Smashing Security podcast #276: Webcam extortion, Michael Fish, and food foul-ups

Industry veterans, chatting about computer security and online privacy.

A browser extension bug let malicious websites spy on webcams, hackers threaten the global food supply chain, and Michael Fish (not that one…) hacked into his female classmates’ online accounts, hunting for nude photos and videos.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Announcer

Newsflash. Newsflash. Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be asked, please go to smashingsecurity.com slash vote, and vote for your favorite security podcast. So don't delay or I'll electrocute your eardrums. That's smashingsecurity.com slash vote. Now, on with the show. Smashing Security, Episode 276, Webcam Extortion, Michael Fish, and Food Foul Ups, with Carole Theriault and Graham Cluley.

Graham Cluley

Hello, hello, and welcome to Smashing Security, Episode 276. My name is Graham Cluley. And I'm Carole Theriault. And this week on the show, Carole, we've got someone who's returning to the show, a popular... It's me, it's not them, it's me. Oh, I read it as Mario, it actually says Mark, Mark Stockley. Hello Mark. Hi, thank you for joining us on the show again.

Graham

They're coming up in June. There is an opportunity for the audience to vote as well.

Carole Theriault

What, our listeners you mean?

Graham

Our listeners. Our listeners can vote, if they wish, for their favourite cybersecurity podcast. Sadly, Sticky Pickles isn't listed as one of the nominations this year. They were last year, of course.

Mark

Weren't you listed as one of the top cybersecurity blogs last year as well?

Graham

Oh, well, actually, Mark, funny you should say that, because this year we are once again one of the top cybersecurity blogs, as well as one of the top podcasts. So if people want to vote for us as one of their favourite cybersecurity blogs, that's great. We'd rather have the vote for the podcast, though.

Mark

I think it would be hilarious if you won the blog category and you didn't win the podcast category. Come on, listeners, we can make this happen.

Graham

The way to vote is to just go to smashingsecurity.com slash vote, and that will redirect you to an awfully long Google Docs link where you can tell the organisers what your favourites are.

Carole

Yeah, obviously say us, dudes.

Graham

Yeah, obviously, yeah, otherwise you're dead to us.

Carole

No, not to me. Shall we get on with the show and let's thank this week's sponsors Collide, Rumble and Good Access. It's their support to help us give you this show for free. Now coming up on today's show, Graham, what do you got?

Graham

I've got Michael Fish.

Carole

Am I supposed to know who that is? We'll discuss that.

Mark

I've got a story about all your worst fears coming true.

Carole

Oh, sounds hilarious. And I enter the world of food production. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, talking about all your worst fears coming true, you do know who Michael Fish is, don't you?

Carole

I don't think I do.

Mark

I know who Michael Fish is.

Graham

Of course you do. Everyone in Britain knows who Michael Fish is because for 30 years he was one of our most famous weathermen, appearing on our television screens in a series of horrendous jumpers. He became something of a celebrity.

Carole

What's your problem with jumpers? What kind of jumpers?

Graham

Well, these were quite, you know... Colourful? Colourful. Good. Just wasn't very much of a sex symbol. It's strange, though, because he did have a punk group in 1985 who wrote a song called I Wish I Wish He Was Like Michael Fish.

Carole

I wish, I wish. He was like Michael Fish. Michael! Fish, fish!

Graham

Rachel and Nicky sang that. You may remember Rachel and Nicky.

Carole

No.

Graham

John Kettley had a song as well, didn't he? John Kettley was a weatherman. That's right. And so is Michael Fish. And so is Ian McCaskill. But yes, that's right. That was an even more popular song. Michael Fish's forecasts have even been sampled by the Prodigy.

Carole

Oh, really?

Graham

Yes, but none of this means anything to anyone outside of Britain because you don't know who Michael Fish is. So you might be thinking, Graham, Graham, why are you talking about Michael Fish? Well, even if you're not British, you might know a Michael Fish. Maybe you were a student to the State University of New York at Plattsburgh, maybe between 2016 and 2019, because there was a guy there studying law called Michael Fish.

Carole

What, with the exact same name? By the way, yes. How is that possible?

Graham

I can't believe it. Not spelt with a PH. He was a Michael Fish. A proper Fish. Fish swimming in the water. Just, yes, actually, coincidentally, spelt the same as fish you encounter in the sea. Now, Michael had a problem.

Carole

Was it jumpers?

Graham

Not just jumpers. No, Michael had a problem. This is Michael at the university now. We've moved on from the weatherman.

Carole

Okay, but he's got the same name, so it's very confusing.

Graham

It is confusing. I'm going to try and clarify throughout the story.

Carole

Can we just say one and two? Number one and number two?

Graham

I don't think there would be a lot of arguments as to which one was number one and which one was number two. Michael Fish had a problem. He liked the ladies. Oh, it can be a tremendous, horrible problem, that one, can't it? Liking the ladies and wanting, for whatever reason, to occasionally have a little peek at the ladies, have a little look at the ladies. Maybe he had a girlfriend. Maybe that wasn't quite enough for him. Maybe he wanted to look at other ladies as well. I don't know. What are you saying? He looked at porn and that's the problem? Well, that's one of the solutions, Carole. If you are someone who likes to engage in the male gaze, then you might find different ways. It's an artistic term. He likes to look at the ladies. Now, there's different ways of handling this problem, right? If you want to look at ladies' boobs and their other bits, what are you going to do? What are you going to do? Carole, I'll ask you first. I don't know how interested you are in ladies' boobs and bits. Well, you know.

Carole

I'm a girl from the 70s, so I'd buy a mag. Old school. I thought you were going to say you could just look at yourself, and that would be satisfaction enough.

Mark

Well I have heard that there is pornography available on the internet.

Graham

Right okay well he didn't do any of those things. He didn't even make a PowerPoint presentation to convince young women to reveal all to them which is a technique I can tell you that works.

Carole

Does it?

Graham

Well hasn't worked yet, hasn't worked yet but I'm hoping at some point they'll be impressed with my clip art.

Mark

Do you think that is because you just haven't put the right slides together?

Graham

I think I haven't got the right builds. That's what I think it is, the right transitions. Something that. If I'm really convinced... I mean, because we're told PowerPoint presentations can sell anything, haven't we? So why can't they sell the idea of, you know, a woman... This conversation is going crazy. Anyway, so what he did instead of all of those very reasonable ideas...

Carole

Michael Fish at the university. That's what we're talking about.

Graham

Michael Fish. What he did was he hacked into the accounts of some of his classmates. Okay. Now, it wasn't any old classmates. It was just the female ones. So he very cleverly targeted just the ones he was interested in.

Carole

Accounts, their email accounts or? Their email accounts. Oh, right. Okay. Their email accounts. I would love it.

Graham

You would love it, wouldn't you? He could have tried 12345, right, as a password maybe.

Carole

He could have done that. He could have got the common passwords off the internet. He could have used a password cracker, maybe. He might have written a PowerPoint presentation where he said, people, I'm doing research into people's passwords. Please tell me your password. So he's cracking into email for what reason? Well, guess. To look at, because I keep loads of nude pictures of myself in my email. Of course. Because that's what one does, right? We all do that.

Graham

We've all got lots of pictures of you in our email, Carole. As backups, in case you ever lose yours. So, Michael Fish, not the weatherman. The weatherman never did this. I have heard he's very litigious.

Carole

He just wears weird jumpers, according to you. He broke into the accounts of over 100 female students. And once he had access to their accounts, he was able to get into their other accounts, their other online accounts, their social media accounts. Do they really keep that stuff on their social media accounts? It just seems a bit weird to me.

Mark

I understand that direct messaging of pictures is a thing that the young people do. Yeah. And also, some services might be backing up their photographs from their cameras as well. And if they gained access to those online accounts, they might be able to access them that way.

Carole

No one knows who Michael Fish is. It's not like he's the hero of the university, presumably, or the college we're talking about. So which Michael Fish you saying nobody knows him? I bet they know who he is now.

Mark

Can we skip to the second thing that he does?

Graham

After the first thing. After the first thing, which he then repeats several times.

Carole

He makes a website, a gallery for them all for him to enjoy in his own private time. Am I close?

Graham

You're so close, but not quite. So obviously he did the obvious thing quite a lot, I imagine. And then he started trading the pictures with other people. What is he, 12? It's like Pokemon cards or collecting butterflies. No, he's not 12. He's in his 20s. So yeah, he's 12, basically. Yeah, he's mentally 12. And what's more, he got out his copy of Photoshop. He pulled out a copy of Photoshop and he created a collage. An obsession wall. He took the photos. He made collages where he put the sexual images, the ones with the nudie stuff, alongside the innocuous graduation photographs of these young women.

Carole

What, here's Sheila with her graduation outfit on and here are her tits type thing? This guy's classy.

Graham

He labelled each one with their full name and he shared those collections with other people who were appreciative of collages, including a chap called Nicholas Faber who was sentenced last August to three years in prison.

Mark

So at some point he's got a magazine and in the magazine he's found an article called something like, Are You a Psychopath? And then there's a list of tick boxes that you have to go through. And he's just working his way down through the tick boxes and he's now at number 15. He's just tick, tick, tick, tick, tick, tick, tick, tick, tick. If he blows up his cat, we're fucked. Then he decides to create a physical version of this where he puts their pictures on the wall and joins them together with pieces of red string. Is that what he's going to do next, Graham?

Graham

I think this is probably the way it was going, yeah.

Mark

Does he start leaving cryptic clues for the police officers who are always half a step behind him? Like the Zodiac Killer.

Carole

A really nice guy, yeah, nice chap.

Mark

Another upstanding person with an interesting name, yeah.

Carole

So this little pig, Michael Fish, what happens to him?

Graham

Well, obviously, he was causing some upset, embarrassment, stress, anxiety for any victims who found out that their images were being shared online or shared between these unpleasant people. And probably rage as well, I would imagine. But it could haunt you for years. And they didn't know it was him.

Carole

They just knew someone had done this. They didn't know it was that Michael Fish who sits behind them in geology.

Graham

Yes, yes. And so eventually the security breach was discovered and the university spent thousands investigating the scale of the problem. They realized, oh my goodness, there's quite a lot of accounts which have been hacked here. They looked at the computer, the server logs, they reset passwords. It cost them thousands and thousands, they reckon. And Fish was caught. I don't know exactly how he was caught.

Carole

Again, excellent research, Graham.

Graham

I haven't been able to find that out. I did do a lot of research into the other Michael Fish, which I think we can appreciate. So he obviously was there before a judge, right? And the case is going forward and it's you've been a very naughty boy. You've done some highly unpleasant stuff.

Carole

Yeah, I'm sure that's exactly the words that the judge used, naughty boy.

Mark

And then the judge said, and is that jumper you're wearing made out of human hair? Toenails. And one of the things that judges like, of course, is they like to look at any mitigating circumstances, whether they need to consider the ethics of the person or what they've contributed to society. And so what Michael Fish did was he sent the judge a letter. In fact, he forged a letter. He forged a letter claiming to come from an aide to a U.S. representative. And this U.S. representative is someone who had actually volunteered for her election campaign back in 2016. He took a legitimate, genuine letter which said, oh, yeah, he's a good bloke. He worked hard on the campaign, et cetera, et cetera. And he augmented the letter.

Carole

Well, yeah, that's the stress. The collage.

Mark

I'm not saying that the collage bit is the fact it was a collage. At least he didn't make a montage. At least he spared them that. It wasn't macramé.

Carole

You know what you've done, though, in your story? From now on, every time I hear of the real Michael Fish, the weatherman, I will think of this story. And you have basically sullied his name as well.

Graham

I seem to remember something about Michael Fish, the weatherman, which I wasn't able to find evidence of on Wikipedia.

Mark

Again, excellent research. Here's the thing I've made up about Michael Fish. Wouldn't it be funny if Michael

Graham

Fish... I'm not saying he did anything illegal. I'm just saying he might... I'm just saying that. No, I'm not. I'm not saying that, and that's because we're up for an award and we'd like you to vote for us and not get us into any legal trouble. So let me say right now, Michael Fish, of all the weathermen, is one of them and a fine, upstanding fellow. Well done, Michael Fish, but not the American student who stole people's photographs. OK. On that note, Mark, what have you got for us this week?

Mark

I said in the intro it's your worst fears. Yeah. Maybe not all of you. You're quite well put together human beings. Maybe it's not your very worst fear. We just heard of Michael Fish, so, you know. OK. But as we heard in the previous story, and I don't know if you picked up on this, but it turns out that there's pornography on the internet. I've looked,

Graham

Never found anything. Never found a single thing. Very disappointing. Massively oversold the internet.

Mark

So obviously the reason that we're sort of laughing awkwardly about this is because there's a little bit of cultural stigma attached to the idea of self-pleasure, unless your name's Michael Fish.

Carole

Are we going down the masturbation route now? What the heck's going on with the show?

Mark

Well, I used the word self-pleasure. Well, we all know what you mean. You're talking about wanking. OK, yes, yes, that's where we're going. We are on route one to Wankville. OK, strap in.

Graham

Just remember, this is the episode where we're encouraging people to vote for us.

Mark

Carry on. So, as you may have noticed, there's a bit of stigma attached to this act. And you're not the only one who's noticed, because cyber criminals have noticed this as well. And one of the very simple and extremely popular ways that they have of making money from this sense of shame is that they will occasionally send people emails saying something like, I've got full control of your device and I've made a video of you watching porn. And when I say watching porn, obviously they don't just mean watching, they mean joining in enthusiastically, hand actions, participation, all that stuff. And then they threaten to send the video to all of your friends unless you pay them some money in Bitcoin, of course.

Carole

Can I just say, if anyone threatened to send me a video of either of you doing this, I would not watch on my life. I would rather do anything else than watch that I'm no offense, I love you both very much. No, I am a little bit

Graham

Offended by that actually.

Carole

Well, you shouldn't be because I'm doing it out of respect just honestly.

Mark

So what you're saying is I should ask for my Bitcoin back. So the key thing about these emails and one of the reasons that they work is that the criminals will often provide some sort of proof that they do indeed have full control of your device, such as they might send you the email from your own email address. Oh, yes. Or they might include a password that you have used for a website in the email.

Carole

Aha. So you basically just shit bricks and then do what they say. Yes, and then send Bitcoin.

Graham

Because you don't realise that's easy to have gathered or to do.

Mark

Neither of those two things are actually proof. Yeah. As Graham said, anyone can send you an email from your own address. It's one of the wonders of email. We've only had 50 years to fix it. We're working on it. It's fine.

Carole

We've got a lot of other things on our plates right now, guys.

Mark

It's been a busy time. It's been a busy time. The internet, all that stuff.

Graham

We might fix the climate problem before we actually fix the email.

Mark

I don't know. There's absolutely no chance of that, no. Yeah. Anyway, the one thing that they never do, the one thing that we'll never, ever, ever do, because they can't is send you actual proof. So for me, as Carole was kind of saying, the real proof for me would be like, send the video. OK.

Carole

Yeah. Or at least a still of it. Yeah. Right. Show me my mug that was on the table at the time.

Mark

Let's see the O face. OK. But they're not going to do that because actually the reason they can't send proof is they don't have any, because actually breaking into someone's computer and taking over the webcam is much, much harder than just sending an email that says you've done that. But what if it wasn't that hard? What if a website could turn on your webcam and video you without asking? That would be uncool.

Carole

It makes me very smug that I don't take my clothes off in front of the computer. Yes, me too.

Graham

I think we're all pleased about that, Carole.

Mark

We're all joined together in a sense of smugness about not doing that now. There is an ethical hacker who specializes in browser add-ons, his name is Vladimir Palant, and he's been wondering the same thing — what if a website could turn on your webcam? And he's made some fairly alarming discoveries. So his focus is a browser extension called Screencastify, which is just a typically awfully named thing because everything has to have "ify" on the end now because we've run out of hours. 10 years ago it would be Screencaster with an R on the end — there are no R's left. And it creates videos and it's being used by at least 10 million people. We don't know how many people actually use it because they stop counting at 10 million when you download extensions. So 10 million plus. And there are limits to what you can get browser extensions to do, but they're designed so that they can't take over the world. So according to Palant, what Screencastify does is it integrates with its own website in order to add video editing functionality. And that's a problem because it massively increases the number of people and organizations that you've got to trust. Because you think you're just trusting this browser extension, but actually you're not.

Carole

Okay, so is this a supply chain issue, effectively?

Mark

It is. It is a supply chain, but it's one of those — supply chain is very buzzwordy at the moment — and this is a supply chain issue that is fundamental to the way that the web works. So fixing this is very hard. So the Screencastify website, which integrates with this extension, can send messages to the extension. And those messages include things like, "start the webcam." And because you grant the extension permission to take pictures when you install it, it doesn't ask you for permission again. So you install it, it asks for permission, you say yes, it remembers that permission forever. So at any moment, the Screencastify website can send a message to your extension saying, "turn on your webcam."

Carole

What?

Mark

And the video that it takes is saved to your Google Drive. But you can't use the extension without also giving it access to your Google Drive.

Carole

Oh, boy.

Mark

So it can start a video recording, and then it can snaffle the resulting video from your Google Drive because you've allowed it to do that. Now, that's fine, you say.

Carole

Yeah, we do say that. Of course we're saying that.

Mark

Screencastify aren't going to just arbitrarily turn on your webcam and video while you're masturbating. Of course they wouldn't, because you know every individual at that company, and you trust them all individually. They're all fine, upstanding people — they've all given you a pinky swear to be good guys. So that's all fine. Well, it's not actually that simple. Because as Carole was alluding to, modern websites are kind of collections of stuff from other websites. So the way that you add functionality to a website often is you just pull in some code from the other website. And all the pulling in from other websites happens the minute you load a page in your browser. So you're pulling down code from Screencastify, but you're also pulling down code from other places as well. And any code that gets pulled into the Screencastify page also gets permission to trigger this API. And the Screencastify website includes code from Webflow, Teachable, Atlassian, Netlify, Marketo and Zendesk.

Carole

Sorry, can I just give a warning? If anyone feels affected by this and is driving a car right now, could they pull over if they're suddenly losing blood as they realize what might have happened to them? Just carry on. So just to recap — the Screencastify website can access your webcam at any time that it likes, but it also includes code from Webflow, Teachable, Atlassian, Netlify, Marketo and Zendesk, which means they can as well. Well, I imagine if you're in a hurry in that situation — like say you've got 10 minutes before someone comes home and you're presented with a number of dialogue boxes before you get to the main event — you would hurry through them, right?

Graham

10 minutes isn't a hurry, Carole. That's a very leisurely... This is a particular scenario. Oh, yeah. I imagine that you are correct, Carole, and that a theoretical person put in such position would probably just hurriedly click through any dialogue boxes. Yeah, get me to the pictures.

Carole

I bet they freaking did. Holy moly. But I think the broader picture is what happens in these situations is somebody like Palant comes along and he goes, what if? Don't you think? Tape it up. Tape up the camera. Tape it up.

Mark

Like a little robot arm comes out. Yes, a robot arm. It just rolls some tape.

Carole

Sounds good, Graham. TM that. TM that. Carole, what have you got for us this week? Well, I don't even know how to follow these two stories. I think something about masturbation. Graham, we're going to talk to you. So do you mind if I mention to our lovely listeners that you are on a bit of a health kick at the moment?

Graham

Oh, for God's sake. Now that's going to put the pressure on me to carry on, isn't it? Well, whatever. That's good. Is that not good? Sure. Okay. I've been trying to eat more sensibly. I've been exercise biking and I've been going for brisk walks.

Carole

Would you say sensibly means less?

Graham

What, less food? Yeah. Oh yeah, there's less food. And the food I am eating is the kind of food which allegedly is better for you. Well, can I just say on behalf of the rest of the people on earth that we thank you for your contribution? I don't think you can pin that on me, Carole.

Carole

I'm not pinning it on you. I'm just saying.

Mark

You sort of are. You sort of, it does sound like you were. You did a bit.

Carole

Do you know how some supermarkets say every penny counts, right, or like some strap lines? It's like that.

Mark

But particularly Graham's. They count more than everyone else.

Graham

Let's leave my penance out of this, please.

Carole

Oh, my God. So the global food supply is being hammered by a number of things, right? Do you want to name a few that can come off the top of your head?

Graham

There's a war going on in Ukraine.

Carole

Right. Ukraine and Russia, 25% of the world's wheat is produced there. So that's a bit of a pickle. Extreme weather events, right?

Graham

Yes.

Carole

That little pandemic thingy that we're still kind of recovering from?

Graham

There have been ransomware attacks on some big food supply companies in America in the last year or so.

Carole

Yes, there have. And the UN estimates that in the past year, global food prices have risen by almost a third, fertilizer by more than half, and oil prices by two thirds. And this company, Food Logistics, say that while this is all horribly bad, there are some silver linings, as in technology is there to save us. So there's things like CAT, which stands for catastrophe modelling, which will help us predict weather conditions so that we can take preventative action.

Mark

That's definitely what we should do about global warming. We'll just try and locate the ever smaller patch of livable space as it slowly dwindles and everything else goes crispy.

Carole

Yeah. It can monitor conditions to help improve yields, reduce waste. There's also smart agricultural tech that promises to bring more automation, allowing for things like remote monitoring, less human labor, less human error, right? Less effort, more money, yada, yada, yada.

Mark

But just to be clear, these devices that are going to free us up from human error are themselves made by humans, correct? Okay, and so these massively giant centralized systems. So instead of having the human error of, let's say, 10,000 separate farms, some of whom may have idiots running them, they're all going to use one piece of tech designed by a human. So it's just one system. It's just one big system. What if the human who makes it has an error?

Carole

Yes. Well, there is a new paper that came out. Researchers at Cambridge University are ringing the alarm bell saying that using new AI technologies at scale, to Mark's point, holds huge risks that are not being properly considered. Now, as you say, a lot of us are going, oh, God, of course, that's the case. That's, you know, of course, all industries. But there's so many industries out there that have not pulled up their so-called cyber bootstraps, right? And maybe they're excited about the possibilities of high returns, but they're not thinking hard enough about how to safeguard against bad stuff that might come their way. And in this paper, links in the show notes as always, the authors have come up with a catalog of risks that might be considered in the responsible development of AI for agriculture. Sorry, they raised the alarm about cyber attackers potentially causing disruption to commercial farms using AI by poisoning data sets or shutting down sprayers or making sprayers not be able to be shut down or autonomous drones, right? Robotic harvesters. There's so much of this stuff that we're dependent upon.

Mark

I think it's very important there that when we say drone in the context of farming, what we mean is an American sized combine harvester. Yeah? Yeah, they're huge. The hacker is not taking over your little quadcopter, your little $50 quadcopter. We're talking about a giant human threshing death machine.

Carole

But you have to also think about the little guys too, right? For example, there's a guy that the BBC was talking to that was trialing an autonomous asparagus harvesting robot called Sprout. And the farmer says, you know, there's a real risk that people anywhere in the world could try and take control of these machines to get them to do whatever those people want or just prevent them from operating. Someone could potentially drive Sprout into a hedge or a ditch or prevent it from working at all. So they say they're working with security researchers to address any vulnerabilities. But I'm imagining there are thousands, nay, tens of thousands of companies that are going, hey, food's a big deal. Let's come up with some automatic cool ways and let's race out the door before our competitors. And yeah, who cares about the pen test dudes?

Graham

And if Sprout can harvest asparagus, maybe it can also harvest humans.

Carole

Yes, Graham, again, a really excellent insight.

Graham

That's how Terminator started with an asparagus picker.

Carole

So you said, Graham, it's not like we've not seen attacks right in the industry. Was it there was the meat processing plant JBS? Yeah, and they had millions of dollars in ransom they paid to resolve the attack and there was also this top agriculture firm AGCO was hit by a ransomware attack that affected production. And that was this month.

Mark

And the FBI actually put out a warning in the last month or so saying to the entire agricultural sector, be very, very wary of ransomware attacks in your planting and harvesting seasons. Because they think that the ransomware attackers are, they're basically always looking for more leverage. And if you have a very short time window in which to do some of your most important economic activity, e.g. planting and harvesting, then you're very vulnerable to ransomware. And ransomware attackers are very good at picking the worst moments. So they'll often run the ransomware at night, for example, or at a weekend or on a public holiday because they've been sat in your computers for months sometimes. So they're just well able to choose, okay, what's the absolute worst moment to attack you? So that your calculation about whether to pay them or not is fraught with urgency.

Carole

Yeah, and I really feel for the people in this industry at the moment because they are not necessarily experts in cybersecurity and encryption and all this stuff, right? And they don't necessarily have very strong ties to that community. And yet, they are trying to stay alive and produce food. And these things are coming to them saying that we can 3x what you produce now, or we can do this, and we can do that, and the cost will be way little. And yeah, the Cambridge researchers suggest that ethical hackers should help companies uncover any security failings during the development phase.

Graham

Well, that sounds like a good idea, but will an ethical hacker have access to some multi-million pound tractor of death in order to find out if the vulnerability is there?

Carole

Yeah, if they do get access to it, then I think that's when they say, hello, I got in. Yeah, but you might need one in your backyard to tinker around with it, find out where the problems are. Are the companies, are the agricultural companies going to actually bring in ethical hackers and say, look, we want you to try and break this. Here you go. Here's the equipment. See what you can do. Yeah, it seems to me that whatever works, it's all of the above, basically. Because if food supply isn't a national security issue, then I don't know what is.

Mark

Yeah, because it's super important to us all. And well, not for Graham right now, but you know. Even if you're a self-interested government, you know, people aren't going to miss too many meals before they start rioting. But we seem to be doomed to repeat the same cycle with each form of new tech. So there's always a gold rush. Yes. Well, thank you for that very fun end.

Carole

Do you know what assets are connected to your network? Most organizations don't. For your security program to be effective, you need an inventory of all your devices so you can make critical decisions fast. Well, Rumble was made by the creator of Metasploit, which explains why it finds many devices that other solutions miss, including orphaned machines running outdated operating systems. Quickly find systems affected by the latest security news. Just think of Log4J, SolarWinds and Kaspersky. It can even tell you which machines are missing endpoint protection from your local network all the way to the cloud. Sign up for a free trial and build your asset inventory in minutes. Get your trial at rumble.run. That's rumble.run. And thanks to Rumble for supporting the show.

Graham

So we all know that users these days sometimes have to connect from an unsecured network using any device they have at hand. And companies have no control over the device, applications, clouds, and the infrastructure that connects it all together. This rapid shift in online work created security gaps that bad actors use to the full. And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen. This is why you need to check out GoodAccess. This is a global company based in the Czech Republic with a proven 10-year track record. They are a bunch of security enthusiasts dedicated to delivering anytime, anywhere secure remote access for small and medium-sized businesses worldwide. And this begins with a free GoodAccess starter product for unlimited usage by up to 100 employees. Yes, you heard right, 100 employees. Learn more at smashingsecurity.com forward slash GoodAccess. And big thank yous to GoodAccess for sponsoring the show.

Carole

Kolide sends employees important, timely and relevant security recommendations to their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organisations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide. That's smashingsecurity.com slash K-O-L-I-D-E. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com slash kolide, and thanks to Kolide for supporting the show. And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week! Pick of the Week! Pick of the Week is the part of the show where everyone chooses something. Well, that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Please don't be. I don't even know which one this is. I'm going to zhush. I'm going to, oh, what can I do to make this interesting?

Graham

No, no. On this occasion, you announced your intention to marry a horse. And I was reminded of this. It did make for an interesting evening. I was browsing the internet. This was even

Carole

Before the internet got crazy about that. I think I just did it just to have a philosophical argument of why would that be a bad idea.

Graham

I'd like to introduce you all to Bernard. I'm sorry for his table manners.

Mark

Anyway, so... Have you discovered a website?

Graham

Sadly not. I haven't found the horse dating website. Yeah, that's what I meant. Rule 34. I bet it exists. But what I did find is something that's going on in Iceland, where they have a campaign called OutHorse Your Email. So rather than outsource, you see what they did there? So rather than outsource your email. So the idea is this: they want Icelandic horses to help people with their out-of-office messages when they go on vacation, because it can be very stressful creating an out-of-office message. And so what they've done in Iceland is they have trained three horses to write your out-of-office message for you. They created a giant keyboard, which the horses stride across, creating the words. The words?

Carole

The words? Do you think words is the right? Well, they're written in horse-ish, you know. They're not written in English or Icelandic. Let's not stress the horses too much.

Mark

Is that just because it's in Icelandic? It might be. Maybe it is Icelandic. Maybe that's why I don't understand it. I don't know.

Carole

I think you're losing your mind slowly, Cluley.

Mark

Well, it's one of the effects of some of the activities we talked about earlier. Mark, what's your pick of the week? So mine is bees. So while we're busy working out how to live on the smaller patch of the earth that's liveable and farming it with robots that are all going to kill us, you may have noticed that there are fewer bees and people are a bit worried about this. And I was a bit worried about this a few years ago. So I thought, well, is there anything I can do in my garden that will help the bees? And I came across something called a Bee Guardian scheme by Mason Bees UK. And the Bee Guardian scheme is a scheme to promote mason bees. And mason bees are solitary bees, so they don't make honey. And they're very, very good pollinators. And they're the sorts of bees that we should be encouraging. So actually, you know, when we say there aren't enough bees, there's more than enough honeybees. Plenty of honeybees, okay? That's an industrial business. But the other kind of bees we need more of. And so what you do is you pay them some money, so I think you pay them about 70 pounds to join the scheme, and they send you mason bee cocoons and cardboard tubes, which look a bit like a bug hotel. And the cocoons hatch, and the bees go out and find mates, and then they make new cocoons inside these tubes, and each tube will comfortably hold about 10 cocoons.

Carole

Wow.

Mark

And then at the end of the season you gather up your cardboard tubes, you send them back to Mason Bees UK, and they check them. So they soak them in water, they unfurl, they take out the cocoons, they check them for disease, they make sure everything's healthy, they remove any parasites. And then in the spring they return the same number of cocoons that you bought in the first place. In the spring, they return cocoons to you, but they only return sort of 50 or so, as many as they sent you in the first instance. And the rest is used to propagate the scheme so that other people can join. So your excess bees each year go to new people.

Carole

Oh, that's very cool. Once you've signed up for the scheme, you never have to pay for it again. So year after year, as long as you send them the tubes, they will send you the cocoons in the spring. What a cool idea to buy it for school as well. That's super clever.

Mark

Well, I did mention it for the credit.

Carole

Mark, the hero.

Graham

It does seem rather more worthy than my Icelandic horses writing my out-of-office email messages. Don't

Carole

Mine's not worthy. Okay, Carole, what's your pick of the week? Mine is for my fellow lovers of audio dramas. So, Graham, feel free to snooze. So BBC Four, one of the most consistent producers of high-calibre audio dramas that I've come across anyway, have a podcast called Limelight. And in this podcast, you can find a meaty handful of drama serials, right? Each about four to six episodes long. They all seem to have a thriller element to them. They're the ones that I certainly have listened to. So, so far, my favourite is called Who is Aldrich Kemp? And the plot is just so wonderfully crazy, okay? Secret service researcher and excellent fencer Clara Page, played by Phoebe Fox, is sent to find Aldrich Kemp, who is the leader of an underground criminal gang. It's written by Julian Simpson, who's fantastic, and he takes full advantage that they're on radio, right? Because, you know, they drop people from a helicopter on skis, or a mountain lair is blown up, or a baddie decides to kill enemies, right? And if this was a film, that would cost millions. But because it's audio, it was apparently recorded on location in Brighton. As the Guardian says, "for one imagines a budget that would struggle to get into four figures." The mind pictures are fabulous. So, there are loads of other great dramas available on it. There's maybe about 10 or 12 at the moment. So, if you have a monotonous task out there and you want to be entertained, you can check out the Limelight podcast wherever you get your podcasts from. And that's my pick of the week. I have a question. Yes.

Mark

It's just that I feel like I have managed to get through life thus far without needing to call upon any sword fighting skills.

Carole

Yeah, but you probably have used the internet in ways that you wouldn't want recorded. So, you know, swings and roundabouts. Wow, wow. Lovely way to treat the guest, Carole.

Mark

You can find my webcam on Google Drive, but if you can't find that, you can find me on Twitter at Mark Stockley. And you can follow us on Twitter at SmashinSecurity, no G, Twitter wouldn't let us have a G, and there's also the Smashing Security subreddit. You can also give us a 5-star review in iTunes or Apple Podcasts or Podchaser or wherever you can leave reviews. And don't forget to ensure that you never miss another episode. And huge thank you to this episode's sponsors, Kolide, GoodAccess and Rumble. And to our wonderful Patreon community.

Graham

Until next time, cheerio. Bye bye, bye bye. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Mark Stockley:

Show notes:

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: GoodAccess

GoodAccess – Free Business Cloud VPN for up to 100 Users.

Get a cloud VPN with strong network encryption and unprecedented online threat protection. No hardware. 100% free. Just create your team and enjoy GoodAccess forever.

Check it out now at smashingsecurity.com/goodaccess.

Sponsor: Rumble

Rumble, made by the creator of Metasploit, finds many devices connected to your network that other solutions miss, including orphaned machines running outdated operating systems.

It can even tell you which machines are missing endpoint protection, from your local network to the cloud.

Sign up for a free trial and build your asset inventory in minutes. Get your trial at www.rumble.run

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
