Smashing Security podcast #058: Face ID, Firefox, and Windows SNAFUs, plus Bitcoin FOMO

Three industry veterans, chatting about computer security and online privacy.

Graham Cluley

One year ago, a couple of buddies and I thought we should make a weekly security podcast. Today, and hundreds of thousands of downloads later, we celebrate our first birthday. :)

Is Face ID racist? Has Mr Robot infected your Firefox browser? Has Microsoft pushed a buggy password manager onto your Windows PC?

All this and much much more is discussed in the special first birthday edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by original co-host Vanja Švajcer.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Previously on Smashing Security. Cue the sad music. We have an announcement.
VANJA ŠVAJCER
Oh, who's making the announcement?
CAROLE THERIAULT
I think you should, Van.
VANJA ŠVAJCER
Oh, all right. So I have— I'm very sad to say that I will be taking a break from the Smashing Security podcast.

And so I'm hoping to come back certainly, but for the moment, it's going to be a break.
GRAHAM CLULEY
So Carole, this is our first anniversary episode.
VANJA ŠVAJCER
Yeah.
CAROLE THERIAULT
What are we—
GRAHAM CLULEY
Yeah. Do you think we should get a special guest or something on? I don't know.
CAROLE THERIAULT
Is anyone really special?
GRAHAM CLULEY
Any ideas?
CAROLE THERIAULT
Any ideas? Anyone?
Unknown
Smashing Security, episode 58. Face ID, Firefox, and Windows snafus, plus bitcoin FOMO with Carole Theriault. Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 58. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
VANJA ŠVAJCER
And I'm Vanja Švajcer.
GRAHAM CLULEY
Hey guys, he's back.
CAROLE THERIAULT
Told you we had a special guest for this week.
GRAHAM CLULEY
It's been a while, hasn't it?
VANJA ŠVAJCER
I'm not that special.
CAROLE THERIAULT
I agree.
GRAHAM CLULEY
Now, long-term listeners, of course, will know who Vanja Švajcer is. He was one of the original co-hosts of the Smashing Security podcast.

He lasted up until, I think, about episode— I can't remember what it was, but it was 13.
CAROLE THERIAULT
Then he got bored and effed off.
GRAHAM CLULEY
He cleared off.
CAROLE THERIAULT
Yeah, left us on our own to struggle.
VANJA ŠVAJCER
Had to go and get a job.
GRAHAM CLULEY
But we've dragged you back, Vanja, because it is a very special episode indeed, isn't it, Carole?
CAROLE THERIAULT
It is.
GRAHAM CLULEY
Why is that?
CAROLE THERIAULT
Happy birthday to us.
GRAHAM CLULEY
Happy birthday to us.
VANJA ŠVAJCER
Happy anniversary.
CAROLE THERIAULT
Exactly. We're one today. We are one.
GRAHAM CLULEY
We are one. We've made it to one.
CAROLE THERIAULT
That's right.
VANJA ŠVAJCER
We've been quite a success.
GRAHAM CLULEY
Aww. Our very first episode we recorded, I'm not sure we put it up as a podcast, but we recorded it before Christmas, just before Christmas, round about on this date, on the 21st.

And it was a video chat. It was a Google Hangout.
CAROLE THERIAULT
You know what we should do? We should put a link out to it when we put this out, just to show how far we've come and just show what we used to look when we were young.
GRAHAM CLULEY
Yeah, when we were podcast virgins. Now, of course, we're audio only. We decided it was safer for the internet that way.
VANJA ŠVAJCER
Much safer.
CAROLE THERIAULT
It meant you didn't have to shower before recording. Always a plus.
VANJA ŠVAJCER
Big plus.
GRAHAM CLULEY
I didn't always anyway.
VANJA ŠVAJCER
Did you? Well, you have to do it once a week.
CAROLE THERIAULT
Thank God we do this in different rooms. Today's podcast is sponsored in part by OneLogin.

OneLogin provides single sign-on, which people think is a productivity tool, but it's very much a security tool.

Companies use hundreds of applications every day with the average worker having to remember about 40 passwords.

Unless you use a product like OneLogin, passwords go into spreadsheets, into emails, and end up on Post-it notes.

OneLogin allows IT to say which users have access to which applications at what time, and also enforce two-factor authentication.

So even if credentials are compromised, hackers can't get access to those corporate services.

And by connecting to Active Directory, access to all of these services is deprovisioned as soon as someone leaves the organization.

OneLogin has customers like Airbus, Royal Mail, BSI, and Dun & Bradstreet.

Find out more about OneLogin and download a free guide to identity access management at smashingsecurity.com/onelogin. That's smashingsecurity.com/onelogin.
GRAHAM CLULEY
And welcome back.

And even though it's our birthday week, we are going to be doing the same old thing, which is looking back over the last week of security news and talking about some of the stories which caught our attention.

And I do— Which, what browser do you guys use? What's your favourite browser? Dare you tell me?
VANJA ŠVAJCER
I'll have to say Google Chrome.
CAROLE THERIAULT
Yeah, I'm using Chrome as well, although I'm thinking of going back to Firefox actually.
GRAHAM CLULEY
Right, I tend to use Chrome the most, although I'm sort of tempted a little bit to go to Safari.

But last month, Mozilla produced a brand spanking new version of their Firefox browser, which they call Firefox Quantum, and they're bragging and boasting about it, about how fast it is compared to Chrome, which of course leads the marketplace.

Most people are using Chrome.
VANJA ŠVAJCER
It's supposed to be very good. Yeah. I think most of the people in close circles in groups, many groups and stuff are kind of saying how they're thinking of going back to Firefox.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So this new Firefox Quantum version of the browser is meant to be much, much faster. Yeah. Yeah. And that's a reason why, you know, some nerds are getting very excited about using it.

I used to use Firefox years ago as well.

But it wasn't just speed freaks who were pleased, the privacy-minded as well were also happy because this brand new version of Firefox included tracking protection.

So a way to easily stop sites from loading code that could be used to track you across multiple websites. So far, so super duper, right?
CAROLE THERIAULT
Exactly, exactly. I'm with you 100%.
GRAHAM CLULEY
Yeah.

And a good reason to possibly switch, especially— that was my reason, especially compared to being inside the Google ecosystem, which always makes me a little bit... You know, I don't want them getting their tentacles on me too much.
CAROLE THERIAULT
Yeah, why not give everyone your information rather than just Google?
GRAHAM CLULEY
Well, then something bad happened because Firefox users began to spot something a little bit strange.

They noticed that unbeknownst to them, an extension had been added to their browser called Looking Glass.
VANJA ŠVAJCER
And they're thinking, oh, that sounds dodgy, sounds a bit strange, doesn't it?
GRAHAM CLULEY
You know, have I been drinking from the wrong potion bottle?
CAROLE THERIAULT
No, I think it sounds like a magnifier actually, just by the name.
GRAHAM CLULEY
Okay, all right. But if you hadn't installed it, maybe you'd be thinking, what's this?
VANJA ŠVAJCER
Yeah. If you haven't expected anything, you suddenly see there's some kind of extension that you don't know about.
GRAHAM CLULEY
So you're a little bit curious. You think, oh, what's this? Even if it's disabled, you know, you might think, oh, what's this thing?

And you look at its description and it says, my reality is different than yours.
CAROLE THERIAULT
I know. Then alarm bells, right?
GRAHAM CLULEY
Ding, ding, ding, ding, ding, ding, ding. What is this?

And you think, oh, some bad guy has hacked my computer or some piece of spyware in my browser because it's a bad guy from alternate universe. Yes.

It's kind of a bit spooky, isn't it?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Understandably, people were thinking this was malware or spyware.

Turns out that that actually would have been a fairly conventional explanation for what this extension or plugin was.

In fact, what it actually was was a little game or an add-on for an online game designed to promote the US TV show Mr. Robot.

If you've ever seen that hacking show, which is kind of— I've seen some episodes of it.
CAROLE THERIAULT
It's now in its third series, isn't it?
GRAHAM CLULEY
Is it?
VANJA ŠVAJCER
I've seen first two and I thought the first one was pretty good. And the second one, I'm not going to comment on.
CAROLE THERIAULT
I actually gave up. I gave up during the second one as well, actually.
GRAHAM CLULEY
I think I lasted a few more than two episodes.

It was kind of fun because I think although it clearly wasn't perfect and no show is perfect when it comes to describing hacking and computer crime and things, it was using some terms quite sanely.

Although obviously they have to make these things dramatic as well.

But compared to the typical show, compared to watching something like Spooks, you know, where we saw cyber attacks from Russia happening all the time, you know, affecting our traffic light system or something like that, you know, bringing riots to the streets of Britain.

I thought Mr. Robot was quite fun, but I haven't watched it for a couple of years, I must admit. But the thing was this, people were annoyed.
CAROLE THERIAULT
Well, rightly so.
GRAHAM CLULEY
Surprise, surprise.
CAROLE THERIAULT
Rightly so. They didn't plug it in. They didn't, they didn't, they had nothing to do with this.
GRAHAM CLULEY
Suddenly this thing is sitting on their browser, and when they hover over it, it says, "My reality is different than yours." And so what it was meant to do is if you enabled it and if you happened to navigate to a particular Mr. Robot webpage, you would see a clue necessary to get through the next level of the puzzle.

And it would also sort of invert text of certain buzzwords and keywords, computer and hacking related or Mr. Robot related, throughout the web for a few seconds.

So you'd see some bizarre behavior. And again, this is something which sounds like an old-school piece of malware, you know, sort of messing with your browser view.

And you might well imagine, you know, what's going on here. Well, as you can imagine, no one on the internet was upset at all about this.
VANJA ŠVAJCER
Not at all.
GRAHAM CLULEY
Everyone was completely and utterly fine and took it in their stride and said, that's fine. We don't mind Mozilla.
VANJA ŠVAJCER
No, no, no.
GRAHAM CLULEY
So people were leaving comments saying, fuck off and apologize for this shit. And browsers that care about my privacy don't install potential spyware without notifying me.

What the fuck were these people thinking? Apparently it's time to switch browsers.
CAROLE THERIAULT
The thing is, I kind of like the idea. I like the idea that people are trying to promote shows, promote entertainment in a way that's fresh, right?

We saw that with Stranger Things with the app, which we talked about in one of our Pick of the Weeks. And I suspect the idea of this plugin was along similar lines.

I just think it was implemented really badly.
VANJA ŠVAJCER
Yeah, you don't really do that. You don't really install something with the default installation of the browser, right?

So if there was just an extension and they were promoting it somewhere in their own extension store or whatever, that would be fine.
GRAHAM CLULEY
Yeah. And they could have let word of mouth spread. So they could have let Mr. Robot fans say, oh, there's this really cool extension for Firefox.

Join in the game, share it on Twitter, share it on Facebook, share it wherever, you know, and encourage people to try out Firefox.
VANJA ŠVAJCER
Yeah.

If they made it like a cryptic puzzle, for example, that you needed to solve, or like an Easter egg in— like, you remember those Easter eggs in Microsoft apps in the beginning of the 2000s?

Like, they were quite fun. But from the security point of view, they're a real nightmare, of course.
GRAHAM CLULEY
And pushing this out by default to people's computers, even though I believe it wasn't enabled by default, it was installed.
CAROLE THERIAULT
I was just gonna say it wasn't enabled by default, but it was installed. Yeah.
GRAHAM CLULEY
And what it reminds me of, do you remember when Steve Jobs, it was the most painful thing imaginable, when Steve, not Steve Jobs, Tim Cook from Apple, was on stage with Bono because they were pushing out the new U2 album to everyone's iPod, iPhone, whether they wanted it or not.
VANJA ŠVAJCER
I think I still have it.
CAROLE THERIAULT
I'm sure you're not alone, Van.
GRAHAM CLULEY
But lots of people were really like, why?
CAROLE THERIAULT
What are you doing this?
GRAHAM CLULEY
You know, it's kind of like spam, wasn't it? And even Mozilla's own employees were tweeting. There's a guy called Steve Klabnik, for instance, who's one of the dudes at Mozilla.

And he said, how can we claim to be pro-privacy while surreptitiously installing software on people's computers? More importantly—
VANJA ŠVAJCER
Steve still has a job?
GRAHAM CLULEY
Yeah, I think he does. He hasn't tweeted yet, looking for a new job. But he says, more importantly, how did management not see this problem? I think that's really the thing.

How did no one raise a little flag and go, hello, you know, maybe not such a good idea.
CAROLE THERIAULT
Come on, come on, come on. Think of it the other way around. We always, as people, like to get something for free.

And I can imagine the marketing team sitting in there going, hey, we can give them a little bit extra. You know, let's give them this cute little plugin.
VANJA ŠVAJCER
Well, the marketing team probably went, okay, we made this deal. They gave us money. You know, we can just put this extension in.
GRAHAM CLULEY
Apparently no money exchanged hands.
VANJA ŠVAJCER
Really?
GRAHAM CLULEY
They just did this out of the— they just thought if we jump on the Mr. Robot wave, that's even worse. Maybe we'll get more dudes.
VANJA ŠVAJCER
Product placement in Mr. Robot.
GRAHAM CLULEY
From now on, Mr. Robot only uses Firefox.
VANJA ŠVAJCER
Maybe, but I know these sort of things happen inside companies, but you would kind of hope inside Mozilla that there'd be more stops and checks.
CAROLE THERIAULT
You know what? We haven't got to the best bit yet. They did own up and they did apologize for this as well.
GRAHAM CLULEY
They did. Yes. And it's good that they did that. Originally, though, what they said is they tried to give an explanation after the initial— I don't have a problem with that.

Well, here's what they said. They said Firefox and Mr. Robot have collaborated on a shared experience to further your immersion into the Mr. Robot universe, also known as an alternate reality game. And, ah, the effects you're seeing are part of the shared experience. And Mr. Robot centers around the theme of online privacy and security, one of our guiding principles here at Mozilla. It's like, whoa, hello, hello.
CAROLE THERIAULT
Yeah, you know, that was written, that was a PR answer. Yeah, so a bit barfy.
GRAHAM CLULEY
Okay, so they have now withdrawn the update. You can choose to install it if you want from the Firefox extension, but what a goof to make.
CAROLE THERIAULT
And well, everyone makes goofs. I just, what bugs me more than goofs is when people try and hide it or don't take ownership of it or don't apologize for it.
VANJA ŠVAJCER
Yeah, that's always a bigger problem, really. I think everybody can make a mistake and you think of it like everybody can be hacked.
CAROLE THERIAULT
And there was no data loss here. No one's privacy was threatened. It was just a stupid, you know, stupid idea that probably was born from good intentions.
GRAHAM CLULEY
Probably was, wasn't it? And I think that's probably a good time to switch over to Vanja and find out what his story this week is.
VANJA ŠVAJCER
Well, there are a few interesting stories this week. One of them was yours, Graham, the Firefox one.

And the story I've chosen is kind of almost along the same lines, I would say, but this time it's about Windows.

And it's about a Windows password manager called Keeper, which was included with some of the versions of Windows.

Well, our friend, Tavis Ormandy, who we kind of all know a little bit from our previous lives, discovered a password disclosure vulnerability in the password manager Keeper, which basically allows any attacker to set up a malicious webpage.

So when a user that's logged into the Keeper visits that page, the page can actually retrieve any of the passwords stored within. Which is in itself quite a bad—
GRAHAM CLULEY
Why?
VANJA ŠVAJCER
—vulnerability.
GRAHAM CLULEY
Super duper, oh my God, bad. That's nightmare scenario, isn't it, really? Well, that's one of those things.
VANJA ŠVAJCER
We always promote password managers and we say they're much safer than actually remembering your password.

And if you depend on that password manager and that password manager is not secure enough and can disclose one of your passwords, then surely that's pretty bad.
CAROLE THERIAULT
Yeah. And it's people put everything in their password managers, right? People put credit card details.
VANJA ŠVAJCER
And that's why I don't use password managers.
CAROLE THERIAULT
Yeah, well, good for you for having an amazingly sized brain.
VANJA ŠVAJCER
Yeah, I have for every website, I have different password. Good. So you should. Vanja 1, Vanja 2, Vanja 3. Okay, hackers listening.
GRAHAM CLULEY
You've got your new target.
VANJA ŠVAJCER
It's easy.

Anyway, I think what's even more concerning is this feature in Windows 10 you have basically in all of the consumer versions, which are, as far as I know, Home, Pro, perhaps there are some other ones.

There are so many versions of Windows these days.

There is a feature called Consumer Experience, which basically, as you create a new user and you start using your machine, it suggests new apps for you.

It also has the ability to install some of the apps, like bundled apps.

And so some of the people who are actually using Windows 10, when Keeper appeared on their desktop, they were not sure whether they installed it themselves or whether it comes bundled with all other Windows applications.

Well, it turns out actually that Windows installed these apps and Keeper is just one of them.

Some of the other ones are games if you're a complete consumer or things such as Netflix.
CAROLE THERIAULT
Let me get this straight. So it silently installs these apps or do they kind of declare?
VANJA ŠVAJCER
They have no idea that those apps were installed by Windows.
CAROLE THERIAULT
It's the same as Mozilla.
GRAHAM CLULEY
It's the same kind of thing. Jeez. Basically.
VANJA ŠVAJCER
And so nobody could agree which versions of Windows had this Keeper bundle.

Oh my God, because it seems that it's very much tailored and that the logic on when those apps are installed sits on the side of the Windows server rather than the actual desktop.
CAROLE THERIAULT
This is really annoying because Windows now has security built in. So people tend to rely on Windows as their security provider for home users particularly.

And, you know, to get it this wrong.
VANJA ŠVAJCER
Yeah, I mean, to be fair with them, those are the universal Windows applications rather than the Windows executable files, which you can have, which can contain malware.

Fair enough, yeah, they're very much controlled by the Microsoft or Windows App Store. So, but how do you know that some of the app was pushed?

Like if you're an ordinary user, you would have no idea if some app is a normal app or it could be malware.
GRAHAM CLULEY
And to continue from Carole's point, I mean, it will make people more wary of automatic updates and sort of handing over the keys to their computer to the likes of Microsoft, which you normally do for security updates.

And you say, that's fantastic. But meanwhile, they're doing all this sort of thing in the background. So there are now computers with Keeper installed on it.

Has Microsoft been able to remove the vulnerable version of Keeper?
VANJA ŠVAJCER
Well, I think they created a new version, which is now pushed.
GRAHAM CLULEY
We snapped and pushed it.
VANJA ŠVAJCER
Yeah, it may be pushed again.

Of course, for the people who haven't removed it themselves or who haven't disabled the automatic push, because I saw that there are actually quite a few people trying to find a way how they can disable this feature.
GRAHAM CLULEY
So people are looking for registry hacks or something like that, aren't they?
VANJA ŠVAJCER
Yeah, and it seems that in recent version, it's becoming more and more difficult to prevent these features.

And Microsoft is obviously using their desktop kind of resource as a platform for pushing adverts.
CAROLE THERIAULT
I wish someone would push out something that would just be a plain Jane, do what it says on the box.

No tracking, no anything, no special features, not trying to give me any add-ons.
GRAHAM CLULEY
I'd push out something to Bill Gates' PC. Hey, he's doing things that.
CAROLE THERIAULT
Bill Gates is no longer in this at all.
GRAHAM CLULEY
Well, all right.
CAROLE THERIAULT
He's saving the world right now. So you leave him alone. Yep.
GRAHAM CLULEY
But the key difference here is Mozilla has apologized, right? And said, we won't do that again. We realize we goofed. Microsoft, no plans to change.

It's going to carry on pushing out apps to people's computers, isn't it? Silently without their permission.
VANJA ŠVAJCER
Yeah, it's just a standard feature of consumer versions of Windows.
GRAHAM CLULEY
Well, the good news is nobody at all uses Windows. Exactly, so don't worry about them.
CAROLE THERIAULT
What a non-story, Vanja. Yeah.
GRAHAM CLULEY
Total non-story, Vanja. Almost nobody, almost nobody. No one at all. So nothing to worry about there. Very good. Carole, what have you got for us this week?
CAROLE THERIAULT
Well, I want to talk about Face ID. Do you happen to know what the likelihood of a random person being able to open your phone is according to Apple?
GRAHAM CLULEY
Yeah, open my phone with Face ID? Yes, I do know. It's no chance at all because it doesn't have Face ID.
VANJA ŠVAJCER
I have no Face ID either. So, another great story, Carole.
GRAHAM CLULEY
Yes, zero.
CAROLE THERIAULT
So, Apple say it's 1 in a million. No, it's zero. 1 in a million to get in. And they say it's way more secure than Touch ID, which was touted at 1 in 50,000.

Now Apple say, we expect Face ID to be the new gold standard for facial authentication.

I mean, Apple are so confident about the abilities of Face ID, they ditched the Finger ID option, right? So, you know, they're putting all their apples in this cart.
GRAHAM CLULEY
Yeah, I'm not sure that's why they ditched Touch ID in the iPhone X though. I think it's because of this new screen, which stretches all the way. Yeah, the bezel-free screen.

They couldn't put Touch ID on as well. I mean, maybe they could have put it on the back, But that would have been too ugly for them, I imagine, or too copying Android phones.
VANJA ŠVAJCER
But I actually find Touch ID pretty useful. The only thing that I'm slightly afraid of is somebody will cut my finger off.
CAROLE THERIAULT
Yeah, and if you're dead, they won't need to cut your finger off. They can just push you.
VANJA ŠVAJCER
That's true. But if I'm alive, on the other hand, you know, it's better to give the finger off if somebody takes it.
GRAHAM CLULEY
You'll probably notice at least, Vanja. You might notice, maybe put up a fight.
CAROLE THERIAULT
That's what I do.
GRAHAM CLULEY
Where's my finger? But yeah, I like Touch ID as well. I find it really convenient. I'm in no rush to get a phone with Face ID.

Anyway, Carole, so yes, apparently it's more secure, right? I believe so. Yeah, well, according to Apple.
CAROLE THERIAULT
So since the arrival of the iPhone X last month, we've been seeing Face ID results dribble in, right? And they're not all that.

So in October, a few select journalists got just 24 hours to play with the iPhone X before launch. And Steven Levy from Wired Magazine says, "Does it work?

Pretty much." Now, I've got a problem with that because you don't want— imagine someone saying that about a password. You know, it works pretty much. Sometimes. A lot of the time.
VANJA ŠVAJCER
Most of the time.
GRAHAM CLULEY
And actually, I saw, I think it was just last week, a past guest of ours, Troy Hunt.

He put up a video where he was testing Face ID, and he was able to find many circumstances in which it wouldn't work, including being out in the Australian sunshine.

Thank you very much for ruining my story.
CAROLE THERIAULT
Ha! No, no, you're fine, you're fine, you're fine. But yeah, he found exactly the same thing as Troy Hunt. So he said it works pretty much.

He said that it had problems with his real-life face. So despite a clear view of his face, the iPhone X would ghost him. So this is hardly a ringing endorsement, is it?

The Verge's Nilay Patel said he had problems pulling the iPhone X out of his pocket and having it fail to unlock.

He also said, as Troy Hunt said, that brightness and shade cause unlocking issues as well. So these are big problems. Accessibility is one of the founding CIA principles of security.

So that's confidentiality, integrity, and accessibility. Accessibility is a really important thing to have when you're talking about security.

And in my view, kind of a non-negotiable.

Now, in November, so just last month, a 10-year-old boy was found to be able to open his mom's phone using Face ID, not once, but repeatedly.

And the same kid was even able to open his dad's phone on a single occasion.

The dad is reported saying, my wife and I text all the time, and there might be something we don't want our son to see.

"Now my wife has to delete her texts if there's something she doesn't want Amar to look at." So when I read this story, I was thinking, well, they must look a lot alike because they're related.

They're family. It's kind of interesting.
VANJA ŠVAJCER
And I can imagine that, let's say, boy looks a lot like mom. But can he look like dad and mom at the same time? That's a bit tricky.

So I'm not saying that this story is not true, it's probably correct in many ways.
CAROLE THERIAULT
And he was only able to get into his dad's phone on a single occasion, but his mom's, they were able to do it repeatedly.

So this story calls into question that whole idea of confidentiality and integrity, you know, the components of CIA, right?

An unauthorized person can access the sensitive contents and edit, delete, add at will.
VANJA ŠVAJCER
Yeah, but the whole concept of Face ID is pretty much compromised now. If somebody is very similar to you, they may be able to unlock your phone. What about your sister or brother?
CAROLE THERIAULT
What do you know? My brothers are twins, right? Trust me, they would not want to see each other's... So I'm with you, right? Maybe there's some physical resemblance issues here.

But then just recently, a Chinese woman known as Yan has added mucho fuel to this Face ID fire.

It turns out her coworker was able to unlock her iPhone X by simply looking at the phone.
VANJA ŠVAJCER
Well, if you stare long enough, it will unlock itself. Come on, do it, do it, unlock.
CAROLE THERIAULT
Now I've put a picture of the two women here and maybe they look slightly alike, but they're not twins by any stretch of the imagination.
GRAHAM CLULEY
One of them does look a bit grumpier than the other, I think.
CAROLE THERIAULT
Yeah, no, they don't even look related. Now the two apparently reset facial recognition settings multiple times to retry, and the same result happened.

The coworker could look at the phone and access everything inside. So she does what any of us would do, right?

She calls Apple and she says, maybe you can explain why my colleague can use Face ID and get into my phone, right? And you know what Apple says? "Bukening," which means impossible.
GRAHAM CLULEY
I'm sorry? Bukening.
CAROLE THERIAULT
Bukening. Right? So Yan and her colleague head down to the nearest Apple shop to show off the flaw.

And in fact, it didn't matter which woman was the owner of the phone, the other woman could always get in.

And they were able to repeat the same outcome on different iPhone X models.
VANJA ŠVAJCER
So have they been offered a different device model to exchange for the iPhone X?
CAROLE THERIAULT
They were offered a refund. Yes. So she was offered a refund. Now, what this has opened up, a brand new snafu.

This has led to some Twitter users asking whether Face ID might be racist. Or rather, if we go to Twitter user @BienSurJeT'aime, she argues devices can't be biased.

But if the creators don't account for their own biases, it shows up. Now, Apple are not alone facing such allegations.

You might remember Google Image Search faced a racial bias problem of its own last year.

An 18-year-old from Virginia showed that when he searched for 3 Black teenagers, he was shown decontextualized mugshots.

And when he searched for 3 white teenagers, he was served up stock photos of relaxed teens hanging out, you know, on various plain white backgrounds.
GRAHAM CLULEY
So he was searching for those as search phrases? Oh, I see.
CAROLE THERIAULT
As search phrases. And looking in Google Image to see what results came back. Yeah, exactly. So it all has to come down to, are we testing our stuff enough?
VANJA ŠVAJCER
I think people are using all these machine learning algorithms and they can have a bias as well, depending on what kind of data do you feed in.

You know, if you put the data that only has white people in, then surely perhaps they won't be able to recognize the difference between some other races in the same way.
GRAHAM CLULEY
But this is pretty bad for Apple, which is trying to get— I mean, the Chinese market is a really important one for them, isn't it?

And if they don't sort out something like this, they're going to find themselves in a situation.
CAROLE THERIAULT
So if we come back to the original statement from Apple, is Face ID the new gold standard for facial recognition? I think my answer on this is, hmm.

And my big problem with the whole Face ID thing is that you have to hold the phone in front of your face like a mirror to get in all the time.

And sometimes you just want to kind of, you know, pop the phone out of your pocket, take a quick look, see if you've gotten any messages and slap back in and not, you know, disrupt a meeting or disrupt what's going on around you.

And actually, just last week, Synaptics disclosed details of under-glass fingerprint sensors.

So this would allow a phone to be both button and bezel-free, yet still be unlocked with your thumb or with one of your fingerprints.

So who knows, Face ID might just be a flash in the pan.
VANJA ŠVAJCER
So I might be getting the iPhone XY.
CAROLE THERIAULT
Yeah, whatever it's called these days. The super-duper brand new iPhone.
GRAHAM CLULEY
All I know is I'm not going to buy one. I'm not going to buy an iPhone X because first of all, I want a 3.5mm headphone jack. And I want Touch ID. I'm perfectly happy with Touch ID.

I don't need all these newfangled gadgets. There's no requirement for it, so I'm going to stay away.
CAROLE THERIAULT
We never agree. See, it's Christmas, we're agreeing. I love it, it's unbelievable.
GRAHAM CLULEY
Isn't it? Happy Christmas, guys. Happy Christmas and happy birthday to all of us. And we'll be right back with Pick of the Week after this break.
CAROLE THERIAULT
Today's podcast is sponsored in part by OneLogin. OneLogin provides single sign-on, which people think is a productivity tool, but it's very much a security tool.

Companies use hundreds of applications every day, with the average worker having to remember about 40 passwords.

Unless you use a product like OneLogin, passwords go into spreadsheets, into emails, and end up on Post-it notes.

OneLogin allows IT to say which users have access to which applications at what time, and also enforce two-factor authentication.

So even if credentials are compromised, hackers can't get access to those corporate services.

And by connecting to Active Directory, access to all of these services is deprovisioned as soon as someone leaves the organization.

OneLogin has customers like Airbus, Royal Mail, BSI, and Dun & Bradstreet.

Find out more about OneLogin and download a free guide to identity access management at smashingsecurity.com/onelogin. That's smashingsecurity.com/onelogin.
GRAHAM CLULEY
Well, welcome back, and you come back to our favorite part of the show. It is our special birthday edition of Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Our last pick of the week of 2018.
GRAHAM CLULEY
2017.
CAROLE THERIAULT
Last pick of the week of 2017.
VANJA ŠVAJCER
Well, we're doing a future show. This is a two-year anniversary. Maybe I'll use it next year as well.
GRAHAM CLULEY
I don't think Vanja's done a pick of the week before. I think he was from the—
VANJA ŠVAJCER
No, no, no. You know, I'm so much into security that I'm not sure if I would vote it for pick of the week when I was there.

But it turns out actually it's maybe even the more fun part of the show. Do you actually—
GRAHAM CLULEY
Can I just ask, do you listen to the show, Vanja?
CAROLE THERIAULT
Yeah, Vanja, do you?
VANJA ŠVAJCER
Yeah, I listen to at least one.
CAROLE THERIAULT
Wow, man, do you know where to put the knife?
VANJA ŠVAJCER
No, come on, I listen to a lot of them. Iain and Mikko and— Anyone else? Don't strain yourself. Rich B. All the people on our doc. He hasn't been on for months.
GRAHAM CLULEY
John Lydon. All right, fair enough. Well done for scrolling down the list of guests. So, Vanja, I'll put you out of your misery.

My pick of the week was brought to my attention by ace cybersecurity reporter Lorenzo Franceschi-Bicchierai. I can never say his name.

Anyway, he writes for Motherboard all about computer security and is quite a good chap to read.

And he was talking about bitcoins and he was saying, you know, in the last month bitcoins have skyrocketed from, you know, $7,000, whatever whatever, to almost $20,000.

They're bordering on that, aren't they, at the moment?

There have been countless people doing their maths on their missed opportunity, and he brought my attention to a website where you can find out how much you have lost out by not investing in bitcoin earlier.

All you have to do, and I'll put the link in the show notes, is go to a website called bitcoinfomo.club.

FOMO stands for fear of missing out, and you tell it, oh, I would have invested maybe $1,000 in Bitcoin on this particular date, and it'll tell you what it would have been worth today.

So have you just done it? It's scary, isn't it? So I've worked out that I've been writing about Bitcoin since at least July, June or July 2011.

Okay, so around about 6 and a half years. Yeah. If I had bought $1,000 then, how much do you think it would be worth today?
VANJA ŠVAJCER
Millions. A million. $1,363,525. Well, I'm actually, I think with all this bitcoin craze, there'll be so many missed millionaires.

It would be much worse than the dot-com boom at the beginning of 2000. It's where everybody was part of some kind of startup that just almost made it, but they never made it.

So this would be the same thing. You know that there's a term for people who miss that opportunity and have no coins? They are called no-coiners. No-coiners?

It's a derogatory term for people who allow— and you can spot them in any discussion because they always say, ah, bitcoin is going to crash. It's awful. This is such a con, right?

So you can spot a no-coiner that. I have something 0.0001 coin.
GRAHAM CLULEY
So I'm not a no-coiner. I've got a similar amount. So I'm not a complete muggle.
CAROLE THERIAULT
Yeah, no, you're definitely not.
VANJA ŠVAJCER
But you know what the problem is?

There are so many, you know, there will definitely be rich people, but those rich people have to at some point convert that bitcoin into real money. And what is that point?

When do you actually do the conversion?

You know, if you're a millionaire, if you have $50 million in bitcoin, if you have a million even, when is the point where you say, now it's enough? Why is it now?

What if it goes— there are some predictions it's going to go up to $500,000 per coin.
GRAHAM CLULEY
Vanja, I am perfectly happy with $1,363,525.
VANJA ŠVAJCER
I'm really happy too.
GRAHAM CLULEY
Yeah, that'd be all right.
CAROLE THERIAULT
I'm glad you didn't get that money because then I think you wouldn't be interested in doing the Smashing Security podcast.
GRAHAM CLULEY
I'd do it every day. I wouldn't do any other work, Carole. Of course we would. We'd do it all the time. We wouldn't have to do anything else, would we?

Now, some people, of course, have simply mislaid their bitcoin wallets. They may have bought things.

You might have bought bitcoin years and years ago, or they've chucked out an old computer, forgetting that it contained their private keys, having thought that they were worthless.

There is a chap called James Howells, for instance. He bought 7,500 bitcoin back in 2009.

He is currently searching a landfill site in Newport, Wales, as that old computer has got bitcoins worth over £4 million on it.
VANJA ŠVAJCER
Well, didn't they say that something about one-third of all bitcoins are actually lost in that sort of way? Ransomware the other.
GRAHAM CLULEY
I'm sure either they got hacked from Mt. Gox or one of the other Bitcoin exchanges, which is something to think of, or simply people mislaid them or they've forgotten about them.

They're on an old computer. You recycle computers, you accidentally wipe your files or something like that.
VANJA ŠVAJCER
So there was that recent news about the Bulgarian police also potentially seizing $4 billion worth in bitcoins. That's right. That's absolutely right.
GRAHAM CLULEY
Yes. We'll put a link to that in the show notes as well.

If you want to enjoy other people's misery, if you didn't join in the Bitcoin craze at the right time, you can go to a site called the Database of Lost Crypto Assets.

It's at omicoins.xyz, where they collect stories, unverified of course, of how people lost millions by, I don't know, wiping their hard drive or something like that.

Anyway, that is my little bit of joy for those people who didn't invest, and it's my pick of the week. Yay!
VANJA ŠVAJCER
Vanja, what's your pick of the week? So my pick of the week this week is kind of an Eastern European type of joy, let's say. And it's about— Does it involve death and misery?

How did you guess, Carole?
CAROLE THERIAULT
You know. I know you very well.
VANJA ŠVAJCER
That's why. So, right.

It's on iTunes, there's a trend that many people are now publishing these so-called mindful apps, which kind of help you lead healthier and more fulfilled lives.

And one of those apps was recently published and it's called WeCroak. You were kidding. WeCroak.

WeCroak, which the sole purpose of the app is that at any random time of the day, it reminds the user, i.e., you, that you're going to die. I love it. I love it.

So, you know, you're washing the dishes, perhaps you're not happy for washing the dishes or doing, suddenly you get a message. Message, you will die.

And of course, they're not just messages very much plain like that, but there are some interesting thoughts from thinkers about how people reach this stage of life.
GRAHAM CLULEY
Have you installed the app? Because I have. I've been running it for a few days. Is it good? I'm actually really enjoying it.
VANJA ŠVAJCER
And has it made your life more miserable or more enjoyable?
GRAHAM CLULEY
Well, you said about 5 times a day, it pops up this message. I think it says something like, remember, you're going to die someday. And you can swipe and then you get a quote.

I don't the quote so much. So right now the quote is from Jimi Hendrix. Okay.
CAROLE THERIAULT
Do you know who that is, Graham?
GRAHAM CLULEY
I'm the one that has to die when it's time for me to die. So let me live my life the way I want to. I don't know when he said that. Yeah, well, whatever.

So I don't really those so much. But I do this perpetual reminder that I'm going to die because actually it has made me a little bit mindful.
VANJA ŠVAJCER
Yeah, I think so. Because you can be in some completely— in a situation where you don't enjoy it.

I actually haven't installed the app, but I did think about the app quite a few times during the last few days because in this, let's say, Christmas period can be quite stressful.

And sometimes you just think, why am I stressing? And just think about the WeCroak app and it's like, okay, dude, just chillax.
CAROLE THERIAULT
Chillax, you're going to die anyway.
GRAHAM CLULEY
If you're doing something you're not really enjoying it and it sometimes popped up at the most opportune moments and it's like, oh, this is quite good.

So if anything, it's actually cheered me up. I did have to pay 99 pence to install it.
VANJA ŠVAJCER
I would think, okay, they're exploiting us clearly with 99 pence.
GRAHAM CLULEY
I've probably got more than 99 pence of joy out of it. So I don't think view it as completely depressing.
VANJA ŠVAJCER
At least if it's an advert-free experience, then I guess it's worth it.
GRAHAM CLULEY
Yeah, totally. I'd rather pay 99 pence than be bombarded by adverts for funeral parlors. Make your own Dignitas.
CAROLE THERIAULT
My pick of the week is completely free, and you guys can enjoy it. So I just want to preface it with one thing.

You know that I'm not earnest very often, but this time of year, it's important to get a bit more serious occasionally.

So this is why I've chosen this pick of the week for you guys. So if you would just click on the link and—
GRAHAM CLULEY
I'm looking on the link.
VANJA ŠVAJCER
First or the second one? Oh, for goodness sake.
GRAHAM CLULEY
Oh, this is vulgar. Come on, no, I don't like this.
CAROLE THERIAULT
Why don't you look at the second one?
GRAHAM CLULEY
I'm going to look at the second one.
VANJA ŠVAJCER
It's kind of cute. Come on.
GRAHAM CLULEY
Graham is just— I'm just a bit English for that. I can't deal with that.
VANJA ŠVAJCER
You know, about twerking, there was this Croatian show, Croatia's Got Talent, and there was a girl who did the twerking.

Video, and there was a huge discussion in all the serious newspapers.

Obviously, Croatia being a Catholic country, we don't anything showing off any sexuality on government-paid TVs, on the national TV.
GRAHAM CLULEY
So, Carole, there you are. For those— do you want to explain what we've just watched?
CAROLE THERIAULT
Well, I think it'd be better coming from you. I think you can do this.
GRAHAM CLULEY
Okay, so on both occasions, there is a woman who has face paint on her, and she's wearing some sort of G-string. She's not the woman. There's a sound.

I've explained this really badly. There's a— this woman has a nose, not in itself that unusual.

But the nose, the two nobbles of the nose appear to be the buttocks of a painted-on woman.

And then she wiggles her nose around to make it look like her nose is twerking or the bottom. You just have to see it. But no, don't see it.

But the other one has the Grinch on it and the reindeer. It's a little bit, a little less uncouth, but still.
VANJA ŠVAJCER
I'd say it's pretty cute. And it's a festive season.
CAROLE THERIAULT
I don't think you just killed something that could have been very cute. You're Mr. Grumpy. Be careful, Mr. Grumpy, 2018's coming.
GRAHAM CLULEY
Hang on.
VANJA ŠVAJCER
Luckily, Graham has the app installed.
GRAHAM CLULEY
Any moment now, WeCroak is going to pop up for me and say, get over yourself, Graham.
CAROLE THERIAULT
You're going to die. Good, looking forward to it.
GRAHAM CLULEY
Carole, thank you for the last pick of the week of 2017. It is the last pick of the week of 2017 because we are going to take a short break, aren't we? Our first ever break.
CAROLE THERIAULT
Wow, a two-week break.
VANJA ŠVAJCER
You guys, I come back and you make a big break. That's not good. Even if it was only for one episode.
CAROLE THERIAULT
That's why we got you on, you see, because you're going to be so satisfying to all our listeners that they're going to be just fine for the next few weeks until we get back on.
GRAHAM CLULEY
All right then.

So if you want to keep up with us, not that we'll be doing very much over the next couple of weeks, have a happy Christmas and follow us on Twitter @SmashInSecurity, no G.

Twitter still hasn't given us enough characters to put a G in our Twitter handle.

You can join us on Facebook at smashingsecurity.com/facebook, and we have gifts galore in our online store at smashingsecurity.com/store.

So all that remains is, Vanja, are you going to come back again?
VANJA ŠVAJCER
If you let me. We'll think about it.
GRAHAM CLULEY
Until next time, thanks for tuning in. If you know someone who might like the podcast, tell them about it.
CAROLE THERIAULT
Or just steal their phone and subscribe them. So much easier.
GRAHAM CLULEY
Oh yeah, that's the kind of thing that Mozilla would do, isn't it? Until next time. Cheerio. Bye-bye. Happy Christmas.
VANJA ŠVAJCER
Happy Christmas. Happy Hanukkah. Happy New Year.
GRAHAM CLULEY
Happy every holiday. So how about this? How about we do, hello, hello, my name is Graham Cluley. And I'm Carole Theriault. And then I'll say that bit. Yeah.

And then Vanja says, and I'm back. Here we go. Hey, right, how about that?
CAROLE THERIAULT
Is that cute? Yeah, I don't know. Yeah, we could do that. Fine. Sounds really exciting. Super. You're really loving what you came up with. Yeah, it's amazing.

Hosts: Graham Cluley, Carole Theriault

Guest: Vanja Švajcer – @vanjasvajcer

Show notes:

Sponsor: OneLogin

OneLogin provides Single Sign On for customers like Airbus, Royal Mail, BSI, and Dun and Bradstreet. With hundreds of apps being used in the typical workplace, and the average user having to remember about 40 different passwords, we all know that if we don’t have a product to remember passwords they end up in spreadsheets, stored in emails, or left on post-it notes. And that is a security nightmare. OneLogin allows IT to say which users have access to which applications at what time and also enforce two factor authentication. So even if credentials are compromised, hackers can’t get access to those corporate services. And, by connecting to Active Directory, access to all of these services is de-provisioned as soon as someone leaves the organisation.

Learn more, and download a free guide to identity access management, at www.smashingsecurity.com/onelogin

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Smashing Security podcast #058: Face ID, Firefox, and Windows SNAFUs, plus Bitcoin FOMO”

  1. Joe

    Good to see Vanya back . .
