Smashing Security podcast #154: A buttock of biometrics

Graham Cluley

The UK’s Labour Party kicks off its election campaign with claims that it has suffered a sophisticated cyber-attack, Apple’s credit card is accused of being sexist, and what is Google up to with Project Nightingale?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
I see that 10 times a day you appear to be running vigorously.
CAROLE THERIAULT
Okay, breathe, breathe, we don't want you to die.
Unknown
Smashing Security, episode 154: A Buttock of Biometrics, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 154.

My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hey, and we're joined this week.
CAROLE THERIAULT
Okay, it's very late, everybody. We're doing this late. It's going to be a silly episode. I'm warning you now.
GRAHAM CLULEY
We are joined this week by John Hawes.
JOHN HAWES
Hello. I'm not being silly at all. I'm being very serious.
CAROLE THERIAULT
Good. Now, John, I'm going to describe you and I want you to tell me if this is a fair description or not. Okay.

A diplomatic man who advises cyber companies around the world to get along and play nice and build fair standards.
JOHN HAWES
You missed handsome.
GRAHAM CLULEY
Oh. Yeah, you missed the beard. You missed six foot four, not five foot four.
JOHN HAWES
A five foot four man. That's how I like to start all descriptions.
GRAHAM CLULEY
There's nothing wrong with being any number of foot fours. But he is notable by his ostentatious height, I feel.
JOHN HAWES
I don't do it on purpose.
GRAHAM CLULEY
That's what you say, John. Carole, what have we got coming up on the show this week?
CAROLE THERIAULT
First, thank this week's sponsor, LastPass. Their support helps us give you this show for free. On today's show, Graham is delving into the UK Labour Party DDoS Non-Fiasco.

John is looking into why Apple credit card is being called sexist. And I'm going to get on my soapbox about private health info and Google.

All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Super duper stuff. Now, chums, we here in Britain, we're all British.
JOHN HAWES
Chums?
GRAHAM CLULEY
Yes. Yes.
JOHN HAWES
Oh, don't.
GRAHAM CLULEY
Yes, John.
JOHN HAWES
Sorry. Yes.
GRAHAM CLULEY
Let's not even start. We have got an election on our hands. Election, I said. Yes, that's true. In one corner is the bumbling Etonian Boris Johnson.

Now, we should explain the various participants for people who don't live in the UK, because not everyone around the world who listens, we are very popular around the world.

We shouldn't just assume everyone knows what's going on in British politics. Shall we explain who everybody is?
CAROLE THERIAULT
Yeah, not everyone. Are you insane? Just the main players. Just the main players.
GRAHAM CLULEY
There are four main players. So we have in one corner the bumbling Etonian Boris Johnson. From time to time he's been described as a malevolent baked Alaska.
CAROLE THERIAULT
He's like an ugly Hugh Grant.
JOHN HAWES
Or there's an image of Donald Trump's hair and Owen Wilson's face. Does look a lot like Boris Johnson. Anyone's wondering what he looks like.
GRAHAM CLULEY
It's also been suggested he looks a little bit like an unmade bed mixed up with a head injury. He campaigned, remember the big Brexit referendum?

He campaigned to leave Europe, but a lot of people suspect he really wanted to stay in. Whereas his opposite number in another corner is Jeremy Corbyn, right?

He's the ultra left-wing.
CAROLE THERIAULT
He's our Sanders representative.
GRAHAM CLULEY
Yeah, yeah, yeah. He's the leader of the Labour Party. He looks like a geography teacher. Campaigned to stay in Europe, maybe because he loves geography.
JOHN HAWES
Very elderly geography teacher.
GRAHAM CLULEY
Yeah, quite elderly, with the patches on his elbows and everything. Now, somewhere in between these guys, we've got Nigel Farage.
CAROLE THERIAULT
Wait, whoa, somewhere in between? This is like Pluto to Uranus.
GRAHAM CLULEY
No, sort of nestled in the nook of Boris Johnson, we have Nigel Farage.

He's the plain-talking, beer-swilling, man of the people who happens to be a commodities broker who wants us to cut ourselves off from the continent at any cost.

And we've also got, let's not forget, the head girl, goody two-shoes, Jo Swinson. She's leader of the Liberal Democrats.

Yeah, she wants to kick Brexit to the curb, snuggle up with Europe, and promise to be their BFF forever.
CAROLE THERIAULT
Okay, so an easier way to put this, if you've got Jeremy and Jo in one corner and you've got Johnson and Farage in the other.
GRAHAM CLULEY
Yeah, well, I don't think Jeremy necessarily is in Jo's corner. It's slightly complicated when it comes to Jeremy.
CAROLE THERIAULT
But we're going to simplify for our listeners.
JOHN HAWES
Nigel and Boris all keep denying that they're each other's buddies, but keep trying to be buddies.
CAROLE THERIAULT
Yeah. Okay.
GRAHAM CLULEY
Anyway, in summary, Brexit's bloody confusing, has divided the country, and is the backdrop for what is probably going to be the most ruthless British general election in our lifetimes.
CAROLE THERIAULT
Okay. Yeah.
GRAHAM CLULEY
And of course, we've mentioned those four people, but let's not even begin to start on what other countries they might have a vested interest in a particular result. Anyway. Yes.

We are recording this week's show on Tuesday, and I've had a crazy day. We were planning originally to record this at lunchtime, weren't we?

And well, that got blown out of the water.

And one of the reasons was that when I got up this morning, news broke that the UK's Labour Party said that they had suffered a sophisticated large-scale cyber attack, in their words.
CAROLE THERIAULT
Do you know, I had a problem with that as soon as I read that, because sophisticated, it takes a while to establish whether an attack is sophisticated.
GRAHAM CLULEY
Right. But so many companies claim it, they've suffered a sophisticated ransomware attack.
CAROLE THERIAULT
I know.
GRAHAM CLULEY
Well, it's like they don't want to say it was a really elementary one, do they?
CAROLE THERIAULT
Nope.
JOHN HAWES
You have to have a computer, which is quite sophisticated.
GRAHAM CLULEY
I suppose.
JOHN HAWES
You can't just do it with a pen and paper.
GRAHAM CLULEY
I suppose not.
JOHN HAWES
It's gonna be tricky.
GRAHAM CLULEY
Well, my phone went crazy at this news. BBC TV News, they wanted to get me to a studio, but I thought, well, we're planning to record a podcast. I can't do that. Sod that.

So we ended up doing it via Skype. And while I was doing it, I was recording this while I was recording their TV slot. My camera started to slide down. It wasn't completely affixed.
JOHN HAWES
And so this doesn't sound very sophisticated. It wasn't.
CAROLE THERIAULT
So you had one of those moments like that guy whose kids came in while he was talking?
GRAHAM CLULEY
It wasn't quite like that, but it was a bit like 1960s Batman where the villains always have a sloping floor on their HQ. So bam, water. Wham! So anyway, not that sophisticated.

Turns out that this attack on Labour wasn't that sophisticated either, because it was a DDoS attack, a distributed denial of service attack, which of course are often powered by botnets of computers around the world clogging up websites and making them fail to work properly.
CAROLE THERIAULT
Yeah, they've been around for more than a decade.
GRAHAM CLULEY
Yeah, yeah, yeah.
JOHN HAWES
Pretty cheap.
GRAHAM CLULEY
Not complicated at all.
JOHN HAWES
$50 for 3 hours or something.
GRAHAM CLULEY
Well, yeah, exactly. You could just purchase some DDoS time with a PayPal account virtually, couldn't you?

I mean, ironically, Labour were using a DDoS mitigation service called Cloudflare, which many people will know, and they were ultimately able to get Labour back up and running as well.

But there are many DDoS-as-a-service booter sites, so sort of online sites you can go to to sort of purchase a denial of service attack if you wanted to launch one, which are themselves protected by Cloudflare.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
There is some Cloudflare, you know, they're playing both sides of the coin. Yeah, yeah. A bit like Facebook sometimes.
CAROLE THERIAULT
They'd like to say knitting with three needles.
GRAHAM CLULEY
Right. Now, inevitably, there's been lots of talk about who might be responsible for this DDoS attack.
JOHN HAWES
The Libyans.
CAROLE THERIAULT
Farage. Well, he was at the pub one night, had a few too many.
GRAHAM CLULEY
A bit drunk.
CAROLE THERIAULT
And he goes, I got an idea.
GRAHAM CLULEY
I got an idea.
CAROLE THERIAULT
Like I could do this.
GRAHAM CLULEY
Well, it could have been them. It could have been— maybe it was Russia, because of course Russia might have a vested interest in the pro-Boris party.
CAROLE THERIAULT
You're always blaming Russia for everything.
GRAHAM CLULEY
Oh yeah, bless them. Yeah, maybe it's the French. Maybe the French just don't like us. I mean, they're still technically at war with us 300 years later, aren't they?

Maybe it was Boris himself.
JOHN HAWES
But do any of these people have a vested interest in slightly embarrassing Jeremy Corbyn?
GRAHAM CLULEY
Well, maybe they didn't know how embarrassing. Maybe they thought if we knock out Labour's digital campaign, they won't be able to do anything.

They won't be able to move and motivate their forces and get them, you know, canvassing wildly for Jeremy and his potential referendum.
JOHN HAWES
Definitely not sophisticated then.
GRAHAM CLULEY
Not that sophisticated. Maybe it was Boris himself. Remember Boris was getting private technology lessons from Jennifer Arcuri when he went round to her flat.

That was the claim at least. Maybe it was kids, 'cause it could be a kid, right? With a DDoS attack.
CAROLE THERIAULT
It could be a kid. Hey, Graham, Graham, Graham. You digress. So, so the Labour Party got hit by DDoS.
GRAHAM CLULEY
Yes, yes.
CAROLE THERIAULT
And it wasn't anything complicated or, did they steal anything? No, the DDoS doesn't steal anything. It just brings down services. So why did they go public?
GRAHAM CLULEY
Well, yeah, good question, I think, is should they have gone public about it? Should they have been so loud about it?

I certainly think they tried to make a little bit of political capital out of it with the suggestion that maybe they were being targeted, whereas they didn't really know whether it was gonna be a 14-year-old kid or not who had done it against them.
CAROLE THERIAULT
Okay, but really, do you think that's a good PR strategy to say, let's go out there and say that we've been targeted? Because then what, you get more headlines?

You get more inches in the papers.
GRAHAM CLULEY
We know what they got more of.
CAROLE THERIAULT
What?
GRAHAM CLULEY
They got more DDoS attacks because then it appears other people thought, well, little kids thought, oh yeah, that'd be a laugh, wouldn't it?

Let's have a go at Uncle Jeremy with his political party. Let's launch a DDoS attack against him. So others began to do it as well.

Any script kiddie with a botnet decided they could have a go and sort of encouraged, I think.
CAROLE THERIAULT
You can see the IT guy calling up Cloudflare going, hi, so we just need to have a few, a bit of ramp up.
GRAHAM CLULEY
So I think maybe the truth was that it didn't have that much impact on them for a relatively short time.

And many companies up and down the country are being affected by DDoSes every week, right? And maybe they were a bit too quick and maybe they did over-egg what happened.

And then the media of course were getting really excited about the fact that it could be a state-sponsored attack. Seems in truth it was very unsurprising.
CAROLE THERIAULT
This is tricky. This is tricky, right?

'Cause in a way I'm kind of happy that they came out and said, "Hey guys, we're having a problem." I don't like that they said sophisticated without actually looking at it.

That seems a bit early in the game. I think anyone who uses any adjectives they can't defend, you know.
GRAHAM CLULEY
It seems to be the habit though, isn't it? Whenever a security incident does occur, people love to say sophisticated.

They said it with TalkTalk, for instance, which was sophisticated.
CAROLE THERIAULT
Do you remember when APT came out as the new term?
JOHN HAWES
What was it?
CAROLE THERIAULT
Advanced? What was it? What's it stand for?
GRAHAM CLULEY
Persistent threat.
CAROLE THERIAULT
Persistent threat. And that was a way of basically saying, yeah, we got screwed by some—
JOHN HAWES
A thing.
CAROLE THERIAULT
A thing that we couldn't stop.
GRAHAM CLULEY
You can't blame us because it was advanced and it was persistent and it was a threat.

And coincidentally, the same day they announced this problem, there was an exclusive report in the Times newspaper saying that they had stumbled across a data breach on the Labour website.

Now, I don't think this is connected at all, and I don't actually think that the Labour website was hacked.

What it appears they had was they had an online donation tool and it was generating an RSS feed containing people's names and the sums of money which they had donated to the Labour Party via this page.
CAROLE THERIAULT
They must have clicked a box saying, I don't mind everyone knowing.
GRAHAM CLULEY
Well, I hope that's not how The Times portrayed it. The Times say that the form asked for people's first names, but a number of people also entered their surnames.

And that's why it ended up on the RSS feed.
JOHN HAWES
This was going out to anybody that subscribed to the feed, got a list of everybody that donated to the party.
GRAHAM CLULEY
I think that is basically the sum of it.
JOHN HAWES
That's not really a breach, that's just a boob.
GRAHAM CLULEY
And there'll probably be plenty more boobs.
CAROLE THERIAULT
It's gonna be boobtastic.
GRAHAM CLULEY
Boobtastic election, which the tabloids are going to love, aren't they?
JOHN HAWES
It already has been.
GRAHAM CLULEY
John, what have you got for us this week?
JOHN HAWES
Well, so I wanted to talk about Apple's sexist credit card.
CAROLE THERIAULT
Okay, not controversial.
JOHN HAWES
Well, no, actually a little.
CAROLE THERIAULT
Oh.
JOHN HAWES
So I'm not sure if you're aware, but Apple has a credit card.
GRAHAM CLULEY
Why? What's the point?
JOHN HAWES
Well—
CAROLE THERIAULT
To buy stuff, Graham. That's what credit cards are for.
JOHN HAWES
It's very Apple-y.
GRAHAM CLULEY
Oh, okay.
JOHN HAWES
It's laser-etched. White titanium.
CAROLE THERIAULT
Oh, it's sexy.
JOHN HAWES
It's very slick and shiny. Very Apple-y. If you're the kind of person that likes Apple stuff, you probably want one of these.

As I say, white titanium with a name and a little Apple logo and the little chip and pin thing on it. There's no numbers. There's no numbers. It's just smooth.
GRAHAM CLULEY
Okay, well it's cool not having numbers maybe if you lose it. But if you're such an Apple fan, why wouldn't you just use Apple Pay?
CAROLE THERIAULT
Aha!
GRAHAM CLULEY
Oh, okay.
JOHN HAWES
Because the idea is you can't apply for the credit card through any other means than through your iPhone or Mac.
CAROLE THERIAULT
Right. Okay, so only Apple users can get an Apple Card? Yes, okay.
JOHN HAWES
It's proof that you're not just a person that likes Apple stuff, that you actually have Apple stuff.
CAROLE THERIAULT
Oh, okay.
GRAHAM CLULEY
So it's like your cult membership card.
CAROLE THERIAULT
Yeah.
JOHN HAWES
Right. And yeah, I don't know if they could be—
CAROLE THERIAULT
Are you wearing a black cashmere turtleneck? Check.
GRAHAM CLULEY
Exactly. Anyone can go out and buy a cashmere turtleneck these days, and people might think that you have an Apple Mac.
CAROLE THERIAULT
Yeah. Soy flat white? Check.
JOHN HAWES
Getting the Apple Card? Much more difficult.
GRAHAM CLULEY
Right.
JOHN HAWES
Although apparently the white titanium does get discolored if you put it in a leather wallet or a jean pocket, which is a little disappointing.

But yeah, so they describe it as a new kind of credit card. It's created by Apple, not a bank.
GRAHAM CLULEY
Mm.
CAROLE THERIAULT
What could go wrong, right, Graham?
GRAHAM CLULEY
Yeah, so what's this? But you say it's sexist.
JOHN HAWES
Well, so it's not even a new thing. I think they announced it back in March. It was available sometime August, but suddenly in the last week or so, it's been all over the headlines.

So about a week ago, a chap called David Heinemeier Hansson, who's a Danish tech entrepreneur, best known as the creator of Ruby on Rails.
GRAHAM CLULEY
Oh yeah, right.
JOHN HAWES
Yeah.

So he tweeted, which is how news happens these days, that he applied for one of these cards and also his wife applied for one and he got a credit limit approved, which was 20 times higher than his wife.
CAROLE THERIAULT
20 times?
JOHN HAWES
20 times.
CAROLE THERIAULT
So if hers was, if hers was 5 grand, his would be 100?
JOHN HAWES
Yes.
CAROLE THERIAULT
Oh my gosh.
GRAHAM CLULEY
Yeah, but they might have different credit histories.
JOHN HAWES
Well, no, they claim they've shared everything together forever and ever. He's Danish, he's been living in America for I don't know, 10, 12 years or something.

She says, oh, my credit limit's actually higher than his, so I don't know why I've got a lower than his. And then Apple co-founder Steve Wozniak, Woz, cuddly Woz.
CAROLE THERIAULT
Yes.
JOHN HAWES
He stepped in and said, oh, same thing happened to me. I got 10 times more than my wife, despite, you know, everything we have is shared, is mutual.

So we should have exactly the same kind of credit limit.
CAROLE THERIAULT
So we have two quite big characters in the tech world basically saying, we're confirming this has happened to us.
JOHN HAWES
Yes.
CAROLE THERIAULT
And that they're in the cult. That's also what they're telling everybody.
JOHN HAWES
Well obviously, I mean, Steve Wozniak is, well, he is officially still an employee of Apple.
GRAHAM CLULEY
Is he really?
JOHN HAWES
1985, he stepped down, but apparently he's a ceremonial employee.
GRAHAM CLULEY
Bless him.
JOHN HAWES
I don't know what ceremonies he does.
GRAHAM CLULEY
Like a ceremonial goat.
JOHN HAWES
Yeah.
GRAHAM CLULEY
So, yeah, so what's this about? Right.
JOHN HAWES
Yes. Then somebody from the New York State Department of Financial Services tweeted saying, oh, this sounds like it all sounds awfully dodgy. We will investigate.

And now suddenly there's headlines all over the world saying, oh, Apple's credit card massively sexist and Department of Financial Services is launching a probe.
GRAHAM CLULEY
So what, two people can tweet that their wives appear topless?
CAROLE THERIAULT
Not just anybody though. People that have a lot of followers.
GRAHAM CLULEY
I'm surprised that starts off a huge investigation if these people haven't even formally complained.
JOHN HAWES
Also, it's not necessarily a huge investigation. It's just somebody tweeting, oh, we'll have a look. Oh, yeah. Nobody has said we are launching a massive probe here.

They've just said, oh, that sounds interesting. Let's have a look. Yes. I happen to work for the Department of Financial Services.
CAROLE THERIAULT
Not everything's dealing with Apple.
JOHN HAWES
I'm not necessarily qualified to say we're launching a massive probe right now.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Right.
JOHN HAWES
Anyway, so then.
GRAHAM CLULEY
Oh my goodness. Yes.
JOHN HAWES
People kind of think about this and hang on. So even though Apple's card says it's created by Apple, not a bank.
GRAHAM CLULEY
Yeah.
JOHN HAWES
Obviously it is a credit card. So it has to actually be provided by a bank of some kind. Which in this case is Goldman Sachs.
CAROLE THERIAULT
So they're backing it. They're backing all the money and they're backing the background vetting.
JOHN HAWES
They're doing the credit card basically. Apple is creating it in the sense of designing what it looks like. Everything else is Goldman Sachs.
GRAHAM CLULEY
I can't help but notice that in the name Goldman Sachs is the word man, of course. Possibly a slightly sexist organization.
JOHN HAWES
Very. Also known as the vampire squid. And, you know, mainly an investment bank, so not with much history of consumer credit card business.

So maybe they didn't really know what they were doing, whatever.
CAROLE THERIAULT
2008 was a bit rough.
JOHN HAWES
In the last couple of days, Goldman Sachs put out a statement again on Twitter, obviously.
CAROLE THERIAULT
It's so weird, isn't it?
JOHN HAWES
With this, you know, starts off with the typical, you know, your concerns are important to us, we take them seriously, all that stuff, blah blah.

But they also said, we do not know your gender or marital status.
GRAHAM CLULEY
I think we know Woz is a man.
JOHN HAWES
Blah, blah, blah, blah.
GRAHAM CLULEY
And we believe him when he says he's married.
JOHN HAWES
And they also say that some customers have told us they've received lower credit lines than expected.

In many cases, this is because their existing credit cards are supplemental cards under their spouse's primary account.
CAROLE THERIAULT
Okay, so they're basically saying, look, there are reasons we're doing this. It's not all black and white like you think. There's complications. Yeah. Okay.
JOHN HAWES
Well, it seems to make sense, except Apple has said they don't offer joint cards. Everyone has to apply individually. You have to do it from your own phone, right?

You can't just fill out a form and say, oh, can I have one for my wife too?
CAROLE THERIAULT
Correct. Gotcha.
JOHN HAWES
You have to do it yourself. So that bit seems to be self-debunking.

And Mrs. Hansson, who described herself as a meek housewife who's not at all keen on publicity, she blogged about the matter and agreed to have the blog reposted on Fast Company.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Or that kind of meek, right?
JOHN HAWES
Basically said, as a female person, I find this quite scary that I'm being offered much less credit limit than my husband just because he's a man, because that's the only difference that they can see between the two of us.
GRAHAM CLULEY
Wait, hang on. This is a bit peculiar. I mean, it's hard to imagine that there's an individual at Goldman Sachs or Apple who's making this kind of decision.

So there probably is a bit of code or something.
JOHN HAWES
That was actually, that was another thing that Mr. Hansson said, that when he did get in touch with Apple, the Apple person said, oh, there's nothing we can do.

It's all about the algorithm. We have no control over this.
CAROLE THERIAULT
No one's looking after that algorithm? No one's there to review it?
JOHN HAWES
Well, that's, this is the problem. So Goldman Sachs, whatever they say about we don't know about your gender status or your marital status, et cetera, et cetera.

All they're doing is buying in a database from Experian or whatever. And they're saying, okay, so if someone has a score of this, then they get this, whatever.

They're reading in somebody else's score that's been applied to you based on data that's been gathered about you from somewhere that you don't know about and that they don't know about and deciding how to interpret it pretty much at random really, because it's the first time they've done it because they've not done a credit card before.
CAROLE THERIAULT
Well, you haven't explained that it's not sexist though.
JOHN HAWES
Well, that's— I'm not saying it's not sexist. I'm not. I'm just saying it's not, it's not Apple that's being sexist. It's not necessarily Goldman Sachs that's being sexist.

It's the whole—
GRAHAM CLULEY
John, I'm gonna put— no, come on. Is this sexism or not?
JOHN HAWES
AI algorithms, machine learning, what they are doing is they're taking in huge amounts of data and they're interpreting it.

They're looking at it and if that data is biased towards a particular gender, then the output of the AI machine learning algorithm is gonna be biased.
GRAHAM CLULEY
And if there is hundreds of years worth of evidence that people with the occupation of meek housewife are worse at paying off their debts than developer of Ruby Rails.
JOHN HAWES
Yeah.
GRAHAM CLULEY
Or something like that.
CAROLE THERIAULT
No, but that's not what they're finding. That's the problem here. They're not finding that. Her credit score was better than his. Isn't that what you said?

Mrs. Hansson's credit score was better than Mr. Hansson's?
JOHN HAWES
She did claim that. Yeah.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So she had a better credit score, yet he got 20 times, not 20%, 20 times more money. And now all this is not real money, this is just a loan, right, from someone.

God knows what the interest rate is with the Apple Store. It's probably 25% APR just to have the cool tech in your hand.
JOHN HAWES
Oh, they claim it's very good.
CAROLE THERIAULT
Okay, well, maybe I should get one. Guys, I kind of think you guys are outrageous. You're both a bit outrageous, actually. If it was the other way around, you'd be freaking out.

You'd be freaking out.
JOHN HAWES
I think, I think a lot of people—
CAROLE THERIAULT
If your wives went out and got 20 times the money on their credit limit and you didn't, I wouldn't be aware. You would when you got the bills.
GRAHAM CLULEY
Is this all just a fuss because it's the Apple Card, which doesn't have a number and it is laser etched? And I wonder if this actually also happens on plenty of other cards.
CAROLE THERIAULT
Yeah, that's a really good point, Graham.
GRAHAM CLULEY
And people are just creating a fuss because it's got the word Apple attached.
JOHN HAWES
That's exactly what I was trying to say, is that it's not Apple that's doing this. It's not even Goldman Sachs that's doing this.

It's whoever is providing them with, this is your credit rating data. Which is based on, you know, whatever they can find out about you, or they can be asked to find out about you.

Maybe they're not, you know, going around to your house and looking through your bins.
CAROLE THERIAULT
Yeah. In other words though, this could be a much bigger problem. So Apple may be the tip of the iceberg, but it might be actually systemic across all credit cards.
JOHN HAWES
I think it's systemic across all, anything that involves machine learning, that it has to be fed with data. And the data has to come from people, and people are biased.

And if you have 20 years of historic data from something to base a decision on, you have no way of knowing how much of that data was gathered by racists or sexists or anti-ginger people or whatever.
CAROLE THERIAULT
Right. Well, hey, listeners, you know, follow John's advice. Just who cares? Just deal with it. Buy it. Deal with the bias.
JOHN HAWES
Put your money in gold, bury it at the end of the garden, never spend it. That's not what I'm saying. Have much better stuff to feed your machine learning algorithms.
GRAHAM CLULEY
Why are you pushing gold rather than silver or some other metal?
JOHN HAWES
Okay, tin. Tin works very well. As a West Country lad, do it in tin.
GRAHAM CLULEY
Or Cornish pasties?
JOHN HAWES
No, don't bury pasties. Do not bury a pasty.
GRAHAM CLULEY
Carole.
JOHN HAWES
Sorry, yeah, carry right on.
GRAHAM CLULEY
Carole, what have you got for us this week? Sweet.
CAROLE THERIAULT
Okay, well, first listen to this sound. Are you intoxicated by this sound? Do you feel it's mocking you with its joyous tweet tweet? It is, of course, the nightingale.

Ah, a brown thrush. And it's often referred to in poetry because it's the male bird's sweet, sweet, intoxicating nocturnal song that they refer to.
JOHN HAWES
They don't refer to it as a brown thrush though.
CAROLE THERIAULT
No, no, they tend to avoid that. Yeah, brown bird. How about that?

Now I'm speaking of the nightingale because Google has a new secret project that's come to light called Project Nightingale. And I mean, what are they trying to say?

That Google are our nightingale? That they have so intoxicated us with their free services that we can't think straight?
GRAHAM CLULEY
I expect they're not trying to say that. I expect that would be a bad marketing message.
JOHN HAWES
Are they trying to sing us to sleep?
CAROLE THERIAULT
No, you probably haven't heard of Project Nightingale, but don't worry, it's only hit the streets this week.

The Wall Street Journal published an explosive article on the company's new foray into private medical data.

So in an exclusive interview penned by Rob Copeland, we learned that Google had teamed up with Ascension Health to secretly collate and crunch personal health information of millions of Americans across 21 states.

Who is Ascension, you ask?
GRAHAM CLULEY
Who is Ascension?
JOHN HAWES
I was asking.
CAROLE THERIAULT
Well, they're only the second largest nonprofit health system in the states, and their strapline on their homepage is, we are Ascension, driven by compassion and a dedication to provide personalized care for all, especially those most in need.

Now, it turns out when they say personalized, they mean it.

So Google have been reportedly mashing personal health information, such as diagnoses, laboratory test results, hospitalization records, basically a complete health history, including patient names and date of birth.

And get this, the Wall Street Journal says neither patient nor doctor were notified.
JOHN HAWES
Ooh.
CAROLE THERIAULT
Whoa, right?
GRAHAM CLULEY
Sounds rather suboptimal.
CAROLE THERIAULT
Totally. So I did, of course, you know, I went and looked at the HIPAA privacy rule because that's what regulates—
GRAHAM CLULEY
You know how to have a good time. And thank goodness, Carole, that you are on our podcast and you are the person who reads the terms and conditions. You read the privacy policies.
CAROLE THERIAULT
I just looked at the summary this week. I was busy.
GRAHAM CLULEY
So that's more than any of us, the rest of us would do. All right, good.
CAROLE THERIAULT
A major goal of the HIPAA privacy rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare.

So you can already see the push-me-pull-you happening here, right? No, well, I also get it, right?

You want to protect the identity of the person, but you also want to say, look, I've got someone here having a triple bypass, I need some help.

Here's the stats, here's his blood type, what can I do? So I can understand that.

Now, the Wall Street Journal reported that Ascension employees raised questions about the way the data was being collected and shared, but privacy experts said it appeared to be permissible under federal law because the HIPAA Act, which came into effect in 1996, apparently, quote, this is from the Wall Street Journal, generally allows hospitals to share data with business partners without telling patients, as long as the information is used only to help the covered entity, which would be the hospital, carry out its healthcare functions.
JOHN HAWES
Help is the important word there.
GRAHAM CLULEY
So people raised an alarm. People said, oh wait, should we really be doing this?
CAROLE THERIAULT
Should we be sharing Joe Schmo's private hospitalization records with Google?
GRAHAM CLULEY
And they were told, hush, hush, hush, hush.
CAROLE THERIAULT
Yes, hush, hush. Shh, shh, shh, shh. Don't speak. I know just what you're thinking. Yeah. That's what happened. Now, why didn't Google want to tell anybody?

And they probably didn't want to tell anyone because they didn't want their competitors alerted.

Because this must be a sword in the sides of Google's competitors, namely Apple, Microsoft, and Amazon, all of whom are also aggressively pushing into the health market.

Now, do you guys remember? I'm just going to take a left slant here.
JOHN HAWES
Oh yeah.
CAROLE THERIAULT
Do you guys remember a few weeks ago, a few weeks ago, Google bought Fitbit for $2.1 billion. Oh yes. $2.1 billion. Okay, now please don your conspiracy hats.

I have one for you to noodle on. So guy buys Fitbit gadget, right? Guy enters in all his data, right?

So his height, his weight, where he goes, how fast he got there, what method of transport he used, how much sleep he got. Graham, you had one, didn't you have one of these?
GRAHAM CLULEY
I didn't have a Fitbit, no. I had something from another manufacturer. But there are a lot of these things around, aren't there?

I remember there was a few years ago, I can't remember if we spoke about it, there was the Icon Smart Condom, for instance. Do you remember that?

And what it did was it— you were able to track the exercise of your man bits. And it would also detect chlamydia and syphilis and even had a micro USB port. So you could charge it.
JOHN HAWES
Yeah, you wouldn't want it running out, would you?
CAROLE THERIAULT
Mid-session. So there you are. Guy's bought the Fitbit gadget, paid money for it, entered in all his data, right?

And then the Fitbit gadget company somehow amasses all of Guy's personal data over the years and months he's used this little gadget.

And Fitbit's done this to millions of others out there as well. And then Fitbit decides to start flirting and sassing in front of some of the high rollers like Google. Right?

Flashing a thigh full of PII. Butt cheek of biometrics.
GRAHAM CLULEY
Oh, right. Yes.
JOHN HAWES
Good.
GRAHAM CLULEY
Very good, Carole. Must have taken you hours. No wonder you're busy today.
CAROLE THERIAULT
Oh, about a minute. About a minute. Now, one of my Fitbit friends— I have a few, and I can speak for them.
GRAHAM CLULEY
Oh, right.
JOHN HAWES
Okay.
CAROLE THERIAULT
Yeah. So my best friends are Fitbit people. Said that they've never even thought to remove it when they were, you know, doing the five-knuckle shuffle stuff, pooping, right?

So they deem— he deems he probably has all those behavioral biometrics as well.
GRAHAM CLULEY
Okay, I see that 10 times a day you appear to be running vigorously.
CAROLE THERIAULT
Okay, breathe, breathe. We don't want you to die.
GRAHAM CLULEY
I'm very funny.
CAROLE THERIAULT
Okay, here's a serious question, serious question. So $2.1 billion.

How much of that do you think has basically been given to Fitbit for the data that Fitbit has collected throughout the years and processed at the user's expense effectively?

Because some people actually pay more, right? They paid for additional services so they can give even more intrusive data to Fitbit.

So people have actually paid monthly services to Fitbit when they're using it. So in other words, think about it, right?

How valuable would Fitbit have been if they could sell themselves without any data, right? Without the data at all. And I get it, right?

I get the service becomes moot because without the data history, you don't want to use it as a user, right? You don't have any service.

You can't, you know, you'd cry because it's like, oh, my big records with my Five Knuckle Shuffle. You know, I've lost all that.
GRAHAM CLULEY
So surely Fitbit users have the right and ability to log into their account and wipe it out, don't they? Do they? If they felt strongly enough about it. I'm sure many wouldn't.
CAROLE THERIAULT
I'm sure it's really simple to do as well.
JOHN HAWES
And also, what proportion of Fitbit users actually paid any attention to the news in the Financial Times that Google had bought a stake in their company or whatever?
CAROLE THERIAULT
But I have a solution. Unlike John, who delivered a story with just doom and gloom saying, yeah, well, there you go. The bias is there. Right? I have a solution.
GRAHAM CLULEY
Thank you, Carole.
CAROLE THERIAULT
Okay. So when a company sells itself, I say a third party has to value the company with and without its collated data from its big mass of users.

And the company value associated with the collected user data, so basically the money that they make because they're snarfling up all the user data, should be distributed amongst the users who gave that data.

So effectively, like a financial shareholder system, but with information.

So you've given us free information, we've become billionaires off your back, here's a little kickback, thank you very much. It's pretty good.
GRAHAM CLULEY
Well, that sounds wonderful, Carole. Can you imagine any companies doing this?
JOHN HAWES
Yes. Oh, excellent.
CAROLE THERIAULT
Go, go do it, people. Prove me right.
JOHN HAWES
And what are people going to do with this data once they've become owners of it again?
CAROLE THERIAULT
Well, they're owners that can lease out their data when they put it into these services.

Rather than services saying, hey, here's a little shiny thing you can wear on your wrist that helps you keep fit, which was the sales pitch, and people put it on and they use it and all that data gets amassed, now it's being used in ways that they didn't ever predict beforehand.

Don't you think they should be asked, going, oh, by the way, you gave us, you lent us this information, do you mind if we sell it on?
JOHN HAWES
You're thinking people would get some money out of this? They'd be saying, oh, you've been wearing this pedometer for 6 months. You can have—
GRAHAM CLULEY
You can't say pedometer.
JOHN HAWES
We're not allowed to say pedometer? What, they get like 0.3 cents or something for their 6 months of walking time?
CAROLE THERIAULT
I used to have Irwin Toy Shares when I was a kid and I would get something like 61p a quarter.
JOHN HAWES
That's pretty good going. Very nice.
CAROLE THERIAULT
Thank you, Grandad. Yes.
GRAHAM CLULEY
Well done, Carole. Good to see a—
CAROLE THERIAULT
It's a great suggestion, and I look forward to hearing the first companies that take it on. Yes.
GRAHAM CLULEY
And well done you for coming up with a topic where you have some positive advice at the end. A suggestion, unlike you, John. You could learn something from that, John.

You could learn something from that.
JOHN HAWES
Can I just put a slight downer on this one?
GRAHAM CLULEY
Oh, I thought you would.
JOHN HAWES
Well, not in a— but in a positive way.
GRAHAM CLULEY
You're going to put a downer in a positive way. This will be interesting. With a smile. We'll be the judge of whether this is done in a positive way or not.
CAROLE THERIAULT
Fuck my life.
JOHN HAWES
Look, Google, what Google is doing here, right, is trying to amass massive amounts of data about people's walking and wanking habits and making use of it to analyze the human and be better at spotting when something weird's happening with your butt or whatever.

You're sick. And we can tell because 10 million other people, when they suddenly, their left knee went wobbly, a month later developed, I don't know, some horrible brain disease.

And they're doing that for the good of humanity to be able to, it's not ideal that Google's doing it. It should be someone, it should be governments and universities really.

But somebody has to be doing it.
CAROLE THERIAULT
No, no, exactly. That's the sales pitch too, right? That's what Ascension and anyone else who partners in this way with other companies, tech companies, are gonna say to you.

They're gonna say, look, this saves lives. That's why you wanna do this, right? And that is the sales pitch.

But the other side, the flip side of the coin is, well, when is it gonna be that insurers get access to the data and can deny you?

Or when is it when employers get access to this data and they decide, oh wow, you're gonna be, you're at risk of Parkinson's, so we're not gonna hire you.

I see how it's going to be sold to us as a really great thing, but I don't hear enough about how the flip side, when it's going to be misused and how we're going to—
JOHN HAWES
Yeah, I don't imagine Google saying that to people.
CAROLE THERIAULT
Here's a really serious point, Graham. I didn't smile once.
GRAHAM CLULEY
Well, lots of gravitas. Well done.
CAROLE THERIAULT
Gravitas. That's me. Middle name.
GRAHAM CLULEY
Gravity-ass.
CAROLE THERIAULT
Okay, hand on heart time. How many of you can say that your password hygiene is squeaky clean? If you're feeling it could use a tune-up, maybe check out LastPass Enterprise.

With central admin oversight, controlled shared access, automated user management, you help every employee become part of your security solution.

Find out more at lastpass.com/smashing.

Plus, I would like to extend a personal invitation to an upcoming LastPass event on Wednesday, November 27th in the wonderful city of Manchester.

Occasional Smashing Security guest host Jessica Barker and yours truly are going to be talking about all things security related. We would love to see you there.

Check out the registration page on lastpass.com/Manchester. On with the show and welcome back.
GRAHAM CLULEY
And you join us on our favorite part of the show, the part of the show that we like to call pick of the week.
CAROLE THERIAULT
Pick of the week.
JOHN HAWES
Pick of the week.
GRAHAM CLULEY
Pick of the week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like.
JOHN HAWES
Have you ever had a record?
GRAHAM CLULEY
Yes, I have actually, yes.
JOHN HAWES
Vinyl?
CAROLE THERIAULT
After 154, you've had everything.
GRAHAM CLULEY
Doesn't have to be security related necessarily.
CAROLE THERIAULT
Should not be.
GRAHAM CLULEY
And my pick of the week this week is a podcast. I was going up to a conference up north in Cheshire and I had to entertain myself listening to something.
CAROLE THERIAULT
Is it Smashing Security?
GRAHAM CLULEY
Not Smashing Security.
JOHN HAWES
No, no, no. That's security related, surely.
GRAHAM CLULEY
We have had people come on and recommend their own podcasts in the past, of course, during the Pick of the Week.
CAROLE THERIAULT
It may not be the right forum for this one.
GRAHAM CLULEY
No, the podcast which I listened to is called The Missing Crypto Queen.
CAROLE THERIAULT
Ah, darn it, I was supposed to listen to that. Yes, you were.
GRAHAM CLULEY
I did tell you.
CAROLE THERIAULT
I'm sorry, you did tell me.
GRAHAM CLULEY
Yes, I did.
CAROLE THERIAULT
I've been very busy.
GRAHAM CLULEY
Well, you know what, Carole? I've been very busy, but I've watched two of your art documentaries on YouTube.
CAROLE THERIAULT
Aren't they great?
GRAHAM CLULEY
They are wonderful. I'm really loving them. So if anyone hasn't checked out your pick of the week from last week, go and do that.
CAROLE THERIAULT
It was a doozy.
GRAHAM CLULEY
Anyway, The Missing Crypto Queen is a fascinating podcast about the millions of people who invested huge amounts of money in a bogus cryptocurrency called OneCoin, and how they used a cult-like multi-level marketing operation to get other people to give all of their earthly belongings and invest them as well.
CAROLE THERIAULT
Ooh, so why didn't you tell me that when you were telling me listen to it? All you said is listen to this.
JOHN HAWES
Yeah, yeah.
GRAHAM CLULEY
Okay, so the interesting thing about OneCoin was it turned out it didn't have a blockchain. It was a cryptocurrency without a blockchain.

If you bought some OneCoin, what that gave you was access to a website which told you there was a number on the website which showed you what the value of OneCoin was.
CAROLE THERIAULT
Are you kidding?
GRAHAM CLULEY
Every day the number would go up and you would think, "I'm going to be so rich." And then you'd get all of your friends to buy OneCoins and you would make more money that way and you'd get more and more OneCoin.

This was all being masterminded by a woman called Dr. Ruja Ignatova, who was very public and giving presentations. And then a couple of years ago, she vanished.

And the big question of the podcast is why did she vanish and where did she go?
CAROLE THERIAULT
And what happened to her?
GRAHAM CLULEY
Jamie Bartlett from the BBC presents this story, and it is fascinating. At the end of every episode, there's a cliffhanger and you go, oh, you're thinking, what is going to happen?
CAROLE THERIAULT
No, I don't think any human would make those noises, but yeah, maybe a whale.
GRAHAM CLULEY
But it takes you all around the world. At one point you're in a sort of marina filled with luxury yachts because they're trying to track her down.

Then there's a Romanian beauty pageant being run by the OneCoin cryptocurrency.
CAROLE THERIAULT
Okay, I'm totally, I'm gonna totally download this. I love this. It sounds great.
GRAHAM CLULEY
I really recommend it.

No spoilers, but it was put together by the BBC, but you will find it in most good podcast apps as well as BBC Sounds, and it's called The Missing Crypto Queen.
JOHN HAWES
Cool.
CAROLE THERIAULT
Great suggestion. Okay, it sounds great.
JOHN HAWES
Sounds interesting.
CAROLE THERIAULT
Looking forward to it. Yeah.
GRAHAM CLULEY
John, what's your pick of the week?
JOHN HAWES
So I want to talk a little bit about a TV show which is on Amazon Prime. I assume you can just kind of rent it from Amazon too, if you don't like the Prime thing.

It's called Undone and they actually describe it in the blurb on the Amazon page as genre bending, not gender bending, genre bending.
CAROLE THERIAULT
It really is.
JOHN HAWES
It's really well written and it's really, it's kind of, it's interesting and there's good characters and there's good dialogue.
GRAHAM CLULEY
What's the premise of the show though, John?
JOHN HAWES
Well, exactly, it's bonkers. So it's a kind of relationship stroke personal drama about a young lady in Texas who's got a boyfriend and has had a car crash and her dad's died and—
CAROLE THERIAULT
Basically, is she losing her mind or she got secret powers?
GRAHAM CLULEY
Exactly. Thank you.
JOHN HAWES
When I looked this up though, it's on Wikipedia. It's in the mental illness in television category, which is very underpopulated.

It only has 10 entries, but it includes Legion, which is a great, great show. Flowers, which was also excellent. Nighty Night, which is great. Mr. Robot.

I'm not sure how that's not strictly supposed to be there, I guess. But yes, there is a, there is a kind of a, you know, it is she crazy or is she time traveling? Nobody knows.

There's a whole thing about that. But for me, I mean, the main thing about it is the, just the look of it. It uses rotoscoping.

So like coloring in of, so filming actual live people and then drawing over them afterwards, like, the famous A-ha Take on Me video, the 1970s Lord of the Rings movie, which was also great.
GRAHAM CLULEY
Yes, I remember that.
JOHN HAWES
Apparently the lightsabers in the original Star Wars movies, they did like that too.
CAROLE THERIAULT
Oh really?
JOHN HAWES
Yeah, so someone was— they were just carrying sticks and then someone drew over them frame by frame.
GRAHAM CLULEY
And someone said, why did we film it like this? This looks ridiculous.
JOHN HAWES
Why didn't we just have glowy sticks? They're in every shop, right?
GRAHAM CLULEY
Exactly.
JOHN HAWES
Oh yeah.

And then so the background— so the backgrounds are like either oil paintings and sometimes they're cartoons and sometimes they're 3D animations and sometimes it's a mixture of all of them.
GRAHAM CLULEY
And it doesn't feel too gimmicky? It doesn't take away?
JOHN HAWES
No, no, it looks spectacular and it really works with the story because it's all a bit kind of, you know, is this a dream? Is this real?

So the kind of slightly wobbly, slightly weird looking visuals really kind of worked with that. And it's only, it's very short. It's like 8 30-minute episodes.

So 4 hours, you can totally binge it in a night.
CAROLE THERIAULT
Isn't that funny how that's become short to us in this time? It's like, I could do that in a night.
JOHN HAWES
Totally, totally do it in a night. I didn't do it in a night, but I totally could have done. It's very much, you get to the end of each episode, it's like, what the hell is going on?
GRAHAM CLULEY
What's going on? I want to see more.
JOHN HAWES
And I loved it. It was great.
CAROLE THERIAULT
I agree. I've watched it as well. I think it's awesome. And what I liked— I love the rotoscoping as well because that's just underused.

But in this one, it's used quite well and kind of quirkily. But it's the script. It's tight.

And you really, really believe, like, you're really in the situation the characters are finding themselves in.

And the characters are all believable and kind of just a little squiff. And I love it.
GRAHAM CLULEY
And it's called Undone on Amazon.
JOHN HAWES
Yes, Undone. It's on Amazon Prime, Amazon stuff, generally streaming, downloading from Amazon.
GRAHAM CLULEY
Fantastic. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, I got a weird one this week. So I was just mooching along my feeds, right? I have pick of the week feeds.

I don't know if you do, Graham, but you know, it gets hard after 150-something episodes to come up with cool picks of the week. Oh, really? Oh really, you don't have any trouble?
GRAHAM CLULEY
No, never had any trouble at all.
CAROLE THERIAULT
All right, okay, good. So I have a few feeds and I came across this kind of nascent YouTube channel. How often does that happen, right?

Like a tiny little thing with hardly any followers but somehow just as magical in a way. This video, this YouTube video, is all about how to play Monopoly in less than 30 minutes.

Now I love Monopoly, I seriously love Monopoly, but I freaking hate how long it can go. Right? Like I lose the will to live.
JOHN HAWES
It's an all-day thing, right?
CAROLE THERIAULT
I love to finish the game. It can be. And it's so obvious, an hour in or two in the game, who's gonna slam dunk the game, right? You always know who's gonna do it.

And by then you don't care. You're beyond caring. You don't care who's gonna win. You just wanna get outta there.

I lie on the ground just going, "I just don't care." But I can care for 30 minutes. Even I can do that. And this little vid had some very good tips. Now take a listen.

I'm just gonna do a snippet here.
Unknown
Everyone loves a good old-fashioned game night, but when it comes to playing Monopoly, we usually end up hating our friends by the end of the game.

And that's partially because the game lasts way too long. So this video is going to teach you how to play Monopoly in under 30 minutes.

In this video, I'll teach you how to speed up the game, but I assume that you already know the basics of how to play.

My first tip is to draw a question mark on the back of all the chance cards and a CC on the back of all the community chest cards.

Although this might sound silly to do, people always seem to forget which one is which during the game.

Now take all that fake money that comes with the game and toss it out the window.
JOHN HAWES
We're not going to use any of it.
Unknown
We're gonna use poker chips instead, which are much more efficient.

Those fake bills are always hard to count because they stick together and there's never enough of them and they always get lost.
GRAHAM CLULEY
Oh, and you know the other thing? In modern Monopoly sets they only print the denomination of the money on one side, and the other side is blank.
CAROLE THERIAULT
Yeah, because they're so cheap.
GRAHAM CLULEY
It's so cheap. In fact, with a lot of these games now, I will go onto eBay and buy old 1970s versions of the board games because they're so much better quality.
CAROLE THERIAULT
I've done that too, actually.
JOHN HAWES
Scrabble, the old Scrabble board, spectacular.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I'm going to tell you something, okay? And I should have researched this before I got on the call, okay?

But this is a memory of two years ago listening to a podcast, so I may get some facts wrong.

I think it was Stuff You Should Know, and they were doing a podcast about Monopoly, right? Yeah, stuff you should know about Monopoly.

And apparently, if I remember correctly, a woman created the game because she was so frustrated with the banks and the lending system and how the rich got richer and the poor got poorer, and created the game against the capitalists.

And who's the game company that bought it? I can't remember, but that company tried to buy it from her and she said, no, you can't have it, right?

It's to make fun of you, not for you. And so they created, if I remember correctly, a fake persona to buy it from her, and she didn't know it was them.

And they got the rights, and then they created it to this big capitalistic game.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So there you go. Monopoly was really on Bernie Sanders' side. Who knew?
GRAHAM CLULEY
Who would have guessed that? Fascinating.
JOHN HAWES
Does everybody that's involved have to be in on it, or is it—
GRAHAM CLULEY
Are there different rules, Carole?
CAROLE THERIAULT
Yes, there's tiny different rules. So if you watch the video, when you pass Go, you only get $100. So basically the whole game is prolonged by how much money you make.

So you never collect money in the parking section when you, you know, the free parking, you get all the money, you don't do that.
GRAHAM CLULEY
I don't think you were ever meant to get money on free park. I mean, that was a rule we played in our house, but I think that's because they wanted to keep it under an hour.

But I think in the official rules, you don't get money if you land on free parking.
JOHN HAWES
Listen, I think you are wrong.
CAROLE THERIAULT
I think you're wrong.
GRAHAM CLULEY
I think it's an urban myth.
CAROLE THERIAULT
I think you're incorrect. Anyway, I think, you know, anyone who can play Monopoly for 30 minutes, anyone can do that.

And if you have a Monopoly lover in your house, check out the rules and then you can play for 30 minutes and everyone's happy. Win-win.
JOHN HAWES
I think it would be a lot better if you could just rock up at a Monopoly game and everyone else is playing seriously and you force the game to finish in 30 minutes using special talent that you've learned from this YouTube video.
GRAHAM CLULEY
You're so underhand, John.
JOHN HAWES
What? No, not—
CAROLE THERIAULT
No, I feel sorry for your wife. That's what I feel.
GRAHAM CLULEY
So yes, what a way to think. Well, on that controversial note, we've just about wrapped it up for this episode.

John, I'm sure lots of our listeners would love to know more about what you do, but you have no social media presence whatsoever, do you?
JOHN HAWES
No, no, I'm very secretive. I'm just a meek housewife.
GRAHAM CLULEY
But you can follow us on Twitter @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And we're also on Reddit if you want to carry on the discussion up there.

Just look for the subreddit with the name Smashing Security.
CAROLE THERIAULT
And once again, thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.

And thank you awesome, wonderful listeners and Patreon supporters. It would literally be futile and ridiculous for Graham and I to do this show without you.

So thank you for existing. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, later. Cheerio. I can't remember if we spoke about it. There was the iCon Smart Condom, for instance. Do you remember that?

The world's— and what it did was it met— you were able to track the size of your man hand bits. And it would also detect chlamydia and syphilis and even had a micro USB port.

I'm just gonna charge it up.
JOHN HAWES
So, yeah, you wouldn't want it running out, would you? Mid-session.
CAROLE THERIAULT
You know what, for Christmas, for the Christmas special, I reckon we should get out of being timely and just choose one of the best stories of all time.
GRAHAM CLULEY
I think we should just do an unboxing and review.
CAROLE THERIAULT
You can.
GRAHAM CLULEY
Yeah, you can't.
CAROLE THERIAULT
Yeah. Okay.
GRAHAM CLULEY
Ew.
JOHN HAWES
No, let's not. Let's get some bananas in.

Hosts:

Graham Cluley

Carole Theriault

Guest:

John Hawes

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
