Smashing Security podcast #269: Trezor Deep Throat, a CCTV stalker, and Amazon’s list of banned words

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

There’s monkey business involving cryptocurrency thieves and MailChimp, a stalker exploits his ex-partner’s CCTV cameras, and what are the naughty words Amazon doesn’t want its staff using?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Zoë Rose.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

So I wrote about this. Oh fuck, I've just spilt water all over my keyboard. Oh, oh dear, don't panic. Hang on, there are big puddles of water on my desk.

Carole Theriault

My god. Do you want to take two minutes to deal with this issue?

Graham

No, just quickly. We're going to wait, Carole. The show must go on. Can't stop for anything. Smashing Security, episode 269: Trezor Deep Throat, a CCTV stalker, and Amazon's list of banned words, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 269. My name's Graham Cluley.

Carole

And I'm Carole Theriault.

Graham

And, Carole, this week we are joined by a returning guest. Somebody who hasn't been on the show for a couple of years, but we're delighted to have her back. It's Zoe Rose. Hello, Zoe.

Zoe

Hello.

Graham

How are you?

Carole

Fabulous to have you back. You are our listeners' favourite voice, so I'm sure many of them are going crazy.

Zoe Rose

I try not to laugh too hard because I'm not a huge fan of my own voice, but I do appreciate it.

Graham

Yeah, there were a lot of people who liked your voice. Well, they still do, I imagine. Well, hopefully. It's not gone. Because you've got that weird amalgamation. Everyone's like, where does she come from? What's she doing? I know you've moved about a bit. And the other big news with you, of course, is that since you were on, you've had a child.

Zoe

I have made a human being. Isn't that shocking? Incredible, though.

Graham

Don't go into details as to how you made it. But anyway, there is a mini Zoe Rose out there now. Yes. Oh, gorgeous.

Zoe

With much more fabulous hair. Oh. It is adorable.

Carole

How about we thank this week's sponsors, Kolide and Keeper Security. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?

Graham

Oh, well, something unpleasant that arrived in my mailbox. Ew. Okay. Zoe, what about you?

Zoe

I am also talking about something not super pleasant. It's about a man that has decided to be a stalker.

Carole

Oh, gosh. Okay. And I'm going to look at ideas from Amazon head honchos on how to boost employee morale. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, I want to tell you about something which happened to me this past weekend. And Sunday morning, there I am. I'm thinking, oh, I've got to get out of bed. Another day, drag myself out from under the duvet. Is it really that hard? Well, it's Sunday morning. You need to put Dolly Parton on when you get up. Really?

Carole

Yeah. Wake up in the morning, stumble to the kitchen. Oh.

Graham

Very good. Anyway, I stumbled to my office and I saw that I had received an email telling me that Trezor, I think it's pronounced Trezor, had been hacked. Do you know what a Trezor is? Well, if it's French, Trezor, it's treasure. Oh, maybe that's why they named it that. It is a hardware wallet, something which connects via USB to your computer. And what you do is you store your cryptocurrency wallet on it. So if you don't trust online cryptocurrency wallets, brackets, you shouldn't trust online cryptocurrency wallets, because they're getting hacked all the time, then you might choose instead to store it on a USB stick via one of these things, which stores it securely. Now, I've only got about £5 worth of cryptocurrency. Ooh, you're rich. So it's not as though it's very much. But I received this email, which appeared to come from Trezor, and it said, we regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and the wallet associated with your email address is within those affected by the breach.

Carole

Because you have often talked to people about using hardware wallets, right? Absolutely.

Graham

I think if you're going to dabble in cryptocurrency, it's probably the sensible place to store your wallet as it makes it more difficult for hackers to break in or access it. And this message, which looked pretty legitimate, said that hackers had broken into Trezor's admin servers the day before, last Saturday, and they said, we're looking into this data breach, but we think that there could be a problem for you. So you need to update the desktop piece of software on your computer called Trezor Suite, because otherwise your cryptocurrency assets are at risk of being stolen.

Carole

And this came by email?

Graham

This came via email. That's right. Came from trezor.us. And I was, oh, I thought that's a bit worrying. Now, obviously, at first I was thinking, well, it might be real because I do have a Trezor device. So they may well have my email address when I bought it. And I clicked on the link in the message and it took me to what appeared to be the Trezor site. And I thought, well, this is quite a good story. I thought I should write this up for my blog. Quite interesting if Trezor have been hacked.

Zoe

Yeah, and it sounds like it was quite a professional email as well, not a typical poorly spelt, poor grammar one. And it's not one of these phishes which is sent out to hundreds of thousands of people who aren't Trezor customers. And I looked online and genuine Trezor customers are saying, I've received this, what on earth is going on? I can relate to that.

Graham

But I noticed that under the E of Trezor, there was a little dot. And I thought, is that a dot on my screen? Is it just that I haven't cleaned?

Carole

Which is very possible because, yeah,

Graham

Exactly. The cleaning issue. Right. So is it a dot on my screen? Is it a piece?

Carole

Yes. Dried food or?

Zoe

I can also relate to that because my screen is full of child's fingerprints.

Graham

So I wrote about this. Oh, fuck. I've just spilt water all over my keyboard.

Carole

Do you want to take two minutes to deal with this issue?

Graham

No. Just quickly. We're going to wait. Carole, the show must go on, right? We can't stop for anything.

Carole

I just don't want you to electrocute yourself.

Graham

Zoe's a very important person. She's very busy. We can't.

Carole

Okay, but if you die, I would be really guilty. Is there water where the cables are?

Graham

There's a big puddle. There's a big puddle.

Carole

Okay, can you please just take care of that?

Graham

I'm just going to swipe it off onto the floor. Hang on. Here we go. We're going to swipe.

Carole

for a mini-human. I cannot be responsible for you as well. Exactly.

Graham

I'm coming back. I'm coming back.

Carole

He was overwhelmed by Zoe's lovely voice.

Graham

Thankfully, my office has an en suite bathroom.

Carole

I know. You are fancy.

Graham

More than someone. Then that would be a lot of accounts for it to make a difference. Exactly. So I thought, why are they doing that? Because this appears to be a genuine warning to people. Who has a vested interest in downvoting a warning about an attack against Trezor users? People that can financially gain from it. Exactly. You're so clever, Graham. And then I noticed something else, right? My website was slowing down a lot. Because as I was trying to update my story about this attack, my website began to time out. That's really actually quite good. Not only have they got good grammar and a very professional email, they've got a whole army of Redditors. I don't know. And now they've got something set up to send off a DDoS. That's interesting.

Carole

That doesn't help your relationship with your hosts very much, I imagine.

Graham

I've had that problem with web hosts before.

Carole

Do you think? Don't antagonise them too much.

Graham

So I went back on Reddit, and what I noticed now was that my warning about the scam email, the one which was linking to me, was suddenly being massively downvoted by persons unknown. So I thought, okay, there's definitely an attempt to stop people from hearing about this attack that's going on.

Carole

Did you take to the streets, Graham? Did you take to the streets?

Graham

With a little placard, I went out on the street. I thought, there's no other way to do this. I'm just too popular.

Carole

Yeah, and why didn't Trezor go out with that information? Because they didn't want to be targeted by them?

Graham

Well, I said to him, I said, this is really juicy. I said, can I quote you?

Zoe

But if they already know that, they should be warning their customers.

Graham

Well thankfully at that point then they did. So shortly afterwards they did post something up on their Twitter account.

Zoe

Ah, your little placard, going into the streets, worked. Exactly.

Carole

And how much time has passed now since you've published the article and all this has happened?

Graham

Oh, a few hours. A few hours have passed.

Carole

Okay, so this is a few hours of work. And it was a Sunday, you know, and so, you know, it's not going to beat them up too much. And on Monday, MailChimp said that their service had been compromised, targeting crypto companies.

Zoe

Yeah, and also, who's likely to go to the police when they lose, you know, for your example, five pounds? You're not going to do that if you did actually lose it.

Graham

Five pounds, maybe not. But I fortunately didn't install the software which this email was telling me to install. But I did hear from people who said they had literally had their entire cryptocurrency investments absolutely raided. And so they have nothing left.

Zoe

Really?

Graham

Yep. Some people told me that they lost everything over the weekend.

Carole

And what a poop storm as well for MailChimp.

Graham

Well, yes. Obviously, a lot of companies who have been affected by this breach are going to be concerned. And I would hope that those crypto companies are going to be contacting the customers and saying, look, your details may have fallen into the hands of hackers. So be on the lookout for phishing attacks and who knows what.

Zoe

And from the boring perspective of, you know, in my job, I have to deal with not so fun stuff like supply chain and that. And I'm not going to lie, if I was a cryptocurrency company, I wouldn't probably value MailChimp that high on my making sure that they meet some security standard. So I could see that there's a bit of a kind of, what am I trying to say? There's a bit of a gray area of who's going to be held responsible. One, MailChimp, did they have the right controls? Right, two, the cryptocurrency, did they do their due diligence there?

Graham

Yeah, it is unclear, because Trezor say it was a rogue employee inside MailChimp; MailChimp are saying hackers accessed internal tools. It's unclear whether it may have been a legitimate employee who was socially engineered, maybe, into giving access to someone else. Yeah, totally. Yeah, it's a grey area for sure, but clearly less than ideal. Yeah, what's going on?

Zoe

Not ideal. Yes, that's a very British way of putting it.

Graham

Fortunately for me, I didn't lose any money. I've probably done more damage spilling the water over my desk. Zoe, what story have you got for us this week?

Zoe

Mine is also not so lovely. It's regarding a man that was dating someone. They broke up and he was not too happy about that. And he had previously installed her CCTV system and was watching her on it.

Carole

Oh, like after post breakup, like not telling her, just stalking her basically through the camera.

Zoe

Yes. And then she went on holiday. And so he let himself into the apartment. And as you do, you know, and even worse is he took pictures of her flat. And then when she came back, sent them by email to her without context, just pictures of her flat. What?

Carole

Is this from an anonymous email address?

Zoe

It was.

Carole

So he hid his identity.

Graham

That's the way to endear someone to you, isn't it? That's a great way to win someone back.

Carole

Yes, win someone back. Where's the logic? Yeah, yeah.

Zoe

And then he claimed it wasn't him, but when he was interviewed by police... I think he originally had said he had been sent them by somebody and he was sending them on to her because he was concerned, you know. He was concerned for her safety, but he obviously admitted to being the one that took the photos and sent them later, when he was interviewed by police.

Graham

Do you think it was more a sort of, I'm just trying to get into his head, do you think it's more of a "look what happens when I'm not around, someone's able to hack in; if only you had a big manly burly boyfriend who could protect you from this person who's breaking into your house and taking photographs"? Do you think that's the thinking, or?

Zoe

It could be, I mean, bonkers. From my experience of investigating these types of incidents, because I do volunteer for an organization in America called Operation Safe Escape, it's about survivors leaving or who have left domestic abuse situations, relationships. And a lot of times it's a sense of control; it's not logical. In some cases it may, Graham, you may be right, it may be "look, I could have protected this" or "look at you, you're extremely vulnerable", but it also is, you know, "I can still control you".

Carole

It's a total mind fuck too if you're being targeted. Holy moly.

Zoe

Yeah, I think from my kind of experience of being the person that's been in that situation, it's terrifying even if I know what's behind it. Even, for example, in my situation the person had access to my email account. I knew how to get him off of it. I knew how to check if he still had access, but it's still terrifying because what else does he have access to? Our lives are so online. In her case it's her bloody CCTV. I think they actually say in the article she had unplugged it, knowing he had access to it. When he went in, when she was on holiday, he plugged it back in, which is how she knew he was in the flat, right?

Graham

So what should you do, Zoe? I can understand, you know, if you've shared your email password with somebody and you've then broken up. You probably shouldn't share your password in the first place, but if you have done, obviously change it. But are there other rules and guidelines and pieces of advice you can offer people?

Zoe

Yeah, I mean, there are two sides to it, because it's domestic abuse and violence related. I want to be very clear that sometimes removing the person's access is not the right call. Sometimes it's actually leaving their access, because it can escalate, especially if they have intimate access to you, they're in your home, right? But if it's that you have physically left the situation, most of the time the advice I give is start over, get a new account or get a new phone, because you never know, especially if you're not a tech person. However, when it comes to things where, you know, you're a bit more confident, maybe you have an organization like Safe Escape to support you, it would be things like ensuring MFA is in place, multi-factor authentication, ensuring you have a strong password. In my case, I did not give them that password. Actually, it was so long ago I don't even know how he got it. But I'm a security person and I made a mistake and he got it. So, you know, no matter how much you do, this can happen. So it's just being aware of what information you have online and also being aware of what information can be seen in your email.

Graham

And there's obviously a physical security aspect to this as well because the guy was able to re-enter the house, so he must have had a key or a pin code or something scary.

Zoe

Scary as fuck, yeah scary. It doesn't specify in the article how he got in, but I'm making the assumption he had a key because it doesn't say he broke anything. But yeah, that goes to the what's left over. I remember years ago where somebody had put a camera up in their ex's house and the camera was in a private room, you know. So they want control. They want to use anything that they can. And they'll use things that are what you would never imagine, CCTV, accessing your email or, you know, putting cameras up. So it is scary. But I think the biggest thing is just knowing what you have in your environment. And I suppose figuring out if you can secure it or if you need to remove it.

Graham

Yeah. So what's happened to this chap now?

Zoe

He did receive 12 weeks prison term, which is not much, but it's something.

Graham

I think, Zoe, his prison term has been suspended for two years. So I don't think he has spent any time in prison.

Zoe

Oh, so did I read it wrong?

Graham

Yeah, I think if he misbehaves in the next two years, then he'll have to serve 12 weeks.

Zoe

Bloody hell. Okay, I'm not as positive now.

Carole

Two years' suspension. It's kind of really, I think, frightening. I don't know if it's just from a female point of view, but the idea that you can be terrorized, mentally terrorized in that way. And then it's not considered... You don't feel safe in your own home and he gets two years' suspension.

Zoe

And the article made it sound like they got a restraining order and he has to do volunteer unpaid work. They made it sound like that was such a big deal.

Graham

Loads of us don't do it. Yeah. Has to do some community service. Like, oh, here's a house which needs to change its locks. So maybe you could change its locks for it. Something like that, which will work really, really well and cause any problems in the future.

Carole

A mega takeaway in all this as well is don't assume the default security settings are best for you, right? They're not the recommended ones. They are the ones to make it as easy as possible for you to get up and going and running. Not necessarily the best. So go through those settings, please, when you get a new device that you plug in.

Zoe

Especially when it comes to CCTV, because I know of somebody that had a lot of money. CCTV is closed circuit TV, I think is what it actually stands for. But that doesn't mean that it's actually doing what it says it's doing, because a lot of them, they're actually online. They're available on the internet. Like cloud-based ones, yeah. Yeah. So make sure that what you set up is actually doing what you think it's doing, not just the default of is it secure, but also is it accessible for people that you aren't expecting, let's say.

Graham

And if you've split up with someone just don't be a dick right?

Zoe

Yeah, I think in this case, when it comes to stalking, I think there's a lot of control, it's a lot of possibly mental health issues, you know, there's a lot going on there. But that doesn't excuse his behavior. Yeah, please don't be a horrible person. At the very, at the bare minimum, please don't be awful.

Graham

Yeah, I'm with you. Much more nicely put than I said. Carole, what's your story for us this week?

Carole

Okay, so we're gonna start off with Microsoft, because they recently put out some research all about the state of the office, post-Rona or mid-Rona, wherever we are in the whole Rona thing. And they interviewed something like 3,000 different business leaders. And half of these leaders intimated that their company already requires or plans to require full-time in-person work in the year ahead.

Graham

You mean people actually in the office? Is that weird? Yeah, bums on seats. Oh, really? Bums on seats.

Carole

And they also said that time spent in meetings for the average team since February 2020 has increased over 250%.

Graham

Oh, that's a good thing, isn't it? Because we needed more meetings. Yeah. No, that's excellent. I'm glad we've made progress.

Carole

But if you think about that, it's then perhaps no surprise that 50% of employees are more likely to prioritize health and well-being over work since the pandemic. And that 52% of Gen Z and millennials are thinking about looking for new work during the next 12 months. Interesting. All these stats are concerning, not just for employees, but for companies, right? Both large and small. They have to figure out a way to work with strained budgets, a stressed-out workforce and a lack of resources. And one of the big questions is what can companies do to boost morale without breaking the bank? Yeah. I have a suggestion. Is it croissant?

Zoe

It is not. It is not. It is maybe possibly listening to what the workers actually say they want.

Graham

Oh, what a namby-pamby kind of thing to do. The last thing you want to do is ask people what they want. Well, I don't know. There are various ways to cheer up staff, aren't there, in the office? I mean, you could hire some mimes, for instance.

Zoe

Would that make you want to stay at a company that doesn't listen to anything you say?

Graham

It would be horrific. I don't know. Just treat me like a normal human being. Don't treat me like I'm an idiot, I think, is the general...

Zoe

So treat you like a respectable dog, essentially. Don't be rubbish.

Carole

Yeah, yeah. Don't be rubbish. Interesting because the Harvard Business Review published an article recently saying this is how someone might boost morale if they don't have any financial kickback to offer, financial bump. And one is public recognition. So basically McDonald's employee of the month kind of thing. Right? Right.

Zoe

Which, to be fair, to be fair, if we look at intrinsic motivators, sometimes people are motivated that way. Yeah, sure. Feeling, you know, like you're making a difference.

Graham

You can also be demotivated, can't you? Because you can think, why has Bob Middleton been promoted as employee of the month when I know he's useless at everything, can't even carry wood, and he's just a waste of space who we need to get rid of? And for some reason the bosses have decided he's brilliant and they have not seen the enormous amount of useful, positive work which I have done this month. You know, you could be demotivated by that kind of scheme, couldn't you?

Zoe

Oh, completely, completely. I would be absolutely angry of, oh, I can get probably even a month, but I can't work from home, which I've done for TEO.

Carole

Right, right. What would you say to another one that they recommend is sending thank you notes to your home address? So you'd have, you know, dear Zoe, we just want to say that you're such a star. Thank you so much for showing up every day and doing all the stuff you do. Sign the CEO or someone.

Zoe

Question. Does this thank you note include stickers? Because I may be swayed.

Carole

There's not a fiver in there. I want at least a few stickers.

Graham

You know what I say? I say, kind words don't butter parsnips. If you want to cheer me up, if you want to boost morale, then come on, get some money out of your pockets. They don't have any money. Well, they've got enough money. But cards cost money. Yes, they've got enough money to post you compliments and stickers, or they've got enough money to praise Bob Middleton and frame his photograph on the wall.

Zoe

Who's this Bob that you're so upset about?

Graham

You'll find him on LinkedIn.

Carole

I'm going to look. Graham, it's interesting because, you know, other companies were not really moved by the symbolic rewards that I was talking about. Right. And one of those people is Amazon, right? Because they want a more innovative, more modern approach to dealing with this type of thing.

Graham

Are they rating their staff out of five? You can choose a star rating. It's like, would you recommend this employee to your friends? Is it something like that? They're giving people star ratings.

Zoe

I could totally see them doing that. Is that what they did?

Carole

It's close, close. So according to The Intercept, and this is according to sources on the inside, last November, Amazon top executives had a little chit-chat about creating an internal social media program. Oh, no. And this social media program would allow employees to recognize co-workers' performances with posts called shout outs. You can get that on LinkedIn, though. Right. But maybe you don't own all the content then. I don't know.

Graham

You don't want a shout out. You just don't want to be paid minimum wage by a guy who's the richest chap on the entire planet. Jesus. He's going up into space on his pneumatic penis thing. It's just, you just want some money. Just pay me properly and then I'll be motivated.

Zoe

I agree with that because I think a lot of people are, oh, I do my job. I'm not motivated by money. Full disclosure, I'm motivated by money because I have a family and I would like to eat. Absolutely.

Carole

Are you sure that I can't sway you because they have a gamified reward system inside their internal social media system here, where you get virtual stars, not real ones, unfortunately, because that would be cool. But you get virtual ones and badges, which is practically a sticker, Zoe, practically a sticker for activities that add direct business value.

Graham

If you paid me more money, I could buy my own stickers and possibly my own star as well.

Zoe

Oh, actually, you can. That would be a good idea. The underlying thing is you have to meet your employees where they are. And if they're starving, or if they can't pay their bills, or if they're working to the point of exhaustion, I don't bloody care how many stickers you give them or digital versions.

Carole

So you're not sure an intranet's going to help reduce employee attrition and foster happiness? Because they're pretty convinced, right?

Zoe

But who are the people that are convinced? The top Amazon execs. They have enough money and don't understand why people aren't being so thankful that they bother to give them any money.

Carole

Well, I don't know. I think you guys are being short-sighted because these top Amazon execs, right, the kingpins here, are going to keep employees happy and productive so they won't look elsewhere for work. But let's assume this person at the meeting, I don't know, we'll call them Bob, right, Graham?

Graham

Bob. Okay, yeah, that's where Bob ended up, right?

Carole

At the meeting, Bob says, hey, hey, Zoe, Graham, because you guys obviously are top execs at the meeting: how do we stop disgruntled employees from basically complaining on the intranet? Right? How do you do that? Because obviously negative.

Graham

Blocking keywords.

Carole

Good bingo. They always do that. I have provided you guys inside the document, the list. These are the words that apparently were being considered to be blocked.

Graham

This is dumb. This is dumb, yeah.

Carole

Now, I have to say, Amazon have contested it, saying, well, you know, if this whole social network does go live, not all these words are going to be blocked.

Zoe

I can still say rubbish. What is TOT? What does that mean?

Carole

I don't know. I looked it up and I was just...

Graham

Have you tried Urban Dictionary? That's normally quite good.

Zoe

I might be too old. I don't know. The second one is union.

Carole

I don't care, for example, is a phrase that apparently would be flagged. And what they're saying is that it's called an auto bad word monitor, quote unquote. And it was devised as effectively a blacklist that would flag and automatically block employees from sending messages that contained inappropriate keywords. And this is beyond, obviously, swear words or inappropriate language. These are kind of like the word prison, for example. Yeah. Right? Or ethics, interestingly, is in there.

Zoe

Ethics is blocked. Maybe it's because they don't want somebody to say this isn't ethical.

Graham

Yeah, they don't want any ethics on the intranet.

Carole

It seems ethical is okay, though. Ethical might get through.

Zoe

Okay. Okay. Maybe the trick is just not speaking American English and then you can say anything.

Graham

Well, maybe being really bad at spelling. If you spell ethics with a K. Oh, maybe. For instance, ethics. You know, double F. FX, in fact. Oh, yeah. Well, that's very clever.

Carole

I was thinking along the same lines, right? You'd have to start working on your writing or language skills to get, and I think you guys are both very good writers. So, if I wanted to communicate in this intranet, I fucking hate working here. What could I say instead? Pop open my thesaurus.

Graham

I love working at Amazon, brackets, not. Are you allowed to use the word not? Yeah, I don't know. Maybe. It's not in the list.

Zoe

So, TOT, according to slang for old people, I think, on Google, is texting on the toilet. They also blocked restrooms, so that possibly could be it. But they didn't block the loo. So I really think just spell things in the British spelling and use a lot of parentheses. Or just being, you know what I would do?

Graham

I'd just be very, very sarcastic. I'd just be so over effusive with praise. I cannot begin to tell you how much I adore our overlords at Amazon and how they bring lightness and wonder to my life.

Carole

Yes, you could do analogies. Like, working here is as glorious as being Jeff Bezos' personal proctologist, for example.

Zoe

That's perfect. I would say something like, oh, you know, I had to miss my child's big development stage thing. But it's okay because working here is my favorite thing in the world. Just something as simple as that because it sounds very positive.

Carole

I would definitely choose working here because I love it so much.

Zoe

They've got representation blocked. Wow. They've really put some thought into this.

Carole

Well, Amazon are saying, look, look, look, there's no promises we're even doing this. We'll see what happens. It was scheduled to launch later this month. So we will see. If any of you listeners want to see the list of words, I have a link to the Intercept article, as well as to a number of other articles. Just to let you know that all's great out there. Everything's wonderful.

Zoe

I'm just going to say if they put half as much thought into their incentives as they did into this bloody list, they may actually have a couple of happy people.

Carole

Yeah. I'm not sure this is the way to make people smile. Yeah, I think I agree with you on that one.

Zoe

Blocking pay raise? No. That says it all. Even blocking diversity, that really says something.

Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organisations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide, that's smashingsecurity.com slash K-O-L-I-D-E. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide, that's smashingsecurity.com slash K-O-L-I-D-E, and thanks to Kolide for supporting the show.

Carole

Pick Of The Week. Pick Of The Week.

Graham

Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related, necessarily. Better not be. Well, my Pick Of The Week this week is a little bit security related, because we have discussed this case on the podcast in the past. It's related to the extraordinary story of QuadrigaCX and the death of Gerald Cotten, the company's CEO. If you don't remember, tune in back to episode 114 of the Smashing Security podcast, I knew that off the top of my head, where we talked about that case. It is now a Netflix documentary. It's called Trust No One, which you can go and check out. What happened with QuadrigaCX was that they were a Canadian cryptocurrency company who were storing a large amount of money. And what occurred was this chap, Gerald Cotten, went on holiday to India and then he died. Or so the company said. And allegedly, only Gerald Cotten knew the password which could unlock the cold wallets into which people had put their entire life savings. So it was a very interesting story at the time. And there were, of course, investors who were deeply disturbed. Some of them you will see in the course of this documentary, very worried about what happened to their money and thinking that there was some kind of conspiracy going on. I'm not going to spoil anything about the documentary for once.

Carole

Good. You don't normally spoil them. You're normally very good at setting it up.

Graham

Thank you very much. But I thought it was quite interesting. And so I am going to recommend the Netflix documentary, Trust No One. Go and check it out. And it is my pick of the week. Nice. Zoe, what's your pick of the week?

Zoe

Yes. So my pick of the week is actually a couple of things. So instead of a go-to bag or, you know, an emergency bag for whatever incident you're investigating, being a mum, I now have a go-to travel bag for travelling with a child.

Carole

And you mean traveling, traveling. You don't mean like going down to Sainsbury's?

Zoe

No, no. I mean travelling, travelling. So I've travelled with my daughter to, I don't remember the first time she went to a country, but I think four countries now. And this is not small travel. This is not just popping over to Germany because I'm in Holland.

Graham

She's about one year old, right? So you've done a lot of countries in a short period of time.

Zoe

Correct, yes. This is also going over to, you know, across the pond to North America when she was about six months old. So it's been a bit of a journey and this is traveling by myself with her as well.

Carole

Wow. So what's in your travel bag then?

Zoe

So the most important things are not the small things. Not like, I mean, obviously clothes are important, you know, she's a child, those are good. Bottles, you know, those are helpful. But the main point that I think is really key is, instead of carrying, because carrying a pram or having a pram with you, or you might call it a buggy or stroller, I think is the other term, one that's collapsible, so easy to, you know, fold down so that they can put it at the bottom of the plane, and it's light, is key. But also, if they break it or lose it, replacing it isn't that difficult because, yeah. Well, I've got two prams, yeah. I've got my travel one, and then I've got my main one. And the travel one, I actually like more, but it costs maybe a third of the other one. So if it gets broken, not a big deal.

Carole

Oh, interesting.

Zoe

The other thing that is important is a carrier for my daughter whilst I'm in the airport. So instead of carrying her in the pram, I actually strap her to my chest, essentially, because that leaves my arms open. I don't have to deal with a crying baby wanting to be picked up. And also, you know, it's just way more convenient. And then on top of that is a light car seat, because the car seat that I have in the car is bloody heavy and I'm pretty sure it weighs the same as me. So this is a specific car seat that is actually cleared for air travel, so if you do want to take it on the plane for children that need their own seat. But also, even if you're checking it, you know, walking it in the airport and to the taxis is not going to break your back, so brilliant.

Graham

That sounds very useful, so we'll include some links in the show notes for people to check out your recommendations for these.

Zoe

These are just suggestions of what I use, and they're not necessarily the best out there, but whatever it is that works for you, mainly just the foldable and light.

Carole

And Graham, are you a little jealous that there isn't a man-sized, you know, baby seat for me?

Graham

Yeah, man seat.

Carole

Like, you can bring your La-Z-Boy with you on the plane.

Graham

That'd be marvellous, wouldn't it.

Zoe

If I find one I will let you know.

Graham

Good luck finding one in my size. Carole, what's your pick of the week?

Carole

I have a really sweet pick of the week this week. It comes from one of my very good friends, Andy, and she just shared this with me.

Graham

I don't know if I'd go to it again. I mean, I think it's very cute. But would you go to this on a regular basis?

Carole

I went to it right after. It was like, "Died five minutes ago, you say?" he asked. His eye went to the watch on his wrist. 12:43, he wrote on the blotter. And that's Agatha Christie. So you get some good books as well.

Zoe

I quite like it. I also think, you know, it's well thought out. It's got a dark theme. I also like the "skip quotes marked not safe for work."

Graham

Exactly, exactly. I only want the not safe for work ones.

Zoe

Maybe that's version 2.0. No, I think that'd be cute to just have sitting in the background even. That's quite lovely. There you are. That's my pick of the week.

Graham

Very good. Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?

Zoe

They can follow me on Twitter at RoseSecOps, or they could check my website, which is just RoseSec.com, which would link to my Twitter, but that's okay.

Graham

Cool. And you can follow us on Twitter at Smash Security. No G. Twitter at the last have a G. And we also have a Smash Security subreddit. And don't forget, to ensure you never miss another episode, you should follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Overcast and Google Podcasts.

Carole

And a huge thank you to this episode's sponsors, Kolide and Keeper Security. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 268 episodes, check out SmashingSecurity.com.

Graham

Until next time, cheerio. Bye bye. Bye. See ya.

Carole

I wouldn't want to be you. I would.

Zoe

You guys, the timing is perfect. My daughter is now home.

Graham

Thank you so much, Zoe.

Zoe

Yes, you gave us your free hour and we're so grateful. She is now licking the ferret cage.

Carole

You didn't even bring up ferrets on the show. People will think you've given up on them.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Zoë Rose – @RoseSecOps

Show notes:

Sponsor: Keeper Security

Keeper Security’s enterprise password management platform locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization.

Sign up for a Keeper free trial for your organization today, and get a free 3-year personal plan, at keepersecurity.com/smashing

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
