Smashing Security podcast #193: Hacking the CIA, Bridgefy, and college lockdowns

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Whatever happened to Crackas with Attitude, perfidious Albion College’s approach to locking down Coronavirus, and the Bridgefy mesh messaging app falls down when it comes to security.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hey dudes, it's Carole Theriault, and I'm here to give a shout out to our incredible Patreon supporters.

These are just some of the people that help to make Smashing Security free for all, even those that can't afford it, which in my view makes you cooler than rock stars.

This week, shout out goes to Geeky Grump I Am, Stephen Hodgson, Simon Inman, Carl Kronberg, Thom Ploger, Darren Kenny, Dan Billing, Gordon Everett, Eric, and perhaps my favorite username of all time, Chubby Ninja.

If you want to join this community of amazing people, all you got to do is visit smashingsecurity.com/patreon and know that we would absolutely love to have you on board.

Now let's get this show on the road.
ANNA BRADING
Imagine you two have kids of college age.
GRAHAM CLULEY
Okay, us two?
ANNA BRADING
Yeah, both of you. Not together. Oh, thank God.
Unknown
Smashing Security, episode 193: Hacking the CIA, Bridgefy, and College Lockdowns, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 193.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined by a blast from the past, someone we used to work with, Carole, and someone who's been on the show before. It's Anna Brading. Hello, Anna.
ANNA BRADING
Hello. Thank you for having me back.
CAROLE THERIAULT
Hi, Anna. Hi.
ANNA BRADING
Pleasure to be here. Is it? Is it?
CAROLE THERIAULT
Of course.
ANNA BRADING
Yes.
GRAHAM CLULEY
Now, Anna, some of our listeners will know you, not only from your previous appearance on Smashing Security, but also because you were the host of the Naked Security podcast.
ANNA BRADING
Yes.
GRAHAM CLULEY
There've been some developments, haven't there?
ANNA BRADING
Well, there have. It's on a long pause, I think is the official line, but I am no longer at Sophos, so it's unlikely I'll be appearing on that again. So yes, very sad.
GRAHAM CLULEY
A big shame. So that means you're available, basically, if anyone's been interested in hooking up with you in a work fashion.
ANNA BRADING
Well, maybe.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
She's from Reading, everything goes.
ANNA BRADING
Yes, in a work fashion, I am available if anyone wants to get in contact.
GRAHAM CLULEY
Reach out. We'll hand out your, what, your Twitter address or something later on, shall we?
ANNA BRADING
Yeah, or feel free to look me up on LinkedIn.
GRAHAM CLULEY
All right. Oh yeah.
ANNA BRADING
There's an extensive list of everything I've done on there professionally.
GRAHAM CLULEY
Yes. And hopefully nothing else. Carole, what's coming up on the show this week?
CAROLE THERIAULT
Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you the show for free.

Now, coming up on today's show, Graham explains what crackers with attitude means. Anna deliberates some of the corona safeguarding tools found in schools.

And I tell you about a pretty nasty mesh networking app screw-up. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, first of all, Carole, I think I need to correct you. In that introduction, I think you referred to crack-ass with attitude. What?
CAROLE THERIAULT
Is that what you told me to say?
GRAHAM CLULEY
Well, no, no, no. It's crackers with attitude. I don't think it's crack-ass.
CAROLE THERIAULT
Crack-ass.
GRAHAM CLULEY
I think crack-ass is something else instead.
CAROLE THERIAULT
It's something that you've had a lot of in your life, because your trousers are always hanging half— well, basically behind your knees.
ANNA BRADING
Oh, charming.
GRAHAM CLULEY
Now, whatever happened to Crackers with Attitude?

Crackers with Attitude was an online hacking gang which was set up by a teenager, a chap just 15 years old, a Brit going by the name of Kane Gamble.

A rather unlikely name, to be honest, for a Brit. But there you are. Kane Gamble was the chap who founded the organisation.

And over a period of 8 months, until his arrest on the 9th of February, 2016, from his bedroom at his parents' home in Leicestershire, Gamble was gaining access.

He was cracking into the online accounts of high-profile figures.
ANNA BRADING
Okay.
CAROLE THERIAULT
So what, you bet, celebrities and stuff like that?
GRAHAM CLULEY
Well, not so much celebrities. Not the sort of people that you'd see on MasterChef or Strictly Come Dancing. Although, who knows these days?

Instead, we're talking about the personal email account of the then Director of the CIA, John Brennan, and the Director of National Intelligence, James Clapper, amongst others.

So cracking into some pretty serious email accounts.
CAROLE THERIAULT
Well, serious if, depending on the defences they had in place, if the password was Bob the Cat, it might be easier than if it was 25, you know.
ANNA BRADING
God, I need to change my password.
CAROLE THERIAULT
Random letter.
ANNA BRADING
Yes.
GRAHAM CLULEY
Well, don't worry, because I don't think the passwords were as easy as that.

But actually, it didn't matter how carefully chosen the passwords were because of the methodology which Gamble used, which I will describe.

Now, once he gained access to the CIA boss's personal email account, he found a host of sensitive government files that you kind of assume a government official shouldn't be sending to his personal email address.

Now, you might be wondering, what type of personal email account John Brennan, the then director of the CIA, where would he have his email account, do you imagine?
CAROLE THERIAULT
His personal email account?
GRAHAM CLULEY
Yeah, his personal one, yeah. What sort of service would he be using?
ANNA BRADING
Something, surely something super secure. Hotmail?
GRAHAM CLULEY
Yeah. Yes, something like that. Well, you know, I'm not sure what's more embarrassing, being hacked as the director of the CIA or having an AOL email account. Because clearly, Mr. John Brennan had received one of those CDs through the post back in 1994 and thought, "I should get on this internet thing," and set himself up with an AOL account.
CAROLE THERIAULT
You know what? I think that's normal.

I think there are so many people today that have old accounts they set up 20 years ago, and they're still running them because they don't know how to export them into a new app.
GRAHAM CLULEY
I think that's a common problem. Yeah, people, particularly the less tech-savvy maybe, don't know how to migrate an email account.

But don't you think that when you're appointed the director of the CIA, that there might be some, I don't know, security-minded folks who might say, "Let's take a little look at your life and how we better protect you." Yeah, before 2018, I would have said, "Yes, of course there is." But, you know.

Well, Kane Gamble, this teenage student, he broke into the CIA director's contacts list as well.
CAROLE THERIAULT
His personal contacts list.
GRAHAM CLULEY
Into the personal one, that's right. But it seems there was a fair amount of work going on there.

His call logs and, quote, "extremely sensitive documents" on military and intelligence operations in places like Basingstoke and— no, no, no, in Iraq and Afghanistan.
CAROLE THERIAULT
OK, so do you not think this is happening everywhere? Because companies, particularly the government, would say you cannot have access to your work accounts from home.

We have a tight-knit perimeter, and you can only do it within the building, and yada, yada, yada.
GRAHAM CLULEY
Well, not so much these days, Carole.
CAROLE THERIAULT
Well, no, but this is pre-Rona.
GRAHAM CLULEY
This is pre-Rona. That's true.

But I would like to think that if someone was in a really important job like that, they might be able to give them some sort of secure device, a VPN to go through, which would put them in a secure tunnel to their communication phone.

We were doing that way back then, right?
ANNA BRADING
Yeah.
GRAHAM CLULEY
That's how we did it.
CAROLE THERIAULT
Pain in the butt though.
ANNA BRADING
Well—
CAROLE THERIAULT
God.
GRAHAM CLULEY
You had to make cookies for the IT team, didn't you?
ANNA BRADING
Maybe it's just the path of least resistance. It's much easier to just send it to his AOL account.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
I think that's not uncommon. Now, this hacker, Kane Gamble, once he grabbed all this information, of course, he started to try and embarrass him.

So he was posting some of it on Twitter.
CAROLE THERIAULT
He's trying to embarrass the CIA agent?
GRAHAM CLULEY
That's right, CIA director, by posting it on Twitter, sharing it with WikiLeaks, generally causing mayhem. And the CIA tried to shut down the AOL account, right?

They contacted AOL support. But what Gamble actually did was he posted on Twitter a screenshot of the AOL inbox with the different requests.

So the CIA would send a request saying, can you shut down this account? AOL would reply saying, 'Are you sure?

We're just checking that you want this AOL account shut down.' And then Gamble would probably, 'Oh no, no, no, that's a hacker pretending to be the CIA.' What an idiot though, doing it, yeah.
CAROLE THERIAULT
I don't know how I would get, say, for example, Gmail on the phone, right? I would assume it's quite complicated to do.
GRAHAM CLULEY
Oh, I think it is for the regular person, but probably if you're in law enforcement. So how did this hacker do it? Well, it wasn't really hacking in a way.

What he was doing was social engineering. He impersonated his victims and he called up call centres claiming he couldn't get into his account.

So he was conning them into divulging confidential information. And then he began to send emails from accounts.

He was accessing more sensitive military information, and this information was getting leaked.

And he and his gang were really in the habit of not just cracking into accounts, but then subjecting their victims and their families to online abuse, harassment, and of course, bragging about what they were doing on social media too.
ANNA BRADING
So he's a douche.
CAROLE THERIAULT
So he got access to something super valuable and then didn't know what to do, so just went after everybody and did some personal abuse, 'cause he's a kid.
GRAHAM CLULEY
Crackers with Attitude, they claim to have political motives, right? It was all about the Palestine and Israel and things like this is what they used to claim.

But the amount of information, it's staggering. Let me tell you some of the things.

What ended up happening was the hacker tricked Verizon, for instance, into revealing the CIA director's telephone number, his home address, his ISP account details, even his router's serial number.

He managed to get hold of the Social Security number.

He gained access to his Apple iCloud account and even his car insurance details, which is something I have trouble finding my car insurance details.

So, get a hacker to do it instead.

I mean, that's when you consider that's the director of the CIA who's having all that information collected about him, that's pretty worrying, isn't it?
CAROLE THERIAULT
But once you get access to the email, how many emails would have that kind of information in there?
ANNA BRADING
Yeah, exactly.
GRAHAM CLULEY
And it wasn't just John Brennan's accounts which he was targeting. He also targeted the CIA director's wife, Cathy. So he hijacked her Twitter account.

He impersonated her to trick AOL into changing her password. You know, you set up security questions to protect your account, to prevent other people from resetting your password.
ANNA BRADING
Yeah.
GRAHAM CLULEY
And so, the answers to those security questions were hacked, hacker, and V for Vendetta, which possibly could have been a bit of a giveaway.

Something odd was going on, rather than Cathy setting that. And then he began to make numerous phone calls to the house. Even calling them while Mrs. Brennan was on the phone to AOL, telling them her account had been compromised. Oh my. So, you said, a bit of a douche. Well, it gets even douchier.
ANNA BRADING
Okay.
GRAHAM CLULEY
Then he attacked and targeted the US head of Homeland Security at the time, Jeh Johnson.
CAROLE THERIAULT
So he's feeling like a frickin' hero right now. Oh, yes. He's thinking, I'm in my bedroom. No one knows who I am. They would never imagine it could be me. This is fantastic.

Let's up the stakes.
GRAHAM CLULEY
And it's actually described in court documents how he was saying to one of his cohorts that he was basically quaking in his boots at what he thought was the biggest hack ever.

He was listening to voicemails sent to the head of Homeland Security, sending texts from the head of Homeland Security's phone, posting information online.

And then, and then, right? Let's take it up a further notch. He found out the head of Homeland Security had IoT devices in his house.
ANNA BRADING
Oh, good.
CAROLE THERIAULT
Tell everyone about this, 'cause I'm apparently the only person in the world without them.
ANNA BRADING
Carole, I don't really—
CAROLE THERIAULT
Good. Alexa, there's no Alexa in your house.
ANNA BRADING
I don't want to talk about her.
GRAHAM CLULEY
Don't mention the A-word.
ANNA BRADING
She was bought for me as a present. Well, she's in your house. I turn her off though.
CAROLE THERIAULT
Okay, smart.
ANNA BRADING
I only put her on for requests for Frozen music and stuff like that for my son.
GRAHAM CLULEY
Well, via the Homeland Security head's Comcast account, which of course had also been hacked, he sent a message to the family TV set, which popped up a message saying, "I own you." He posted images on the daughter's— There's a 15-year-old daughter in this household.

Posted images on the account of that girl saying he'd like to bang her.
CAROLE THERIAULT
Oh my God. Okay, see, that's now super, super gross.
GRAHAM CLULEY
Well, he is 15 as well. That's the other thing. Yeah, but still.
ANNA BRADING
Yeah, but imagine being that girl.
CAROLE THERIAULT
I mean, you don't know who it is.
ANNA BRADING
And then yeah, you're receiving that. That's horrible. Scary.
GRAHAM CLULEY
There was an executive assistant director at the FBI, by the name of Amy Hess. She got targeted too. And he basically downloaded films onto her TiVo.

V for Vendetta, After Porn Ends, and Hackers, of course. I don't know that one. And check, this is the worst thing of all, actually, of everything that he did.

He changed her voicemail settings to Spanish.
ANNA BRADING
Oh no.
CAROLE THERIAULT
That's not that big a deal.
ANNA BRADING
How do you get back?
CAROLE THERIAULT
Yes, I could. You'd work it out. I could work it out. I know enough Spanish, I could do it.
ANNA BRADING
Oh, you're so good.
GRAHAM CLULEY
Estoy hasta, estamos hasta, right? Yeah, yeah, you're— yeah, you said, you can get by, right?
CAROLE THERIAULT
Practically.
GRAHAM CLULEY
You see, Anna, I used to read the shampoo bottles, right?
CAROLE THERIAULT
Yes, yes, but before the phones, when you're having a wazz, right, you read the shampoo bottles and you get the French.
GRAHAM CLULEY
Yes, you're having a what?
CAROLE THERIAULT
And you get it in German.
ANNA BRADING
Yes, we've talked about this before, Anna and I, the shampoo bottles.

In the olden days, before you had a phone in the toilet with you, you had to read other things because it got boring.
GRAHAM CLULEY
Is this what you're going to tell your kid, Anna, when they say, oh, in my day we didn't have phones?
CAROLE THERIAULT
Yeah, you had to shit alone.
ANNA BRADING
No, but he already asks me when he's on the toilet to read him a book.
CAROLE THERIAULT
Oh, and you go, yes, my prince.
ANNA BRADING
I started reading it and I thought, no, we've gone too far now.
CAROLE THERIAULT
It's getting stinky.
GRAHAM CLULEY
Another victim even had threatening phone calls made to the salon where she got her hair done.

So a lot of douche— douche now seems the wrong kind of word to use after this discussion.
CAROLE THERIAULT
Yeah, it does. It's full-on nasty and malicious.
ANNA BRADING
Yeah.
GRAHAM CLULEY
In summary, he's a bit of a shit. And his crackers with attitude were, as you would say, crack-ass.
CAROLE THERIAULT
Yeah, I think my word was way better.
ANNA BRADING
Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So the weak link here, of course, are call centers. These weren't elite-level hacking techniques being deployed. It was people impersonating other people and being convincing.

And that's something which is difficult for all of us to really get a handle on.

And we're so reliant on companies themselves having proper procedures in place to defend our accounts and not give in too easily.
CAROLE THERIAULT
It's really complicated because, you know, part of me would like to try and see how easy such a thing would be. But in fact, it's illegal to do so, right?

Unless you get the okay from the company beforehand, it's illegal to impersonate someone else and try and get private information.
GRAHAM CLULEY
So would it be cool if one of us were to give the other permission to try and do this?
ANNA BRADING
Yeah, should we try it?
GRAHAM CLULEY
As an experiment.
ANNA BRADING
Who's going to be the easiest to crack?
GRAHAM CLULEY
Everyone stands back from the microphone, goes on mute.

Now, the reason why I'm talking about this today, because obviously this happened, you know, 4 or 5 years ago, is that there is a great article on the Motherboard website all about Kane Gamble, this 15-year-old who did this.

He's no longer 15, and he has now been released from prison.

And it talks about how he literally counted down the minutes until the 20th of April, 2020, waiting for it to be midnight, because at that point he was allowed to use the internet again, having been banned since his arrest way back in 2016.

And imagine not using the internet for that long.
ANNA BRADING
You'd be reading shampoo bottles.
GRAHAM CLULEY
Well, exactly. Because what would you be able to do? You wouldn't be able to use the internet components of any smartphone.

If you had a Nest thermostat, does that count if it's internet-connected?
CAROLE THERIAULT
I think I'd be fine.
ANNA BRADING
Oh my god, I wouldn't.
CAROLE THERIAULT
I mean, we'd have a problem with the podcast, right? We'd have to do that in person, so that would suck.
GRAHAM CLULEY
Totally. You could send in your contributions by letter, and we could use a sock puppet to talk to.
CAROLE THERIAULT
I'd get to focus on my art, right? Get to focus on scriptwriting.
ANNA BRADING
Baking?
GRAHAM CLULEY
Imagine not being able to take a sneaky look at Wikipedia if there's a pub quiz. Imagine—
CAROLE THERIAULT
I'd never have done that. Do you do that?
GRAHAM CLULEY
No, well, let's move on. But you know, anyway, no, of course not. I don't need to. But lots of people do.
ANNA BRADING
Of course. Yeah, yeah.
CAROLE THERIAULT
Sounds like you do.
GRAHAM CLULEY
Anyway, don't do it, kids, because even if you think you're having a laugh and a lark, like presumably they did, and they thought it was super cool—
CAROLE THERIAULT
Imagine 4 years without the internet, okay?
GRAHAM CLULEY
Just imagine that. Just presume— Well, I'm trying to say things which might actually influence kids. That would actually have quite a big impact on us.
CAROLE THERIAULT
There's a lot of kids listening to the show. So thanks, Daddy Cluley.
ANNA BRADING
What would be worse, prison or no internet? Do you get internet in prison? You do, don't you?
GRAHAM CLULEY
I think you can get it illegally, because someone will bring in a tiny little— one of those little Nokia phones. Don't they sneak them in a cavity?
CAROLE THERIAULT
Would you rather that, Graham? Would you rather be in prison with internet or in your house with no internet? You can't even answer.
ANNA BRADING
Oh my god.
GRAHAM CLULEY
I am under lockdown. Right, Anna, what have you got for us this week?
ANNA BRADING
So last week you guys were talking on the podcast about contact tracing apps.
CAROLE THERIAULT
Yes, with Rory Cellan-Jones.
ANNA BRADING
Exactly.

And so you were talking about how the NHS in the UK had started with this centralized app where it stored some user data centrally, but obviously people weren't happy with that.

And then Google and Apple came along and were like, "Hey guys, we've got a decentralized way of doing it.

This is much better for privacy." And now the NHS has a decentralized app, so does Germany, and US states are doing the same.

Alabama, Virginia have both rolled out an app based on Google and Apple's Exposure Notification API.
GRAHAM CLULEY
And as Rory described last week, it's still rather up in the air as to whether any of these apps really work.
ANNA BRADING
Exactly.
GRAHAM CLULEY
Regardless of the methodology.
CAROLE THERIAULT
No, they function. They just— we don't know if they help.
GRAHAM CLULEY
If they're effective.
CAROLE THERIAULT
Yeah, yeah.
ANNA BRADING
We don't know how many people they've alerted, how many cases they prevented. So a college in the US has a better way of doing things. That's good.
GRAHAM CLULEY
Yeah.
ANNA BRADING
So obviously there's a lot of chat at the moment about how schools and colleges and universities are going to keep their students safe from COVID when they go back for next term.

And a lot of students are coming back now after having 6 months away. They've been doing online learning, or maybe not much learning at all.

And so the schools are coming up with plans about how to prevent the spread of COVID. And different schools are trying out different prevention measures.

So in the UK, I know in England, they're not currently recommending that students wear masks, although there's a lot of chat about it at the moment.
CAROLE THERIAULT
I find that shocking.
ANNA BRADING
Well, in Scotland, they're considering it. Things might have changed.
GRAHAM CLULEY
I got a letter from my school— not my school, my son's school today, saying parents have to wear masks on the way in. Teachers, it's optional.

Whether they wear a mask or not, and the kids aren't going to be wearing masks.
ANNA BRADING
It is difficult.
CAROLE THERIAULT
How do you feel about that?
GRAHAM CLULEY
How do I feel about him going back to school, to be honest? It's a little bit, you know, but I'm also seeing the impact of him not going to school.

You know, he wants to be around his mates. He doesn't want to be around us grown-ups all the time.
ANNA BRADING
Yeah. My son is at preschool and he's 3, so it's not even like they're maintaining any kind of social distance.
CAROLE THERIAULT
Of course, I imagine.
ANNA BRADING
Yeah. And if they fall over and they hurt themselves and they cry, the preschool teachers are still going to cuddle them and make sure they're okay.

But obviously, as a result of that, there's a risk. There's more of a risk to him, and there's more of a risk to them.
CAROLE THERIAULT
Let me just put my garbage bag on. I'll be right there, sweetie.
ANNA BRADING
Exactly. Strap on my mask.
GRAHAM CLULEY
I wish I was going to preschool. I'd love to have a little cuddle.
CAROLE THERIAULT
What, you want to wear diapers again and have a little cuddle?
GRAHAM CLULEY
It'd just be nice to have a cuddle occasionally.
ANNA BRADING
Oh, Graham, how's it going with Mrs. Cluley, dude?
GRAHAM CLULEY
Well, it's all right, thank you very much.
CAROLE THERIAULT
Maybe you could ask her.
GRAHAM CLULEY
Well, yes, but it's not quite the same. You could dress up as a preschool child.
CAROLE THERIAULT
And she could wear a sort of prison uniform.
ANNA BRADING
He would look great.
CAROLE THERIAULT
Little overalls.
ANNA BRADING
Just something to consider.
CAROLE THERIAULT
Little turtleneck. Romper suit.
ANNA BRADING
Anyway, so Mr. D. Trump has said he's going to send out 125 million reusable masks to school districts, although I'm not clear whether they're actually being mandated to use them.

I don't think they have yet. So Albion College has come up with this other way. And so when its students return from their break, they're going to be tested, which makes sense.

They're also banned from leaving campus to limit the risk of anyone bringing COVID in once school has started. So 14 weeks they're on campus.
CAROLE THERIAULT
So they're locked in. They're locked on campus.
ANNA BRADING
Well, yeah, apart from not with a key, but with a phone.
CAROLE THERIAULT
I would hate that so much. When I went to uni, I spent 50% of my time off campus, right?
ANNA BRADING
Yeah, you need your freedom. It's your first taste of freedom.
GRAHAM CLULEY
Where are you meant to take your laundry? Don't students take it home to their mum to get cleaned every week or something like that?
ANNA BRADING
Well, they're gonna have to learn to do it themselves, Graham. That's the problem.

So what they're going to have to do is they have to install this app called Aura on their phones, which the college is saying should help deal with any outbreak on campus.

But the snag is that it tracks the students' locations at all times, and there's no opt-out.
CAROLE THERIAULT
And that's mandatory? They have to have the app?
ANNA BRADING
They have to. So parents have launched a petition, obviously, to make the use of the app optional, but so far the school is remaining strong on it.

It's saying, chill out, guys, the only time a student's location data will be accessed is if they test positive or if they leave campus without permission.

So actually, they're not going to be locked in with a key, but if they leave campus, the app will ping the college and the student's ID card will be locked, and they have to go through various things.

They have to quarantine and they have to be tested. So it's, yeah, quite a strict measure.
CAROLE THERIAULT
I'm glad that parents are saying, hey, this is a bit weird. So I guess, but now it's too late for kids to register for another school. So you're kind of stuck.
GRAHAM CLULEY
But hang on, if Rory was here this week, not last week, right? His argument is there's a global bloody pandemic going on.
CAROLE THERIAULT
That wasn't his argument. He said that is an argument that he didn't necessarily agree with.
GRAHAM CLULEY
But he was presenting an argument, which was that maybe the privacy thing has been accentuated too much.

And there's a bigger worry here, which is that maybe these students can't be trusted or indeed people generally can't be trusted to be sensible.

And if you've got students going off here, there, and everywhere and having parties—
CAROLE THERIAULT
What rights does a college have to a student's free time and where they choose to go? These kids are not like 12-year-olds.
GRAHAM CLULEY
These are adults.
CAROLE THERIAULT
Some of them are over 18.
GRAHAM CLULEY
But colleges also have a responsibility to look after their students as well, right?

And if there's a few of them who are going crazy and might be bringing something in, I'm just saying, you know, there is a counter-argument.
CAROLE THERIAULT
I don't think people who have the virus have gone crazy.
ANNA BRADING
I don't think—
CAROLE THERIAULT
I don't think that's how it works.
GRAHAM CLULEY
No, no, but you know what I mean. No, it's the spring break crowd, right?

They're going off to Florida and they're out there on the beach and going, oh yeah, man, and having their Jagerbombs.
CAROLE THERIAULT
So just because there's a few douches out there, does that mean everyone has to be punished and locked in sardines for 14 weeks?
ANNA BRADING
That's the thing. Yeah, I mean, you can see they lock them all in, you know. If they've tested them all and no one's got it, then it's not going to get in.

And I can see they're not— maybe they're worried about being sued or whatever. And they're saying you've all got fitness tracking tools on your phone.

It's basically the same, except obviously these tools don't track you all the time if you set it correctly. It's only when you've chosen to have your run or your cycle or whatever.

And you could remove them when you want, and it doesn't affect your education.
GRAHAM CLULEY
Hang on a moment, hang on a moment, right? So I'm just imagining I'm a student at a university.
CAROLE THERIAULT
Stretch your brain.
ANNA BRADING
Well, actually, Graham, let's do some roleplay. Let's do some roleplay, Graham.
CAROLE THERIAULT
Yes.
ANNA BRADING
Graham, okay, so imagine you two have kids of college age, okay?
GRAHAM CLULEY
Us two?
ANNA BRADING
Yeah, both of you, not together.
CAROLE THERIAULT
Oh, thank God.
ANNA BRADING
Yes, good to say. Don't want to think about that.
CAROLE THERIAULT
Oh God.
ANNA BRADING
Oh, I need to wipe my mind. Carole, you've got little Tommy Theriault. Okay, Carole Theriault. And Graham, Colin Cluley. They've grown up and they're ready to fly the nest.

And they've chosen Albion. Right. So I'm going to be Colin, okay?
CAROLE THERIAULT
Yep.
ANNA BRADING
Daddy!
CAROLE THERIAULT
Your voice hasn't broken yet.
ANNA BRADING
Not yet, no. I mean, it's Graham, sorry. I am going to Albion College this month, but they're making me install an app that tracks me at all times. What shall I do?
GRAHAM CLULEY
I'm sort of tempted to say, why don't you get yourself a second smartphone and leave the one which is tracking you in your room when you want to go out to get your laundry done?
ANNA BRADING
Ooh, good idea, Dad. I mean, good idea, Daddy!
GRAHAM CLULEY
That seems to be the flaw in the plan here, right?
CAROLE THERIAULT
Yeah, that's interesting, isn't it? Yeah. Because are they mandated to carry their phones around at all times? Will they be punished if they don't have their phones?
GRAHAM CLULEY
Are they going to be frisked? You can't be frisked. You have to keep distant. You can't frisk me.
CAROLE THERIAULT
You can frisk with those, you know, those garbage picker-uppers?
GRAHAM CLULEY
You know, the ones that don't let you bend over?
ANNA BRADING
How easy is that to use that to frisk someone? I'm not sure.
CAROLE THERIAULT
I don't think I'd remember that.
ANNA BRADING
Carole Theriault, this is Tommy.
CAROLE THERIAULT
Same question?
ANNA BRADING
Yeah, no, no, no, no, different question.

Mummy, I've got a scholarship to go to Albion College in the United States of America, but if I get homesick, I won't be able to leave campus.

And if I do, they'll be able to tell from my location data and lock down my student ID. What should I do?
CAROLE THERIAULT
Stay here, darling.
GRAHAM CLULEY
How come Tommy's got the posh jolly hockey sticks accent and mine's got this abomination?
ANNA BRADING
I think it's a question of education, Graham. Do you want to know how it works? You want to know how the app works?
CAROLE THERIAULT
Okay, tell us.
ANNA BRADING
Alright, go on. So when a student's tested for COVID, the results are fed into the app.

And if the results come back negative, the app displays a QR code, which then lets scanners around the campus know that the student's free of the virus.

So presumably they're going to have to scan themselves in.

If the results are positive or the student hasn't been tested yet, the QR code will say denied, and they won't be able to go to— I guess they'll get stuck in their room.
GRAHAM CLULEY
Hang on, hang on. This is another flaw in the system, isn't it? Because if it's a QR— Borrow your friend's phone.

Well, you can either do that or you do— I've seen people do this, which is when you have a cinema where they have the QR code, which has your ticket on it, you just take a screenshot of the QR code, don't you?

That's what you show. So you show it from 3 days ago when you were clear.
ANNA BRADING
That's true. Maybe there's a— maybe they've got some kind of date or something. They must have thought of that. But they have found— so they have found vulnerabilities, of course.
CAROLE THERIAULT
Oh, wonderful. Okay, Graham, can I hijack your story for a second?
ANNA BRADING
Of course.
CAROLE THERIAULT
So Graham, say imagine you're going on a plane somewhere, right? You're a paying customer, these students are paying customers of the school.

And they're saying, look, we want to make sure you're okay. We're going to test you before you fly anywhere.

And we're going to monitor your entire trip everywhere you go and what you do.

And this is the airline because they have a responsibility for your safety even after they've dropped you off because they have to bring you back home. Would you be cool with that?
GRAHAM CLULEY
No. No, I don't like that idea.
CAROLE THERIAULT
Look, I have no problem if I had it. I think if I was found to be infected and someone said, look, we're going to slap a bracelet on you until you're clean.

That's going to track your movements because basically you're going to be staying at home or at the hospital presumably while you're sick. But not everyone gets sick.
GRAHAM CLULEY
Yeah, we could still be spreading it.
CAROLE THERIAULT
Yeah, but you know, you— of course you'd still be spreading it. So that's the thing.
ANNA BRADING
So you'd be—
CAROLE THERIAULT
I guess what I'm saying is some people might be sick and still leave because they don't feel, and that's the issue, right?
GRAHAM CLULEY
Oh yeah, well, those people are one. Yeah, you shouldn't do that. If you've been tested positive, you've got to stay at home.
ANNA BRADING
But it's— yeah, but it's not just— it's not the people that have tested positive, is it? It's just every single student in this school. Yeah. 1,500 students.
GRAHAM CLULEY
Maybe we should just brand the students on their foreheads. Why don't we just put the QR code there? Then they can't copy it off someone else's—
ANNA BRADING
And also hard to change the QR code. Yes, more tricky.
CAROLE THERIAULT
Erasers don't work.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
For another seriously fun topic, we're going to talk about protests. So there have been protests all around the world.

This is where large groups of people are banding together to fight injustices. In Hong Kong, we were fighting with mainland China.

Russian citizens were protesting Vlad's questionable reelection. US MeToo and Black Lives Matter. India, Iran, Zimbabwe, and most recently Belarus.

And all these protesters in these different places have faced a similar problem, and that is the problem of communication.

When the services are jammed up with loads of traffic or worse, authorities effectively kill the internet, how do you stay in touch? Actually, let me sidestep for a second.

Here's an interesting stat on kill switches. So they're getting turned on more often.

So there was a report suggesting that 122 major internet shutdowns occurred in 2019 in 21 different countries.
GRAHAM CLULEY
Oh, where they just turned off the internet?
CAROLE THERIAULT
Just turned off the internet to try and control the people. Yeah. And stymie communication. When you think about how reliant we are on it, eh, Graham?
GRAHAM CLULEY
Well, yeah. I bet lots of shampoo's being sold though, right?
CAROLE THERIAULT
You'll be in jail. You'll be fine. You'll have your own Wi-Fi in jail.
ANNA BRADING
Does the kill switch reach the jails? Is Graham all right?
CAROLE THERIAULT
So when protesters get into the situation, there is a neat way to try and stay in touch with people who are nearby, and that is mesh networks.

So a mesh network, for those that don't know, is different from traditional networks.

In a mesh network, you have nodes that connect directly and dynamically rather than more traditional methods where there's a dependency on a single node to perform a task.

So, you know, they say that it reduces maintenance, speeds up latency issues, yada, yada, yada. And it allows people to talk without having to use their data plans necessarily.
GRAHAM CLULEY
Yeah, it's very cool. I've always wanted to use one of these, and I've always wondered when the opportunity might be.

So I've been at concerts, for instance, and I can't remember the name of it. There's one called Red something or Fire, I can't remember anyway.

But I've sort of opened the app thinking, oh, there must be someone else at this concert who's got this as well. And it never finds anybody.

So I'm obviously going to the wrong demographic or something other than some radical protest.

But I think the technology is really clever, 'cause like you said, it doesn't require 3G or 4G or mobile connection or internet or anything like that.
CAROLE THERIAULT
And they use other comm tech, so they might use Bluetooth or a peer-to-peer Wi-Fi. But it does rely on people being near-ish.

That means Graham and I, don't worry, we'll never have to do this 'cause we're never together, right?
GRAHAM CLULEY
We're socially distant.
CAROLE THERIAULT
Socially distant, responsibly socially distant. Now, there are a number of mesh networking-based apps out there that might help you with communication.
ANNA BRADING
Right?
CAROLE THERIAULT
You have Signal offline messenger. You have the Vojer app, V-O-J-E-R.

And sadly, the brilliantly named Zombie Chat has been discontinued, but it was touted as a peer-to-peer post-apocalyptic communication tool for when zombies take over the planet.
GRAHAM CLULEY
I heard it was coming back from the dead.
CAROLE THERIAULT
Oh!
GRAHAM CLULEY
I hope it's resurrected.
CAROLE THERIAULT
But if you wanted to text your nearby mates without wasting your data plan, so Graham, pre-Corona, that was a perfect situation where this would be great at a concert, right?

You're trying to find your mates, trying to find your friends. Where are you? You know, oh, we're by the bleachers, or if you're at a sports event or at school.
GRAHAM CLULEY
Sometimes the mobile connection is all jammed up because everyone's using their phone. And so it would be good to be able to communicate some other method.
CAROLE THERIAULT
And if you're a journalist, for example, in a dangerous area, you need to keep in touch with your team, or if you're a protester, these apps can be a total lifesaver.

So the one I want to talk about is called Bridgefy and its marketing pitch, which presumably we can thank the Twitter co-founder Biz Stone, who is a backer of Bridgefy and the marketing dude behind this app.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So Bridgefy is an offline messaging app that lets you communicate with friends and family when you don't have access to the internet by simply turning on your Bluetooth antenna.

Ideal for festivals, sporting stadiums, etc., etc. So it's pretty groovy, and they claim to have about 2 million downloads.

So that's not huge, they're not a market leader, but they're certainly making a few waves and probably catching the attention of investors.

Now, according to this article from Ars Technica, Bridgefy was initially set up to help those in rural areas with shitty connectivity to communicate.

And that we've been reading a lot about, that we're actually— there's Wi-Fi buses going into these rural communities just to try and provide some online assistance for students to help them do their homework.

So you can imagine this would be really cool to help people stay in touch, although 300 feet, right?
ANNA BRADING
You have to stay, you have to have small houses.
CAROLE THERIAULT
If you were in a tower block, you'd be perfect.
GRAHAM CLULEY
This is like a mobile cyber cafe, or it brings a hotspot into your area, does it?
CAROLE THERIAULT
Brings a hotspot into the area to allow kids to do, you know, if they don't have Wi-Fi at home.

But with this past year's increase in large, scary protests all around the world, Bridgefy company representatives began telling journalists that the app's use of end-to-end encryption protected activists against governments and counter-protesters trying to intercept text or shut down communications.

And earlier in the month, the CEO of Bridgefy continued to ride this wave, declaring that last year they'd become the protest app, right? He used those words.

So on the Google Play Store until recently, it said, don't worry, your messages are safe and can't be read by those people in the middle.

And the company encourages iOS users to have secure and private conversations using this app. So sounds amazing, right?

They take security seriously and they allow you to communicate without having, you know, if everything gets jammed.

But thank God some dudes decided to go do some digging and unveil some less digestible truths about this app.

So this is a paper called "No Boundaries: Exfiltration of Personal Data by Session-Replay Scripts." So the title says it all.

So these are researchers from University of London and they performed what they call a security analysis on this app and SDK, the protestors' so-called best friend.

And they found, let me quote them, "Our results show that Bridgefy permits its users to be tracked, offers no authenticity, no effective confidentiality protections, and lacks resilience against adversarially crafted messages." So they verified all these vulnerabilities by demonstrating a series of practical attacks on the app.

And I've linked obviously to the papers, so you can go see that on the Smashing Security website.

And they say if protesters rely on Bridgefy, an adversary could track them, produce social graphs about them, read their messages, impersonate anyone to anyone, shut down an entire network with a single maliciously crafted message.
GRAHAM CLULEY
Oh, yoink.
ANNA BRADING
Wow.
CAROLE THERIAULT
So shitty, shitty security is what I'm saying.

So as a result, researchers conclude that participants of protests should avoid relying on this app until the vulnerabilities are addressed.

Now, I dashed, as soon as I read that, I dashed over to the Bridgefy website, right? To see if there was anything on there.

And I wouldn't mind if you guys went to that website, take a scan of their blog post. So this came out, look at the date that it came out.
GRAHAM CLULEY
Yes, just recent. Yes.
CAROLE THERIAULT
Very recent. Remember that the Twitter guy, the Twitter guy is the marketing brains behind this operation and a backer.

So it makes for an interesting read, 'cause we're all pretty strong at crisis communications.

We've had quite a bit of, you know, snafus in our careers that we've had to deal with, not of our faults, but that we had to get everyone else out of a pickle, right?

Sticky pickles happen. So let's see what you make of this post. So one thing I like, if you look down, you'll see there's a bulleted list.

So they say, these are things we are gonna fix, right? They say man-in-the-middle attacks done by modifying stored keys will no longer be possible.

One-to-one messages sent over the mesh network will no longer contain sender and receiver IDs in plain text. And people use this for privacy.

A third person will no longer be able to use the server's API to learn others' usernames. All payloads will be encrypted. So—
GRAHAM CLULEY
So it's all good news. That's what they're saying is good news. Great news. We're improving everything. There's even an exclamation mark near the top.
CAROLE THERIAULT
I know.
GRAHAM CLULEY
Isn't this great?
CAROLE THERIAULT
The tone bugs me because in a way they're doing what I'd like, they're doing what I want them to do. They're kind of coming clean, saying we are up— we're going to fix this.

And they do thank the researchers of London at the very bottom of the blog article, right? But this bugs me, the tone of this message.

Over the past year, we've learned a very valuable lesson. Users decide how an app is best used, not us. So not our fault, guys.

Our primary focus has been to provide users with a reliable way of communicating without the internet.

And while we never expected to become the default protest app, well, A, $2 million. And two, you, you claimed it in many articles. Yeah. Yeah.

So we're thankful that so many people have chosen Bridgefy as a communication tool to tackle blah blah blah. So I don't like it.
ANNA BRADING
Yeah. No.
CAROLE THERIAULT
And they don't apologize. I mean, I get it. Why play fast and loose with liability when it's your fault?

But they may have put a lot of people in danger and they've basically presented themselves as a secure place without actually having tested the app or cared enough to test it if they're making those calls.
ANNA BRADING
Yeah.
GRAHAM CLULEY
I've just been reading some of the technical details as to what was wrong with the app, and there's some very elementary security goofs which they made.

For instance, they've got an IDOR, the insecure direct object reference flaw.

This is one of the most commonly encountered flaws in online applications, a way of basically just changing a parameter and you can access someone else's details.
CAROLE THERIAULT
It's elementary to security dev world. Yeah.
GRAHAM CLULEY
Well, it really is. Now I'm sure that the chap from Twitter isn't maybe involved in the coding or whatever, but surely he has some influence and experience of trying to harden.
CAROLE THERIAULT
Let's get a pen tester and see how it does.
GRAHAM CLULEY
Well, you know, I think people, anyone involved in producing messaging apps, I think really needs to hire some hackers to hack themselves rather than wait for the bad guys to try and do it.
CAROLE THERIAULT
But I think the bigger problem here is that we've done our jobs very well, Anna and Graham, right? We've made security and privacy an important thing in people's lives.

We certainly helped with that fight over our little careers. So now people are using it as a kind of fashion statement or as a messaging purpose in order to get customers.

And it may not be true at all. So we can't believe the marketing stuff. You have to say, well, how do you do this? Show me, prove to me that you do this.
ANNA BRADING
This. Yeah.
CAROLE THERIAULT
And that puts a lot of onus on the buyer.
ANNA BRADING
Yeah. And it's hard for the average user to understand enough.
CAROLE THERIAULT
Now, this app is not yet ready. They say they're going to fix everything, and for those that are still diehard fans, that should be done in about 2 months, they say.

September, mid to late September 2020, they say. I'm going to guess October, November, having worked in the world for a while.
GRAHAM CLULEY
So don't use it until then. It's interesting what you say, Carole, about this idea of how it's been used as a marketing tool. You know, these concepts of security.

I'm just reading this blog post which you've linked us to here about their commitment to privacy and security.
ANNA BRADING
Yes.
GRAHAM CLULEY
And they've got these bullets of all the things they fixed. And then they write, what does this mean in plain English? It means using Bridgefy will now be much, much safer.

Well, my response to that is it means using Bridgefy has been up until recently and possibly for the next couple of months less safe than you imagined it was in the first place.
CAROLE THERIAULT
Yeah, a big fucking shit show, not at all what you advertised.
ANNA BRADING
Yeah.
CAROLE THERIAULT
That's what I think it is.

Anyway, wish you luck, Bridgefy, but it annoys me that people can go out and say, "We are end-to-end encryption," and tell journalists this and try to get away with it.

So I applaud the media outlets out there that are calling their attention to this, because this isn't cool.
GRAHAM CLULEY
And also, well done to the researchers who found the vulnerabilities, who haven't been paid, I imagine, and did it off their own back. And appear to have done a good job.
CAROLE THERIAULT
Yes. And anyone who's interested, please click on the show note link.
GRAHAM CLULEY
Which of those links should you click on?
CAROLE THERIAULT
Show notes. Hey, you IT security guys out there, I know that you have a tough job.

If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.

They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.

There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like? Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ANNA BRADING
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related. It has been the school summer holidays where I live. And also under lockdown means there's not much to do.

And one of the things that my son began to— he must have seen some YouTube video or something. He said, Dad, Dad!
ANNA BRADING
Oh, wow. Oh, that's your voice. What did Colin say?
GRAHAM CLULEY
He said, "I want to see the Marvel Avengers movies." And I thought, well, I've never seen any of those. Aren't there 80 gazillion of them?

And my wife expressed an interest as well, wanting to watch them. So we turned on Disney Plus for tenner or however much it costs a month. And we set off to watch them in order.

So we found an online list of how to watch the Avengers movies in order, because there's all these different characters and it's very complicated.
CAROLE THERIAULT
Well, is there really a list across?
GRAHAM CLULEY
Yes, oh, Carole, you've got no idea the complexity.
ANNA BRADING
My husband has been doing the same thing.
CAROLE THERIAULT
Do you watch this stuff, Anna?
ANNA BRADING
No. Anna doesn't watch anime, does she? I'm too busy reading books.
GRAHAM CLULEY
I found them incredibly tedious. I would typically last about 20 minutes before falling asleep or walking off.
ANNA BRADING
See?
GRAHAM CLULEY
Walking off to tinker with my website. I've got no interest in seeing robots fighting robots. It's bish bash, thump thump.
CAROLE THERIAULT
You're like, who gives a shit? It's like my dishwasher fighting my fridge.
GRAHAM CLULEY
Yeah, exactly, exactly. And when they've got masks on as well, there were a couple— the original Captain America movie, it's like, oh, they're humans.

They're humans in the Second World War. Okay, I can understand this. I can deal with it. Then he puts on his spandex and I'm like, oh, really?
CAROLE THERIAULT
Who wins? Who cares? You don't care.
GRAHAM CLULEY
Yeah. So we've been through about, I don't know, 10 of these movies so far. And each time I bail out quite early on because I think I can't watch this.
ANNA BRADING
10? Over a weekend?
GRAHAM CLULEY
No, I didn't say over a weekend. Over the summer holidays.
CAROLE THERIAULT
Oh, okay.
GRAHAM CLULEY
Although my son, he would watch 10 over a weekend, to be honest. Anyway, and then one came on, which is called Thor: Ragnarok, and it's different.

And I went, oh my God, this one isn't shit like all the others, because this one has got a sense of humor. This one, it's— they've changed it.

It's whoa, whoa, whoa, how come now it's not all posturing?
CAROLE THERIAULT
Tell us a joke. Tell us one of the jokes.
GRAHAM CLULEY
There's still— well, well.
ANNA BRADING
Go on then.
GRAHAM CLULEY
I'm not going to tell you a joke, but what I will do is I will link to the trailer in the show notes. And Carole, I will tell you who's in it.

Some of the people— that's Chris Hemsworth, right? Tom Hiddleston, Cate Blanchett, Mark Ruffalo playing the Hulk, and Jeff Goldblum.
ANNA BRADING
Ah, Carole!
CAROLE THERIAULT
Bonjour, bonjour!
GRAHAM CLULEY
Now I've said Jeff Goldblum, you instantly kind of get the kind of kooky kind of humor.
CAROLE THERIAULT
It's the opposite of Tom Hanks.
GRAHAM CLULEY
Right, exactly, which is going on. Let me just cross my legs.

Anyway, it's so interesting to see this movie franchise, and I don't know what the later Avengers movies are going to be.

Maybe they return to form, I don't know, or have been rubbish. But the Thor: Ragnarok, I thought, simply because it's a little— it's, or no, it's actually an oasis.

It's an oasis in this desert of nothing.
CAROLE THERIAULT
Okay, I want to go watch it. Come on, hurry on.
GRAHAM CLULEY
Well, I'm not saying it's that brilliant, but compared to the others, if you've made your way through the others, then thank goodness for Thor: Ragnarok, because it did make me laugh.
ANNA BRADING
If I watch it, am I going to have to have watched all the other ones to know what's going on?
GRAHAM CLULEY
Well, I haven't watched any of the other ones, because I can't bear it. And it didn't completely keep my attention the whole time, right?

But I could see it was so much better than the others. And it did amuse me and make me laugh occasionally, even though I didn't know who absolutely everyone was.

But I thought this is good, and I was pleased to see them make this positive step. And that is why it deserves to be my pick of the week, Thor: Ragnarok.
CAROLE THERIAULT
Yeah. Holiday August, Eilidh.
ANNA BRADING
That's right.
GRAHAM CLULEY
Anna, what is your pick of the week?
ANNA BRADING
So, who remembers the '90s?
GRAHAM CLULEY
I do. Yep, I was around then.
ANNA BRADING
What were you two doing?
CAROLE THERIAULT
I was partying.
GRAHAM CLULEY
I think I was at primary school.
ANNA BRADING
Were you?
CAROLE THERIAULT
In the '90s.
ANNA BRADING
Yeah, sure.
CAROLE THERIAULT
You must have been really smart. Were you twenty-five and studying?
GRAHAM CLULEY
I'd been held back. I'd been held back for about a decade and a half.
ANNA BRADING
Right, okay. So Graham was at primary school and Carole was partying.
CAROLE THERIAULT
Partying at uni, yep.
ANNA BRADING
Yep, okay. So, yeah, so in the '90s, I was at primary school, some of it, and secondary school for some of it. Show off. I'm very young.

We spoke a lot about the information superhighway and the World Wide Web.
GRAHAM CLULEY
Yeah.
ANNA BRADING
We got our internet via the AOL discs.
CAROLE THERIAULT
Oh, there you go.
GRAHAM CLULEY
Praise be to Al Gore for inventing it. What would we have done without him?
ANNA BRADING
Yes, well done, Al Gore.
CAROLE THERIAULT
Al Gore?
ANNA BRADING
Yes.
GRAHAM CLULEY
The internet superhighway, he did.
CAROLE THERIAULT
Oh, right. Is that his keyword? That was his—
ANNA BRADING
That was his branding. So we also worried about the Y2K or Millennium Bug.
CAROLE THERIAULT
Oh yeah, yeah. I was working then.
ANNA BRADING
Netflix and Spotify were in our fantasies only. And we were sort of getting our grips around mobile phones. What was your first mobile phone?
CAROLE THERIAULT
Nokia 3770, I think, something like that.
GRAHAM CLULEY
A Nokia, I think it was a 3310.
CAROLE THERIAULT
Oh, 3310 was the first one.
ANNA BRADING
No, 5110 was first. That's what I heard. And then 33 came after.
GRAHAM CLULEY
I think I had my first Nokia in about 1992. So I don't know what the model was.
CAROLE THERIAULT
Your young Nokia. I still have my handset upstairs.
ANNA BRADING
Do you?
CAROLE THERIAULT
Yeah, my first one. I didn't keep any others.
ANNA BRADING
Does Snake still work?
CAROLE THERIAULT
Oh, I did have Snake. That changed the bathroom behaviour, didn't it?
ANNA BRADING
Yes, no more shampoo bottles. And the battery lasted for a week.
CAROLE THERIAULT
It was brilliant. Yeah, and you can make phone calls.
ANNA BRADING
Oh, sadly no podcast though. Exactly, exactly. And you know, I don't talk to many people on the phone, Carole. I'll make an exception for you.

We played on Game Boys, SNES, PlayStations. Maybe I did, maybe you guys didn't.

I actually got RSI from playing too many games of Super Mario World, and I had to give up playing computers because of my rage for computer games.
CAROLE THERIAULT
I didn't know that. Yeah.
ANNA BRADING
Oh yeah, I can't. Oh, it's too much.
GRAHAM CLULEY
Well, you turn into the Hulk or something. What happens?
ANNA BRADING
Oh, it just makes me really angry in all walks of life.
GRAHAM CLULEY
Oh, that's just—
CAROLE THERIAULT
What if you don't win a game? If you lose a game?
ANNA BRADING
Yes. Or just the intensity of it. I put everything into it.
GRAHAM CLULEY
I remember playing chess against you. That was—
ANNA BRADING
Yeah, well, I didn't— I mean, I was never gonna win that, was I? There was no COVID. No Trump. No Brexit.
CAROLE THERIAULT
Well, there was a Trump, but not in the office.
ANNA BRADING
Yeah, not a Trump making so much hassle. And there was the music, of course. So we had Britpop in the UK.
CAROLE THERIAULT
Oh yeah, Oasis, Pulp.
ANNA BRADING
Yeah.
GRAHAM CLULEY
It was shit in the '90s, wasn't it?
ANNA BRADING
You brought music.
CAROLE THERIAULT
Music was excellent in the '90s.
GRAHAM CLULEY
Yeah, no, it was awful.
ANNA BRADING
What? DJ Jazzy Jeff and the Fresh Prince? Celine Dion? Hanson.
CAROLE THERIAULT
There were some great '90s acts.
ANNA BRADING
There were boy bands. Oh, don't get me started on all the boy bands.
GRAHAM CLULEY
I bet you were an East 17 girl, aren't you, Anna?
ANNA BRADING
Of course I was an East 17 girl.
CAROLE THERIAULT
Well, I couldn't name one song.
ANNA BRADING
Oh, there was East 17 and there was Take That, Carole.
GRAHAM CLULEY
There was no way you were a Take That girl.
ANNA BRADING
Take That for the good girls, and East 17 were not. There was obviously Backstreet Boys, there was NSYNC. I was all sorts.

Anyway, a personal highlight for me was Kris Kross, who were in America. I don't know, do you guys remember Kris Kross?
GRAHAM CLULEY
I have no idea what you're talking about.
CAROLE THERIAULT
Kris Kross, the K-K's, right?
ANNA BRADING
Yes, yes. And they were an American hip-hop duo who were both called Kris. But who inexplicably wore their clothes backwards.

I was actually sad to find out when I was Googling Kris Kross.
GRAHAM CLULEY
Have they got a new album out? Is this your pick of the week?
ANNA BRADING
I'm very sad to tell you that one of them actually died.
CAROLE THERIAULT
Oh dear.
GRAHAM CLULEY
I didn't know this.
ANNA BRADING
And so it was quite difficult for me.
GRAHAM CLULEY
Was he walking across the road backwards or something?
CAROLE THERIAULT
Was it something related to having his clothes on the wrong way round? The hood blew up over his face. Couldn't see where he was going, got hit over.
ANNA BRADING
I actually once tried dressing like Kris Kross for a day.
CAROLE THERIAULT
Backwards?
ANNA BRADING
Yes.
CAROLE THERIAULT
How did it go?
ANNA BRADING
It went really well. Middle-class white girl from the UK.
GRAHAM CLULEY
Come, come, you're not middle-class. You're an East 17 fan.
ANNA BRADING
That's true. Yeah, I had to let it out somewhere, didn't I? So anyway, my pick of the week is a podcast which is called Sounds of the '90s.
CAROLE THERIAULT
Oh, I've seen this being touted. Is it great?
ANNA BRADING
Annoyingly, it's just on BBC Sounds and not on any of the other podcast providers, which does irritate me. And it's Fearne Cotton.

So that's why I went, well, because I can't make up my mind whether I like her or not. But she relives the '90s through music, but also she's got guests on.

So she had Mel C and Geri from the Spice Girls. Tennis legend Tim Henman. And wait for this one, TV soap star Adam Rickett.
CAROLE THERIAULT
Do you know what? This is so smart of a podcast, isn't it?
ANNA BRADING
It's great.
CAROLE THERIAULT
They're all at home. They're Z-list now.
ANNA BRADING
Yeah.
CAROLE THERIAULT
Right? They're free.
ANNA BRADING
But they talk about songs of the '90s, and obviously there's a huge playlist, but they also talk about TV, film, clothes, soaps. All of it.

And because Fearne Cotton is a similar age to me, she's talking about things that struck a chord with me.

So it is a nice trip down memory lane for those of us who were around in the '90s. Graham might not remember because he was a bit young.
CAROLE THERIAULT
Or if people want to know what it was like, what we did when we didn't have phones. Yeah.
ANNA BRADING
Yeah. When you had to sort of make sure you were at your television for 5:10 for Home and Away and 5:35 for Neighbours.
GRAHAM CLULEY
We're sounding so old now, aren't we? Carole, what's your pick of the week?
CAROLE THERIAULT
I have a pretty good group of awesome friends. Like Anna, you're definitely in our tier zero zone, right? Graham, definitely solid two. Solid tier two.
ANNA BRADING
Still some work to be done there, Graham.
CAROLE THERIAULT
But I have a few other stellar friends, and one of them found herself in a bit of a situation. She has a daughter, a two-year-old brown multi-heritage daughter. This is her words.

And she just couldn't find any educational fun games or toys that would allow her to identify with, you know, so often you buy dolls for your kids and you buy someone that may look like them or that they can relate to, and she couldn't find any that matched her needs.

So what does she do? What does my friend Alexa do? She gets a bunch of people from around the world together and creates a toy. And it's, well, a game. It's called Super Sapiens.

And it's a deck of cards that focuses on inspiring women from around the world. And I've got a pack right here, and it's a 3-in-1 game.

So you have a snap game, a memory game, and a guess game. And it really— you can play with 3-year-olds to whatever age.

I think on the card she says— oh yeah, she says from age 3 to 103. So there you go. And some of the women who are featured, you have Fatima al-Fihri.

She was a Tunisian woman in the 1st century who founded the world's first university in Morocco.

And Marianne Cohn, a Jewish resistance fighter who snuck Jewish children out of Nazi-occupied France. So all of them are big topics.

And Alexa really believes that these are things that we should try and introduce to our kids slowly in a controlled way and in a way that's responsible so they can learn from you.
GRAHAM CLULEY
What do you do with the cards?
CAROLE THERIAULT
Well, you have a deck and you, for example, there'll be 3 pictures of the same person. So if you're playing Snap—
GRAHAM CLULEY
Oh, I see. Okay.
CAROLE THERIAULT
And each one has a picture or illustration of the woman, and then there's a brief description of them.

But it just lets those names go through your head and get into your mental image of what are great people. And oh wow, some of them are women. So it's cool.

Plus, 75% of the profits go to Black, Indigenous, and people of color-led organizations. So that's pretty cool too.

If you like the sound of this, then you can check it out because she's just opened her Etsy shop and I will put a link on the Smashing Security webpage.
ANNA BRADING
Very cool. It is very cool.
CAROLE THERIAULT
I was amazed because I remember her having the idea early on.

We were in the pub pre-Rona, and she just mentioned— she was saying about this, she goes, "I think I'm just gonna do this."
ANNA BRADING
What do you think? What do you think?
CAROLE THERIAULT
And I was thinking, oh God, that's hard.

You have to build, you know, you have to make something physical, you've got to store it, you've got to get it to people, you got to make sure, you know, there's so much involved.

I don't think I would do it. And she was like, "Oh, thanks for back." And then 4 months later, there it is. So I think amazing.
ANNA BRADING
Yeah.
CAROLE THERIAULT
So check it out, Super Sapiens, and you can find it on the Etsy shop. And well done, Alexa.
GRAHAM CLULEY
That's very cool. So Carole, I've had an idea which you can pass on to Alexa. Maybe she's already had this herself.
CAROLE THERIAULT
She might be listening since we're—
GRAHAM CLULEY
Oh, okay, since we're plugging her product.
CAROLE THERIAULT
Talk to her directly. Talk to her directly.
GRAHAM CLULEY
Hi, Alexa. I've had an idea. What about if people could pay you a bit of extra money and you could have some customized cards?

So then we could have a card with Carole Theriault, podcaster.
ANNA BRADING
Yeah.
GRAHAM CLULEY
Anna Dastashi, right? Or something like that. Or you could— so you could make a pack and give it to your friends.

Or I don't know, it's just— I'm just thinking, wouldn't it be fun to be playing this game? And you're not in there, are you, Carole? No.

You're not in the collection as far as you know.
CAROLE THERIAULT
I didn't make the cut.
GRAHAM CLULEY
Oh, I see.
CAROLE THERIAULT
Yeah. Okay. Somehow I didn't cure cancer or anything, so I didn't make it.
ANNA BRADING
Still time, Carole.
CAROLE THERIAULT
I've still got time. Exactly.
ANNA BRADING
I'm still young.
GRAHAM CLULEY
Get a move on.
ANNA BRADING
Yes.
CAROLE THERIAULT
Forever young.
ANNA BRADING
They could do, she could do a pack of cards that had the greatest IT people in history, eh, Graham?
CAROLE THERIAULT
Oh, that's where he was going. Ah, but there's only, he said greatest 11th, maybe we'd have to focus on the top 10.
ANNA BRADING
Yeah.
GRAHAM CLULEY
Well, on that controversial bombshell, we've just about wrapped it up for this week.

Anna, I'm sure lots of our listeners would like to follow you online, get in touch, offer you a job.
ANNA BRADING
I'm @AnnaBrading on Twitter. And yeah, send me your requests for my work. I'm available for all your content needs. Not all of them, you dirty people.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And you can also join our subreddit, go and look for Smashing Security up there.

And don't forget, if you want to be sure never to miss another episode, please subscribe in your favorite podcast apps, such as Apple Podcasts, Spotify, or Pocket Casts, and you will be updated as soon as we push out a new episode.
CAROLE THERIAULT
And thank you to all of you for listening, supporting the show, and sharing our work with your people. Also, high five to this week's Smashing Security sponsor, LastPass.

Its support helps us give you this show for free. Check out Smashing Security for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
ANNA BRADING
Bye-bye. Bye!
GRAHAM CLULEY
Oh dear, well look, I've almost run out of things to read on my shampoo bottle, so I'm gonna have to either flush or hang up.
ANNA BRADING
I'm about to go and find mine. I've got a new shampoo, so it's quite exciting for me.
CAROLE THERIAULT
Ooh, Anna living the dream!

Hosts:

Graham Cluley

Carole Theriault

Guest:

Anna Brading – @annabrading

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
