Smashing Security podcast #038: Gents! Stop airdropping your pics!

Computer security industry veterans, chatting about computer security and online privacy.

Smashing Security #038: Gents! Stop airdropping your pics!

WannaCry hero Marcus Hutchins (aka MalwareTech) pleads not guilty to malware charges, the Scottish parliament is hit by a brute force attack, IoT smart locks aren’t so smart, and... ahem... someone is sending intimate pics via AirDrop to unsuspecting commuters.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Before we start the show, we'd like to give a shout out to our sponsors. This episode of Smashing Security is supported in part by Recorded Future.

They're the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.

You should sign up for their free daily threat intelligence updates at recordedfuture.com/intel. And thanks to Recorded Future for supporting the show.

Smashing Security Episode 38: Gents, stop AirDropping your pics! With Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 38 of Smashing Security for the 17th of August 2017. My name is Graham Cluley, and I'm joined as always by my gorgeous co-host, Ms. Carole Theriault. Hello, Carole.
GEOFF WHITE
How are you?
CAROLE THERIAULT
I'm wondering how you can see me actually, as we're not in the same room.
GRAHAM CLULEY
I just remember what you looked like.
CAROLE THERIAULT
What, from 4 years ago when we actually hung out in person? I'm doing brilliantly. Thank you for asking.
GRAHAM CLULEY
Oh, smashing. And we are joined this week by a special guest, investigative journalist Geoff White.

Normally you'll see him popping up on Channel 4 News or the BBC talking about technology, sort of cybercrime stuff. But Geoff, hello, welcome to the show.

You are off to the Edinburgh Festival. You're doing a show called "The Secret Life of Your Mobile Phone." Tell us about yourself, what you do, and tell us about this show.

It sounds interesting.
GEOFF WHITE
Well, yeah, we've managed to sort of blag our way into the Edinburgh Festival, which is full of, obviously, full of thespians and actors.

So myself and a colleague of mine called Glenn Wilkinson, who's an ethical hacker or a penetration tester, to give it the more humorous name, are off up with our show to Edinburgh Festival.

So as you say, normally I cover cybersecurity full-time. I tend to do the more investigative stuff, the longer-term stuff.

The problem we had after a while was this whole thing of personal data.

The problem is it isn't personal data when these mega hacks happen and millions of records go missing, or when you expose some creepy vulnerability, people look and go, well, yeah, but that's not me, is it?

It's not my phone, it's not my data. So I realized that to really make data personal, you have to make it that person's data.

And the only way to do that is in a theater venue, with an audience face-to-face. So we cooked up this thing called The Secret Life of Your Mobile Phone.

We effectively take an audience of people, we hack their phones with their permission, I should point out.

We give them a significant warning at the beginning about what's going to happen. And then what we do is we track live and in real time where all of the data from their phones goes.

So we show them which countries it goes to, which companies get it, where they are in the world. We talk them through what a cookie looks like.

We show them what cookies they're throwing out.

And we also show them how the signals given out by their phones, mostly by Wi-Fi, can be used to kind of profile them and track them and target them.

And we also explain, by the way, we explain net neutrality using Mr. Potato Head. That's a high point.
GRAHAM CLULEY
Oh, we could have done with that in our net neutrality episode. We needed a way to explain it simply.
CAROLE THERIAULT
I think that sounds like a genius idea. Are you going to record this? Are people going to be able to watch it, even those that can't get up to Edinburgh?
GEOFF WHITE
We try, it's a tricky one. We try to keep the whole thing offline. There are highlights online, you can watch sort of clips online.

We try to keep the whole thing offline because, you know, it's our show and we want to try and stop people copying it, but because we have a Luddite mentality about copyright.

But B, also the whole thing works when you're actually in the room.

So putting it available online, we'd be back to the same problem of people thinking, "Oh yeah, I saw your show, but it doesn't affect me." Everybody who's seen the show so far, no one can walk out of that venue and not think it applies to them because it does apply.

We have shown it applying to your phone. So it needs to be up close and personal.
GRAHAM CLULEY
Cool. And of course, a criminal could do the same kind of thing which you and your ethical hacking friend are doing as well.

They could set up an evil twin hotspot, say, in a cafe or an airport. People just mindlessly connect to it, and they'd be able to see everything which you're seeing in this show.

I mean, it's a very real threat, isn't it?
GEOFF WHITE
It really is.

I mean, you know, as Glenn Wilkinson, the guy I do the show with, says, you know, this hack, what's called the karma attack, where you impersonate a Wi-Fi hotspot, you know, it's 10 years old, but it's still working for us.

And what's really scary is what you said there is people connect to a Wi-Fi hotspot.

Well, actually, no, you switch your phone's Wi-Fi on and it's automatically going to try and connect without you necessarily knowing.

So we just get the audience to switch their Wi-Fi on and that's it. They start connecting to the internet through our kit.

It's bewildering that this still works after this amount of time.
GRAHAM CLULEY
Well, it sounds like an interesting show.

Go and check out Geoff if you are up in Edinburgh, and we'll put a link in the show notes where you can find out some more about Geoff and his show.

What we're really here for is to talk about what's been going on in the wonderful world of computer security in the last week. We're all going to choose a topic and—
CAROLE THERIAULT
You should go first, Graham. You should definitely go first.
GRAHAM CLULEY
You think so? Well, I think first of all, maybe we just need to quickly touch on what's been going on with Marcus Hutchins, aka MalwareTech.

If you remember, he was the WannaCry accidental hero, the man who single-handedly crushed the WannaCry ransomware, which was ravaging the National Health Service here in the UK, by finding a kill switch for it.

And of course, he was hailed very much as a hero by everybody for what he did, which was fantastic. But—
CAROLE THERIAULT
Well, except for the guys who were running the attack.
GRAHAM CLULEY
Well, yeah, I suppose they weren't so keen, but Marcus got arrested, of course, after the DEF CON conference, he was in Las Vegas and he was caught as he was planning to board his plane back to the UK.

And he's now appeared in court in Milwaukee.

He's pleaded not guilty in connection, not with WannaCry, but in connection with another piece of malware, a banking Trojan called Kronos.

And there's a suggestion that he, well, the allegation is that he may have written code which ultimately ended up inside the Kronos malware.
GEOFF WHITE
There were some very odd, I was trying to follow this in terms of the comments made in the accusation against the allegation against him and also the comments made by his lawyer in the US.

And it was just very confusing in that there seemed to be contradictory messages about whether he was claiming he'd actually designed this piece of malware.

If so, whether he'd given it to anybody else.

I couldn't quite work out what the defense was going to be, and the defense seemed, from the quotes I read anyway, seemed to be a little all over the place.

I'd imagine though, if it comes to court, you know, who knows whether it will or indeed when, they'll have nailed that down.

But the weird thing is I don't think on your own computer designing a piece of software like this is necessarily a crime.

If I'm just designing it, it's the point at which you give it to somebody else, sell it to somebody else.

And I think that'll be, if this does, I say, you know, it does come to court, that'll be an interesting crux to this, I think.
GRAHAM CLULEY
It is.

I'm of the opinion as well, though I've been working in antivirus for 25-odd years, I do believe on your own computer, if you want to write malware, you go ahead and write malware.
CAROLE THERIAULT
Yeah, the problem though is everyone's connected to the internet. They're not writing it in a, you know, in a box.
GRAHAM CLULEY
But I've read the transcript of the hearing in Las Vegas, the initial hearing, and it is interestingly worded because it was slightly different to how some of the media the prosecutor said that Hutchins had admitted he had written code which had eventually ended up inside the Kronos malware, which isn't the same as saying you wrote the Kronos malware.
CAROLE THERIAULT
He could have written a tiny line of code that just fetches something that could be used both for good and for bad.
GRAHAM CLULEY
Absolutely.
CAROLE THERIAULT
It could have just been plugged in. It could be nothing. So I think right now everyone has to just hold their breath and wait, you know, until we get more information.

Because I agree with Geoff, it's hard to know what's going on right now.
GRAHAM CLULEY
The situation right now is he's pleaded not guilty. They've tagged him. He's now in Los Angeles. He works for a security company out there and he's back online.

You can follow him on Twitter as well, where no doubt he'll be tweeting away.

And so that's been one of the big stories of the week, but that wasn't actually what I wanted to talk about.

What I actually want to talk about was there've been some more brute force attacks against politicians' email accounts in the United Kingdom.

In this case, what's happened this week is Scottish Parliament has been attacked.

Staffers at Holyrood and members of the Scottish Parliament have been discovering that people have been trying to crack into their email accounts using this brute force technique, which isn't a sophisticated technique.

I mean, you can find automated tools freely available on the internet, which let you submit thousands and thousands of password attempts in seconds.

You know, it's like starting with Arnold Aardvark and working your way up. And we saw a similar attack a few weeks ago.

I think it was back in June against Westminster, against politicians in London.
CAROLE THERIAULT
Isn't it weird though, that they wouldn't be able just to discover it based on, you know, using software?

Wouldn't the government be using software to kind of go, "Hmm, a lot of traffic coming in from here."
GRAHAM CLULEY
So it looks like none of the accounts in this Scottish example have actually been compromised as far as we've been told so far.

But what's happened is some users have been locked out of their accounts.

And that actually suggests to me that maybe some of the preventative measures which they put in place to prevent a brute force attack from succeeding actually worked.

They detected that something unusual was going on, which would be, for instance, 1,000 attempts to log into an account and getting the password wrong 1,000 times.

You know, that sort of account lockout is a good idea. And that's a typical countermeasure which can be used against a brute force attack.

The problem with account lockout, of course, is that it locks out legitimate users as well.
GEOFF WHITE
You end up with almost denial of service attack, don't you, by default, because everybody's inconvenienced, you know?
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
That's right. And that's why I think it's not a good idea to lock out someone from their account after maybe 3 attempts.

But if you lock out someone after 30 attempts or 100 attempts, or if you slow down the attacks so people can only try a few passwords every hour or progressively make that delay between entering a new password, even a few seconds can make a dramatic difference to slow down a brute force attack.
CAROLE THERIAULT
Basically, you're saying they've locked out everyone in order to kind of safeguard the accounts is what?
GRAHAM CLULEY
No, I think some of the accounts, people automatically got locked out because there were so many failed attempts to log in.
GEOFF WHITE
These attacks, I mean, the brute force attacks are incredibly noisy. Yeah. If you look at any institution, whether it's the NHS, government, you know, a local council or a business.

You know, how many of these brute force attacks go on all the time? And is it just that it was Westminster and Scottish Parliament's turn, or was it a directed, targeted attack?

And if it's the latter, who on earth would do that? I mean, as soon as you get rumbled, you're locked out.

You know, it's exactly the opposite of what people who are interested in getting into an organization want to do, which is to be stealthy, get in, stay in, and stay undercover as long as possible.
GRAHAM CLULEY
It's strange, and it runs contrary to the story which we're hearing from some people. Some people have suggested, oh, this must have been a state-sponsored attack.
GEOFF WHITE
No, no, no. I'd be stunned, stunned if that was.
GRAHAM CLULEY
Exactly. It doesn't feel like that.

There are attempts made, for instance, you know, you get the LinkedIn breach database, the database of passwords which came out of LinkedIn years ago and other big hacks.

And you might try those passwords against particular people's credentials. But a brute force attack sounds a little bit dumber.

Although ultimately, you know, brute force attacks, given enough time, will work. It's just whether your site or your web service is going to allow a brute force attack to continue.
GEOFF WHITE
It's a great way to distract attention, isn't it, as well? If you're wanting IT staff to be focused elsewhere. Just saying. Yes.
CAROLE THERIAULT
Conspiracy theory number 12. I love it.
GRAHAM CLULEY
It's a bit like one of these Ocean's Eleven style heists, isn't it?

If you want to steal one thing, you'll divert everyone's attention to the hippopotamus in the lift or whatever it is that you've created as a huge distraction.
GEOFF WHITE
Don't remember that from the film.
CAROLE THERIAULT
I don't remember that.
GRAHAM CLULEY
It's a bit rude of me talking about Catherine Zeta-Jones like that, but it's— Oh! Is she even in it? I don't know. I have no idea what I'm talking about here.

But there are things you can do to prevent brute force attacks. And obviously put in more checks, heighten the security.

If you determine that unusual levels of attempted logins are happening, you could have a CAPTCHA in place, although CAPTCHAs can be irritating.

So you might want to use Google's reCAPTCHA or even their invisible one. You can demand stronger passwords from your users in the first place. You can have two-step verification.

Troy Hunt, who runs the Have I Been Pwned website— we should try and get him on the show sometime because we keep on plugging his sites— he's just opened a new product called Pwned Passwords.

You can actually download 300 million passwords that they know have already been breached.

When people create an account, you can run it past that database and you can say, actually, don't choose that password because we know that one's been breached in the past, and it might be a dumb password.

And that maybe will encourage people to use stronger passwords. Passwords, I don't know, but it seems like a neat kind of idea.
CAROLE THERIAULT
Well, once again, people, password managers are a good idea to think about.
GRAHAM CLULEY
Passwords, yeah, because they would generate stronger passwords for you. That's absolutely true. And long, complicated ones rather than people reusing them.

And there's also some great advice if you want to read more about brute force attacks over on the OWASP Foundation, the Open Web Application Security Project Foundation website.

I'll put a link in the show notes where you can read more about that. But yeah, politicians there, I wonder what they might have in their email which would be of interest.
CAROLE THERIAULT
Oh yeah, we've not seen any of that in the last few years.
GEOFF WHITE
Well, this is the thing. So, you know, with the Westminster attack, obviously 90 accounts were compromised.

I was slightly huffy that they put out the line that "only" in inverted commas, 90 accounts compromised.
GRAHAM CLULEY
You know what they actually— do you remember what they said actually, Geoff? They said less than 1% of the 9,000 accounts we look after.
GEOFF WHITE
So look, if you're a constituent of that MP, hang on, do they get written to to say, you know, sorry, some of your data is personal, very personal data potentially, of constituents potentially.

You know, imagine the ICO has been informed, but do users, do constituents get informed if data's been breached?

I mean, on the one hand, national security might say, oh no, don't tell anybody. On the other hand, it's like, well, this is people's data.

So I don't know what's going to happen with that.
GRAHAM CLULEY
We need an investigative journalist to look into this.
GEOFF WHITE
Get on it, Geoff, get on it.
GRAHAM CLULEY
Okay, Geoff, what have you got for us this week?
GEOFF WHITE
Well, I'm quite interested as ever in the Internet of Things, partly because the phrase winds me up like you wouldn't believe.

The internet is things, you know, it's always been the fiber optic cable switches, routers, you know, to say the Internet of Things is glibly assuming that it used to run on kind of hot air and bacon.

So the Internet of Things obviously is now a headline. And my favorite story from this week of the Internet of Things gone wrong is the digital locks, the remote access locks.

There's a company called LockState, who are a US company. As the name suggests, they make digital locks. These are connected to the internet.

And as such, which is probably quite a good feature, these locks can update themselves over the internet. Unfortunately, it seems that—
CAROLE THERIAULT
You don't even have to start, you could just go dot, dot, dot, and the rest was history.
GEOFF WHITE
Yeah.
GRAHAM CLULEY
Normally we'd be saying, thank goodness, there's finally an IoT device which can actually update itself. No, that's what we've been calling for.

And so, but now you're going to tell us—
GEOFF WHITE
You know, ordinarily nappies for adults are a great idea. So this update went out to a set of locks.

Unfortunately, the update applied to one set of locks, a newer version, but got applied to the older set of locks and, in sort of techies' parlance, bricked the locks.

The locks just stopped working. This wouldn't have been so bad. It's hundreds of locks, so it's not the thousands and thousands, but it is a significant number of locks.

And what makes it slightly more worrying is LockState are— describe themselves as a global partner for Airbnb.
CAROLE THERIAULT
Yeah.
GEOFF WHITE
Because of course, if you're trying to let somebody into your flat, you don't necessarily have to be there. You can remote lock, you can give them the code and so on.

So this caused problems obviously for Airbnb customers who are trying to get into properties. Now there's a few depressing things about this story.

Number one is the fixes that were offered by this company were, well, one of them was take the back off the lock, send it to us. We'll update it. We'll send it back to you.

That could take about a week.
CAROLE THERIAULT
Are they paying postage?
GEOFF WHITE
I don't know whether they're paying for, you know, hotel accommodation while I'm locked out of my flat.
GRAHAM CLULEY
Exactly.
GEOFF WHITE
Changes of adult nappies. But the response was slightly lackluster. A lot of customers felt also looking at LockState's Twitter feed.

I mean, it's in the tweets and replies, you know, there's a lot of people saying, oh God, I'm locked out. What can you do?

And in fairness, LockState were contacting me on Twitter and reaching out fine. But on the front page, of LockState's Twitter account.

And last time I checked their website, there's barely a mention of this. And I just feel, you know, it's not like nobody knows this has happened.

I understand you kind of don't want to make a huge fuss about it, but the fact that on the front page of your website you don't have a thing saying, look, we're on it, here's the deal, I find that a depressing response in this day and age.
GRAHAM CLULEY
And it's all so common, isn't it, that organizations, they'll have a breach and they may even admit they've had a breach, but you go to their website, you go to their Twitter account, and you won't find a mention of it, or it's so hidden away in a PDF somewhere on their website.

And there should always be a single line of something just saying, yeah, we screwed up, but look, here's what we're doing about it.
CAROLE THERIAULT
I've been a crisis PR person for a number of years. And yeah, I think the number one advice is don't hide your failings.

If you can kind of own up quickly and solve it as fast as possible, I think we all like it better.
GRAHAM CLULEY
Like Donald Trump did this week over Charlottesville, for instance, he recognised he'd caused a problem. He may be—
CAROLE THERIAULT
How long? 48 hours?
GRAHAM CLULEY
He misspoke. Yes, but he misspoke, but then he came back, Carole, with a much better stat— Of course, then he came back again. Yeah, flim-flam. And made it worse.
CAROLE THERIAULT
'Cause he likes to get his facts right.
GRAHAM CLULEY
He does. He's very keen on that.
CAROLE THERIAULT
Very keen on that.
GEOFF WHITE
The other thing, the thing I find most depressing about this entire LockState story is, you know, thankfully this system comes with a failsafe.

There is a key that can activate the lock. And I just imagined myself getting my brand new LockState lock and fitting the door and thinking, "Oh, there's a spare key. That's great.

It's a really good idea. Where shall I store that? I'll store that in my flat." Yeah, underneath the welcome mat.

Because if you have to carry the key around just in case the lock goes wrong, what was the point of having the digital lock in the first place?
GRAHAM CLULEY
It's nonsense.
GEOFF WHITE
But there is actually, on the subject of locks, there has been a nice fun story, a happy story about a family who were locked out of their Toyota Estima.

Yeah, this is the Higgins family. Father John lost the key to the imported car when he bent down to tie his son's laces one day.

Well, immediately I'm, you know, how would you— is he standing above some furnace or something?

What's— how do you— the key goes missing under strange circumstances, but it's the only key that will work on this car because they haven't got a spare because it's an imported, I think a secondhand version.

So friendly neighborhood hacker, because he put out a, you know, a Facebook alert for this lost key. Has anybody found it? We're locked out of our car.

It's months, I think, they were locked out of the car, just pushing it around a wheelbarrow. And eventually this hacker says, well, I can probably help you out.

They wheel it to a garage where the hacker unpacks the electronic systems behind the car, finds the chip apparently on which the key code is stored, and recodes the chip with the new key, and they get into their vehicle.

So happy ending, although you then think hang on, how many hackers can do that?
CAROLE THERIAULT
I just would have broken the window.
GEOFF WHITE
Well, but then you can't start the car. You've got to cure a car with a broken window.
CAROLE THERIAULT
I'm sorry, I was thinking back to when I actually did that before IoT and cars.
GEOFF WHITE
Yeah, you've got a literal wheelbarrow in that case. People just chop litter through the broken window and have people sleeping in it.
GRAHAM CLULEY
I'm just feeling sorry for this family who went on holiday with their Toyota Estima, presumably got locked out of the property because it was using one of these smart locks, thought, okay, we'll spend the night in the car.

Oh no, we can't get in that either. You've got all these bricked devices left. What you actually need is a real brick.

We should all carry a brick around so we can smash a small window in order to get into our properties or into our cars.
GEOFF WHITE
I sometimes get accused of being the tinfoil helmet man.
CAROLE THERIAULT
You're in good company here.
GEOFF WHITE
I'm in the company of the brick man. Brick solution.
CAROLE THERIAULT
Yeah, you guys could become superheroes.
GEOFF WHITE
Brick man, brick man and tinfoil helmet. It's a terrible metaphor.
GRAHAM CLULEY
All right, Carole. So what have you got for us this week?
CAROLE THERIAULT
Well, Bluetooth. I want to talk about Bluetooth. All right. So these days, we've got many devices that have Bluetooth switched on all the time.

This is largely thanks to the popularity of wireless headphones and wearables, not to mention all the IoT devices Geoff was just talking about, or even retail apps, those things that track you around stores, you know, that offer you click and collect or in-store navigation functionality.

But I'm thinking that not many people are actually managing the Bluetooth restrictions as well as maybe they should.

So we want to just look into how they can do that on iPhone particularly. And I want to talk about AirDrop in a second.

So this was inspired by a story in the New York Post earlier this week. This is involving 28-year-old Britta Carlson, who was on a New York train heading to a concert.

And her phone makes this weird sound, right? The one that she's not familiar with. And so she looks at the phone, there's a message displayed and it says, 'iPhone 1 would like to share a note with you.' She hits accept and was horrified with what she saw.
GRAHAM CLULEY
We're on Tinder.
GEOFF WHITE
What did she say?
CAROLE THERIAULT
I'm going to quote here. I'm quoting, 'It was just a huge close-up picture of a disgusting penis,' unquote.
GRAHAM CLULEY
I don't think we needed the word disgusting. Surely they're all disgusting.
CAROLE THERIAULT
Yeah, and she said that it really felt like someone had just flashed her. That's what she said, right? So of course then she's panicking about who sent it.
GEOFF WHITE
It.
CAROLE THERIAULT
Now, the image was sent— she has an iPhone— so the image was sent via AirDrop.

And now AirDrop is this neat little feature in Apple which makes use of Bluetooth to create a kind of peer-to-peer Wi-Fi network between devices.

So each device creates a firewall around itself, and the connection and the files that are sent are encrypted.

So this is great if you want to share pictures and files with friends and family and colleagues, maybe even YouGram, right?

Not so great if the settings are allowing anonymous strangers to send you pictures of their genitals.
GEOFF WHITE
So you can, so there must be a setting somewhere in the phone where you can either accept or—
CAROLE THERIAULT
Hey, hey, I'm getting to the advice section. I'm getting there. Just slow down, buddy.
GEOFF WHITE
Oh, I'm sorry, sorry, sorry, sorry.
CAROLE THERIAULT
So the thing is, the thing is that the Bluetooth tethering range is limited. So that basically means that someone that's using AirDrop has to be nearby.
GRAHAM CLULEY
She knew the person who was sort of willy waving at her was—
CAROLE THERIAULT
No, 'cause she was in the subway. Yeah. But it had to be someone close by, maybe in the same carriage.
GRAHAM CLULEY
Something like that.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Crikey. Yeah.
CAROLE THERIAULT
Right. And that nearby penis.
GEOFF WHITE
It's a nearby penis. Penis proximity.
CAROLE THERIAULT
So the message she got was just titled Straw, and it was sent basically by an anonymous stranger. She couldn't locate the perp, right?

And it turns out that Apple's AirDrop doesn't keep a log of these transactions.

So I have seen reports of people saying, oh, anyway, people are saying we can find out who sent these. I can't. I don't see how that can happen if Apple couldn't do it.
GRAHAM CLULEY
If there was a national database of penises, it would be possible to do some sort of penis recognition.
CAROLE THERIAULT
Didn't we cover— didn't we have some porn site?
GRAHAM CLULEY
Dave McClelland, who was a guest a few— yeah, Pervert, yes, who was on our show a few weeks ago, who was talking all about a porn site which was asking you to photograph— I don't know why he talked about this, but he was talking about a website which is using penises for authentication purposes.

That's right. And was asking you to upload images to it. I mean, if Apple worked with that company, presumably maybe there'd be some correlation which could be drawn.
CAROLE THERIAULT
Honestly though, as a girl, I mean, I don't know, as a girl, you guys tell me if I'm being a, you know, genderist, but I think I'd find that really disturbing.

If, you know, I'd probably laugh out loud, but then I'd panic that I insulted the perv when I realized that he was just around, right? Peacocking at me and waiting for my reaction.
GEOFF WHITE
So this goes, but I mean, bluetoothing, I think it was called bluetoothing back in the day, because when Bluetooth first came out, you could send unsolicited messages, unsolicited contact.

And I thought that had been for exactly that reason, that bluetoothing became this thing where you'd try and, if you heard a shriek at the other end of the train carriage, you knew you'd hit the right spot or whatever with your offensive message or rude message or whatever.

But I can't believe that they've brought that vulnerability back.
CAROLE THERIAULT
Well, there are ways to handle this.

There are things that you can do and I would recommend, I know, you know, I'd recommend you talk to everyone around, check your kids' phones and your family's phones to make sure the settings like this.

So number one, let's talk Bluetooth, right? So Bluetooth, you can basically toggle between on and off. And that basically means I'm discoverable or I'm not discoverable.

Now Graham and I, before the show, had a little bit of a barney about Bluetooth because I'm a person who likes to have it turned off because I don't need every supermarket I go into to, if I have my Bluetooth turned on, to know what aisle I'm going down to try and gamify it better so that I buy things I shouldn't buy, right?

I don't need to know that I go down aisle 3 all the time. So I find that a bit disturbing. But Graham, you seem to be fine.
GRAHAM CLULEY
Framing me. I do have Bluetooth turned on on my phone, but I'm very careful about what I allow to connect to it.

And certainly with AirDrop, which is the iOS technology which has been used to spread these rude pictures, I do use AirDrop.

I have a use for AirDrop inside my office, but what I only do is I only allow people who are contacts to send me an AirDrop message.
CAROLE THERIAULT
Well, that's exactly the advice, isn't it? So with the AirDrop, so iPhone users, you can just check your AirDrop settings by swiping upwards on your home phone from the bottom.

And if you do, you can see whether your AirDrop is turned on or off, or if it's allowing it for contacts or for everyone.

And if you've got everyone there, tsk, tsk, tsk, turn that off and choose contacts only.

Although contacts is also an interesting choice because I have a lot of people in my phone whose penises I don't want to look at. Maybe I should have a penis contact list.
GEOFF WHITE
I think penes is the plural.
CAROLE THERIAULT
My favourites. Favourites.
GRAHAM CLULEY
The penes.
GEOFF WHITE
On a more serious note, if I can, I was going to say I was dying to squeeze that one in there, but let's move on. Look at what's behind this.

What's interesting is there's an entire edifice behind the drive behind Bluetooth, because what's interesting is everybody switched their Bluetooth off because it used up batteries and it's annoying.

We now have Bluetooth Low Energy.

And what's interesting is because Bluetooth is such a short-range thing, and because, as you say, they can tell which aisle, not just which aisle in the supermarket, they can tell which vegetable you're in front of.
CAROLE THERIAULT
They can see what tampons I'm looking at. It's really annoying.
GEOFF WHITE
Exactly.

Now, what's interesting is the drive among advertisers are super, super excited about this, and marketers, because they can do really localized advertising, coupons for that brand of tampon or that vegetable, whatever.

But in order to do that, people have to have their Bluetooth switched on.

Now, at the moment, they can do, if they want, they can do push notification if they change the systems, which means you have no option.

Your phone comes up with a, "Hey, Geoff, you're in front of the potatoes, buy some." I feel the industry is holding back from that because they don't want to creep people out.

But as you start to get Bluetooth headphones, as you start to get Bluetooth enabled by default, these advertising methods are going to start coming through.

I really think we're going to see a boom in this.
CAROLE THERIAULT
I actually recently bought an iPhone and I bought the 6S so I wouldn't have to deal with the whole wireless headphones, which would require me to have Bluetooth on all the time.

And the reason Graham, for example, needs Bluetooth on all the time is 'cause he uses it in his car. So he pairs it with his car 'cause he's got a fancier car than I have.

So there's a lot of technology out there making it very easy for people to have it on all the time. And I think there is a cost.

The other cool idea here is that you can actually, so when your Bluetooth is turned on, you are effectively discoverable. And it might be a good idea to change your phone's name.

And you can do that in Settings, General, and About.

So using a code name or initials or something that doesn't infer, well, in this case, as we're talking about dick pics, infer gender or age might be a good thing.

If you had John Smith written there, maybe you'd be less likely to get that.
GRAHAM CLULEY
I think that's a good idea. I changed the name of my iPhone to Carole Theriault. And the number of penis pictures I'm now getting is enormous being sent to me.
GEOFF WHITE
It is, just going back quickly to, you know, to the show that we do, that we're doing up at Edinburgh, it is astonishing the number of people who name their phones after themselves.

And what we do in the show is we show where people, you know, we can find people's work Wi-Fi networks, who know where they work. We can locate their home Wi-Fi.

We can also then tell what their name is. So you get a—
CAROLE THERIAULT
Yeah, but Geoff, I'm not sure that's fair because I think when you get a new iPhone, it says, what's your name? And then it automatically assumes you want to be called by your name.

So I think it actually might be in the setup section. So it's a good idea for everyone, just check your phone's name, you got Settings, General, and About on the iPhone.

Just see what's written there and maybe change that to make it a little less all about you.
GRAHAM CLULEY
At least that during setup isn't asking you for your stripper name or your porn name.

And then it would get, of course, what is it, your mother's maiden name and the street where you used to live, which obviously would be useful information for thieves as well.

But the advice you are giving people, Carole, is if you're going to have AirDrop on, make it contacts only. Of course, this—
CAROLE THERIAULT
If you're going to have it on, I say turn it off whenever you're not using it.
GRAHAM CLULEY
Okay, but sometimes there are situations where you want it on.

In this particular case, this victim on the New York underground system, she had enabled it so everyone could contact her. I think she was using it like that for her office.

Wouldn't it be great if Apple gave you an option of saying, turn it on for everybody but only for half an hour, and then switch back to contacts?

Because you will forget to change it back.
CAROLE THERIAULT
I love that idea. Yes, call them now. That's a great idea.
GRAHAM CLULEY
I'll have a word with Tim.
CAROLE THERIAULT
Yeah, no worries. Now, one thing, I saw a lot of articles about this piece this morning, and there's a lot of in the titles I'm seeing cyberflashing, you know, a trend.

I don't think via AirDrop it is a trend. From my research this morning, I don't think it's been happening very often. I saw one case in 2015.

There was a few in 2016, but I haven't really seen any others. So I think that is a bit of hyperbole.

However, there is a problem with— and there's many reports of women on dating apps receiving unwanted pics of male junk.

So that led to this interesting and related conundrum for me. So we all know that flashing in public is illegal in most places that I frequent anyway.

In the US, for example, indecent exposure— basically, I think that you have to purposely display your genitals in public causing others to be alarmed or offended.

And in the UK you can get a 2-year prison sentence if you're convicted under the Sexual Offences Act.

However, it seems to be quite gray as to whether sending someone a dick pic, for instance, is considered indecent exposure. So it's this digital problem of cyberflashing.
GEOFF WHITE
It's interesting because it's not actually— it's not publication or exposure generally, is it, to the public?

You're actually targeting it to a specific person, albeit a stranger you don't know. But there's indecent communications legislation.

So if you send someone a picture through the post of your junk—
CAROLE THERIAULT
Yeah.
GEOFF WHITE
So maybe that's the legislation that would apply. But you are— I don't think flashing legislation would apply to that.
GRAHAM CLULEY
Yeah.
GEOFF WHITE
Barrack room lawyer here.
CAROLE THERIAULT
No, but I think you may be right. And it's very— it's going to get grayer and grayer as our world becomes more online.

How do we apply our old laws to this new world that we're living in? Yeah, very deep.
GEOFF WHITE
Yeah.
GRAHAM CLULEY
Well, thanks, Carole.
CAROLE THERIAULT
Nice.
GRAHAM CLULEY
Anytime. Cheery note to perk us up.
CAROLE THERIAULT
Get it?
GRAHAM CLULEY
Really? We're gonna make innuendos about the word.
CAROLE THERIAULT
You didn't even laugh at my peacocking joke. I thought that would.
GRAHAM CLULEY
I didn't notice it.
CAROLE THERIAULT
Oh, well, I was talking too fast. Above your head.
GRAHAM CLULEY
Let's find out who our sponsor is this week, shall we? Who is going to be our sponsor this week?
GEOFF WHITE
Sponsors.
GRAHAM CLULEY
Yeah, we love sponsors. Are you going to interrupt me? I thought you were going to interrupt me. Say, Graham, who's the sponsor? Graham. Hi, Graham. Let me guess. Hi. Hi. Hi.
CAROLE THERIAULT
Graham, who's our sponsor this week?
GRAHAM CLULEY
Our sponsor is Recorded Future. You know them. They're cool. They do all kinds of cool things.
CAROLE THERIAULT
Like?
GRAHAM CLULEY
They look on the web. They look on the dark web.

They peruse the internet in its darkest corners and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity.

And then they bundle it all up. They wrap it up in a beautiful ribbon and send it to you in a free email.
CAROLE THERIAULT
If you want to be ahead of the game, I guess you get their free daily email.
GRAHAM CLULEY
Of course you do. But first of all, you've got to sign up for it. Otherwise they won't know to send it to you. They're not that clever. Go to recordedfuture.com/intel.

And thanks to Recorded Future for supporting the show. Welcome back to the show. And it's our favourite bit of the show. This is what we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Gotta say it, Geoff.
GEOFF WHITE
Pick of the Week.
GRAHAM CLULEY
Thanks, Geoff. It's important.
GEOFF WHITE
I feel cheap.
CAROLE THERIAULT
You can have a shower after this.
GRAHAM CLULEY
Hey, look, we've plugged your Edinburgh show enough. You can at least say Pick of the Week for us.
GEOFF WHITE
Pick of the Week.
GRAHAM CLULEY
So Pick of the Week could be a funny story, a book that we've read, a TV show, a movie, a record, an app. It doesn't have to be security-related necessarily.

And my pick of the week this week, I'm a bit of a chess fan. I'm not very good at playing chess, but I love chess. And right now there is an incredible tournament going on.

It has been going on for a few months. It'll be going on for a little bit longer. It's going on around the world, but right at this specific moment, the Grand Chess Tour is in St.

Louis in America where they are having a rapid and blitz chess tournament. I know I can hear the excitement right now.

No, no, no, it's not boring because normally a chess game will last about 4 or 5 hours, which I accept maybe not everyone will enjoy watching, right?
CAROLE THERIAULT
You don't even get cucumber sandwiches, though, do you?
GRAHAM CLULEY
I bet. It is fantastic though. Anyway, what's happening right now is a rapid and blitz tournament.
GEOFF WHITE
So it's only 4 hours.
GRAHAM CLULEY
No, no, no. So the rapid tournament, you have about 25 minutes each, and the blitz tournament, I think you have about 5 minutes each. So this is rapid fire chess.
GEOFF WHITE
This used to be called bullet chess, wasn't this bullet chess?
GRAHAM CLULEY
There is bullet, there's blitz, and there's rapid.
CAROLE THERIAULT
I don't know a lot about chess, so you're saying in this rapid chess someone has 5 minutes to make a move or finish a game?
GRAHAM CLULEY
In blitz chess, yeah, yeah.
CAROLE THERIAULT
No, no, 5 minutes to make a move?
GRAHAM CLULEY
No, no, the whole game.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And then you're clocked out. So as Geoff's just said, there's also bullet chess where I think it's just a minute for the entire game, and you've never seen anything like it.

It's so exciting. Anyway, there are some amazing players. Levon Aronian, crazy player. He's been doing some fantastic games.

Hikaru Nakamura, and the return after 12 years, the incredible Garry Kasparov is back from retirement playing chess. And it's terrific to watch.

You can watch this live streaming on the internet. Oh no, it's not mate because he could go to d6 anyway. Knight c6 is King d6.
CAROLE THERIAULT
Oh, and Garry is playing Knight c6. Queen takes c6.
GRAHAM CLULEY
It was mate because of Queen d7, but now he's— oh, he's winning the queen back!
CAROLE THERIAULT
Yes, he's playing Rook d6.
GRAHAM CLULEY
He's winning the queen back!
CAROLE THERIAULT
Rook d6. And what's that pawn endgame?
GRAHAM CLULEY
And the pawn on f4—
CAROLE THERIAULT
What's the pawn endgame? Look at Garry, he's devastated.
GRAHAM CLULEY
The pawn on f4 is winning.
GEOFF WHITE
Oh my goodness.
CAROLE THERIAULT
After Queen takes d6, King d6 takes on f7, the king is coming back to e7. Wow, wow, that was very exciting, but not exciting in the way that Garry Kasparov's fans would have had it.
GRAHAM CLULEY
Oh my God, I feel a chill. I feel this stone cold chill. I can't— I'm— you can go and check it out on YouTube.

I'll put a link in the show notes as well, so you can— and there's live commentary on the games as well.
GEOFF WHITE
You have insomnia?
GRAHAM CLULEY
I know. Hey, I've basically been doing no— don't tell the wife— I've been doing no work all week because I've been watching these broadcasts.
CAROLE THERIAULT
Does she like being called 'the wife'?
GRAHAM CLULEY
Well, she is 'the wife'. She's not 'a wife'. I can't say 'a wife'. Why would I tell a random wife? I'm telling my wife.
CAROLE THERIAULT
Oh, okay.
GRAHAM CLULEY
But that's just possession as well. That could cause controversy in the household. Anyway, go and check it out if you're into chess. If you're not into chess, don't go and watch it.
CAROLE THERIAULT
Well, let's hurry up the show so I can go check it out.
GRAHAM CLULEY
Alright, alright. Geoff, Pick of the Week.
GEOFF WHITE
Tell us your Pick of the Week. My Pick of the Week is tech-related actually, but in a sort of vintage tech-related way. The demise of the LoveFilm DVD-by-post service.
CAROLE THERIAULT
They're still doing that?
GEOFF WHITE
Yes. And that just shows, doesn't it, how out of touch you are with the diversity of people in this country.

You know, my mum, for example, I went home to visit and she said, "Oh, should we watch DVD?" And I sort of felt like being invited on the Antiques Roadshow.

And so they've got— so this is basically, you know, Amazon like, nope, streaming is the way forward. DVDs no more.

And obviously that does throw up the question of what they do with all of the old DVDs. LoveFilm's catalogue covers apparently more than 80,000 titles.

Amazon has told the BBC that they will donate the DVDs to charity partners. And I just have this image of a guy going to Oxfam with bin bags. Here you go.
GRAHAM CLULEY
And Oxfam's like, whoa!
CAROLE THERIAULT
You know what, actually, that would be amazing for a lot of charities, actually. You know, I can imagine that would be a good thing.
GEOFF WHITE
I don't know. I'm interested what charities think about this. They must get inundated with these old rubbish DVDs. Oh, here's my All Creatures Great and Small collection DVDs.

Do they actually manage to sell any of that stuff?
GRAHAM CLULEY
They're probably pleased people have finally stopped bringing in their AOL sign-up DVDs and things like that. LoveFilm ones. Oh, Craig will shift these now too.
CAROLE THERIAULT
They don't have to go to charities that are actually reselling. It could actually just go to a place which is helping people, you know, just be on the shelves. I don't know.

Not everyone can afford a Wi-Fi connection, you know, a strong one for streaming. So I don't know. I think it could be really good if they do that.
GEOFF WHITE
That is true. But I used to love the DVD. I used to love getting those little packages.
CAROLE THERIAULT
Me too.
GEOFF WHITE
And that little thing they had that kept the discs in, and then you'd return them and you'd think, what's next on my list? Oh, it's rubbish.
GRAHAM CLULEY
Yeah, it was kind of at the time it felt revolutionary. They had such cool little envelopes, didn't they? Which sort of folded over.
CAROLE THERIAULT
And isn't it 3 a month you were allowed for a fixed fee?
GEOFF WHITE
For several years I managed to keep doing the free trials with different email addresses. I probably wish I shouldn't say that on the podcast, but—
CAROLE THERIAULT
You're the one that led to their demise.
GRAHAM CLULEY
So now we're all wondering why they've gone kaput.
CAROLE THERIAULT
RIP LoveFilm DVD. We know who's responsible.
GEOFF WHITE
I think Amazon have a bit of money though, right? I seem to remember them being quite profitable.
GRAHAM CLULEY
He's all right.
CAROLE THERIAULT
Well, the main guy does. We don't know about anybody else.
GRAHAM CLULEY
None of the rest of them are making any money, but Geoff is doing all right. Not our Geoff. Geoff Bezos.
GEOFF WHITE
Geoff spelled the wrong way.
GRAHAM CLULEY
Yes, exactly. So your pick of the week is basically the death of LoveFilm, is that what you're saying?
GEOFF WHITE
The death of the DVD generally. Oh yeah.
GRAHAM CLULEY
That is strange, isn't it, that technology is already gone?
GEOFF WHITE
I own stuff. I'm a big owner of stuff because then no one can take it away from you or change it.

So this is a really interesting thing, you know, if we're streaming all the films now, they can change the films they did with Star Wars, this big controversy about that.

So I'm slightly worried by the fact that if the studio says, actually, we're going to recut this film, put out a new version, if I had the DVD, they couldn't take that back.

Whereas now, I know this might sound paranoid, but I do just, you know, I own the stuff. It's control, it's power.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Mine is brain food for those fascinated by science, morality, culture, politics, life. And this is the podcast called Waking Up with Sam Harris.

Now, Sam Harris is no small-time fish. He's written a number of books. He's considered quite a genius in many, many circles.

But I had never listened to his podcast and someone recommended it to me.

So I took a listen as I was on my way to Cambridge last weekend, and after only three episodes, I am delighted and feel much brainier, which, you know, it's hard for me because I'm, you know, I'm up there on the scale.

So as I was talking about cyber flashing earlier, I would recommend checking out the episode called Living with Violence, a conversation with Gavin de Becker.

Now, de Becker is a three-time presidential appointee. He did pioneering work changing how U.S. governments evaluated threats to the highest officials.

He looks after lots of people in Hollywood. He's the business.

In fact, years ago when I was on my way to university, my dad actually sat me down and made me watch a PBS episode with him explaining how women could protect themselves better on the streets, on their own.
GRAHAM CLULEY
So he's a guest on the latest Sam Harris.
CAROLE THERIAULT
So he's a guest on the latest Sam Harris podcast, and the whole format is really a kind of conversation between Sam Harris and experts in their field.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
So I definitely would check it out. So check out Living with Violence in Conversation with Gavin de Becker and get smarter.
GRAHAM CLULEY
And the podcast is called Waking Up with Sam Harris. Yes. Okay.
CAROLE THERIAULT
I can say it a 15th time if you.
GRAHAM CLULEY
Ouch.
CAROLE THERIAULT
Burning hot today. Burning hot.
GRAHAM CLULEY
Well, as you're such hot stuff, have we got any other business for our listeners this week?
CAROLE THERIAULT
We have a new Facebook group, which Graham is managing beautifully. You can find it at smashingsecurity.com/facebook. And you can buy a t-shirt.

We were talking last week about a global thermonuclear war. So the cotton here is good. It'll protect you. You can find it at smashingsecurity.com/store.
GRAHAM CLULEY
Yes. And I checked just before we started recording, someone has bought a t-shirt and they've bought a sticker.

And I think the sticker, the t-shirt combined with a whole bunch of LoveFilm DVDs, you could create a shelter out of them, I think, if there is a nuclear winter.
GEOFF WHITE
This is dangerously close to false advertising, you guys.
GRAHAM CLULEY
There's so many lawsuits coming your way. So on that note, I think that's just about all we've got time for. So, thank you for tuning in. Thank you, Geoff, for joining us this week.

Really appreciate it.
GEOFF WHITE
And it's been a pleasure.
GRAHAM CLULEY
Good luck with your show up in Edinburgh. I hope it goes well.
GEOFF WHITE
Thank you.
CAROLE THERIAULT
Yes. Best of luck.
GRAHAM CLULEY
If you at home enjoyed the show, please tell your friends. Let us know what you think.

You can go to our website, smashingsecurity.com, or drop us a line at , or even leave us a little review on somewhere like iTunes.

That'd be nice, wouldn't it, Carole?
CAROLE THERIAULT
Yes. Or anywhere else.
GRAHAM CLULEY
Why not?
CAROLE THERIAULT
Feedback's good. Feedback is good.
GRAHAM CLULEY
Until next time, toodle-oo, bye-bye. Bye-bye! See ya! Oh, don't say cheerio then, all right, just be me then. All right, see ya! Carole doesn't say— she never can say goodbye.

It's the—
GEOFF WHITE
I can't say goodbye.
GRAHAM CLULEY
Exactly. Geoff got it.
CAROLE THERIAULT
It sounds lame. How many people say goodbye?
GRAHAM CLULEY
Well, I just think it's polite. You know, we're a friendly show.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Geoff White – @geoffwhite247

Show notes:

Sponsor: Recorded Future
This episode of Smashing Security is made possible by the generous support of Recorded Future – the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats. Sign up for free daily threat intelligence updates at recordedfuture.com/intel. Thanks to Recorded Future for their support.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
