Journalists spying on their rivals, the NHS rejects Apple and Google’s approach to Coronavirus-tracing, and universities are hit by an old-fashioned sexy lady attack.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Rik Ferguson.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Newsflash!
Newsflash!
Smashing Security has made it to the finals of the European Security Blogger Awards!
If you can be arsed, please go to smashingsecurity.com/vote and vote for your favourite security podcast.
Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. On with the show.
Smashing Security, Episode 176: Hacking Hacks and University Attacks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 176.
My name's Graham Cluley.
If you can be arsed, please go to smashingsecurity.com/vote and vote for your favourite security podcast.
Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. On with the show.
Smashing Security, Episode 176: Hacking Hacks and University Attacks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 176.
My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined this week by someone who's brand new to the show. He hasn't been on before, but really warm welcome to Rik Ferguson. Hello, Rik.
Hello there. Thank you very much.
It's kind of embarrassing that Rik hasn't been on yet, actually. It's really embarrassing. Rik, I am so glad you're here. And it's so good that we— see, we kept best for last.
Is this maybe our last show, Graham?
Is this maybe our last show, Graham?
Oh, well, that could be.
Just kidding, kidding, kidding, kidding.
Rik, I'm sure lots of people already know you, but how would you quickly summarise? Who are you? Why are you here. Why have we brought you onto Smashing Security?
I am the Vice President of Security Research at Trend Micro.
I've had a couple of decades and a half of lifetime in this industry, and my basic responsibilities are about creating engaging and informative content and making sure people get to see it, read it, listen to it, whatever it might be.
I've had a couple of decades and a half of lifetime in this industry, and my basic responsibilities are about creating engaging and informative content and making sure people get to see it, read it, listen to it, whatever it might be.
Cool.
Can I say how I know Rik and why I remember Rik?
Oh, okay, yes.
Because I met Rik at a trade show and I remember meeting him very clearly, and there's a reason for that. It's because you, Rik, had just broken the tendon on an index finger.
Oh my God, yes.
And you told me about it in graphic detail to the point where I felt it. And you explained how it snapped, how you, I think you were putting a bed sheet, this is what I remember.
This is maybe over 10 years ago, right? You were putting a bed sheet on or something and you tucked your fingers in and it just snapped off.
This is maybe over 10 years ago, right? You were putting a bed sheet on or something and you tucked your fingers in and it just snapped off.
Exactly that. And the worst part of that story actually is that it wasn't my index finger.
Oh, some other part of your anatomy.
It was the middle finger next to my index finger.
Yes, that's right.
So I had to have it splinted for about 6 weeks, and I was still working and I was still giving presentations at shows and things.
And it was my right hand, so whenever I'm holding the clicker, I'm holding the clicker in my right hand with a splinted middle finger.
And every time I'm waving my arms around talking to the audience, giving everyone the bird.
And it was my right hand, so whenever I'm holding the clicker, I'm holding the clicker in my right hand with a splinted middle finger.
And every time I'm waving my arms around talking to the audience, giving everyone the bird.
So, but every time I make a bed or I tuck something in, I think of it and I remember, I say, remember what happened to Rik? So there you go.
But the thing with breaking the tendon in my finger is I was, this is how stupid I am. I was kneeling on the bed attempting to tuck the sheet in on the far side.
So of course the sheet wasn't moving very much because I was on it.
So of course the sheet wasn't moving very much because I was on it.
And that's how you become the vice president.
Security research.
Okay, Carole, what's coming up on the show this week?
Oh yes, we were digressing. First, thanks to this week's sponsor, LastPass. Their support helps us give you this show for free.
Now on today's show, Graham tells us how a bunch of journos suffered a scoop snag. Rik finds out how the UK is getting on with its COVID infection tracing app.
And I'm going old school, reminding us that good old phishing attacks are still big business for scummy scammers.
All this and much more coming up on this episode of Smashing Security.
Now on today's show, Graham tells us how a bunch of journos suffered a scoop snag. Rik finds out how the UK is getting on with its COVID infection tracing app.
And I'm going old school, reminding us that good old phishing attacks are still big business for scummy scammers.
All this and much more coming up on this episode of Smashing Security.
Now, chums, it is truly a tough time for newspapers.
Less and less of the things are being sold than ever because, well, I think people are getting a lot of their news for free online.
Hoping to make money by going digital, selling subscriptions, have a paywall, monetizing the content via advertising. But even that isn't going well during this time of coronavirus.
A lot of advertisers are actually choosing to block their adverts from appearing alongside C19-related content because they think it would basically leave a bad taste in people's mouth to see an advert for a holiday or whatever it was along something about coronavirus.
Less and less of the things are being sold than ever because, well, I think people are getting a lot of their news for free online.
Hoping to make money by going digital, selling subscriptions, have a paywall, monetizing the content via advertising. But even that isn't going well during this time of coronavirus.
A lot of advertisers are actually choosing to block their adverts from appearing alongside C19-related content because they think it would basically leave a bad taste in people's mouth to see an advert for a holiday or whatever it was along something about coronavirus.
But don't forget.
Yeah. So they're choosing not to appear there. Right.
They're actually blocking those words, which is a real problem for the press because all they're writing about at the moment is coronavirus.
So the newspapers online are getting loads of traffic, which they're having to pay for, of course, in terms of servers and bandwidth.
But they're not making enough advertising revenue.
They're actually blocking those words, which is a real problem for the press because all they're writing about at the moment is coronavirus.
So the newspapers online are getting loads of traffic, which they're having to pay for, of course, in terms of servers and bandwidth.
But they're not making enough advertising revenue.
Do you not think it's short-sighted of the advertisers not to put their name there?
Because I can see from a direct standpoint, if you were saying, hey, holidays in the sun on sale right now.
Because I can see from a direct standpoint, if you were saying, hey, holidays in the sun on sale right now.
Well, maybe that's an extreme example.
But I think a lot of them are concerned that it's just something that they don't want to be associated with, or they don't want anyone to think, how can you have this advert alongside reports of thousands of people dying?
But I think a lot of them are concerned that it's just something that they don't want to be associated with, or they don't want anyone to think, how can you have this advert alongside reports of thousands of people dying?
Because you know someone's going to screenshot that stuff and then it's going to be all over Twitter, all over Instagram, whatever it might be.
So when there's that weird juxtaposition, people always catch it, share it, point it out, even when it's inadvertent like that.
So when there's that weird juxtaposition, people always catch it, share it, point it out, even when it's inadvertent like that.
Oh yeah, of course. It's not as though it's deliberate. And meanwhile, newsagents are all shut. People aren't commuting.
People aren't picking up their free newspaper to get on the train and reading it that way.
So far fewer newspapers are being sold, and they're not making as much money from the websites. And there's a real crisis going on right now as a result.
People aren't picking up their free newspaper to get on the train and reading it that way.
So far fewer newspapers are being sold, and they're not making as much money from the websites. And there's a real crisis going on right now as a result.
Is there? Oh, okay.
No, in the newspaper industry, Carole. Of course there's—
Okay, now I just—
I thought it was just a prolonged holiday.
Yeah, right.
I just thought people got bored of me or something and stopped calling.
So one of the newspapers which has noted this drop is the British newspaper, The Independent. They went fully digital 4 years ago. They haven't existed in paper form since 2016.
Do you know what? That shows how bad the news is because I didn't know that.
Right. And The Independent staff got told by their senior managers last week to get on a Zoom call to discuss salary cuts and furloughing.
A lot of those workers must have been really worried about that.
Not worried because I don't know if you saw this story which came out a few days ago, about the phishing attacks which come out.
So what the bad guys are now doing is they're disguising their phishing attack as a Zoom invitation from your HR department to talk about your performance.
So imagine that, imagine getting one of these emails, it says, oh, you've got to have an urgent Zoom call with HR about your performance. You're going to be worried about that.
That's not the kind of thing The Independent were worried about. It wasn't even Zoom bombing either.
There's been lots of Zoom bombing, of course, people taking over the screen, showing pornographic content, playing loud rock music, Rik. Generally, that was a rumour.
That was a rumour. Generally being a bit of an arse, you know, that is a problem. Actually, what happened during the Independent Zoom call was the opposite of Zoom bombing because—
A lot of those workers must have been really worried about that.
Not worried because I don't know if you saw this story which came out a few days ago, about the phishing attacks which come out.
So what the bad guys are now doing is they're disguising their phishing attack as a Zoom invitation from your HR department to talk about your performance.
So imagine that, imagine getting one of these emails, it says, oh, you've got to have an urgent Zoom call with HR about your performance. You're going to be worried about that.
That's not the kind of thing The Independent were worried about. It wasn't even Zoom bombing either.
There's been lots of Zoom bombing, of course, people taking over the screen, showing pornographic content, playing loud rock music, Rik. Generally, that was a rumour.
That was a rumour. Generally being a bit of an arse, you know, that is a problem. Actually, what happened during the Independent Zoom call was the opposite of Zoom bombing because—
No one showed up?
Well, no. 100-odd people—
No, it was run silent, run deep.
100-odd people did make the Zoom call, but they were joined by someone they weren't expecting.
Elon Musk showed up again.
No, no, no. They were joined by someone who didn't try and draw attention to himself, it turned out to be a reporter from a rival newspaper.
According to The Independent, they checked their Zoom log files, and they saw that an account registered to a journalist who worked at the Financial Times, one of their rivals, briefly joined the video call, which was just intended for The Independent's own staff.
According to The Independent, they checked their Zoom log files, and they saw that an account registered to a journalist who worked at the Financial Times, one of their rivals, briefly joined the video call, which was just intended for The Independent's own staff.
I wonder if he was still on the mailing list. Did he used to work?
No, no, no.
Okay.
He's never worked for them.
So he just somehow, he got a leak that this is the call number and he just joined.
I guess he's got a buddy who works there who sent him the link or something like that. Anyway, what happened was this. This interloper, his video camera was switched off.
And no one saw his face. But briefly, in the 16 seconds that he was connected, the name flashed on screen of Mark DiStefano.
And DiStefano used to work at BuzzFeed, but is now the media and tech reporter at the Financial Times.
And so he briefly— 'cause of course you get people's names when they're on the Zoom call, right? At the bottom of their window.
And no one saw his face. But briefly, in the 16 seconds that he was connected, the name flashed on screen of Mark DiStefano.
And DiStefano used to work at BuzzFeed, but is now the media and tech reporter at the Financial Times.
And so he briefly— 'cause of course you get people's names when they're on the Zoom call, right? At the bottom of their window.
Is that why he pulled out?
And if you've got it on speaker view rather than gallery view, which is a per-user choice, right?
So if you have it on speaker view, if he made a little bit of noise at his end, even tapping the table or whatever, then his black screen with his name on it is gonna have filled the screen of anyone who has it in speaker view.
So if you have it on speaker view, if he made a little bit of noise at his end, even tapping the table or whatever, then his black screen with his name on it is gonna have filled the screen of anyone who has it in speaker view.
I suppose that's right, yeah. But he was only connected for 16 seconds. So how much useful information could he have taken?
Why was he only on there for 16 seconds? I think because his name showed up. I think he thought he could sneak on and then went, oh, oh, oh.
He scarpered. He scarpered after 16 seconds, maybe realising that he was still logged into his Zoom account, which was revealing his name.
Because then someone anonymously connected to the video call. Again, with his camera turned off.
Because then someone anonymously connected to the video call. Again, with his camera turned off.
So, oops, oops.
Makes me think of Mr. Ben, as if by magic, a shopkeeper appeared.
And they stayed until the very end of the call, listening in. And while this call was—
No one noticed at the time, right?
Well, I think someone probably did notice, or maybe it was being recorded for other staff, because there were some staff in the US, for instance, who weren't able to actually get on the call.
They were going to be briefed about the changes later on.
But what was happening was at the same time as the call, the Twitter account of Mark DeStefano at the FT was basically live-tweeting information about what was going on on the call.
They were going to be briefed about the changes later on.
But what was happening was at the same time as the call, the Twitter account of Mark DeStefano at the FT was basically live-tweeting information about what was going on on the call.
So he definitely wasn't on the call.
What? Scoop!
And so he was given the highlights. And later on, he posted a story and he quoted sources who were on the call. Well, yeah. Sources who were on the call. I.e., himself.
According to The Independent, they said the anonymous user account was linked to the mobile phone of Mark DeStefano. And of course, he published all this information.
The Independent weren't very impressed.
According to The Independent, they said the anonymous user account was linked to the mobile phone of Mark DeStefano. And of course, he published all this information.
The Independent weren't very impressed.
Yeah, well, I'm— okay, can we talk about this?
Let's talk about it.
Can we talk about whether he did anything wrong here?
Yes.
Because we know that Zoom can be set up in a way to allow people entry, vet people, send specific links, all that kind of stuff.
So, well, there's that, but I think there's the fundamental sort of question of—
I mean, it is newsworthy. I'm sure he got a lot of clicks for it.
I think the thing is he went against the code of conduct of his employer.
Yes.
At the end of the day, right? The employer says you can't do that.
Okay, what's the code of conduct?
So the FT's code of conduct specifies that their journalists mustn't seek or obtain or publish material gathered by intercepting private or mobile telephone calls or messages or emails.
You cannot misrepresent yourself. You cannot use subterfuge.
Anything like that can only be done if it's in the public interest and only when the material cannot be obtained by other means.
And The Independent say, we had a press release all ready to go.
So if they'd just simply asked us for a statement as to what was happening at our newspaper, we would have told them.
But because he was publishing details of it before they went public, there were employees, maybe stateside and who weren't able to make the Zoom call, who found out because of him at a rival newspaper, which isn't very nice to find out that maybe you've lost your job.
Right?
You cannot misrepresent yourself. You cannot use subterfuge.
Anything like that can only be done if it's in the public interest and only when the material cannot be obtained by other means.
And The Independent say, we had a press release all ready to go.
So if they'd just simply asked us for a statement as to what was happening at our newspaper, we would have told them.
But because he was publishing details of it before they went public, there were employees, maybe stateside and who weren't able to make the Zoom call, who found out because of him at a rival newspaper, which isn't very nice to find out that maybe you've lost your job.
Right?
Did he lose his job or— we don't know yet.
DeStefano has been suspended by the FT as a result of this.
All of those policies and things are all in the wake of what became known as the phone hacking scandal.
Yes.
In reality, it's no different to that. It just happens to take place on a computer rather than in your voicemail box.
Wendy Deng's finest moment.
I mean, I wouldn't really say this was hacking. But then phone hacking wasn't really hacking, was it?
No, absolutely. Just in the public imagination, I guess that's what hacking is, right?
Yeah, okay. So, did The Independent scream bloody murder? Or what do they want from it? They want his skin?
Well, I think right now what they're asking for is some kind of explanation, because they say, look, this was inappropriate.
It was unwarranted intrusion into our employees' privacy. And they want to make sure that it's not going to happen again.
Now, the funny thing is, that people have gone back through Mark DeStefano's tweets over the last few weeks.
Turns out, at the beginning of April, he reported on an internal video call at another newspaper, the Evening Standard.
It was unwarranted intrusion into our employees' privacy. And they want to make sure that it's not going to happen again.
Now, the funny thing is, that people have gone back through Mark DeStefano's tweets over the last few weeks.
Turns out, at the beginning of April, he reported on an internal video call at another newspaper, the Evening Standard.
No!
According to sources on the call?
Well, yes, exactly. And they've looked through their logs, and it appears, again, linked to the same mobile phone. So it appears there might have been a bit of a history of this.
Like I said, there's a history with phone hacking.
Yeah.
Anyway, right. Dating back decades now. So it seems to be part of a standard journalistic toolbox now is that anything is fair game if you can get access to it.
And I think there's pressure on the journalists, obviously, to have scoops and to be the first out with the news. And so that's a conflict which is going inside them.
But my feeling is, if this isn't really in the public interest and some of this information could have been gathered via traditional routes rather than unauthorized access to a private Zoom call, then that does begin to sound a bit like the computer misuse act, doesn't it?
Even if it's not technically hacking, it's unauthorized access.
And I know as security researchers, and you must have this as well, Rik, at your company, there are quite clear rules.
Even though you might be capable of doing something, there's a lot of things that you will not do because it would have breached computer crime laws.
But my feeling is, if this isn't really in the public interest and some of this information could have been gathered via traditional routes rather than unauthorized access to a private Zoom call, then that does begin to sound a bit like the computer misuse act, doesn't it?
Even if it's not technically hacking, it's unauthorized access.
And I know as security researchers, and you must have this as well, Rik, at your company, there are quite clear rules.
Even though you might be capable of doing something, there's a lot of things that you will not do because it would have breached computer crime laws.
Yeah, some of it is unethical, some of it is illegal, and in many cases, the other thing that you have to consider is admissibility of evidence.
If you are gathering stuff which is gonna be passed to law enforcement for an eventual prosecution, you want that stuff to be able to be used in court.
And if it's been obtained illegally or unethically, you can't do that.
If you are gathering stuff which is gonna be passed to law enforcement for an eventual prosecution, you want that stuff to be able to be used in court.
And if it's been obtained illegally or unethically, you can't do that.
Okay, so I'm still noodling on this, right?
So if, say, this meeting was happening in a restaurant and I happened to be at the next table and I could overhear it and I was a journo and taking notes, that would be okay, presumably.
So if, say, this meeting was happening in a restaurant and I happened to be at the next table and I could overhear it and I was a journo and taking notes, that would be okay, presumably.
Because there's no—
Right, 'cause it's taking place in a public forum.
Yes, and there's no presumption of privacy.
Somehow that to me feels okay. What wouldn't feel okay would be if you'd snuck into the offices—
And dressed like a plant.
—of the company and hidden in a cupboard.
What's his name? Hung from the ceiling.
Oh, like Thom Cruise. Thom Cruise, yeah. That sort of thing, it begins to feel like, well, you've actually trespassed on the property.
In a way, you've trespassed on the Zoom call as well. So that's interesting.
In a way, you've trespassed on the Zoom call as well. So that's interesting.
That is really interesting. Does the same standards of privacy— I guess by the FT's code of conduct, Yes. And I don't know actually by the law, the Computer Act law.
Well, I guess it depends on whether they feel there's enough evidence or indeed if the paper wanted to pursue it and maybe wouldn't.
I'm surprised he still has a job, that he's done it more than once.
Well, it's only just come out that it appears allegedly Mark DiStefano has done this. But like Rik was saying, we saw phone hacking in the past. We have seen email accounts hacked.
I remember this extraordinary story. Do you remember Canoe Man?
I remember this extraordinary story. Do you remember Canoe Man?
How could forget Canoe Man?
Oh my God. It says something to me. Tell me about Canoe Man, because I do remember him, but—
Canoe Man was a guy called John Darwin who faked his own death at sea about 20 years ago, and then he walked into a police station 5 years later claiming to have no memory of what had happened to him.
And his wife acted all surprised and, oh, he's back from the dead, how fantastic.
He couldn't explain where he'd been, and it later transpired that he and his wife had been in Panama buying property, and they'd been photographed with all the insurance money.
And his wife acted all surprised and, oh, he's back from the dead, how fantastic.
He couldn't explain where he'd been, and it later transpired that he and his wife had been in Panama buying property, and they'd been photographed with all the insurance money.
The best bit, for 9 months, he had built hollow walls in his house. Yes. And so he was living inside the walls of the house.
So she was obviously giving him food through a trapdoor somewhere. And he had a little air hole and lived there.
So she was obviously giving him food through a trapdoor somewhere. And he had a little air hole and lived there.
Yeah, he was dead. He was basically secretly living in a secret room of his house. Even his kids didn't know he was there.
And he'd been going out sometimes for walks and things and got more audacious.
But yeah, they'd claimed life insurance, pension policies, and they'd want to start a new life together. Yeah, in Panama.
A Sky News reporter hacked into the email account of Canoe Man, John Darwin.
And he'd been going out sometimes for walks and things and got more audacious.
But yeah, they'd claimed life insurance, pension policies, and they'd want to start a new life together. Yeah, in Panama.
A Sky News reporter hacked into the email account of Canoe Man, John Darwin.
Oh, I didn't remember this.
Oh, yes, yes. I will put a link in the show notes to an article I wrote at the time about this. In order to try and find out more as to what they'd been plotting together.
And again, you were saying, Rik, the danger of that is, of course, you could compromise evidence.
And again, you were saying, Rik, the danger of that is, of course, you could compromise evidence.
The thing is, you could argue a public interest in that one because of the financial implications of them trying to make an illegal claim and so on and so on.
So there's an arguable public interest.
But in terms of, you know, listening into a Zoom call where people are being told some pretty bad news about their jobs, I mean, the Computer Misuse Act is pretty clear.
It's also very gendered as well, I've just noticed. The only people who break the Computer Misuse Act are all called he.
So there's an arguable public interest.
But in terms of, you know, listening into a Zoom call where people are being told some pretty bad news about their jobs, I mean, the Computer Misuse Act is pretty clear.
It's also very gendered as well, I've just noticed. The only people who break the Computer Misuse Act are all called he.
Shall we clutch on to that as our defence?
Yeah, if Di Stefano identifies as they or she, probably they're okay.
Rik, what story have you got for us this week?
Well, obviously, you know, the news, as you said before, is full of coronavirus and COVID-19 related stories.
We have a rolling blog on the Trend Micro blog of all the different threats and criminal actors using it as leverage, whether that's business email compromise or phishing or malware.
I mean, there's not a spike in cybercrime, but certainly cybercriminals have taken to using COVID-19 as a lure for things that they would be messaging otherwise if COVID-19 wasn't around.
So you can't avoid COVID-19 in the news. And one of the news stories that caught my interest over the past few days actually is a global one, but also with a very strong UK focus.
A lot of different countries are either deploying or talking about deploying mobile apps to track movements and keep people safe and notify people if they've come into contact with someone who later goes on to develop COVID-19.
Yeah, and it's veritably crazy how different it is from country to country.
Right, and there are a lot of conversations I've had with people who don't work directly in the information security space, and even some that do actually, maybe who haven't done the reading or whatever, have some huge concerns about privacy.
They're talking about, I don't want my location to be shared with the government at all times. And if you do a bit of reading, it's pretty clear that that's not what's happening.
It's not GPS reporting, for example. They're not literally drawing a map of where you go and who you bump into in any way.
Probably wouldn't have the accuracy required if you were using GPS to say whether or not you'd been near enough to someone who went on to become infected.
So they tend to be using Bluetooth, but there are two conflicting models at the root of it all. There's a centralized and a decentralized way of doing this.
Now, Australia rolled out their app earlier this week, and that is using a decentralized model.
And what that means is that all of the data about the people that you've come in close proximity to is held on your own device.
And it's only later when you, if you choose to identify as being diagnosed, being infected, that that data is then used in order to notify the other Bluetooth IDs, which are changed and rotated and so on.
We have a rolling blog on the Trend Micro blog of all the different threats and criminal actors using it as leverage, whether that's business email compromise or phishing or malware.
I mean, there's not a spike in cybercrime, but certainly cybercriminals have taken to using COVID-19 as a lure for things that they would be messaging otherwise if COVID-19 wasn't around.
So you can't avoid COVID-19 in the news. And one of the news stories that caught my interest over the past few days actually is a global one, but also with a very strong UK focus.
A lot of different countries are either deploying or talking about deploying mobile apps to track movements and keep people safe and notify people if they've come into contact with someone who later goes on to develop COVID-19.
Yeah, and it's veritably crazy how different it is from country to country.
Right, and there are a lot of conversations I've had with people who don't work directly in the information security space, and even some that do actually, maybe who haven't done the reading or whatever, have some huge concerns about privacy.
They're talking about, I don't want my location to be shared with the government at all times. And if you do a bit of reading, it's pretty clear that that's not what's happening.
It's not GPS reporting, for example. They're not literally drawing a map of where you go and who you bump into in any way.
Probably wouldn't have the accuracy required if you were using GPS to say whether or not you'd been near enough to someone who went on to become infected.
So they tend to be using Bluetooth, but there are two conflicting models at the root of it all. There's a centralized and a decentralized way of doing this.
Now, Australia rolled out their app earlier this week, and that is using a decentralized model.
And what that means is that all of the data about the people that you've come in close proximity to is held on your own device.
And it's only later when you, if you choose to identify as being diagnosed, being infected, that that data is then used in order to notify the other Bluetooth IDs, which are changed and rotated and so on.
So as you walk around, it's stay the fuck away from me, stay the fuck away from me.
But what'll happen is effectively you'll get a notification on your device that says, hey, a couple of weeks ago, you bumped into a person, and that person has later gone on to be confirmed as having COVID-19, you need to get yourself checked out, or you need to self-isolate, or whatever the local policies are around the next steps to take.
So would it give me their phone number?
Oh no, you as a person who've come into contact with somebody else, you don't need to know who they are, and you won't know who they are.
You'll just know that you have come into contact with someone who later went on to be confirmed.
So they've worked really hard, and actually two of the companies that have worked hardest, I think, to address those privacy concerns are Apple and Google being the major, you know, best buds, manufacturers.
Yeah, they love each other, but they've actually, no, they've been working really closely and coming up with a very, what I think is a very good decentralized system.
But then what I was really disappointed to read is that our National Health Service in the UK is effectively rejecting Google and Apple's model and they want to go for a centralized model.
You'll just know that you have come into contact with someone who later went on to be confirmed.
So they've worked really hard, and actually two of the companies that have worked hardest, I think, to address those privacy concerns are Apple and Google being the major, you know, best buds, manufacturers.
Yeah, they love each other, but they've actually, no, they've been working really closely and coming up with a very, what I think is a very good decentralized system.
But then what I was really disappointed to read is that our National Health Service in the UK is effectively rejecting Google and Apple's model and they want to go for a centralized model.
So what have they got against what Apple and Google are proposing? What's their issue?
Get on your soapbox, Rik, go for it.
So the basic point that the NHS are making, and I suppose this is something where a medical health professional would be far more qualified to have an empirical point of view, is that they will get a much greater view of how COVID-19 is spreading in the community if they have access to all of the data which is otherwise dispersed and decentralized and stored on individual devices.
So if the NHS argues, if all of that decentralized data is centralized in a database that they have access to, then they can draw much greater conclusions about how the disease is spreading.
But of course, it raises much greater privacy concerns.
So if the NHS argues, if all of that decentralized data is centralized in a database that they have access to, then they can draw much greater conclusions about how the disease is spreading.
But of course, it raises much greater privacy concerns.
And you have one big centralized location, which, you know, I'm sure is going to be really, really anonymized and encrypted and looked after.
But a lot of people are gonna have access to that data. So who is gonna have access? Which third parties? How will that be managed?
But a lot of people are gonna have access to that data. So who is gonna have access? Which third parties? How will that be managed?
And there's a question of who now and who in the future. You know, that's— right. Once you've given up data, it's not just about how do we use it today?
How do you know that that data has been effectively secured, as you mentioned, but then how do you know that that data is being effectively aged out and effectively deleted and that it's not being repurposed and reused for something that you didn't consent to in the first place?
These are all kind of the reasons why GDPR was born.
How do you know that that data has been effectively secured, as you mentioned, but then how do you know that that data is being effectively aged out and effectively deleted and that it's not being repurposed and reused for something that you didn't consent to in the first place?
These are all kind of the reasons why GDPR was born.
So we've talked a little bit about these tracing apps in the past and the different ways in which they could work.
And one of my concerns is if all this data is being stored centrally, of course, is that going to affect take-up as to how many people want to actually install this app and are prepared to run it, or will people leave their smartphones at home?
Now, we're obviously a security podcast, so we probably have a lot of— not that obviously, actually.
Well, we probably have a higher proportion of privacy-conscious listeners than the typical show.
And so we probably have an audience which would be more reluctant to run an app which did something like this.
But in this current crisis, I think even they, there would be a, probably a larger proportion who would be prepared to do it than—
And one of my concerns is if all this data is being stored centrally, of course, is that going to affect take-up as to how many people want to actually install this app and are prepared to run it, or will people leave their smartphones at home?
Now, we're obviously a security podcast, so we probably have a lot of— not that obviously, actually.
Well, we probably have a higher proportion of privacy-conscious listeners than the typical show.
And so we probably have an audience which would be more reluctant to run an app which did something like this.
But in this current crisis, I think even they, there would be a, probably a larger proportion who would be prepared to do it than—
Yeah, and in the age of conspiracy theories as well, you know, it doesn't take much for it to spread over whichever social network and put everybody off.
To my mind, there are two key things that speak very strongly for allowing those operating system manufacturers and device manufacturers in some cases to play a leading role, at least in this.
One of them is making the best use of the hardware, because it's gonna be on all the time broadcasting and transmitting and receiving all the time over Bluetooth.
So you want something which isn't gonna suck up your battery life and kill your device super quickly. One, if your device is dead, the app's not going to work anyway.
Two, if you find out that after installing that app, your battery runs down really quickly, you're going to remove the app, defeating the object.
So the manufacturers will have a much better handle on power management. And in some cases, they have privileged access that the non-manufacturer app developers won't have.
And the other one, yeah, is absolutely about product adoption.
If you can't allay people's privacy concerns, then you're not going to get that critical mass of people that you need installing the app and rendering it useless.
To my mind, there are two key things that speak very strongly for allowing those operating system manufacturers and device manufacturers in some cases to play a leading role, at least in this.
One of them is making the best use of the hardware, because it's gonna be on all the time broadcasting and transmitting and receiving all the time over Bluetooth.
So you want something which isn't gonna suck up your battery life and kill your device super quickly. One, if your device is dead, the app's not going to work anyway.
Two, if you find out that after installing that app, your battery runs down really quickly, you're going to remove the app, defeating the object.
So the manufacturers will have a much better handle on power management. And in some cases, they have privileged access that the non-manufacturer app developers won't have.
And the other one, yeah, is absolutely about product adoption.
If you can't allay people's privacy concerns, then you're not going to get that critical mass of people that you need installing the app and rendering it useless.
But yeah, but we talked about last week, Colombia came up with a really cute workaround by giving you a free gig of data every month if you downloaded the app.
Oh, it doesn't help your battery life, does it though? But no, okay, no, I don't worry, chaps, I have solved this problem, okay?
If this is being done without the sort of informed participation of Apple and Google, if the NHS are gonna go alone, what they will do is this.
They will first of all tell you that you have to carry your phone with you all the time, and that your phone has to have the NHS app installed upon it, right?
There'd just be a little bit of legislation, they roll it out saying that's the rule from now on.
But the other thing will be that everyone has to wear a backpack full of batteries, which is going to permanently power your phone, and that way you can leave Bluetooth turned on all the time, it's not going to run out.
If this is being done without the sort of informed participation of Apple and Google, if the NHS are gonna go alone, what they will do is this.
They will first of all tell you that you have to carry your phone with you all the time, and that your phone has to have the NHS app installed upon it, right?
There'd just be a little bit of legislation, they roll it out saying that's the rule from now on.
But the other thing will be that everyone has to wear a backpack full of batteries, which is going to permanently power your phone, and that way you can leave Bluetooth turned on all the time, it's not going to run out.
Better exercise, people will be fitter.
Yes, that's the thing I was going to say, every conspiracy theory needs, you know, a kernel of why is this conspiracy happening? What's the reason for it?
And it's to tackle the obesity crisis.
And it's to tackle the obesity crisis.
And that's why the NHS are involved, you see. Carole, what's your story for us this week?
Okay, so we are heading to the land of higher education. Now don't worry, Graham. I know this is unfamiliar territory, but I gotcha.
You know that's really offensive, don't you? Is it? Yes. Why? Why is it offensive? I did get to higher education. I just didn't— it just wasn't formally called a university.
What was it called? It was a polytechnic that I went to. And I went to a polytechnic. I got my Higher National Diploma. Good. And I— there you go.
What was it called? It was a polytechnic that I went to. And I went to a polytechnic. I got my Higher National Diploma. Good. And I— there you go.
I was just saying, if you were worried about, you know, being in university grounds, even digitally, I was here for you. That's all. I don't know why you're being all sensitive.
Do you remember when all the polytechnics changed to universities? And they all had to have new names.
Yes, and mine got renamed. I'm very annoyed about it, but it wasn't the university when I was there.
I was going out with a girl from Nottingham at the time, and her father was a lecturer at the traditional old Nottingham University.
He was a lecturer in mining or something like mining technology, something like that. That's true.
In fact, one of the things, this is my token of proof that it was true, he presented me with a mummified monkey wearing a waistcoat with a rope around its neck.
Which they had found up a chimney in Nottingham.
He was a lecturer in mining or something like mining technology, something like that. That's true.
In fact, one of the things, this is my token of proof that it was true, he presented me with a mummified monkey wearing a waistcoat with a rope around its neck.
Which they had found up a chimney in Nottingham.
A nice gift to receive from a prospective father-in-law.
Anyway, he told me the story.
I don't know if it's apocryphal or not, but Nottingham Polytechnic, they had to obviously change their name when they became a university, and they had settled on the name, totally logical name, of City University of Nottingham on Trent.
And they'd gone with it, and they were very happy with it, and didn't realize until they got all their stationery printed up that the acronym was unfortunate, to say the least.
I don't know if it's apocryphal or not, but Nottingham Polytechnic, they had to obviously change their name when they became a university, and they had settled on the name, totally logical name, of City University of Nottingham on Trent.
And they'd gone with it, and they were very happy with it, and didn't realize until they got all their stationery printed up that the acronym was unfortunate, to say the least.
Childish and slightly vulgar. Carole, continue.
Yeah, well, I was going to go down the security route, as this is a security podcast, and say that a lot of these institutions have security that's not always been stellar, shall we say.
So for instance, this week, Sky News reported that the University of Warwick suffered multiple data breaches. Yes.
And Smashing Security was hacked in 2019 when a staff member installed a remote viewing software, letting hackers gain access to student info, personal info, staff members, volunteers, the whole thing.
But no one was informed because no one knew that it actually had been hacked because security was so poor on the system. They had no idea what was going on.
Now they've all cleaned this up. There's someone new in charge. But this wasn't the only university-based security news this week.
There's a new phishing attack which was reported by Proofpoint that has been targeting specific groups of people, including staff and students at US colleges and universities.
Now, tell me, pretend you guys are phishers trying to dupe a user to click on a link and download something nasty, and you're targeting unis. How would you go about it?
Graham, I'm not going to say this will be hard for you, okay?
So for instance, this week, Sky News reported that the University of Warwick suffered multiple data breaches. Yes.
And Smashing Security was hacked in 2019 when a staff member installed a remote viewing software, letting hackers gain access to student info, personal info, staff members, volunteers, the whole thing.
But no one was informed because no one knew that it actually had been hacked because security was so poor on the system. They had no idea what was going on.
Now they've all cleaned this up. There's someone new in charge. But this wasn't the only university-based security news this week.
There's a new phishing attack which was reported by Proofpoint that has been targeting specific groups of people, including staff and students at US colleges and universities.
Now, tell me, pretend you guys are phishers trying to dupe a user to click on a link and download something nasty, and you're targeting unis. How would you go about it?
Graham, I'm not going to say this will be hard for you, okay?
But put yourself in the shoes of someone who has gone to university.
Sorry, am I targeting university students or university staff?
Both, both.
Well, I mean, students. Students is all free beer, isn't it? That's what you do.
Oh yeah, that's good.
Entrance to the student union, because of coronavirus, you know, we're having to restrict entry and we're having a strict queuing system and you need to book your place in the queue to get into the union bar.
Oh, you guys would be good phishers. These guys just use sex. I mean, that's what they did. Bam!
And we know maybe during these times of staying at home, there must be quite a few sex-starved students out there right now, right?
They're probably climbing the walls at home with mom and dad in the other room, or—
And we know maybe during these times of staying at home, there must be quite a few sex-starved students out there right now, right?
They're probably climbing the walls at home with mom and dad in the other room, or—
They're all gonna be on Zoom and FaceTime. That's where it's all— I'm sure the sex is still happening, just not in the same room as the other person. Yeah, God, eh?
To have full visibility of that.
I'm sitting here in stunned silence. That's why there's no sound from this microphone.
So these guys got an email, right? So the huge phishing campaign went out. Now I've sent you guys the image of the email inside the documents. You guys can take a look here.
So it came just for our listeners, right? The subject is "Waiting for your reply." And then you go in and you have this in big font.
It says, "Make your choice." And you have two scantily clad women, one blonde and one brunette. So, you know, they're not the same.
So it came just for our listeners, right? The subject is "Waiting for your reply." And then you go in and you have this in big font.
It says, "Make your choice." And you have two scantily clad women, one blonde and one brunette. So, you know, they're not the same.
You know what it reminds me of from the birth of the commercial web? It reminds me of the website Hot or Not.
It does. It is a bit like Hot or Not, yeah.
Yes. And maybe it's using that same kind of trigger selection. It's quite clever psychologically because it doesn't say you can't choose one of these.
It just says make your choice and you select.
It just says make your choice and you select.
Now, right. Yeah. You may have chosen not to click, which would have been the best choice.
This is the big reveal. No matter who you click on, you still get the prize of downloading the Hubigon remote access Trojan known as a RAT.
Now, this RAT's been around for at least 10 years and has loads of features and capabilities like allowing people to access the infected machines, remote access it, has rootkit functionality, so it means webcam monitoring, it can log your keystrokes, steal your passwords.
So all the stuff that we don't talk about a lot anymore. We don't really talk about RATs and Trojans as much, do we? But they're still out there. Oh yeah, they are very huge.
Now, this RAT's been around for at least 10 years and has loads of features and capabilities like allowing people to access the infected machines, remote access it, has rootkit functionality, so it means webcam monitoring, it can log your keystrokes, steal your passwords.
So all the stuff that we don't talk about a lot anymore. We don't really talk about RATs and Trojans as much, do we? But they're still out there. Oh yeah, they are very huge.
We tend to talk about them, and I don't know whether this is because cybersecurity companies don't do much consumer messaging anymore, or I don't see it very much anymore, but we tend to talk about them in an enterprise scenario, and they are APTs.
They're Swiss Army knives in an enterprise scenario.
If you can get a remote access Trojan on a system, then it gives you access to information, it gives you access to functions, it gives you access to architecture and infrastructure.
They're Swiss Army knives in an enterprise scenario.
If you can get a remote access Trojan on a system, then it gives you access to information, it gives you access to functions, it gives you access to architecture and infrastructure.
So, Carole, you're saying that this particular campaign with the scantily clad ladies, this was targeting university students, is that right?
Yeah, university students and staff.
I mean, looking at the screenshots, I'm amazed, but I suppose you could say that about quite a lot of widespread cybercriminal campaigns rather than targeted ones.
I'm amazed it was successful because you make your choice and I don't know, the assumption is maybe that you are going to download some video, get some pictures, I'm not sure what, but what you get is a download for an executable called 'X Live.' So first of all, alarm bells should start ringing, but then you look at where it's coming from, and it's coming from gogominer.com.
I mean, that's alarm bells, klaxons, foghorns, and what more do you want?
I'm amazed it was successful because you make your choice and I don't know, the assumption is maybe that you are going to download some video, get some pictures, I'm not sure what, but what you get is a download for an executable called 'X Live.' So first of all, alarm bells should start ringing, but then you look at where it's coming from, and it's coming from gogominer.com.
I mean, that's alarm bells, klaxons, foghorns, and what more do you want?
Exactly. Isn't this old school?
You don't need those executables to have a camera rendered in a browser, right?
It makes me think that the guy who's behind this is in his 50s. It's old-school phishing.
It's not me, I'm just saying.
So there you go. So old-school stuff like this still works. And advice, because we're gonna see, I think, a little rise in consumer phishing scams.
I know there's a lot out there, but I think now that people are trapped at home and don't have the IT person around the corner, I can imagine we're gonna see a lot of scams for "This is how you can make sure your Zoom call stays safe," right?
Leading to something bad.
And one of the real sweet spots here for the bad guys are the companies that have basically always had a staff on site, haven't had to worry about remote workers, may not have a huge security budget 'cause they may be just a small SMB, and they're now having to have all their workers use their own machines from home to contact the network.
And they may not have the security layers in place. So companies beware.
I know there's a lot out there, but I think now that people are trapped at home and don't have the IT person around the corner, I can imagine we're gonna see a lot of scams for "This is how you can make sure your Zoom call stays safe," right?
Leading to something bad.
And one of the real sweet spots here for the bad guys are the companies that have basically always had a staff on site, haven't had to worry about remote workers, may not have a huge security budget 'cause they may be just a small SMB, and they're now having to have all their workers use their own machines from home to contact the network.
And they may not have the security layers in place. So companies beware.
It's nasty stuff, and people are having to be their own IT department right now, aren't they? Because the IT department isn't necessarily available to sort them out.
Yeah. And how many of us are doing home support for our families and friends as well?
Basically, the upshot is if you want to avoid a mountain of pain, avoid clicking on fishes. That's it.
Maybe you don't have a single sign-on password manager, or maybe you do and you're not really happy with it.
Well, why don't you start a free 14-day trial of LastPass Enterprise and you can manage every access point with integrated single sign-on and password management.
Let me tell you about some extra features: central admin dashboard, easy user management, group management, directory integrations, federated login, more than 100 security policies, advanced reporting, multifactor authentication options, password sharing, and the list goes on.
Check it out at lastpass.com/smashing. On with the show.
Maybe you don't have a single sign-on password manager, or maybe you do and you're not really happy with it.
Well, why don't you start a free 14-day trial of LastPass Enterprise and you can manage every access point with integrated single sign-on and password management.
Let me tell you about some extra features: central admin dashboard, easy user management, group management, directory integrations, federated login, more than 100 security policies, advanced reporting, multifactor authentication options, password sharing, and the list goes on.
Check it out at lastpass.com/smashing. On with the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Woo! Oh, impressive. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Now, my pick of the week this week is not security related, but it deals with an issue that many, many of us have, which is that someone will come into the living room and say, I really want to watch Paddington 2, or I want to watch Shark Attack 3 with John Barrowman.
And you think, oh, such a good film. It is a great movie. But you think, oh my goodness, where will I find it? And where will I find it the cheapest?
It's like, okay, yes, it's there on Amazon, but then I have to pay for it. Is it on iPlayer? Is it on Netflix?
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Now, my pick of the week this week is not security related, but it deals with an issue that many, many of us have, which is that someone will come into the living room and say, I really want to watch Paddington 2, or I want to watch Shark Attack 3 with John Barrowman.
And you think, oh, such a good film. It is a great movie. But you think, oh my goodness, where will I find it? And where will I find it the cheapest?
It's like, okay, yes, it's there on Amazon, but then I have to pay for it. Is it on iPlayer? Is it on Netflix?
Have I— You're always looking for a deal, eh?
Well, yes, I am, Carole. Exactly. So the website which will help you out with this particular conundrum is called justwatch.com.
And what it means is if you don't have a clue whether a particular movie or TV show is on Amazon or Netflix or iPlayer or something you need to splash some cash on, you just type in the name of your movie and it will tell you everywhere that it is and what you will have to pay, if anything, on those particular services.
And very handy it is too, because you spend a lot less time wasting around when the kids want to watch some animated nonsense.
You can find it for free instead of forking out for it. It's also available as an app. It's an app for the iPhone and Android as well.
And what it means is if you don't have a clue whether a particular movie or TV show is on Amazon or Netflix or iPlayer or something you need to splash some cash on, you just type in the name of your movie and it will tell you everywhere that it is and what you will have to pay, if anything, on those particular services.
And very handy it is too, because you spend a lot less time wasting around when the kids want to watch some animated nonsense.
You can find it for free instead of forking out for it. It's also available as an app. It's an app for the iPhone and Android as well.
I hate to poo-poo on your parade.
Oh, go ahead.
I would just say, just check the privacy notice first. I'm just looking at it now and there's a few little hmm.
What's your problem? What do you mean what's my problem? What's your problem with it?
Well, collect information from my IP address and the browser I'm using. Well, yeah, every time. The site you came from. We might also give this to third parties.
Yeah, okay, okay, but you know. Collect your zip code to find out what's available to you.
Yeah, okay, okay, but you know. Collect your zip code to find out what's available to you.
I haven't told it my zip code. I haven't told it that.
I don't know why. Okay, just— I know you didn't go to university.
I'm sorry about the university comment. Don't have zip codes. This is a zip codeless nation.
Oh, thank you very much, Rik. Yeah, so yeah. Very good. Rik, what is your Pick of the Week?
My pick of the week is something which I didn't know was a thing, and I definitely didn't know it was a thing that I could get really cheap, particularly during this pandemic lockdown period.
He says toilet paper. We're going to have a crazy—
No, do you know what? I have an Amazon subscription for toilet paper, and it arrived about a week before lockdown, and we're like, we have a house full of toilet paper.
We get it once every two months, this massive box of it. So that's my, that's a top tip for the future.
Subscribe for those things that you don't want bulking up your boot when you go shopping.
We get it once every two months, this massive box of it. So that's my, that's a top tip for the future.
Subscribe for those things that you don't want bulking up your boot when you go shopping.
And if you want Rik's home address, just email us at .
It's gold leaf. My pick of the week actually is something which in the UK is called Fire for Kids Unlimited. In the US, I think it's called Kindle Unlimited for Kids.
I'm an Amazon Prime member anyway, like many, many people, and I discovered that for 99 pence I could get Fire for Kids Unlimited for 3 months, which means that my kids on their Paperwhites can access tens of thousands of books.
So there's no reason for them to come to me and say, I'm bored, I have nothing to do, there's nothing new for me to do, I can't go to the bookshop, I can't— you know, you have tens of thousands of books, go read and leave me alone.
I have a podcast to do with Graham and Carole, and I spent 99p on it.
I'm an Amazon Prime member anyway, like many, many people, and I discovered that for 99 pence I could get Fire for Kids Unlimited for 3 months, which means that my kids on their Paperwhites can access tens of thousands of books.
So there's no reason for them to come to me and say, I'm bored, I have nothing to do, there's nothing new for me to do, I can't go to the bookshop, I can't— you know, you have tens of thousands of books, go read and leave me alone.
I have a podcast to do with Graham and Carole, and I spent 99p on it.
You guys, you're deal finders.
It was— it's just such a great deal. And if they use it, we'll carry on with it. But 99p for 3 months is perfect for this period. I think the deal is still out there.
Do they have to create book reports for you?
Yes, they have to do PowerPoint presentations.
Come back, kids, when you've read all of the books.
We may be allowed to go outside by then.
Carole, what's your Pick of the Week?
Oh, well, mine is free. There's no money. Okay. Do you know Jeopardy!, the TV show that is very popular in the American— What is Jeopardy!? Jeopardy! is a game show.
Do you know what that is? Oh, that was a joke. Oh, really? Oh, sorry, I didn't even get it. Oh my God, I'm so bad. Jesus Christ. I was just trying— 'cause Graham had no idea.
Graham, I just spoke to him before the show. He had no idea. So I just assumed. I had heard of Jeopardy!.
Do you know what that is? Oh, that was a joke. Oh, really? Oh, sorry, I didn't even get it. Oh my God, I'm so bad. Jesus Christ. I was just trying— 'cause Graham had no idea.
Graham, I just spoke to him before the show. He had no idea. So I just assumed. I had heard of Jeopardy!.
I just didn't know quite how it worked. But okay.
Yeah, but if I said to you, Alex Trebek, what would you say?
I don't know. Is he—
I think he could be an actor. I wouldn't even know what words you had just put together there. That just sounded like a sound.
Sounded like something Quebec. Trebek. He is our Nicholas Parsons.
Okay? I was in a band called the Rockin' Thunders at university.
Oh. We were a joke band and we had a song, we wrote a song which should have been a hit, which was called A Night Out with Nicholas Parsons.
The whole premise of the song revolved around a contest that had been set by Sarson's Vinegar to think of a slogan and the winner would get a night out with Nicholas Parsons.
The whole premise of the song revolved around a contest that had been set by Sarson's Vinegar to think of a slogan and the winner would get a night out with Nicholas Parsons.
Do you have a recording of that, Rik?
I think there is one in existence.
We could put it in the— we could put it at the end of the show, sign us and sing us out.
Well, the chorus is just the word shit repeated 5 times.
Maybe we'll leave it to everyone's imagination. Anyway, Alex Trebek has been the host of Jeopardy! since 1984. Yes. He's now— Mr.
Trebek is sick and he's recently announced that he has survived one year of cancer. Right. And I was reading about this and he's one of those people you just love.
You just— he's just one of those good people. I found this guy who is obviously a Jeopardy! fan.
And if you click on the link in the show notes, he has created an entire website of every question that's ever been asked on Jeopardy! since 1984.
Trebek is sick and he's recently announced that he has survived one year of cancer. Right. And I was reading about this and he's one of those people you just love.
You just— he's just one of those good people. I found this guy who is obviously a Jeopardy! fan.
And if you click on the link in the show notes, he has created an entire website of every question that's ever been asked on Jeopardy! since 1984.
Oh, the J Archive. Yes. So— Oh, Carole doesn't use HTTPS. I know it doesn't use HTTPS. You complained about Just Watch's privacy policy. Oh my word.
I know, but you don't have to enter any information here, Mr. Graham.
Just for those who don't know, the way the game show works is I put the answer in the form of a question and you give me the question in the form of an answer.
Just for those who don't know, the way the game show works is I put the answer in the form of a question and you give me the question in the form of an answer.
Okay, my brain has just warped. Okay, carry on.
Okay, it's not hard. So, I'm gonna ask you guys a few questions, okay? Okay.
In the category for Drinks for $200, this children's cocktail is ginger ale and grenadine garnished with a maraschino cherry.
In the category for Drinks for $200, this children's cocktail is ginger ale and grenadine garnished with a maraschino cherry.
What is a gateway drink?
Yes, but that's not the right answer, Graham. And it starts with letter S, that helps.
Well, I don't know the names of any drinks. What is a Shirley Temple?
Correct! Oh, very clever, very clever.
For the category of Visual Alliteration for 400, answer: This cheery literary feline left his smile behind when the rest of him disappeared.
Who is the Cheshire Cat?
Correct! I knew that, but I thought I had to buzz. Okay.
Okay. Now you guys have to really pay attention because you're both musos on this one.
In the Dylan category for $800, take a load off and tell us the name of this group, formerly the Hawks, who backed Dylan starting in 1965.
In the Dylan category for $800, take a load off and tell us the name of this group, formerly the Hawks, who backed Dylan starting in 1965.
Who are The Band?
Correct! We have to buzz. There you go. See, fun game.
So if you click on the link, they give you the entire game grid that you get on the game show and you could actually play with friends, read out the questions, do it for fake money or for real money, have some fun.
So if you click on the link, they give you the entire game grid that you get on the game show and you could actually play with friends, read out the questions, do it for fake money or for real money, have some fun.
This is j-archive.com. I think this would give me a heart attack, Carole. That was quite a lot of pressure.
That was high stakes stuff. Yeah, really?
Yeah, my buzzer was broken. I was going to say you need to get out more, but yeah.
Yeah, don't we all?
On that topical gag, we've just about wrapped it up for this week. Rik, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that and find out what you're up to?
What's the best way for folks to do that and find out what you're up to?
The best way is Twitter. I'm too old for Instagram and I'm too old for Snapchat. So it's Rik_Ferguson at Twitter.
No TikTok account?
No. My other half is addicted though. So I hear it a lot. I just don't see it much.
And you can follow us on Twitter at Smashing Security. No G. Twitter won't allow us to have a G. And you can also join the Smashing Security Reddit community.
Just look for Smashing Security subreddit up there.
Just look for Smashing Security subreddit up there.
And as always, thank you, beautiful people. You are keeping Smashing Security alive by listening to us every week, literally.
And for those of you that have kept supporting us via Patreon through all this, you're in for a pretty sweet treat very soon.
Also, a huge, huge thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
And for those of you that have kept supporting us via Patreon through all this, you're in for a pretty sweet treat very soon.
Also, a huge, huge thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio. Bye-bye. Stay safe. See ya.
Wouldn't want to be ya. Yeah, I would. I would.
Yeah.
Now, Carole, you keep on saying our listeners are literally keeping us alive each week. And you emphasize literally. That's because she's American.
Yeah, it's a habit my son seems to have got into, is everything is literally.
Yeah, it's a habit my son seems to have got into, is everything is literally.
So he just calls me American and Graham doesn't even notice. Doesn't even notice.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Rik Ferguson – @rik_ferguson
Show notes:
- Vote for Smashing Security in the EU Security Blogger Awards!
- Financial Times reporter accessed private calls at Independent and Evening Standard — The Independent.
- FT suspends journalist accused of listening to rival outlets' Zoom calls — The Guardian.
- Sky News admits it hacked Canoe Man’s email — Naked Security.
- Is it ever acceptable for a journalist to hack into somebody else’s email? — Naked Security.
- NHS rejects Apple-Google coronavirus app plan — BBC News.
- Threat Actors Repurpose Hupigon in Adult Dating Attacks Targeting US Universities — Proofpoint.
- Warwick University kept data hack secret from students and staff — Birmingham Live.
- JustWatch – The Streaming Guide.
- Just Watch — Apple App Store.
- Just Watch — Google Play.
- Fire for Kids Unlimited — Amazon UK.
- Kindle Limited for Kids — Amazon.com.
- J! Archive.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
