Smashing Security podcast #227: Phishing foul-up, Twitter tip jars, and Facebook’s Apple fury

Industry veterans, chatting about computer security and online privacy.


Facebook says it’s sticking up for the little guys as it picks a fight with Apple, there are testing times on the trains, and Twitter takes a tip.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

And he put it back in his bag, and then he carried on with his class.

Graham Cluley

And we all looked at each other, just like slack-jawed, thinking, this is the biggest moron I've ever met in my life. Smashing Security, Episode 227, Phishing Foul-Up, Twitter Tip Jars, and Facebook's Apple Fury, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 227. My name's Graham Cluley. And I'm Carole Theriault. And we're joined this week by a returning guest. It's Ray Redacted. Hello, Ray. Hello there. How are you today?

Carole

Hi, Ray. Bring some sunshine to our lives. I think Graham and I are a little bit, we're a little bit frazzled today. I don't know why. Oh, really? Isn't that way, Graham? Yeah.

Graham

Yeah, I feel that way a little bit.

Carole

Yeah. How about you, Ray? What's going on in your neck of the woods? You just filing your nails?

Ray Redacted

No, absolutely not. We are having a fantastic time. It's all optimism and hope and happiness here in the United States. Everything seems to be dandy. This is the best week of the entire pandemic.

Graham

I heard there's a little trouble on the east coast of the United States. Something to do with oil or something? What's going on?

Ray

Oh, yes. Oh, yes. I think one of the ransomware groups made a little bit of a boo-boo and accidentally picked the wrong target and is now trying to do a PR campaign to clean it up a little bit. And it's also causing ripple effects across the economy, including our petrol prices.

Carole

You guys don't even know what expensive petrol is. Correct. That's correct. Yeah, so everyone's in shock and we're all sitting there going, yeah, welcome to the real world, dudes.

Ray

Yeah, well, we like our cheap gas and we like to use that all the time, but it's surging to $4 and $5 a gallon, which is not a liter, by the way, a gallon.

Carole

Let's make this week's sponsors 1Password, OneLogin, and Skiff. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?

Graham

Oh, I've got a fantastic way of incentivizing your staff and making them really, really happy.

Carole

Okay, I can't wait to hear. And Ray, what about you?

Ray

I've got a story about Paddington Bear and payments.

Carole

And I'm going to welcome us all to the Apple anti-tracking revolution. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, life's been pretty hard, hasn't it, under COVID? People are living under enormous anxiety and strain. Here in the UK, at least, there is some sunlight beginning to dawn. Boris Johnson has told us that from next Monday, we are welcome to have casual sex and one-night stands once again. He did not. He did not. It's not just for him, Carole. He's saying that those rules now apply for everyone. Has he been looking a little bit pent up? Has he been looking a little bit more awkward than normal?

Carole

Do we count that as a jab? I've had 12 jabs since Monday.

Graham

Steady. But yes, no, we're allowed to hang out at other people's houses overnight and hug and all these other things as well. But of course, you know, the serious side of these things, countless people have tragically died. Businesses have been ruined. Jobs lost. Some of us have managed to cling on to our jobs. But some of us may have found ourselves having to take on new responsibilities to cover for workmates who've left the company.

Carole

Sure. Yeah. It's been a shit show. Yeah, it has. I know. I think we all know that. Just so you know, it's been a global pandemic. Yeah. Okay.

Graham

We're all aware. I mean, there are ways of cheering ourselves up. One way I came across the other day was to stop referring to it as lockdown and start referring to it as Locky D.

Carole

Lame.

Graham

What do you mean, lame? Lame. Locky D. Not to be confused with Locky D, of course, a ransomware attack. But yeah, you know, people have been providing services, not just the emergency services, public services, public transport, such as those who work on public transport, like the employees of the West Midlands Trains Organisation here in the UK. Now, there we had a company which wanted to say thank you to its staff. And what's a great way of incentivizing staff when they've been working hard?

Carole

Oh, gifts, gifts, bonuses, gifts.

Graham

Yeah, moolah, swunga. Exactly, moolah, exactly. So you can imagine how they felt when they received an email from their big, big boss.

Carole

Okay, I'm closing my eyes. Can you read it to us? Of course I can. Okay, I'm closing my eyes. I'm listening.

Graham

Eyes closed. I don't know why closed eyes helps with the radio, but anyway. Dear all. Actually, this is the West Midlands, so maybe I should do a Brummie accent. Will that be considered offensive? I'm not sure. For Brummie listeners. Okay, I'll just do it as though I've got a blocked up nose. Dear all, thank you for your hard work. We realize that a huge strain was placed upon a large number of our workforce as a result of COVID-19.

Carole

Yeah, kind, kind. Okay, yeah.

Graham

Notice, yeah, yeah, kind. This has not been easy for any of us. We would like to offer you a one-off payment to say thank you for all your hard work over the past 12 months.

Carole

Oh, what's it going to be? $5 or something?

Graham

Please visit the following link with a personal message from Julian Edwards, as well as information on your one-off paper. Who's Julian Edwards? He's the CEO. He's the boss, right, of West Midlands Trains. Again, many thanks for your hard work. Hope this gift will inspire you to keep up the good work. A lovely, positive message to send out to staff. And, of course, people clicked on the link, didn't they?

Carole

I'm thinking, actually, okay, so in my head, you know, with my security head on, I'm thinking, okay, they didn't put the amount in the email, but maybe they're worried it's going to leak out and it's different for different people. This sounds interesting. Let's go sneak around and see what's going on. I imagine I might do that.

Graham

You would anticipate that maybe it'd be different amounts of different people depending on their length of service or, you know, it could be. So maybe you have to enter your details when you get to this link. So, of course, people clicked on the link. And because this is a cybersecurity-related podcast, you've probably already guessed. Oh, don't give it away. All was not quite as it seemed. What happened? Because what happened next was they then got emails saying, dear redacted. Oh, what did I do? What did I do? Do you work for the West Midlands train system? I'm not sure. Not that I'm aware of,

Ray

But I would have clicked the link just to see if I got more than the next guy.

Graham

So the email said, I'm writing to you to update you on the outcome of the recent phishing simulation test performed by IT. Oh, that's nasty. Basically saying you made a mistake, you were enticed into clicking on a link, it was the promise of thanks and financial reward which convinced you to provide your details.

Carole

You know what my view is on this? You know what I would reply? Fuck you very much. That is what I would reply. You can say that. I am going to say it again. Fuck you very much. That's what I would reply to the boss and I would walk the fuck out of there. I'm a little angry.

Graham

Obviously, they weren't actually giving money to people. People's family have died. And people are skint. And people have been having a really hard time, and they've been working maybe more hours than normal. Stressed out to hell. They had this prize dangled in front of them. Do you know what it reminds me of?

Carole

I know exactly what it reminds you of, Graham.

Graham

We used to work at a company, which we won't name here, but it's not hard to work out. And there had been a number of redundancies in our department, and we were quite upset, and the new boss flew in to try and reassure us. And we were thinking, what have you done? You've got rid of all these people. We're going to have to do their work for them. You're a moron. You got rid of the wrong people.

Carole

We were all a little salty. We were all a bit salty in the meeting room. We were feeling salty,

Graham

And this boss stood at the front with his man bag, and he reached into his man bag, and he said, I want to tell you something. The other day, the CEO, he invited all of our senior managers into a room and he gave us all a prize, he said. He gave us all a brand new iPad. And this was in the days when getting an iPad was a big deal, right? Most people didn't have an iPad.

Carole

Huge. They're brand new.

Graham

And he said, you know what I'm going to do? I'm going to give each and every one of you. And I thought, oh, my goodness. I thought, he's going to turn us around.

Carole

Me too. We were like, fuck off. He's going to win us over.

Graham

He's going to give each and every one of us an iPad, and then we won't care about the people who've left the company. And it was right before Christmas.

Carole

It was right before Christmas.

Graham

Even if you had an iPad, you thought, I can put that on eBay? It sounds awesome. You thought, I don't care about Tony and all the other people that we made redundant. I don't care about them anymore. I'm getting an iPad. So he carried on. I'm going to give each and every one of you a chance to win. And I think, oh, OK. He's only going to offer us one iPad.

Carole

That makes sense. That's the way this works, yeah.

Graham

One iPad between 25 of us. But I still think I've got a chance. I've got a chance for an iPad.

Carole

I love that you were thinking about yourself, probably the highest paid person in the department other than the fucking VP.

Graham

I'm going to give each and every one of you a chance to win this iPad. And then he said, this is no word of a lie, he said, only joking, I'm going to give it to my kids.

Carole

And he put it back in his bag and then he carried on with his presentation.

Graham

And we all looked at each other just slack-jawed, thinking, this is the biggest moron I have ever met in my life. Why has he said this? Why did he dangle this opportunity in front of us and then just rip it away from us? Well, that is what West Midlands Trains have done. They've sent this email saying, we're going to give you something lovely. And then they said, nah, nah, nah, nah, nah. That was actually a phishing test. And I thought, what an amazing, extraordinary way to disincentivize your staff.

Carole

Thank you. So my reaction was perfectly appropriate in your mind.

Graham

I think you were absolutely right.

Carole

Ray, are you on board the Carole train of responses on this one?

Ray

Well, so here's the deal. This concept, this idea about what kind of phishing simulations can you use? This is a very contentious debate on InfoSec Twitter. Going back to the GoDaddy days from last December, people have argued, can you, for example, send an email saying, here's your COVID-19 results, as a phishing exercise? Or in America, can you say that there's been a school shooting at your kid's school? Because people would immediately take those, right?

Carole

No! No! Who's debating this?

Graham

Can I echo what Carole's saying there? That is a definite and absolute no. No, you can never do that.

Ray

But so the same thing, right? What happens is, and by the way, about two thirds of InfoSec Twitter says, no, you cannot do this. There are lines you cannot cross. Lisa Forte says, you know, we are the good guys and all phishing exercises need to be ethical and appropriate, period. There's no, you can't do anything like this. Lesley Carhart had pointed out that everybody thinks when they first get a phishing internal exercise, oh, I can get them, I can get them, I can get them. But that's a problem of the toxic culture of thinking the user is the weakest link. I mean, we're trying to educate people. Now, by the way, I would have fallen for the phish that you just mentioned. I would have totally fallen for it, 100%. But we're trying to educate groups. And also, when something happens, you're going to need these people to be on your side. You're going to need them during an incident response. You don't want them hating you right out of the gate, which is what Lesley pointed out.

Graham

Yeah, absolutely. I completely agree. So I think the correct thing might have been to say you have failed the phishing test or whatever, but you know what? We are actually going to give you a bonus. There should have been something like that.

Carole

Well, maybe they will now. There's a bit of a fuss being made on Smashing Security. Maybe they will do that. They'll give them five quid for sure.

Graham

It's not just the podcast here, Carole, where we're creating a fuss. The Transport Salaried and Staffs Association Union have described this as crass and reprehensible.

Carole

Yeah, I agree with them.

Graham

They pointed out that one worker on the train system up there in West Midlands has actually died from COVID-19. Others have fallen ill with the illness. They think it's cynical and shocking. They're almost threatening to go on strike.

Carole

Okay, pivot, pivot, pivot, pivot, pivot. Whoever in this department, the IT department that okayed this phish simulation. It was an intern. SolarWinds123. No, but that's gross. If it was an intern, shame on them, right? Blame the intern.

Graham

Well, the alternative point of view is, of course, these sort of crass techniques could be easily used by phishing people. I mean, maybe that is a more likely phish to receive than some bland one coming from the right.

Carole

Oh, you know what? Actually, this is a really good point. Maybe we should start simulating people showing up at people's doors with a gun, right? Just so that they know what it feels like. You don't have to simulate that here, by the way. Yeah, yeah, let's just do it. Let's just do it randomly to everybody just so that they can feel what it's like to feel true terror in their bones. Just so that when it really happens, they know what to do. Good idea, I like this.

Ray

So I'm very surprised with a unionized workforce that nobody thought to talk to someone from the union beforehand because you can really run afoul of unions and they can tend to hit back.

Carole

Yeah, well, I imagine they will.

Graham

So, yeah. Well, a spokesperson for the train company, they're basically not apologizing. They're saying this is just the sort of thing a criminal organization would have done. Thankfully, it was an exercise without the consequences of a real attack.

Ray

And we take security very seriously. They do say they take security very seriously.

Graham

Well, I can offer my, it's rather exclusive to be honest, my patented way to never fall for any phishing tests run by your IT team. Are you ready for this? What? Don't read email? Exactly. It's working for me. I've watched you for years for a while using this technique of never opening emails, never responding to anything, never clicking on anything when you're asked to. Unless you call me, I won't do it. You wait for people to come around to your desk and say, for goodness sake, why haven't you applied to any money? And go, oh, really? What have I got to do? It's true. So, Ray, what have you got for us this week?

Ray

Okay, I want to talk to you a little bit about Twitter. So, Twitter has a history of rolling out innovations and enhancements that the users were already using, right? So putting an at reply, the retweet, even the hashtag. These were things that the users were using, and then Twitter embraced them and made them part of the product, right? And took credit. Yeah, for sure, for sure. And along those same lines, Twitter has just rolled out something that they call Twitter Tip Jar, which allows users to tip creators with a variety of payment options. You can do it on Bandcamp, Cash App, Patreon, PayPal, and Venmo, okay? And what Twitter does is it basically facilitates the tip directly to the user, but Twitter's not taking a cut. It's not taking a percentage. It's just basically doing that link.

Carole

So, okay, can I make sure I understand? So, you know, I'm a budding artiste, right? So, let's say I put out an art piece on Twitter with a cash request, saying who wants to buy this tip thing? No, no, no. You just post your artwork or your poem or—

Ray

Your joke. Right. And people just decide they want to tip you a dollar or a quid or maybe two dollars or whatever. It's very small micropayment. Like a hat tip. For sure. And users were already doing this using tip bots and cryptocurrencies and even Dogecoin, by the way. This is the only use for Dogecoin, I think, where you could just send people micropayments. And it would just kind of go over to that. And also, if somebody had a viral tweet that went mega viral, they would often put their Cash App address. Hey, listen, I'm a starving student. Send this to here or whatever, right? Okay. So Twitter rolls this out and they tie it to Bandcamp, Cash App, Patreon, PayPal, and Venmo. Okay. And just to give you an idea, Venmo has about 40 million users. Cash App has about 30 million. Patreon has about 6 million. And PayPal has 360—

Graham

Million. So PayPal is the winner. I haven't heard of some of these. Obviously, I've heard of PayPal and Patreon. Venmo. You haven't heard of Venmo? Venmo I've only recently heard of because I heard congressmen hire hookers or something from them. Yes, correct.

Ray

Correct. That's the famous hooker one. And Bandcamp is to support musicians. Oh, yes. Independent musicians. Very, very popular. The best one, by the way, by far is Patreon. I encourage everybody to go to Patreon. It's a good way to support your favorite podcast. But anyway. Okay, so back to this. So PayPal has 360 million users, okay? Right. And PayPal is the Paddington Bear of payment services. Their heart might be in the right place, but they're constantly getting into trouble. They're always making security faux pas, so to speak, around things like multi-factor authentication, data leakage, API abuse. Leaving the taps on in the bath and it overflowing and going down the stairs, that kind of thing. Yeah, so PayPal is the largest one of all. And people that abuse PayPal know ways to basically harass people, get other people's accounts frozen and everything else. So Twitter announces that you can do this tip jar. And again, they're rolling it out so that the creators have it. Anyone can tip, but only certain people can receive tips, including creators, journalists, experts and nonprofit organizations.

Graham

Oh, so they haven't rolled out the ability to collect tips to every account at the moment is what you're saying. Correct. It's just special. Creative people. Creative people.

Ray

Okay. Within minutes of even hearing about this, Rachel Tobac, who is the CEO of Social Proof, immediately found a flaw in the system, which is you can tip a complete stranger. And if you leave everything in the default settings, which people just click, click, click, click, you get their physical home address. Their home address. You're freaking kidding me. Oh, my God. This is by PayPal. Correct. And the reason that they do that is because by default, PayPal thinks it's a product or a service. Right. You have to have a mailing address or something like that. And then not long after that, a former FTC chief technologist named Ashkan Soltani found that you could also reveal the user's email address, even if no transaction took place whatsoever. Now, there is a way that you can hide this if you go in and change it from goods and services to friends and family. But just everything else, you know, the vast majority of people aren't going to remember to do that. And is it really friends and family if I send Carole $2 for her beautiful artwork that I saw on Twitter? I'm not sure about that. So this blows up, okay? And where else does it blow up but on Twitter? And it sparks this huge debate with people like Brian Krebs and Marcus Hutchins, famous for the WannaCry fix, saying that there's a ton of ways that people can use fraudulent credit cards to harass or shut you down. So this has basically become a PR nightmare for PayPal. But Twitter, on the other hand, takes the high road immediately. And thanks Rachel Tobac. It says this is a good catch. We appreciate it. We can't control the revealing of the addresses on PayPal's side, but we will add a warning for people giving tips on PayPal so that they're always aware of this. So this has been the big controversy of this week.

Carole

The guru again snaps his fingers and it shall be. Interesting.

Ray

A very tenuous connection to Paddington Bear by the way, very, very tenuous connection.

Graham

Yeah, nothing about marmalade sandwiches sadly. So let me understand what's happened right now. So by using this technique people who were receiving tips would receive your address, but now Twitter is going to give you some sort of warning that PayPal will pass on your address unless you mark this as a friends and family transaction. Is that right?

Ray

Well, we don't know what PayPal is going to do yet because typically when they fix issues, they do it silently. In the past, when there was a multi-factor workaround, they just suddenly did it very quietly. But the problem is data leakage. It could be an email address. It could be a physical address. There are things you can do on disputes where by default, if you use a MasterCard on dispute, both parties can see each other's PII, right? So, that's another kind of a hole that's there. So most likely PayPal will take some steps to adjust this because they want to be in the lead on the Twitter tip jar. So we don't know exactly what they will do. In the meantime, just like a packet of cigarettes, there'll be a big warning that says your data is being leaked or be aware of the fact of this, which nobody will probably read and people will—

Graham

Continue to leak their data. So what worries me most about this is not people's addresses being leaked to people who they want to tip. But this other side of it, which you said that Krebs and Hutchins found, which was that you could actually find out someone's email address if you began to send them a tip but didn't go through with it. Is that right? Is that what was happening?

Ray

Correct. And you don't even have to send them anything. In addition to that, if they want to harass you without you knowing that they're doing it, they can take that email address and associate it with criminal activity. And PayPal will often just shut you down and suspend your account. Like if they see your name in the dark web, that will happen just pretty much without any trial or any kind of jury.

Carole

You know, Ray, my takeaway from your story is don't use PayPal.

Ray

Get a Venmo account.

Carole

I hate to break it to you, but PayPal owns Venmo. Oh, my God. Carole, what have you got for us this week? Okay, first a question — do either of you think people today are aware of how insidiously they are tracked via devices, or do you think we're in our little echo chamber and we're talking to each other constantly about it and they don't really hear it at all?

Graham

Oh, no way. Nobody knows. Yeah, most people have heard rumblings about it, but it's kind of... It's gone in one ear and out the other, I think, and people go, la, la, la. They kind of forget about it.

Carole

Let's start off my little section, actually, with an activity. So you guys are both iPhone users?

Ray

I don't give that information out publicly, but...

Carole

If you are, can you check your iPhone? I want you to think of an app in your head, just an app that you use regularly, and I want you to go to the app store and I want you to search for it. Okay, got it. I'm going to do PayPal. Listeners, actually, you should be doing this too if you're sitting there not doing anything dangerous like driving or, you know, I don't know, chopping something.

Graham

Can I just say that being a professional podcaster, my phone is turned off and I now have to wait for about two minutes.

Carole

Oh, well, mine's not. I just put it on silent like a normal person. Okay. Well, Graham, you let us know when you get there. Have you found something?

Ray

Oh, yes. I went to PayPal's because we're beating up on them today. Okay. And there is a list of things that they are collecting and linking to me, and probably about six of these I would not have expected. So purchases, locations, financial info, contact info — that's fine. User content, browsing history, search history, identifiers. Why do they need any of that?

Carole

Yeah. Why do they need to know that you're going to the Candy Crush website all the time? I agree. So on any app page now on the iPhone app store, you can scroll down inside an app description and you will find an app privacy section. And then in there, it's going to be listed what kind of stuff is going on. And this is the result of a promise that Apple made about a year ago, saying that it was going to start taking privacy more seriously. iPhone, iPad, and Apple TV apps are now required to request users' permission to track users' activity for data collection and ad targeting purposes. In other words, they need to tell you and you need to say, yeah, I'm fine with that, in order for apps to be able to collect that data. That's basically the shorthand of it.

Ray

Is it all or nothing? Can I give them a couple things and not the rest of them?

Carole

Well, you can. Of course you can. Of course you can. So they're kind of giving you a bit more power as to what you, the user, as to what you're okay with and what you're not okay with. All right. Oh, brilliant. Brilliant. That's perfect. Now, some companies like Facebook are fuming. Okay. They say it'll radically impact their bottom line. And, you know, they're so awash with cash I very much doubt anyone working there knows what their bottom line actually is. But Facebook went so far as to take out a full-page newspaper ad — maybe you saw this, one of you, Ray, maybe — claiming that the change would not just hurt Facebook, but would destroy small businesses around the world.

Graham

Because that's who they care about. They care about small businesses.

Ray

Small businesses. Small businesses. Yes, that's correct. They said, every mom and pop, every mom and pop dry cleaner will be out of business if we can't slurp your data.

Carole

Exactly. So, it started off with, we're standing up to Apple for small businesses everywhere, right? And it was like, you know, kind of FT-style, pink-coloured background kind of thing to look really serious. No pictures. Nobody's sitting there making friends. None of that stuff they normally use. It was like a serious message. Now, shortly after, the Apple CEO, Tim Cook, attended a data privacy conference and he delivered a speech that harshly criticized Facebook's business model. And, you know, the thing is, the worldwide global mobile advertising industry is worth $189 billion. So it's not chump change. Yeah, it's a lot of wonga, isn't it? Now, all this is revolving around changes that Apple made to its identifier for advertisers, what's called IDFA. That's the shorthand. And until now, apps have been able to rely on Apple's IDFA to track users for targeting and advertising purposes. So if Graham, for example, had done a few searches on cupcakes, you know, flirting around on Facebook and going, cupcakes, cupcakes, looking for cupcakes. And he might start seeing ads for cupcakes when he's on, you know, searching the web or in different apps. This has all happened since iOS 14.5 came out. So that's about a month ago. But there are 14 categories of data that Apple have stipulated that they need to alert to. Kind of complicated for the developers as well. They need to go through everything that they collect and go, is this a purchase or does this fit into contact info? Is this a search history or is this a location issue or is this financial?

Graham

You're saying it's a bit of a nuisance for the app developers to categorize what exactly their apps are collecting. Is that right?

Carole

They're certainly feeling the pain because until now they've had carte blanche. They've had nobody interfering at all. So they paved the road with gold and they were sitting there with their big straws, snarfling all your stuff and no one was the wiser.

Ray

And if you think about it, Facebook was actually asking you if they could use Bluetooth, but they weren't telling you that they were using Bluetooth to see who you were around when you were using your credit card, which is not anonymized data. They can actually extrapolate that. And so now they knew where you were, whether you checked in, if there were other Facebook users nearby. I mean, it is a very slippery slope, right? And I don't even want to bring up the other stuff like Cambridge Analytica and all that, but 13 out of 14. You said there's 14.

Graham

Ray, it's not about that. It's not about that. It's about the ma and pa laundrettes. It's dry cleaners. Yeah, it's about the dry cleaners.

Ray

So, Carole, my PayPal one, they want 13 of the 14 categories. You see? The only one they don't want... Or the one that they say data is not linked to you, they still probably want it. Data is not linked to you is diagnostics, which is the only one I would really want to give them. Yeah, your phone diagnosis. We don't give a shit.

Graham

Let it crash. We don't care about improving our app, making it less buggy.

Ray

So they have my contacts. They have my user content. They have my search history. I mean, I don't even want my wife to have my search history. Yeah, by the end of this section, you may want to take it off your phone.

Graham

So basically he sounds a fun guy to have at a party.

Carole

I agree, I would love to have him at a party. I'd be, I'll sit next to him, I'll be like, tell me everything. I love privacy stuff. Do you read T's and C's too? Oh my god. Okay, so main findings, okay? Weather apps share tons of data about you. For sure. I don't think most people would assume that. They would just think it's going to have my location because it needs to know my location.

Graham

Yeah, location. What other information do they collect about you?

Carole

Why don't you just go on your phone, Graham?

Graham

Oh, for God's sake, Carole, I turned it off again. I thought you were done with that. For God's sake, what is wrong with you? Well, I didn't know you were going to ask me again. Ray, can you look in your weather app?

Ray

Yes, I actually did know that about weather apps and fart apps, the apps that just generate fart noises. They also ask for a lot of data from you because they're free. F-A-R-T? Yeah, they're free. Oh, yes. When the App Store first opened, they were all the rage. You could make fart noises on your phone.

Graham

Oh, you should have a whole folder of them. You need a whole folder. But they were free. They were free and they didn't have ads. And there's an old expression on the internet that if you're not paying for the product, you are the product, right?

Carole

Other ones that they said were shopping, exercising, moving news, and dating apps are also big into tracking. So what you can do, listeners, go check if you have those apps on your phone and see what they're taking from you. Other findings were that of the 250 of the apps that they looked at, 60% had a data used to track you label. Basically having to have a label by Apple because they fit into one of those 14 data tracking categories that they've set out. Of those that were tracking you, most of them were for advertising, 70%. Is that surprising? Not at all to me. No. But 20% use contact info. And that really bugs me because if you think of the information, all the addresses you have in your phone, business, friends, family, and that someone can just go in there and snarfle it up and know exactly who your contacts are is outrageous to me. Well, the contact thing is particularly bad because the people that are in your contacts never gave their consent. Right. Now, remember Facebook was making, throwing its toys out of the pram and putting out the ads and making big dramas about this whole new 14.5 app tracking?

Graham

If you mean they were sticking up for the little guy, Carole, yes, I do remember that. Yes. They protest too much.

Carole

So do you guys want to guess how many people chose to opt out of tracking since the arrival and the adoption of 14.5, which was about a month ago?

Ray

Oh, it's got to be at least half. It's got to be half. Half. I have worldwide data. This is from Flurry. This is owned by Verizon. Okay, so Flurry Analytics.

Graham

Oh, I'm going to say a bit higher. A bit higher. Three quarters.

Carole

Than half?

Graham

Yes. Yes.

Carole

Okay, all right. 87 out of 100 opted out worldwide. And 96 out of 100 in the US. So only four people out of every 100 people said, I don't mind being tracked or have not said, yeah, yeah, I don't care, I don't want to know, just go, let's go.

Graham

Will no one care for the dry cleaners? Is it just Mark Zuckerberg who's standing up for them?

Carole

Now, let's say you guys don't want to be tracked, okay? You guys want to be tracked. This is how you disable tracking on your iPhone or iPad. Tell me, tell me, how do I do it? Now, you can do a universal no tracking. For example, if you had a kid's phone or my phone, you might go, I don't want anyone to track me. I don't even want to know about it. So you can go to settings and you then scroll all the way down that ginormous list to privacy, which is in the section that starts with general and ends with privacy. And then scroll in there to the second one and it says tracking, yellow icon. And then you can turn off allow apps to request to track. And what that means is it tells all apps, these people do not want to be tracked anywhere, anyhow, so don't even bother asking them. Don't even ask them. They don't want to know. It's not going to happen. This is my kind of thing. We talked about it. I don't read email. This is my kind of thing. Right. I am curious about Facebook because I actually thought Facebook was making way too big of a deal about this and they should have just let it blow over.

Carole

Yeah, it's about secretly snarfling incredible amounts of private user data is their business model. And boo fucking hoo that it's getting hit in the chops because they were taking advantage of an unwitting audience. I'm really pissed today. Yeah, so the classic story on the iPhone was the apps that asked to access your pictures. You would think, oh yeah, I've got to give it access to my pictures because I might want to share a picture.

Graham

It would be good if you could say something just the ones which don't have people's faces in, or just selfies, or maybe no other parts of your body.

Ray

None of the nudes. None of the nudes. Exactly. Pixelate my pickle. According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.

Graham

Introduce your family to better online security and safer browsing habits with 1Password. 1Password doesn't just make it easy and safe to share passwords with your loved ones. You can also save logins, documents, credit cards and more. Sharing is made simple. Keep personal logins private and easily share access to what they need. And you can recover 1Password access for family members so they never get locked out. Find out more and try 1Password for free for 14 days at 1Password.com. And welcome back. And you join us in our favourite part of the show. The part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week. Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related, necessarily. Better not be. Well, my Pick Of The Week this week is not security-related. I love podcasts. Really?

Carole

And he blows your mind every week, this man, I swear.

Graham

I listen to podcasts on different topics. And I was having a little look in my favourite podcast app, which is Overcast. And I noticed that I am subscribed to just under 30 different podcasts about the Beatles.

Carole

What? That's impressive. How do you do that?

Graham

Now, if that seems crazy, I'm subscribed to 36 different Doctor Who podcasts.

Carole

That's too many. But you probably listen to three of them, right?

Graham

Well, there are some which I would, some I listen to religiously. It's, oh, I've got to listen to that. Others I just have around. Some aren't active anymore. But, you know, there's quite a lot of them. I do love The Beatles, right? I'm obsessed with The Beatles. And there are two podcasts. I'm actually a bit confused because I think it started as one podcast and seems to have split up into two different podcasts. It has an overlap in the host. So I'm going to recommend both of them. There's a podcast called One Sweet Dream and another podcast called Another Kind of Mind. And they're very similar. I'm not really totally clear about the relationship. Hosted by Diana Erickson and Phoebe Lord. And they talk about Lennon and McCartney in particular. And what makes these podcasts so interesting to me is that they're approaching the whole relationship between these two leading, obviously the two main songwriters in the Beatles with a very different way from the way in which I've read many books in the past and many of the other podcasts I listen to as well. And the way they describe it is they say, look, we're approaching this from the viewpoint of some emotional intelligence. They're looking at what people say and what they do, but trying to understand how people may have responded to different things which were said. Thought-provoking and different podcasts. Well, I say a couple of podcasts. And I've found it very interesting. I don't agree with everything, but I don't know whether that's...

Carole

Can you tell us something you learned? Just give us something you learned.

Graham

Well, I can. I just don't know. It just may be a bit boring and go a bit too...

Carole

There we go. I think we have our answer on this. No, but you might need to go a little bit too deeply into the dynamic of the relationship to truly understand it. But fundamentally, what Lennon really needed was a big hug. These two podcasts do take a very different view on the Beatles from others I've listened to.

Ray

Well, you know, Graham and Carole, economists are always trying to figure out if there are unique indicators of an economy recovering, right? They look at things like diaper rash, because apparently diaper rash goes down when people are more confident in the economy because they change their kids' diapers more often rather than trying to stretch them. What we're really interested in for this particular topic is the UK and specifically London. How is it doing reopening? Now, before I tell you about this index, I have to ask you this question as an American because as Americans, when we go to London, we often go to this place, but none of us know how to say it correctly. Is it pronounced Pret-a-Manger? Yes. Yes, it is. How do you say that? How do you pronounce that? It's Manger. Manger. Pret-a-Manger. I it.

Carole

Do you want to know what it means? Because it means something.

Ray

Sure.

Carole

Prêt à manger is to eat, so it's ready to eat.

Ray

Ready to eat, yeah. So Bloomberg has compiled an index that looks at ready to eat or Pret-à-Manger and basically compares sandwich, croissant and coffee sales prior to COVID beginning.

Carole

The sandwiches are going to be four days old.

Ray

They don't actually say what they're ordering or whatever, but the London suburbs is almost 86% now. So that means that a lot of people are venturing out, and a lot of those people are venturing out and getting coffee and croissants. So that is the Pret-à-Manger, or if you're American, Pret-à-Manger Index. And by watching it over time, you can see London getting back to normalcy. And you said that Yorkshire was top of the list. Is that right? I said Yorkshire. Didn't I say Yorkshire? Yes. Of course you did. Of course you did. I get to pronounce things as much as I want. You can do whatever you want, Ray. You're gorgeous. Yeah, you're fine. Okay. I'll talk about Edinburgh. Carole, what's your pick of the week? Okay, I'm going to give you a little culture. Let me put on my Oculus. Hold on a second.

Carole

As gently as your hands on my body.

Graham

Here I'm immersed so I can move around inside. I am properly immersed in the woodcut. I've got wood. Oh, God. Philistine. No, it is lovely. It looks lovely.

Carole

So you can see it on YouTube first if you want to take a look at it. But the app is called Unframed VR. And this is a way that you can experience artworks in a brand new way. And it's quite exciting. So you go. That's my pick of the week. Awesome. Fantastic.

Ray

Well, they can find me on Twitter by going to rayredacted.com. I've just recently joined Darknet Diaries as well.

Graham

Oh, cool. And you can follow us on Twitter at Smash Security, no G, Twitter allows to have a G, and also on the Smash Security subreddit. And don't forget, if you want to ensure that you never miss another episode, follow Smash Security in your favourite podcast apps, such as Overcast, Spotify, and Google Podcasts. Thanks to this episode's sponsors, 1Password, Skiff, and OneLogin, and to our wonderful Patreon community. It's thanks to them all that this show is free.

Graham

Until next time, cheerio. Bye-bye.

Carole

Bye-bye. Bye-bye. Hey, Carole here. So just to highlight a few new reviews that came in. Huge thank you to Pada Fufu, who wrote "interesting topics, brilliant guests, witty humor, a must listen since the beginnings in 2016. Greetings from Germany." Well, greetings from the UK and thank you. And also from Mr Ergo "changing the world for the better with a laugh. It mostly only takes a few seconds until my first laugh. I'm fairly new to the podcast and I'm already addicted to the show. They've managed to give you the latest updates but keep it light and understandable for non-security professionals and they are just hilarious with each other." Thank you guys for these and all the other reviews we got and please keep them coming. They just make the show so much more fun to do plus I get to do this little segment which I kind of like. See you guys next week.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Ray [REDACTED] – @RayRedacted

Show notes:

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14-day free trial now at 1password.com

Sponsor: Skiff

We store more personal information on our devices than we do in our homes. Where do you go online when you want to write or share something privately?

Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators – no one else, not even Skiff – can see what you’ve created.

Skiff is offering listeners of Smashing Security early access. Sign up now: skiff.org/smashing

Sponsor: OneLogin

According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.

As a result, CISOs and IT executives have been under ever-increasing pressure – leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.

OneLogin’s message? You’re not alone. Attend their live event on Weds May 26, “Keeping the Mind Clear and the Company Secure” at smashingsecurity.com/oneloginiamokay

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
