Smashing Security podcast #176: Hacking hacks and university attacks

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security #176: Hacking hacks and university attacks

Journalists spying on their rivals, the NHS rejects Apple and Google’s approach to Coronavirus-tracing, and universities are hit by an old-fashioned sexy lady attack.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Rik Ferguson.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Newsflash, newsflash! Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast. Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. Smashing Security, episode 176: Hacking Hacks and University Attacks, with Carole Theriault and Graham Cluley.

Graham

Hello, hello, and welcome to Smashing Security, episode 176. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham

And, Carole, we are joined this week by someone who's brand new to the show. He hasn't been on before, but really warm welcome to Rik Ferguson.

Carole

Hello, Rik.

Rik Ferguson

Hello there. Thank you very much.

Carole

It's kind of embarrassing that Rik hasn't been on yet, actually. It's really embarrassing. Rik, I am so glad you're here, and it's so good that we... See, we kept best for last. Is this maybe our last show, Graham?

Graham

Oh, well, that we could be.

Carole

Just kidding, kidding, kidding, kidding.

Graham

Rik, I'm sure lots of people already know you, but how would you quickly summarize? Who are you? Why are you here? Why have we brought you on to smashing security?

Rik

I am the vice president of security research at Trend Micro. I've had a couple of decades and a half of lifetime in this industry. And my basic responsibilities are about creating, engaging and informative content and making sure people get to see it, read it, listen to it, whatever it might be.

Graham

Cool.

Carole

Can I say how I know Rik and why I remember Rik?

Graham

Oh, okay, yes.

Carole

Because I met Rik at a trade show, and I remember meeting him very clearly, and there's a reason for that. It's because you, Rik, had just broken the tendon on an index finger. And you told me about it in graphic detail to the point where I felt it, and you explained to me how it snapped, how you – I think you were putting a bedsheet. This is what I remember. This is maybe over 10 years ago, right? You were putting a bed sheet on or something and you tucked your fingers in and it just snapped off.

Rik

Oh, my God, yes. Exactly that. And the worst part of that story, actually, is that it wasn't my index finger. Some other part of your anatomy. It was the middle finger.

Carole

Next to my index finger, yes.

Rik

That's right. So I had to have it splinted for about six weeks. And I was still working and I was still giving presentations at shows and things. And it was my right hand. So whenever I'm holding the clicker, I'm holding the clicker in my right hand with a splinted middle finger. And every time I'm waving my arms around, talking to the audience, giving everyone the bird.

Carole

So every time I make a bed or I tuck something in, I think of it. And I remember, I say, remember what happened to Rik? So there you go.

Rik

But the thing with breaking the tendon in my fingers, this is how stupid I am. I was kneeling on the bed, attempting to tuck the sheet in on the far side. So of course the sheet wasn't moving very much because I was on it.

Graham

And that's how you become the Vice President Security Research. Okay, Carole, what's coming up on the show this week?

Carole

Oh yes, we were digressing. First, thanks to this week's sponsor of LastPass. Their support helps us give you this show for free. Now on today's show, Graham tells us how a bunch of journos suffered a scoop snag. Rik finds out how the UK is getting on with its COVID infection tracing app. And I'm going old school, reminding us that good old phishing attacks are still big business for scummy scammers. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, it is truly a tough time for newspapers. Fewer of the things are being sold than ever because, well, I think people are getting a lot of their news for free online. They're hoping to make money by going digital, selling subscriptions, having a paywall, monetizing the content via advertising. But even that isn't going well during this time of coronavirus. A lot of advertisers are actually choosing to block their adverts from appearing alongside C-19-related content, because they think it would basically leave a bad taste in people's mouths to see an advert for a holiday or whatever it was, alongside something about coronavirus. But don't forget. Yeah. So they're choosing not to appear there, right? They're actually blocking those words, which is a real problem for the press because all they're writing about at the moment is coronavirus. So the newspapers online are getting loads of traffic, which they're having to pay for, of course, in terms of servers and bandwidth. But they're not making enough advertising revenue. Maybe that's an extreme example. But I think a lot of them are concerned that it's just something that they don't want to be associated with, or they don't want anyone to think, how can you have this advert alongside reports of thousands of people dying?

Rik

Because you know someone's going to screenshot that stuff and then it's going to be all over Twitter, all over Instagram, whatever it might be. So when there's that weird juxtaposition, people always catch it, share it, point it out, even when it's inadvertent like that. Oh, yeah, of course. It's not as though it's deliberate. And meanwhile, news agents are all shut. People aren't commuting. People aren't picking up their free newspaper to get on the train and reading it that way. So far fewer newspapers are being sold, and they're not making as much money from the websites. And there's a real crisis going on right now as a result.

Carole

I just thought people got bored of me or something. Stop calling.

Graham

So one of the newspapers which has noted this drop is the British newspaper, The Independent. They went fully digital four years ago. They haven't existed in paper form since 2016.

Rik

Do you know what? That shows how bad the news is, because I didn't know that.

Graham

Right. And the independent staff got told by their senior managers last week to get on a Zoom call to discuss salary cuts and furloughing. A lot of those workers must have been really worried about that. Not worried because I don't know if you saw this story which came out a few days ago about the phishing attacks which come out. So what the bad guys are now doing is they're disguising their phishing attack as a Zoom invitation from your HR department to talk about your performance. So imagine that. Imagine getting one of these emails. Clayton says, oh, you've got to have an urgent Zoom call with HR about your performance. You're going to be worried about that. That's not the kind of thing the independent were worried about. It wasn't even Zoom bombing either. There's been lots of Zoom bombing, of course. People taking over the screen, showing pornographic content, playing loud rock music, Rik.

Rik

Generally. That was a rumor. That was a rumor.

Graham

Generally being a bit of an arse. You know, that is a problem. Actually, what happened during the independent Zoom call was the opposite of Zoom bombing.

Carole

No one showed up?

Graham

Well, no. A hundred odd people. No, it was run silent, run deep. A hundred odd people did make the Zoom call, but they were joined by someone they weren't expecting.

Carole

Elon Musk showed up again.

Graham

No, no, no. They were joined by someone who didn't try and draw attention to himself. It turned out to be a reporter from a rival newspaper. According to The Independent, they checked their Zoom log files and they saw that an account registered to a journalist who worked at the Financial Times, one of their rivals, briefly joined the video call, which was just intended for The Independent's own staff.

Carole

I wonder if he was still on the mailing list. Did he used to work?

Graham

No, no, no. He's never worked for them.

Carole

So he just somehow he got a leak that this is the call number and he just joined.

Graham

I guess he's got a buddy who works there. He sent him the link or something like that. Anyway, what happened was this. This interloper, his video camera was switched off and no one saw his face. But briefly, in the 16 seconds that he was connected, the name flashed on screen of Mark DiStefano. And DiStefano used to work at BuzzFeed, but is now the media and tech reporter at the Financial Times. And so he briefly, because of course you get people's names when they're on the Zoom call right at the bottom of their window.

Carole

Is that why he pulled out?

Rik

And if you've got it on speaker view rather than gallery view, which is a per user choice, right? So if you have it on speaker view, if he made a little bit of noise at his end, even tapping the table or whatever, then his black screen with his name on it is going to have filled the screen of anyone who has it in speaker view.

Graham

I suppose that's right, yeah. But he was only connected for 16 seconds. So how much useful information could he have taken?

Carole

Why was he only on there for 16 seconds? I think because his name showed up. I think he thought he could sneak on and then went, oh, oh, oh.

Graham

He scarpered. He scarpered after 16 seconds, maybe realising that he was still logged into his Zoom account, which was revealing his name. Because then someone anonymously connected to the video call. Again, with his camera turned off. So, oops, oops. Makes me think of Mr Benn: as if by magic, a shopkeeper appeared. And they stayed until the very end of the call, listening in. And while this call was- No one noticed at the time, right? Well, I think someone probably did notice, or maybe it was being recorded for other staff, because there were some staff in the US, for instance, who weren't able to actually get on the call. They were going to be briefed about the changes later on. But what was happening was at the same time as the call, the Twitter account of Mark DiStefano at the FT was basically live tweeting information about what was going on on the call. So he definitely wasn't on the call.

Rik

What a scoop.

Graham

And so he was given the highlights. And later on, he posted a story and he quoted sources who were on the call. Well, yeah, sources who were on the call, i.e. himself. According to The Independent, they said the anonymous user account was linked to the mobile phone of Mark DiStefano. And of course, he published all this information. The Independent weren't very impressed.

Carole

Yeah, well, okay, can we talk about this? Let's talk about it. Can we talk about whether he did anything wrong here? Yes. Because we know that Zoom can be set up in a way to allow people entry, vet people, send specific links, all that kind of stuff.

Graham

So- Well, there's that. But I think there's the fundamental sort of question of-

Carole

I mean, it is newsworthy. I'm sure he got a lot of clicks for it.

Rik

I think the thing is, he went against the code of conduct of his employer. At the end of the day, right? The employer says, you can't do that.

Carole

Okay, what's the code of conduct?

Graham

So the FT's code of conduct specifies that their journalists mustn't seek or obtain or publish material gathered by intercepting private or mobile telephone calls or messages or emails. You cannot misrepresent yourself. You cannot use subterfuge. Anything like that can only be done if it's in the public interest and only when the material cannot be obtained by other means. And The Independent say, we had a press release all ready to go. So if they'd just simply asked us for a statement as to what was happening at our newspaper, we would have told them. But because he was publishing details of it before they went public, there were employees, maybe stateside and who weren't able to make the Zoom call, who found out because of him at a rival newspaper, which isn't very nice to find out that maybe you've lost your job. Did he lose his job or we don't know yet? DeStefano has been suspended by the FT as a result of this.

Rik

All of those policies and things are all in the wake of what became known as the phone hacking scandal. In reality, it's no different to that. It just happens to take place on a computer rather than in your voicemail box.

Graham

Wendi Deng's finest moment. I mean, I wouldn't really say this was hacking. But then phone hacking wasn't really hacking, was it?

Rik

No, absolutely. Just in the public imagination, I guess that's what hacking is, right?

Carole

Okay, so did The Independent scream bloody murder? Or what do they want from it? They wanted his skin?

Graham

Well, I think right now what they're asking for is some kind of explanation. Because they say, look, this was inappropriate. It was unwarranted intrusion into our employees' privacy. And they want to make sure that it's not going to happen again. Now, the funny thing is that people have gone back through Mark DiStefano's tweets over the last few weeks. Turns out the beginning of April, he reported on an internal video call at another newspaper,

Carole

The Evening Standard. According to sources on the call?

Graham

Well, yes, exactly. And they've looked through their logs and it appears, again, linked to the same mobile phone. So it appears there might have been a bit of a history of this.

Rik

There's a history with phone hacking dating back decades now. So it seems to be part of a standard journalistic toolbox now is that anything is fair game if you can get access to it.

Graham

And I think there's pressure on the journalists obviously to have scoops and to be the first out with the news and so that's a conflict which is going inside them. But my feeling is if this isn't really in the public interest and suddenly this information could have been gathered via traditional routes rather than unauthorized access to a private Zoom call, then that does begin to sound a bit like the Computer Misuse Act, doesn't it? Even if it's not technically hacking, it's unauthorized access. And I know as security researchers, and you must have this as well, Rik, at your company, there are quite clear rules. Even though you might be capable of doing something, there's a lot of things that you will not do because it would be breaching computer crime laws.

Rik

Yeah, some of it is unethical, some of it is illegal. And in many cases, the other thing that you have to consider is admissibility of evidence. If you are gathering stuff which is going to be passed to law enforcement for an eventual prosecution, you want that stuff to be able to be used in court. And if it's been obtained illegally, unethically, you can't do that.

Carole

Okay, so I'm still noodling on this, right? So if, say, this meeting was happening in a restaurant, and I happened to be at the next table and I could overhear it and I was a journo and taking notes, that would be okay, presumably. Because it's taking place in a public forum. And there's no presumption of privacy.

Graham

Somehow that to me feels okay. What wouldn't feel okay would be if you'd snuck into the offices and dressed like a plant of the company and hidden in a cupboard.

Carole

What's his name? Hung from the ceiling.

Graham

Oh, like Tom Cruise, you mean? That sort of thing, it begins to feel like, well, you've actually trespassed on the property. In a way, you've trespassed on the Zoom call as well.

Carole

That's interesting. That is really interesting. Do the same standards of privacy apply? I guess by the FT's code of conduct, yes. And I don't know, actually, by the law, the Computer Act law.

Graham

Well, I guess it depends on whether they feel there's enough evidence or indeed if the paper wanted to pursue it. I'm surprised he still has a job, but he's done it more than once.

Carole

Well, it's only just come out that it appears, allegedly, Mark DiStefano has done this. But as Rik was saying, we saw phone hacking in the past. We have seen email accounts hacked. I remember this extraordinary story. Do you remember Canoe Man?

Graham

How could I forget Canoe Man? Oh, my God. It says something. Tell me about Canoe Man because I do remember him. Canoe Man was a guy called John Darwin who faked his own death at sea about 20 years ago. And then he walked into a police station five years later, claiming to have no memory of what had happened to him. And his wife acted all surprised. And, oh, he's back from the dead. How fantastic. He couldn't explain where he'd been. And it later transpired that he and his wife had been in Panama buying property and they'd been photographed with all the insurance money.

Carole

The best bit for nine months. He had built hollow walls in his house. And so he was living inside the walls of the house. So she was obviously giving him food through a trap door somewhere. And he had a little air hole and lived there.

Graham

He was basically secretly living in a secret room of his house. Even his kids didn't know he was there. And he'd been going out sometimes for walks and things and got more audacious. But yeah, they'd claimed life insurance, pension policies, and they'd want to start a new life together in Panama. A Sky News reporter hacked into the email account of canoe man John Darwin. Oh, I didn't remember this. Oh, yes, I will put a link in the show notes to an article I wrote at the time about this in order to try and find out more as to what they've been plotting together. And again, like you were saying, Rik, the danger of that is, of course, you could compromise evidence.

Rik

The thing is you could argue a public interest in that one because of the financial implications of them trying to make an illegal claim and so on. So there's an arguable public interest. But in terms of listening into a Zoom call where people are being told some pretty bad news about their jobs, I mean, the Computer Misuse Act is pretty clear. It's also very gendered as well, I've just noticed. The only people who break the Computer Misuse Act are all called he.

Graham

Shall we clutch onto that as our defense? Shall we?

Rik

Yeah, if DiStefano identifies as they or she, probably they're okay.

Graham

Rik, what story have you got for us this week?

Rik

Well, obviously, you know, the news, as you said before, is full of coronavirus and COVID-19 related stories. You know, we have a rolling blog on the Trend Micro blog of all the different threats and criminal actors using it as leverage, whether that's business email compromise or phishing or malware. I mean, there's not a spike in cybercrime, but certainly cybercriminals have taken to using COVID-19 as a lure for things that they would be messaging otherwise if COVID-19 wasn't around.

Carole

Yeah. And it's veritably crazy how different it is from country to country. Right. And there are a lot of conversations I've had with people who don't work directly in the information security space, and even some that do actually, maybe who haven't done the reading or whatever, have some huge concerns about privacy. They're talking about, I don't want my location to be shared with the government at all times. Walk around, it's like, stay the fuck away from me. Stay the fuck away from me. But what will happen is effectively, you'll get a notification on your device that says, hey, a couple of weeks ago, you bumped into a person, and that person has later gone on to be confirmed as having COVID-19. You need to get yourself checked out, or you need to self-isolate, or whatever the local policies are around the next steps to take. So would it give me their phone number? Oh, no. You as a person who have come into contact with somebody else, you don't need to know who they are, and you won't know who they are. You'll just know that you have come into contact with someone who later went on to be confirmed. So they've worked really hard. And actually, two of the companies that have worked hardest, I think, to address those privacy concerns are Apple and Google, being the major manufacturers. Yeah, they love each other. But they've actually been working really closely and coming up with what I think is a very good decentralized system. But then what I was really disappointed to read is that our National Health Service in the UK is effectively rejecting Google and Apple's model, and they want to go for a centralized model. So what have they got against what Apple and Google are proposing? What's their issue with it? Get on your So who is going to have access? Which third parties? How will that be managed?

Rik

And there's a question of who now and who in the future. Once you've given up data, it's not just about how do we use it today? How do you know that data has been effectively secured, as you mentioned, but then how do you know that data is being effectively aged out and effectively deleted, and that it's not being repurposed and reused for something that you didn't consent to in the first place? These are all kind of the reasons why GDPR was born.

Graham

So we've talked a little bit about these tracing apps in the past and different ways in which they could work. And one of my concerns is if all this data is being stored centrally, of course, is that going to affect take-up as to how many people want to actually install this app and are prepared to run it? Or will people leave their smartphones at home? Now, we're obviously a security podcast, so we probably have a lot of...

Carole

Not that obviously, actually. Well,

Rik

One, if your device is dead, the app's not going to work anyway. Two, if you find out that after installing that app, your battery runs down really quickly, you're going to remove the app, defeating the object. So the manufacturers will have a much better handle on power management. And in some cases, they have privileged access that the non-manufacturer app developers won't have. And the other one, yeah, is absolutely about product adoption. If you can't allay people's privacy concerns, then you're not going to get that critical mass of people that you need installing the app, rendering it useless.

Carole

But yeah, but like we talked about last week, Colombia came up with a really cute workaround by giving you a free gig of data every month if you downloaded the app.

Graham

No, it doesn't have your battery life, does it though? But no, okay, look, don't worry, chaps, I have solved this problem, okay? If this is being done without the sort of informed participation of Apple and Google, if the NHS are going to go alone, what they will do is this. They will first of all tell you that you have to carry your phone with you all the time and that your phone has to have the NHS app installed upon it, right? There'd just be a little bit of legislation. They'll roll it out saying that's the rule from now on. But the other thing will be that everyone has to wear a backpack full of batteries, which is going to permanently power your phone. And that way you can leave Bluetooth turned on all the time. It's not going to run out.

Carole

Better exercise. People will be fitter.

Rik

Yes, that's the thing. I was going to say every conspiracy theory needs a kernel of why is this conspiracy happening? What's the reason for it? And it's to tackle the obesity process, and that's why the NHS are involved.

Graham

Carole, what's your story for us this week?

Carole

Okay, so we are heading to the land of higher education. Don't worry Graham, I know this is unfamiliar territory, but I gotcha.

Graham

You know that's really offensive, is it? Yes, why? Why is it offensive? I did get to higher education. I just didn't... it just wasn't formally called a university. What was it called? It was a polytechnic that I went to. And I went to a polytechnic. I got my Higher National Diploma. Good. And there you go.

Carole

I was just saying, if you were worried about, you know, being in university grounds, even digitally, I was here for you. That's all. I don't know why you're being all sensitive.

Rik

Do you remember when all the polytechnics changed to universities and they all had to have new names? Yes. And mine got renamed. I'm very annoyed about it, but it wasn't the university when I was there. I was going out with a girl from Nottingham at the time, and her father was a lecturer at the traditional old Nottingham University. He was a lecturer in mining or something like that, mining technology, something like that. That's true. In fact, one of the things, this is my token of proof that it was true, he presented me with a mummified monkey wearing a waistcoat with a rope around its neck, which they had found up a chimney in Nottingham. A nice gift to receive from a prospective father-in-law. Anyway, he told me the story. I don't know if it's apocryphal or not, but Nottingham Polytechnic, they had to obviously change their name when they became a university, and they had settled on the totally logical name of City University of Nottingham-on-Trent. And they'd gone with it and they were very happy with it and didn't realize until they got all their stationery printed up that the acronym was unfortunate, to say the least. Childish and slightly vulgar. Carole, continue.

Carole

Yeah, well, I was going to go down the security route, as this is a security podcast, and say that a lot of these institutions have security that's not always been stellar, shall we say. So, for instance, this week, Sky News reported that the University of Warwick suffered multiple data breaches. And it was hacked in 2019 when a staff member installed remote viewing software, letting hackers gain access to student info, personal info, staff members, volunteers, the whole thing. But no one was informed, because no one knew that it actually had been hacked; because security was so poor on the system, they had no idea what was going on. Now, they've all cleaned this up. There's someone new in charge. But this wasn't the only university-based security news this week. There's a new phishing attack, which was reported by Proofpoint, that has been targeting specific groups of people, including staff and students at U.S. colleges and universities. Now, tell me, pretend you guys are phishers trying to dupe a user to click on a link and download something nasty, and you're targeting unis. How would you go about it? Graham, I'm not going to say this will be hard for you, okay?

Rik

But put yourself in the shoes of someone who has gone to university.

Graham

Sorry, am I targeting university students or university staff? Both, both. Well, I mean, students is all free beer, isn't it? That's what you do.

Rik

Yeah, that's good. Entrance to the student union: because of coronavirus, we're having to restrict entry and we're having a strict queuing system, and you need to book your place in the queue to get into the union bar.

Carole

Oh, you guys would be good phishers. These guys just use sex. That's what they did. Damn! And we know maybe during these times of staying at home, there must be quite a few sex-starved students out there right now, right? They're probably climbing the walls at home with mom and dad in the other room.

Graham

They're all going to be on Zoom and FaceTime. I'm sure the sex is still happening, just not in the same room as the other person.

Carole

Yeah. God, eh? To have full visibility of that.

Rik

I'm sitting here in stunned silence. That's why there's no sound from this microphone.

Carole

So these guys got an email, right? So the huge phishing campaign went out. Now, I've sent you guys the image of the email inside the documents. You guys can take a look here. So it came just for our listeners, right? The subject is "Waiting for your reply." All right, yeah. And then you go in and you have this in big font. It says, "Make your choice." And you have two scantily clad women, one blonde and one brunette. So, you know, they're not the same.

Rik

You know, it reminds me of, from the birth of the commercial web, it reminds me of the website Hot or Not.

Carole

It does. It is a bit Hot or Not, yeah. Yes, and maybe it's using that same kind of trigger selection. It's quite clever psychologically, because it doesn't say you can't choose one of these. It just says make your choice and you select. Now, right.

Rik

Yeah, you may have chosen not to click, which would have been the best choice.

Carole

This is the big reveal. No matter who you click on, you still get the prize of downloading the Hupigon remote access Trojan, known as a RAT. Now, this RAT's been around for at least 10 years and has loads of features and capabilities, like allowing people to access the infected machines, remote access. It has rootkit functionality. So it means, you know, webcam monitoring, log your keystrokes, steal your passwords. So all the stuff that we don't talk about a lot anymore. We don't really talk about RATs and Trojans as much, do we? But they're still out there.

Rik

Oh yeah, they're still huge. You know, we tend to talk about them and I don't know whether this is because cybersecurity companies don't do much consumer messaging anymore or I don't see it very much anymore, but we tend to talk about them in an enterprise scenario and they are APTs. They're Swiss army knives in an enterprise scenario. If you can get, you know, a remote access Trojan on a system, then it gives you access to information. It gives you access to functions. It gives you access to architecture and infrastructure.

Graham

So Carole, so you're saying that this particular campaign of the scantily clad ladies, this was targeting university students. Is that right?

Carole

No, university students and staff.

Rik

I mean, looking at the screenshots, I'm amazed. But I suppose you could say that about quite a lot of widespread cyber criminal campaigns rather than targeted ones. I'm amazed it was successful because you make your choice. And I don't know. The assumption is maybe that you're going to download some video, get some pictures. I'm not sure what. But what you get is a download for an executable called Sex Live. So first of all, alarm bells should start ringing. But then you look at where it's coming from, and it's coming from gogominor.com. I mean, that's alarm bells, klaxons, foghorns, and what more do you want?

Carole

Exactly. Isn't this old school?

Rik

You don't need those executables to have a camera rendered in a browser, right?

Carole

It makes me think that the guy who's behind this is in his 50s.

Rik

It's old school phishing. It's not me, I'm just saying.

Carole

So there you go. So old school stuff like this still works and advice because, you know. So we're going to see, I think, a little rise in consumer phishing scams. I know there's a lot out there, but I think now that people are trapped at home and don't have the IT person around the corner, I can imagine we're going to see a lot of scams for this is how you can make sure your Zoom call stays safe, right? Leading to something bad. And one of the real sweet spots here for the bad guys are the companies that have basically always had a staff on site, haven't had to worry about remote workers, may not have a huge security budget because they may be just a small SMB. And they're now having to have all their workers use their own machines from home to contact the network and they may not have the security layers in place. So, you know, companies beware.

Graham

It's nasty stuff and people are having to be their own IT department right now, aren't they? Because the IT department isn't necessarily available to sort them out.

Rik

Yeah. And how many of us are doing home support for our families and friends as well?

Carole

Basically, the upshot is if you want to avoid a mountain of pain, avoid clicking on phishes. That's it. Maybe you don't have a single sign-on password manager, or maybe you do and you're not really happy with it. Well, why don't you start a free 14-day trial of LastPass Enterprise and you can manage every access point with integrated single sign-on and password management. Let me tell you about some extra features. Central admin dashboard, easy user management, group management, directory integrations, federated login, more than 100 security policies, advanced reporting, multi-factor authentication options, password sharing, and the list goes on. Check it out at LastPass.com forward slash smashing. On with the show.

Graham

And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Oh, impressive. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Now, my pick of the week this week is not security related, but it deals with an issue that many, many of us have, which is that someone will come into the living room and say, I really want to watch Paddington 2 or I want to watch Shark Attack 3 with John Barrowman. And you think, oh, it is a great movie. But you think, oh, my goodness, where will I find it? And where will I find it the cheapest? It's like, OK, yes, it's there on Amazon, but then I have to pay for it. Is it on iPlayer? Is it on Netflix? You're always

Carole

Looking for a deal, eh?

Graham

Well, yes, I am, Carole, exactly. So the website which will help you out with this particular conundrum is called justwatch.com. And what it means is if you don't have a clue whether a particular movie or TV show is on Amazon or Netflix or iPlayer or something you need to splash some cash on, you just type in the name of your movie and it will tell you everywhere that it is and what you will have to pay if anything, on those particular services. And very handy it is too, because you spend a lot less time wasting around. And when the kids want to watch some animated nonsense, you can find it for free instead of forking out for it. It's also available as an app for the iPhone and Android as well. I hate to poo-poo on your parade. What's your problem? What do you mean what my problem is? What's your problem with it? What's it said?

Carole

Well, collect information from my IP address and the browser I'm using. Well, yeah, every server. The site you came from. We might also give this to third parties. Yeah, okay, okay. But, you know. Collect your zip code to find out what cinema is relevant to you.

Graham

I haven't told it my zip code. I haven't told it that.

Carole

I don't know why. Okay. I know you didn't go to university. I'm sorry for the university comment.

Graham

I don't have zip codes. This is a

Rik

Zip code-less nation.

Graham

Oh, thank you very much, Rik. Yeah, so, yeah. Older than North American. Very good. Rik, what is your pick of the week?

Rik

My pick of the week is something which I didn't know was a thing, and I definitely didn't know it was a thing that I could get really cheap, particularly during this pandemic lockdown period.

Carole

He says toilet paper. We're going to have crazy.

Rik

No, do you know what? I have an Amazon subscription for toilet paper, and it arrived about a week before lockdown and we're like, we have a house full of toilet paper. We get it once every two months, this massive box of it. So that's a top tip for the future. Subscribe for those things that you don't want bulking up your boot when you go shopping.

Graham

And if you want Rik's home address, just email us at studio at smashingsecurity.com.

Rik

It's gold leaf. My pick of the week actually is something which in the UK is called Fire for Kids Unlimited. In the US, I think it's called Kindle Unlimited for Kids. I'm an Amazon Prime member anyway, many people. And I discovered that for 99 pence, I could get Fire for Kids Unlimited for three months, which means that my kids on their Paperwhites can access tens of thousands of books. So there's no reason for them to come to me and say, I'm bored, I have nothing to do. There's nothing new for me to do. I can't go to the bookshop. You have tens of thousands of books. Go read them and leave me alone. I have a podcast to do with Graham and Carole. And I spent 99p on it.

Carole

You guys, you're deal finders.

Rik

It's just such a great deal. And if they use it, we'll carry on with it. But 99p for three months is perfect for this period. I think the deal is still out there.

Carole

Do they have to create book reports for you?

Rik

Yes, they have to do PowerPoint presentations. Come back, kids, when you've read all of the books. We may be allowed to go outside by then. Carole, what's your pick of the week?

Carole

Well, mine is free. There's no money. Okay, do you know Jeopardy! The TV show that is very popular in the Americas.

Graham

I had heard of Jeopardy! I just didn't know quite how it worked. But okay.

Carole

Yeah, but if I said to you, Alex Trebek, what would you say? I don't know.

Rik

He could be anybody. I wouldn't even know what words you had just put together there. That just sounded a sound. It sounded something Quebec. Trebek.

Carole

He is our Nicholas Parsons.

Rik

Oh, I was in a band called The Rockin' Thunders at university, and we were a joke band and we had a song, we wrote a song which should have been a hit which was called A Night Out with Nicholas Parsons. The whole premise of the song revolved around a contest that had been set by Sarson's Vinegar to think of a slogan and the winner would get A Night Out with Nicholas Parsons.

Carole

Do you have a recording of that, Rik?

Rik

I think there is one in existence. We could

Carole

put it at the end of the show, sign us in, sing us out.

Rik

Well the chorus is just the word shit repeated five times.

Carole

Okay. Maybe we'll leave it to everyone's imagination. Anyway, Alex Trebek has been the host of Jeopardy! since 1984. Mr. Trebek is sick, and he's recently announced that he has survived one year of cancer, right? And I was reading about this, and he's one of those people you just love. He's just one of those good people. I found this guy who is obviously a Jeopardy! fan. And if you click on the link in the show notes, he has created an entire website of every question that's ever been asked on Jeopardy! since 1984.

Graham

Oh, the J Archive.

Carole

Yes.

Graham

So. Oh, Carole, it doesn't use HTTPS.

Carole

I know it doesn't use HTTPS.

Graham

You complained about JustWatch's privacy policy. Oh, my word.

Carole

I know, but you don't have to enter any information here, Mr. Graham. Just for those who don't know the way the game show works is I put the answer in a form of a question and you give me the question in the form of an answer.

Graham

Okay, my brain has just warped. Okay, carry on.

Carole

Okay, it's not hard, so I'm gonna ask you guys a few questions. Okay, okay. In the category for drinks, for 200: this children's cocktail is ginger ale and grenadine garnished with a maraschino cherry.

Graham

What is a gateway drink?

Carole

Yes, but that's not the right answer, Graham, and it starts with letter S, if that helps.

Graham

I don't know the names of any drinks.

Rik

What is a Shirley Temple?

Carole

Correct! Oh, very clever, very clever. For the category of visual alliteration for 400, answer this cheery literary feline left his smile behind when the rest of him disappeared.

Graham

Who is the Cheshire Cat?

Carole

Correct!

Rik

I knew that, but I thought I had to buzz.

Carole

Okay. Okay, now you guys have to really pay attention because you're both musos on this one. In the Dylan category for 800, take a load off and tell us the name of this group, formerly the Hawks, who backed Dylan starting in 1965.

Rik

Who are The Band?

Carole

Correct! Do we have to buzz? There you go. See? Fun game. So if you click on the link, they give you the entire game grid that you get on the game show and you could actually play with friends, read out the questions, do it for fake money or for real money, have some fun. Right, Graham?

Graham

This is j-archive.com. I think this would give me a heart attack, Carole. That was quite a lot of pressure. That was high stakes stuff.

Rik

Yeah, really?

Carole

Yeah. My buzzer was broken. I was going to say you need to get out more, but yeah.

Graham

Yeah. That we all. On that topical gag, we've just about wrapped it up for this week, Rik. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that and find out what you're up to?

Rik

The best way is Twitter. I'm too old for Instagram and I'm too old for Snapchat, so it's rik_ferguson on Twitter. No TikTok account. My other half is addicted though, so I hear it a lot. I just don't see it much.

Graham

And you can follow us on Twitter at smashingsecurity, no G. Twitter at the last have a G, and you can also join the Smashing Security Reddit community. Just look for Smashing Security subreddit up there.

Carole

And as always, thank you, beautiful people. You are keeping Smashing Security alive by listening to us every week, literally. And for those of you that have kept supporting us via Patreon through all this, you're in for a pretty sweet treat very soon. Also, a huge, huge thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.

Graham

Until next time, cheerio. Bye-bye. Stay safe. See ya.

Carole

Wouldn't want to be ya. Yeah, I would. I would. Yeah.

Graham

Now, Carole, you keep on saying our listeners are literally keeping us alive each week. You emphasise literally. That's because she's American. It's a habit my son seems to have got into is everything is literally.

Carole

So he just calls me American and Graham doesn't even notice. Doesn't even notice.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Rik Ferguson – @rik_ferguson

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
