A scam involving restaurant bookings at The Ritz is suitably sophisticated, the second wave of UK coronavirus testing apps, and we take a look at one of the biggest studies ever into the scourge of robocalls.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by BBC technology correspondent Rory Cellan-Jones.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello, beautiful people. I just want to give a quick shout out to our scintillatingly incredible Patreon supporters.
These are the people that help us make the show, and we are so grateful.
This week, high tens go to Matt Cotton, William Sabados, Brian Berry, Justin Dale, Marcus Serraro, Christoph Goossens, Kylie Higginson, Tim Davis, MG Lee, and Jason Polk.
Thank you all. You guys rock.
These are the people that help us make the show, and we are so grateful.
This week, high tens go to Matt Cotton, William Sabados, Brian Berry, Justin Dale, Marcus Serraro, Christoph Goossens, Kylie Higginson, Tim Davis, MG Lee, and Jason Polk.
Thank you all. You guys rock.
If you want to join this amazing community of people, you know what to do. Visit smashingsecurity.com/patreon. Now let's get this show on the road.
If you remember the Queen Mother, how could anyone forget the Queen Mother? She used to go to the Ritz and her favorite song they'd play on the piano.
Or can you guess what her favourite song was on the piano that she'd like to play there? RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
Or can you guess what her favourite song was on the piano that she'd like to play there? RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
It was actually The Ace of Spades by Motorhead. Sorry, Rory.
Smashing Security, episode 192: Ritz and Robocalls with Rory, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 192.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined this week by someone who's new to the show, but not new to our eyes and ears, because he is everywhere in the world of technology.
And he has been for many, many years. It is the BBC's technology correspondent, Rory Cellan-Jones.
And he has been for many, many years. It is the BBC's technology correspondent, Rory Cellan-Jones.
The illustrious Rory. Thank you for coming on the show. It's very exciting. RORY CELLAN-JONES. You're making me feel old. Years and years.
So many years.
Graham just needs a companion. RORY CELLAN-JONES. Yeah. Well, I have been talking to you, Graham, for years and years and years. You have been my go-to guy on cybersecurity.
Me and Alan Woodward. RORY CELLAN-JONES. Yeah.
We have to get him on the show sometime. RORY CELLAN-JONES. The prof. Yeah, he's a good guy.
So Rory, how's it all been treating you? How's it— what's it being a technology correspondent in the era of a global pandemic? How's that changed your life? RORY CELLAN-JONES.
It's been extraordinary.
We— I worked out the other day before I went for a short break at the beginning of August that we had done 18 consecutive editions of my weekly program Tech Tent in lockdown from my attic, which is where I am now, staring out.
There's a cheeky fox that walks along the back wall from time to time, so there's plenty of entertainment here. Yeah, we've managed to make it work. RORY CELLAN-JONES.
I have spent most of the time on Zoom, which I'm beginning to curse. We seem to have more FaceTime, my colleagues and I, than we do in real life.
I see more of them now than I ever do, and I'm bored with their kitchens.
It's been extraordinary.
We— I worked out the other day before I went for a short break at the beginning of August that we had done 18 consecutive editions of my weekly program Tech Tent in lockdown from my attic, which is where I am now, staring out.
There's a cheeky fox that walks along the back wall from time to time, so there's plenty of entertainment here. Yeah, we've managed to make it work. RORY CELLAN-JONES.
I have spent most of the time on Zoom, which I'm beginning to curse. We seem to have more FaceTime, my colleagues and I, than we do in real life.
I see more of them now than I ever do, and I'm bored with their kitchens.
Do you do video calls all the time, never audio? RORY CELLAN-JONES. All the time. All the time.
That's— God, that means you have to shower every morning and everything. RORY CELLAN-JONES. I'm not entirely sure that that's happening with some of my colleagues.
We'll name names later. Carole, what's coming up on the show this week?
Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free.
Now, coming up on today's show, Graham will share a tip or two on how to avoid scams at fancy schmancy eateries. Rory gives us the latest on the UK COVID tracing app.
Now, coming up on today's show, Graham will share a tip or two on how to avoid scams at fancy schmancy eateries. Rory gives us the latest on the UK COVID tracing app.
And I share some US-based robocall research and explain why the legislation needs work. All this and much more coming up on this episode of Smashing Security.
Now, chums, the Ritz in Piccadilly, London. Have you ever been there? One of the most prestigious hotels in the world. Have you, Griff?
I have. I was there once with someone much more senior than I in terms of corporate— not in terms of age, but in terms of seniority, when I worked in a corporation.
He took you out for a sandwich, did he?
He did, actually. Club sandwich. £18 it cost.
Rory, I imagine it's your regular. RORY CELLAN-JONES. I'm just trying to work it out. I think I once went to a wedding lunch with some rather lovely American friends there.
But I've been waiting for years to be taken for tea at the Ritz. Of course, the thing that happens at the Ritz these days is you get bugged, at least if you're the owner.
There's been a huge row, isn't there, between the various wings of the Barclay brothers?
But I've been waiting for years to be taken for tea at the Ritz. Of course, the thing that happens at the Ritz these days is you get bugged, at least if you're the owner.
There's been a huge row, isn't there, between the various wings of the Barclay brothers?
Yes. Yes, it's them who own it. They also own the Telegraph, don't they? But they've fallen out with each other. RORY CELLAN-JONES.
My advice is look in the plant pots, because there is almost always a bug there these days.
My advice is look in the plant pots, because there is almost always a bug there these days.
There's always an update in Private Eye on them. RORY CELLAN-JONES. Yeah.
Well, it's quite swanky. I don't think I've ever been in the Ritz. I once tried to get into the Ritz, but I wasn't wearing a tie or was wearing the wrong trousers or something.
It wasn't that you were shirtless.
It wasn't that you were shirtless.
It's a bit hot outside.
No, no, no, it wasn't that. It wasn't that I'd been eating a kebab late at night. I was sort of rolling down Piccadilly, so I'll go in there. No, it wasn't anything like that.
But it's quite a swanky establishment. You shouldn't confuse it with Ritz crackers, right? Don't think that— it's completely different.
But it's quite a swanky establishment. You shouldn't confuse it with Ritz crackers, right? Don't think that— it's completely different.
They're pretty classy crackers, Ritz crackers.
I'm not so sure they are, actually, Carole. It's different from that. But most of us probably will never stay there.
Some might, if they're really lucky, book tea at the Ritz, which Rory has just alluded to, for a special occasion. The Smashing Security Christmas party, for instance.
Carole, are you in charge of that?
Some might, if they're really lucky, book tea at the Ritz, which Rory has just alluded to, for a special occasion. The Smashing Security Christmas party, for instance.
Carole, are you in charge of that?
What, we can digitally go? Fantastic.
Maybe we'll be able to go for real, you know, if we take a hermetically sealed suit or something.
Oh, I doubt it. My brother-in-law said to me, Christmas is going to be the worst.
Everyone's going to be indoors, they're going to not follow protocol, and everyone's going to be sick in January. That was our Sunday phone call.
Everyone's going to be indoors, they're going to not follow protocol, and everyone's going to be sick in January. That was our Sunday phone call.
Well, I suspect— charming— I suspect most of us around the world, they probably know it from that movie Notting Hill.
Not that the Ritz is in Notting Hill, but Hugh Grant impresses Julia Roberts at the end of the movie at a press conference. She falls in love with him.
He plays the wrong version of "She." Why it isn't the Charles Aznavour version, I don't know, because that is one of the greatest songs of all time.
The Elvis Costello version is clearly deficient. That's the version that they chose to play. Most of us know the Ritz from that.
But what we've come to learn, and that thanks to a report I have to say on this newbie startup, this news organisation called the BBC. I don't know if you've heard of it. Yeah.
RORY CELLAN-JONES. A report by my colleague Chris Fox.
Not that the Ritz is in Notting Hill, but Hugh Grant impresses Julia Roberts at the end of the movie at a press conference. She falls in love with him.
He plays the wrong version of "She." Why it isn't the Charles Aznavour version, I don't know, because that is one of the greatest songs of all time.
The Elvis Costello version is clearly deficient. That's the version that they chose to play. Most of us know the Ritz from that.
But what we've come to learn, and that thanks to a report I have to say on this newbie startup, this news organisation called the BBC. I don't know if you've heard of it. Yeah.
RORY CELLAN-JONES. A report by my colleague Chris Fox.
There you are, the wonderful Chris Fox. I'm never sure how many X's he should have at the end of his name. It's up for debate. RORY CELLAN-JONES. Sometimes he has two.
He has reported about a scam which is alarmingly convincing and has been targeting diners at the Ritz.
Okay, could it fool me, do you think?
Well, maybe. No, actually, you're very cynical, Crow, and you're very sceptical. Especially about your personal— That's very good description of me. Okay, let's be kinder.
You're very careful about your personal information. You're the only person I know who actually reads privacy policies and terms and conditions.
You're very careful about your personal information. You're the only person I know who actually reads privacy policies and terms and conditions.
I bet Rory does. RORY CELLAN-JONES. No.
Who's got time for it? RORY CELLAN-JONES. Exactly.
Well, what happened was this. So there are folks out there who are making bookings at the Ritz restaurant. You know, they're not put off by the tales of pot plants being bugged.
And they're doing this online, or maybe they're doing it by phone. Of course, it gets popular at the Ritz. You may have to book it weeks and weeks in advance.
You can't just show up like I tried to without a tie. And so you do it somewhere ahead. And then, a day or two before your booking, you get a phone call.
From the Ritz reservations department.
And they're doing this online, or maybe they're doing it by phone. Of course, it gets popular at the Ritz. You may have to book it weeks and weeks in advance.
You can't just show up like I tried to without a tie. And so you do it somewhere ahead. And then, a day or two before your booking, you get a phone call.
From the Ritz reservations department.
Okay.
And you know it's the Ritz reservations department, because they say it's the Ritz reservations department, right? And that's—
That would fool me. That'd be it. Yeah, well, it would. It would, because it's the day before your restaurant. You're expecting it, and fancy restaurants do that.
So that's nothing out of the ordinary.
So that's nothing out of the ordinary.
But even if you were a little bit surprised that they were ringing you, you might check the number that they're ringing on.
And what you find when you look at your mobile phone or whatever, caller ID, is that the number matches.
And what you find when you look at your mobile phone or whatever, caller ID, is that the number matches.
Interesting.
It is the Ritz. And they go further to make this call even more convincing. They confirm your restaurant booking details.
You know, they say, Smashing Security, Christmas Eve, table 25,000, whatever it is that we've booked, you know, cheese sandwiches.
You know, they say, Smashing Security, Christmas Eve, table 25,000, whatever it is that we've booked, you know, cheese sandwiches.
Everyone's RSVP'd. It's going to be amazing.
We're going to bring all the listeners. That's right, by the way, everybody, you're all invited. RORY CELLAN-JONES. This sounds like Curmudgeon Mayo's cruise.
Do you listen to Curmudgeon Mayo?
Do you listen to Curmudgeon Mayo?
No. Are they having a cruise? RORY CELLAN-JONES. They have a cruise every year, and their entire listenership gets invited. So you've been outdone.
Well, I don't know if I'd want to be on a cruise during a pandemic. It's not gone down well for many of them.
Hasn't Carnival just suffered a data breach as well? So maybe— it's quite an idea though.
We could hire a pedalo or two, Carole, and get our listeners— bring the listeners of Tech Tent with us. RORY CELLAN-JONES. Definitely.
We could hire a pedalo or two, Carole, and get our listeners— bring the listeners of Tech Tent with us. RORY CELLAN-JONES. Definitely.
So they confirm all those details, and you think, wow, this really is the Ritz. And then they say, look, "to make the booking, we just need to confirm some details."
"We just need to confirm your credit card details." Yeah, you see, I might fall for that too, because that does happen, especially in fancy pants restaurants.
They sometimes want £100 down to make sure that you're going to show up.
They sometimes want £100 down to make sure that you're going to show up.
Right. And you know, it's the Ritz, it's posh, and posh people obviously don't scam people.
£18 club sandwiches, right? RORY CELLAN-JONES. Yeah. Posh people aren't going to bilk you, are they?
No. It had egg in it. What kind of club sandwich is that anyway?
Well, the scammers have now got your card details. And what do these scammers do, having stolen the credit card details from people who dine at the Ritz?
They take those credit card details and they spend thousands of pounds with those credit card details at Argos. RORY CELLAN-JONES. What? Argos?
They take those credit card details and they spend thousands of pounds with those credit card details at Argos. RORY CELLAN-JONES. What? Argos?
Oh boy. The no-longer-catalogue catalogue company. Do you know that they've stopped their catalogue?
Have they stopped their catalogue, have they?
And I've read somewhere online you can find all their catalogues since 1974. Someone has put them all up, so you can actually go back and see what was available at the early days.
I think for our listeners overseas, we should explain what Argos is, because we had a certain reaction to that.
It's a bit like a less posh L.L. Bean.
I think it's more like communist Russia before the fall of the Iron Curtain.
Oh, stop it! That sounds racist.
No, it is, because you go to an Argos and you're told, "Please go to till A, B, or C," and you queue there. RORY CELLAN-JONES. Yes, that's what you do at L.L.
Bean as well. RORY CELLAN-JONES. Yeah, it's actually quite an innovative— I know what you're talking about.
It's a bit, in a funny kind of way, a bit like Foyles Bookshop in a very different context.
Many, many years ago, when you went to the venerable Foyles Bookshop on the Charing Cross Road, and you bought a book, you couldn't just buy it.
You had to go to till C and wait for somebody to handcraft it for you, virtually.
It's a bit, in a funny kind of way, a bit like Foyles Bookshop in a very different context.
Many, many years ago, when you went to the venerable Foyles Bookshop on the Charing Cross Road, and you bought a book, you couldn't just buy it.
You had to go to till C and wait for somebody to handcraft it for you, virtually.
It's true, Foyles is an extraordinary experience.
Anyway, as the BBC, as the venerable BBC reports, if the bank spotted that suspicious Argos transaction, thought, you don't normally spend £1,000 at Argos.
Anyway, as the BBC, as the venerable BBC reports, if the bank spotted that suspicious Argos transaction, thought, you don't normally spend £1,000 at Argos.
How many pools do you need, sir?
The scammer phones the victim up again, this time pretending to be from their bank. And what they do is they say, someone's just tried to use your credit card at Argos.
'We're gonna cancel the transaction.
Can you just read out the security code?' 'Which you've just been sent on your mobile phone to make sure we're talking to the right person.' It's pretty sneaky.
'We're gonna cancel the transaction.
Can you just read out the security code?' 'Which you've just been sent on your mobile phone to make sure we're talking to the right person.' It's pretty sneaky.
One thing I didn't get is how are these miscreants getting my phone number in the first place? RORY CELLAN-JONES. That is the $64,000 question, isn't it?
Yeah. RORY CELLAN-JONES. Because this data was presumably stored by the Ritz when people rang up and booked in the first place.
So who knows how the Ritz is storing that information? Are they putting it down on little pieces of paper and sticking it to the wall? Have they got an Excel spreadsheet?
Have they got some properly authenticated and carefully password-protected database?
Have they got some properly authenticated and carefully password-protected database?
So seriously, you don't know? RORY CELLAN-JONES. You don't know?
No, we don't know.
Oh, so you don't know? Okay, I didn't realise.
They have admitted that they know they've suffered some kind of data breach involving their reservations department.
Insider job, anyone?
Well, that's a possibility as well, isn't it? It could be someone on the inside who could be doing it. We don't really know. But it's quite sneaky.
Now, one of the potential victims of this told the BBC that this whole thing happened to them, but they were able to dumbfound the scammer.
And the way in which they did it is they asked their caller specific questions about the hotel's facilities, which the scammer wasn't able to answer.
Now, one of the potential victims of this told the BBC that this whole thing happened to them, but they were able to dumbfound the scammer.
And the way in which they did it is they asked their caller specific questions about the hotel's facilities, which the scammer wasn't able to answer.
Okay.
So I don't know what they would have been. I don't know if they were deliberately trying to trip up the scammer or whether they were saying—
Please remind me how many toilets you have available on the first floor. And ice machines, those exist?
Is the loo paper double quilted or will I be using the neck of a swan?
Are the utensils actually silver or just silver-plated? RORY CELLAN-JONES. Is it the 1927 Sauternes or the 1935?
I cannot have my chilled grapes with anything else.
Now, I went to the Ritz website trying to find out some trivia, okay, so that I was ready in case I got one of these calls. There's not very interesting trivia.
There is one about the Queen Mum. If you remember the Queen Mother, she used to regularly dine at the Ritz.
There is one about the Queen Mum. If you remember the Queen Mother, she used to regularly dine at the Ritz.
How could anyone forget the Queen Mother? RORY CELLAN-JONES. My God.
Well, no, she used to go to the Ritz and her favourite song they'd play on the piano—well, can you guess what her favourite song was on the piano that she'd like to play there?
RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
It was actually the Ace of Spades by Motörhead. Sorry, Rory. Yes, it was A Nightingale Sang in Berkeley Square. You're quite right. Anyway, so—
I can't even believe you know the Ace of Spades from Motörhead. Did your son introduce you to them?
What are you saying about me, Carole? It's Motörhead.
Graham seems outside your echo chamber.
So we are warning people, whether you are booking a lunch or a tea at the Ritz or anywhere else, be wary of calls where they ask you to confirm your credit card details or your account details.
Oh, thanks, Graham. That's really useful.
Watch out for caller ID. Alright, don't be so sarcastic. No, but what are you supposed to do?
So say you have made a booking at one of these fancy restaurants and say they do call you to confirm. RORY CELLAN-JONES.
Yeah, but they're not going to ask you to confirm your credit card details, are they?
Yeah, but they're not going to ask you to confirm your credit card details, are they?
And the Ritz have confirmed that.
Well, that's happened to me, okay.
The Ritz have said that they won't ask you to do that once you've given them to them.
And furthermore, be aware that just because a phone call says it comes from a number, caller ID spoofing is very much within the capabilities of criminals.
And furthermore, be aware that just because a phone call says it comes from a number, caller ID spoofing is very much within the capabilities of criminals.
Mm-hmm.
So, don't do it.
And another piece of advice is, if you do get a scam call, hang up the phone and preferably use a different phone to then call your bank or whoever it is, using a number on their legitimate website or on the back of your bank card instead.
Sometimes people have hung up the phone and then picked up the same phone, and they haven't realised they're still connected to the bad guys.
And another piece of advice is, if you do get a scam call, hang up the phone and preferably use a different phone to then call your bank or whoever it is, using a number on their legitimate website or on the back of your bank card instead.
Sometimes people have hung up the phone and then picked up the same phone, and they haven't realised they're still connected to the bad guys.
What, the guy just changes his voice and goes, "Hello! This is your Barclays Bank!" Oh God.
Rory, what have you got for us this week? RORY CELLAN-JONES. What I've got is the tortuous saga of the UK's attempts to lead the world in contact tracing via a Bluetooth app.
So I first got involved in this — I got a phone call in late March from someone who I'll only describe as a very senior figure in the UK tech community.
This person said to me, "Could I help this team?" They seemed to have some idea that I had to explain that eventually I was a journalist.
I was very interested in the story, but I wasn't going to actually be part of the team anyway that was doing this incredibly secret and important mission that could save hundreds of thousands of lives.
So I said, "Well, I'm not entirely sure that I'm going to be a consultant," which is what they wanted me to be.
"But I could be a journalist and you can tell me everything." And so they kind of put me in touch with the people doing this app.
And then the saga unrolled, as we'll all remember, over the months as the NHS in England, the digital division NHSX, tried to create this app.
And what has interested me about this in particular is the row over privacy and how that's gone.
Because if you remember with this saga, they were originally going to build an app that was on what's called a centralized basis.
There would be some data collected by the NHS centrally — not of your location, but of your contacts with other phones.
Because the way this thing works, it uses the Bluetooth on your phone and it detects whether you're, in theory, within two meters of somebody else who's also running the app, and it stores that data.
And then when one of you reports that you've got the virus, the others get an alert saying, "Hey, you need to self-isolate."
So I first got involved in this — I got a phone call in late March from someone who I'll only describe as a very senior figure in the UK tech community.
This person said to me, "Could I help this team?" They seemed to have some idea that I had to explain that eventually I was a journalist.
I was very interested in the story, but I wasn't going to actually be part of the team anyway that was doing this incredibly secret and important mission that could save hundreds of thousands of lives.
So I said, "Well, I'm not entirely sure that I'm going to be a consultant," which is what they wanted me to be.
"But I could be a journalist and you can tell me everything." And so they kind of put me in touch with the people doing this app.
And then the saga unrolled, as we'll all remember, over the months as the NHS in England, the digital division NHSX, tried to create this app.
And what has interested me about this in particular is the row over privacy and how that's gone.
Because if you remember with this saga, they were originally going to build an app that was on what's called a centralized basis.
There would be some data collected by the NHS centrally — not of your location, but of your contacts with other phones.
Because the way this thing works, it uses the Bluetooth on your phone and it detects whether you're, in theory, within two meters of somebody else who's also running the app, and it stores that data.
And then when one of you reports that you've got the virus, the others get an alert saying, "Hey, you need to self-isolate."
Right. RORY CELLAN-JONES.
Very quickly, privacy campaigners here and around the world began to say, "Just a minute, this is very Big Brother." And eventually there was an alternative system produced by Google and Apple.
They weren't producing apps — they produced an API, basically a toolkit for apps — but they had to be decentralized apps where the data would all be stored on the individual smartphones and the matching would only take place between the smartphones, nothing collected centrally.
And that is the path that just about everybody, including the NHS in England, has now gone down.
Very quickly, privacy campaigners here and around the world began to say, "Just a minute, this is very Big Brother." And eventually there was an alternative system produced by Google and Apple.
They weren't producing apps — they produced an API, basically a toolkit for apps — but they had to be decentralized apps where the data would all be stored on the individual smartphones and the matching would only take place between the smartphones, nothing collected centrally.
And that is the path that just about everybody, including the NHS in England, has now gone down.
So the NHS in England now has an app which follows the Google and Apple model? RORY CELLAN-JONES.
Yeah, so we had this big crisis in June where, having said we're very confident in our centralized app, which didn't have the full cooperation of Apple in particular, which was key because making Bluetooth work in the background on phones is a bit of a nightmare.
Apple weren't really being helpful. The NHS reckoned it had found a workaround. Then they announced in June it wasn't good enough, the workaround.
So they were going back to the drawing board with a decentralized app, which would fit with Apple and Google.
And all the privacy — this is what I find interesting — all the privacy campaigners said, "Ah, we told you so, you should have done that from the start."
Yeah, so we had this big crisis in June where, having said we're very confident in our centralized app, which didn't have the full cooperation of Apple in particular, which was key because making Bluetooth work in the background on phones is a bit of a nightmare.
Apple weren't really being helpful. The NHS reckoned it had found a workaround. Then they announced in June it wasn't good enough, the workaround.
So they were going back to the drawing board with a decentralized app, which would fit with Apple and Google.
And all the privacy — this is what I find interesting — all the privacy campaigners said, "Ah, we told you so, you should have done that from the start."
I think we're guilty of that. I think we were saying that on the podcast.
Yeah, but we also watched Germany go through the exact similar paces about two months earlier. RORY CELLAN-JONES. Exactly. Well, about a month earlier. So Germany had this huge debate.
Obviously, Germany incredibly privacy-focused, and went decentralized and got their app out.
And now, just last week, we have got a decentralized app, which again is being tested in the Isle of Wight and is sitting on my phone right here. I've had access to it.
Obviously, Germany incredibly privacy-focused, and went decentralized and got their app out.
And now, just last week, we have got a decentralized app, which again is being tested in the Isle of Wight and is sitting on my phone right here. I've had access to it.
Is there a problem in so much as they're testing it on the Isle of Wight?
Because I've been to the Isle of Wight and most people — well, maybe this is an exaggeration — a lot of people who live on the Isle of Wight probably don't know how to install apps onto their phones because of their demographic.
RORY CELLAN-JONES. I think that's exaggerated.
Because I've been to the Isle of Wight and most people — well, maybe this is an exaggeration — a lot of people who live on the Isle of Wight probably don't know how to install apps onto their phones because of their demographic.
RORY CELLAN-JONES. I think that's exaggerated.
Is Graham exaggerating? RORY CELLAN-JONES. Yeah. The one thing they did pretty well with, frankly, is getting something like 50,000 out of 55,000 out of 140,000 people downloading.
Right.
Right.
A third pickup, yeah. RORY CELLAN-JONES. Actually, as a percentage of the population, isn't too bad.
And they're also going to be testing it in the London Borough of Newham, you know, a very dense inner city place separately. There are two big questions here.
First of all, did we get too excited about privacy? Because there's a debate here.
As this was rolling out, the very same people who were saying this is a real attack on privacy, this sort of centralized app, were also saying and why can't we be more like South Korea?
Sometimes the very same people, they've done really well.
And they're also going to be testing it in the London Borough of Newham, you know, a very dense inner city place separately. There are two big questions here.
First of all, did we get too excited about privacy? Because there's a debate here.
As this was rolling out, the very same people who were saying this is a real attack on privacy, this sort of centralized app, were also saying and why can't we be more like South Korea?
Sometimes the very same people, they've done really well.
Oh, I know, I've heard that argument. I think it's insane. RORY CELLAN-JONES. And the point is that South Korea didn't use a Bluetooth contact tracing app.
They used vast amounts of quite intrusive data. Every single credit card transaction, people's movements, your mortgage information, insurance information, everything.
And they then published it online. Citizen 1234 left his, left this building, went to this restaurant, did this, did that.
Meanwhile, here in the UK, we were having this debate where we said we're worried about anonymized contact data being in the hands of the NHS, but at the very same time, we are being ordered to stay at home.
We were having our freedom curtailed that way. So there was a bit of a debate there.
And the other side of the debate is who were the arbiters of what was allowed in the final analysis of these decentralized apps? Apple and Google.
So Apple and Google ended up saying, hey, can you just use ours, please?
Well, yeah, but also Apple and Google were deciding what the balance between privacy and public good should be.
And the other huge question is Bluetooth contact tracing apps are a brilliant idea, but they're just an idea and nobody knows whether they work.
They used vast amounts of quite intrusive data. Every single credit card transaction, people's movements, your mortgage information, insurance information, everything.
And they then published it online. Citizen 1234 left his, left this building, went to this restaurant, did this, did that.
Meanwhile, here in the UK, we were having this debate where we said we're worried about anonymized contact data being in the hands of the NHS, but at the very same time, we are being ordered to stay at home.
We were having our freedom curtailed that way. So there was a bit of a debate there.
And the other side of the debate is who were the arbiters of what was allowed in the final analysis of these decentralized apps? Apple and Google.
So Apple and Google ended up saying, hey, can you just use ours, please?
Well, yeah, but also Apple and Google were deciding what the balance between privacy and public good should be.
And the other huge question is Bluetooth contact tracing apps are a brilliant idea, but they're just an idea and nobody knows whether they work.
So I have one thing that I have to say.
This virus is global and an NHS contact and trace app is very geographically decided, like many apps around the world, and that's kind of a problem.
I kind of like the idea that Apple and Google, two competitors, got together to put something together that actually everyone could potentially use.
Because when we start traveling again, it might be good to have that information and not have to kind of go, oh, what's your app do? My app, what's your app? RORY CELLAN-JONES.
Yeah, that still means that you've got to share a database, not of people's contacts, but of who's tested positive.
Because otherwise, you know, if I go to Germany with my app and somebody I meet tests positive in Germany, how is that information going to get to my app and therefore me?
Only if the UK and Germany share a database of people who've tested positive. So there are always potential privacy snafus.
This virus is global and an NHS contact and trace app is very geographically decided, like many apps around the world, and that's kind of a problem.
I kind of like the idea that Apple and Google, two competitors, got together to put something together that actually everyone could potentially use.
Because when we start traveling again, it might be good to have that information and not have to kind of go, oh, what's your app do? My app, what's your app? RORY CELLAN-JONES.
Yeah, that still means that you've got to share a database, not of people's contacts, but of who's tested positive.
Because otherwise, you know, if I go to Germany with my app and somebody I meet tests positive in Germany, how is that information going to get to my app and therefore me?
Only if the UK and Germany share a database of people who've tested positive. So there are always potential privacy snafus.
I think you raise an interesting question here, which is about this balance between, you know, sure, yes, us privacy wonks, and that's obviously the direction which I'm sort of coming from.
We have a particular viewpoint, but at the same time, there's a pandemic going on, and lots of people are dying.
And maybe you should give up something, just like you've given up some of your personal freedom.
You're staying at home, you're not going out to the cinema, doing crazy things like that because of this to help other people. Maybe you should give a little bit away as well.
We have a particular viewpoint, but at the same time, there's a pandemic going on, and lots of people are dying.
And maybe you should give up something, just like you've given up some of your personal freedom.
You're staying at home, you're not going out to the cinema, doing crazy things like that because of this to help other people. Maybe you should give a little bit away as well.
It's a bit different. RORY CELLAN-JONES. And can I come back to this thing of do these damn things work at all? Well, right, exactly.
So Germany and Switzerland, a few weeks ago I got in touch with both of them to say, how's it going? And they basically said we haven't got a clue.
They know how many people have downloaded, but they had no data, they said, because of the decentralized nature of the app on how many people had been alerted and then decided to go in quarantine because of this.
The other point, though, is that for Germany, it didn't matter too much.
The UK started down this path with absolutely zero in the way of contact tracing operations, manual contact tracing operations.
So they got far too excited, the UK government, about the potential of technology. They were starry-eyed about it.
We know that Matt Hancock built his own app a few years ago to some amusement.
He was, you know, tap dancing on the table in Downing Street saying this app's going to change the world.
And it was quite notable last week, not a peep out of him as the second version was released.
So Germany and Switzerland, a few weeks ago I got in touch with both of them to say, how's it going? And they basically said we haven't got a clue.
They know how many people have downloaded, but they had no data, they said, because of the decentralized nature of the app on how many people had been alerted and then decided to go in quarantine because of this.
The other point, though, is that for Germany, it didn't matter too much.
The UK started down this path with absolutely zero in the way of contact tracing operations, manual contact tracing operations.
So they got far too excited, the UK government, about the potential of technology. They were starry-eyed about it.
We know that Matt Hancock built his own app a few years ago to some amusement.
He was, you know, tap dancing on the table in Downing Street saying this app's going to change the world.
And it was quite notable last week, not a peep out of him as the second version was released.
App? RORY CELLAN-JONES. What app? What? What app? Yeah, yeah.
So whereas Germany, Germany had a very efficient regionally based contact tracing system, manual contact tracing system, people ring you up in place.
So this, it doesn't matter frankly if it doesn't work very well. It's an optional extra. It's a nice to have rather than a must have.
So whereas Germany, Germany had a very efficient regionally based contact tracing system, manual contact tracing system, people ring you up in place.
So this, it doesn't matter frankly if it doesn't work very well. It's an optional extra. It's a nice to have rather than a must have.
Do you know what the pickup of the app is in Germany? Like, is it a third of the population or more? RORY CELLAN-JONES.
Last time I saw figures that was about 15, 16 million out of about 80 million. And that's the other thing.
When this idea came forward originally, people said you're going to need 60% of the population for it to be worthwhile.
I think they could work in very select and play a useful role in very select sort of areas.
So people commuting into a city, if you've got lots of people who use the tube every day, because that's what it's doing.
The only thing it does better than a human being is detect people that you don't know, frankly. You sit next to somebody on the bus.
When you get the positive test a few days later, and they say, who were you sitting next to? I don't know. Whereas the app might be able to tell you.
So if you could get discrete populations to do it, it could play a part.
But I think there was a huge amount of tech utopianism, not just here, but around the world, about ways smartphones are going to be the solution to all of this, and they're really not.
Last time I saw figures that was about 15, 16 million out of about 80 million. And that's the other thing.
When this idea came forward originally, people said you're going to need 60% of the population for it to be worthwhile.
I think they could work in very select and play a useful role in very select sort of areas.
So people commuting into a city, if you've got lots of people who use the tube every day, because that's what it's doing.
The only thing it does better than a human being is detect people that you don't know, frankly. You sit next to somebody on the bus.
When you get the positive test a few days later, and they say, who were you sitting next to? I don't know. Whereas the app might be able to tell you.
So if you could get discrete populations to do it, it could play a part.
But I think there was a huge amount of tech utopianism, not just here, but around the world, about ways smartphones are going to be the solution to all of this, and they're really not.
I think it's a little bit more nuanced than purely the privacy brigade who are up in arms about the centralized approach.
And for instance, one of the issues I had with the centralized approach was one of perception. You talk about the need for lots of people to install the app.
If there was the perception that privacy wasn't being taken seriously, compared to maybe other countries, that would prevent people from doing it. RORY CELLAN-JONES.
That's a real chicken and egg thing though, isn't it? What you're saying is if privacy campaigners made enough fuss about it, that would put people off.
And for instance, one of the issues I had with the centralized approach was one of perception. You talk about the need for lots of people to install the app.
If there was the perception that privacy wasn't being taken seriously, compared to maybe other countries, that would prevent people from doing it. RORY CELLAN-JONES.
That's a real chicken and egg thing though, isn't it? What you're saying is if privacy campaigners made enough fuss about it, that would put people off.
Hmm. I think the fact Dido Harding was running things was putting some people off, given her background as well.
That seemed a very strange choice to me if they wanted to instill confidence. RORY CELLAN-JONES.
I think the interesting thing about Dido Harding is that my suspicion is that she came in to run this manual tracing operation, looked at this app and said, "What's that about?
Why are we doing that?" I think she was the one that basically kiboshed it.
That seemed a very strange choice to me if they wanted to instill confidence. RORY CELLAN-JONES.
I think the interesting thing about Dido Harding is that my suspicion is that she came in to run this manual tracing operation, looked at this app and said, "What's that about?
Why are we doing that?" I think she was the one that basically kiboshed it.
Ah, that's interesting.
Rory, Rory, was Dido the tech bigwig? RORY CELLAN-JONES. No, no, she wasn't actually. Shucks.
I was trying to work it out.
That was subtle, Graham.
It was good. RORY CELLAN-JONES. You're very subtle. I'm going to reveal all my sources are on this podcast, which is heard around the world by all the most influential people.
Carole, what have you got for us this week?
Okay, well, we're going to the land of robocalls. We all hate them. I mean, everyone in the world must hate them.
We're not as inundated by these as much as our US counterparts, are we? Like, it was bad a few years ago, maybe 5 years ago here in the UK?
We're not as inundated by these as much as our US counterparts, are we? Like, it was bad a few years ago, maybe 5 years ago here in the UK?
I don't think I've ever had a robocall. RORY CELLAN-JONES. Oh really? I've had a zillion of them.
What do you mean by a robocall? RORY CELLAN-JONES. Have you ever been in an accident that wasn't your fault, Graham?
Yes! RORY CELLAN-JONES. Can I just briefly interrupt here to tell you this?
That's exactly it.
Do you have a Microsoft problem? You know? RORY CELLAN-JONES. Oh yeah.
I don't get those. I don't get these calls.
You've never had them? RORY CELLAN-JONES. I get them on my mobile, which is extraordinary. Yes. Because one's landline quickly becomes solely for spam calls.
I got so annoyed with the constant call from the robot saying, have you ever been in an accident that was not your fault?
That once I played along and I started crying, I said, it was not my fault. And it cut. I think the machine exploded eventually.
I got so annoyed with the constant call from the robot saying, have you ever been in an accident that was not your fault?
That once I played along and I started crying, I said, it was not my fault. And it cut. I think the machine exploded eventually.
Okay, so what advice do you give?
Because these guys I'm going to talk about have done some research, and it'll just be interesting to know before I start, what kind of normal advice would you give to people?
So say I called you up and said, I'm getting scourged by this, this number keeps calling me, these people keep calling me, and they're selling me stuff.
Because these guys I'm going to talk about have done some research, and it'll just be interesting to know before I start, what kind of normal advice would you give to people?
So say I called you up and said, I'm getting scourged by this, this number keeps calling me, these people keep calling me, and they're selling me stuff.
Is there not a do not call list or something, which maybe I signed up for years and years ago? Or contact your phone provider and say, what's all this about?
Okay. RORY CELLAN-JONES. You can get your calls screened.
I mean, the serious side of this is I got an elderly relative who was scammed by some of these people, and we did then put a call screening system in front so that, you know, it would be a bit more difficult.
I mean, the serious side of this is I got an elderly relative who was scammed by some of these people, and we did then put a call screening system in front so that, you know, it would be a bit more difficult.
I used to block the numbers. You know, if this number kept calling, I'd block it. And you'd never answer one, right? The idea was just do not answer because then what was it?
It was you're confirming that you're a real, live character.
It was you're confirming that you're a real, live character.
The only people who regularly call me up are the Ritz reservations department. I'm very happy to deal with them. RORY CELLAN-JONES.
I did, some years, and it used to drive my wife up the wall. Deliberately stringing them along. I mean, not the robocalls, but the Microsoft service centers.
And I did have a guy on the phone for 30 minutes with my Windows PC and then revealed that it was a Mac, actually. And he shouted at me, you've been wasting my time.
I did, some years, and it used to drive my wife up the wall. Deliberately stringing them along. I mean, not the robocalls, but the Microsoft service centers.
And I did have a guy on the phone for 30 minutes with my Windows PC and then revealed that it was a Mac, actually. And he shouted at me, you've been wasting my time.
When I think of all the tech PRs who are probably trying to get the ear of Rory Cellan-Jones and all they had to do is pretend to be a Microsoft support engineer.
Just try and scam them. RORY CELLAN-JONES. Yes, exactly. That is the way.
So there's this paper by these researchers at North Carolina State University. They presented at a recent security conference last week.
And this is apparently the first large-scale longitudinal analysis of unsolicited calls to basically a US honeypot.
And the paper is called "Who's Calling," link in the show notes, etc. So they set up over 66,000 phone lines, ran them for about 11 months. And this is starting March last year.
So 11 months, 66,000 active phone numbers. All of these were clean. I mean, the numbers were never made public by any source. How many calls do you think these guys received?
And this is apparently the first large-scale longitudinal analysis of unsolicited calls to basically a US honeypot.
And the paper is called "Who's Calling," link in the show notes, etc. So they set up over 66,000 phone lines, ran them for about 11 months. And this is starting March last year.
So 11 months, 66,000 active phone numbers. All of these were clean. I mean, the numbers were never made public by any source. How many calls do you think these guys received?
66,000. So what, each one or altogether?
All together.
Over how long? How many months?
11.
Oh, crumbs. Okay, I'm just gonna do some maths. I'm gonna say 5 million.
No, I think it's—
Have I ruined it? Yeah, it's okay.
I'm gonna say 5,000. It's quite funny. RORY CELLAN-JONES. 27.
No, 1.48 million calls were received.
Oh, wow. Oh my goodness. That's much more than I— RORY CELLAN-JONES. That's a big number.
Yes.
So my—
I was gonna end this piece by saying, yeah, not many calls per number. It works out to something about 22 per phone number during that time.
But I still think it's worthwhile research because there's some interesting findings, which I will share with you now.
So they basically had these 66,000 phones and 3,000 randomly selected phones would answer calls while the other ones rejected calls.
And from this, they were able to get 145,000 call recordings. And with that, they were able to figure out how campaigns worked, what could be done about them.
As you guys know, most robocalls are designed to be answered, right? And they normally last less than a minute, about 48 seconds I think was the average.
And they're often focused on things, at the moment actually, there's been a bit of a rise on health insurance and COVID tests, which is doing the robocalls in the States.
RORY CELLAN-JONES. Surprise, surprise.
But I still think it's worthwhile research because there's some interesting findings, which I will share with you now.
So they basically had these 66,000 phones and 3,000 randomly selected phones would answer calls while the other ones rejected calls.
And from this, they were able to get 145,000 call recordings. And with that, they were able to figure out how campaigns worked, what could be done about them.
As you guys know, most robocalls are designed to be answered, right? And they normally last less than a minute, about 48 seconds I think was the average.
And they're often focused on things, at the moment actually, there's been a bit of a rise on health insurance and COVID tests, which is doing the robocalls in the States.
RORY CELLAN-JONES. Surprise, surprise.
Now, there are two types of call. This is a little quiz for you. The two types of calls, robocalls, that are not intended to be answered. Do you guys know what they are?
Not intended to be answered? Are they ones telling you to vote for a particular person, so they leave the message on your answer machine, or?
One is voicemail scam, but it works really interestingly, right?
So the idea, basically, inject the recording into the voice box rather than trying to get the person to listen to it in real time. But this is how they do it.
They will place two simultaneous calls to the target. So that the second call finds the line busy and is redirected to voicemail.
And as soon as that second call is connected, first one is disconnected, often before it rings. So it doesn't get any further.
So the idea, basically, inject the recording into the voice box rather than trying to get the person to listen to it in real time. But this is how they do it.
They will place two simultaneous calls to the target. So that the second call finds the line busy and is redirected to voicemail.
And as soon as that second call is connected, first one is disconnected, often before it rings. So it doesn't get any further.
So why do they do that? Why do they want it to be a voicemail rather than a real one?
It may just be to get the message out or because they don't want to call back. RORY CELLAN-JONES.
At some stage, you might actually listen to your voicemail and take it more seriously.
At some stage, you might actually listen to your voicemail and take it more seriously.
Yes. Whereas a phone call arrives who knows what time and it's irritating because it's interrupting you. Whereas a voicemail, you choose when to listen to it, if at all.
Yeah, we actually— here's another possibility. It's similar to the wangiri scams. Have you heard that word? I had never heard of it.
Okay, and so apparently it's from a Japanese word which basically means one ring, right? So effectively, they call a number once, hang up. So wangiri.
Yeah, once I— I never heard the term before. So these calls are effectively free for the perp to make because the incomplete call attempts are not billable.
However, the victim sees the missed call, and many victims will attempt to return the call and get charged at premium rates.
So that may be what's happening with the voicemail scams as well. Call us back on this number, and it's a premium rate number.
Okay, and so apparently it's from a Japanese word which basically means one ring, right? So effectively, they call a number once, hang up. So wangiri.
Yeah, once I— I never heard the term before. So these calls are effectively free for the perp to make because the incomplete call attempts are not billable.
However, the victim sees the missed call, and many victims will attempt to return the call and get charged at premium rates.
So that may be what's happening with the voicemail scams as well. Call us back on this number, and it's a premium rate number.
So I think this may be the only kind of robocall I do get, because I do occasionally get calls from Albania and bizarre countries which then hang up.
And I would imagine some people would think, oh, someone called me.
And I would imagine some people would think, oh, someone called me.
Oh yeah, you're such an international super tech star, you're thinking, my God, that must be my friends, I might call them.
So I just block those numbers so they hopefully don't irritate me.
Right, yeah. Okay, interesting that you block the numbers. Interesting, interesting. Okay, so just a few highlights. Robo traffic came in surges.
These storms, which basically were abnormally large number of unsolicited calls, were done in a day. And these occurred frequently.
And I think we used to see that even with spam campaigns in the old days, right? You'd see this huge surge and then it would drop off.
So short, it's short burst, well-organized campaigns. But not all the calls during these storms were from robocallers. A significant chunk were from real people.
And these, remember, these numbers were never given out. Can you think of how that would happen?
These storms, which basically were abnormally large number of unsolicited calls, were done in a day. And these occurred frequently.
And I think we used to see that even with spam campaigns in the old days, right? You'd see this huge surge and then it would drop off.
So short, it's short burst, well-organized campaigns. But not all the calls during these storms were from robocallers. A significant chunk were from real people.
And these, remember, these numbers were never given out. Can you think of how that would happen?
Are they starting at 00000 and working their way up or what?
No, the spammers are using some of their numbers as caller ID spoofing. Remember you were talking about that in your section?
So they would steal the numbers from the honeypot, use them as a caller ID spoof. The person would then call back the honeypot to complain or to find out what was going on.
Unbelievable.
So they would steal the numbers from the honeypot, use them as a caller ID spoof. The person would then call back the honeypot to complain or to find out what was going on.
Unbelievable.
Fascinating.
I know. When do you think robocallers are most active? RORY CELLAN-JONES. Early evening.
They had a very definite pattern.
Yeah, when people are at home.
That's what I would have thought. And apparently they're just us. They need to get the kids to have dinner and go to bed, and they have weekends off.
So 90% of the unsolicited phone calls are made during weekdays. And 80% during local working hours. So that's why a lot of things are about students or the elderly, insurance.
They think they're targeting the people that might be more vulnerable or financially less stable. Does answering a robocall mean you're likely to get more calls?
So this is something that regulatory agencies recommend all the time, and these guys decided to find out.
So the researchers declined every unsolicited robocall every unsolicited received call on 3,000 numbers for 6 weeks, and then they answered every single one for another 6 weeks.
And answering the call didn't seem to impact the frequency of calls at all. Isn't that interesting? Because I've always thought that. I always thought, oh God, now I'm, I've been had.
You know, they've got me. They're going to share my number and say, live one here. RORY CELLAN-JONES. But it shows they're dumb, doesn't it? Much better strategy.
So 90% of the unsolicited phone calls are made during weekdays. And 80% during local working hours. So that's why a lot of things are about students or the elderly, insurance.
They think they're targeting the people that might be more vulnerable or financially less stable. Does answering a robocall mean you're likely to get more calls?
So this is something that regulatory agencies recommend all the time, and these guys decided to find out.
So the researchers declined every unsolicited robocall every unsolicited received call on 3,000 numbers for 6 weeks, and then they answered every single one for another 6 weeks.
And answering the call didn't seem to impact the frequency of calls at all. Isn't that interesting? Because I've always thought that. I always thought, oh God, now I'm, I've been had.
You know, they've got me. They're going to share my number and say, live one here. RORY CELLAN-JONES. But it shows they're dumb, doesn't it? Much better strategy.
It's like, why are you missing a trick here, dudes?
So they're pimping on these calls, they're pimping all kinds of stuff, but mostly was Social Security scams, Google search promotion services, which means they must be going after small businesses.
RORY CELLAN-JONES. What you really want to know from this, which they can't know, is what the rate of return is.
So they're pimping on these calls, they're pimping all kinds of stuff, but mostly was Social Security scams, Google search promotion services, which means they must be going after small businesses.
RORY CELLAN-JONES. What you really want to know from this, which they can't know, is what the rate of return is.
Yeah, totally. RORY CELLAN-JONES. You know, what are the economics of it?
Obviously the robot makes a huge difference, but they must need to do some A/B testing between robot and real person because the robot is much more economical, but presumably hardly anybody falls for it.
Obviously the robot makes a huge difference, but they must need to do some A/B testing between robot and real person because the robot is much more economical, but presumably hardly anybody falls for it.
Yeah. Well, the clincher here, this is what I found most surprising.
OK, so regulatory changes made by the FCC in 2017 authorized the telecom operators to block calls which seem to come from unassigned or unallocated or invalid phone numbers.
And it also allowed providers to maintain a do-not-originate list to block calls from certain numbers.
But these changes didn't address the scenarios where legitimate numbers were used to spoof the caller ID, or where the caller ID wasn't spoofed at all.
And they go on to say that out of the 1.5 million calls they received to their honeypot, only 50,000 could have been outright blocked by providers. So 3% would have been blocked.
RORY CELLAN-JONES. So it's not working very well.
OK, so regulatory changes made by the FCC in 2017 authorized the telecom operators to block calls which seem to come from unassigned or unallocated or invalid phone numbers.
And it also allowed providers to maintain a do-not-originate list to block calls from certain numbers.
But these changes didn't address the scenarios where legitimate numbers were used to spoof the caller ID, or where the caller ID wasn't spoofed at all.
And they go on to say that out of the 1.5 million calls they received to their honeypot, only 50,000 could have been outright blocked by providers. So 3% would have been blocked.
RORY CELLAN-JONES. So it's not working very well.
Yeah, and that's a real nightmare. It's like, to your point on your story, Rory, right? There's a bleeding pandemic on.
This is the time where you really want contact and tracers really want people to answer the phone. RORY CELLAN-JONES. Yeah, good point.
This is the time where you really want contact and tracers really want people to answer the phone. RORY CELLAN-JONES. Yeah, good point.
And it would be nice if we could trust that rather than going, I don't know this number, block, block, block.
These youngsters these days, they don't use the phone anyway, do they? I think more and more people are avoiding voice chatting and are preferring to WhatsApp or Facebook message.
Oh yeah, that's safe.
Well, I'm not saying they are.
You trust everything on those.
Isn't instant messaging what all the kids are doing these days? RORY CELLAN-JONES. It is. I mean, seriously is.
This is a fun conversation. Tell me about the kids. RORY CELLAN-JONES. Guys, we do need an analysis of what happens when contact tracers do call people up.
Yeah, totally. RORY CELLAN-JONES. Whether people under 30 actually answer the phone at all.
Yeah, yeah.
Anyway, there you go.
So that's the latest on robocalls. It's quite an interesting paper.
And there are links in the show notes if you want to read more about Hey, you IT security guys out there, I know that you have a tough job.
If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.
They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.
There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
And there are links in the show notes if you want to read more about Hey, you IT security guys out there, I know that you have a tough job.
If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.
They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.
There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. RORY CELLAN-JONES. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
And my pick of the week is not— Well, some of it's security-related and some of it isn't.
Oh.
This is a very, very special pick of the week.
Oh, okay.
This is what I believe is known as a meta pick of the week, because this pick of the week is a pick of the week about pick of the week.
We have had from time to time listeners say to us, have you got a list of all of your picks of the week?
Because we remember you once spoke about a shoelace website and now we can't find out what episode that's in or whatever, or we can't find the link.
Well, thanks to some of our glorious listeners, and I'm going to thank some of them now, John Bettinarty Ward, Nathan, Pale Skinny Swede, and Shahid.
We have had from time to time listeners say to us, have you got a list of all of your picks of the week?
Because we remember you once spoke about a shoelace website and now we can't find out what episode that's in or whatever, or we can't find the link.
Well, thanks to some of our glorious listeners, and I'm going to thank some of them now, John Bettinarty Ward, Nathan, Pale Skinny Swede, and Shahid.
You guys rock. Yeah.
They have helped us put together a pick of the week archive. RORY CELLAN-JONES. Is it a wiki? A wiki picky?
It's not a— Oh, that would've been so good. Where were you when we were building this?
We did it via GitHub in the end, but the link you can find at smashingsecurity.com/pickoftheweek, and we list all of our picks of the week with the links and to each individual episode.
So if you want to find out if Carole was right when she accused me—
We did it via GitHub in the end, but the link you can find at smashingsecurity.com/pickoftheweek, and we list all of our picks of the week with the links and to each individual episode.
So if you want to find out if Carole was right when she accused me—
Yeah, I was just gonna say, you can now prove me right.
Yeah, no, I'm afraid I'm gonna prove you wrong. I have not repeated any of my picks of the week. They have all been unique.
And we will be adding this week's Pick of the Week to smashingsecurity.com/pickoftheweek as well. So that is my Pick of the Week, which is all about Pick of the Week.
And we will be adding this week's Pick of the Week to smashingsecurity.com/pickoftheweek as well. So that is my Pick of the Week, which is all about Pick of the Week.
What an amazing community we've got.
They are fantastic.
Very cool.
Rory, what is your Pick of the Week? RORY CELLAN-JONES. Well, I've done a last-minute swerve. I was going to choose a book. I'm now going to choose a podcast.
Is it a podcast you're on? RORY CELLAN-JONES. It's not actually. Amazingly— do, by the way, get the Tech Tent podcast. It is like this but shorter.
And I'm going to choose Series 2 of 13 Minutes to the Moon. Did either of you hear Series 1 of 13 Minutes to the Moon?
And I'm going to choose Series 2 of 13 Minutes to the Moon. Did either of you hear Series 1 of 13 Minutes to the Moon?
I did, yes. RORY CELLAN-JONES. 13 Minutes to the Moon was an excellent podcast about Apollo 11.
And it was, I think, 30 minutes was the time between the lunar module leaving the command module and it landing on the moon. And I'm so old, I do remember the landing on the moon.
But Series 2 is actually better in my mind. It's about Apollo 13.
And it was, I think, 30 minutes was the time between the lunar module leaving the command module and it landing on the moon. And I'm so old, I do remember the landing on the moon.
But Series 2 is actually better in my mind. It's about Apollo 13.
Oh, wow. RORY CELLAN-JONES. And it is just a brilliant listen.
So Apollo 13, the disastrous mission where they had an explosion halfway to the moon and then had to somehow save the ship and bring it home.
You probably have seen the movie with Thom Hanks.
So Apollo 13, the disastrous mission where they had an explosion halfway to the moon and then had to somehow save the ship and bring it home.
You probably have seen the movie with Thom Hanks.
No, I can't stand Thom Hanks.
I'm not allowed to watch any movies with Thom Hanks in.
Wait, that's one thing Graham and I share, a dislike for Thom Hanks. RORY CELLAN-JONES. Isn't that interesting?
Oh really? Yeah, yeah, and it's directed by Carl Sagan. RORY CELLAN-JONES. I don't know that we could be friends anymore.
Oh, he's just— anyway, but I remember as a child, I'm not quite as old as you to remember the moon landing, but I do remember as a child listening to a radio documentary at school.
They played us a radio documentary or something about the Apollo 30, and I have been gripped ever since. What an incredible story and what a perfect tale to tell in podcast form.
So this will be really good. RORY CELLAN-JONES.
Yeah, and what's more, it's not just an incredible drama with brilliant access presented by a guy called Kevin Fong, who's not only a space nut, who's worked briefly at NASA as a medic— he's a medic who's involved in the fight against COVID-19.
And rather interestingly, at the end he dedicates the whole series to people in the health service who've been fighting COVID-19.
And that is because partly, it reads to me, this podcast, as a kind of manager, almost a management, a crisis management manual.
They should be teaching it at Harvard Business School, because you get to hear about these extraordinary decisions that had to be made. I'm just going to give you one example.
So the flight director is this legendary figure, Gene Kranz, I think. And he, you know, is the coolest dude you can imagine. The thing blows up and they're in total crisis.
They're 2.5 hours into the crisis. He's got to make all these extraordinary decisions which will keep these guys alive.
And he's coming to the end of his shift because they do not work 24 hours a day, obviously, and somebody else is due to take over. So what does he do?
Yeah, he lets the guy take over because he trusts him. And it's a real lesson about trust in a team.
And you can't work if the guy in charge says, listen, I'm in charge solely, the rest of you just do what I say. So there are all sorts of lessons like that throughout the series.
They played us a radio documentary or something about the Apollo 30, and I have been gripped ever since. What an incredible story and what a perfect tale to tell in podcast form.
So this will be really good. RORY CELLAN-JONES.
Yeah, and what's more, it's not just an incredible drama with brilliant access presented by a guy called Kevin Fong, who's not only a space nut, who's worked briefly at NASA as a medic— he's a medic who's involved in the fight against COVID-19.
And rather interestingly, at the end he dedicates the whole series to people in the health service who've been fighting COVID-19.
And that is because partly, it reads to me, this podcast, as a kind of manager, almost a management, a crisis management manual.
They should be teaching it at Harvard Business School, because you get to hear about these extraordinary decisions that had to be made. I'm just going to give you one example.
So the flight director is this legendary figure, Gene Kranz, I think. And he, you know, is the coolest dude you can imagine. The thing blows up and they're in total crisis.
They're 2.5 hours into the crisis. He's got to make all these extraordinary decisions which will keep these guys alive.
And he's coming to the end of his shift because they do not work 24 hours a day, obviously, and somebody else is due to take over. So what does he do?
Yeah, he lets the guy take over because he trusts him. And it's a real lesson about trust in a team.
And you can't work if the guy in charge says, listen, I'm in charge solely, the rest of you just do what I say. So there are all sorts of lessons like that throughout the series.
Yeah. RORY CELLAN-JONES. So there are all sorts of lessons like that throughout, throughout the series.
It could also be that he just didn't want them dying on his watch and said, well, I do know— RORY CELLAN-JONES. That is cruel. That is cruel.
This is a BBC podcast, isn't it? RORY CELLAN-JONES. It does happen to be a BBC podcast, yeah.
There have been some incredible ones which have been coming out the BBC lately, so it's highly recommended. Excellent. Carole, what's your pick of the week?
Well, mine is also a podcast, but for a different type of audience. Mine's an audio drama, and that's not something you like, Graham, but something that I do.
So this one is brand new, or new-ish. It came out in May. That's fairly new. And it concluded in July. So all the episodes are out. And it's called Baraska.
And it was a narrative podcast written by Rebecca Klingel and starring Cole Sprouse. So I'm just going to give you the gist. No spoilers, I promise.
But basically, you've got this guy, Sam Walker, and his sister and his folks moved to this town called Driskin, Missouri. And there he befriends two kids called Kyle and Kimber.
Sam's sister Whitney disappears a few months later. And, you know, he wonders what happens to her, but her dad just asserts that she's left.
But then more girls seem to be disappearing, and the young trio take it upon themselves to find out what's going on in this strange mining town.
And it's very cute, it's very spooky, it's got good dialogue and pace. It's a bit like Stranger Things, a bit, right? If you like that, this will be up your street.
So yes, it's like talking to myself.
So this one is brand new, or new-ish. It came out in May. That's fairly new. And it concluded in July. So all the episodes are out. And it's called Baraska.
And it was a narrative podcast written by Rebecca Klingel and starring Cole Sprouse. So I'm just going to give you the gist. No spoilers, I promise.
But basically, you've got this guy, Sam Walker, and his sister and his folks moved to this town called Driskin, Missouri. And there he befriends two kids called Kyle and Kimber.
Sam's sister Whitney disappears a few months later. And, you know, he wonders what happens to her, but her dad just asserts that she's left.
But then more girls seem to be disappearing, and the young trio take it upon themselves to find out what's going on in this strange mining town.
And it's very cute, it's very spooky, it's got good dialogue and pace. It's a bit like Stranger Things, a bit, right? If you like that, this will be up your street.
So yes, it's like talking to myself.
Well, no, no, I'm— I don't know, I haven't heard it, I can't comment on it.
Isn't that what we do every single show? Didn't you just do that with Rory's podcast? RORY CELLAN-JONES. Well, I like Stranger Things, so I'm going to tune into this.
Excellent. I think you'll like it, Rory.
Well, no, I haven't seen Stranger Things either. Thom Hanks isn't even in that, as far as I know. I mean, it's not— by the way, I do watch the Toy Story movies.
I'm all right with those for Thom Hanks's involvement. They're okay. RORY CELLAN-JONES. Why?
I'm all right with those for Thom Hanks's involvement. They're okay. RORY CELLAN-JONES. Why?
Because you don't have to see his face.
And there was also that one of The Post. Did you see The Post? RORY CELLAN-JONES. Oh, The Post is a great—
It was an excellent movie. And only halfway through did I realize, oh, that's Thom Hanks, and I actually really enjoyed it. So there you are, so I'm not completely anti-Hanks.
Traitor. If you like the sound of Brasca, you can get it wherever you get your podcasts.
Cool. Well, that just about wraps it up for this week. Rory, thank you so much for coming on the show.
I'm sure lots of our listeners would love to follow you online and indeed check out the Tech Tent podcast.
What's the best way for folks to stalk you online and find out what you're up to? RORY CELLAN-JONES. Well, I'm a Twitterholic. I've got a slightly unusual handle, @Ruskin147.
You will find me there a lot. You'll find me on the BBC website, and if you Google Tech Tent, it goes out every Friday, but the podcast is available late afternoon Friday.
I'm sure lots of our listeners would love to follow you online and indeed check out the Tech Tent podcast.
What's the best way for folks to stalk you online and find out what you're up to? RORY CELLAN-JONES. Well, I'm a Twitterholic. I've got a slightly unusual handle, @Ruskin147.
You will find me there a lot. You'll find me on the BBC website, and if you Google Tech Tent, it goes out every Friday, but the podcast is available late afternoon Friday.
Marvellous. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And we also have a Reddit subreddit.
Just look for Smashing Security up there.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
Just look for Smashing Security up there.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
And socially distant hugs to you for listening, supporting the show, and sharing our work with your entourage. Also, high five to this week's Smashing Security sponsor, LastPass.
Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Until next time, cheerio, bye-bye. RORY CELLAN-JONES. Bye.
Marvellous. Thank you so much, Rory. That was wonderful. RORY CELLAN-JONES. Now, is that okay?
That was terrific.
No, we have to go again, right from the beginning. I'm kidding, you were great.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Rory Cellan-Jones – @ruskin147
Show notes:
- Tech Tent podcast — BBC World Service.
- Sir Frederick Barclay releases footage of alleged Ritz bugging — The Guardian.
- Tea at the Ritz soured by credit card scammers — BBC News.
- Tweet from The Ritz London.
- Coronavirus: England's contact-tracing app gets green light for trial — BBC News.
- Coronavirus: England's contact tracing app trial gets under way — BBC News.
- A simple telephony honeypot received 1.5 million robocalls across 11 months — ZDNet.
- Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis — USENIX.
- Pick of the Week archive — Smashing Security.
- 13 Minutes to the Moon — BBC World Service.
- Borrasca — QCODE.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
