A rapping bank worker is accused of stealing from the vault, the devices that can hide your car’s true mileage, and why it may be a case of “No No No” rather than “Ho Ho Ho” when it comes to IoT toys this Christmas.
And as Carole sups the mulled wine, Graham has problems with his internet connection…
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And so when they eventually got around to making Die Hard, they were contractually obliged to give Frank Sinatra first refusal on starring in the movie.
Oh, he was still alive then?
Yes.
It wasn't a Weekend at Bernie's scenario?
No, I think if you're dead, Carole, they don't have to offer you the job.
Right.
Yeah.
Kill me.
You got Tony Bennett wheeling him around Hey Frank, what should we do? What do you say we drop this guy off the side of the building? What do you say, Frankie baby?
Frank doesn't like to talk so much anymore.
Frank doesn't like to talk so much anymore.
Smashing Security, Episode 159: Rap, Robbery, and IoT Holiday Hell with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 159.
My name is Graham Cluley.
My name is Graham Cluley.
159, Graham. Geez. I'm Carole Theriault.
Hello, Carole.
All right, Graham, you sound a bit weird. What's going on?
Where are you calling me from? Well, are you in the loo? I'm at a mystery location. I've been sent somewhere on Her Majesty's Secret Service.
I don't want to go into precise details, but I've ended up in a fairly small room.
I don't want to go into precise details, but I've ended up in a fairly small room.
Are you sitting on a crapper device?
I'm quite comfortable, thank you. I've got everything I should need.
Are you far enough away from home that when you do flush, the water goes in the opposite direction?
Well, look, I don't know how much of this echo you're going to be able to hear, but it is a little bit echoey where I am, yes. And I'll leave the rest to your imagination.
Those dulcet tones were those of Dave Bittner from the Cyberwire. Welcome, Dave.
Hello. It's nice to be back.
We're going to do a gentle episode because Graham's whispering. He's using his whisper shout. Hi, everyone.
Right. It's a special intimate holiday episode of Smashing Security.
Yeah, exactly. Holidays, Christmas, New Year, the whole thing. Yeah. This is actually— I think this is our last episode of 2019, right, Carole?
Oh, you know, before the onslaught of 2020, when we get Brexit done, right? That's what's going to happen.
Oh, it'll be done in no time at all.
And you guys, the voting polls over in the States.
Yes.
I've just been reading that John McAfee has announced he will be running again as an independent.
Well, that's certainly a game changer.
Yeah. I'm going to have a bite of cake right now while you talk about that.
Okay, Carole, as your mouth's full, tell us what's coming up on this week's episode.
It really is full though. Thanks to this week's sponsors, LastPass. Its support helps us give you this show for free.
You can't do the sponsor message where you've got your cake hole filled literally with cake.
I don't like the word cake hole.
They paid good money to promote themselves on our podcast.
Give me a second, I'm just going to have a sip of malt wine.
What?
You're hitting all the food groups there, aren't you, Carole? Cake, wine.
Yeah. Okay, I'm ready. Thanks to this week's sponsors, LastPass. Its support helps us give you this show for free.
Now Graham is gonna tell us why you shouldn't assume that your social network is your private kingdom. Dave is gonna chat about an automotive man-in-the-middle attack.
I'm gonna be all ears. And I'm heading down the IoT toy avenue to see what potholes we should avoid. All this and loads more coming up on this episode of Smashing Security.
Now Graham is gonna tell us why you shouldn't assume that your social network is your private kingdom. Dave is gonna chat about an automotive man-in-the-middle attack.
I'm gonna be all ears. And I'm heading down the IoT toy avenue to see what potholes we should avoid. All this and loads more coming up on this episode of Smashing Security.
Well, chums, there's a few interesting sayings, aren't there? Like the one about you wouldn't put a fox in charge of a hen house, right? Have you ever tried that?
Getting a fox, yeah, saying, look, you've got a new job, come on, you know, act as security at the hen house. You don't do it. It's a disaster, isn't it? Dave, have you?
You wouldn't put a cock in the White House either. You wouldn't put a fox in the hen house. As simple as that. There's a very good reason they can't be trusted, right?
Foxes generally can't be trusted. Or rather, they can be trusted. They can be trusted to behave in a particular way. They can be trusted to do something very, very bad.
Getting a fox, yeah, saying, look, you've got a new job, come on, you know, act as security at the hen house. You don't do it. It's a disaster, isn't it? Dave, have you?
You wouldn't put a cock in the White House either. You wouldn't put a fox in the hen house. As simple as that. There's a very good reason they can't be trusted, right?
Foxes generally can't be trusted. Or rather, they can be trusted. They can be trusted to behave in a particular way. They can be trusted to do something very, very bad.
I wonder how you would do in a pen full of delicious foods and sandwiches and donuts, whether you would be trusted.
So if I was putting a larder full of cheese sandwiches, for instance, right? How well I'd do at looking after them.
Yeah. And keeping them exactly—
There were no adults around.
Yeah. Yeah.
Yeah.
I think nothing needs to be said.
Yeah.
When I was in college, I had a roommate who was a pizza delivery man, and sometimes he would get hungry, so he would slice off a little sliver of one of the slices, and then he'd readjust all the other pieces to try to fill in the missing gap.
When I was in college, I had a roommate who was a pizza delivery man, and sometimes he would get hungry, so he would slice off a little sliver of one of the slices, and then he'd readjust all the other pieces to try to fill in the missing gap.
I love it.
I'm just picturing Graham doing that with a pile of cheese sandwiches. Like, no one will notice. I'll just take this one here. I'll slide these over here. We're good here.
Well, it's something like that, which the FBI— yes, the FBI are now investigating cheese sandwich theft and pizza slice theft.
The FBI claims has happened in Charlotte, North Carolina, because a 29-year-old bank employee of the Wells Fargo Bank, he has been charged with stealing $88,000 from the bank's own customers.
The FBI claims has happened in Charlotte, North Carolina, because a 29-year-old bank employee of the Wells Fargo Bank, he has been charged with stealing $88,000 from the bank's own customers.
Well, that means from the bank, surely, right?
Well, yes, that's the interesting thing, isn't it? When you give money to a bank, you know, you've only got their word for it really that it's still your money.
You've basically given them money, haven't you? You're kind of loaning it to them really, and you hope that when you come back and ask for it, that they've still got it.
Well, yeah, so he was pinching this money, allegedly, I should say.
You've basically given them money, haven't you? You're kind of loaning it to them really, and you hope that when you come back and ask for it, that they've still got it.
Well, yeah, so he was pinching this money, allegedly, I should say.
Okay, how did he do this? How did he do this?
Okay, his name is Arlando Henderson. And he was effectively given the keys to the vault by the bank itself.
What he would do, one of his jobs was that people would come into the bank and they would bring in a big pile of cash, right?
So I imagine there are some businesses which aren't getting the money electronically, aren't getting it on checks, but are getting it in a big sort of wodge, right?
You get a great big bag full of cash, you plonk it down on the bank and say, thank you very much.
What he would do, one of his jobs was that people would come into the bank and they would bring in a big pile of cash, right?
So I imagine there are some businesses which aren't getting the money electronically, aren't getting it on checks, but are getting it in a big sort of wodge, right?
You get a great big bag full of cash, you plonk it down on the bank and say, thank you very much.
That happens to Dave every Friday, right?
I was thinking about the time you spent working in that gentleman's club, Carole. Shush.
And yeah.
And this is what it's like to do a podcast with two middle-aged white men. I'm just kidding. I'm just kidding. Wow.
Seasonal.
Yeah.
So I think people in those circumstances, they expect the bank to be trustworthy, don't they? So I think people don't actually count the money, right?
They just bring in a bag of cash and say, I want to deposit this. And the bank's machine goes counting up all of the money, all of the coins, working out what the total is, right?
And then the person behind the desk says, oh yes, that's, you know, £17,027. Well, no, it wouldn't be pounds and cents, would it? We haven't quite arrived yet.
They just bring in a bag of cash and say, I want to deposit this. And the bank's machine goes counting up all of the money, all of the coins, working out what the total is, right?
And then the person behind the desk says, oh yes, that's, you know, £17,027. Well, no, it wouldn't be pounds and cents, would it? We haven't quite arrived yet.
No, it would be real money.
So, yes, exactly. That isn't real money anymore. So $17,000 or something like that, right? And off you go and you think, well, marvelous.
You know, my bank account has been credited to that amount.
Now, Orlando Henderson, according to the FBI, was being a little bit naughty, and what he was doing was he would take that big bag of cash, he would put it through the machine, the counting machine, and then he would say to the person, "It's not $17,033.
Instead, what you've got here is maybe $10,033," and then he would take off the $7,000 himself.
You know, my bank account has been credited to that amount.
Now, Orlando Henderson, according to the FBI, was being a little bit naughty, and what he was doing was he would take that big bag of cash, he would put it through the machine, the counting machine, and then he would say to the person, "It's not $17,033.
Instead, what you've got here is maybe $10,033," and then he would take off the $7,000 himself.
Okay, I used to do this when I was a waitress, right?
So you used to do what?
At this particular restaurant I worked at, we had to share the tips with everyone in the restaurant, including the bosses, which I found unfair.
So yeah, I would basically shove my pockets with any of the change that I got.
Now, it wasn't a lot of money, it wasn't a big fancy place, but yeah, say you'd gotten, you know, I don't know, $20 during that night, you would try and pocket 4 or 5 for yourself.
So yeah, I would basically shove my pockets with any of the change that I got.
Now, it wasn't a lot of money, it wasn't a big fancy place, but yeah, say you'd gotten, you know, I don't know, $20 during that night, you would try and pocket 4 or 5 for yourself.
I was in college, I was a waiter. I was actually a singing waiter on a lunch and dinner cruise boat, which is a whole other story. Of course you were.
But we had to share our tips with the— I'll wait while Graham—
But we had to share our tips with the— I'll wait while Graham—
Sorry. I'll grab a picture of Graham.
Don't fall off the loo.
Don't fall off the loo. Yeah, I'll just wait. I'll wait. Are we good?
Okay, yeah, we're good. I'm just imagining it.
Yeah, so it's everything that you're imagining and more. 'Cause remember also, it was the end of the '80s, beginning of the '90s. So also, that just looked fabulous. I bet it did.
So, but we had to share our tips with the bartenders.
And I would tell you, at the end of the night, when you were there counting up whatever tips you got, those bartenders were eagle-eyed, looking over you, doing the math in their heads, making sure that you weren't shorting them.
So, but we had to share our tips with the bartenders.
And I would tell you, at the end of the night, when you were there counting up whatever tips you got, those bartenders were eagle-eyed, looking over you, doing the math in their heads, making sure that you weren't shorting them.
So basically, he's doing the same kind of thing. But from a bank.
Allegedly, yes.
Right.
And so he's been charged more than 30 counts of financial institution fraud, theft, embezzlement, money laundering, other charges as well. All kinds of naughtiness.
Now you might be wondering, well, where's the computer angle in all this? Where does that, you know, because it's a bit of an old-fashioned fraud, this, right?
He would take the money, he would pop off down the road, and he would pay in lots and lots of money on a regular basis in an ATM to another bank where he had a bank account.
That's where he was siphoning off all this money which he was stealing. But where things began to go wrong for him was because he was a bit of a social media slut, right?
Oh, Graham started posting.
Now you might be wondering, well, where's the computer angle in all this? Where does that, you know, because it's a bit of an old-fashioned fraud, this, right?
He would take the money, he would pop off down the road, and he would pay in lots and lots of money on a regular basis in an ATM to another bank where he had a bank account.
That's where he was siphoning off all this money which he was stealing. But where things began to go wrong for him was because he was a bit of a social media slut, right?
Oh, Graham started posting.
Hmm, I'm just thinking you might know what that's like.
Season of cheer and goodwill.
What do you—
Carole, can we just for one episode—
Very active in the social sphere, would you not say? That's true.
And if someone was very sexually active with lots of different people on different networks, you might say they were a bit slutty. So it fits.
And if someone was very sexually active with lots of different people on different networks, you might say they were a bit slutty. So it fits.
He started posting photos on Facebook, on Instagram, many of which appeared to show him waving around large wads of cash and smoking something which I believe the young children call a doobie.
Ganja. Great. Okay.
A Narnia wand.
A Mary Jane pipe.
A twigarette. A Handsworth firework. A hedge monkey. A puff puff pass. A rasta blaster.
Oh, is this where you put all your work into your story?
Is that where it was? A jazz cigarette.
A jazz cigarette's my favourite. I love that.
Right? A jazz cigarette.
So he was posting all these, but keep up the sort of Shizzle My Nizzle, Puff Daddy, Straight Outta Compton look, he was also fancying himself as something of a rap star, going by the nickname AC Fawazy.
So he was posting all these, but keep up the sort of Shizzle My Nizzle, Puff Daddy, Straight Outta Compton look, he was also fancying himself as something of a rap star, going by the nickname AC Fawazy.
Easy to type.
Yeah, it rolls off the tongue, doesn't it?
Yeah.
And so he was actually not only posting up pictures of his glamorous lifestyle as a bank teller in reality, but also pictures of himself in front of the white Mercedes, which he'd bought and his great big wads of cash.
He even posted a rap video, which I've linked to in the show notes, and we can check that right now.
He even posted a rap video, which I've linked to in the show notes, and we can check that right now.
No, no, that's not—
Of him with an AK-47 sitting on his sofa.
Okay, so he's knitting with one needle.
Well, what he's done is he's made a tremendous goof, of course, because this—surprise, surprise—raised suspicions amongst his colleagues and amongst the bank.
And when they were trying to work out who might have been grabbing all this money and they went through the list of employees on Facebook and Instagram, there was this chap in front of these luxury cars pimping himself as some kind of rap star.
Literally with the money in his hands. And some of his buddies up on the social media was just— they were posting comments, and who carries that much money around with them?
And when they were trying to work out who might have been grabbing all this money and they went through the list of employees on Facebook and Instagram, there was this chap in front of these luxury cars pimping himself as some kind of rap star.
Literally with the money in his hands. And some of his buddies up on the social media was just— they were posting comments, and who carries that much money around with them?
Haven't you heard of a bank?
One of his friends responded. Well, ironically enough, yes, he had several. Yes. And as a consequence, of course, he could now well end up with a criminal record.
Potentially, he could be jailed for up to 25 years if found guilty. The authorities are now investigating smashing security in this.
But once again, we find ourselves in this position of really as a sort of a service, I think, for the general public of criminals out there.
We need to tell them, look, if you're going to rob a bank, and in particular if you're going to rob the bank where you actually work, it's probably best not to brag about it and post photographs of the evidence up on Instagram and make rap videos about it as well, because something bad's going to happen.
Can I tell you a secret?
Potentially, he could be jailed for up to 25 years if found guilty. The authorities are now investigating smashing security in this.
But once again, we find ourselves in this position of really as a sort of a service, I think, for the general public of criminals out there.
We need to tell them, look, if you're going to rob a bank, and in particular if you're going to rob the bank where you actually work, it's probably best not to brag about it and post photographs of the evidence up on Instagram and make rap videos about it as well, because something bad's going to happen.
Can I tell you a secret?
The money actually doesn't make people happy. It's other people being jealous of them that makes them happy. So that's why they do it. Say what? Right.
It's not that drink the Cristal is to show all your friends you're supping back the Cristal. Who's this friend of yours named Cristal?
It's not that drink the Cristal is to show all your friends you're supping back the Cristal. Who's this friend of yours named Cristal?
It's a fancy champagne.
Dave, what's your story for us this week?
Well, I want to take us on a little trip. I want to start off by going back to the heady days of the early 1980s. Okay, I'm there. Oh, yes. They were the best.
Ronald Reagan is president. Drugs are bad. Drugs are bad. Yeah. And a middle-aged man named Bill Bittner decides he wants to buy a car. That man would be my father. Aw.
Ronald Reagan is president. Drugs are bad. Drugs are bad. Yeah. And a middle-aged man named Bill Bittner decides he wants to buy a car. That man would be my father. Aw.
Aw.
He has a little bit of money in his pocket. He's a hard worker. And he's driving along and he sees on a roadside used car lot a beautiful Cadillac Seville.
And he's thinking, how can I possibly afford that? You know, I've spent all my money sending my son to college and he's ended up a singing waiter in some restaurants.
What a waste of money.
What a waste of money.
Yeah, well, true. All true. So here's the crazy part about this story. So I put a picture of the car in our show notes so you can both see this land yacht of a vehicle, right?
This is everything bad about 1980s Detroit automotive manufacturing in one beautiful two-toned package.
This is everything bad about 1980s Detroit automotive manufacturing in one beautiful two-toned package.
Hey, my boyfriend had one of those when I was a kid, when I was 16, 17, my first boyfriend. We borrowed Dad's car. Yeah, awesome. Yeah.
You used to date Dave Bittner?
So here goes my father fishtailing into this used car lot running up to the man in his white loafers and his wide tie and saying, "Let's make a deal." And they do.
My father comes home with this car, the apple of his eye, the object of his desire.
My father comes home with this car, the apple of his eye, the object of his desire.
Oh, you were placed? I hear a bit of, you know, "Dad abandoned me for the car" feeling.
I'm fine, Carole. I'm fine. So time passes. And as most of these cars did, this car goes horribly wrong.
The transmission fails, there's trouble with the engine, and he takes it into the service place and he says, "Please fix the car." And they look at it and they give it a once-over and they come back to him and they say, "Sir, we've looked at this car and the things that have gone wrong with this car do not align with the number of miles on the odometer of this car." This car claims to have around 40,000 miles on it, and the things that are going wrong, the amount of wear that we see inside the engine bay, this car probably has 80,000 or so miles on it.
The transmission fails, there's trouble with the engine, and he takes it into the service place and he says, "Please fix the car." And they look at it and they give it a once-over and they come back to him and they say, "Sir, we've looked at this car and the things that have gone wrong with this car do not align with the number of miles on the odometer of this car." This car claims to have around 40,000 miles on it, and the things that are going wrong, the amount of wear that we see inside the engine bay, this car probably has 80,000 or so miles on it.
Oh, so he had been duped.
Someone had done— He had been duped.
Now, was he furious? Well, he kind of—
He's not a confrontational kind of person, so he did not go back to the roadside used car lot, which at this point was probably gone. Right?
This is a fly-by-night kind of place, clearly. So, you will recall back in the pre-digital days, this was a mechanical affair.
There was a cable that went from inside the engine compartment to a physical device on the dashboard that was the odometer. This is the thing that— Yes.
The digits roll over, and that shows how many miles there are on the car. And people back then would have to, they'd call it cracking open the odometer, to roll it back.
And this, of course, is a crime.
You're not allowed to do that because if you alter the mileage on the car, that could change the value of the car, which is exactly what happened to my poor sweet father.
So time passes.
Just a couple weeks ago, I was watching one of my favorite YouTube channels, which is called BigClive.com, and Clive takes apart electronic devices A very charming fellow.
And he had a device that someone had sent in to him, and this is basically an electronic man-in-the-middle attack.
It's a little device that goes on a modern vehicle's CAN bus, and the CAN bus is the controller area network.
That's the electronic communications bus that runs all over your car that communicates with all the different devices that need to talk to each other.
So what this device does is it takes the readings from the ECU, which I think is the electronic control unit. It's "wah wah wah wah" for me.
This is a fly-by-night kind of place, clearly. So, you will recall back in the pre-digital days, this was a mechanical affair.
There was a cable that went from inside the engine compartment to a physical device on the dashboard that was the odometer. This is the thing that— Yes.
The digits roll over, and that shows how many miles there are on the car. And people back then would have to, they'd call it cracking open the odometer, to roll it back.
And this, of course, is a crime.
You're not allowed to do that because if you alter the mileage on the car, that could change the value of the car, which is exactly what happened to my poor sweet father.
So time passes.
Just a couple weeks ago, I was watching one of my favorite YouTube channels, which is called BigClive.com, and Clive takes apart electronic devices A very charming fellow.
And he had a device that someone had sent in to him, and this is basically an electronic man-in-the-middle attack.
It's a little device that goes on a modern vehicle's CAN bus, and the CAN bus is the controller area network.
That's the electronic communications bus that runs all over your car that communicates with all the different devices that need to talk to each other.
So what this device does is it takes the readings from the ECU, which I think is the electronic control unit. It's "wah wah wah wah" for me.
Carry on.
I'm just going to pay attention.
You get all this, Carole, I appreciate it.
Yeah, yeah, I love cars. So it's the computer in the car that's keeping track of how many miles are on the car.
Now in modern cars, there can be multiple places where the mileage is stored, and this is to keep people from modifying the mileage, doing essentially an electronic rollback.
This value is stored in multiple places, and the ECU checks to make sure that they're all in agreement.
However, however, and here's where it gets good, however, the display on the dashboard is being sent a signal over the CAN bus from the ECU.
The ECU says, hey, display on the dashboard, this is how much mileage this car has. Display says, got it, this is what I'm going to show. Yes, there's a massaging.
Now in modern cars, there can be multiple places where the mileage is stored, and this is to keep people from modifying the mileage, doing essentially an electronic rollback.
This value is stored in multiple places, and the ECU checks to make sure that they're all in agreement.
However, however, and here's where it gets good, however, the display on the dashboard is being sent a signal over the CAN bus from the ECU.
The ECU says, hey, display on the dashboard, this is how much mileage this car has. Display says, got it, this is what I'm going to show. Yes, there's a massaging.
There's a massage in the middle.
Yeah, if you're lucky. Now, this device would intercept the signal from the ECU that said, hey, display, this is how much mileage to display.
It would answer back and say, yeah, got it.
And then in the meantime, it would alter that value lower it by, let's say, 40,000 miles and send that value to the display on the dashboard. Right.
So the car always knew the correct amount of mileage, but you, the driver, wouldn't. The brains of the car thinks that there's nothing going wrong.
It's communicating with the display and they're all talking to each other, and as far as it's concerned, everything's fine.
But this man-in-the-middle attack is intercepting that message altering it, sending it to the display.
So if now you go to, let's say, sell your car or get your car appraised for sale or something like that, the person looks at the display and it's much lower than it should be.
Sorry, I triggered— that was Siri. That was me.
So the display is now showing something that is inaccurate, but as far as the car is concerned, it doesn't know that there's anything wrong.
So on this video from BigClive.com, he basically reverse engineers this device. And what's interesting, it's not terribly complicated. You can buy these online for under $20.
And it's not that hard to install.
It would answer back and say, yeah, got it.
And then in the meantime, it would alter that value lower it by, let's say, 40,000 miles and send that value to the display on the dashboard. Right.
So the car always knew the correct amount of mileage, but you, the driver, wouldn't. The brains of the car thinks that there's nothing going wrong.
It's communicating with the display and they're all talking to each other, and as far as it's concerned, everything's fine.
But this man-in-the-middle attack is intercepting that message altering it, sending it to the display.
So if now you go to, let's say, sell your car or get your car appraised for sale or something like that, the person looks at the display and it's much lower than it should be.
Sorry, I triggered— that was Siri. That was me.
So the display is now showing something that is inaccurate, but as far as the car is concerned, it doesn't know that there's anything wrong.
So on this video from BigClive.com, he basically reverse engineers this device. And what's interesting, it's not terribly complicated. You can buy these online for under $20.
And it's not that hard to install.
Really?
Really. So this, I guess what surprised me about this was that I would have thought that there would be some sort of security over the CAN bus.
At this point in time, there'd be some sort of security on the CAN bus. And evidently, there isn't.
The CAN bus sort of trusts that anything coming from inside the car is trustworthy.
At this point in time, there'd be some sort of security on the CAN bus. And evidently, there isn't.
The CAN bus sort of trusts that anything coming from inside the car is trustworthy.
And is this on all cars?
I would say most modern cars, certainly. Yeah, I think CAN bus technology goes back certainly to the '90s.
So anything you're going to have in the last 10 years, the systems are all going to be running, they're going to be slinging data around on a CAN bus for sure.
There are some things that have a higher level of security, like the anti-lock brake actuators, things like that. But overall— Oh, that's nice. At least a few. Yeah, yeah.
But the amount of security built into the CAN bus protocol is quite limited.
I think this is an area where they didn't think they'd have a problem, so maybe they need to take another look at it. Anyway, do check out the video.
It's interesting reverse engineering of this thing, and I thought it was quite fascinating.
So anything you're going to have in the last 10 years, the systems are all going to be running, they're going to be slinging data around on a CAN bus for sure.
There are some things that have a higher level of security, like the anti-lock brake actuators, things like that. But overall— Oh, that's nice. At least a few. Yeah, yeah.
But the amount of security built into the CAN bus protocol is quite limited.
I think this is an area where they didn't think they'd have a problem, so maybe they need to take another look at it. Anyway, do check out the video.
It's interesting reverse engineering of this thing, and I thought it was quite fascinating.
I know, I'm just really, cars and I don't really get each other at all. When people start talking cars, I kind of just turn into a weird zombie. I start, you know, just go, uh.
So I'm so sorry.
So I'm so sorry.
Hello, Graham?
Have we lost him? Dave, I think we've lost Graham.
And you mean actually lost him, not just intellectually?
Well, I don't think we ever had him intellectually, really. Let's be honest. I think he's dropped off the call, and I suggest you and I just carry on without him.
Shall we just see what happens?
Shall we just see what happens?
I know, dirty. It's the moment I've been waiting for. Yeah, fuck you, Cluley.
Okay.
You know, Carole, I've never really had the opportunity to tell you how I really feel about you. And now, at last, with Graham out of the way. Tell me after the show.
First. Very good. Very good.
You invite me in to do my story.
Say, and Carole, what do you have? Oh, and Carole, what do you have for us this week?
Well, thank you so much, Dave. Now, have you been frantically shopping this Christmas season?
By frantically shopping, I think you could say that I've been spending a lot of time in the Amazon app on my phone, but yes.
Yeah, look, thinking about gifts for people, thinking what you want to gift yourself, all that stuff.
Yeah, 'tis the season.
It is the season, baby. Now, what proportion of your Christmas purchases do you think are smart, or would you say have the IoT or Wi-Fi enabled or internet enabled toys?
Well, I mean, for the kids, yeah, for the kids, lots of things, because if it's not connected, they don't want it these days.
Hey, I'm going to do Graham. Yeah, same here. Yeah, exactly the same. My kid would be like, that's dead to me if I can't use internet.
Okay, but seriously, I don't think it surprises me at all. I mean, there is a veritable glut of smart shit out there being marketed to kids and adults, right? With money to burn.
Phones and tablets and smart TVs and speakers and smart irons. I'm sure that exists somewhere. It must.
The question is, is it so smart of us to buy all this stuff without really thinking about whether it's safe or not? In fact, I'm sure lots of us think about it.
It's a whisper in our brain, is this gonna be safe? Yeah, probably.
Okay, but seriously, I don't think it surprises me at all. I mean, there is a veritable glut of smart shit out there being marketed to kids and adults, right? With money to burn.
Phones and tablets and smart TVs and speakers and smart irons. I'm sure that exists somewhere. It must.
The question is, is it so smart of us to buy all this stuff without really thinking about whether it's safe or not? In fact, I'm sure lots of us think about it.
It's a whisper in our brain, is this gonna be safe? Yeah, probably.
I think that's fair for most people.
I think maybe we probably give it a nanosecond more time than most people just because of the horrible things that we know, but then we just go on with our lives and do it anyway.
I think maybe we probably give it a nanosecond more time than most people just because of the horrible things that we know, but then we just go on with our lives and do it anyway.
Do you have a home assistant at home? A home speaker thingy?
I do not, but we have Siri is everywhere in our house because we're very Apple-centric.
So we rely on her to do things turn the lights on and off and tell us when doors are open and so on and so forth.
So we rely on her to do things turn the lights on and off and tell us when doors are open and so on and so forth.
Graham here would probably make some quip, yeah, she even comes uninvited, when you're recording a podcast. But you know, it is Christmas, right?
And I know that even if people are worried and thinking, I probably need to look into this, but I don't have time, they're just going to buy the smart tech anyway.
So what I'm thinking is maybe you and I can share because Graham's not here because he couldn't be bothered to join us on this call.
We can share some advice on what people should look out for before they walk away with a cyber time bomb that's just waiting to mess up.
And I know that even if people are worried and thinking, I probably need to look into this, but I don't have time, they're just going to buy the smart tech anyway.
So what I'm thinking is maybe you and I can share because Graham's not here because he couldn't be bothered to join us on this call.
We can share some advice on what people should look out for before they walk away with a cyber time bomb that's just waiting to mess up.
I love this idea. Let's do it together.
Well, yay. There are lots of toy firms that are primarily toy firms, which means they make toys, right?
They're not necessarily au fait with making the technology or cybersecurity, right? That's not their wheelhouse. Right.
They're not necessarily au fait with making the technology or cybersecurity, right? That's not their wheelhouse. Right.
You don't know who they jobbed out the programming to.
Exactly, exactly. UK consumer watchdog Which found that even Mattel smart toys were among those dinged because they were found to have security flaws.
And this is this year, they've just put out this report. So there's this toy, this physical toy that Mattel makes called Bloxels, okay?
And it's basically a toy that allows you to build your own video game.
And there's an app associated with it, and there's also this web portal for consumers, like an education consumer web portal that was created, like you said, by a third party.
And one of the things that these guys found was that there was no moderation.
So kids could create games, put loads of inappropriate content such as swearing, which is what they tried, but you can, you know, to your heart's content, and then would put the game up there for other kids to play with.
The other problem was that accounts could be created with very weak passwords, right?
So that totally can destroy your entire security posture if you've got passwords that can be 4 characters long.
So basically, reputable, trusted toy makers have to really, really think hard about who they partner with to IoT-ize their toys, because faults on the connectivity side can lead to big headaches for your brand.
Yeah, and as buyers, we've got to be careful about what IoT machines we allow in our homes because we're giving this to the people that we basically love most of all to play with.
Rule number 2. Rule number 2. How smart is it, right? So what technology is it making use of or is enabled by default? So is there a Bluetooth connection? Is there a Wi-Fi connection?
Does it have a mobile app that's associated?
Are all these components necessary for the device or for the service you're trying to use, or can some elements be turned off or disabled?
If you think, for example, a mobile app, there may be settings that automatically turn on during the default installation, and I'd recommend you go look at those access rights, right?
Do you need to have a microphone as part of this thing? Does the microphone need to be turned on? What about the photo album?
Do you want them to have access to the photo album, to your contact list? And before you say, "Yeah, no problem," as soon as you click yes, they just hoover all that data up, right?
Every time afterwards, they just collect the changes. So think really hard before you say yes to those things.
And this is this year, they've just put out this report. So there's this toy, this physical toy that Mattel makes called Bloxels, okay?
And it's basically a toy that allows you to build your own video game.
And there's an app associated with it, and there's also this web portal for consumers, like an education consumer web portal that was created, like you said, by a third party.
And one of the things that these guys found was that there was no moderation.
So kids could create games, put loads of inappropriate content such as swearing, which is what they tried, but you can, you know, to your heart's content, and then would put the game up there for other kids to play with.
The other problem was that accounts could be created with very weak passwords, right?
So that totally can destroy your entire security posture if you've got passwords that can be 4 characters long.
So basically, reputable, trusted toy makers have to really, really think hard about who they partner with to IoT-ize their toys, because faults on the connectivity side can lead to big headaches for your brand.
Yeah, and as buyers, we've got to be careful about what IoT machines we allow in our homes because we're giving this to the people that we basically love most of all to play with.
Rule number 2. Rule number 2. How smart is it, right? So what technology is it making use of or is enabled by default? So is there a Bluetooth connection? Is there a Wi-Fi connection?
Does it have a mobile app that's associated?
Are all these components necessary for the device or for the service you're trying to use, or can some elements be turned off or disabled?
If you think, for example, a mobile app, there may be settings that automatically turn on during the default installation, and I'd recommend you go look at those access rights, right?
Do you need to have a microphone as part of this thing? Does the microphone need to be turned on? What about the photo album?
Do you want them to have access to the photo album, to your contact list? And before you say, "Yeah, no problem," as soon as you click yes, they just hoover all that data up, right?
Every time afterwards, they just collect the changes. So think really hard before you say yes to those things.
Well, but also, I think in the heat of the moment on Christmas morning when the wrapping paper is being flung hither and yon, that kid who's just trying to get that thing working, they're just going to click through yes, yes, yes, yes, take it all in order to start playing.
So maybe, inserting yourself in that process to slow it down and say, okay, does your new Transformers Optimus Prime really need to be able to download the entire family's contacts list?
So maybe, inserting yourself in that process to slow it down and say, okay, does your new Transformers Optimus Prime really need to be able to download the entire family's contacts list?
Or couldn't you— okay, wouldn't a bright parent open it up really carefully the night before, get it all set up and battery operated and get everything charged, set all the devices to be perfectly safe, and then put it back in the packaging?
That's what you should do, right?
That's what you should do, right?
Yeah, yeah, sorry kids, we gotta send these toys out to IT for provisioning.
No, you do it before they get it, when you're in your bedroom at 2 o'clock in the morning. Yeah, exactly.
Right, so this is where we are now. Instead of putting together a bicycle the night before, you're putting in Wi-Fi passwords.
Exactly. Okay, rule number 3: find out about the security settings on the particular device you're looking to purchase, right?
For me, the most important would probably be, can it get updates? Like, is it even physically possible for it to get some software updates? And how would that work?
What do I have to do to make sure that happens? Is it on by default? Is it not? Whatever. And then does it have any user authentication, right?
Like when I plug it in and give it my Wi-Fi, does it say to me, who are you?
And what secret word or secret handshake can we use to make sure I know it's you other than just your name?
For me, the most important would probably be, can it get updates? Like, is it even physically possible for it to get some software updates? And how would that work?
What do I have to do to make sure that happens? Is it on by default? Is it not? Whatever. And then does it have any user authentication, right?
Like when I plug it in and give it my Wi-Fi, does it say to me, who are you?
And what secret word or secret handshake can we use to make sure I know it's you other than just your name?
Lots of devices don't have any of that, right? And they don't require you to change the default password.
Yeah, or in some cases you can't even change it. Now if you can change it, how long and complex password can you do?
Because as we talked about, if it's only limited to 4-character PIN code, right? So those are the big ones I think of. Two more, two more, and we're done.
But you can interrupt anytime, I don't mind. Okay, this is the big one and the hard one, but what information is being collected from your kid, right?
Or what is being shared with third parties? So we live in a bit of a tech wild west.
I know I keep saying that, but even tech daddy Google, you know, the ones that are basically paving the way for everyone else and setting the ethical standards for how we should use computing, was fined $170 million squidoodles to settle with an FTC accusation that they were violating children's privacy on YouTube.
You get well-respected companies like LeapFrog, this was just in the summer, which had serious vulnerabilities in their LeapPad Ultimate tablets that could allow a hacker to track the location of a child and then talk to them through the device's built-in chat called Pet Chat.
Because as we talked about, if it's only limited to 4-character PIN code, right? So those are the big ones I think of. Two more, two more, and we're done.
But you can interrupt anytime, I don't mind. Okay, this is the big one and the hard one, but what information is being collected from your kid, right?
Or what is being shared with third parties? So we live in a bit of a tech wild west.
I know I keep saying that, but even tech daddy Google, you know, the ones that are basically paving the way for everyone else and setting the ethical standards for how we should use computing, was fined $170 million squidoodles to settle with an FTC accusation that they were violating children's privacy on YouTube.
You get well-respected companies like LeapFrog, this was just in the summer, which had serious vulnerabilities in their LeapPad Ultimate tablets that could allow a hacker to track the location of a child and then talk to them through the device's built-in chat called Pet Chat.
Well, you know, I was recently chatting over on the CyberWire with Emily Wilson.
She's a fraud expert at a company called Terbium Labs, and she was making the point that when it comes to kids, parents might want to consider coming up with sort of false aliases for their children to use to log on to these things because that way you can try to delay or head off this aggregate data collection that's happening with all of us, where these people like Google and Facebook are collecting these dossiers about all of us.
If you can delay that for your child, that might be a good thing to consider.
So when you're putting in your child's name and those sorts of things, maybe you could even make it a fun thing with the child to come up with some sort of fun name that's not their own.
I'm being a bit doom and gloom here, right?
She's a fraud expert at a company called Terbium Labs, and she was making the point that when it comes to kids, parents might want to consider coming up with sort of false aliases for their children to use to log on to these things because that way you can try to delay or head off this aggregate data collection that's happening with all of us, where these people like Google and Facebook are collecting these dossiers about all of us.
If you can delay that for your child, that might be a good thing to consider.
So when you're putting in your child's name and those sorts of things, maybe you could even make it a fun thing with the child to come up with some sort of fun name that's not their own.
I'm being a bit doom and gloom here, right?
Okay, so you change the name, right? And you build a profile, you and your kid build a profile.
But it's the other information that annoys me, all the secret information they're hoovering up from your location, for example.
So say it's a tablet that your kid takes around with them whenever they go, and you've allowed an app on there that's allowed to hoover up all your navigation information, information that is taken from that thing.
And that's not something you would think about unless you read the T's and C's.
And you don't have to read all the T's and C's, if you were just to do one bit, right, you just go read the privacy notices.
Because what you're looking for is what information are you taking from me, how is that information stored and used, and who else will have access to this, if anybody.
Those are in my view, the biggest questions.
But it's the other information that annoys me, all the secret information they're hoovering up from your location, for example.
So say it's a tablet that your kid takes around with them whenever they go, and you've allowed an app on there that's allowed to hoover up all your navigation information, information that is taken from that thing.
And that's not something you would think about unless you read the T's and C's.
And you don't have to read all the T's and C's, if you were just to do one bit, right, you just go read the privacy notices.
Because what you're looking for is what information are you taking from me, how is that information stored and used, and who else will have access to this, if anybody.
Those are in my view, the biggest questions.
Well, and do you have the fortitude to say to your child, no, you're not going to have this year's hot toy because it's not safe, it's not private, it's not secure?
Are you willing to take that heat? Are you willing to live through that tantrum?
Are you willing to take that heat? Are you willing to live through that tantrum?
So I thought you might say something like this, Dave. So I thought my rule number five is to go old school, right?
So as you have kids, I'm gonna give you my old school examples, right, for old school cool suggestions.
And I want you to tell me whether you think it'll work with your kids, okay, or kids you know. All right, option number one. Yeah, mix cassette tapes.
Now you may not know, but I am on trend. They are seriously making a comeback.
So if you can find your teen some old blank tapes and a working boombox as long as the tape recording component works.
And then they have to try and make a mixtape from radio we did in the '80s, '80s style. Did you ever make these when you were a kid?
So as you have kids, I'm gonna give you my old school examples, right, for old school cool suggestions.
And I want you to tell me whether you think it'll work with your kids, okay, or kids you know. All right, option number one. Yeah, mix cassette tapes.
Now you may not know, but I am on trend. They are seriously making a comeback.
So if you can find your teen some old blank tapes and a working boombox as long as the tape recording component works.
And then they have to try and make a mixtape from radio we did in the '80s, '80s style. Did you ever make these when you were a kid?
Oh, did I ever make these when I was a kid. I was a master of the pause button.
Yeah, what about you, Graham? No, I never did that. Never knew anything about it. No surprise there. Anyway, Dave, you were saying?
Yeah, I mean, that's what we lived for.
There was no internet back then, so we were making mixtapes and passing them around, and you just sit by the radio, just— well, you're waiting for your favorite song to come on because you couldn't afford to go buy it at the record store.
So you— yeah, absolutely. Oh yeah, yeah.
There was no internet back then, so we were making mixtapes and passing them around, and you just sit by the radio, just— well, you're waiting for your favorite song to come on because you couldn't afford to go buy it at the record store.
So you— yeah, absolutely. Oh yeah, yeah.
And that's coming back. Casey Kasem was the first one.
He— yeah. Oh yeah, yeah. On Sundays. Yep. Now it's time for our long-distance dedication. You are—
You could, you could replace his voice.
Yeah, I've got a pretty good Casey Kasem, I have to admit. But yeah, spent lots of hours listening to him. Yeah, you could add a zero to your CyberWire paycheck.
Just pull out the Casey Kasem. Yeah. Yeah. So mixed cassette tapes. That's quite cool, right?
Okay, I can go with that.
I'm on board. Would any of your kids go for it?
I think so. My oldest probably would. Yeah.
I think Graham's joined us again. Oh, hello.
Well, Carole, I disagree. I don't actually think that Graham is a child predator, no matter what you say. So, and I think, I think we shouldn't kick him off the show.
But what's been going on? What? Oh, Graham, welcome back! We were just talking about you. Hey, I've taken over.
But what's been going on? What? Oh, Graham, welcome back! We were just talking about you. Hey, I've taken over.
Yeah, you know what, just, you know what, someone who leaves an auditorium, right, to go have a poop, they come back quietly, right? They don't call attention to themselves.
Yes, I'm just almost—
Yes, I'm just almost—
I'm wrapping up my section.
Thanks so much for being present.
Yeah, he needed to gather himself.
I didn't do a poop. It's a Huawei router. Blame Huawei. Thankfully, his username and password was admin.
He's an international traveler. We can't expect all of his time.
Carry on. Thank you. I'll try and catch up.
So the other thing that they could get, if they were into chess, for instance, right? Maybe a chess-styled salt and pepper shaker. Hello.
Which a Twitter user actually suggested to me that I buy for Graham. But as he couldn't even be bothered to listen to my story. No, I could be bothered.
Which a Twitter user actually suggested to me that I buy for Graham. But as he couldn't even be bothered to listen to my story. No, I could be bothered.
I was. Okay, so I think that would be a lovely gift for Graham.
But I think if you were to give a child a salt and pepper shaker shaped— I mean, that's, that's you're gonna lose your cool aunt, street cred. Yeah, I will very quickly. Yeah.
What about experiences though?
But I think if you were to give a child a salt and pepper shaker shaped— I mean, that's, that's you're gonna lose your cool aunt, street cred. Yeah, I will very quickly. Yeah.
What about experiences though?
Would you ever think about getting that for your kids?
If they were into food, you get them a cooking class, or if they're into eating, you book them a table somewhere and chef it up a bit? Absolutely. I that kind of stuff.
If they were into food, you get them a cooking class, or if they're into eating, you book them a table somewhere and chef it up a bit? Absolutely. I that kind of stuff.
Yep, yep. Experiences are better than stuff.
I had an experience last night. I was out for dinner and talking of salt and pepper, they had a salt and pepper thing and it had crickets inside it.
And when you scrunched it up, little bits of crickets went everywhere.
And when you scrunched it up, little bits of crickets went everywhere.
Where are you eating? Well, thanks for sharing that, Graham.
And the next day this place was shut down.
You're talking about salt and pepper. Yeah, no, thanks. Thanks so much. Maybe there's a friend's house. Yeah, yeah, no, no, it's good. Pick of the Week, anyone?
If Graham hadn't come back, we wouldn't— we would have missed that story. Yeah, can you imagine?
I'm gonna get more mulled wine. Guys, it's holiday season, and there are two things I know to be true during holiday season.
One, you're probably gonna get a new device that needs to be connected to the internet either at home or in the office.
And two, if you don't use a reputable password manager, you're very likely to forget your passwords when you get back to work. So why not check out LastPass?
LastPass makes password security effortless. It's good for employees, it's good for the home. With single sign-on, you can access all your accounts.
Do yourself a favor this holiday season and check out LastPass at smashingsecurity.com/lastpass.
One, you're probably gonna get a new device that needs to be connected to the internet either at home or in the office.
And two, if you don't use a reputable password manager, you're very likely to forget your passwords when you get back to work. So why not check out LastPass?
LastPass makes password security effortless. It's good for employees, it's good for the home. With single sign-on, you can access all your accounts.
Do yourself a favor this holiday season and check out LastPass at smashingsecurity.com/lastpass.
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Definitely shouldn't be. It's the last episode of the year. Great.
For an awful moment there, I thought you had both fallen off the line and I was talking to myself.
Oh, imagine how you'd cope then. We'd be just fine. Great.
As our listeners know, well, yippee-ki-yay, Melon Farmer, because my Pick of the Week is related to a movie. Can you guess which one? Yes, Die Hard.
Maybe one of the ultimate Christmas movies of all time.
Maybe one of the ultimate Christmas movies of all time.
And it's not actually— Is your Pick of the Week Die Hard?
No, my Pick of the Week isn't Die Hard. My Pick of the Week is related to Die Hard, however, because regular listener Harry, who often tweets us on the Twittersphere. He's out there.
Hello, Harry.
Harry said to me, he said, he's Irish, by the way, he said, "Oh, Graham Begorra, you should make your pick of the week this thing on Netflix which I've seen." And he pointed me towards a Netflix series called The Movies That Made Us, which takes you behind the scenes of fabulous movies like, I don't know, Home Alone and Die Hard and others I can't remember at the moment.
It tells you the stories of the movies, and it's fairly light and frothy, but at the same time quite fun.
And so I thought, as it's Christmas and as I like Alan Rickman, I should watch the episode about Die Hard. And I found out facts I didn't know.
For instance, Die Hard— did you know Die Hard was originally written under a different name way back in the 1960s, and it was a sequel to Detective Oh, for goodness' sake, I haven't got that written down.
It's something like No One Lives Forever. It was something like No One Lives Forever or something like that.
Anyway, it was the sequel to another book which was turned into a Frank Sinatra movie.
So Die Hard is actually a sequel, and Frank Sinatra owned the rights to the sequel to the movie which is in— so the sequel which became Die Hard, right?
And so when they eventually got around to making this movie in the 1980s, they were contractually obliged to give Frank Sinatra first refusal on starring in the movie.
Hello, Harry.
Harry said to me, he said, he's Irish, by the way, he said, "Oh, Graham Begorra, you should make your pick of the week this thing on Netflix which I've seen." And he pointed me towards a Netflix series called The Movies That Made Us, which takes you behind the scenes of fabulous movies like, I don't know, Home Alone and Die Hard and others I can't remember at the moment.
It tells you the stories of the movies, and it's fairly light and frothy, but at the same time quite fun.
And so I thought, as it's Christmas and as I like Alan Rickman, I should watch the episode about Die Hard. And I found out facts I didn't know.
For instance, Die Hard— did you know Die Hard was originally written under a different name way back in the 1960s, and it was a sequel to Detective Oh, for goodness' sake, I haven't got that written down.
It's something like No One Lives Forever. It was something like No One Lives Forever or something like that.
Anyway, it was the sequel to another book which was turned into a Frank Sinatra movie.
So Die Hard is actually a sequel, and Frank Sinatra owned the rights to the sequel to the movie which is in— so the sequel which became Die Hard, right?
And so when they eventually got around to making this movie in the 1980s, they were contractually obliged to give Frank Sinatra first refusal on starring in the movie.
So he was still alive then? Yes. It wasn't a Weekend at Bernie's scenario? No, no.
I think if you're dead, Carole, they don't have to offer you the job, right?
Yeah. Kill me.
You got Tony Bennett wheeling him around. What do you say we drop this guy off the side of the building? What do you say, Frankie baby? Doesn't like to talk so much anymore.
I love Weekend at Bernie's.
I love Weekend at Bernie's.
It's a way better film. My husband and I argue about all the time. He's always Die Hard. Hey, I got him Shark Attack 3. Have you seen Shark Attack 3, Dave?
I have not seen any of the Shark Attack movies. I don't need to watch them.
Only Shark Attack 3. That's the only one that's good, and you just need to watch it for one line which comes about halfway through, and after that you'll love it.
It's from John Barryman. You'll know the line when he says it.
Yes, you don't need any— you just have to— everyone out there, this is my challenge to you.
Anyone who's adult, now I know what I'm doing with my winter break. It is—
Well an hour and a half of it, but it is a fantastic Bulgarian cinema at its finest. It is Bulgarian, isn't it?
Because there's a surprising number of Bulgarian actors in it, and you're thinking, why is this guy?
And he's obviously a friend of the producer or something who's in the movie, and somehow John Barryman as well. But yes, anyway, back to my pick of the week, Carole.
We'll come on to Shark Attack. Oh yeah, back to you, of course. So the series is called The Movies That Made Us, and it's quite entertaining.
And you find out all this stuff like Sinatra turned down the job, as did Burt Reynolds and Mel Gibson and Arnie and Sylvester Stallone.
And they were very worried about the movie because it had all these jokey bits.
But the biggest problem of all was, of course, Bruce Willis, who was considered this sort of jokey, arrogant, smug sort of Moonlighting character.
And he's obviously a friend of the producer or something who's in the movie, and somehow John Barryman as well. But yes, anyway, back to my pick of the week, Carole.
We'll come on to Shark Attack. Oh yeah, back to you, of course. So the series is called The Movies That Made Us, and it's quite entertaining.
And you find out all this stuff like Sinatra turned down the job, as did Burt Reynolds and Mel Gibson and Arnie and Sylvester Stallone.
And they were very worried about the movie because it had all these jokey bits.
But the biggest problem of all was, of course, Bruce Willis, who was considered this sort of jokey, arrogant, smug sort of Moonlighting character.
Sexy as all hell.
Do you think? Hmm. Yes.
Well, I don't know about now, but certainly during Moonlighting years and early Die Hards. Come on. Barefoot wearing a little tank top. Hello.
Right. Okay. Well, originally they actually hid his face from the posters because test audiences had just laughed at the idea of him being an action hero.
Well, who's laughing now? Right? Brucey.
I don't know if you've seen the latest Die Hard movie.
Not Sinatra. Well, still probably earning more than the podcast is anyway.
So that is thanks to Harry for listening to the show and suggesting to me that our listeners should watch The Movies That Made Us on Netflix.
And specifically, it wasn't just related, so I'm happy.
Yeah, there you go. That's all you can ask for these days, isn't it? That's it. Dave, what's your pick of the week?
My pick of the week is a podcast. It is called the Strong Songs Podcast. And this is a podcast in which the host Kirk Hamilton takes deep dives into pieces of music.
He is a musician and he knows his stuff. He knows music theory.
And he goes through a song and just deconstructs it, tells the audience what's going on inside that song, what's going on musically, what's going on lyrically.
What's going on with all the different instruments that are being played in the song, the structure of the song, and the way that he does it is so joyful.
He just loves everything about all of these songs that he talks about, and it's a contagious enthusiasm. He's done a variety of songs.
He's done everything from Think by Aretha Franklin. He did Like a Prayer by Madonna. He's done songs by—
He is a musician and he knows his stuff. He knows music theory.
And he goes through a song and just deconstructs it, tells the audience what's going on inside that song, what's going on musically, what's going on lyrically.
What's going on with all the different instruments that are being played in the song, the structure of the song, and the way that he does it is so joyful.
He just loves everything about all of these songs that he talks about, and it's a contagious enthusiasm. He's done a variety of songs.
He's done everything from Think by Aretha Franklin. He did Like a Prayer by Madonna. He's done songs by—
I Will Always Love You by Dolly Parton.
Barracuda by Heart. Yeah. He did Tiny Dancer and Goodbye Yellow Brick Road by Elton John.
Anything from KISS?
I don't think he's done anything by KISS yet, or Prince. He did Bohemian Rhapsody by Queen. He did Thriller by Michael Jackson. He did Single Ladies by Beyoncé.
Dave, I've just subscribed. You haven't got to say any more. It sounds absolutely fantastic.
It is. It is. My only wish is that there were more of them, which is the highest compliment I think I can give to a podcast. So do check it out.
I have a wish for you to do for them is get HTTPS on their website because that's pretty, you know, we are a security podcast.
I don't mean to bring security up in Pick of the Week, but come on, dude. You could just email him and say, dude, I'll show you how. I'll show you how I have friends.
I don't mean to bring security up in Pick of the Week, but come on, dude. You could just email him and say, dude, I'll show you how. I'll show you how I have friends.
Carole, he's on Lip Sync. He should be able to do that. Yeah, he should. Yeah, it doesn't work.
Yeah, it's only been a year old. He has no excuse. Come on.
No. Well, for goodness sake, man.
Yeah, but I will subscribe because the podcast doesn't, you know—
Yeah, you don't have to go to a podcast website to subscribe to it. Exactly. Yeah, I think that sounds absolutely—
But I did because I was listening to Dave and, you know, he's now put me at risk. Well, this—
Yeah, I'm here to serve. So I very much enjoy this podcast. And if you're a music fan, music geek like me, there's lots to enjoy here. So check it out. It is the Strong Songs Podcast.
I think we should just edit Dave saying, I very much enjoy this podcast.
Very perfect intro to the podcast, right? Into the show. Yes. Love this podcast. It's the best. It's the best. I'm right. All I want is more.
Right, right. I was thinking, as Dave was saying, you know, that the highest compliment he can pay is, I only wish there was more. Yeah, right, exactly.
If only we didn't have episode 159 of Smashing Security after how this has been.
If only we didn't have episode 159 of Smashing Security after how this has been.
Perfect, actually. We had a really nice time. We had no problems, Graham.
We had no issues. It was there in the middle.
Beautiful. So, Carole, your pick of the week. Well, my pick of the week. Now, I know last week I threw my toys out of the pram about pick of the week, and I'm sorry. Yes.
And as the holidays, and many of you will be hiding, no doubt, from the in-laws and the like, I thought I would give you something to distract you.
And this is Apple TV's show called Truth Be Told.
And the reason I've chosen it is because we, Smashing Security, will not be recording for a few weeks so we can recharge our batteries for 2020, because God knows Graham needs it.
But I thought I would check out a podcast-related series that would maybe tie you guys over until we return to the internet waves. So it's called Truth Be Told. Here's the premise.
So Poppy Parnell— okay, snappy name— this is played by Octavia Spencer. She's a true crime podcaster returning to the case of Warren Cave.
This is played by Aaron Paul of Breaking Bad fame. Warren was convicted 20 years ago of murdering his neighbor when he was only a teen.
Now Poppy, our star, has reason to believe that Warren might be innocent, but she's also got skin in the game because basically she got famous, you know, she wrote a series of stories that made her career, and she's concerned that her reporting led to his conviction.
So that's the story. So I thought, okay, that's kind of interesting, right? I can identify. I'm a podcaster. I like crime stuff. Great, right? But I don't know if I recommend it.
It's that kind of pick of the week, isn't it? 4 hours watching it. No, I spent 4 hours listening and I felt I would do a review, okay? Because it turned out—
And as the holidays, and many of you will be hiding, no doubt, from the in-laws and the like, I thought I would give you something to distract you.
And this is Apple TV's show called Truth Be Told.
And the reason I've chosen it is because we, Smashing Security, will not be recording for a few weeks so we can recharge our batteries for 2020, because God knows Graham needs it.
But I thought I would check out a podcast-related series that would maybe tie you guys over until we return to the internet waves. So it's called Truth Be Told. Here's the premise.
So Poppy Parnell— okay, snappy name— this is played by Octavia Spencer. She's a true crime podcaster returning to the case of Warren Cave.
This is played by Aaron Paul of Breaking Bad fame. Warren was convicted 20 years ago of murdering his neighbor when he was only a teen.
Now Poppy, our star, has reason to believe that Warren might be innocent, but she's also got skin in the game because basically she got famous, you know, she wrote a series of stories that made her career, and she's concerned that her reporting led to his conviction.
So that's the story. So I thought, okay, that's kind of interesting, right? I can identify. I'm a podcaster. I like crime stuff. Great, right? But I don't know if I recommend it.
It's that kind of pick of the week, isn't it? 4 hours watching it. No, I spent 4 hours listening and I felt I would do a review, okay? Because it turned out—
I see, it's all a little bit brothers and sisters, you know, for me to be—
What do you mean brothers and sisters? Is that like sons?
Oh, you know, navel-gazing and, am I good enough? Should I feel guilty? Do I love my dad enough?
There's a lot of that stuff going on, and there's all this Scandi Noir music, you know, deep and meaningful and hopeless and echoey.
You're constantly dealing with her feelings of guilt and her family's lack of support and her passion, you know. But I kept watching it, okay? And it's not even finished yet.
New episode comes out every Friday. I've watched about 4, and I think I like to scoff at it because she keeps missing the mark of what makes a great story in my opinion.
So if that grabs you as fun as a Christmas activity, check out Truth Be Told on Apple TV.
There's a lot of that stuff going on, and there's all this Scandi Noir music, you know, deep and meaningful and hopeless and echoey.
You're constantly dealing with her feelings of guilt and her family's lack of support and her passion, you know. But I kept watching it, okay? And it's not even finished yet.
New episode comes out every Friday. I've watched about 4, and I think I like to scoff at it because she keeps missing the mark of what makes a great story in my opinion.
So if that grabs you as fun as a Christmas activity, check out Truth Be Told on Apple TV.
Wow, thank you. Yeah, I'll get right on there. This is on the new Apple TV+ service. Yeah, I've joined.
Yeah, I'm part of the— I'm part of the fam. Oh yeah, right now so far I've only been, you know, been hanging around for about a week.
I've not really seen anything to make you click your heels. But, you know, watch this space.
I've not really seen anything to make you click your heels. But, you know, watch this space.
What's the big reason to get Apple TV Plus?
Because, you know, if, because we got a new device in our house that came with free, so we're checking it out. Oh, I see.
There's a free trial, is it?
Yeah, if you can. Yeah.
Oh, okay. Yeah, because I'm just thinking, you know, I've got so many of these things.
Yeah, we've been watching— I forget, I think it's called The Morning Show. Is that what it is? Jennifer Aniston. Is it good? Yes. Yes, I— my wife is into it.
She's several episodes in. I only watched the first one so far, and it was pretty good.
It was good enough that I would watch more of it, but I don't know that it'd ever actually be my pick of the week or anything.
She's several episodes in. I only watched the first one so far, and it was pretty good.
It was good enough that I would watch more of it, but I don't know that it'd ever actually be my pick of the week or anything.
But go fuck yourself, I've done 159 of these. And on that bombshell, Graham, I'm trying to give you your cues. Jeez. On that bombshell.
Time lag. I think we've just about wrapped it up. Dave, I'm sure lots of our listeners would love to hear more of your dulcet ASMR tones. Where could they do that?
And what's the best way for folks to follow you?
And what's the best way for folks to follow you?
So many opportunities, Graham. So many opportunities. I am, of course, the host of the Daily CyberWire podcast. I'm the co-host of the Hacking Humans Podcast.
I'm the co-host of the Caveat Podcast. Sometimes I appear on the Grumpy Old Geeks Podcast. Really, at this point, there are more podcasts that I host than I do not host.
So, and after our little time together, I think Carole and I have agreed that I'm gunning for you, Graham. So next, no, it's much nicer to me, Graham.
I'm the co-host of the Caveat Podcast. Sometimes I appear on the Grumpy Old Geeks Podcast. Really, at this point, there are more podcasts that I host than I do not host.
So, and after our little time together, I think Carole and I have agreed that I'm gunning for you, Graham. So next, no, it's much nicer to me, Graham.
You may want to up your game a little bit.
I could never replace Graham in Carole Theriault's heart.
Yeah, it's a special little box just for him.
Oh, say where you live on Twitter as well, Dave.
Go on. It's @Bittner, B-I-T-T-N-E-R.
Marvelous. And you can follow us on Twitter as well, @SmashingSecurity, no G. Twitter won't allow us to have a G. And you can also carry on the discussion on Reddit.
Go and find the Smashing Security subreddit up there.
Go and find the Smashing Security subreddit up there.
And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. And of course, thank you to you listeners.
How will we survive the next few weeks without you? Lord only knows. But we wish you at least a tolerable Christmas season and a wonderful night to bring in the new year.
And seriously, guys, in-betweeners and outliers, a huge thank you for listening to us every week, supporting us via Patreon, and giving us the coveted podcast reviews.
It's butt-jiggly wonderful of you. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
How will we survive the next few weeks without you? Lord only knows. But we wish you at least a tolerable Christmas season and a wonderful night to bring in the new year.
And seriously, guys, in-betweeners and outliers, a huge thank you for listening to us every week, supporting us via Patreon, and giving us the coveted podcast reviews.
It's butt-jiggly wonderful of you. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Until the new year, cheerio, bye-bye. Happy Christmas.
Happy holidays. Happy Hanukkah!
How's the wine, girl?
I'm about 8 bottles in. No, I'm kidding. I've had a glass. I'm fine. Oh my God, I haven't eaten any cake, but now I am. Pecan banana cake.
Yeah. Delicious.
I think that show went pretty smoothly, all in all, didn't it?
Oh yeah, yeah, start to finish. Boy, that was—
Graham, you know what? It's totally fine. What? We've got this. Yeah, we've got it. Rock and roll.
It's awesome. What a way to end the decade. Oh my God, it's the last of a decade.
Dave's right. Yeah. My, how exciting.
Yeah, just wait till next year.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Dave Bittner:
Show notes:
- ‘No Chance:’ John McAfee Halts Crypto Promo as US 2020 Elections Near — Coin Telegraph.
- FBI Arrests Former Bank Employee Charged With Stealing Cash From Bank Vault — US Department of Justice.
- "Problem" video — Aceey4oez on Instagram.
- Man posted photos of himself with stacks of cash after stealing from bank: charges — Sydney Morning Herald.
- The 1980 Cadillac Seville.
- Naughty CANbus odometer "interface". (Fakes mileage.) — Bigclivedotcom on YouTube.
- Children’s data and privacy online Growing up in a digital age (PDF) — London School of Economics.
- Amazon Echo Dot Kids: Privacy violations puts kids at risk, lawsuit alleges — CBS News.
- Parents should be wary of all connected toys, expert says — IT Pro.
- Safety alert: see how easy it is for almost anyone to hack your child’s connected toys — Which?
- Kids’ karaoke machines and smart toys from Mattel and Vtech among those found to have security flaws — Which?
- FTC fines Google $170 million for violating children's privacy on YouTube — CBS News.
- The movies that made us — Netflix.
- Die Hard — Wikipedia.
- Strong Songs podcast.
- Truth Be Told Official Trailer — YouTube.
- Truth Be Told doesn’t know how to make a murderer — The Verge.
- Truth Be Told — Apple TV+
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
