Smashing Security podcast #161: Love, lucky dips, and 23andMe

Graham Cluley
The man who hacked the UK National Lottery didn’t end up a winner, Japanese Love hotel booking tool suffers a data breach, and just what is 23andMe planning to do with your DNA?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
The question I wonder throughout the series is whether the Messiah figure is a con artist or not, right?

And they play on it: they reveal that when he was a boy, he entertained people with magic on the streets.
GRAHAM CLULEY
As I remember, in one of the parables, Jesus does saw a woman in half. That was one of the tricks he pulled off in the New Testament.
THOM LANGFORD
Did he then get one of those big hula hoops, run it round her?
Unknown
Smashing Security, episode 161. Love, Lucky Dips, and 23andMe with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 161.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hi, Graham.
GRAHAM CLULEY
Strange. And we're joined today by a special guest. We have someone who's never been on the show before, shockingly enough. It is Thom Langford. Hello, Thom.
THOM LANGFORD
Well, hello. It's funny you should say never been on the show before because I'm really pleased to be on this enormous inaugural episode, I have to say.

So honored to be on this very first Graham Cluley Smashing Security. Carole— I can't even pronounce her surname. You know, to be on the very first one. Theriault.
CAROLE THERIAULT
Yes, Ontario without the O-N, you see.
THOM LANGFORD
Got you. But yeah, to be on the very first one is such an honor and privilege.
GRAHAM CLULEY
Now, Thom, I'm sure lots of people do know who you are, but for those people who don't, who are you? Why should we care? And is it true you're the sole founder of Host Unknown?
THOM LANGFORD
Well, let me answer those in reverse order. Yes, I am the sole founder of Host Unknown. There is only one. You can ask all three of us and we all agree. And who I am, I'm ex-CISO.

It's a bit like when people leave the army, they retain their titles, you know, because it makes—
GRAHAM CLULEY
You're a Vietnam vet.
THOM LANGFORD
Yeah, exactly. It makes them feel self-important. You know, I left the army 20 years ago, but you can call me Colonel.
CAROLE THERIAULT
I work 3 hours a day now, but I used to really work hard.
THOM LANGFORD
Yeah, that's right. That's right. So I used to work hard. I'm rather proud of the fact that I managed to double the average tenure of a CISO by staying there for just over 4 years.

But the last year I set up by myself, own consultancy, blah, blah, blah, TL2 Security, been doing that this last year. It's been more fun and harder work than I expected.

And I'm looking forward to another year of it, to be honest with you.
CAROLE THERIAULT
Huzzah!
GRAHAM CLULEY
Fantastic. Carole, what is coming up on today's show?
CAROLE THERIAULT
Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free.

Now, on today's show, Graham tells us how a National Lottery hacker got his just deserts.

Thom is visiting the shadier, and dare I say, seedier side of the Japanese love hotel business. And I'm going to coin a new buzzword, DNA mining. Let's see if it sticks.

All this and oh, so much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, I think all of us from time to time have had a little dream, haven't we? We've thought, wouldn't it be wonderful to be a millionaire? Oh, it'd be fantastic.

Imagine the bling, the fast cars, the loose women, the pedalos in the south of France. Wouldn't you enjoy that? It'd be terrific.
CAROLE THERIAULT
I have never been driven by that, actually, I don't think.
THOM LANGFORD
What, by pedalo?
CAROLE THERIAULT
I love a pedalo, but I don't think I need to be a millionaire to have one or to use one, right?
GRAHAM CLULEY
In the south of France with loose women and fast cars and bling. Not interested. Not interested in that.
THOM LANGFORD
Yeah, you can get that TV show anywhere anyway.
GRAHAM CLULEY
Well, lots of people would like to achieve it.

And if we wanted to, let's just imagine, Carole, just imagine for the purposes of a podcast, which is what we're putting together today, that we did want to be millionaires.

And let's decide that the way in which we're going to do it, the three of us are going to hack into a website.
CAROLE THERIAULT
You, me, and Thom. All right.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Excellent.
THOM LANGFORD
Okay, good. Good luck with that.
CAROLE THERIAULT
Yeah.
THOM LANGFORD
Certainly with me on your team.
GRAHAM CLULEY
I'll be—
CAROLE THERIAULT
Yeah, I'm on team duty.
GRAHAM CLULEY
Now, some people say it's not that hard to crack into a website because lots of people use the same passwords, right?

If you grab a username and password from one data breach, you can then apply that to unlock accounts on other websites, right? Simple technique.

You don't have to be a mastermind, Carole. Good news.
CAROLE THERIAULT
Many people don't even have passwords in place. So, you know, there's that.
THOM LANGFORD
I think even I could hire somebody to do that for me.
GRAHAM CLULEY
Now, that's all very well, but what happens if you don't know who is using the same password?

So if you've got the results of a data breach and you're thinking, well, I'm going to hack into some of these people's accounts, you've still got to work out who is using the same password on different sites.

Otherwise you're wasting time. And so there are tools out there. There's a tool called Sentry MBA, for instance.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
A hacking tool that's been around for a few years, which helps with credential stuffing attacks.

In other words, they scoop up a whole long list of usernames and passwords, and then they will use that list to try and log into a particular website.
CAROLE THERIAULT
Okay. So say, for example, my email address was in this list and my password, my favorite animal is a cat. Right?
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Are you saying they would try and use that password just to see if I'm using the same password on multiple sites?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay. Gotcha. Gotcha.
GRAHAM CLULEY
Now there are ways of stopping credential stuffing if you are running the website. For instance, you could spot multiple attempts to access from the same IP address.
THOM LANGFORD
Mm-hmm.
GRAHAM CLULEY
So if you are seeing somebody who's basically spraying a website trying to log into lots of different account names, lots of different account users using lots of passwords and they're coming from the same computer, you can say, hmm, a bit suspicious that.

I don't think that's probably what we want to go on. Now, that's a good technique to build into your website, a good protection method.
CAROLE THERIAULT
It's a behavioral algorithm or something, right?
GRAHAM CLULEY
In a way, yes, because it's not normal human behavior to act like that, is it?
CAROLE THERIAULT
Mm-hmm.
THOM LANGFORD
And also, if you come from different countries, for instance, or different time zones, it'll spot that as a, hang on, you've been logging in from London for the last six years and now you're coming in from Moscow.
CAROLE THERIAULT
How dare you go on holiday?
THOM LANGFORD
Yeah, well, there is that too.
GRAHAM CLULEY
Why is Thom trying to come in from Bangkok? When normally he's from Bermondsey, that kind of thing.
THOM LANGFORD
Yeah, that's right.
GRAHAM CLULEY
Now, tools like Sentry MBA, they try to get round that by using proxies to attempt to log into accounts.

So rather than being the same IP address each time, they might log in from lots of different ones. So you don't see all of these attacks coming from the same place.

And again, all of this is configurable with hacking tools like Sentry MBA, which make it so much easier. So we've got the tool, guys, to hack into the website.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Let's hack into the website of the UK National Lottery, run by an outfit called Camelot in Great Britain.
CAROLE THERIAULT
That would seem quite difficult to do, no?
GRAHAM CLULEY
Well, it's not that you're necessarily going to hack into the millions and millions which they have control over. You're going to hack into different user accounts.

And that actually is what happened in late 2016. There was a guy in Notting Hill.
THOM LANGFORD
You know what the thing I like about this podcast is it's so timely. The news comes in.
CAROLE THERIAULT
Tell me about it.
THOM LANGFORD
It's like it happened yesterday.
GRAHAM CLULEY
Well, there was this chap in Notting Hill, not Hugh Grant or— oh, fuck, fuck, shit. What? No, none of that. His name was Anwar Batson.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And what he did was he downloaded that hacking tool, the Sentry MBA, and he joined a WhatsApp group devoted to hacking. And he used an alias. The alias was Rose Gold.
THOM LANGFORD
Ooh.
GRAHAM CLULEY
And in that WhatsApp group, he met a couple of other fellas, and he produced for them a configuration file to run the hacking tool against the National Lottery website.

So the configuration tool basically customizes the tool specifically for this particular attack. And he wrote up a deal with them.

He said, look, what we'll do is we will split the proceeds of any money which you make from hacking into those accounts.
CAROLE THERIAULT
2016 and all the details.
GRAHAM CLULEY
Yeah, yeah, yeah.

We're gonna come up to date because— and so it was in November 2016, National Lottery warned players that around 26,500 accounts had been accessed and they forced a password reset.

And this really had repercussions on the National Lottery. Camelot, who run the lottery, they say they spent £230,000 quid investigating the attacks, tightening up their security.

They say 250 customers closed their accounts as a result of the bad publicity.
CAROLE THERIAULT
I don't even understand what a National Lottery account would give you. What, do you put money in every month to play? Is that how it works?
THOM LANGFORD
You can do.
GRAHAM CLULEY
I think so, yeah.
THOM LANGFORD
You put your payment details in there.
GRAHAM CLULEY
Yeah.
THOM LANGFORD
So, or you can have your card details in there, so it takes money out every month to pay for your lucky dip.
CAROLE THERIAULT
Right, right.
THOM LANGFORD
Every single week on the same numbers or whatever. So yeah, it's a financial transaction website.
CAROLE THERIAULT
Right. Okay.
GRAHAM CLULEY
And Camelot also paid out tens of thousands because they were planning to have a staff training event and it had to be postponed in the wake of the hack because everyone was required to sort of deal with the consequences of the hack and the repercussions.

And so they lost about £40,000 that way as well. Anyway, Batson was arrested in May 2017 (look, I'm almost getting up to date) by the National Crime Agency.

And initially he denied he was involved in the attack. He said, "Oh no, my devices, my computer, my smartphone has been cloned.

There's a bunch of guys online, they're trolling me." Do you say trolling or trolling? Trolling sounds like something they do in Norway, people pretending to be rogues.

"No, that's not me." People are pretty— but NCA officers, they examined his devices, they found conversations between Rose Gold and others on WhatsApp where they discuss the hacking, the buying, the selling of usernames and passwords and more.
CAROLE THERIAULT
I think that's the thing I find most surprising is that they trusted WhatsApp because back in 2016, I don't think they had end-to-end encryption.

So it seems like a weird channel to me.
THOM LANGFORD
I thought they were one of the first to bring that on. I don't know when they did it, but I think they were one of the first.
CAROLE THERIAULT
I may be wrong on that.
GRAHAM CLULEY
Yeah, I don't know. I've never really used WhatsApp, so I'm not, and it certainly has end-to-end encryption now, doesn't it?
CAROLE THERIAULT
Yeah, well, yeah, it has for a number of years, but yeah.
GRAHAM CLULEY
You're painting a very dull picture of yourself.
THOM LANGFORD
Yourself, Graham. You don't do the lottery. You're not on WhatsApp. You're going to tell us next you're not on Facebook. Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
As if. Come on. Seriously, Thom.

So Batson, he kept on claiming that he wasn't Rose Gold, but the officers who were searching his house found all these clothes which were addressed to someone who was calling himself Rose Gold.
CAROLE THERIAULT
It's always the little things, right?
GRAHAM CLULEY
It is the little things.
THOM LANGFORD
Criminal mastermind.
GRAHAM CLULEY
Let me tell you. There's another little quirk in the story as well.

When he was defending himself, defence team, they were in court at the end of last year and they were asked to produce character references to say, "Look, although he's been a very naughty boy, it's not his normal behaviour and he's very good." And the judge was looking at these character references and he said, "These aren't really character references in relation to him committing a crime." In fact, what he'd put forward were actually references from a previous employer to someone when he was applying for a job.

And so he gave this to the court and the judge was saying, "You can't just hand in these as character references, because we all know that people lie on those things anyway, or quite often write them themselves."
THOM LANGFORD
I probably would have done that.
CAROLE THERIAULT
I've been on— No, but I'm glad you've saved me from the embarrassment should I ever find myself in this situation, because I would get a client saying, "She's great." Well, I think being on time and the ability to make good tea does not necessarily count as a character reference.
GRAHAM CLULEY
Maybe on the tea, as long as it's not a suspicious colour, but you know. So Batson ended up being convicted in relation to the hack of one particular National Lottery account.

He gave the username and password of a lottery player, a certain Dr. Iain Bentley, to one of his accomplices, who stole the entire contents of the account.

And they stole a grand total of £13. And Batson split £5. Are you kidding me? No, I'm not kidding you.
CAROLE THERIAULT
And that's how much he made out of doing all this?
GRAHAM CLULEY
He made £5.
CAROLE THERIAULT
He made a fiver.
GRAHAM CLULEY
He made £5, which has now resulted in him getting a 9-month sentence in jail.

So all I can say is that if you're finding London house prices rather expensive and can't afford to rent anywhere, just £5 will get you 9 months in Her Majesty's Prison.

Free food, you don't have to pay for that.
THOM LANGFORD
Plenty of evening fun in the cells.
GRAHAM CLULEY
I think that's what they call a lucky dip, actually, Thom. All right, enough, enough. Thom, what is your story for us this week? Please keep it clean, no smuttiness.
THOM LANGFORD
Well, I do have a little bit of sinfulness, but a very good friend of mine put me onto this story, so I won't claim credit for finding it, but there is a hotel brand in Japan called Happy Hotels.

I'm keen to know what their tagline is, because they're actually a love hotel chain.
CAROLE THERIAULT
So what is a love hotel?
GRAHAM CLULEY
Yes, Thom, tell us. What is a love hotel, Thom?
THOM LANGFORD
It's a hotel one makes beautiful love to a woman in, I guess. Oh. It exists.
GRAHAM CLULEY
I didn't know it existed.
CAROLE THERIAULT
So gender-specific.
THOM LANGFORD
Wow, okay. This is very true.
GRAHAM CLULEY
'Cause love is made by a man to a woman. It's never a woman to a man or a woman to a woman or any other combination. It's good to know where you stand on this, Thom.
THOM LANGFORD
Hey, I only go from personal experience. Okay, so we're two—
GRAHAM CLULEY
Or more. Humans.
THOM LANGFORD
Two people now.
GRAHAM CLULEY
Or more. Humans. A number of people.
THOM LANGFORD
Humans and/or others, maybe quadrupeds. What about self-love? Selfless.
GRAHAM CLULEY
I don't think you need to book a hotel room for that, Chris.
THOM LANGFORD
You just need a lock on the toilet door.
GRAHAM CLULEY
Just need an office at the bottom of the garden.
CAROLE THERIAULT
That'll do. Yeah.
THOM LANGFORD
Is that— works for you, right? In your new love office.
CAROLE THERIAULT
Oh, we digress.
GRAHAM CLULEY
Anyway, keep on track.
THOM LANGFORD
Anyway, anyway, since Graham picked me up on my gender-specific non-inclusive speech.
CAROLE THERIAULT
Actually, what does that mean, then?
THOM LANGFORD
So Happy Hotels is a love hotel where you take— you can hire a room— stop you gossiping— hire a room for a few hours or a night without interacting with any hotel employees.

So there's no awkward glances.
CAROLE THERIAULT
Just the surveillance cameras.
THOM LANGFORD
Just the surveillance cameras. Well, I don't know, maybe not. Anyway, it feels like this is the entire story in and of itself.

However, they've been hacked and the customer details, including email address, birth dates, gender— see, it is important— phone numbers, login address, credit card info, all of which is compromised.
CAROLE THERIAULT
And that's got to be embarrassing because I'm guessing many people who frequent these love hotels might be doing so without the thumbs up from their maybe everyday partner.
GRAHAM CLULEY
Oh, I see, right?
CAROLE THERIAULT
So it's a bit like the Ashley Madison fiasco.
THOM LANGFORD
Well, precisely.

And the thing about this is, you know, all joking aside, and all the sort of, you know, let's stick our morals and ethics where the sun don't shine here because it's all really important.

There's nothing wrong. All that aside, actually, there is a very human cost. We saw with the Ashley Madison breach that there were very real consequences.

I believe there were two suicides as a result of the information coming out. You know, what seems like a — I was going to say, you know, a harmless criminal act, if you will.

But, you know, what seems like a stick-up effectively in the old-fashioned terms of give us your money. And it wasn't — oh, Graham, you've got a filthy mind.

But someone else is saying it, you know, it's not just an exchange of money or even give us some money and we'll give you your details back or whatever.

But there are real other implications to this that result in a lot of pain and death.
GRAHAM CLULEY
Because with Ashley Madison, there were even blackmailers, weren't there, who went through the database, they wrote letters and sent emails threatening to tell people's spouses, and I guess potentially this could happen with the Love Hotel breach as well.
THOM LANGFORD
Yeah, exactly.

And I think a lot of people will respond to these kinds of stories, and even these kinds of allegations, you know, about the after-effects, saying, well, people shouldn't be doing this sort of thing anyway, you know, it's immoral, it's unethical, they're hurting their spouses, significant others.

But actually, that's the old victim blaming coming out. We should be focusing on this as a criminal act. It should be treated as a criminal act.
CAROLE THERIAULT
What, going to the love hotel?
GRAHAM CLULEY
No, the hack, he means.
THOM LANGFORD
But the actual hack should be just seen as a criminal act, end of story. It doesn't matter the circumstances.
CAROLE THERIAULT
Absolutely.
THOM LANGFORD
And even, you know, the police, the law enforcement agencies, they don't view it like that. You know, at least I'd like to think so.

So, you know, us shouting from the peanut stands, as it were, we need to focus more on the criminal act rather than the people that were affected.
CAROLE THERIAULT
Unfortunately, it doesn't make as good a media story, right? People love covering the drama of people whose lives are being shattered.

Now, I might, Thom, want to revisit my argument of places for self-love, because surely that would be an argument that you could use with your loved one at home.

Saying, look, I needed a few hours to myself.
GRAHAM CLULEY
A few hours? You don't need a few, you need about 18 seconds. What are you talking about?
CAROLE THERIAULT
Well, maybe you take a nap afterwards.
THOM LANGFORD
Oh, I see.
GRAHAM CLULEY
Right?
CAROLE THERIAULT
Like, you know?
THOM LANGFORD
Absolutely.
CAROLE THERIAULT
And maybe—
THOM LANGFORD
Often I can't even make it to the door of the hotel, so.
CAROLE THERIAULT
Look, so anyone out there may want to kind of visit that argument.
GRAHAM CLULEY
Right. So you're suggesting if anyone's being blackmailed for going to a love hotel, say that you would just go in there for a Tommy Tank. Exactly.
CAROLE THERIAULT
Or whatever.
THOM LANGFORD
Tommy tank.
CAROLE THERIAULT
And you went on your own and that's that. And what's — there's nothing to it.
GRAHAM CLULEY
And to think people say we never offered advice on this podcast.
THOM LANGFORD
I think that's good consumer advice.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Okay, well, we're talking DNA tests.
GRAHAM CLULEY
Oh, it's all sort of connected.
THOM LANGFORD
That's what they did in the hotel afterwards.
CAROLE THERIAULT
I'm gonna focus on 23andMe for this story, but I think many of the points will apply to other corporations in the DNA snarfling field.

According to Bloomberg, more than 10 million customers have taken 23andMe DNA tests.
GRAHAM CLULEY
So this is, this is this deal where you sort of spit into a, or whatever, into a test tube, you send it off to 23andMe, and they'll analyze it and come back with some—
CAROLE THERIAULT
Yeah, we're gonna go visit their website in one second, actually.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
So yeah. Do you know anyone who's done this kind of stuff, either of you?
GRAHAM CLULEY
Yes, I do.
CAROLE THERIAULT
And did they learn anything?
GRAHAM CLULEY
I haven't done it myself.
CAROLE THERIAULT
No one called you up and said, my dad's not my dad!
GRAHAM CLULEY
It's not the Jeremy Kyle Show.
THOM LANGFORD
There's a few subreddits on that subject. I have to say, there's loads of them that come in about that sort of thing. But I mean, I've not done it myself.

I would be fascinated to find out about it because I'm kind of slightly alien. Well, yes, to a certain extent.

I really like the idea that most— the average Briton is a real sort of mongrel of genetics, given that our whole history, you know, we've been invaded by the Vikings, by the French, by the Germans, by the— well, just about everybody.
GRAHAM CLULEY
When I look at you, Thom, I see a little bit of Attila the Hun. I have to be honest.
THOM LANGFORD
Yeah, I like to think so.
CAROLE THERIAULT
Now why don't you guys go visit the site actually?
GRAHAM CLULEY
Okay, what's the URL?
CAROLE THERIAULT
So you go to 23andme.com.
GRAHAM CLULEY
The number 23andme.com.
CAROLE THERIAULT
Yeah, that's right. Yeah, and take a look around. And what I'm looking for is maybe you guys just take a little sniff around. It's not too complex a website.

And just let me know what you think the top-level messages are on the site.
GRAHAM CLULEY
So I'm sort of seeing that it'll help me exercise more.

It'll make me healthier because I know my body better and I'll know if I've got any nasty genetics, which might give me health problems in the future.

That's sort of message I'm getting.
THOM LANGFORD
Mine's, mine's just taken me to a register your kit page.
CAROLE THERIAULT
Oh, interesting.
THOM LANGFORD
It's very interesting. So I might have to try that again, but.
CAROLE THERIAULT
Yeah. So from what I saw on the site, right, effectively they seem to be selling 3 services. One is Health and Ancestry, another one called Ancestry and Traits for $99. This is US.

Or you have VIP Health for a whopping $499.

Now what's interesting is 23andMe does research and through this research has been able to create an antibody, and it has agreed to license this antibody to a Spanish drug maker called Almirall SA.
GRAHAM CLULEY
All right, and what's this antibody do?
CAROLE THERIAULT
So this antibody is developed to treat inflammatory diseases such as lupus or Crohn's disease, right? Very unpleasant. Yes, nasty.
GRAHAM CLULEY
I had an inflammation once actually when I was in Japan in a hotel, but it went away after a few seconds. Yes, that's right.
CAROLE THERIAULT
So Almirall now have the rights to develop and commercialise a drug for worldwide use. Certainly, it seems that the VPs at 23andMe are thrilled, right?

One of them was quoted saying, "This is a seminal moment for 23andMe. We have now gone from database to discovery to developing a drug." I'm making up my own jokes now.
GRAHAM CLULEY
Okay, carry on.
CAROLE THERIAULT
I missed it.
THOM LANGFORD
Oh, no, I heard it too, Graham.
GRAHAM CLULEY
Yeah, yeah, let's move on, Carole. Don't worry, none of the listeners will have caught it. Yeah, as it were.
THOM LANGFORD
So Spider-Man, isn't it?
CAROLE THERIAULT
I feel like I'm out of the joke loop. Seminal. Yes. Okay, good, good. Excellent, excellent. Well done. I can— yes, good.
THOM LANGFORD
Okay, so how old do you feel now, Graham? Because I feel like I'm about to die.
CAROLE THERIAULT
So this deal is a big deal, okay? Because 23andMe are in the business of providing you personal insight into your genetic history should you decide to spit in a tube.

But it's also in the business of using that trove of genetic material to create antibodies that it can eventually turn into drugs, or allow to be turned into drugs by drug companies.

Now, just as a, for what it's worth, back in 2018, GlaxoSmithKline purchased a $300 million stake in 23andMe.

And this allows the pharmaceutical giant to use the trove of genetic data to develop new drugs.

So I'm looking at all this and I want to talk to you guys about it and noodle about it because something doesn't sit right with me.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
So 23andMe is a private US-based company.

And on their website that you've looked at, it presents a nice clean image saying spit in a tube, we'll analyze it and we'll give you the info and all the predictions for an agreed price.

And maybe as a user, you might be presented with a statement at some point that says something along the lines of, I agree to let 23andMe use this information for medical research.

Now, to me, medical research means we are doing work to improve this service we provide to you, our customer, right? Better predictions, better analysis.

I don't think most people think it means that 23andMe are going to partner with the likes of GlaxoSmithKline and Almirall to make some serious moolah from an antibody developed from your raw genetic data.
THOM LANGFORD
I mean, I think it's a good thing overall. I mean, there's plenty of pitfalls, but I think overall it's a good thing. It's crowdsourcing, right?

You know, you're getting a whole bunch of information, lots of information from a lot of people that allows you to do stuff.

Now, I think you're right that probably people don't know it's going to be used to create drugs.

But I do remember a few podcasts ago, Carole, you were talking about the Fitbit and Google thing and how you would— the shareholder scheme, as it were, of 'Here's my data.

I need to get some of that money that you're selling the company for.' It could be a similar thing if you're a contributor to 23andMe and your genetic material has been used to help create a life-saving drug.

Maybe you become a shareholder in that drug.
CAROLE THERIAULT
You know what, I think that's a really great idea. So I've made a little play on what we could do here too. So I love that you've said that.
GRAHAM CLULEY
Love it.
CAROLE THERIAULT
Yeah. So I think what bugs me though is not whether it's good or not good.

Again, you know how you said earlier in your story, put your morals in your back pocket or where the sun don't shine? Let's do that with this one as well.

My concern is the website's basically saying, we have a very clear transaction here. Spit in a tube, I'm going to give you some information.

I'm arguing that that's not where they're actually getting their money. Their money is coming from these big drug deals that they're going to make.

I'm going to put forward the term DNA mining, for big profits.

And maybe there ought to be regulations in place to protect, you know, the primary shareholder of that genetic data, right? Which is, who's that? That's me or you, whoever.

I mean, there's not even a bloody thank you or a whiff of compensation to all the people whose DNA has been used to make, you know, mucho dinero for 23andMe.

Not only is there no thank you, if you go look at the current, the company's current policy, right, that's on their website, they ask you to agree to a waiver of property rights.

So, quote, "You acquire no rights in any research or commercial products that may be developed by 23andMe or its collaborating partners.

You specifically understand that you will not receive compensation for any research or commercial products that include a result from your genetic information or self-reported information." So that's not very nice.
GRAHAM CLULEY
But people do have the option not to spit in the tube, right? And not to share their information.
CAROLE THERIAULT
I understand that, but I wish that argument was made much more clearly, much more upfront on the website. Because once you've spat in the tube—
THOM LANGFORD
Unless they make it more, the whole model transparent and it's $25 and we'll give you the full, you know, the full test and the full report, etc.

But your data will be used for medical research or $500 and we'll destroy your samples once they've been reported. Yeah, that would, that would make more sense.
GRAHAM CLULEY
This is what makes me nervous is that we got these huge multinational companies now who are gathering humongous databases of people's genetic DNA information.

And who knows how that data might be used in the future or might be abused. And people are just sort of willingly handing it over.

I certainly wouldn't be comfortable if someone were to scrape up some of my saliva, if I spluttered during a presentation at a conference and sent it off to someone's database.
CAROLE THERIAULT
I'll throw out your water bottle for you, Mr. Cluley.
THOM LANGFORD
Think how much money we could make with an army of Cluleys.
GRAHAM CLULEY
Oh, just if they were to grab the, you know, a few loose hairs from my eyebrows and try and clone— you know, it's just horrendous enough as it is.

I feel uncomfortable about these things, although there's clearly amazing medical advances which could potentially be made.

I'm not sure we're quite ready and whether we've thought through all the implications of these things.
CAROLE THERIAULT
All is not lost, right? So 23andMe do seem to have some good privacy pages, and they say you can delete everything and your DNA by deleting your account on the site.

So look it up in your own country, in your own jurisdictions. They do have pages on GDPR and all that, so it may be different for different places.
GRAHAM CLULEY
Some great bedtime reading.
CAROLE THERIAULT
But I would compare this approach, 23andMe's approach, to the National Institutes of Health, so NIH, right?

And they have this project called All of Us, which aims to collect the data from at least 1 million Americans in an effort to further medical research and discovery.

And this to me seems a much better approach because everyone's informed as to why they're collecting this information, what the point is.

So transparency, to your point, Thom, transparency. It's all about transparency. We need more of it, otherwise, how are we going to get our heads around this crazy-ass world?
THOM LANGFORD
Wise, sage words.
GRAHAM CLULEY
Boom, boom.
CAROLE THERIAULT
Exactly. Hey, Graham.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.

And when it comes to cybersecurity, that is super important. So listeners, listen up.

If you do not have a password manager in your organization, please check out LastPass Enterprise.

They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.

Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity.

Let me try that again, folks. Check it out at lastpass.com/smashingsecurity.
THOM LANGFORD
Smashing.
CAROLE THERIAULT
Perfect.
GRAHAM CLULEY
Do you want to make it more conversational? I don't know.
CAROLE THERIAULT
I think that sounded great.
GRAHAM CLULEY
And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
THOM LANGFORD
Pick of the Week. Pick of the Week. Pick of the Week. There you go. You can have that for free.
CAROLE THERIAULT
Thanks.
GRAHAM CLULEY
Thanks, Terry. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Yeah, just my story.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related.
CAROLE THERIAULT
Good.
GRAHAM CLULEY
But it is technology-related.
THOM LANGFORD
Okay.
GRAHAM CLULEY
Because, well, let me paint a picture for you.

Right now, I am speaking to you from my love shack at the bottom of the garden, and it's very, very windy outside, and I don't know whether the wind is being picked up by my microphone or not, but it's certainly pretty noisy in here.
CAROLE THERIAULT
What's that, Cluley?
GRAHAM CLULEY
Now, I'm not using my laptop to record this right now, right? I'm using a desktop computer, which thankfully is quite quiet.

But if I was using my MacBook Pro, it wouldn't be unusual for it to start going— and the fan to start up.

The problem with a laptop with the fan going crazy is that it obviously runs down the battery. And also, that's not the only thing which can run down the battery pretty quickly.

Also, my MacBook Pro has something called a Turbo Boost mode, right, which Apple have turned on by default, right? They just enabled it to get maximum CPU.

And it's not as though my computer needs maximum CPU all the time.

I don't really need the maximum power, and if I can turn off Turbo Boost, my CPU won't get so hot and the fan won't come on. And this is the brilliant bit.

I am now running a program called Turbo Boost Switcher, and what it does is it means my MacBook Pro is now cooler, not just to look at, but cooler in temperature, and my battery is lasting up to 25% longer.
THOM LANGFORD
Ooh!
GRAHAM CLULEY
And it's a really clever program.

If you actually buy the professional— if you actually buy— there's a free version, but if you buy the real thing, which is what I've bought for about $9, it's got some nice features.

Like, for instance, if it works out that you're on battery and not plugged in, it will automatically disable Turbo Boost, right, to preserve more battery.
CAROLE THERIAULT
I mean, you did warn me that I would like this. I do!
GRAHAM CLULEY
And if, for instance, if the fan— so I've also programmed it.

I said, if the fan starts going crazy and my computer gets really hot, even if I'm plugged in, then turn off turbo boost.

And you can even say to it, look, you can have turbo boost running when you run these particular applications.

So if you've got something which is really CPU intensive, you can run the turbo boost then, but when you're not running that application, turn it off.

So you get the performance you want when you want it.
CAROLE THERIAULT
This is a serious ad, Ben.
GRAHAM CLULEY
Well, should be sponsored, shouldn't they?
CAROLE THERIAULT
So, Graham, while you were doing your bit here, I happened to look at my battery and it was at 9% on my laptop because I'm not doing this recording from home.
GRAHAM CLULEY
Oh, you're not plugged in?
CAROLE THERIAULT
I was, but the plug I was using obviously wasn't working. So that's why you may have heard me crash around. I'm sure we'll mute that for the listeners.

But that's why I crashed around during your story because I was going, oh no, oh no, we might lose everything.
GRAHAM CLULEY
There you go.
CAROLE THERIAULT
So there you go. Okay. I'm interested.
GRAHAM CLULEY
So Turbo Boost Switcher, links in the show notes. And that is my pick of the week.
CAROLE THERIAULT
Nice. Yeah.
GRAHAM CLULEY
Thom, what's your pick of the week?
THOM LANGFORD
Nothing so practical, but we've all heard about unsolicited dick pics.
CAROLE THERIAULT
What is up with you with the love hotels and the dick pics? He's coming in strong on his first inaugural visit to Smashing Security.
THOM LANGFORD
Graham's gotta have a hobby.
GRAHAM CLULEY
I don't think any dick pic is actually solicited, surely. No one actually wants to see your penis, Thom.
THOM LANGFORD
Well, you say that. You say that.

There is an STD clinic that has started a service where if you don't want to see a doctor, a real person, you can send them a picture of your old chap.

And it's all of its— in all of its STD glory. And they will diagnose it for you.
CAROLE THERIAULT
Oh, for goodness' sake.
THOM LANGFORD
The picture gets sent to a, inverted commas, private inbox. And they will diagnose visually.

So, gents, if you want to send a dick pic but don't like the idea of it being unsolicited, you can just go to this STD clinic and just send away, and they actually won't mind.

You know, all they'll say is, you're all clear.
CAROLE THERIAULT
Okay, I have a number of questions here.
THOM LANGFORD
Okay, I don't see— it's such a simple story, come on, you know.
CAROLE THERIAULT
Thom, it's great. Okay, Thom, does this only work for people with penises, or can people with, you know, sporting the vagine— can they take part in this as well?
THOM LANGFORD
With the bobs and vagines? I'm not entirely sure. I would have to find out. I'm, you know, my earlier faux pas, I'm not going to be gender specific in this case.

So I imagine that maybe there is some— maybe that's a service to come, you know, soliciting vagine pics.
GRAHAM CLULEY
Carole, just can't we just go on to your pick of the week? I mean, really? This is just—
THOM LANGFORD
Because my thought was, how many times do you send a dick pic before they say, "Please stop. There's nothing wrong with you." Other than the fact you're sending dick pics.
CAROLE THERIAULT
Maybe it'll get people off the streets. Maybe it'll do a service to all the women who get unwanted dick pics, now that there's an outlet for them to send it to.
THOM LANGFORD
Yeah, yeah. I mean, maybe that becomes a service in and of itself.
CAROLE THERIAULT
Exactly.
THOM LANGFORD
You could actually subscribe to a service that allows you to send dick pics.
GRAHAM CLULEY
Are we still talking about this?
THOM LANGFORD
Are we seriously still talking about this?
GRAHAM CLULEY
Can we just move on?
THOM LANGFORD
The unsolicited solicited dick pic service, £9.99 a month for up to 50 unsolicited dick pics that you can send.
CAROLE THERIAULT
Send to Thom Langford at—
THOM LANGFORD
Whoa!
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Crow, what's your pick of the week? Quick.
CAROLE THERIAULT
Well, from dicks to messiahs. Not the Messiah, but season 1 of the Netflix series called Messiah. Now, have any of you seen it?
GRAHAM CLULEY
I haven't seen—
THOM LANGFORD
I've seen the trailer. Yeah.
GRAHAM CLULEY
And I read an article in The Guardian or some such, which was rather critical of the program.
CAROLE THERIAULT
Interesting.
THOM LANGFORD
Wasn't it swing enough?
CAROLE THERIAULT
So this is a 10-parter Netflix series. And we basically follow someone who emerges as a kind of cult-like figure.

Some see him as messianic, others like the CIA see him as a grave disruptor. Right?
GRAHAM CLULEY
And a grave disruptor.
CAROLE THERIAULT
No, not a grave disruptor.
GRAHAM CLULEY
Oh, okay, right, I understand.
CAROLE THERIAULT
The story is compelling, okay? But critics are all muddled on this.

Some are calling it cumbersome and bland—seriously, two words I would not use to describe the show at all, it was anything but—and others saying the show showed that, you know, us humans are simply hardwired for hope.

I don't know, but the question I wonder throughout the series is whether the Messiah figure is a con artist or not, right? That's basically the—that's the thing.
GRAHAM CLULEY
That's the whole hook, right?
CAROLE THERIAULT
That's the hook, right? And they play on it. They revealed that when he was a boy, he entertained people with magic on the streets.

They kind of allude to maybe him being a con artist, but then he does something quite special, and you're thinking, wow, how did he do that?
GRAHAM CLULEY
As I remember, in one of the parables, Jesus does saw a woman in half. That was one of the tricks he pulled off in the New Testament.
THOM LANGFORD
Did he then get one of those big hula hoops and run it around it?
CAROLE THERIAULT
But you know, it's weird because of the times we are living in, it somehow feels dangerous and brave storytelling to be talking about something, you know, that's religiously based, culturally based, and all that.

So I don't know, somehow I kind of—to me it gives it a bit of artistic integrity because it has, you know, some guts.
GRAHAM CLULEY
Have you watched some of it? Have you watched it?
CAROLE THERIAULT
I've watched it all. Oh, yeah, I've watched the whole first series.
GRAHAM CLULEY
That's my question, right?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Is there going to be a second series, and do we have to wait 2,000 years for it to come back?
THOM LANGFORD
Have you been waiting the last 52 minutes to say just that one line?
CAROLE THERIAULT
Look, it's not perfect, right? But I think it's a smart person's kind of mystery thriller. You know, and it lets you talk if you watch it with someone, right?

It will certainly lead to conversations.

I don't know, these are highly divisive topics, but somehow bubble-wrapped in the context of a Netflix story, you can kind of talk about them more easily, I think.

So I think that's kind of a cool thing.
THOM LANGFORD
I'm gonna watch it with my Lord and Savior Jesus Christ.
CAROLE THERIAULT
I mean, who knows, maybe these are the kind of shows we need to all calm the fuck down a bit, you know, be nice to one another.
THOM LANGFORD
Yeah, Messiah, calm the fuck down.
GRAHAM CLULEY
And on that slightly sacrilegious note, it just about wraps it up for this week. Thom, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
THOM LANGFORD
So you can go to my Twitter, which is @ThomLangford. That's Thom with an H after the T, or my website ThomLangford.com. Thom with an H after the T.
CAROLE THERIAULT
That's where it's all going down.
GRAHAM CLULEY
And you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can carry on the discussion on Reddit as well.

So go and check out our Smashing Security subreddit.
CAROLE THERIAULT
And a huge thank you to all of you for pointing your ears our way, supporting us on Patreon, and giving us swoon-worthy reviews.

Also a big shout out to this week's Smashing Security sponsor, LastPass. Its support helps us give you the show for free.

Check out Smashing Security smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, au revoir, bye-bye, sayonara, whatever.
CAROLE THERIAULT
Yeah, I don't think whatever is—
GRAHAM CLULEY
Whatever. Do you know any Japanese from your trips to the love hotels?
THOM LANGFORD
Yeah, one room please, one hour.
CAROLE THERIAULT
You guys, smarty.
THOM LANGFORD
Is it Carole or Carole? I'm sorry.
CAROLE THERIAULT
Honestly, it's Carole Theriault. So Carole Theriault tends to go—
THOM LANGFORD
So we just got to say it with a French accent. Exactly, which is quite difficult.
GRAHAM CLULEY
20 years. 20 years I've known you, Carole. And you've never told me that before, how to say your name.
CAROLE THERIAULT
Really?
THOM LANGFORD
You've never said that you've been mispronouncing her name all this time.
GRAHAM CLULEY
Yeah, I've never mentioned that once.
CAROLE THERIAULT
Not once, never in one show. Never ever. You're right.

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
