
United States Customs and Border Protection had sensitive data stolen, but the hackers didn’t have to breach its network. Apple has ambitious plans to make iPhone users safer online. And trolls are using Twitter lists to target their victims.
All this and much more is discussed in the latest MULTI-AWARD-WINNING edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Okay, so let's see if we get this right. So this is like me. So I get a job with the government. Unlikely.
I'd like to see that happen. I get a job with them. What are you talking about? I'm an angel. No, but that would make you terrible for that job.
Smashing Security. Episode 132, CBP Cyber Attack, an iPhone Privacy Boost, and Twitter List Abuse, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 132. My name is Graham Cluley. And I'm Carole Theriault. And we're joined this week by the ever-popular Maria Varmazis. Hello, Maria.
Hi! Yay! Fans go wild! Oh my god, that's awkward. I'm always happy to be here. Thank you for having me.
Well, we're delighted to have you back on the show, because it is something of a mini celebration today. Because... Not that mini.
I say yay for you both. Non-sarcastic applause.
Because if you haven't been following us on Twitter or Reddit, first of all, where have you been? But secondly, you may have missed the news. Right. We had big news last week, didn't we, Carole, when we were up in London? We did. We won Best Cybersecurity Podcast at a Blogger Awards that's affiliated with the Info Security Show. Pretty exciting.
Basically, it's a flipping big deal. This is like getting a Tony or an Emmy or an Oscar. Exactly. One of those. And we now are the proud owner of our second Best Podcast trophy. Carole, I believe you're going to keep this one in your lavatory at home. Is that right? No. Not actually in the lavatory. For what purpose?
No, it will be nowhere near the lavatory. That would be a horrific place to put an award.
But what we need to do is we need to thank everybody who voted for us. Thank you very much if you did that. Thank you for listening to the show. I voted. And for choosing us. You voted, Maria. I did. I sure did. Anyway, enough of the self-congratulation.
Well, it's not self-congratulation. We're saying thank you to everyone who helped us get where we are now. That includes listeners, sponsors, people who voted. You all rock. Absolutely.
What's coming up on this week's show, Carole?
Well, thanks to this week's sponsors, LastPass and Edgewise, their support helps us give you this show for free. Now, put your hot cuppas down, folks. We don't want any spillages during this episode of Smashing Security. Graham checks in with US borders to find out exactly what the hackers got away with. Maria heads to the Apple Grove, delving into all things iOS 13. And last but very much not least, I look at a new way Twitter trolls might be targeting folks. All this and more coming up on this episode of Smashing Security.
Now, chaps, I want to talk to you about the United States Customs and Border Protection Force, the CBP. Oh, yes. They are the largest federal law enforcement agency at the Department of Homeland Security. And of course, they're doing a very important job. They're stopping unauthorized immigrants from entering the United States of America. And in the absence of a huge, huge, beautiful wall, it's up to the CBP to police the border with Canada, preventing Winnebagos crammed full of lumberjacks from entering the country illegally. I'm sure you appreciate that, don't you, Maria?
You mean the Americans trying to go into Canada, right? I'm not sure which way it works.
But, you know, basically there's a lot of Canadians trying to sneak in. They've got harmful imports, maple syrup, universal health care, gun control, all those sort of things. Weed. Weed. Now, it's quite possible that CBP also keep an eye on the United States other borders as well, but we never hear about those. Anyway, they are in the news this week for a security screw up. What? Because. No. Yes. No. It's hard to believe. A government agency have messed up when it comes to security, not because they allowed some Canadian bacon to be snuck over the border. Very cute, Grim. But instead because they have been careless with their data, or so it appears. Okay. Now, Customs and Border Protection, they have confirmed publicly that hackers stole the photographs of travellers and vehicle licence plates travelling in and out of the United States. Oh. Now, you're probably imagining that the hackers broke into the government computers or something like that. Yeah, right.
Into the network where they have a cache of images or something. Not at all. Okay. The CBP's personal security, their actual organizational security, their network wasn't infiltrated by hackers. Okay, bravo. Instead, it appears that a subcontracting company working for the CBP copied the photos of travelers and license plates onto its own computers, which was in violation of policies and without the knowledge or authorization of the CBP. And that subcontractor then suffered a malicious cyber attack.
Okay, so let's see if we get this right. So this is like me. So I get a job with the government with the CBP.
I'd like to see that happen. I get a job with them. What are you talking about? I'm an angel. No, but that would make you terrible for that job. Yes, you're not qualified, girl. I'd be like, come on in, guys. Have you been to the United States? Come on in. Everyone's welcome. Let's have a party. Yeah, I know. Okay, right. Okay, so I get a job kind of manning the borders. Right. And I'm a consultant for the CBP, right? Yes, yes. And I'm taking pictures of all this stuff for the CBP, but as well as giving them, I keep a copy secretly and put it on my own network at home, which does not have the right protections in place to protect me from said cyber attack.
It's a bit like that. Or it's a bit like if you posted it up on Pinterest or your Tumblr, pictures you were taking at work.
Or it's like if you had sensitive data at your job and then you copied it to your personal laptop and then you lose your laptop in a cafe.
I have never done that ever. I'm sure you haven't. I have never copied a phone number over and sent it to my personal email or anything. Never ever. No one's ever done homework on the weekend, you know. No, and lost it in a taxi.
The reality is this is something which happens all the time, right? People take their work home or they send it to their Gmail or Yahoo account or they copy it onto their laptop because they want to do some work. In this case, this subcontractor, we don't know exactly why they did it. But according to the CBP, less than 100,000 people have been affected. And it was a few specific lanes at a single land border over a period of a month and a half. So passports and other travel documentation weren't compromised. And it appears that air travellers aren't included in the haul.
Just your faces are compromised. That's right. Okay.
Is it possible that it's just one bad apple in this subcontracting unit that did it if it's a few specific lanes at a particular land border?
Well, it's a bit of a mystery as to why this happened. And it's possible that they were taking the data maybe to do some troubleshooting or maybe they needed a sample of data because they were wanting to analyse pictures and see whether their analysis would work better. And they obviously couldn't do that on a government computer without permission. And they're thinking, oh, we've got access to this data. We're able to see it. Yeah, hoover the data. Let's hoover it up. Yeah, hoover up the data and let's see what we can do. So this is not a supply chain attack where somebody compromises a subcontractor and then pivots into the main network. This is somebody messed up policy-wise. Yeah.
It appears the hackers never managed to gain access to the CBP actual network. So it was just the subcontractor. But obviously, the implication is kind of the same. Exactly. Yeah. And this is the issue is whether subcontractors working for your organization are treating your data securely. And if their security is as good as yours. And it's hard to know. I mean, everyone's going to say and rubber stamp it and say they're doing a good job, aren't they?
Are they? Are they going to say that? Oh, yeah. I suppose if they want the contract. If they want the contract.
Or they may be completely unaware. They may think, yes, of course we take security seriously.
Can you imagine them going, to be honest, I'm doing a terrible job with my security. Just be real.
Look, I'm the IT guy and I have no idea what I'm doing. All cards on the table.
Oh, I'm shit. Can I have the job? Please give me money.
Now, the CBP hasn't named the subcontracting company that was actually hacked. Presumably, they want to save it some embarrassment. However, the cat might have been let out of the bag. Very good. Thank you. You see, there's only one US government contract which provides license plate reading technology at the US's land borders. OK, so hardly an investigative journalist job here. It's real gumshoe work. Yeah, OK.
And that particular contractor is a Tennessee-based company by the name of Perceptics. And basically their technology says, well, look, we can recognise cars and their drivers from camera footage, right? All very cool if you want to do that kind of thing. Now, when the CBP shared its press statement regarding the security breach, they sent to journalists at the Washington Post a Word document, and although they didn't name in their statement the contractor in that Word document, they did send the Word document with a file name which included the name Perceptics. Which did rather let the cat out of the bag. So you can put one and one together and easily make two.
Well, it may be that they did that on purpose as well.
Yeah, we're not saying, but we're kind of saying.
Oh, I see. You're like, we don't want to name them, but actually we're really pissed with them.
Oh, oops. Yeah. You know where I'm at. Like, oh, oops, I dropped this. Hope nobody sees that. Yeah.
Oh, gosh. Now, to add to the intrigue, just a couple of weeks ago, the Register was contacted by someone who called themselves Boris Bullet Dodger. Nice. Subtle. Okay, yep. Now, Mr. Bullet Dodger, he shared with the Register evidence that suggested hackers had made available on the dark web hundreds of gigabytes of data seemingly snuffled up from Perceptics servers, including databases, spreadsheets, HR records, business plans, financial figures, personal information, and, yes, thousands and thousands of images of what appeared to be license plate captures. That happened a couple of weeks ago. That's not the only data, though, that they actually managed to snuffle up from Perceptics Network, because they also took a few MP3 files from users' desktops, including... This is the best part. Including Superstition by Stevie Wonder, a variety of AC/DC and Cat Stevens songs.
I'm thunderstruck. Very good.
And Wannabe by the Spice Girls. Oh, yeah.
That's my jam. Do you think they just hoovered up everything and that came along? Or do you think those were individually selected?
It looks like somebody completely owned the Perceptics network.
If you want to own Perceptics, you've got to get with my friends.
Now, you definitely wouldn't want that falling into the wrong hands. But there's clearly a significant amount of sensitive information here which is falling into the hands of hackers about the monitoring of U.S. borders. And that's pretty embarrassing, isn't it? So the important thing to remember is this, right? The U.S. government contractor, which may or may not have been Perceptics, they didn't have permission to move the data to their own systems. Maybe they did it for testing purposes or troubleshooting. And we don't know, but it probably wasn't done with malicious intent. But the point is they didn't seek authorization. And lo and behold, their security was insufficient. And the CBP would never have given them permission to do this because obviously it would have been quite sensitive. And they don't like to bring themselves into controversy, do they? They don't like to have people pointing a finger at them.
So basically an American government agency and their American subcontractor messed up and compromised the info of non-Americans. Most likely a lot of people who are not American that somehow seems about right.
Well they have all yours after the Equifax. Oh yeah that's like not even.
Every American's got their info like forget it yeah exactly.
Why worry right yeah everyone can join the party now just go to America finally fantastic everyone's invited let's go. Maria what's your story for us this week?
As we mentioned at the top of the show I'm going to be talking about Apple and iOS 13 which was recommended to me by a number of folks on Twitter. So thanks, Twitter netizens. I was kind of feeling lazy and didn't know what I wanted to cover this week. So I appreciate the tip from everyone. The iOS 13 beta is currently in developer-only beta, but it will be in public beta later this summer. And iOS 13 is the new upcoming version of Apple's iOS for your iPhone. Yes, quite exciting. They always roll out some interesting new features. And I don't want this to be just a rehash of the Apple press release. There's some interesting stuff here. So I wanted to call out two specific security and privacy features that Apple's announcing because there's some stuff there we should dig into. Okay. So first, Apple's going to be slapping greedy apps that want all your location data all the damn time. So up until now, up until iOS 12, you can set location data to be shared with an app either always, while the app is in use, or never. So they're now going to be rolling out a new option that says location sharing, allow it just once. So basically, hey, you app, you need to ask me every damn time you want to use my location. I'm pretty sure that Android users have had that option for a while. I'm pretty sure. Don't quote me on that one. But that's a great option. I think I would definitely be using it a lot.
But I kind of already do that, but in a much more manual way. So I have it all off on most apps all the time. And then I'm like, oh, yeah, OK, now I'm using this map app to get from A to B. So I'll turn on location data for the length of my journey and then turn it off at the other end. But you do have to remember to turn it off. You have to check your phone a lot. When I go to the loo, I just check my settings. Well, it's a very productive time for your poo time, you know, whatever.
That's quite interesting, Carole. So if you turn it on, it doesn't, other than the bit about going to the loo, but if it doesn't turn itself off at the end. And so if you allow it just once, Maria, to say, yes, you can use it during this session, when does it turn off?
That's a great question. I can't tell you specifically. I have not been able to use the public beta yet. It's not out. Anyone out there listening who's used this and checked it out, please tweet us and let us know. I think some of our listeners have the developer beta access, which I don't have yet. So if they know, I'd love to know that. I agree. Carole, I do the same thing. Everything is off. And then if it really nags me, I might turn it on and I have to remember to turn it off again, which is annoying, doable, annoying, but doable.
Yeah. There's something I want to complain about at some point. I'll do it later. But I have an Apple thing I really want to complain about. Let's rip it into them.
That sounds good. Yeah. So as part of this, in addition, Apple will also show you the location data that your app is receiving. So quite literally, they will put the locations, coordinates, on a map on a screen and say, hey, this is literally all the data this app is getting from you about where you are. Do you still want them to have this?
I love this so much because this is actually translating what it means that when they say hoovering up your location data, you see how exact it is. Within a few feet, they're right. Yeah, it's like you might be thinking they know generally maybe what state I live in, but no. So, for example, I saw somebody tweeting about this because they had developer beta access. This person's name is Sam Sophus. I probably mispronounced his last name. Sorry.
Well, hang on. Why is his thermostat traveling across San Francisco?
Right. Why does his thermostat? Yeah, because it's his phone. It's his phone. It's connected to your phone. Oh, I see. Yeah, his Nest thermostat knows where he lives, as another Twitter user said, where he lives, where he works, his favorite restaurant, his gym, where he shops. Why does your thermostat need that information? Why is that needed?
And not just Nest, right? That's Google services. So all your location data is being... Yeah, and why? Exactly, Graham. Good question. Why? Right.
And that's the question that I think Apple's trying to get its general users to start asking itself is going, wait, why do you need that, actually? Maybe I'll turn that off.
I mean, the only thing I can think of is maybe if you were in a different time zone, so it may collect time zone data if you wanted to control your thermostat back at home.
Are we really defending this? I'm not. I'm just struggling to understand why it would even be interested in that data. Because they can, I think. It's just because if you're going to offer it up, they'll be, I'll take it, yeah, all right.
Yeah, Google has shown itself to have such restraint when it comes to our information and private stuff.
And let's be real, it's not just Google. Any app developer, they're, I'll just take your data. I'm not going to protect it, as we well know. I'll just grab it and hoard it like I'm a squirrel with lots of acorns and I'll figure out what to do with it later.
You are a squirrel. Put it in your little pouty face.
Yeah, the data. And just a little footnote to the Apple location data thing. They're going to also apply these limits to apps that also try to sniff out location via Wi-Fi and Bluetooth, those guys that try to circumvent those location sharing permissions by figuring it out through Wi-Fi and Bluetooth. They're tamping down on that as well. So I don't know the technical details. This is what they've said, but I think some of our listeners may know. And when I get my hands on the public beta, I will try that out for myself. So that's location data. That's iOS 13's location data update. Now, let's get to what I think is the even juicier bit. I'm curious to hear what you think. So as many listeners know, I am basically contractually obligated to mention Facebook every time I'm on the show.
But not in a positive way, I've noticed. It's not they're paying you.
Not in a positive way. No, they are definitely not paying me. I mean, they're very free to. They've got a lot of money, but no, they're not paying me.
So tell us, this single sign-in from Apple.
Yeah, so they are entering the third-party sign-in game directly in competition with Facebook and Google, and they are requiring it. So all developers who are making or updating their apps for iOS 13 were told in writing, if you offer a third-party sign-in for your app, you must put in Apple's third-party sign-in option as well. You don't have to put it first, but it has to be there. So it's a requirement. And the reason that Apple's offering is different from what Facebook and Google are offering is that instead of offering up your personal details on a silver platter for that app or website service, you can actually ask Apple to sign you up and sign you in with essentially anonymized data.
I've been thinking about this thing from Apple. They can hide your own email address and get you in without providing any personal information to the third party.
Facebook, if you use Facebook or Google's third party sign in, it'll give the app developer not just your name and your email, but they'll pass along any other data that they've got on you that the app developer wants. Right. Apple says—I'm taking their word for it right now because I can't dispute it—Apple says they will only give the name and email nothing else about you. Apple will not track you on the phone either, so it won't have any data on you. This is what they say anyway. And, Carole, as you mentioned, you can actually ask Apple to basically sign you up for that service with a burner email. So Apple will generate a random email address that forwards to your real email so the app guys don't get your real email. And you can just disable that burner email at any time if the app starts spamming you. So if you've been using 10-minute mail for years to get around app signups, this sort of allows you to streamline that process.
And the beauty of this, of course, is that those email addresses are going to be unique, just like your password should be unique. And so it'd be difficult for the app developers or big tech companies to begin to piece together a picture of who you are based purely on your username.
Right. It's a serious game changer, I think. Also, because I use a lot of Apple products for the last, whatever, 10, 15 years, they basically know everything about me already. So I'm in bed with this. I this. I trust them. I use their services. I buy their very expensive products. Love some of them, others.
But because you're actually paying them quite a lot of money for that hardware and for that software, they have less interest in collecting a huge amount of personal information about you compared to some of the other tech companies.
Hey, you know what I admire? They could be also doing that, right? They could be charging an arm and a leg for their tech and also collecting and selling off my data. But they've chosen not to. So in this day and age where everyone's making money through data hoovering and data repurposing. And ads and ads and ads and ads. They are really playing a big differentiator game. And I think it's excellent. I think it's very exciting. It's sort of the luxurification of privacy. So as long as you can afford... I mean, I'm not saying that you can't get privacy outside of an Apple product, but Apple is making it part of their differentiator that, hey, we make privacy even easier for you as long as you can afford our products and are always locked into buying our products, we'll give you this as part of the overall experience.
One of the things I like about this, and of course we'll have to wait until it all rolls out properly so we all get a copy of it and make sure that it works properly, but from the sound of things, this could address that issue which we so commonly see about where a website is hacked and the hackers then have your username or your email address and your password and they use that password with that email address against all manner of other online accounts. With this, because each username is unique, they won't be able to use that username to break into your Gmail or your Amazon or anything else. Right, credential reuse is basically taken away here. So that's a differentiator from Facebook and Google as well. You don't have that unique username.
Are you saying it makes hacking exponentially harder?
I think it honestly, as you said, it's a potential game changer. I'm trying not to sound like I'm working for Apple PR, but there is a lot here that's making privacy easier, basically circumventing the whole begging and pleading for people to use unique passwords, keep an eye on when their credentials get pwned. The options that we'd given people were take care of all this kind of manually and figure it out for yourself. Or if you want to use something a little easier like a third-party sign-in with Facebook or Google, be okay with divvying up all your private info and giving that away. And now there's this nice other option where you can actually maintain what sounds like a pretty good sense of privacy and not give away all this demographic info. That's pretty fantastic. The other thing with this whole third-party sign-in is that to use it, you have to have 2FA enabled. You have to have two-factor authentication enabled. So if you are not okay with Apple owning your biometrics in some way with Face ID or Touch ID, you won't be able to use this. But that's the factor that it uses to authenticate you. Exciting if you're trying to adopt two-factor authenticating.
Oh, so you can't authenticate with a password.
Correct. You have to use Face ID or Touch ID as your second factor. Oh, you see, that's interesting. I don't like that. Yeah. And that one I haven't seen mentioned many places. It's like, oh, it uses two-factor authentication. I'm like, great, that's awesome. But that specifically is Face ID or Touch ID, or at least that's what it sounds like right now when I was reading through the documentation. Although, of course, maybe that will encourage people who leave their phones permanently unlocked to enable Face ID or Touch ID to actually... Well, it's not a second factor in that case, right? It's got to be not just something...
It feels to me like...
I have to say I'm going to be optimistic about this because there are gazillions of people out there who are using Apple devices who may very well begin to use this feature when they sign up for sites. And I have some more trust at the moment, I think, that Apple's going to get it right than the typical human being would in terms of choosing their email address and password.
Yeah, or Google or Facebook, who've had 10 years to work on this and have basically just let us down.
Yeah, as I said earlier, I'm a little about the idea of privacy being a luxury that you have to buy into from Apple. There are ways to do this on your own, but it's just a lot harder. Lots of great things, though, come into the world, and they're expensive at first, like solar panels. I mean, I really do. And I mean, the way Apple is selling this to its developers, who I'm sure are kind of like, eh, about this whole thing about getting less data, is that Apple's saying, hey, if you're getting this anonymized user info from us, you can be sure that it's an actual real user trying to sign into you as opposed to some spammer. So that's how they're angling it. I don't know if that tracks, but that's what they're saying. Watch the space. All right. So what was your complaint? Yes, you have a complaint about Apple that you want to share with everybody.
Yeah.
Well, my complaint has to do with Bluetooth. So I don't use Bluetooth headphones very often. When I connect, when I need to use Bluetooth, I do as with my location sharing: I like to turn it on and I like to turn it off, right? So my normal protocol would be to have Bluetooth off by default and then I would turn it on. It seems as though every time I turn it off it says, oh, OK, we'll keep it turned off for 24 hours, then turn it back on for you tomorrow, because it's annoying. And there's no way you can get out of that. I hate that. Yeah, I hate that it decides that it's going to turn itself back on for you. It drives me crazy. What do you mean, how I'm turning it off?
See, that's the mystery. Is that my problem? That's your problem. If you do it that way, you're right. It does kind of say, oh, well, we'll just temporarily do this. I think if you go through settings, then it will permanently turn it off.
All right. I'll check it out. Yeah, we'll try that out.
I think that sounds right to me as well, but it shouldn't be buried like that.
Just call me an Apple genius. Well, I'm not until I try it, until I use it. I think you'll find. I'll wait. I'll wait till I find it. I'm pretty sure it's going to work, Carole. I need proof. I need proof. I'm pretty sure. Pretty sure it's going to work. Okay. Take his word for it.
Carole, what have you got for us this week?
Okay, Twitter. We're talking Twitter. Now, both of you, Graham and Maria, you're both avid Twitter users. And I wanted us to analyze the guts of this CNBC article and see what you guys think. So aside from following specific people and reading, liking, replying to their tweets, you can also create lists of accounts that you want to follow. Yes. Yes. Right. So a Twitter list is basically, for those who don't know, is a list curated by you or by someone else. You can create your own list to subscribe to certain accounts that are created by others. You can actually subscribe to other people's lists so you can save yourself the work, I guess. So, for example, if Graham was following Infosec bods, I could follow his list if it was public and, you know, basically cover up all the data that you get. Yes. Yep. And you can also see a list timeline. So you can see a stream of tweets from the accounts that are actually on that list alone.
Yeah, it's like a recommendation that you curate, right? Right. These are people that are worth listening to. I find it very handy, actually. I'm not sure how people manage to use Twitter without lists, because if you follow any number of people, a certain number of people, it's impossible to keep track of it all. So I sort of have a list which is don't miss. So people who I definitely want to see every tweet from those small number of people there.
This might be why you're much more interested in Twitter than I am, because I have no lists. Oh, right. Oh, wow.
Yeah, you're missing out on an actually decent feature.
Well, am I? Because listen to this.
Did I set you up for that or what?
So according to a CNBC article published this week, a few people have complained about suddenly receiving a barrage of hateful tweets. Almost like someone has put a bullseye on their Twitter back.
Oh, no, this would never, ever happen on Twitter. Harassment? People would never send it. Harassment on Twitter? No one would be mean on Twitter. No, I don't buy it. Fake news. But it seems as though these trolls were coming out of nowhere and suddenly accusing them of all sorts of stuff that they didn't necessarily believe or support. So they're getting all these awful tweets and they decide to do some digging. And they're kind of trying to go, what the heck is going on here? Ooh. So, yeah. So you, for instance, Carole, you might be added to a list called Apple fans or something. And Maria, you'd be Deep Space Nine dweebs. No, no, no.
It would be more like I would be added to a list called Apple fans suck.
Oh, I see. Or Apple shills. Yes. Or something like that. Oh, shills. OMG. Yes. For example, Graham, you might create a list, my favorite people, where Maria and I would be featured very highly there. Maria, yeah. And just like you could create a list like that, a troll could create a list of so-called enemies. Right. I see. So they create a list of people they want to attack and then they share it with their evil buddies, whether on Twitter or elsewhere. Yes, attack my pretties, attack! Can I be a hipster for a second and say this doesn't surprise me at all? No, I'm going to be a total... I'm just laughing at hipster. No, I was doing that before it was cool.
And apparently the current way that the people who were reported in the article from CNBC handle it is they basically on a monthly basis or weekly basis go and check. And this is where I want you guys to confirm this is possible, right? They go and check where they're listed. So where are their Twitter usernames listed? And if the list seems troublesome or worrisome based on the fact that maybe there's no followers or the name's outrageous, they remove or delete themselves from said Twitter list. Psst, listeners. Okay, I make a bit of a boo-boo here. These people aren't able to delete themselves from said lists. But what they can do is block the creator of the list and block all the followers of that list. And in that way can kind of control the stem of misinformation and attack.
Now watch Graham actually figure this out. I don't see an option for that. I think maybe what you could do is you could block the person who owns the list. But if their buddies are also using that list, that doesn't block them, does it?
Yeah, maybe they're using a blockchain or something, but still, this is... Don't mention blockchain. Oh, sorry. Okay, so what is Twitter doing about it? Not much, say a number of reports.
Yeah. She refuses to use an Oxford comma.
I just forget sometimes. And thanks to algorithmic logic, if a user gets enough report, it's enough for Twitter to indiscriminately suspend an account.
Yeah, it's the vagaries of Twitter support. Yeah, exactly. According to a lot of just completely anecdotal anecdata, when I see a lot of Twitter got it wrong kind of support stuff, it seems it's not super hard to game it. Yeah. And use it against somebody in a retaliatory way. You see that a lot on Twitter, especially in the political spheres. It's interesting, which
is why I stay out of
that world on Twitter for the most part. They say the best advice is not to attract the attention of trolls, but that in itself. I don't exist. Don't put me in front of a camera.
I wonder if there's also an issue here, because if you're looking at the lists which you've been put on, if that list was given a benign name, really cool cyber security guys.
Graham's the best. Or something that. You may think, oh, well, I obviously have no problem with that. But it could actually be used for something unpleasant, couldn't it? And I think because you're in a list, there is a sense that you've okayed your belonging there. You haven't. It has nothing to do with you, but somehow...
Well, that's interesting as well, isn't it? Because people might see that you are on the neo-Nazi list, for instance. It's no, I didn't want to join that club.
I think that's the issue with the idea of being in the list. I think it's embarrassing to some people because the club might be something they agree with at all or be a contentious point or a socially manipulative point. If it doesn't exist already, Twitter needs to implement a way for people to easily remove themselves from lists. Just kind of how there was for a while on Facebook.
My guess is that you have to block the person who created the list. That sounds about right.
So what, you block the person that created the list and therefore they can't add you to a list?
Maybe your existence on that particular list vaporizes because they can no longer follow you.
That seems plausible. That's my guess. Anyway, anyone can confirm it. We're all ears.
That's right. Lots of feedback from the listeners we're asking for this week. Please be kind. So, Carole, imagine a hacker has gained access to one of the computers inside your organisation. Dun, dun, dun. And, of course, they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects. Gotcha, yep. Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software access to that data and unapproved applications, yeah? Okay, yeah, yeah, yeah. Right, and that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform. Okay. It has a simple-to-use interface, which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center. Clever. Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes micro-segmentation simpler and more secure. Okay, I want to learn more. Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click micro-segmentation. Oh, awesome. Boom.
Hey, Graham. Yes. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control shared access and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing.
Perfect. Do you want to make it more conversational? I don't
I don't know. I think that sounded great.
And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. And my pick of the week this week is not security related. You'll be very pleased to hear, Carole. Super pleased. Now, way back in 2003, an anime, is it anime? Is that how you say it? An anime show called Firestorm hit TV screens in Japan.
We're talking anime on this podcast? I'm so here for it.
Hang on. This is just the build up to my pick of the week. Oh, okay. And this Japanese TV show, no one would really have cared about it, apart from the fact that one of its creators was Gerry Anderson, who in the 60s, of course, was famous, and the 70s, was famous for such classics as Thunderbirds, Captain Scarlet, and UFO and Space 1999. Now, this Firestorm TV show never really caught fire, but, and so it's little more than a curiosity for most of us, but wait, because Gerry Anderson's son, Jamie Anderson, he has picked up his late father's mantle and he is rebooting Firestorm in the style of classic puppets based Thunderbirds.
Oh that's where it comes from because you're a big Thunderbirds fan.
I'm a big fan of the Gerry Anderson stuff.
I was kind of going I'm surprised I was surprised I was with Maria there.
I'm excited, but I didn't think y'all... So if you go and check out FirestormHQ.com, or I'll also put into the show notes a link to the YouTube trailer, a 10 minute mini episode, you will see the puppets are back. But unlike in the 1960s you're not going to see any strings. It is filmed in ultra marionation, even better than super marionation, which they used to use. It uses sets, miniatures, practical effects, and it looks wonderful. It really is bringing back that Gerry Anderson magic. Currently it's only a 10 minute mini episode, but it looks like they're going to produce more.
I hope they haven't lost too much of the puppeteering, you know? It's such a difficult balance when you do digital puppeteering.
Go a couple of minutes into the episode, and you'll see some of the characters, and you'll see they really are...
Yeah, but I'm also seeing James Bond-style explosions here.
You know, the original Thunderbirds and Captain Scarlet were full of action as well. There was all sorts of explosions.
Yeah, but I'm seeing tinfoil sets, so, you know, it's not... It's pretty cool.
Pretty cool stuff. And there you are. Well, I wanted to throw us back to some classic sci-fi TV in this week when, sadly, Paul Darrow, Avon from Blake's 7, passed away, who was a real hero for all of us. Have you seen Blake's 7, Maria?
I have not, I have not. You're just missing out, guys. But anyway, Avon was a... It's a name I'm familiar with, I've just not seen it though.
FirestormHQ.com is my pick of the week go and check it out cool Maria what's your pick of the week? So I have a pick of the week but I want to mention while we've been recording this episode, Nintendo just announced they're making a sequel to Breath of the Wild for the Switch. What does AITA stand for? It's something you should know.
It's a question. AITA, am I the asshole? So this is a subreddit where people ask the question, am I the asshole in this situation? And they then write out a situation they've been in, it's sort of moral quandary where somebody gets mad at somebody else or there's some sort of fallout or just a general sense of malaise. And then he kicks them in the butt
and goes am I the asshole? Was it wrong of me to do that?
Was it wrong of me to spit on their face or whatever? I don't know. They ask the question and then the commenters weigh in. No, you're not the asshole. There's no asshole in this situation. Yes, you're the asshole. And it's NTA or AITA. It's such a great fun read and if you
And so you're basically polling the internet to find out, do most people think you're being an arsehole? A lot of my
favourites are when people in the comments completely disagree if the person is or isn't an arsehole, and it's just like it gets real heated, and you know you've got people all over the world weighing in on these moral quandaries, and sometimes it's like social issues. Yeah. Should
I give you one?
Yeah, go for it. I love how Carole likes my big italy song. Oh, I love it, I'm a total addict, I love this separate. Am I the asshole for wanting a salary as a SAHM, Graham? Am I the asshole for wanting a salary as a stay-at-home mom?
SAHM, stay-at-home mom. I didn't know what that was. I'm teaching you, I'm teaching you the low hand. Okay, so that's like the title. And then basically they're like, sorry guys, I just need to know if I'm the asshole, I want money, first thing, stay home and mom because it's a lot of freaking work.
Not salary from a company presumably, but salary from maybe the breadwinner in the house. And then people are going you're the asshole. Other people are saying you're not the asshole.
justify it. They write out whole explanations about why they think this.
a great time waster. I love it.
It really is. High five Maria, cool.
I'll go and check it out.
That's my pick of the week. You're definitely not an asshole, I try not to be an asshole, me too.
Well let's see how Carole does with her pick of the week.
Do you try not being an asshole Graham?
I don't try. It's just genetic right? It just comes to you naturally? pick of the week is trees.
Are we talking Reddit's definition of trees?
Look, we all agree though, trees are really important, right? Yes. It's the biggest plant on the planet, gives us all the oxygen stuff, and stores carbon, and stabilizes the soil, and if you don't believe any of this, go read Harari's Homo Sapiens. Very educational.
I did not know about trees. There's a search engine that I discovered called Ecosia, E-C-O-S-I-A. Ah yes. I'm going to be really dumb right now. This is not one of those things where it's built actually on top of like a Google, like the Google search technology. I don't think that's a dumb question because I was trying to find that just before we started recording. I'm thinking that they didn't build their own search engines. by Bing. Bing. It says it's powered by Bing. Okay. And I thought oh that must be it. Okay. There are a lot of websites that do stuff like this. That's really interesting that this one does something ecological. I've seen some that do sort of a similar, not a filter, but I guess a filter over search results. And it's like a kid-friendly search engine. And they try to make sure that schools only use that kid-friendly search engine, but it's really powered by Google in the back end. So this is a Bing version. That's cool. I think it is cool. Well, Carole, at least hopefully some trees are being grown as a result of your browsing. Maybe. Maybe they are. Okay. Only, please. Yeah, I'm at M-V-A-R-M-A-Z-I-S, M-Varmazis, it's my name, and it's a Twitter and if you are on infosec.exchange via Mastodon I am at Maria so much easier on that.
And you can follow us on Twitter at @SmashinSecurity, no G, Twitter won't allow us to have a G. And we're also on Reddit, go and find us there after you've spent some time on the Am I the Arsehole subreddit. You can go pop over to SmashinSecurity on Reddit as well.
Huge thank you to sponsors LastPass and Edgewise. Their support helps us give you this show for free, so be sure to check out their offers. And thank you, lovely listeners. Check out smashingsecurity.com for past episodes, sponsorship details, info on how to get in touch with us.
Until next time, cheerio.
Bye-bye.
Later. Bye.
Bye-bye, guys. Bye-bye.
And in-game with iOS 13. And this is directly in competition with Facebook and Google. So all app developers were told for iOS... Oh,
Everything all right? Yeah, yeah, Carrie, I'm just telling you recording right now. Hi, girls, mom.
Is that Facebook's marketing department wanting to make an offer to Maria?
Oh, they're telling me, please stop talking about us. Actively hurting us. Yeah. Nothing else is. Yeah, literally just me. Yeah,
It's nothing to do with me, says Zuck. I'm great. You're the problem, Maria. Do you think they were listening in?
Maybe they were. Of course they were. Maria still uses Facebook. So tell us, so this single sign-in from Apple.
Yeah, so they are entering the third-party signing game.
Hosts: Graham Cluley, Carole Theriault
Guest: Maria Varmazis
Show notes:
- Smashing Security named the Best Security Podcast — Graham Cluley.
- U.S. Customs and Border Protection says photos of travelers into and out of the country were recently taken in a data breach — Washington Post.
- Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online — The Register.
- US border cops confirm: Maker of America's license-plate, driver recognition tech hacked, camera images swiped — The Register.
- Tweet from Sam Soffes.
- Apple previews iOS 13 — Apple.
- Sign In with Apple human user interface guidelines — Apple.
- How trolls use Twitter lists to target and harass other users — CNBC.
- Trolls get tricky on Twitter with targeted harassment lists — Kim Komando.
- 10 hours worth of the original Firestorm TV series (Japanese, with English subtitles) — YouTube.
- Gerry Anderson’s Firestorm Exclusive FULL Minisode — YouTube.
- Gerry Anderson's Firestorm — A brand new science fiction series from the creator of Thunderbirds (or, more precisely, his son).
- AITA — Reddit.
- Ecosia – the search engine that plants trees.
- Ecosia privacy policy and the data it collects.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Edgewise is the industry’s first zero-trust segmentation platform. Its simple-to-use interface lets you stop data breaches by allowing only verified software to communicate within your cloud or data centre. Edgewise’s data-centric approach makes micro-segmentation simpler and more secure.
Learn more and get a free trial at edgewise.net.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.