerprint rather than whatever was on top of it?
Maybe.
Maybe he had particularly greasy fingers.
I don't know.
He'd eaten a big bag of crisps. Then slapped his thumb on it.
Yeah.
The fingerprint is then moulded onto that place, and then anything he puts on just smooshes that grease into the screen. I love it.
I love it. John, what's your story for us this week?
So I wanted to talk a little bit about authentication as well. Not so much about the fingerprints and things, but more passwords.
I know that's something that all security people tend to talk about pretty much all the time, but it's something that always seems to come up.
So the last few weeks we've had a whole bunch of password snafus. Facebook was storing possibly hundreds of millions of passwords in plain text, I think, from Instagram users.
I know that's something that all security people tend to talk about pretty much all the time, but it's something that always seems to come up.
So the last few weeks we've had a whole bunch of password snafus. Facebook was storing possibly hundreds of millions of passwords in plain text, I think, from Instagram users.
And you couldn't make it up.
Kind of said, oh yes, we, oops, we forgot we were doing that. We'll delete them.
And then a week later said, oh, well, actually there's another few hundred million we forgot to mention as well.
And then a week later said, oh, well, actually there's another few hundred million we forgot to mention as well.
Which rather like the Mueller report, they snuck out just before the Easter break, didn't they?
So gross.
What was the Instagram revelation as well? I think a lot of the tech press maybe missed it.
It's another Facebook story.
I think it was last week, maybe the week before, where they were asking people for password to their email service, claiming it was required to verify their login or something.
And then they went into 1.5 million people's email accounts and scraped all their contacts and fed them into the great Facebook mall.
I think it was last week, maybe the week before, where they were asking people for password to their email service, claiming it was required to verify their login or something.
And then they went into 1.5 million people's email accounts and scraped all their contacts and fed them into the great Facebook mall.
Incredible, isn't it? Again, you know, I feel we shouldn't even call it scraped. We just say they stole them. You know, they just took them without permission.
They just grabbed people's address books and took them and who knows what they were planning to do with them.
But if they hadn't been caught out by the press and maybe they'd have never fessed up to this.
They just grabbed people's address books and took them and who knows what they were planning to do with them.
But if they hadn't been caught out by the press and maybe they'd have never fessed up to this.
Shame.
Shame.
I think in that case, they'd said they used to do it regularly and they had a little message saying, if you give us your password, we'll scrape your contacts.
And then at some point they took off the message but kept on doing the scraping or something. Yeah, it was a horrible mess basically.
Facebook has not been doing very well on the security front lately. Yeah, but you know, both those cases, those are both pretty bad things from both sides though.
I mean, storing passwords in plain text, that's a bad thing to do from the provider side.
But from the user side, you know, if someone says to you, can I have a password for your email account?
And that person is not your email provider, you shouldn't be giving it to them. You shouldn't give anybody a password for something that is not their service.
And then at some point they took off the message but kept on doing the scraping or something. Yeah, it was a horrible mess basically.
Facebook has not been doing very well on the security front lately. Yeah, but you know, both those cases, those are both pretty bad things from both sides though.
I mean, storing passwords in plain text, that's a bad thing to do from the provider side.
But from the user side, you know, if someone says to you, can I have a password for your email account?
And that person is not your email provider, you shouldn't be giving it to them. You shouldn't give anybody a password for something that is not their service.
Well, that's the thing. We're teaching people all the time, you know, to be very careful who they give their passwords to, make sure you give them to the right people.
So if it doesn't matter that it's Facebook asking for your Yahoo password, you should be equally skeptical about that.
And Facebook even doing that sort of normalizes the behavior, doesn't it?
So if it doesn't matter that it's Facebook asking for your Yahoo password, you should be equally skeptical about that.
And Facebook even doing that sort of normalizes the behavior, doesn't it?
So then the other thing that came out, I think over the Easter weekend for some reason, the National Cybersecurity Center here in the UK released a most hacked password list.
Is this a list of the passwords that have been most hacked from them?
No, this is, so this is, they've taken it, I think it's from the Have I Been Pwned database.
Oh, our friend Troy Hunt.
Yes, this is a pretty standard story in security circles.
I mean, dozens of organizations release lists like this every few months and they make very easy fodder for quick blog posts and articles and very easy to do.
I'm sure all of us have written several dozen of these pieces and they've done it quite nicely.
You know, they've kind of flicked through it and gone, oh, look, here are the most popular superhero passwords and the most popular football team passwords.
Just to kind of really broaden their reach out into various different kinds of publications to pick up the story for them.
I mean, dozens of organizations release lists like this every few months and they make very easy fodder for quick blog posts and articles and very easy to do.
I'm sure all of us have written several dozen of these pieces and they've done it quite nicely.
You know, they've kind of flicked through it and gone, oh, look, here are the most popular superhero passwords and the most popular football team passwords.
Just to kind of really broaden their reach out into various different kinds of publications to pick up the story for them.
Okay, and what's the number one? Is it password?
123456, obviously.
Oh, that's the number one? 123456.
23 million people were using that one apparently. Well, they don't really say exactly how. I think they said they looked at the top 100,000 breaches or something.
Well, I think they've released a list of the 100,000 most commonly used passwords, which you can download from their website.
Yeah, so their push is basically to say, here, take this list, and if you're a website admin, make sure you're using this as a blacklist and don't let people use these passwords.
Cool. I like that idea.
Well, yeah, it's all right as an idea, but I mean, really? And we were just saying password managers, you should have a unique password.
If your password is something that has ever been used anywhere else, then you shouldn't be using it.
If your password is something that has ever been used anywhere else, then you shouldn't be using it.
I know, but think about it from an admin's point of view, right? He's sitting there or she's sitting there managing potentially thousands of different accounts, right?
And good way to just block stupid answers, or that maybe requirements of length or complexity might not be really popular. So you could just say, uh-uh, not that one.
And good way to just block stupid answers, or that maybe requirements of length or complexity might not be really popular. So you could just say, uh-uh, not that one.
And you can also link into the Pwned Password API, something Troy Hunt runs. So you could link your service in with that.
So when a user creates password, it will say, actually, this is a password that has been previously breached and this many times and encourages more random use of passwords.
And of course, is encouraging password management as well.
I find a certain irony here that The NCSC, who of course are part of GCHQ, an intelligence agency which hacks into people's accounts and acquires information from foreign governments, they are actually sharing with the world what appears to be a list of the most commonly used passwords.
That in itself sort of makes an endorsement for this list, doesn't it?
Because if you wanted to hack into accounts, maybe this list would be quite a good place to start if you wanted to work your way, you know, spraying passwords into a system.
This is the GCHQ-approved list.
So when a user creates password, it will say, actually, this is a password that has been previously breached and this many times and encourages more random use of passwords.
And of course, is encouraging password management as well.
I find a certain irony here that The NCSC, who of course are part of GCHQ, an intelligence agency which hacks into people's accounts and acquires information from foreign governments, they are actually sharing with the world what appears to be a list of the most commonly used passwords.
That in itself sort of makes an endorsement for this list, doesn't it?
Because if you wanted to hack into accounts, maybe this list would be quite a good place to start if you wanted to work your way, you know, spraying passwords into a system.
This is the GCHQ-approved list.
They do acknowledge that at some point somewhere in one of their posts on this, they do say, oh, this is all public information anyway.
We're not publishing anything that isn't already out there.
We're not publishing anything that isn't already out there.
Exactly. And I mean, how else do you get people to kind of look out for it within their network?
And the bad guys have many, many millions more than this 100,000 list anyway.
I mean, of course they do.
They've got access to vast amounts of data.
Anyway, so basically, that's another one. Don't use ridiculously simple passwords and don't allow people to use ridiculously simple passwords.
But really, I mean, the solution to all of these is two-factor authentication. I mean, that's pretty much—
But really, I mean, the solution to all of these is two-factor authentication. I mean, that's pretty much—
Not fingerprint scanners.
Yes. Well, maybe not ideally fingerprint scanners.
Not on the Samsung or the Nokia.
If you had reliable 2FA in place, none of these would be a problem anymore because you can just make your password public.
And as long as your two-factor authentication is secure, then you're fine. Using fingerprint readers, even face readers on phones these days are becoming pretty mainstream.
So more and more people are getting on board with what two-factor authentication is.
They're understanding it better, and I think that is something that's really going to ramp up in the next 6 months or so because of PSD2, the European Union Payment Services Directive.
And as long as your two-factor authentication is secure, then you're fine. Using fingerprint readers, even face readers on phones these days are becoming pretty mainstream.
So more and more people are getting on board with what two-factor authentication is.
They're understanding it better, and I think that is something that's really going to ramp up in the next 6 months or so because of PSD2, the European Union Payment Services Directive.
Okay.
Do you know about that?
No.
It's basically a new set of rules for banks and things that is, it's actually already been implemented, but it has to be— the final deadline for adopting all of its rules is, I think, middle of September this year.
Okay.
And one of those rules is that banks must use, I think they call it strong authentication, basically 2FA for transactions.
So when you go into a physical shop, you have your card, you have a chip in the card, that's something you have, and then you have the PIN as something you know.
So it's kind of two factors, but they're also looking at putting an extra factor on there.
And there was a big rash of stories around Christmas time that some of the UK banks had already started implementing this and there were people who were turning up in the shop and trying to use their card and being told, oh, we need a special code off your phone and their phone was dead and it was a nightmare and they couldn't buy their Christmas presents and their children were crying and—
So when you go into a physical shop, you have your card, you have a chip in the card, that's something you have, and then you have the PIN as something you know.
So it's kind of two factors, but they're also looking at putting an extra factor on there.
And there was a big rash of stories around Christmas time that some of the UK banks had already started implementing this and there were people who were turning up in the shop and trying to use their card and being told, oh, we need a special code off your phone and their phone was dead and it was a nightmare and they couldn't buy their Christmas presents and their children were crying and—
Ah!
Yeah.
So basically that kind of stuff is going to be picking up quite a lot through this year because by the middle of September, all banks across Europe are going to have to implement some kind of better, stronger authentication for payments, especially mainly on the internet.
But it looks like it's also going to be happening in person as well.
So basically that kind of stuff is going to be picking up quite a lot through this year because by the middle of September, all banks across Europe are going to have to implement some kind of better, stronger authentication for payments, especially mainly on the internet.
But it looks like it's also going to be happening in person as well.
As long as they don't start asking for urine samples.
Well, this is the thing. What are they going to do? I mean, exactly.
But if you have your child there screaming, maybe the child could also donate a little bit of, you know, pretty soon it's going to be a DNA swab.
The one that I've been— so I wrote a few articles about this last year or so, and I keep getting contacted by people saying, oh, nice article about this.
Do you know anything about this type of 2FA, people trying to basically persuade me to write about their 2FA, but a lot of them are talking about contextual data.
So that's getting the something you are component of a two-factor system just based on something you are being the sort of person that goes to the corner shop at 2 AM and buys 50 quid's worth of booze.
Do you know anything about this type of 2FA, people trying to basically persuade me to write about their 2FA, but a lot of them are talking about contextual data.
So that's getting the something you are component of a two-factor system just based on something you are being the sort of person that goes to the corner shop at 2 AM and buys 50 quid's worth of booze.
I've nailed you, Carole. I've got you.
Which, from a usability point of view, it's pretty easy. You don't have to worry about it.
It basically just means the bank is monitoring everything you do and building a profile of you so it can say, oh, he's not the sort of person that would buy a TV online at 4 AM and have it shipped to Nigeria.
It basically just means the bank is monitoring everything you do and building a profile of you so it can say, oh, he's not the sort of person that would buy a TV online at 4 AM and have it shipped to Nigeria.
Yeah, but it does suck when everything gets frozen when you find yourself on holiday in the Bahamas.
Exactly. Yes. And it also means that the banks have to gather huge amounts of data on all of their customers at all times. Which is a bit of a minefield in itself.
Well, there's a lot of loyalty cards and things which have been doing that for years, haven't they?
Exactly. Yes, well, maybe that's the thing.
Maybe the supermarkets will start using their loyalty card data to guess whether their customers are really the person they claim to be based on what they're buying.
Maybe the supermarkets will start using their loyalty card data to guess whether their customers are really the person they claim to be based on what they're buying.
John, you've covered a lot of topics here, a lot of different aspects here.
In depth.
Yes, it was a little bit of a scattergun approach.
No, no, it's interesting.
No, it's very good. Very good.
Anyway, password managers, it seems.
Yes.
Yet again.
Password managers and authenticator apps.
Yeah.
Right.
Good. And yeah, stop using dumb passwords.
And don't eat crisps when you're using your phone.
Carole, what's your story for us this week?
So my dad had years of drama because someone with his exact name, well, the same middle initial, his exact birthday, who lived in a neighboring town, somehow got his personal information misentered into some important database.
And the misentry impacted mobile phone usage purchases, traveling, credit scores, tax payments, health records, everything. Both guys suffered, right?
And it was a total pain to sort out. The two guys ended up getting in touch, and both were contacting the various bodies to get the problem rectified.
And the misentry impacted mobile phone usage purchases, traveling, credit scores, tax payments, health records, everything. Both guys suffered, right?
And it was a total pain to sort out. The two guys ended up getting in touch, and both were contacting the various bodies to get the problem rectified.
So this really happened? It wasn't that your father didn't have a secret second family or something on the other side of town? Okay, so this— okay, all right, interesting.
And even with both parties working to end the mix-up, it took years, right?
So I can only imagine how annoying it would be if your identity was stolen and used for nefarious purposes without someone wanting to help you fix the whole snafu.
I mean, how the heck do you regain your identity? And how do you seek retribution for the sheer pain and the assness of it all? I thought you'd like that one.
Now, I have a story all about this, okay?
And I want you to hear me out and put yourself in the protagonist's shoes because I want you to tell me what you would do if this were to happen to you. Okay?
So I can only imagine how annoying it would be if your identity was stolen and used for nefarious purposes without someone wanting to help you fix the whole snafu.
I mean, how the heck do you regain your identity? And how do you seek retribution for the sheer pain and the assness of it all? I thought you'd like that one.
Now, I have a story all about this, okay?
And I want you to hear me out and put yourself in the protagonist's shoes because I want you to tell me what you would do if this were to happen to you. Okay?
Yep, ready.
All right, so you're about 17, 18, a young adult, right? And you're living in New York.
New York.
You probably have a really strong New York accent.
Hey, okay.
Oh yeah, East Shore, Max.
Hey, okay.
And maybe you're out one night, maybe you're having spaghetti and tomato sauce or something, and then you head home and you maybe listen to some ASMR podcast to lull you to sleep and you're snoozing away and suddenly bang, bang, bang, bang on the door, right?
It's 4 AM. WTF is going on? You look outside, you see cops and they're there with an arrest warrant for you. Okay, and you are panicking. You asked to see the arrest warrant.
And while all the information is correct, your name, address, the mugshot is not you. It doesn't remotely look like you.
It's 4 AM. WTF is going on? You look outside, you see cops and they're there with an arrest warrant for you. Okay, and you are panicking. You asked to see the arrest warrant.
And while all the information is correct, your name, address, the mugshot is not you. It doesn't remotely look like you.
That's not me. That's Mr. Terrio.
And even the cops see that it doesn't look like you.
Right.
Right?
Right.
Now, do you think the cops just back off with sincere apologies or—
Of course not. It could be a disguise. It could be a disguise, couldn't it?
No, you get hauled in. And that's what happened to Hussein Ba.
This is the actual New York 18-year-old who was bolted awake by the sound of cops pounding at his door to arrest him, and they hauled him in anyways.
Now, it turns out Ba was a person of interest in an Apple Store theft that happened in Manhattan, and sadly, Ba was no stranger to these accusations.
Now, the following is with much thanks to insurancejournal.com because they laid it out really well.
This is the actual New York 18-year-old who was bolted awake by the sound of cops pounding at his door to arrest him, and they hauled him in anyways.
Now, it turns out Ba was a person of interest in an Apple Store theft that happened in Manhattan, and sadly, Ba was no stranger to these accusations.
Now, the following is with much thanks to insurancejournal.com because they laid it out really well.
I'm a big fan, one of my favorite insurance websites, yes.
In doing this story, I was looking around and a lot of people were quoting the same sources, but—
I'm very impressed, Carole. I'm very impressed.
Now, Mr. Ba claims that about a year ago he lost his learner's driver's license, which had his name, address, date of birth, sex, height, and eye color.
Yeah.
The document specifies on it that it cannot be used for identification purposes. Okay, so remember that. And also, it does not have a photo.
Mm-hmm.
Okay. So he lost this interim permit, didn't report it to the police. He knew he was going to get an actual permit shortly, didn't care.
Right. Yeah.
Later on, he receives a summons for $1,200 for an Apple Store theft at a Boston Back Bay store. Apparently, the theft included multiple Apple Pencils. Now, when I say pencils—
Is that what, when I steal the biros from Argos?
They retail at $99 each, so I hope not.
Oh, okay.
Okay. They're pencils you use on your iPad Mini or something.
Stylus.
Oh, I'd say for drawing on the—
And they're quite small, so probably easier to steal, right?
And it's all very free and easy in the Apple Store. You kind of come in, you mess around with the hardware.
Yeah, shove a ton of pencils down your pants and then—
Exactly. Exactly. Yes. Yeah.
Now, the problem was Mr. Ba had never been to Boston until this court appearance, this court summons, which meant he'd come.
Now, Apple has a security firm that it hires called Security Industry Specialists. Now, they help protect Apple stores from theft.
And they sent a rep to these proceedings in Boston, and the rep said he witnessed a suspect steal Apple Pencils on a security video.
Okay, so when Ba's attorney said, hey, let me see this video, the guy said, sorry, it doesn't exist anymore. Huh, weird.
Now, Apple has a security firm that it hires called Security Industry Specialists. Now, they help protect Apple stores from theft.
And they sent a rep to these proceedings in Boston, and the rep said he witnessed a suspect steal Apple Pencils on a security video.
Okay, so when Ba's attorney said, hey, let me see this video, the guy said, sorry, it doesn't exist anymore. Huh, weird.
Okay, whether using VHS tapes or something, so I think Apple would have not a problem with storage, you know.
Okay, the whole thing basically ended well because Ba was able to prove that he'd not been in Boston on the day of the theft and goes back home to New York only to receive a handful of other notifications about other stores and other Apple thefts.
One in New York City, one in Delaware, one in New Jersey.
And then months later, at 4 AM in the morning, we have the New York City Police rapping on his door with an arrest warrant for robberies at the Manhattan store.
And this is where the arrest warrant has the right information but the wrong mugshot.
One in New York City, one in Delaware, one in New Jersey.
And then months later, at 4 AM in the morning, we have the New York City Police rapping on his door with an arrest warrant for robberies at the Manhattan store.
And this is where the arrest warrant has the right information but the wrong mugshot.
I would be a little bit peeved by this point, I think. I'd be a little bit annoyed.
Okay, that's great. And John, are you feeling a little bit, because this is a bit of a hassle, right? You've been, you know, going around the country trying to clear your name.
It's more the 4 AM thing that I'd be annoyed.
I have checked out John's mugshot on the Smashing Security website, and he does bear an uncanny similarity with someone. I'm not quite sure who.
But yeah, there is— Yes, so what happened next, Carole?
But yeah, there is— Yes, so what happened next, Carole?
So mystery number one, whose pic is on the police warrant? Because it's not Mr. Baz, and what's going on?
Right.
After a bit of detective-ing, they realize it's probably a pic of the thief. And the thief used Baz's learner driver license, you know, during a purchase or one of his heists.
So apparently Apple security technology identifies suspects of theft using facial recognition technology.
The detectives suspect that the person who had committed the crimes presented Baz's interim permit as identification during one of his multiple offenses.
They assumed that that face was tied to that information. So it was Apple's facial recognition software that basically tied it all together.
So apparently Apple security technology identifies suspects of theft using facial recognition technology.
The detectives suspect that the person who had committed the crimes presented Baz's interim permit as identification during one of his multiple offenses.
They assumed that that face was tied to that information. So it was Apple's facial recognition software that basically tied it all together.
Why was he giving identification to do a crime?
So he may have gone in and done a crime as well, you know, I'm buying one Apple Pencil, right, and I've got 12 down my pants.
Yeah, it was a pic of the thief. Pic of the thief.
So Baz's attorney was able to explain the situation to the DA and then get everything sorted out, right?
So the whole thing went away because they were able actually to get their hands on the surveillance footage, the one that the Apple security firm said didn't exist.
So the whole thing went away because they were able actually to get their hands on the surveillance footage, the one that the Apple security firm said didn't exist.
Oh, there was a backup, right?
Okay, so it's all a big complex thing, right? And a bit of a nightmare. Now, Baz has issued a lawsuit, right, suing Apple. He's had a bit of a bad time, hasn't he?
Yes, yes, right, right. Yes.
And the lawsuit's accusing Apple of using facial recognition technology in store.
So Bloomberg writes that Baz claimed his name may have mistakenly been connected to the thief's face in Apple's facial recognition system, which he says the company uses in stores, you know, to track people suspected of theft.
So Bloomberg writes that Baz claimed his name may have mistakenly been connected to the thief's face in Apple's facial recognition system, which he says the company uses in stores, you know, to track people suspected of theft.
And presumably everyone else too, right?
Once Apple, though, had tied Baz's name to the wrong face, Baz had no way to correct the error.
Lazy. Just lazy.
What a mess.
So, okay, so here we go. So Mr. Baz has had about a year of crap as far as I worked out, thanks to losing his learner's permit.
Yes.
Yes.
And I get that Apple should not have accepted learner's permit as, you know, as ID. That was a mistake. And Apple misidentified him, you know, as a thief.
And he suffered court summons and all this stuff. Woke up at 4:00 AM, right? The worst thing ever, John.
And he suffered court summons and all this stuff. Woke up at 4:00 AM, right? The worst thing ever, John.
Yeah.
And, you know, it's taken a year to clear his name. And, you know, it's, you know, he said it led to severe stress and hardship. So how much is Baz going to sue for?
What would be an appropriate amount for that amount of BS?
What would be an appropriate amount for that amount of BS?
The whole of Apple.
Let me just remind myself. He's based in America, isn't he?
Yeah, he's based in the States.
New York.
And he's suing. I'm imagining it will be quite a large amount of money.
Yeah. Why don't you give me what you think it might be and what you think it should be? You think I was putting you in the position, right? This has happened to you. This has happened.
I'm going to say— I think he might be suing for $10 million. Okay. And I think he should really probably be happy with— he'd be very happy with $100,000.
A new iPhone? Okay.
I don't get up at 4 AM for less than $100 million.
You and Linda Evangelista.
Yeah.
Okay, well, you're both wrong. Okay. He is suing for $1 billion.
A billion?
A billion. Okay, so I've worked it out because I'm good at maths, as we all know, right? As we know, and it works out to roughly $270,000 a day for his hardship.
How many Apple Pencils can he buy for $1 billion?
I mean, how is this remotely justifiable? I see. And I don't understand why the courts wouldn't just throw it out immediately, just like, you're having a laugh.
Well, it's just a negotiation, isn't it, Carole? It's just a haggle. That's what it is. They— you know, it bugs me.
Does it?
Yeah.
Does that really work though? If Apple's saying here's $10K and he's saying no, I want a billion and they go, okay, we'll go halfway between. Pretty sure they don't.
Look, it is, that's what they're going to argue for. They're going to argue for a percentage of the request. Well, if it's not going to be the billion, we need a percentage.
Even 1% is pretty shit high. You know?
Anyway, I just think it's insane and but an interesting idea on the idea of actually trying to sue based on facial recognition falsely tying you to another person and then confusing that information and making your life hell for a while as you try and clean that all up.
Even 1% is pretty shit high. You know?
Anyway, I just think it's insane and but an interesting idea on the idea of actually trying to sue based on facial recognition falsely tying you to another person and then confusing that information and making your life hell for a while as you try and clean that all up.
Well, an overreliance in a way of computers and technology, isn't it? Whereas a human could have said, well, hang on a moment, that's clearly—
Well, thank God we're all heading towards the dark ages rather than relying more and more on computers every year, Graham.
Wait till we get the RoboCops.
I thought we'd get through without mentioning Brexit, but there you are. We've done it again.
Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge.
Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
Quote, most business security breaches are the result of one thing: sloppy password practices.
Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts.
Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
Quote, most business security breaches are the result of one thing: sloppy password practices.
Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts.
Unquote.
That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page, and most of you know how much I hate to admit when he's right, but he is.
Sloppy passwords are a huge contributor to security breaches within an organization.
The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
Sloppy passwords are a huge contributor to security breaches within an organization.
The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the thief. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
It should not be.
Now, my pick of the week this week is not security related.
Instead, it harks back to a wonderful era of television known as the 1960s, and specifically the work of Gerry Anderson, who made such fantastic shows as Stingray and Captain Scarlet and the Mysterons.
Now, you may think that those shows are just part of yesteryear.
If it— for anyone who's listening, has never seen a Gerry Anderson show, the thing is, they were all done with marionettes. And so there was puppets.
And the most famous show of all is one called Thunderbirds.
Instead, it harks back to a wonderful era of television known as the 1960s, and specifically the work of Gerry Anderson, who made such fantastic shows as Stingray and Captain Scarlet and the Mysterons.
Now, you may think that those shows are just part of yesteryear.
If it— for anyone who's listening, has never seen a Gerry Anderson show, the thing is, they were all done with marionettes. And so there was puppets.
And the most famous show of all is one called Thunderbirds.
Aha, that's where I know.
Which was a tremendous TV program and still beloved by kids today.
And International Rescue, you know, there'll be some disaster or something will be falling down or people drowning and they'd come in and they'd come and save them with their fantastic gadgets.
A couple of years ago, a guy called Stephen Larivière, who was obviously a bit of a fan of Thunderbirds, he raised over £200,000 in a Kickstarter campaign to remake some classic Thunderbirds episodes.
Because back in the 1960s, they made three episodes just for vinyl records, just for LPs. So just audio. And he said, why don't we take those recordings and film those episodes.
We've got the original voices, Brains and Lady Penelope and Scott Tracy and so forth, and remake them using superb Supermarionation techniques. And they did it.
And International Rescue, you know, there'll be some disaster or something will be falling down or people drowning and they'd come in and they'd come and save them with their fantastic gadgets.
A couple of years ago, a guy called Stephen Larivière, who was obviously a bit of a fan of Thunderbirds, he raised over £200,000 in a Kickstarter campaign to remake some classic Thunderbirds episodes.
Because back in the 1960s, they made three episodes just for vinyl records, just for LPs. So just audio. And he said, why don't we take those recordings and film those episodes.
We've got the original voices, Brains and Lady Penelope and Scott Tracy and so forth, and remake them using superb Supermarionation techniques. And they did it.
But with that, does he have the original puppets too?
He has some of the original puppets. And this was all done in coordination with the Gerry Anderson estate and his son, Jamie Anderson, as well. And it looks tremendous. Wonderful.
Five, four, three, two, one.
Five, four, three, two, one.
Thunderbirds are go! Graham, can I say something? I think this is your best pick of the week ever.
Really?
Yep. Very, very cool.
Oh, wow. Cool. This is quite something.
Well, I've put a couple of links in the show notes where you can check out some trailers and a short documentary, a half-hour documentary, all about the making. It is wonderful.
And I think it's awesome. And that is why Thunderbirds 50th Anniversary, Thunderbirds 1965, is my pick of the week.
Well, I've put a couple of links in the show notes where you can check out some trailers and a short documentary, a half-hour documentary, all about the making. It is wonderful.
And I think it's awesome. And that is why Thunderbirds 50th Anniversary, Thunderbirds 1965, is my pick of the week.
Brilliant. Are they going to do any Captain Scarlet?
They haven't done any Captain Scarlet. Captain Scarlet actually was my favourite more than Thunderbirds.
So I have to say there was something very dark and mysterious about Captain Scarlet and the Mysterons. What they did do is they made their own short clip.
There is a TV show called Endeavour, which is about the early days of Inspector Morse.
Inspector Morse is a young man in the '60s, and I believe there was an episode set on a studio where they were making one of these puppet shows.
And they actually remade a classic— they made up their own classic Supermarionation episode to appear in this episode of Endeavour.
Again, you can see some clips of that over on the Century 21 Films website.
So I have to say there was something very dark and mysterious about Captain Scarlet and the Mysterons. What they did do is they made their own short clip.
There is a TV show called Endeavour, which is about the early days of Inspector Morse.
Inspector Morse is a young man in the '60s, and I believe there was an episode set on a studio where they were making one of these puppet shows.
And they actually remade a classic— they made up their own classic Supermarionation episode to appear in this episode of Endeavour.
Again, you can see some clips of that over on the Century 21 Films website.
They dropped some murder clues into that?
Well, I don't know. I haven't seen it, John, but it's quite possibly— who knows? Maybe someone was strung up by the strings or something. Anyway, lovely, lovely, lovely.
And I think it'd be a hard one to beat. So John, what's your pick of the week?
And I think it'd be a hard one to beat. So John, what's your pick of the week?
Some time ago, I think it was probably the first time I was on the show, my pick of the week was a game called Clash of Clans.
Yes. Yeah.
I still play a little bit, but there's a kind of sister game from the same company. It's called Clash Royale.
It's quite a different kind of game, although it kind of has some of the same characters in it. And it's a very simple kind of tower defense thing.
You're paired up with a random person and you have to attack their towers and try and stop them attacking your towers.
You have a range of characters you can choose from and you pick your card deck and you have to hope that yours matches up against theirs so you can fight them evenly and stuff like that.
It's very simple and very fun. It takes about 3 minutes to play a game. But my favorite thing about it, it has this little in-game kind of chat system or heckling or something.
And there's just little buttons along the bottom of the screen and you don't really, there's not really a lot of choices.
You can basically say, I think, good luck, well played, good game. Thanks, wow, oops.
And then there's a few little kind of emoticons, things like thumbs up, angry, club, crying, laughing.
They've added a bunch more of the little pictures recently, but they're a bit gimmicky. I try and stick with the old school ones.
But it's amazing how in-depth the conversation you can have with whatever random child in China you happen to be playing against.
With just this little tiny selection of words and images, you can have a proper little chat going on. It's really quite fun.
And I find anybody that basically, there's a lot of people that just use angry face all the time. Don't like them, they're clearly douches. And there's also the laughing face.
Very, very few occasions where you can use that appropriately. So it's actually a very, very small set of things that you can legitimately use to have a polite conversation with.
And you can get a real sense of the sort of person you're talking to.
It's quite a different kind of game, although it kind of has some of the same characters in it. And it's a very simple kind of tower defense thing.
You're paired up with a random person and you have to attack their towers and try and stop them attacking your towers.
You have a range of characters you can choose from and you pick your card deck and you have to hope that yours matches up against theirs so you can fight them evenly and stuff like that.
It's very simple and very fun. It takes about 3 minutes to play a game. But my favorite thing about it, it has this little in-game kind of chat system or heckling or something.
And there's just little buttons along the bottom of the screen and you don't really, there's not really a lot of choices.
You can basically say, I think, good luck, well played, good game. Thanks, wow, oops.
And then there's a few little kind of emoticons, things like thumbs up, angry, club, crying, laughing.
They've added a bunch more of the little pictures recently, but they're a bit gimmicky. I try and stick with the old school ones.
But it's amazing how in-depth the conversation you can have with whatever random child in China you happen to be playing against.
With just this little tiny selection of words and images, you can have a proper little chat going on. It's really quite fun.
And I find anybody that basically, there's a lot of people that just use angry face all the time. Don't like them, they're clearly douches. And there's also the laughing face.
Very, very few occasions where you can use that appropriately. So it's actually a very, very small set of things that you can legitimately use to have a polite conversation with.
And you can get a real sense of the sort of person you're talking to.
If you were a criminal or a drug dealer or something like that, John, do you think you could use this communication system to communicate your secret messages?
Is this a replacement for something like Signal? Would the intelligence services be able to intercept what you're communicating with your angry face and your thumbs up?
Someone in China?
Is this a replacement for something like Signal? Would the intelligence services be able to intercept what you're communicating with your angry face and your thumbs up?
Someone in China?
I don't know. You might have to kind of prearrange a few particular signals. I don't know if you could say, you know, we're hitting the Barclays Bank at 9 AM tomorrow morning.
That would be difficult.
That would be difficult.
The specifics would be hard.
Yeah, it's more of a feeling kind of thing. You just get a sense of personality. Yeah, Graham.
Right.
Well, sorry. But there's also, I mean, it does have a, there's a, you can have a team, your clan, and you can, there's an actual chat thing that you can have with them.
I don't do that bit.
I don't do that bit.
No. Sounds more fun what you're doing, I think, to be honest. So that's Clash Royale, comes strongly recommended from you. Thumbs up, right?
Thumbs up.
Wow.
Thanks. Good game.
Carole, what's your pick of the week?
Well, all three of us are based in Oxford. And two of us on this podcast today are taking part in an upcoming Oxfordshire art festival.
Oh, really?
So I'm giving that a shout out. Yeah. And it's not you, Graham.
No, it's not.
So Oxfordshire Art Week starts in May next month, and it's where artists or designers exhibit their work across Oxfordshire.
So there's 500 locations across the county, and there's group exhibitions and individual artists. Some of them are in their own home, right?
And 100,000 people come to this every year, and it's free, and you can see what all kinds of different artists are up to.
And this year, both John Hawes and I, along with a few others, have clubbed together and are presenting our stuff at a venue.
So there's 500 locations across the county, and there's group exhibitions and individual artists. Some of them are in their own home, right?
And 100,000 people come to this every year, and it's free, and you can see what all kinds of different artists are up to.
And this year, both John Hawes and I, along with a few others, have clubbed together and are presenting our stuff at a venue.
Oh my goodness, it's very exciting.
I know. And John is doing—
It's not nude modeling, is he?
He is. He's doing nude modeling.
Oh.
Let me send you a link, Graham.
No, no, no, no, please don't. No, no, please.
Yeah, I'm sending you a link right now. Don't worry, don't worry.
Okay, let's check this out.
Okay.
Okay, here's John's nude modeling career.
I'm not sure I should want to— Oh!
Oh! It's not John.
It's not me that's nude.
But it is a nude model.
It's the models that are nude.
Yeah, so John makes models, small models. They're amazing.
I prefer the term sculptures.
Sculptures. I'm sorry. You see, I'm doing cartoons. So of course, I lower the tone on this whole artist thing.
And we also have an artist called Calista, and she's doing these amazing ink sketches on self-help wisdom. So kind of distilling all that.
And we've got another guy called Ollie who does these rude lighting with lampshades made out of cuttings from harlequin romances, and I think he's using Fifty Shades of Grey.
Oh fuck, I think I just got the joke because he's making lampshades shades of grey.
And we also have an artist called Calista, and she's doing these amazing ink sketches on self-help wisdom. So kind of distilling all that.
And we've got another guy called Ollie who does these rude lighting with lampshades made out of cuttings from harlequin romances, and I think he's using Fifty Shades of Grey.
Oh fuck, I think I just got the joke because he's making lampshades shades of grey.
Oh yeah, there it is.
Yeah, see what he's done there?
That's funny. Do you think that's what he was doing?
If you the idea of nosing at people's art, you might meet Graham because Graham's certainly going to come and visit during Art Week.
If you the idea of nosing at people's art, you might meet Graham because Graham's certainly going to come and visit during Art Week.
I'm not going to miss this now. No, I'm coming to this.
So you can go to artweeks.org as the website, so A-R-T-W-E-E-K-S. smashingsecurity.org.
Right.
And you can come visit us. We are listed on the map, entry 127 to 129 in East Oxford.
Oh, crikey.
And love to meet some smashers face to face.
Wow. Well, Carole, this has really upped the artistic stakes for this episode. And John, I'm looking forward to checking out your little naked sculpture as well.
What a delight that'll be to see you in the clay.
What a delight that'll be to see you in the clay.
He's the real artist.
He is.
Yeah. Well, that just about wraps it up for this week. Thank you very much, John, for joining us this week.
Thanks for having me.
Folks at home, you can follow us on Twitter at SmashingSecurity, no G. Twitter allows us to have a G, and you can join the discussion on Reddit.
We've got an active community up there. Quickest way to find us is at smashingsecurity.com/reddit.
We've got an active community up there. Quickest way to find us is at smashingsecurity.com/reddit.
And shout out to this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. And huge thanks to you guys.
We'd be lonely souls without you. Thank you for listening and helping us grow.
We'd be lonely souls without you. Thank you for listening and helping us grow.
And check out smashingsecurity.com for past episodes and to follow us there. Until next time, cheerio, bye-bye.
Later.
Bye-bye.
So, Art Week.
Art Week.
Mm-hmm.
In this world, of unwanted commodity. Crow takes the ordinary to fabricate the desirable. What does that mean?
Keep reading.
Just kidding. Beautiful, useful stuff. Also small naked people.
And you're snoozing away and suddenly bang, bang, bang, bang on the door, right? It's 4 AM.
Oh, the dog's barking.
Do you want to go take care of that?
Yes.
Hang on.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
John Hawes
Show notes:
- "Gents! Stop airdropping your pics!" — Smashing Security episode 038, where we discussed the arrest of Marcus Hutchins.
- Marcus Hutchins plea agreement — PDF
- Statement from Marcus Hutchins (aka MalwareTech)
- "Stick to the good side." — Marcus Hutchins on Twitter.
- The Samsung Galaxy S10's ultrasonic fingerprint scanner is hacked — Graham Cluley.
- Video of Nokia 9's fingerprint sensor failure — Decoded Pixel on Twitter.
- Nokia 9 buggy update lets anyone bypass fingerprint scanner with a pack of gum — ZDNet.
- Most hacked passwords revealed as UK cyber survey exposes gaps in online security — NCSC.
- Facebook hoovered up 1.5 million users' email contacts without permission… "unintentionally" — Graham Cluley.
- Facebook: we logged 100x more Instagram plaintext passwords than we thought — Naked Security.
- Second Payment Services Directive (PSD2): 8 things businesses needs to know — Information Age.
- Teen sues Apple over accusations of Apple Store thefts — 9to5Mac
- Student Sues Apple for $1 Billion, Blames Face-Recognition Tech for False Arrest — Insurance Journal.
- Thunderbirds – 50th Anniversary Specials — Century 21 films
- Thunderbirds 1965 – Documentary — YouTube.
- Clash Royale: Enter the Arena.
- Oxfordshire Artweeks.
- Details of Carole and John's exhibition — Oxfordshire Artweeks.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: MetaCompliance
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off their products by quoting the code SMASHING. Visit www.smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
