Facebook says it’s sticking up for the little guys as it picks a fight with Apple, there are testing times on the trains, and Twitter takes a tip.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And he put it back in his bag and then he carried on with his class.
And we all looked at each other, just like slack-jawed, thinking, "This is the biggest moron I've ever met in my life." Smashing Security, Episode 227: Phishing Foul Up, Twitter Tip Jar, and Facebook's Apple Fury, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 227. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 227. My name's Graham Cluley.
And I'm Carole Theriault.
And we're joined this week by a returning guest. It's Ray [REDACTED]. Hello, Ray. RAY [REDACTED]. Hello there. How are you today?
Hi, Ray. Bring some sunshine to our lives. I think Graham and I are a little bit, we're a little bit frazzled today. RAY [REDACTED]. I don't know why. Oh, really?
Aren't we, Graham? Yeah.
Yeah, I feel that way a little bit.
Yeah. How about you, Ray? What's going on in your neck of the woods? You just filing your nails? RAY [REDACTED]. No, not absolutely not. We are having a fantastic time.
It's all optimism and hope and happiness here. And in the United States, everything seems to be dandy. This is the best week of the entire pandemic.
It's all optimism and hope and happiness here. And in the United States, everything seems to be dandy. This is the best week of the entire pandemic.
I heard there's a little trouble on the East Coast of the United States, something to do with oil or something. What's going on? RAY [REDACTED]. Oh, yes. Oh, yes.
I think one of the ransomware groups made a little bit of a boo-boo and accidentally picked the wrong target and is now trying to do a PR campaign to clean it up a little bit.
And it's also causing ripple effects across the economy, including our petrol prices.
I think one of the ransomware groups made a little bit of a boo-boo and accidentally picked the wrong target and is now trying to do a PR campaign to clean it up a little bit.
And it's also causing ripple effects across the economy, including our petrol prices.
You guys don't even know what expensive petrol is. RAY [REDACTED]. That's correct.
Yeah, so everyone's in shock and we're all sitting there going, yeah, welcome to the real world, dudes. RAY [REDACTED].
Yeah, well, we like our cheap gas and we like to use that all the time, but it's surging to $4 and $5 a gallon, which is not a liter, by the way, a gallon.
Yeah, well, we like our cheap gas and we like to use that all the time, but it's surging to $4 and $5 a gallon, which is not a liter, by the way, a gallon.
Let's thank this week's sponsors: 1Password, 1Login, and Skiff. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
Oh, I've got a fantastic way of incentivizing your staff and making them really, really happy.
Okay, I can't wait to hear. And Ray, what about you? RAY [REDACTED]. I've got a story about Paddington Bear and payments.
And I'm gonna welcome us all to the Apple anti-tracking revolution. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, life's been pretty hard. Hasn't it, under COVID? People are living under enormous anxiety and strain.
Here in the UK at least, there is some sunlight beginning to dawn.
Boris Johnson has told us that from next Monday, we are welcome to have casual sex and one-night stands once again.
Here in the UK at least, there is some sunlight beginning to dawn.
Boris Johnson has told us that from next Monday, we are welcome to have casual sex and one-night stands once again.
He did not. He did not.
It's not just for him, Carole. He's saying that those rules now apply for everybody.
Has he been looking a little bit pent up? Has he been looking a little bit, you know, a little bit more awkward than normal? RAY [REDACTED]. Do we count that as a jab?
I've had 12 jabs since Monday.
Steady. But yes, no, we're allowed to hang out at other people's houses overnight and hug and all these other things as well.
But of course, you know, the serious side to these things: countless people have tragically died, businesses have been ruined, jobs lost.
Some of us have managed to cling on to our jobs, but some of us may have found ourselves having to take on new responsibilities to cover for workmates who've left the company.
But of course, you know, the serious side to these things: countless people have tragically died, businesses have been ruined, jobs lost.
Some of us have managed to cling on to our jobs, but some of us may have found ourselves having to take on new responsibilities to cover for workmates who've left the company.
Sure, yeah, it's been a shit show.
Yeah, it has.
I know, I think we all know that, though. Just so you know, it's been a global pandemic.
Yeah, okay, we're all aware. I mean, there are ways of cheering ourselves up.
One way I came across the other day was to stop referring to it as lockdown and start referring to it as Locky D. Lame. What do you mean lame? Lame. Locky D.
Not to be confused with Locky D, of course, a ransomware attack.
But yeah, you know, people have been providing services, not just the emergency services, public services, public transport, such as those who work on public transport, like the employees of the West Midlands Trains organisation here in the UK.
Now, there we had a company which wanted to say thank you to its staff. And what's a great way of incentivising staff when they've been working hard? RAY [REDACTED]. Oh, gifts!
One way I came across the other day was to stop referring to it as lockdown and start referring to it as Locky D. Lame. What do you mean lame? Lame. Locky D.
Not to be confused with Locky D, of course, a ransomware attack.
But yeah, you know, people have been providing services, not just the emergency services, public services, public transport, such as those who work on public transport, like the employees of the West Midlands Trains organisation here in the UK.
Now, there we had a company which wanted to say thank you to its staff. And what's a great way of incentivising staff when they've been working hard? RAY [REDACTED]. Oh, gifts!
Gifts! Bonuses! RAY [REDACTED]. Moolah!
Wonga! Exactly! Moolah! Exactly! So, you can imagine how they felt when they received an email from their big, big boss.
Okay, I'm closing my eyes. Can you read it to us, right?
Of course I can.
Okay, I'm closing my eyes. I'm listening. RAY [REDACTED]. Eyes closed.
I don't know why closed eyes helps with the radio, but anyway. RAY [REDACTED]. Dear all.
Actually, this is the West Midlands, so maybe I should do a Brummie accent. Or will that be considered offensive? I'm not sure. For our Brummie listeners.
Okay, I'll just do it as though I've got a blocked up nose. Dear all, thank you for your hard work.
We realise that a huge strain was placed upon a large number of our workforce as a result of COVID-19.
Okay, I'll just do it as though I've got a blocked up nose. Dear all, thank you for your hard work.
We realise that a huge strain was placed upon a large number of our workforce as a result of COVID-19.
Yeah, kind, kind.
Okay, they notice. Yeah, yeah, kind. This has not been easy for any of us.
We would like to offer you a one-off payment to say thank you for all your hard work over the past 12 months.
We would like to offer you a one-off payment to say thank you for all your hard work over the past 12 months.
Oh, what's it going to be, £5 or something?
'Please visit the following link with a personal message from Julian Edwards, as well as information on your one-off payment.' Who's Julian Edwards? He's the CEO.
He's the boss, right, of West Midlands Trains.
He's the boss, right, of West Midlands Trains.
Okay.
'Again, many thanks for your hard work. Hope this gift will inspire you to keep up the good work.' A lovely, positive message to send out to staff.
Yeah.
And of course, people clicked on the link, didn't they?
Oh, I'm thinking actually, okay, so in my head, you know, with my security hat on, I'm thinking, okay, odd they didn't put the amount in the email.
But maybe they're worried it's gonna leak out and it's different for different people. This sounds interesting. Let's go sneak around and see what's going on.
I imagine I might do that. RAY [REDACTED]. Sure.
But maybe they're worried it's gonna leak out and it's different for different people. This sounds interesting. Let's go sneak around and see what's going on.
I imagine I might do that. RAY [REDACTED]. Sure.
Yeah, you would anticipate that maybe it'd be different amounts for different people depending on their length of service, or, you know, it could be.
So maybe you have to enter your details when you get to this link.
So of course, people clicked on the link, and because this is a cybersecurity-related podcast, you've probably already guessed.
So maybe you have to enter your details when you get to this link.
So of course, people clicked on the link, and because this is a cybersecurity-related podcast, you've probably already guessed.
Oh, don't give it away.
All was not quite as it seemed.
Oh no, what happened?
Because what happened next was they then got emails saying, "Dear [REDACTED]." Oh, what did I do? What did I do? Do you work for the West Midlands train system? I'm not sure.
RAY [REDACTED]. Not that I'm aware of, but I would have clicked the link just to see if I got more than the next guy.
RAY [REDACTED]. Not that I'm aware of, but I would have clicked the link just to see if I got more than the next guy.
Yeah, right.
So the email said, "I'm writing to you to update you on the outcome of the recent phishing simulation test performed by IT." Oh, damn.
That's nasty.
Basically saying, "You made a mistake. You were enticed into clicking on a link.
It was the promise of thanks and financial reward which convinced you to provide your details." Do you know what my view is on this?
It was the promise of thanks and financial reward which convinced you to provide your details." Do you know what my view is on this?
You know what I would reply?
What?
"Fuck you very much." That is what I would reply. RAY [REDACTED]. You can't say that. You can't say that.
Yes, I can. I can. I am gonna say it again. "Fuck you very much." That's what I would reply to the boss, and I would walk the fuck outta there. After— oh, okay. I'm a little angry.
So obviously, they weren't actually giving money to people.
People's family have died!
And people are skint.
Yes.
And people have been having a really hard time, and they've been working maybe more hours than normal. RAY [REDACTED]. Sure.
Stressed out to hell.
They had this prize dangled in front of them. Do you know what it reminds me of?
I know exactly what it reminds you of, Graham.
We used to work at a company, which we won't name here, but it's not hard to work out. And there had been a number of redundancies in our department, and we were quite upset.
And then the new boss flew in to try and reassure us, and we were thinking, what have you done? You've got rid of all these people. We're going to have to do their work for them.
You're a [MASKED]. You got rid of the wrong people.
And then the new boss flew in to try and reassure us, and we were thinking, what have you done? You've got rid of all these people. We're going to have to do their work for them.
You're a [MASKED]. You got rid of the wrong people.
We were all a little salty.
We were all a bit salty in the meeting room.
We were very salty.
And this boss stood at the front with his man bag. And he reached into his man bag and he said, I want to tell you something. He said, I want to tell you something.
The other day, the CEO, he invited all of our senior managers into a room and he gave us all a prize. He said, he gave us all a brand new iPad.
And this was in the days when getting an iPad was a big deal, right? Most people didn't have an iPad.
The other day, the CEO, he invited all of our senior managers into a room and he gave us all a prize. He said, he gave us all a brand new iPad.
And this was in the days when getting an iPad was a big deal, right? Most people didn't have an iPad.
Huge, huge. They were brand new.
And he said, you know what I'm going to do? I'm gonna give each and every one of you— and I thought, oh my goodness, I thought he's gonna turn me too.
We were like, [MASKED] off, it's gonna be over.
He's gonna give each and every one of us an iPad, and then we won't care about the people who've left.
And it was right before Christmas. It was right before Christmas.
Yeah, but if you had an iPad, you thought, I can put that on eBay, this sounds awesome.
You thought, I don't care about Tony and all the other people in the major— I don't care about them anymore, I'm getting iPad. So he carried on.
"I'm gonna give each and every one of you a chance to win." And I think, "Oh, okay." He's only gonna offer us one iPad.
You thought, I don't care about Tony and all the other people in the major— I don't care about them anymore, I'm getting iPad. So he carried on.
"I'm gonna give each and every one of you a chance to win." And I think, "Oh, okay." He's only gonna offer us one iPad.
That makes sense. That's the way this works, yeah.
One iPad between 25 of us. But I still think I've got a chance. I've got a chance for an iPad.
I love that you were thinking about yourself, probably the highest-paid person in the department, other than the fucking VP. So, you know, yeah, let's go.
"I'm gonna give each and every one of you a chance to win this iPad." And then he said, this is no word of a lie, he said, only joking, I'm gonna give it to my kids.
And he put it back in his bag and then he carried on with his class.
And we all looked at each other just like slack-jawed thinking, this is the biggest moron I have ever met in my life. Why has he said this?
Why did he dangle this opportunity in front of us and then just rip it away from us. Well, that is what West Midlands Trains have done.
They've sent this email saying, we're going to give you something lovely, and then they said, nah, nah, nah, nah, nah, that was actually a phishing test.
And I thought, what an amazing, extraordinary way to disincentivize your staff.
Why did he dangle this opportunity in front of us and then just rip it away from us. Well, that is what West Midlands Trains have done.
They've sent this email saying, we're going to give you something lovely, and then they said, nah, nah, nah, nah, nah, that was actually a phishing test.
And I thought, what an amazing, extraordinary way to disincentivize your staff.
Thank you. So my reaction was perfectly appropriate in your mind?
I think you were absolutely right.
Ray, are you on board on the crawl train of responses on this one, or? RAY [REDACTED]. Well, so, I mean, here's the deal.
This concept, this idea about what kind of phishing simulations can you use, this is a very, very contentious debate on InfoSec Twitter.
This is all going back to the GoDaddy days from last December.
People have argued, is it— can you, for example, send an email saying, here's your COVID-19 results, okay, as a phishing exercise?
Or in America, can you say that there's been a school shooting at your kid's school, right? Because people would immediately click those, right?
This concept, this idea about what kind of phishing simulations can you use, this is a very, very contentious debate on InfoSec Twitter.
This is all going back to the GoDaddy days from last December.
People have argued, is it— can you, for example, send an email saying, here's your COVID-19 results, okay, as a phishing exercise?
Or in America, can you say that there's been a school shooting at your kid's school, right? Because people would immediately click those, right?
What?
What? No!
Who's debating this?
Can I echo what Carole's saying there? That is a definite and absolute no. No, you can never do that. RAY [REDACTED]. But so the same thing, right?
What happens is, and by the way, about two-thirds of InfoSec Twitter says no, you cannot do this. There are lines you cannot cross, right?
Lisa Forte says, you know, we are the good guys and all phishing exercises need to be ethical and appropriate, period. There's no, you can't do anything this.
You can't take away people's iPads. You can't talk to them with an iPad, right? Leslie Carhart had pointed out that everybody thinks when they first get a phishing internal exercise.
Oh, I can get them, I can get them, I can get them. But that's a problem of the toxic culture of thinking the user is the weakest link. I mean, we're trying to educate people.
Now, by the way, I would have fallen for the phish that you just mentioned. I would have totally fallen for it, 100%. But we're trying to educate groups.
And also, when something happens, you're gonna need these people to be on your side. You're gonna need them during an incident response.
You don't want them hating you right out of the gate, which is what Leslie pointed out.
What happens is, and by the way, about two-thirds of InfoSec Twitter says no, you cannot do this. There are lines you cannot cross, right?
Lisa Forte says, you know, we are the good guys and all phishing exercises need to be ethical and appropriate, period. There's no, you can't do anything this.
You can't take away people's iPads. You can't talk to them with an iPad, right? Leslie Carhart had pointed out that everybody thinks when they first get a phishing internal exercise.
Oh, I can get them, I can get them, I can get them. But that's a problem of the toxic culture of thinking the user is the weakest link. I mean, we're trying to educate people.
Now, by the way, I would have fallen for the phish that you just mentioned. I would have totally fallen for it, 100%. But we're trying to educate groups.
And also, when something happens, you're gonna need these people to be on your side. You're gonna need them during an incident response.
You don't want them hating you right out of the gate, which is what Leslie pointed out.
Yeah.
Absolutely. I completely agree. So I think the correct thing might have been to say, you have failed the phishing test or whatever, but you know what?
We are actually going to give you a bonus. There should have been something that.
We are actually going to give you a bonus. There should have been something that.
Well, maybe they will now. There's a bit of a fuss being made on Smashing Security. RAY [REDACTED]. Oh, they'll give them 5 quid. They'll give them 5 quid for sure.
Oh yeah, that's the worst.
It's not just the podcast here, Carole, where we're creating a fuss. The Transport, Salaried and Staffs Association Union have described this as crass and reprehensible.
Yeah, I agree with them.
They've pointed out that one worker on the train system up there in the West Midlands has actually died from COVID-19. Others have fallen ill with the illness.
They think it's cynical and shocking. They're almost threatening to go on strike.
They think it's cynical and shocking. They're almost threatening to go on strike.
Okay, pivot, pivot, pivot, pivot, pivot. Whoever in this department, the IT department, that okayed this phish simulation. RAY [REDACTED]. It was an intern.
SolarWinds 123.
No, but that's gross. If it was an intern, shame on them, right? If it was an intern, shame on them. RAY [REDACTED]. Blame the intern.
Well, the alternative point of view is, of course, these sort of crass techniques could be easily used by phishing people.
I mean, maybe that is a more likely phish to receive than some bland one coming from—
I mean, maybe that is a more likely phish to receive than some bland one coming from—
Oh, you know what? Actually, this is a really good point. Maybe we should start simulating people showing up at people's doors with a gun.
Right, just so that they know what it feels like. Yeah, yeah, let's just do it.
Let's just do it randomly to everybody just so that they can feel what it's like to feel true terror in their bones, just so that when it really happens they know what to do.
Good idea. I like— RAY [REDACTED]. So I'm very surprised.
I'm very surprised with a unionized workforce that nobody thought to talk to someone from the union beforehand, because you can really run afoul of unions and they can tend to hit back.
Right, just so that they know what it feels like. Yeah, yeah, let's just do it.
Let's just do it randomly to everybody just so that they can feel what it's like to feel true terror in their bones, just so that when it really happens they know what to do.
Good idea. I like— RAY [REDACTED]. So I'm very surprised.
I'm very surprised with a unionized workforce that nobody thought to talk to someone from the union beforehand, because you can really run afoul of unions and they can tend to hit back.
Yeah, well, I imagine they will. So, yeah.
Well, a spokesperson for the train company, they're basically not apologizing. They're saying this is just the sort of thing a criminal organization would have done.
Thankfully, it was an exercise without the consequences of a real attack. RAY [REDACTED]. And we take security very seriously.
Thankfully, it was an exercise without the consequences of a real attack. RAY [REDACTED]. And we take security very seriously.
They do. They do say they take security very seriously as well.
Well, I can offer my, it's rather exclusive, to be honest, my patented way to never fall for any phishing tests run by your IT team. Are you ready for this?
Well, I can offer my, it's rather exclusive, to be honest, my patented way to never fall for any phishing tests run by your IT team. Are you ready for this?
What? Don't read email?
Exactly. RAY [REDACTED]. Work for me.
I've watched you for years, Carole Theriault, using this technique of never opening emails, never responding to anything, never clicking on anything when you're asked to.
Unless you call me, I won't do it.
You wait for people to come around to your desk and say, for goodness' sake, why haven't you replied to an email? And go, oh really? What have I got to— It's true.
So Ray, Ray, what have you got for us this week? RAY [REDACTED]. Okay, I want to talk to you a little bit about Twitter.
So Twitter has a history of rolling out innovations and enhancements that the users were already using, right?
So putting an @reply, the retweet, even the hashtag, these were things that the users were using and then Twitter kind of embraced them and made them part of the product, right?
So Ray, Ray, what have you got for us this week? RAY [REDACTED]. Okay, I want to talk to you a little bit about Twitter.
So Twitter has a history of rolling out innovations and enhancements that the users were already using, right?
So putting an @reply, the retweet, even the hashtag, these were things that the users were using and then Twitter kind of embraced them and made them part of the product, right?
And took credit. Yeah. RAY [REDACTED]. Yeah, for sure, for sure.
And along those same lines, Twitter has just rolled out something that they call Twitter Tip Jar, which allows users to tip creators with a variety of payment options.
You can do it over Bandcamp, Cash App, Patreon, PayPal, and Venmo.
Okay, and what Twitter does is it basically facilitates the tip directly to the user, but Twitter's not taking a cut.
It's not taking a percentage, it's just basically doing that link.
And along those same lines, Twitter has just rolled out something that they call Twitter Tip Jar, which allows users to tip creators with a variety of payment options.
You can do it over Bandcamp, Cash App, Patreon, PayPal, and Venmo.
Okay, and what Twitter does is it basically facilitates the tip directly to the user, but Twitter's not taking a cut.
It's not taking a percentage, it's just basically doing that link.
So, okay, can I make sure I understand? So I'm a budding artist, right?
So let's say I put out an art piece on Twitter with what, with a cash request, saying, who wants to buy this thing? RAY [REDACTED].
You just post your artwork or your poem or your joke, right? And people just decide they want to tip you a dollar or a quid or maybe $2 or whatever.
It's very small micropayment, like a hat tip, for sure. And users were already doing this using tip bots and cryptocurrencies and even Dogecoin, by the way.
This is the only use for Dogecoin, I think, where you could just send people micropayments and just, it would just kind of go over to that.
And also if somebody had a viral tweet that went mega viral, they would often put their Cash App address. Hey, listen, I'm a starving student, send this to here, or whatever, right?
Okay, so Twitter rolls this out and they tie it to Bandcamp, Cash App, Patreon, PayPal, and Venmo.
Okay, and just to give you an idea, Venmo has about 40 million users, Cash App has about 30 million, Patreon has about 6 million, and PayPal has 360 million. So PayPal's the winner.
So let's say I put out an art piece on Twitter with what, with a cash request, saying, who wants to buy this thing? RAY [REDACTED].
You just post your artwork or your poem or your joke, right? And people just decide they want to tip you a dollar or a quid or maybe $2 or whatever.
It's very small micropayment, like a hat tip, for sure. And users were already doing this using tip bots and cryptocurrencies and even Dogecoin, by the way.
This is the only use for Dogecoin, I think, where you could just send people micropayments and just, it would just kind of go over to that.
And also if somebody had a viral tweet that went mega viral, they would often put their Cash App address. Hey, listen, I'm a starving student, send this to here, or whatever, right?
Okay, so Twitter rolls this out and they tie it to Bandcamp, Cash App, Patreon, PayPal, and Venmo.
Okay, and just to give you an idea, Venmo has about 40 million users, Cash App has about 30 million, Patreon has about 6 million, and PayPal has 360 million. So PayPal's the winner.
I haven't heard of some of these. Obviously I've heard of PayPal and Patreon. Venmo, I've heard of Venmo.
Venmo I've only recently heard of because I heard congressmen hire hookers or something from them. RAY [REDACTED]. Correct, correct. That's the famous hooker one.
And Bandcamp is to support musicians. Oh yes, like independent musicians and very, very popular. The best one, by the way, by far is Patreon. I encourage everybody to go to Patreon.
It's a good way to support your favorite podcast. But anyway, okay, so back to this. So PayPal has 360 million users, okay?
Venmo I've only recently heard of because I heard congressmen hire hookers or something from them. RAY [REDACTED]. Correct, correct. That's the famous hooker one.
And Bandcamp is to support musicians. Oh yes, like independent musicians and very, very popular. The best one, by the way, by far is Patreon. I encourage everybody to go to Patreon.
It's a good way to support your favorite podcast. But anyway, okay, so back to this. So PayPal has 360 million users, okay?
Right. RAY [REDACTED]. And PayPal is the Paddington Bear of payment services. Their heart might be in the right place, but they're constantly getting into trouble.
They're always making security faux pas, so to speak, around things like multifactor authentication, data leakage, API abuse.
They're always making security faux pas, so to speak, around things like multifactor authentication, data leakage, API abuse.
Leaving the taps on in the bath and it overflowing and going down the stairs, that kind of thing. RAY [REDACTED]. Yeah. So PayPal was— is the largest one of all.
And people that abuse PayPal know ways to basically harass people, get other people's accounts frozen and everything else. So Twitter announces that you can do this tip jar.
And again, they're rolling it out so that the creators have it.
Anyone can tip, but only certain people can receive tips, including creators, journalists, experts and nonprofit organizations. Okay.
And people that abuse PayPal know ways to basically harass people, get other people's accounts frozen and everything else. So Twitter announces that you can do this tip jar.
And again, they're rolling it out so that the creators have it.
Anyone can tip, but only certain people can receive tips, including creators, journalists, experts and nonprofit organizations. Okay.
Oh, so they haven't rolled out the ability to collect tips to every account at the moment is what you're saying? RAY [REDACTED]. Correct.
It's just— RAY [REDACTED]. Correct.
Special people, creative people. RAY [REDACTED]. Correct.
Right. RAY [REDACTED]. Okay.
Within minutes of even hearing about this, Rachel Toback, who is the CEO of SocialProof, immediately found a flaw in the system, which is you can tip a complete stranger, and if you leave everything the default settings, which people just click, click, click, click, you get their physical home address.
Their home address.
Within minutes of even hearing about this, Rachel Toback, who is the CEO of SocialProof, immediately found a flaw in the system, which is you can tip a complete stranger, and if you leave everything the default settings, which people just click, click, click, click, you get their physical home address.
Their home address.
You're freaking kidding me. Oh my God.
This is by PayPal. RAY [REDACTED]. Correct. And the reason that they do that is because by default PayPal thinks it's a product or a service.
Right. RAY [REDACTED]. You have to have a mailing address or something like that.
And then not long after that, a former FTC chief technologist named Ashkan Sultani found that you could also reveal their user's email address, even if no transaction took place whatsoever.
Now, there is a way that you can hide this if you go in and change it from goods and services to friends and family.
But just like everything else, the vast majority of people aren't going to remember to do that.
And is it really friends and family if I send Carole Theriault $2 for her beautiful artwork that I saw on Twitter? I'm not sure about that. So this blows up, okay?
And where else does it blow up but on Twitter?
And it sparks this huge debate with people like Brian Krebs and Marcus Hutchins, famous for the WannaCry fix, saying that there's a ton of ways that people can use fraudulent credit cards to harass or shut you down.
So this has basically become a PR nightmare for PayPal.
But Twitter, on the other hand, takes the high road immediately and thanks Rachel Toback and says, this is a good catch, we appreciate it.
We can't control the revealing of the addresses on PayPal side, but we will add a warning for people giving tips on PayPal so that they are always aware of this.
So this has been the big controversy of this week.
And then not long after that, a former FTC chief technologist named Ashkan Sultani found that you could also reveal their user's email address, even if no transaction took place whatsoever.
Now, there is a way that you can hide this if you go in and change it from goods and services to friends and family.
But just like everything else, the vast majority of people aren't going to remember to do that.
And is it really friends and family if I send Carole Theriault $2 for her beautiful artwork that I saw on Twitter? I'm not sure about that. So this blows up, okay?
And where else does it blow up but on Twitter?
And it sparks this huge debate with people like Brian Krebs and Marcus Hutchins, famous for the WannaCry fix, saying that there's a ton of ways that people can use fraudulent credit cards to harass or shut you down.
So this has basically become a PR nightmare for PayPal.
But Twitter, on the other hand, takes the high road immediately and thanks Rachel Toback and says, this is a good catch, we appreciate it.
We can't control the revealing of the addresses on PayPal side, but we will add a warning for people giving tips on PayPal so that they are always aware of this.
So this has been the big controversy of this week.
The guru again snaps his fingers and it shall be. Interesting. RAY [REDACTED]. A very tenuous connection to Paddington Bear, by the way. Very, very tenuous connection.
Yeah, nothing about marmalade sandwiches, sadly. So let me understand what's happened right now.
So by using this technique, people who were receiving tips would receive your address, but now Twitter is gonna give you some sort of warning that PayPal will pass on your address unless you mark this as a friends and family transaction.
Is that right? RAY [REDACTED]. Well, we don't know what PayPal is gonna do yet because typically when they fix issues, they do it silently.
Like in the past when there was a multifactor workaround, they just suddenly did it very quietly. But the problem is data leakage.
It could be an email address, it could be a physical address.
There are things you can do on disputes where by default, if you use a MasterCard on dispute, both parties can see each other's PII, right? So that's another hole that's there.
So most likely PayPal will take some steps to adjust this because they want to be in the lead on the Twitter tip jar. But we don't know exactly what they will do.
In the meantime, just like a packet of cigarettes, there'll be a big warning that says your data is being leaked or be aware of the fact of this, which nobody will probably read, and people will continue to leak their data.
So by using this technique, people who were receiving tips would receive your address, but now Twitter is gonna give you some sort of warning that PayPal will pass on your address unless you mark this as a friends and family transaction.
Is that right? RAY [REDACTED]. Well, we don't know what PayPal is gonna do yet because typically when they fix issues, they do it silently.
Like in the past when there was a multifactor workaround, they just suddenly did it very quietly. But the problem is data leakage.
It could be an email address, it could be a physical address.
There are things you can do on disputes where by default, if you use a MasterCard on dispute, both parties can see each other's PII, right? So that's another hole that's there.
So most likely PayPal will take some steps to adjust this because they want to be in the lead on the Twitter tip jar. But we don't know exactly what they will do.
In the meantime, just like a packet of cigarettes, there'll be a big warning that says your data is being leaked or be aware of the fact of this, which nobody will probably read, and people will continue to leak their data.
So what worries me most about this is not people's addresses being leaked to people who they want to tip, but this other side of it, which you said that Krebs and Hutchins found, which was that you could actually find out someone's email address if you began to send them a tip but didn't go through with it.
Is that right? Is that what was happening? RAY [REDACTED]. Correct, correct. And you don't even have to send them anything. Yeah.
And in addition to that, if they want to harass you without you knowing that they're doing it, they can take that email address and associate it with criminal activity, and PayPal will often just shut you down and suspend your account.
Like, if they see your name in the dark web, that will happen just pretty much without any trial or any kind of a jury.
Is that right? Is that what was happening? RAY [REDACTED]. Correct, correct. And you don't even have to send them anything. Yeah.
And in addition to that, if they want to harass you without you knowing that they're doing it, they can take that email address and associate it with criminal activity, and PayPal will often just shut you down and suspend your account.
Like, if they see your name in the dark web, that will happen just pretty much without any trial or any kind of a jury.
You know, Ray, my takeaway from your story is, don't use PayPal.
Yeah, get a Venmo account. Yeah, Matt Gaetz, I hate to break it to you, but PayPal owns Venmo.
Oh, oh my God.
Carole, what have you got for us this week?
Okay, first a question.
Do either of you think people today are aware of how insidiously they are tracked via devices, or do you think it's— we're in our little echo chamber and we're talking to each other constantly about it and they don't really hear it at all?
Do either of you think people today are aware of how insidiously they are tracked via devices, or do you think it's— we're in our little echo chamber and we're talking to each other constantly about it and they don't really hear it at all?
Oh, no way. RAY [REDACTED]. Nobody knows. No.
Yeah, most people have heard rumblings about it, but it's kind of gone in one ear and out the other, I think, and people go, la la la, they kind of forget about it.
Should we— let's start off my little section actually with an activity. So if you guys get— you guys are both iPhone users?
I don't give that information out publicly, but if you are, okay, can you check your iPhone? I want you to think of an app in your head, just an app that you use regularly.
And I want you to go to the App Store, and I want you to search for it. RAY [REDACTED]. Okay, got it. I'm gonna do PayPal.
I don't give that information out publicly, but if you are, okay, can you check your iPhone? I want you to think of an app in your head, just an app that you use regularly.
And I want you to go to the App Store, and I want you to search for it. RAY [REDACTED]. Okay, got it. I'm gonna do PayPal.
Listeners, actually, you should be doing this too. If you're sitting there not doing anything dangerous like driving or, you know, I don't know, chopping something.
Can I just say that being a professional podcaster, my phone is turned off and I now have to wait about 2 minutes.
Oh, well, mine's not. I just put it on silent like a normal person. Okay, well, Graham, you let us know when you get there. Okay, have you found something? RAY [REDACTED]. Oh, yes.
I went to PayPal's because we're beating up on them today. Okay. And there is a list of things that they are collecting and linking to me.
And probably about 6 of these I would not be expected. So purchases, locations, financial info, contact info. That's fine. User content, browsing history, search history, identifier.
Why do they need any of that?
I went to PayPal's because we're beating up on them today. Okay. And there is a list of things that they are collecting and linking to me.
And probably about 6 of these I would not be expected. So purchases, locations, financial info, contact info. That's fine. User content, browsing history, search history, identifier.
Why do they need any of that?
Yeah. Why do they need to know that you're going to the Candy Crush website all the time? I agree.
So on any app page now on the iPhone App Store, you can scroll down inside an app description and you will find an app privacy section.
And then in there, it's gonna be listed what kind of stuff is going on.
And this is the result of a promise that Apple made about a year ago saying that it was gonna start taking privacy more seriously.
iPhone, iPad, and Apple TV apps now required to request users' permission to track users' activity for data collection and ad targeting purposes.
In other words, they need to tell you and you need to say, yeah, I'm fine with that in order for apps to be able to collect that data. That's basically the shorthand of it.
RAY [REDACTED]. Is it all or nothing? Can I give them a couple things and not the rest of them?
So on any app page now on the iPhone App Store, you can scroll down inside an app description and you will find an app privacy section.
And then in there, it's gonna be listed what kind of stuff is going on.
And this is the result of a promise that Apple made about a year ago saying that it was gonna start taking privacy more seriously.
iPhone, iPad, and Apple TV apps now required to request users' permission to track users' activity for data collection and ad targeting purposes.
In other words, they need to tell you and you need to say, yeah, I'm fine with that in order for apps to be able to collect that data. That's basically the shorthand of it.
RAY [REDACTED]. Is it all or nothing? Can I give them a couple things and not the rest of them?
Well, you can, of course you can. Of course you can. So they're kind of giving you a bit more power as to what you, the user, as to what you're okay with and what you're not okay.
All right. RAY [REDACTED]. Oh, brilliant. Brilliant. That's perfect.
Now, some companies like Facebook are fuming. They say it'll radically impact their bottom line.
They're so awash with cash, I very much doubt anyone working there knows what their bottom line actually is. But Facebook went so far as to take out a full-page newspaper ad.
Maybe you saw this, one of you, Ray, maybe, claiming that the change would not just hurt Facebook, but would destroy small businesses around the world.
They're so awash with cash, I very much doubt anyone working there knows what their bottom line actually is. But Facebook went so far as to take out a full-page newspaper ad.
Maybe you saw this, one of you, Ray, maybe, claiming that the change would not just hurt Facebook, but would destroy small businesses around the world.
That's who they care about. They care about small business. RAY [REDACTED]. Small businesses. Small businesses. Yes, it's correct.
They said every mom and pop, every mom and pop dry cleaner will be out of business if we can't slurp your data.
They said every mom and pop, every mom and pop dry cleaner will be out of business if we can't slurp your data.
Exactly. So it started off with, we're standing up to Apple for small businesses everywhere, right?
And it was like, you know, kind of FT style color pink background kind of thing to look really serious.
No pictures, nobody sitting there making friends, none of that stuff they normally use. It was like a serious message.
Now, shortly after, the Apple CEO Tim Cook attended a data privacy conference and he delivered a speech that harshly criticized Facebook's business model.
And the thing is, the worldwide global mobile advertising industry is worth $189 billion. So it's not chump change. Yeah, it's a lot of wonga, isn't it?
And it was like, you know, kind of FT style color pink background kind of thing to look really serious.
No pictures, nobody sitting there making friends, none of that stuff they normally use. It was like a serious message.
Now, shortly after, the Apple CEO Tim Cook attended a data privacy conference and he delivered a speech that harshly criticized Facebook's business model.
And the thing is, the worldwide global mobile advertising industry is worth $189 billion. So it's not chump change. Yeah, it's a lot of wonga, isn't it?
Yeah.
Now, all this is all revolving around changes that Apple made to its Identifier for Advertisers, what's called IDFA. That's the shorthand.
And until now, apps have been able to rely on Apple's IDFA to track users for targeting and advertising purposes. So if Graham, for example, had done a few searches on cupcakes—
And until now, apps have been able to rely on Apple's IDFA to track users for targeting and advertising purposes. So if Graham, for example, had done a few searches on cupcakes—
Just a few.
—flirting around on Facebook and going cupcakes, cupcakes, looking for cupcakes, and he might start seeing ads for cupcakes when he's searching the web or in different apps.
This has all happened since iOS 14.5 came out, so that's about a month ago. But there are 14 categories of data that Apple have stipulated that they need to alert to.
Kind of complicated for the developers as well. They need to go through everything that they collect and go, is this a purchases or does this fit into contact info?
Is this a search history or is this a location issue or is this financial?
This has all happened since iOS 14.5 came out, so that's about a month ago. But there are 14 categories of data that Apple have stipulated that they need to alert to.
Kind of complicated for the developers as well. They need to go through everything that they collect and go, is this a purchases or does this fit into contact info?
Is this a search history or is this a location issue or is this financial?
So you're saying it's a bit of a nuisance for the app developers to categorize what exactly their apps are collecting, is that right? Or what they're trying to do.
Well, they're certainly feeling the pain because until now they've had carte blanche. They've had nobody interfering at all. So they've paved the road with gold.
And they were sitting there with their big straws, snarfling, snarfling, snarfling all your stuff. And no one was the wiser. RAY [REDACTED].
And if you think about it, Facebook was actually asking you if they could use Bluetooth.
But they weren't telling you that they were using Bluetooth to see who you were around when you were using your credit card, which is not anonymized data.
They can actually extrapolate that. And so now they knew where you were, whether you checked in, if there were other Facebook users nearby.
I mean, it is a very slippery slope, right?
And I don't even want to bring up the other stuff like Cambridge Analytica and all that, but yeah, 13 out of 14 on the— you said there's 14, right?
And they were sitting there with their big straws, snarfling, snarfling, snarfling all your stuff. And no one was the wiser. RAY [REDACTED].
And if you think about it, Facebook was actually asking you if they could use Bluetooth.
But they weren't telling you that they were using Bluetooth to see who you were around when you were using your credit card, which is not anonymized data.
They can actually extrapolate that. And so now they knew where you were, whether you checked in, if there were other Facebook users nearby.
I mean, it is a very slippery slope, right?
And I don't even want to bring up the other stuff like Cambridge Analytica and all that, but yeah, 13 out of 14 on the— you said there's 14, right?
It's not about that. It's not about that. It's about the ma and pa laundrettes. It's about the little dry cleaners. Yeah, it's about the dry cleaners.
It's not about— shush, shush, shush, shush. RAY [REDACTED]. So, Carole, my PayPal one, they want 13 of the 14 categories.
You see, the only one they don't want, the only one they don't want, is— or the one that they say data is not linked to you, they still probably want it.
Data is not linked to you is diagnostics, which is the only one I would really want to give them.
It's not about— shush, shush, shush, shush. RAY [REDACTED]. So, Carole, my PayPal one, they want 13 of the 14 categories.
You see, the only one they don't want, the only one they don't want, is— or the one that they say data is not linked to you, they still probably want it.
Data is not linked to you is diagnostics, which is the only one I would really want to give them.
Yeah, your phone diagnosis, we don't give a [MASKED]. We don't want to give it. Exactly.
Let it crash. We don't care about improving our app, making it less buggy. RAY [REDACTED]. So they have my contacts, they have my user content, they have my search history.
I mean, I don't even want my wife to have my search history.
I mean, I don't even want my wife to have my search history.
Yeah, by the end of this section, you may want to take it off your phone. So this is all app tracking transparency. That's how Apple is referring to this.
Now, Thorin, an editor at The New York Times, he does product reviews for a site like Wirecutter. He looked into the app tracking disclosures of 250 iPhone apps.
Okay, now these apps included the top apps of 2020, popular games, browsers, weather apps, streaming video apps, photography apps, Notes app, dating apps, shopping apps, news apps, health and fitness.
So basically—
Now, Thorin, an editor at The New York Times, he does product reviews for a site like Wirecutter. He looked into the app tracking disclosures of 250 iPhone apps.
Okay, now these apps included the top apps of 2020, popular games, browsers, weather apps, streaming video apps, photography apps, Notes app, dating apps, shopping apps, news apps, health and fitness.
So basically—
He sounds like a fun guy to have at a party.
I would love to have him at a party. I'd sit next to him. I'll be like, tell me everything. I love privacy stuff. Do you read Ts and Cs too? Oh my God. Okay, so main findings.
Weather apps share tons of data about you. For sure. I don't think most people would assume that.
They would just think it's gonna have my location 'cause it needs to know my location. Yeah, location. What other information do they collect about you?
Why don't you just go on your phone, Graham, and just—
Weather apps share tons of data about you. For sure. I don't think most people would assume that.
They would just think it's gonna have my location 'cause it needs to know my location. Yeah, location. What other information do they collect about you?
Why don't you just go on your phone, Graham, and just—
Oh, for God's sake, Carole, I turned it off again. I thought you were done with that. What's wrong with you? Well, I didn't know you were going to ask me again.
Ray, can you look in your weather app? RAY [REDACTED]. Yes, I actually did know that about weather apps and fart apps.
The apps that just generate fart noises, they also ask for a lot of data from you because they're free. They're free. Like F-A-R-T? Yeah, they're free.
Oh yes, when the App Store first opened, they were all the rage. You could make fart noises on your phone.
Ray, can you look in your weather app? RAY [REDACTED]. Yes, I actually did know that about weather apps and fart apps.
The apps that just generate fart noises, they also ask for a lot of data from you because they're free. They're free. Like F-A-R-T? Yeah, they're free.
Oh yes, when the App Store first opened, they were all the rage. You could make fart noises on your phone.
Have people lost the human ability to do it themselves, or—
Well, it's like, I don't need an app to make a fart noise. RAY [REDACTED]. You should have a whole folder of them. You need a whole folder. But they were free, okay?
They were free and they didn't have ads. And there's an old expression on the internet that if you're not paying for the product, you are the product, right?
So the fart apps were tracking everything. They wanted to know everything about where you were and everything, all of your taps and everything else.
And actually, the Android versions of them, you know, in many cases were even like exfiltrating data as well on that side.
They were free and they didn't have ads. And there's an old expression on the internet that if you're not paying for the product, you are the product, right?
So the fart apps were tracking everything. They wanted to know everything about where you were and everything, all of your taps and everything else.
And actually, the Android versions of them, you know, in many cases were even like exfiltrating data as well on that side.
So other ones that they said were shopping, exercising, moving news, and dating apps are also big into tracking.
So what you can do, listeners, go check if you have those apps on your phone and see what they're taking from you.
Other findings were that of the 250 of the apps that they looked at, 60% had a data used to track you label, basically having to have a label by Apple because they fit into one of those 14 data tracking categories that they've set out.
Of those that were tracking you, most of them was for advertising, 70%. Is that surprising? Not at all to me. But 20% use contact info.
And that really bugs me because if you think of the information, all the addresses you have in your phone, business friends, family, and that someone can just go in there and snuffle it up and know exactly who your contacts are is outrageous to me.
RAY [REDACTED]. Well, the contact thing is particularly bad because the people that are in your contacts never gave their consent. Right!
So if I have tons and tons of notes about them, like their children's names, kids' names and birthdays, and when we last met and all that other stuff, that other person never said, "Oh, you can give this to the weather app," right?
I mean, that consent issue is a little bit fuzzy. And I mean, I've even had issues with Signal about this because Signal wants your full contact database as well as Clubhouse.
I mean, almost every app that ever asked for contacts, I generally want to either give them dummy contacts or none.
So what you can do, listeners, go check if you have those apps on your phone and see what they're taking from you.
Other findings were that of the 250 of the apps that they looked at, 60% had a data used to track you label, basically having to have a label by Apple because they fit into one of those 14 data tracking categories that they've set out.
Of those that were tracking you, most of them was for advertising, 70%. Is that surprising? Not at all to me. But 20% use contact info.
And that really bugs me because if you think of the information, all the addresses you have in your phone, business friends, family, and that someone can just go in there and snuffle it up and know exactly who your contacts are is outrageous to me.
RAY [REDACTED]. Well, the contact thing is particularly bad because the people that are in your contacts never gave their consent. Right!
So if I have tons and tons of notes about them, like their children's names, kids' names and birthdays, and when we last met and all that other stuff, that other person never said, "Oh, you can give this to the weather app," right?
I mean, that consent issue is a little bit fuzzy. And I mean, I've even had issues with Signal about this because Signal wants your full contact database as well as Clubhouse.
I mean, almost every app that ever asked for contacts, I generally want to either give them dummy contacts or none.
Now, remember Facebook was making, throwing its toys out of the pram and putting out the ads and making big dramas about this whole new 14.5 app tracking?
If you mean they were sticking up for the little guy, Carole, yes, I do remember that. RAY [REDACTED]. Yes. They protest too much.
So do you guys want to guess how many people chose to opt out of tracking since the arrival and the adoption of 14.5, which was about a month ago? That's the— RAY [REDACTED].
Oh, it's got to be at least half. It's got to be half.
Oh, it's got to be at least half. It's got to be half.
Half. I have worldwide data. This is from Flurry. This is owned by Verizon. Okay. So Flurry Analytics. So Graham, higher, lower?
Oh, I'm going to say a bit higher. Bit higher. Three-quarters. Than half? Yes. Yes. Okay. All right.
87 out of 100 opted out worldwide and 96 out of 100 in the US. So only 4 people out of every 100 people said, I don't mind being tracked or have not said, yeah, yeah, I don't care.
I don't want to know.
I don't want to know.
Just go, let's go. Will no one care for the dry cleaners? Is it just Mark Zuckerberg who is standing up for them?
Now let's say you guys don't want to be tracked, okay? You guys don't want to be tracked. This is how you disable tracking on your iPhone or iPad.
Oh, tell me, tell me, how do I do it?
Now you can do a universal no tracking. For example, if you had a kid's phone or my phone, you might go, I don't want anyone to track me.
I want them to, I don't even want to know about it.
So you can go to settings and you then scroll all the way down that ginormous list to privacy, which is in the section that starts with general and ends with privacy.
And then scroll in there to the second one and it says tracking and little yellow icon. And then you can turn off allow apps to request to track.
And what that means is it tells all apps, these people do not want to be tracked anywhere anyhow, so don't even bother asking them. Don't even ask them. They don't want to know.
I want them to, I don't even want to know about it.
So you can go to settings and you then scroll all the way down that ginormous list to privacy, which is in the section that starts with general and ends with privacy.
And then scroll in there to the second one and it says tracking and little yellow icon. And then you can turn off allow apps to request to track.
And what that means is it tells all apps, these people do not want to be tracked anywhere anyhow, so don't even bother asking them. Don't even ask them. They don't want to know.
It's not going to happen.
This is my kind of thing. We talked about, I don't read email. I wouldn't want, you know, this is my kind of thing. Right. RAY [REDACTED].
I am curious about Facebook because I actually thought Facebook was making way too big of a deal about this and they should have just let it blow over.
But hearing 96% of the people said, No, I could see why Facebook is in real, real trouble. And I would think Google would be upset too.
I mean, their entire model is about tracking behaviors.
I am curious about Facebook because I actually thought Facebook was making way too big of a deal about this and they should have just let it blow over.
But hearing 96% of the people said, No, I could see why Facebook is in real, real trouble. And I would think Google would be upset too.
I mean, their entire model is about tracking behaviors.
Yeah, it's about secretly snarfling incredible amounts of private user data is their business model.
And boo hoo hoo that it's getting hit in the chops because they were taking advantage of an unwitting audience. I'm really pissed today. Yeah, yeah. RAY [REDACTED].
So the classic story on the iPhone was the apps that asked to access your pictures.
Okay, you would think, oh yeah, I've got to give it access to my pictures because I might want to share a picture.
You might be giving them access to all of your pictures rather than just—
And boo hoo hoo that it's getting hit in the chops because they were taking advantage of an unwitting audience. I'm really pissed today. Yeah, yeah. RAY [REDACTED].
So the classic story on the iPhone was the apps that asked to access your pictures.
Okay, you would think, oh yeah, I've got to give it access to my pictures because I might want to share a picture.
You might be giving them access to all of your pictures rather than just—
In most cases you are. Yeah. RAY [REDACTED].
So most people would be like, then— so now I have noticed now you can say just the recent ones, or just the current ones, or ask me every time, which I think, ask me every time, is probably, as annoying as that might be, I think that's probably the right answer.
So most people would be like, then— so now I have noticed now you can say just the recent ones, or just the current ones, or ask me every time, which I think, ask me every time, is probably, as annoying as that might be, I think that's probably the right answer.
It would be good if you could say something like, just the ones which don't have people's faces in, or just selfies, or maybe, you know, other parts of your body. RAY [REDACTED].
None of the nudes. None of the nudes.
None of the nudes. None of the nudes.
Exactly. Pixelate my pickle. End-to-end encryption isn't just for messengers. You use Signal to chat in private, but what about your documents?
Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private.
Only you and your trusted collaborators can see what you've created. Unlike Google Docs, Evernote, or Notion, no one else, not even Skiff, ever has access.
Skiff is offering listeners of Smashing Security early access. Sign up for Skiff's beta at skiff.org/smashing. That's S-K-I-F-F dot org slash smashing.
Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private.
Only you and your trusted collaborators can see what you've created. Unlike Google Docs, Evernote, or Notion, no one else, not even Skiff, ever has access.
Skiff is offering listeners of Smashing Security early access. Sign up for Skiff's beta at skiff.org/smashing. That's S-K-I-F-F dot org slash smashing.
According to the OneLogin I Am Okay mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.
And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.
Smashing Security listeners are invited to attend their live event on Wednesday, May 26th for free. It's called Keeping the Mind Clear and the Company Secure.
Learn more at smashingsecurity.com/1loginiamokay. That's smashingsecurity.com/1loginiamokay. And thanks to OneLogin for supporting the show.
In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.
And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.
Smashing Security listeners are invited to attend their live event on Wednesday, May 26th for free. It's called Keeping the Mind Clear and the Company Secure.
Learn more at smashingsecurity.com/1loginiamokay. That's smashingsecurity.com/1loginiamokay. And thanks to OneLogin for supporting the show.
Introduce your family to better online security and safer browsing habits with 1Password. 1Password doesn't just make it easy and safe to share passwords with your loved ones.
You can also save logins, documents, credit cards, and more. Sharing's made simple. Keep personal logins private and easily share access to what they need.
And you can recover 1Password access for family members so they never get locked out. Find out more and try 1Password for free for 14 days at 1password.com.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. RAY [REDACTED]. Pick of the Week. Pick of the Week.
You can also save logins, documents, credit cards, and more. Sharing's made simple. Keep personal logins private and easily share access to what they need.
And you can recover 1Password access for family members so they never get locked out. Find out more and try 1Password for free for 14 days at 1password.com.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. RAY [REDACTED]. Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be. Well, my Pick of the Week this week is not security-related. I love podcasts. No, really? And I—
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be. Well, my Pick of the Week this week is not security-related. I love podcasts. No, really? And I—
Yes, and he blows our mind every week, this man, I swear.
I listen to podcasts on different topics, and I was having a little look in my favorite podcast app, which is Overcast, and I noticed that I am subscribed to just under 30 different podcasts about the Beatles.
Not all—
Not all—
Wait a minute, that's impressive. How do you do that?
Now, if that seems crazy, I'm subscribed to 36 different Doctor Who podcasts. RAY [REDACTED]. That's too many.
But you probably listen to 3 of them, right?
Well, there are some which I would— some I listen to religiously. It's like, oh, I've got to listen to that. Others I just like to have around.
Some aren't active anymore, but there's quite a lot of them. I do love the Beatles, right? I'm obsessed with the Beatles, and there are two podcasts.
I'm actually a bit confused because I think it started as one podcast and seems to have split up into two different podcasts. It has an overlap in the hosts.
So I'm gonna recommend both of them. There's a podcast called One Sweet Dream. RAY [REDACTED]. One Sweet Dream.
Some aren't active anymore, but there's quite a lot of them. I do love the Beatles, right? I'm obsessed with the Beatles, and there are two podcasts.
I'm actually a bit confused because I think it started as one podcast and seems to have split up into two different podcasts. It has an overlap in the hosts.
So I'm gonna recommend both of them. There's a podcast called One Sweet Dream. RAY [REDACTED]. One Sweet Dream.
And another podcast called Another Kind of Mind. And they're very similar. I'm not really totally clear about the relationship. Hosted by Diana Erickson and Phoebe Lord.
And they talk about Lennon and McCartney. McCartney in particular.
And what makes these podcasts so interesting to me is that they're approaching the whole relationship between these two leading— obviously the two main songwriters in the Beatles— with a very different way from the way in which I've read many books in the past and many of the other podcasts I listen to as well.
And the way they describe it is they say, look, we're approaching this from the viewpoint of some emotional intelligence.
They're looking at what people say and what they do, but trying to understand how people may have responded to different things which were said.
Thought-provoking and different podcasts— well, I say podcasts, a couple of podcasts. And I found it very interesting. I don't agree with everything, but I don't—
And they talk about Lennon and McCartney. McCartney in particular.
And what makes these podcasts so interesting to me is that they're approaching the whole relationship between these two leading— obviously the two main songwriters in the Beatles— with a very different way from the way in which I've read many books in the past and many of the other podcasts I listen to as well.
And the way they describe it is they say, look, we're approaching this from the viewpoint of some emotional intelligence.
They're looking at what people say and what they do, but trying to understand how people may have responded to different things which were said.
Thought-provoking and different podcasts— well, I say podcasts, a couple of podcasts. And I found it very interesting. I don't agree with everything, but I don't—
Can you tell us something you learned? Just give us something you learned.
Well, no, I can. I just don't know. It just may be a bit boring and go a bit too— There we go.
I think that we have our answer on this.
No, because you might need to go a little bit too deeply into the dynamic of the relationship to truly understand it. But fundamentally, what Lennon really needed was a big hug.
These two podcasts do take a very different view on the Beatles from others I've listened to, and it's quite refreshing.
So they're called One Sweet Dream and Another Kind of Mind, and don't slag them off till you've tried them out. I've been told. Okay. Ray, what's your pick of the week? RAY [REDACTED].
Well, economists are always trying to figure out if there are unique indicators of an economy recovering, right?
They look at things like diaper rash, because apparently diaper rash goes down when people are more confident in the economy because they change their kids' diapers more often rather than trying to stretch them.
What we're really interested in for this particular topic is the UK and specifically London. How is it doing reopening?
Now, before I tell you about this index, I have to ask you this question as an American.
When we go to London, we often go to this place, but none of us know how to say it correctly. Is it pronounced Pret-a-Manger?
These two podcasts do take a very different view on the Beatles from others I've listened to, and it's quite refreshing.
So they're called One Sweet Dream and Another Kind of Mind, and don't slag them off till you've tried them out. I've been told. Okay. Ray, what's your pick of the week? RAY [REDACTED].
Well, economists are always trying to figure out if there are unique indicators of an economy recovering, right?
They look at things like diaper rash, because apparently diaper rash goes down when people are more confident in the economy because they change their kids' diapers more often rather than trying to stretch them.
What we're really interested in for this particular topic is the UK and specifically London. How is it doing reopening?
Now, before I tell you about this index, I have to ask you this question as an American.
When we go to London, we often go to this place, but none of us know how to say it correctly. Is it pronounced Pret-a-Manger?
Yes, yes it is. Yes, yes, you should definitely carry on. Okay, how do you say that? RAY [REDACTED]. How do you say that?
How do you pronounce that? It's Manger. Manger. I think yours is better. I like it. RAY [REDACTED]. Okay.
You know what, do you wanna know what it means? 'Cause it means something. Prêt à manger is to eat, so it's ready to eat. RAY [REDACTED]. Ready to eat, yeah.
So Bloomberg has compiled an index that looks at ready to eat or Pret A Manger and basically compares sandwich, croissant, and coffee sales prior to COVID beginning.
Baseline was the week before the schools opened and then calculates a percentage towards recovery of each area of London that you can actually see how people are recovering and how often are they going to Pret A Manger, right?
Yeah, I love it. Now, this is not a perfect way to judge it, but it's great.
You can look at things like the suburbs, you can look at Yorkshire versus London City or Manchester or whatever those are and see how many people are recovering and going back to the Pret A Manger.
And the airports seems to be the last place that people go - the airports are sagging quite a bit.
So Bloomberg has compiled an index that looks at ready to eat or Pret A Manger and basically compares sandwich, croissant, and coffee sales prior to COVID beginning.
Baseline was the week before the schools opened and then calculates a percentage towards recovery of each area of London that you can actually see how people are recovering and how often are they going to Pret A Manger, right?
Yeah, I love it. Now, this is not a perfect way to judge it, but it's great.
You can look at things like the suburbs, you can look at Yorkshire versus London City or Manchester or whatever those are and see how many people are recovering and going back to the Pret A Manger.
And the airports seems to be the last place that people go - the airports are sagging quite a bit.
Yeah, the sandwiches are going to be four days old, so be like— RAY [REDACTED]. Well, fair enough.
They don't actually say what they're ordering or whatever, but the London suburbs is almost 86% now.
So that means that a lot of people are venturing out, and a lot of those people are venturing out and getting coffee and croissants.
So that is the Pret A Manger, or if you're American, Pret A Manger index. And by watching it over time, you can see London getting back to normality.
They don't actually say what they're ordering or whatever, but the London suburbs is almost 86% now.
So that means that a lot of people are venturing out, and a lot of those people are venturing out and getting coffee and croissants.
So that is the Pret A Manger, or if you're American, Pret A Manger index. And by watching it over time, you can see London getting back to normality.
And you said that Yorkshire was top of the list, is that right? RAY [REDACTED]. I said Yorkshire, didn't I say Yorkshire?
Yes, of course you did. Of course you did. RAY [REDACTED]. I get to pronounce things, I get to mispronounce things as much as I want.
You can do whatever you want, Ray, you're gorgeous.
Yeah, you're fine, you're fine. RAY [REDACTED]. Okay, I'll talk about Edinburgh. Carole, what's your pick of the week?
Okay, I'm going to give you a little culture. So my pick of the week, I have to introduce you to one of my favorite artists first.
So this is Félix Vallotton - there's another French name for you. Well, Swiss name. He was born mid-19th century, and he's basically considered the innovator of woodcut.
This is where you cut wood and make an image, kind of like lino cuts, that kind of thing.
He made over 120 of these woodcuts through his career, but he is said to have felt he achieved perfection in terms of woodcuts when he did this one series called Intimités, or intimacies.
So this is Félix Vallotton - there's another French name for you. Well, Swiss name. He was born mid-19th century, and he's basically considered the innovator of woodcut.
This is where you cut wood and make an image, kind of like lino cuts, that kind of thing.
He made over 120 of these woodcuts through his career, but he is said to have felt he achieved perfection in terms of woodcuts when he did this one series called Intimités, or intimacies.
Oh, are these sort of pervy woodcuts?
Well, you're going to see them in a second, so you'll be able to tell me. So there are 10 prints illustrating the age-old power struggle between men and women.
And once he did these, he moved on to painting after this. He was just like, "I've hit the Mecca, I'm now the Shangri-La of woodcut, and now I don't need to do it anymore.
I'm gonna become a painter." And if you get a chance to check out his paintings, I've put links in the show notes — I think they're beautiful and amazing.
So I was doing some online research on this guy, and I came across this app called Unframed VR. Now they've developed an experience where viewers can be immersed into a work of art.
What? Yeah, so you're gonna see this in a second. So they've done a number of these different artists, but they've also done one on Félix Vallotton's intimacy woodcuts.
And I'm going to just show you what it is. This is on YouTube. Now it's a video — I'm starting you in 32 seconds because it's obviously really slow and sensuous, right?
We don't have a lot of time for that stuff on this show. So here's the link.
Now, what's cool about it is if you guys watch this, click on the link, and if you watch it, you can actually scan around you're kind of in the middle of the work.
And you can start spinning it around you and looking up and down so that you can see the line of cuts from it — you know, the wood cuts from totally different perspective.
You're completely immersed. It's kind of cool, huh? RAY [REDACTED]. Let me put on my Oculus. Hold on, hold on a second. Let me put on my Oculus.
Tracing my curves — it's in motion too, it's moving as well.
And once he did these, he moved on to painting after this. He was just like, "I've hit the Mecca, I'm now the Shangri-La of woodcut, and now I don't need to do it anymore.
I'm gonna become a painter." And if you get a chance to check out his paintings, I've put links in the show notes — I think they're beautiful and amazing.
So I was doing some online research on this guy, and I came across this app called Unframed VR. Now they've developed an experience where viewers can be immersed into a work of art.
What? Yeah, so you're gonna see this in a second. So they've done a number of these different artists, but they've also done one on Félix Vallotton's intimacy woodcuts.
And I'm going to just show you what it is. This is on YouTube. Now it's a video — I'm starting you in 32 seconds because it's obviously really slow and sensuous, right?
We don't have a lot of time for that stuff on this show. So here's the link.
Now, what's cool about it is if you guys watch this, click on the link, and if you watch it, you can actually scan around you're kind of in the middle of the work.
And you can start spinning it around you and looking up and down so that you can see the line of cuts from it — you know, the wood cuts from totally different perspective.
You're completely immersed. It's kind of cool, huh? RAY [REDACTED]. Let me put on my Oculus. Hold on, hold on a second. Let me put on my Oculus.
Tracing my curves — it's in motion too, it's moving as well.
As gently as your hands on my body.
Here I'm immersed so I can move around inside. I am properly immersed in the woodcut — I've got wood. Oh God, philistine. No, it is lovely — it looks lovely.
So you can see it on YouTube first if you want to take a look at it. But the app is called Unframed VR, and this is a way that you can experience artworks in a brand new way.
And it's quite exciting. So yeah, that's my pick of the week.
And it's quite exciting. So yeah, that's my pick of the week.
Awesome, fantastic, marvelous. Well, that just about wraps it up for this week. Ray, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that? RAY [REDACTED]. Well, they can find me on Twitter by going to @Ray[REDACTED]. I just recently joined Darknet Diaries as well.
What's the best way for folks to do that? RAY [REDACTED]. Well, they can find me on Twitter by going to @Ray[REDACTED]. I just recently joined Darknet Diaries as well.
Oh, cool. And you can follow us on Twitter @SmashingSecurity — no G, Twitter doesn't allow us to have a G — and also on the Smashing Security subreddit.
And don't forget, if you want to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Overcast, Spotify, and Google Podcasts.
And don't forget, if you want to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Overcast, Spotify, and Google Podcasts.
Thanks to this episode's sponsors: 1Password, Ransomware, Skiff, and 1Login, and to our wonderful Patreon community. It's thanks to them all that this show is free.
Episode show notes, sponsorship information, guest list, and the entire back catalog of more than 226 episodes — check out smashingsecurity.com.
Episode show notes, sponsorship information, guest list, and the entire back catalog of more than 226 episodes — check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye. RAY [REDACTED]. Bye-bye.
Hey, Carole Theriault here. So just to highlight a few new reviews that came in.
Huge thank you to Pater Furfur, who wrote, "Interesting topics, brilliant guests, witty humor, a must-listen since the beginnings in 2016.
Greeting from Germany." Well, greetings from the UK and thank you. And also from Mr. Ergo, "Changing the world for the better with a laugh.
It mostly only takes a few seconds until my first laugh. I'm fairly new to the podcast and I'm already addicted to the show.
They've managed to give you the latest updates but keep it light and understandable for non-security professionals.
And they are just hilarious with each other." Well, it's called bickertainment, right? And we're masters at it. Thank you guys for these and all the other reviews we got.
And please keep them coming. They just make the show so much more fun to do. Plus, I get to do this little segment, which I kinda like. See you guys next week.
Huge thank you to Pater Furfur, who wrote, "Interesting topics, brilliant guests, witty humor, a must-listen since the beginnings in 2016.
Greeting from Germany." Well, greetings from the UK and thank you. And also from Mr. Ergo, "Changing the world for the better with a laugh.
It mostly only takes a few seconds until my first laugh. I'm fairly new to the podcast and I'm already addicted to the show.
They've managed to give you the latest updates but keep it light and understandable for non-security professionals.
And they are just hilarious with each other." Well, it's called bickertainment, right? And we're masters at it. Thank you guys for these and all the other reviews we got.
And please keep them coming. They just make the show so much more fun to do. Plus, I get to do this little segment, which I kinda like. See you guys next week.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Ray [REDACTED] – @RayRedacted
Show notes:
- Train firm’s ‘worker bonus’ email is actually cybersecurity test — The Guardian.
- Anger Over Shocking Covid Bonus Stunt At West Midlands Trains — TSSA.
- Researcher calls out privacy flaw in Twitter’s new ‘Tip Jar’ donation feature — The Daily Swig.
- Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable — Wired.
- We Checked 250 iPhone Apps—This Is How They’re Tracking You — Wirecutter.
- 96% of US users opt out of app tracking in iOS 14.5, analytics find — Ars Technica.
- App Privacy Details on the App Store — Apple.
- What is App Tracking Transparency and how do you block app tracking? — MacWorld.
- Daily iOS 14.5 Opt-in Rate — Flurry.
- If an app asks to track your activity — Apple Support.
- Another Kind of Mind – A Different Kind of Beatles Podcast.
- One Sweet Dream podcast.
- The Pret Index: Pret Sandwich Sales Show Where U.K. Workers Are Returning to the Office — Bloomberg.
- Unframed : Intimacies, Félix Vallotton — YouTube.
- Unframed, a virtual reality serie about Swiss painters.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: 1Password
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com
Sponsor: Skiff
We store more personal information on our devices than we do in our homes. Where do you go online when you want to write or share something privately?
Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators – no one else, not even Skiff – can see what you’ve created.
Skiff is offering listeners of Smashing Security early access. Sign up now: skiff.org/smashing
Sponsor: OneLogin
According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
As a result, CISOs and IT executives have been under ever-increasing pressure – leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.
OneLogin’s message? You’re not alone. Attend their live event on Weds May 26, “Keeping the Mind Clear and the Company Secure” at smashingsecurity.com/oneloginiamokay
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
