A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Newsflash!
Newsflash!
Smashing Security has made it to the finals of the European Security Blogger Awards.
If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast.
Voting closes on the 31st of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show.
Smashing Security, Episode 128: Shackled Ankles, Photo Scrapes, and SIM Card Swaps with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 1000000. It's binary crawl. Episode 128. My name is Graham Cluley.
If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast.
Voting closes on the 31st of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show.
Smashing Security, Episode 128: Shackled Ankles, Photo Scrapes, and SIM Card Swaps with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 1000000. It's binary crawl. Episode 128. My name is Graham Cluley.
Thanks for that. I'm Carole Theriault. Mansplaining. Love it.
And we're joined by special guest broadcaster and binary expert and technology guru David McClelland. Hello, David. Hello. Hello.
How are you doing?
Save me from Graham.
We're doing pretty gorgeous and we've got a fun-packed show ahead of us tonight.
Well, you know, they do say, you know, speaking of binary there are, oh no, gosh.
1-0.
Yes, I was going to go down that joke line, but I realised it doesn't quite sound as good when you say it out loud as it does when you see it written down on paper.
Oh, making it up as we go along, folks, making it up.
Oh, making it up as we go along, folks, making it up.
Things can only get better. Carole, what have we got lined up on the show this week?
Oh, of course, another entertaining and dare I say it, pertinent episode of Smashing Security this week, thanks to our sponsors, Gartner, Recorded Future, and LastPass.
Now Graham, you plan to prattle about Holland's use of ankle bracelets. David dishes out the dirty on the latest SIM swapping news.
And strike a pose, kids, because I'm delving into the world of all things photo storage related, and it ain't pretty.
All this and much more coming up on this episode of Smashing Security.
Now Graham, you plan to prattle about Holland's use of ankle bracelets. David dishes out the dirty on the latest SIM swapping news.
And strike a pose, kids, because I'm delving into the world of all things photo storage related, and it ain't pretty.
All this and much more coming up on this episode of Smashing Security.
Now, chaps, chaps, I've got a question for you. And is this—
Whoa, whoa, whoa, whoa, whoa, whoa. Okay, stop, stop.
What?
I have a joke first. Okay, no, I know, I know, I know, I know. But I have a really, really good joke. And if I don't tell it now, I'm gonna forget. And okay, you ready?
Okay, it's a really good joke. Is it? Go on then. Let's hear it.
Hey officer, how did the hackers get away? I don't know. Ransomware.
Oh gosh.
You're welcome.
How come I've never heard that before?
Thank you, Reddit.
That's quite good actually, Carole.
I know. Okay, sorry, that's why I interrupted. Carry on.
Now, David Carole, have you ever found yourself manacled?
I've manacled other people.
I bet you have. Have you ever been shackled, handcuffed to a midget on a stag weekend in Lithuania, David? Anything that? Maybe you don't want to say too much.
It's nothing to be ashamed of.
It's nothing to be ashamed of.
In this era of Fifty Shades of Grey, don't give that piece of schlock an era title.
God.
Okay, carry on.
I've done my research into Fifty Shades of Grey, and it turns out it's not unusual for people to practice their reef knots, pop down the hardware store to pick up some cable ties and masking tape.
This is what they're all up to these days. It was never like this when I was courting. It was all about milkshakes and going to the malt bar and mini golf and cucumber sandwiches.
It was all an era of innocence back in my day, but the youngsters today are up to all kinds of kinky stuff, and maybe some of our listeners are as well. We're not going to judge.
We're not the judging kind, right?
This is what they're all up to these days. It was never like this when I was courting. It was all about milkshakes and going to the malt bar and mini golf and cucumber sandwiches.
It was all an era of innocence back in my day, but the youngsters today are up to all kinds of kinky stuff, and maybe some of our listeners are as well. We're not going to judge.
We're not the judging kind, right?
Well, yeah, you certainly aren't. You're woke, right?
Absolutely.
The world of lust and perversion may have passed me by, and that means that the best chance I have of feeling hard steel clamped around my extremities is if I get arrested one day, right?
And that's the point of my story in today's podcast, because we are going to return to the land of the Dutch.
The world of lust and perversion may have passed me by, and that means that the best chance I have of feeling hard steel clamped around my extremities is if I get arrested one day, right?
And that's the point of my story in today's podcast, because we are going to return to the land of the Dutch.
This is podjacking, isn't it? That's what you've just done.
Now, do you remember last week we talked about those chaps in Dutchland?
Yeah, so cool.
I love the Dutch. I do love the Dutch. And they seem to be becoming a regular feature of our show because it turns out that they've been up to something again.
From time to time, even in the free and easy Netherlands, police have reason to trouble criminals with a kindly reminder to behave themselves.
Or if that doesn't work, because they're quite tough on law and order over there, they may force them to wear an ankle bracelet, which can monitor their movements.
You know these kind of things, Carole? David, have you seen these?
From time to time, even in the free and easy Netherlands, police have reason to trouble criminals with a kindly reminder to behave themselves.
Or if that doesn't work, because they're quite tough on law and order over there, they may force them to wear an ankle bracelet, which can monitor their movements.
You know these kind of things, Carole? David, have you seen these?
Yeah, I think everyone in the universe knows what you're talking about.
Yeah, I'm not talking about Fitbits. These, if that's— Right? It's not one of those.
Funny. Well, it is. It is.
Well, maybe, but I mean, these are worn by people who are under house arrest or on parole, and it's sending a radio frequency signal containing their location back to HQ, right?
And if an offender moves outside of their allowed geofence, it goes, "Brrp, brrp, brrp, brrp, brrp." Right? And the police get notified.
And if an offender moves outside of their allowed geofence, it goes, "Brrp, brrp, brrp, brrp, brrp." Right? And the police get notified.
Or if they try and tamper with it or saw through it with a little hacksaw, it goes, "Brrp, brrp, brrp, brrp, brrp." Wouldn't it be better just to have little mini spikes on the inside of the ankle bracelet that if they started screwing around, they would just start digging in slowly into the flesh?
This isn't Myanmar, Carole. You can't do things like that. Especially not in Netherlands.
Just thinking, you know. It's a police resource being wasted.
You're going back to Fifty Shades of Grey, I think. That's the sort of thing they might want to do over there. Anyway, right.
So have you ever considered what might happen if that monitoring technology goes a bit wonky?
So have you ever considered what might happen if that monitoring technology goes a bit wonky?
Oh.
What the impact may be on the criminals themselves?
No.
Guess what? It's just happened. Just happened. Dutch police. There was a duff software update pushed out and it crashed hundreds of these devices.
They were monitoring something like 750 people in the Netherlands.
They were monitoring something like 750 people in the Netherlands.
Okay.
With these ankle monitoring devices, and they all kind of went—
Thank goodness that none of them had Carole's spikes on there. Otherwise, that would have been pretty painful for a lot of criminals.
Goodness me.
Poor little criminal.
So according to the Dutch government, this disruption occurred and the signals weren't being received from the ankle bands last week.
So does that mean criminal could just go, okay, I can get out of my whatever, my limited geolocation pen?
Yeah, exactly. They could get outside of their sort of allowed area. They could, hey, you know, even though it's 9 PM at night, I can go down the Aldi or the Lidl or supermarket.
I can't do anything.
Or I could go to the dodgy end of town, or I could go and visit those people I'm not supposed to visit, maybe intimidate some witnesses. You know, it's quite serious.
But did they even know that their ankle bracelets had broken?
Well, I suppose word must have got round because the way in which the police responded to this was that they began to ring up criminals or began to ring up people who were wearing these things and made house visits and said, hey, look, we just want to make sure you're behaving yourselves and you stay inside your house.
Some people were actually preemptively arrested and jailed. They were rounded up by the authorities, the most high-risk suspects.
So word must have got round that maybe these things weren't working.
But I say, it's no laughing matter, really, especially for those who may have been fearful that someone who committed a crime against them may have not been monitored by the authorities.
Some people were actually preemptively arrested and jailed. They were rounded up by the authorities, the most high-risk suspects.
So word must have got round that maybe these things weren't working.
But I say, it's no laughing matter, really, especially for those who may have been fearful that someone who committed a crime against them may have not been monitored by the authorities.
I have a question.
Yes.
Did the authorities let the residents know that basically there were some criminals that were not being monitored?
Yes. In fact, local media reported, "Schlagthoffers en neistabberbaren worden, ze schnell mojiglijk againvermerd," was actually what— sorry.
Well, as our Dutch listener base knows, that is me explaining that people who have been victims of crime and people who were witnesses in cases were told that unfortunately the people we're monitoring, we're not currently monitoring.
So, you know, keep away from your windows or keep your head down.
Well, as our Dutch listener base knows, that is me explaining that people who have been victims of crime and people who were witnesses in cases were told that unfortunately the people we're monitoring, we're not currently monitoring.
So, you know, keep away from your windows or keep your head down.
Yeah, think Mad Max, go nuts, guys.
Well, fortunately they did manage to fix the problem within about 24 hours.
But astonishingly, this isn't the first time that the Dutch authorities have been caught with their clogs off over their ankle monitoring system.
But astonishingly, this isn't the first time that the Dutch authorities have been caught with their clogs off over their ankle monitoring system.
That's a stupidly long time, 24 hours, do you not think?
Well, I don't know the exact— I'm just saying roughly, but I mean, the thing was there was some sort of outage of the mobile phone system.
These things are operating over the GSM network. And I suppose it's a bit like if here in the UK, for instance, was it T-Mobile or Orange or Vodafone or one of those anyway?
They went out, didn't they, for about a day and a half?
These things are operating over the GSM network. And I suppose it's a bit like if here in the UK, for instance, was it T-Mobile or Orange or Vodafone or one of those anyway?
They went out, didn't they, for about a day and a half?
Yeah, I think it was O2 a little while ago as well.
I named everyone else. Okay, so maybe it was O2. You know, we get our facts straight here. But the impact was a bit like Mad Max, wasn't it, Carole?
It was a bit beyond the Thunderdome because people could not cope anymore because I don't have a data connection or I can't communicate with my family.
Not the first time this has happened in the Netherlands. Last August, something similar happened. There was a widespread outage of the Dutch mobile phone network.
Over half of the suspects the Ministry of Justice were monitoring at the time went dark. And so they didn't know where they were or what they were up to.
It was a bit beyond the Thunderdome because people could not cope anymore because I don't have a data connection or I can't communicate with my family.
Not the first time this has happened in the Netherlands. Last August, something similar happened. There was a widespread outage of the Dutch mobile phone network.
Over half of the suspects the Ministry of Justice were monitoring at the time went dark. And so they didn't know where they were or what they were up to.
It's an interesting thing though, isn't it? Because you kind of want people out of jail.
So electronic monitoring seems like a great way to be able to reduce costs, but also give people some kind of limitations on their freedoms. But not if it doesn't work.
So electronic monitoring seems like a great way to be able to reduce costs, but also give people some kind of limitations on their freedoms. But not if it doesn't work.
I mean, what used to happen before all these technologies?
Was there just a really long rubber band or something that they would tie around people's ankles so you couldn't get too far away from them?
Was there just a really long rubber band or something that they would tie around people's ankles so you couldn't get too far away from them?
Yes, that's exactly what they did.
Is it? Exactly, yes, yes.
You're so smart, Graham. Thank you very much.
But I guess the other worrying thing here is that by the looks of it, all of this was caused by a dodgy software update.
You know, it's as though once again someone's rolled out a new software patch to hundreds, thousands, whatever of devices, and somehow the testing just hasn't worked properly.
So again, that's the thing that needs to be sorted out.
I get that we can leverage technology to civil liberties, whatever you want to call it, but if you don't test it, then this stuff is going to happen.
That's the thing that's particularly upsetting here for me.
You know, it's as though once again someone's rolled out a new software patch to hundreds, thousands, whatever of devices, and somehow the testing just hasn't worked properly.
So again, that's the thing that needs to be sorted out.
I get that we can leverage technology to civil liberties, whatever you want to call it, but if you don't test it, then this stuff is going to happen.
That's the thing that's particularly upsetting here for me.
Right, so maybe if you're going to push out an update to the sort of ankle monitoring systems, for instance, don't send it out to everyone.
Maybe you have a subset of less criminal people, people who've been jaywalking, people who didn't tip at the barbers.
And those people— you wouldn't have a crime that though in the Netherlands, would you?
But you need to find some sort of lesser crime, try it with them first of all, and if they have a problem with them, don't roll it out to absolutely everybody.
Maybe you have a subset of less criminal people, people who've been jaywalking, people who didn't tip at the barbers.
And those people— you wouldn't have a crime that though in the Netherlands, would you?
But you need to find some sort of lesser crime, try it with them first of all, and if they have a problem with them, don't roll it out to absolutely everybody.
Yeah, maybe the Dutch police could just walk in and whoever the provider of this technology is go, dudes, we're the police. We really need to up our game.
You know, I think I'd pay attention.
You know, I think I'd pay attention.
Yes. Well, remember, it is Holland as well. So I mean, they are—
What, they just go out for a spliff afterwards?
They're just going to be quite relaxed, I think, for a moment.
All of these stereotypes about the Dutch. I used to live in Amsterdam. Oh, interesting. 10, 11 years ago now.
Yes, I was working out there and learnt as much of the language as I possibly could and really, really enjoyed it, you know, from a linguistic point of view.
I love my languages, halfway between German and— obviously geographically halfway between German and English, but as soon as you get out of the way of all the J's then, and a lot of K's there as well, as soon as you get those out of your head and learn, it just makes sense.
The language is beautiful to speak. It doesn't really sound it necessarily, but as soon as you get under the skin of it, I loved it.
Yes, I was working out there and learnt as much of the language as I possibly could and really, really enjoyed it, you know, from a linguistic point of view.
I love my languages, halfway between German and— obviously geographically halfway between German and English, but as soon as you get out of the way of all the J's then, and a lot of K's there as well, as soon as you get those out of your head and learn, it just makes sense.
The language is beautiful to speak. It doesn't really sound it necessarily, but as soon as you get under the skin of it, I loved it.
Ooh, you see, Graham, that's what it really sounds like.
He should have done this story rather than me, shouldn't he?
Yeah.
David, what's your story for us this week?
What do SIM cards and bitcoin have in common, Graham and Carole?
An I? Two syllables.
Okay, okay. Let me enlighten you. So, first of all, two-factor or multifactor authentication. I think we can all agree that in principle, that's a good thing.
Check.
Exactly. Now, traditionally, sending a text message to a phone has been one of the more popular ways of doing this.
And the logic being that if a scammer did manage to brute force, socially engineer, or otherwise get hold of potential victim's username and password, it's unlikely they'd have visibility of the victim's smartphone too.
So that's why we've seen a number of service providers over the years, haven't we?
Banks, financial services, warn enforcing this, relying on this to an extent to confirm logins or new payees or even password resets.
Because text messages, mobile phones, they're infallible, right? Well, yeah, no, of course not. And this is where so-called SIM swap fraud is.
It's really quite clever, I guess, inasmuch as our friends the fraudsters manage to hijack a victim's mobile phone number. And to do this, they pull a social engineering coup.
And the logic being that if a scammer did manage to brute force, socially engineer, or otherwise get hold of potential victim's username and password, it's unlikely they'd have visibility of the victim's smartphone too.
So that's why we've seen a number of service providers over the years, haven't we?
Banks, financial services, warn enforcing this, relying on this to an extent to confirm logins or new payees or even password resets.
Because text messages, mobile phones, they're infallible, right? Well, yeah, no, of course not. And this is where so-called SIM swap fraud is.
It's really quite clever, I guess, inasmuch as our friends the fraudsters manage to hijack a victim's mobile phone number. And to do this, they pull a social engineering coup.
Woo!
But not on the victim themselves, but on the mobile operator, and they call up the mobile network, pretend to be the victim, and they tell a story about how they've lost their phone or their SIM's got damaged, but it's okay because they've picked up another SIM, and could you just port that number onto my new SIM so I can get on with my life?
Shall we roleplay that? Shall we have a go at that and see how well it works? So, Carole, would you be the mobile phone operator?
Absolutely.
Hi there. And I'll be— David, would you like to be the fraudster, or shall I be the fraudster?
Oh no, no, no, you be the fraudster.
All right. Okay. Okay. So, Carole, pick up the phone.
Normally it takes about 4 hours before he picks up. Yeah, I'm giving you the hold music. Hello, you've reached Carole Theriault at company. How can I help you?
Oh, hello, Carole. It's George Clooney here. You may have seen me in television programmes such as ER. Now, I've lost my phone. I've had it stolen.
Oh, Georgie!
Yeah, and it's a bit of a nuisance, to be honest.
I've got a new phone with a new SIM, but what I really need, you see, is I need my number switched over, because everyone's trying to contact me, and so they want to have a word with me.
So can we switch over my old number to this number, please?
I've got a new phone with a new SIM, but what I really need, you see, is I need my number switched over, because everyone's trying to contact me, and so they want to have a word with me.
So can we switch over my old number to this number, please?
We would need to answer a few security questions before we do that, I'm afraid.
Go ahead, go ahead, no problems at all.
First off, can you give me the name of your pet? Yes, I can. Tiddles? Correct, correct. It is Tiddles. No problem. Here you are. You have a new number. Thank you very much.
Thank you very much. And thank you, Wikipedia, as well, for giving me the information. And that's exactly how it works, people.
Now, the first thing that George Clooney would know about this is when his phone doesn't work. Picks up his phone in the morning and it just says no service.
And if you're anything like me, you'll just put it down to a dodgy network, you might eventually reboot your phone, wait a bit longer before—
And if you're anything like me, you'll just put it down to a dodgy network, you might eventually reboot your phone, wait a bit longer before—
I'd go back to bed being like, hallelujah.
Exactly, before you drum up the mental strength to get onto the phone, probably speaking to the bozo who's just given your phone number away to somebody else.
And all that time, the fraudsters have done their work and they are long, long gone. Now, this isn't new for many of us.
And I first came across this, what, 3 or so years ago when it started to become fairly mainstream in the UK. Quite a big problem in the United States.
Speaking of which, we've learned a little bit more in the last week or so about who it is who's been perpetrating these SIM swap frauds and what they've been doing them for, allegedly.
I should stick allegedly in there somewhere. And so some of the sums of money that are involved as well.
And all that time, the fraudsters have done their work and they are long, long gone. Now, this isn't new for many of us.
And I first came across this, what, 3 or so years ago when it started to become fairly mainstream in the UK. Quite a big problem in the United States.
Speaking of which, we've learned a little bit more in the last week or so about who it is who's been perpetrating these SIM swap frauds and what they've been doing them for, allegedly.
I should stick allegedly in there somewhere. And so some of the sums of money that are involved as well.
And the way in which they make this comes back to this issue of password resets and websites and services which use your mobile phone as a form of authentication.
The point is, once they've grabbed the phone number off someone else, they get your texts rather than you getting them.
So they're able to get those magic numbers which help them into a site.
The point is, once they've grabbed the phone number off someone else, they get your texts rather than you getting them.
So they're able to get those magic numbers which help them into a site.
It's almost like they are now in charge of getting the two-factor authentication.
Exactly. And that's exactly what has been happening here. So there's been a couple of cases that have kind of risen to the top at the same time.
One of them, there's a hacking group known as The Community that has been outed, and one of the suspects is this 20-year-old Irish dude who was arrested last week, I think, who, if he's found guilty, could face 100 years in jail for stealing around $2.5 million worth of bitcoin.
How did they steal it? Yeah, SIM swap fraud, targeting victims, assuming their mobile identity, and resetting their crypto wallet passwords.
And other members of that community also include three former employees of mobile phone providers.
One of them, there's a hacking group known as The Community that has been outed, and one of the suspects is this 20-year-old Irish dude who was arrested last week, I think, who, if he's found guilty, could face 100 years in jail for stealing around $2.5 million worth of bitcoin.
How did they steal it? Yeah, SIM swap fraud, targeting victims, assuming their mobile identity, and resetting their crypto wallet passwords.
And other members of that community also include three former employees of mobile phone providers.
No way!
Inside job, people.
Juicy, juicy.
Inside job, yeah. But the numbers get bigger because also last week, in a separate case, entrepreneur and bitcoin investor was awarded a payout in the region of $75 million.
Unbelievable.
I know, from a so-called bitcoin bandit. Him and his team stole $24 million worth of cryptocurrency.
Obviously, the value of that particular cryptocurrency's inflated somewhat between the theft and the award.
They don't actually say whether that cryptocurrency was bitcoin or not, I noted.
But yes, so it's New Yorker Nicholas Trulia who has to pay compensation and punitive damages, according to Reuters. And the investor victim was Michael Terpin.
And again, it was SIM swapping. They SIM swapped their way to that small fortune.
But also, interestingly, the victim here, Michael Terpin, is launching a case to sue the mobile network AT&T for a whopping $224 million for gross negligence.
Obviously, the value of that particular cryptocurrency's inflated somewhat between the theft and the award.
They don't actually say whether that cryptocurrency was bitcoin or not, I noted.
But yes, so it's New Yorker Nicholas Trulia who has to pay compensation and punitive damages, according to Reuters. And the investor victim was Michael Terpin.
And again, it was SIM swapping. They SIM swapped their way to that small fortune.
But also, interestingly, the victim here, Michael Terpin, is launching a case to sue the mobile network AT&T for a whopping $224 million for gross negligence.
It's just ridiculous. It's like the guy I was talking a few weeks ago, the guy was suing Apple for a billion dollars. It's just, ah, it's such a joke.
Carole, what's your story for us this week?
How do you guys store photos? Like, do you use photo storage apps or anything like that?
I do a few different things, but I must admit, I do use one very convenient cloud storage option.
You have a cloud storage option for your photos? I do too. Graham?
Yeah, we have an Amazon Prime account and that comes with something called Amazon Photos and I think they get uploaded to there.
There's a lot of big ones. There's Google Drive, there's Microsoft OneDrive, there's Dropbox, all these.
But there's also a few smaller players, right, that provide additional services that go maybe above and beyond what you can get with these big players.
And we're going to focus on one of these photo cloud storage players, one called EverAlb.
Now I would us to pretend that this is an app that has been recommended to us by a new Smashing Security listener.
And let's say we mentioned the show that we were looking for a photo storage solution and they said, "Hey, check out EverAlbum, it's so great, it's so great." Let's say this just happened.
Do you go and install it right away? This is a free app, so there's no money having to be exchanged.
But there's also a few smaller players, right, that provide additional services that go maybe above and beyond what you can get with these big players.
And we're going to focus on one of these photo cloud storage players, one called EverAlb.
Now I would us to pretend that this is an app that has been recommended to us by a new Smashing Security listener.
And let's say we mentioned the show that we were looking for a photo storage solution and they said, "Hey, check out EverAlbum, it's so great, it's so great." Let's say this just happened.
Do you go and install it right away? This is a free app, so there's no money having to be exchanged.
It's been recommended by one of our listeners. I inherently trust them though, because they've already shown great quality, great taste.
Actually, I'm really hoping that Dave's a little bit more skeptical about doing that. Bit of digging. Where would you start in that situation?
So you might kind of, I don't know, start at the website, just check out their webpage and see what they do. What is it?
And, you know, it would say it helps you capture and rediscover your life's memories. And you're kind of thinking, okay, marketing spiel, right?
And then you're kind of reading down and you kind of go, oh, it frees up space on my device by removing photos from your camera roll. And you're, okay, that's cool.
So you might kind of, I don't know, start at the website, just check out their webpage and see what they do. What is it?
And, you know, it would say it helps you capture and rediscover your life's memories. And you're kind of thinking, okay, marketing spiel, right?
And then you're kind of reading down and you kind of go, oh, it frees up space on my device by removing photos from your camera roll. And you're, okay, that's cool.
That's cool.
And then you go, it also can grab pictures from all your feeds and store them in one container.
You know, if you're on WhatsApp or Instagram, or if you're on, you know, your iMessage or whatever the equivalent of Android is.
You know, if you're on WhatsApp or Instagram, or if you're on, you know, your iMessage or whatever the equivalent of Android is.
Oh, I see. So if you're putting up photos on Facebook, for instance, they will also be backed up to EverAlbum.
Exactly, right? So all your pictures get up there and it's great for you as a user, they say, because, you know, all your stuff's in one place. Because I do find that annoying.
There's pictures all over the place and they're not always, you know.
There's pictures all over the place and they're not always, you know.
How much do you have to pay for this?
Free. Oh, it's free.
It's completely free. Excellent, excellent. I'm totally, totally convinced now that this is going to be a porn.
And they say things high-resolution photo storage, get your space back, share your best moments. You can share photos and stuff with people.
And they say secure and private backup, right? Your photos—quote—your photos are always private until you decide to share.
Add an extra level of security with Touch ID protection. Okay, so right now, so you're seeing that again, this is all what they are saying about themselves.
That's what I'd be thinking at this stage, right? I'd be, well, what other people say? What, what are third parties say?
And you can see on the site that App Annie says one of the fastest growing photo apps worldwide in 2016.
And Wired says EverAlbum challenge to Google and Dropbox for storing photos online. Next Web bringing the emotion back to photos. So you're kind of thinking, okay.
And they say secure and private backup, right? Your photos—quote—your photos are always private until you decide to share.
Add an extra level of security with Touch ID protection. Okay, so right now, so you're seeing that again, this is all what they are saying about themselves.
That's what I'd be thinking at this stage, right? I'd be, well, what other people say? What, what are third parties say?
And you can see on the site that App Annie says one of the fastest growing photo apps worldwide in 2016.
And Wired says EverAlbum challenge to Google and Dropbox for storing photos online. Next Web bringing the emotion back to photos. So you're kind of thinking, okay.
I'm always nervous of quotes this.
It's a bit the quotes which you see on the front of books or outside West End shows where it says, "A marvel," it says, and they leave out the word "hardly" in front of it.
It's a bit the quotes which you see on the front of books or outside West End shows where it says, "A marvel," it says, and they leave out the word "hardly" in front of it.
Exactly, because it's on their website, right?
Right. And heaven forbid that some journalists write those quotes just so that their own names get emblazoned on the front of, you know, books and posters and so on.
That would never happen to a legitimate, you know, responsible journalist.
That would never happen to a legitimate, you know, responsible journalist.
Stop jesting.
Yeah, so at this point I might, I don't know about you guys, but I might go to the Apple or the Android store just to see what people say about the app, how many ratings it has, that kind of thing, right?
And say you saw 6,000 ratings and they had 4.5 out of 5 stars.
Typical review would be like, digging it, I honestly love this app and literally use it repeatedly throughout each and every day.
Yeah, so at this point I might, I don't know about you guys, but I might go to the Apple or the Android store just to see what people say about the app, how many ratings it has, that kind of thing, right?
And say you saw 6,000 ratings and they had 4.5 out of 5 stars.
Typical review would be like, digging it, I honestly love this app and literally use it repeatedly throughout each and every day.
Yeah, people are going to find that reassuring, right?
And so you're thinking, oh, would you install at this point? You've already installed, Graham. But Dave, would you— David, would you install at this point or?
Well, I mean, apart from the fact that it's free, I'm just trying to think about what the red flags are here. I mean, clearly you've read the terms of service.
You've been through those with a fine-tooth comb to make sure that you understand exactly what it is they're going to be doing with all of these photos.
And if there's nothing naughty there, then yeah, you know, maybe it's good.
You've been through those with a fine-tooth comb to make sure that you understand exactly what it is they're going to be doing with all of these photos.
And if there's nothing naughty there, then yeah, you know, maybe it's good.
And until April 15th, you would have read that terms and conditions and thought, OK, I'm pretty cool with this.
You might even have done some digging elsewhere and gone to Good Housekeeping, who gave it 4 out of 5 stars, or TechCrunch that said it was amazing, right?
You might even have done some digging elsewhere and gone to Good Housekeeping, who gave it 4 out of 5 stars, or TechCrunch that said it was amazing, right?
Good Housekeeping.
Yeah.
I know. Get all your recommendations. Trust me.
Their tech section's great, Graham. You should try it.
I think it's a trusted household brand. I think consumers would trust something like Good Housekeeping. I do.
All right.
And then Gizmodo. So for people like you, Gizmodo said, listed it as one of the best photo album apps you've probably never heard of, right? As a kind of cool hipster app.
The fact that it's free isn't necessarily a bad thing because of course—
There's in-purchase things.
Yeah, exactly. Because there may be sort of professional tiers where you pay or something for more features, you know, and little crowns.
I don't know what the feature would be, but it might be there's something which they're offering, which they say, look, you can do this, or you can print off albums or create collages of your pictures, but you have to have a silver membership to do that.
So it's not necessarily a bad thing because there might be some kind of upsell.
Carole, I have to say that if your answer is yes, we should feel comfortable installing this, this is possibly the dullest and weakest security you have ever brought to our podcast of 128 episodes, and that's saying something.
I don't know what the feature would be, but it might be there's something which they're offering, which they say, look, you can do this, or you can print off albums or create collages of your pictures, but you have to have a silver membership to do that.
So it's not necessarily a bad thing because there might be some kind of upsell.
Carole, I have to say that if your answer is yes, we should feel comfortable installing this, this is possibly the dullest and weakest security you have ever brought to our podcast of 128 episodes, and that's saying something.
So back in your box, okay? Because just last week, MSNBC News delivered what I feel is an incredibly scoopy story.
Right.
All about EverAlbum. And what they were really up to with all our photos, all 13, get this, 13 billion of them that they've collected from millions and millions of users.
That's a lot of selfies, isn't it? Goodness me.
What MSNBC's investigation team uncovered is that the photos people were sharing were being and are being used to train the company's facial recognition system, and that Ever then touts this technology to private companies like law enforcement and the military.
Security.
So in other words, what began in 2013 as another cloud storage app has pivoted towards a much, much, much more lucrative business known as EverAI for artificial intelligence.
And the clincher is all without telling the millions of users who own the copyright to all those photos.
And the clincher is all without telling the millions of users who own the copyright to all those photos.
Yes. Well, that would have ruined their business model, wouldn't it? Telling people that's what they were going to do with it. But you can't tell someone you're stealing from them.
That would defeat the purpose.
Especially when they'd already taken all the photographs and they said, oh, okay, although we've got these under the auspices of just being all friendly photo storage and all the rest of it, we're not going to tell the people that all those photos you've given us in the past, we're going to use those for facial recognition as well.
Yeah, Jacob Snow, a civil liberties attorney, said they are taking images of people's families' photos from a private photo app and using it to build surveillance technology.
Hugely concerning, he says. Now let's be clear, they are not being accused of sharing these photos with third parties.
Rather, the billions of images are being used to instruct an algorithm on how to identify faces.
And every time an Ever user enables facial recognition, which is a feature in the app, and they enable that on their phones to group together images from disparate apps and technologies and services, Ever's facial recognition technology learns from the matches and trains.
And that knowledge powers the company's commercial facial recognition products. So my question is, is this cool or not? What do you think, boys?
Hugely concerning, he says. Now let's be clear, they are not being accused of sharing these photos with third parties.
Rather, the billions of images are being used to instruct an algorithm on how to identify faces.
And every time an Ever user enables facial recognition, which is a feature in the app, and they enable that on their phones to group together images from disparate apps and technologies and services, Ever's facial recognition technology learns from the matches and trains.
And that knowledge powers the company's commercial facial recognition products. So my question is, is this cool or not? What do you think, boys?
Well, I think they've been a bit wimpy. I don't know why they've stopped at this. Why haven't they taken people's photographs and begun to plaster them all over lunchboxes?
Why don't they be, you know, there's a million ways in which they could exploit these photographs and this data if they wanted, just doing facial recognition.
Where's their American entrepreneurial spirit, the swine. So what a ghastly, dastardly thing to do.
Why don't they be, you know, there's a million ways in which they could exploit these photographs and this data if they wanted, just doing facial recognition.
Where's their American entrepreneurial spirit, the swine. So what a ghastly, dastardly thing to do.
Yeah, I don't want to sound all conspiracy, but I'm willing to bet there's more than a smattering of startups out there and app firms that are touting for our attention today and are doing exactly, or something very similar to this.
And they're doing it without our knowledge and consent because there's not enough liability laws in this space to help control this kind of behavior.
And they're doing it without our knowledge and consent because there's not enough liability laws in this space to help control this kind of behavior.
Well, you mentioned tech startups. It's not just the tech startups that have been doing some interesting things in this area as well.
So NBC and the amazing Olivia Solon, I think it was back in March, wasn't it? Yes.
So they did an exposé on something that IBM has been doing with its facial recognition AI, where it's been taking a look at faces that are in the public domain, specifically from Flickr, photo sharing site ex of Yahoo, Flickr.
And it's been basically taking a lot of the photos that were uploaded there under Creative Commons licenses, license terms, which in theory means that people are able to download them and start using them.
But, and I think this is the thing, that the people who were uploading those images to Flickr didn't realize that their faces or the images they were uploading of their friends, family, whatever, would be used specifically for research purposes and for developing an even stronger AI for IBM's Watson system.
And, you know, there is now a way that photographers can request their images be removed from IBM's facial recognition AI system.
So it's not just the startups, it's the big players that are in this as well, and they will get their hands on whatever dataset they can legitimately or illegitimately use to try and beef up their bots' brains.
So NBC and the amazing Olivia Solon, I think it was back in March, wasn't it? Yes.
So they did an exposé on something that IBM has been doing with its facial recognition AI, where it's been taking a look at faces that are in the public domain, specifically from Flickr, photo sharing site ex of Yahoo, Flickr.
And it's been basically taking a lot of the photos that were uploaded there under Creative Commons licenses, license terms, which in theory means that people are able to download them and start using them.
But, and I think this is the thing, that the people who were uploading those images to Flickr didn't realize that their faces or the images they were uploading of their friends, family, whatever, would be used specifically for research purposes and for developing an even stronger AI for IBM's Watson system.
And, you know, there is now a way that photographers can request their images be removed from IBM's facial recognition AI system.
So it's not just the startups, it's the big players that are in this as well, and they will get their hands on whatever dataset they can legitimately or illegitimately use to try and beef up their bots' brains.
Yeah, and that's really interesting because I'm just thinking actually while you were saying that, that from what I read, EverAlbum changed their privacy policies based on this MSNBC, you know, working on the story.
So they did this prior to it and updated their privacy policy. I think it was April 15th, if I remember correctly.
And I just wonder how that GDPR, that old favorite, how that applies because obviously a face, whether there's your names associated to it or not, it's obviously a pretty big identifier of who you are.
So is your face anonymous? Or not. It was an interesting question.
Anyway, we're going to see a lot more of this crop up as we descend into the stinky bowels of all things digital and technology. So watch this space. Clunk flush.
So they did this prior to it and updated their privacy policy. I think it was April 15th, if I remember correctly.
And I just wonder how that GDPR, that old favorite, how that applies because obviously a face, whether there's your names associated to it or not, it's obviously a pretty big identifier of who you are.
So is your face anonymous? Or not. It was an interesting question.
Anyway, we're going to see a lot more of this crop up as we descend into the stinky bowels of all things digital and technology. So watch this space. Clunk flush.
Descend into the stinky bowels. Clunk flush. Thank you, Carole Theriault. Excellent. Oh, I think we need a little refresh now, don't we?
Need something just to cleanse the palate a little bit. Something like a sponsor break.
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you.
It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations.
Grab it now for free at smashingsecurity.com/intelligence.
Need something just to cleanse the palate a little bit. Something like a sponsor break.
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you.
It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations.
Grab it now for free at smashingsecurity.com/intelligence.
We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
Yeah, stolen passwords, poorly chosen passwords, reused passwords.
Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Listeners can learn all about LastPass Enterprise at lastpass.com/smashingsecurity. Smashing Security.
You don't have to say forward slash, by the way, Kian, just say slash, just so you know.
And last but not least, we are supported this week by Gartner. Gartner is the world leading research and advisory company, and they are having a big event.
It's massivo, I'll tell you. All of the big security vendors are gonna be there.
They're gonna be talking about cyberattacks, artificial intelligence, blockchain, machine learning, and much more.
It's all taking place between June 17th and 19th at the Gaylord National Convention Center in National Harbor, Maryland.
So I'd really recommend that if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit.
They're gonna be talking about cyberattacks, artificial intelligence, blockchain, machine learning, and much more.
It's all taking place between June 17th and 19th at the Gaylord National Convention Center in National Harbor, Maryland.
So I'd really recommend that if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit.
And listen up, listeners, you can receive $350 off the registration fee by using the code SMASHING with a G. To learn more, visit smashingsecurity.com/gartner.
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like cool. Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Could be a funny story they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Should never be.
And my Pick of the Week this week is not security-related.
Good.
Now, my son — yes, well, my son, he's a young lad, and like every other young lad, he's rather addicted to screens, and I'm trying to manage that with some success sometimes and disastrous consequences other times.
But one of the things which I found him watching is a YouTube channel which I actually approve of, which is not true of most of the YouTube channels he watches.
They're mostly full of cretins with purple hair and screaming all the time, getting very excited, lots of fast editing. I'm just like, oh, this is horrible and ghastly.
But what is wonderful is a YouTube channel called Oversimplified, and the person behind Oversimplified — yeah, well, as a fellow artist, now I was about to say, Carole, because his artwork does remind me of another celebrated artist who has exhibited recently at the Oxford Art Week.
Yes, we just finished. It is a stick figure kind of artwork.
And what he does is he will take something from history and he will explain it in a fashion which is both understood by an 8-year-old boy and his middle-aged father. Brilliant!
I love this. It is wonderful and it's entertaining and it's educational.
And so my son will be sat there eating his cornflakes in the morning and he will be watching videos about the Cold War or World War II.
But one of the things which I found him watching is a YouTube channel which I actually approve of, which is not true of most of the YouTube channels he watches.
They're mostly full of cretins with purple hair and screaming all the time, getting very excited, lots of fast editing. I'm just like, oh, this is horrible and ghastly.
But what is wonderful is a YouTube channel called Oversimplified, and the person behind Oversimplified — yeah, well, as a fellow artist, now I was about to say, Carole, because his artwork does remind me of another celebrated artist who has exhibited recently at the Oxford Art Week.
Yes, we just finished. It is a stick figure kind of artwork.
And what he does is he will take something from history and he will explain it in a fashion which is both understood by an 8-year-old boy and his middle-aged father. Brilliant!
I love this. It is wonderful and it's entertaining and it's educational.
And so my son will be sat there eating his cornflakes in the morning and he will be watching videos about the Cold War or World War II.
Or the Emu War.
Or the Emu War. I haven't watched that one yet. I don't know about that. And American Revolution is there. Yeah.
Yes.
He's watched that one. In the space of 10 or 15 minutes, he's suddenly become an expert in these things. And it's very family friendly.
It's amusing, but it really, and it's absolutely ignited this love of history within him. And he finds them both amusing.
It's amusing, but it really, and it's absolutely ignited this love of history within him. And he finds them both amusing.
Oh, listen to the proud dad in Graham.
It's nice. It's nice. There you go.
There you go.
So my pick of the week is the Oversimplified channel on YouTube, and we will include a link in the show notes.
If you go to smashingsecurity.com on each episode, you will find our show notes there if they're not displayed properly inside your podcast app. Oversimplified on YouTube.
If you go to smashingsecurity.com on each episode, you will find our show notes there if they're not displayed properly inside your podcast app. Oversimplified on YouTube.
And looking at these videos on here, there aren't that many of them. What are there, about 15 or so there? Probably less than that.
But I can tell from the animation that a lot of care goes into creating these.
But I can tell from the animation that a lot of care goes into creating these.
Oh yes.
And there's another edutuber, CGP Grey, who I'm sure many people have come across before. He's great. And I follow another podcast called Cortex that he works on with Mike.
And yeah, hearing the stories of how much research goes into the creating of these and making sure that the scripts are absolutely correct before you get anywhere near the animation, it's very easy to dismiss cartoony-type educational videos on YouTube.
A, because they're on YouTube. B, because they're, you know, cartoon animation, whatever.
But actually, if what I think from what you're saying and what I get from similar channels is true, then actually these are priceless.
So yeah, I'll certainly be taking a look through these myself.
And yeah, hearing the stories of how much research goes into the creating of these and making sure that the scripts are absolutely correct before you get anywhere near the animation, it's very easy to dismiss cartoony-type educational videos on YouTube.
A, because they're on YouTube. B, because they're, you know, cartoon animation, whatever.
But actually, if what I think from what you're saying and what I get from similar channels is true, then actually these are priceless.
So yeah, I'll certainly be taking a look through these myself.
Let's put David's suggestions in these notes as well.
Yes, CGP Grey, that's his name, isn't it?
CGP Grey, yes.
Yes, with Mike Hurley. He does the Cortex podcast, which is good stuff.
I think he did the video about the difference between England, the United Kingdom, and Great Britain, which I remember got lots of —
I think he did the video about the difference between England, the United Kingdom, and Great Britain, which I remember got lots of —
Yes, he did.
Lots and lots of views. You know, something even us people who live in the UK, we really struggle to answer those questions.
What is the difference?
I can't tell. British Isles, who knows? David, what's your pick of the week?
Well, I guess I'm going to cheat a little bit in the means of self-promotion and say that BBC Rip Off Britain is on television at the moment.
This is a series that I've been working on since 2012 as their tech face.
And I know we're not meant to be talking about security-related things, but there are a few security stories that I've been covering this series, including things along the lines of Facebook and how some fraudsters are copying Facebook pages and how, as consumers, you can tell the difference between a business's genuine Facebook page and a fraudster's copycat version of them.
And obviously, there can be some pretty big money that gets lost as a result of that. And also this scam called brushing, which, if you haven't come across it before.
It's quite counterintuitive. Well, it is.
Let's say that you order stuff from Amazon, and then all of a sudden you start getting stuff arriving on your doorstep that you haven't ordered.
And you're thinking, "What on earth is all this about?" And you're thinking, "Well, do I send it back to Amazon, or do I keep it?" And then more and more and more stuff starts to arrive.
Now, you are a "victim," in inverted commas, of a brushing scam. It doesn't sound too bad because you're receiving free stuff on the face of it.
But what's actually happening there is that it's all about gaming the online review systems.
And, you know, in a marketplace where there's lots and lots of traders selling fairly similar things, it's those who shout loudest or have the most 5-star reviews and glowing reviews that tend to go to the top of the pile and make the most sales.
So the long and short of it is this is a way of getting verified purchase reviews.
These items have been, in theory, fraudulently bought, fake purchases, but they're verified purchases.
They just send them out to random people, let's face it, and then post glowing reviews of them, those glowing reviews force those items through to the top of the searches on Amazon or other marketplaces as well.
This is a series that I've been working on since 2012 as their tech face.
And I know we're not meant to be talking about security-related things, but there are a few security stories that I've been covering this series, including things along the lines of Facebook and how some fraudsters are copying Facebook pages and how, as consumers, you can tell the difference between a business's genuine Facebook page and a fraudster's copycat version of them.
And obviously, there can be some pretty big money that gets lost as a result of that. And also this scam called brushing, which, if you haven't come across it before.
It's quite counterintuitive. Well, it is.
Let's say that you order stuff from Amazon, and then all of a sudden you start getting stuff arriving on your doorstep that you haven't ordered.
And you're thinking, "What on earth is all this about?" And you're thinking, "Well, do I send it back to Amazon, or do I keep it?" And then more and more and more stuff starts to arrive.
Now, you are a "victim," in inverted commas, of a brushing scam. It doesn't sound too bad because you're receiving free stuff on the face of it.
But what's actually happening there is that it's all about gaming the online review systems.
And, you know, in a marketplace where there's lots and lots of traders selling fairly similar things, it's those who shout loudest or have the most 5-star reviews and glowing reviews that tend to go to the top of the pile and make the most sales.
So the long and short of it is this is a way of getting verified purchase reviews.
These items have been, in theory, fraudulently bought, fake purchases, but they're verified purchases.
They just send them out to random people, let's face it, and then post glowing reviews of them, those glowing reviews force those items through to the top of the searches on Amazon or other marketplaces as well.
I give up.
I know, it's crazy.
It's just so gross. Everything's so gross.
I think something like this has been happening at my house because we get regular deliveries from Amazon, which are a complete mystery to me.
But it's 4 times a day someone comes along delivering a parcel or something. I'll have to speak to my wife to find out if that's—
But it's 4 times a day someone comes along delivering a parcel or something. I'll have to speak to my wife to find out if that's—
Anyway, so that's not really my pick of the week.
Oh, okay. Right. Right.
My real pick of the week, I guess, is— so I have a friend called Geoff, and a couple of years ago he traveled around the UK visiting every single train station, or 2,563 railway stations in Great Britain.
Okay.
And this was part of a big Kickstarter campaign, and he made videos on all of them. This sounds like Trainspotting stuff, but it's not.
I've watched a lot of these. Is it Geoff Marshall?
It is Geoff Marshall. Indeed.
He's your cohort on the podcast you used to do, and maybe hopefully will come back, Fraculous.
Indeed, of course he is, yes.
And he's a complete train nutter, isn't he?
He's a complete train nutter. He's obsessed with the underground to the extent that he's held the world record for what's called the London Tube Challenge.
And this is where you have to visit every station on the London Underground in a shorter amount of time as possible.
And it's no mean feat, but let me tell you, it's very, very competitive.
And this is where you have to visit every station on the London Underground in a shorter amount of time as possible.
And it's no mean feat, but let me tell you, it's very, very competitive.
How long did it take? It would take half a day.
I think it's, off the top of my head, 16 hours or something like that. So literally, you are catching the first tube.
Carole, seriously, this is brilliant. You've got to look up this guy on YouTube.
And listeners should too.
Yeah, absolutely, because it's very interesting. I mean, I'm not into trains, but I have been quite obsessed in my time with some of Geoff's videos. They're really enjoyable.
So a couple of years ago, he travelled around to all 2,563 railway stations in Great Britain along with his now wife, Vicky. And this year he visited—
What a woman!
She's great. So let me just say that—
She must be.
While Geoff goes away and does train stuff, she goes exploring.
You know, they get off in all the various towns and she'll find the local castle or whatever it is, and/or local beauty spot, and she'll tell some terrific history stories about that.
It's very engaging viewing. They're both lovely, lovely people. I love them to bits. And this year they went and did the same thing, but in Ireland.
They visited all— hang on, let me get this right— 198 stations in Ireland and Northern Ireland.
And once again, they did a Kickstarter campaign, and people are very, very happy to donate to this. And a load of videos came out as a result of it.
Very, very different to the UK inasmuch as they're visiting stations that— obviously I'm talking to viewers or listeners to Smashing Security around the UK.
They're stations you may be familiar with. In Ireland, it's a different country, different culture in many ways.
And you learn so much about the history of a culture and its people through how they get to work, through how they travel from place to place.
And these historical train stations are fascinating.
You know, they get off in all the various towns and she'll find the local castle or whatever it is, and/or local beauty spot, and she'll tell some terrific history stories about that.
It's very engaging viewing. They're both lovely, lovely people. I love them to bits. And this year they went and did the same thing, but in Ireland.
They visited all— hang on, let me get this right— 198 stations in Ireland and Northern Ireland.
And once again, they did a Kickstarter campaign, and people are very, very happy to donate to this. And a load of videos came out as a result of it.
Very, very different to the UK inasmuch as they're visiting stations that— obviously I'm talking to viewers or listeners to Smashing Security around the UK.
They're stations you may be familiar with. In Ireland, it's a different country, different culture in many ways.
And you learn so much about the history of a culture and its people through how they get to work, through how they travel from place to place.
And these historical train stations are fascinating.
If you watch A to Z, all the movies and shows he's put out, would you see every single station that's in Ireland and Northern Ireland?
Yes, indeed. He's managed to get a video tag of every single station.
So, he would have Coleraine train station, where I spent many, many a night trying to get into a town to go into a club.
Yes, I remember it well.
I will locate that.
I don't think he's put all the videos online just yet. I'm just looking at the website.
Looks like Northern Ireland main may not have been updated all the videos yet, but he's obviously been to all of them and taken videos.
Looks like Northern Ireland main may not have been updated all the videos yet, but he's obviously been to all of them and taken videos.
Yeah, look forward to seeing that.
He's a serious chap. I mean, you know, this was Kickstarted. It's going to be the business, right?
Yes. And he also put out a feature-length documentary on that as well. So yeah, look it up. It is youtube.com/allthestations, all one word.
And yeah, there's a load of stuff on there, you know.
I couldn't be happier to support Geoff in what he does because I think he loves going on adventures and certainly does he do that. Cool.
And yeah, there's a load of stuff on there, you know.
I couldn't be happier to support Geoff in what he does because I think he loves going on adventures and certainly does he do that. Cool.
Well, he's got that great characteristic about him, which is sheer enthusiasm.
And when someone is as enthusiastic about a topic, even if it's something which doesn't appeal to your own heart, you can be carried along with it, can't you?
And I think he's definitely got that about him.
And when someone is as enthusiastic about a topic, even if it's something which doesn't appeal to your own heart, you can be carried along with it, can't you?
And I think he's definitely got that about him.
And that's why tuning into anything on BBC Four, television channel BBC Four, history documentary, whatever it is, you're watching people who are so passionate about their subject.
You can't help but go along on whatever their story is.
You can't help but go along on whatever their story is.
Fantastic. Well, great pick of the week. Thank you very much, David. Carole, no pressure, but that was a good one. What have you got for us?
Apologies, Graham. So I am sure you have something to apologise to me for, something big. Okay, so just do your thing.
Go ahead, show everyone how you would normally deliver a solid apology.
Go ahead, show everyone how you would normally deliver a solid apology.
Go ahead. What? Carole, I'd like to apologise for, oh, there've been so many things. What, something recently? Is there something in particular you're thinking of?
No, I'm just looking at the method. Just go ahead. Just go ahead.
Carole, I'm sorry that you thought that I made a mistake and somehow you have taken offense by what I did when I did it in the best interests of the podcast.
You see what I mean, folks? And we've all received shitty apologies. Did you remember receiving a really excellent one? Because I have.
When you get a really excellent apology, you basically forgive the perpetrator or the apologist.
So just this morning, I was cleaning up my pigsty that was my house following a few weeks of art gallery parties and art production and all kinds of crazy things.
And I was listening to the latest TAL podcast.
When you get a really excellent apology, you basically forgive the perpetrator or the apologist.
So just this morning, I was cleaning up my pigsty that was my house following a few weeks of art gallery parties and art production and all kinds of crazy things.
And I was listening to the latest TAL podcast.
Sorry, TAL, This American Life.
You're supposed to know these things. Oh, episodes 674, entitled Get a Spine. You have a bad back, right, Graham?
It's a little bit wonky.
Yeah, so it made me think of you. Get a spine, right?
Now, after a very cute intro about asking people what they do this little intro interviewing people asking them why they've ghosted people in their life that they've been dating.
They go into this apology and it's an 8-minute apology. And Nancy Updike, she's a fab producer on This American Life, and she says it's startling because it was not curt or vague.
It wasn't a lawyered-up mess of non-contrition in a passive voice. It is a true reckoning, and it's great. So I'm telling everyone, go listen to this episode.
Again, it's episode 674 from This American Life. And I think more apologies that are heartfelt and vulnerable and strong are needed in this world. So there you go.
That's my pick of the week. Apologies. Good ones, Graham. Good ones.
Now, after a very cute intro about asking people what they do this little intro interviewing people asking them why they've ghosted people in their life that they've been dating.
They go into this apology and it's an 8-minute apology. And Nancy Updike, she's a fab producer on This American Life, and she says it's startling because it was not curt or vague.
It wasn't a lawyered-up mess of non-contrition in a passive voice. It is a true reckoning, and it's great. So I'm telling everyone, go listen to this episode.
Again, it's episode 674 from This American Life. And I think more apologies that are heartfelt and vulnerable and strong are needed in this world. So there you go.
That's my pick of the week. Apologies. Good ones, Graham. Good ones.
Okay, well, I will go and find it.
I have, while you've been speaking, I have dug out from my little notepad how to say sorry, because sometimes I do have to say sorry, and I have a little 3-part guide as to how to say sorry.
Now, I don't know how often I put this into practice, but would you me to explain what the 3 stages are?
I have, while you've been speaking, I have dug out from my little notepad how to say sorry, because sometimes I do have to say sorry, and I have a little 3-part guide as to how to say sorry.
Now, I don't know how often I put this into practice, but would you me to explain what the 3 stages are?
Well, act them out. Act them out to David. Say you've done David an injustice.
That's too much imagination. I'm going to explain to you how it's done right, and for the benefit of the listeners as well.
Okay, go ahead.
Number 1, right, first thing you do: acknowledge how your action affected the other person, right? So you say, you know, that must have sucked.
I can see that the fridge has fallen on your foot and you've hurt yourself or something. Number 2, and this is an important one, say you're sorry.
I'm sorry I dropped the fridge on your foot, which has caused pain. Number 3, describe what you're going to do to make it right or make sure it doesn't happen again.
Next time, I won't try and pick up the fridge, or I'll ask a competent adult to pick it up instead, and I'll ask you to move your foot and step away beforehand.
I can see that the fridge has fallen on your foot and you've hurt yourself or something. Number 2, and this is an important one, say you're sorry.
I'm sorry I dropped the fridge on your foot, which has caused pain. Number 3, describe what you're going to do to make it right or make sure it doesn't happen again.
Next time, I won't try and pick up the fridge, or I'll ask a competent adult to pick it up instead, and I'll ask you to move your foot and step away beforehand.
You know what? That is nothing compared to this apology.
Okay. And the final thing is don't excuse or explain. And that's it. And that apparently, those 3 steps, I've been told—
No, no, no, no, no. Well, say for example, this whole apology is actually about sexual harassment, right? So that's a big deal.
And yes, the woman called them out publicly, and he then apologized publicly, and that apology was received and accepted by the person who he sexually harassed because that's how good it is.
So take a listen to it.
And yes, the woman called them out publicly, and he then apologized publicly, and that apology was received and accepted by the person who he sexually harassed because that's how good it is.
So take a listen to it.
That's a pretty good apology because that's a pretty—
Me listening to it also forgave him. Like, from my own— if I was thinking in my head, if this were happening to me and this was the apology I got, I would take it.
I'd be like, okay, done. For real. I'm not kidding. So take a listen. It's good. And I'm, you know, well done to This American Life for publishing something so cool.
I'd be like, okay, done. For real. I'm not kidding. So take a listen. It's good. And I'm, you know, well done to This American Life for publishing something so cool.
Interesting. Well, with that insight into a little chink inside Carole's heart where empathy lies.
Can I just say one more thing actually to make this a little bit more interesting? The guy who delivers this apology is someone a little bit famous.
He is a co-creator, the creator of one of my preferred TV shows, Rik and Morty. And he was also on the NBC comedy show called Community. And that's where it all happened.
He is a co-creator, the creator of one of my preferred TV shows, Rik and Morty. And he was also on the NBC comedy show called Community. And that's where it all happened.
Not the community, the hacking community.
No, no, not the community. That's why I smirked earlier. But there you go. Interesting. So it kind of gives it all a bit of a little twist. There you go.
Well, you know what? What a great show it's been this week. All kinds of things for us to explore and for listeners to check out. Listen to things, watch videos.
Yeah, you did great, Graham.
Discover. No, I'm not talking about me. I'm saying, you know, we've had Geoff Marshall's train videos. We've got your episode of This American Life. I call it your episode.
I wish I produced it.
But I think on that note, it's a perfect time to wrap things up. David, thank you so much for joining us on the show this week.
I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Well, it's probably on Twitter where I am @DavidMcClelland. David McClelland, all the C's, all the L's.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And you can also join us on Reddit. We have a Smashing Security Reddit up there as well.
And if you want to cover yourself with t-shirts and stickers and mugs and things like that to promote our podcast, go to smashingsecurity.com/store.
And if you want to cover yourself with t-shirts and stickers and mugs and things like that to promote our podcast, go to smashingsecurity.com/store.
Not if you have a skin condition. We are hugely obliged this week. Smashing Security sponsors: LastPass, Gartner, and Recorded Future.
Their support helps us give you this show for free, so be sure to check out their offers. And high five to all you listeners out there!
Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Their support helps us give you this show for free, so be sure to check out their offers. And high five to all you listeners out there!
Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Terrific! Until next time, cheerio, bye-bye, bye-bye, everyone!
David, David, I have a question for you.
Shoot.
Who is your favorite? Julia Somerville, Angela Rippon, or Gloria Hunniford?
Oh, you can't say that.
I'm just asking, he might say it. Why are you ruining my podcast?
Shut up.
I could not possibly say that. I will say that all three of the ladies are amazing. Amazing in their own ways, and they all bring something very different to the show.
And Angela Rippon is as formidable in real life as she comes across on screen. She does not suffer fools gladly. But yeah, they're all great.
And Angela Rippon is as formidable in real life as she comes across on screen. She does not suffer fools gladly. But yeah, they're all great.
You handled that beautifully.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
David McClelland – @davidmcclelland
Show notes:
- Vote for Smashing Security in the EU Security Blogger Awards
- Software update crashes police ankle monitors in the Netherlands — ZDNet.
- Irishman facing more than 100 years in US prison for alleged $2.5m cryptocurrency fraud — Independent.ie
- U.S. investor awarded $75 million in cryptocurrency crime case — Reuters.
- The SIM Swap Fix That the US Isn't Using — Wired.
- Everalbum Photo Organizing App — YouTube.
- Facial recognition's 'dirty little secret': Millions of online photos scraped without consent — NBC News.
- Everalbum Review — Good Housekeeping.
- OverSimplified — YouTube.
- CGP Grey — YouTube.
- The Difference between the United Kingdom, Great Britain and England Explained — YouTube.
- BBC One – Rip Off Britain, Series 11, Episode 3 — BBC iPlayer.
- All The Stations.
- Get a Spine! — This American Life.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Recorded Future
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
“The Threat Intelligence Handbook” is an easy-to-read guide will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
Sponsor: Gartner
Gartner’s Security & Risk Management Summit, running from June 17-20 2019 in National Harbor, Maryland, is the premier cybersecurity conference for CISOs, IT Security & Risk Professionals. Get the latest unbiased research and advice on cyber attacks, and emerging technologies including AI, blockchain, machine-learning and more.
Smashing Security listeners can save $350 off the standard registration rate by using the code “SMASHING”. Go to smashingsecurity.com/gartner for more information.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
