
Carole’s in her sick bed, which leaves Graham in charge of the good ship “Smashing Security” as it navigates the choppy seas of credential stuffing and avoids the swirling waters of apps being sloppy with sensitive information.
Find out more in this latest edition of the “Smashing Security” podcast, hosted by Graham Cluley with special guest BJ Mendelson.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Anything with him when he's not punching people in the face tends to be bad.
Are you telling me Sylvester Stallone doesn't punch anyone in the face in Tulsa?
He does and it's wonderful. Okay, I see. All right. That's how you know it's good because the good ones are the ones where he punches people. Yes, exactly. I understand. That's the barometer.
Hello, hello, and welcome to Smashing Security, episode 305. My name's Graham Cluley. Yes, they do. What have you done with her? I'm a poor substitute for all the wonderful things that she does on this show. But I'll do my best. So I should explain to the listeners, Carole, unfortunately, is laid up in her sick bed with ailments, which I could describe to you, but frankly, I don't want to put you off your dinner. So maybe I'll let her fill in the gaps if she returns to the show next week and if she's in a healthy way. Well, this could be your audition piece. Maybe we don't need Carole anymore. You know, maybe we don't. Well, I mean, the Stupid Sexy Privacy is only 24 episodes so there's always room in schedule.
You're a pro so you've already plugged your own endeavor. Tell us more.
Stupid Sexy Privacy. So like the Simpsons joke, stupid, sexy Flanders, because I know my audience well, right? And I know that they will get and appreciate the Simpsons reference.
So what is Stupid, Sexy Privacy about?
Yeah, we just wanted to make this stuff as simple as possible. So for example, why you should use a YubiKey and where to get one. Like these are things that people listening to the show, if you don't have a YubiKey, I'd be shocked, right? Some kind of hardware authentication token, but there is a severe knowledge gap, particularly in the United States, about securing your data and how to protect it and how to keep private. So we wanted to make it as stupid and as simple as possible so that anybody listening could do it, including me.
Well, I'm stupid and simple, and I've been enjoying the episodes which I've listened to. So it's working in that regard. But before we kick off, let's thank this week's sponsors, Bitwarden, ManageEngine, and DigiCert. Their support helps us give you folks the show for free. Now, coming up on today's show, this is the bit Carole normally does. Coming up on today's show, Graham, what have you got? Oh, thank you for asking, Carole. I'm going to be talking about a police raid which could have gone very wrong. BJ, what are you going to talk to us about?
I'm going to talk about a company getting hoisted on its own petard.
Well, all this and much more coming up on this episode of Smashing Security. Now, chums, let me tell you a story. Let me tell you a story about the police. Police in America. Oh, I really don't like where this is going. Well, because it's in America. Exactly.
You said police in America. Immediately, a warning light started flashing over my head.
Police in many countries do get a bit of a bad... I mean, I'm sure there are nice police people out there. There's a lot of bad stuff out there as well, isn't there, unfortunately?
I look at, you know, my dad was a teacher for about 40 years. And there are terrific teachers. And then there are god-awful teachers that you will hate for the rest of your life. Being a police officer, it sort of has that dichotomy. Just here in the United States, they seem to be more on the bad side than the good side.
Well, this is not a story about police being awful. This is a story about how police in Southern California last September arrested more than 600 suspected sex offenders. Yeah, it was one of the largest raids there'd been in years. It involved over 64 agencies and an operation called Protect the Innocent. And it was specifically targeting people who were involved in possession distribution, creation of child sexual abuse material. So obviously we want those bad guys rounded up.
Right. Let me ask you, though, could they have come up with a better name? Because this sounds like an issue of Batman more than it does a serious police matter where 600 people were arrested. Protect the Innocent. Okay. I think I saw that in theaters. What phase of the Marvel Cinematic Universe is that?
Well, it could be something like that, couldn't it? Yes, it could be Avengers Protect the Innocent. I mean, it must be difficult for the police to come up with new code names all the time for their operations. I don't know how they... I mean, we have a hard enough time naming our hurricanes, don't we?
That's right. Well, we're running out of names in the English dictionary.
Anyway, it must be complicated to manage and coordinate a multi-agency raid involving 64 agencies. Can you imagine the Zoom calls? It's hard enough, as we found today, getting three people to show up for the podcast, let alone people from different law enforcement agencies and police departments, getting everyone lined up. And this is what we're going to do. And this is when we're going to knock on the door and make sure that we all do it at the right time. And we've got all the information we need. So it's no surprise that the authorities like to use tech. They like to use technology to share information before a raid and help us coordinate.
I have to say, though, that there is a non-zero chance that someone joined that Zoom call in their pyjamas, right? Or at least from the bed.
I like to think that policemen actually wear police pyjamas as well.
Paw Patrol is huge with the kids, so I could easily see some Paw Patrol-wearing officers that joined the Zoom call.
So according to the journalists at Wired magazine, the LA police did use technology. They used an app. In fact, I don't quite understand this. They used a free trial of an app. Were they not prepared to pay the 99 cents in the app store? I don't know. But anyway, they used a free trial of an app called Sweep Wizard. So yes, there are wizards. Sorry, obviously there are wizards.
There are. There could be wizards involved. They're notoriously slow, though.
There are apps out there which help you, or at least help the police, organise raids to round up the bad guys, right? I doubt they sell for 99 cents. Well, maybe. Maybe you have to buy a subscription. I don't know, depending on how many agencies are involved. Anyway, the raids last September were a big success. They arrested hundreds of people, including over 100 for possession, distribution, and manufacture of child sexual abuse material. They contacted over 500 targets. There was a lot which they did with this. And so, you know, that's all good news, right? These people have been rounded up. They're going to be questioned. Hopefully, if they're guilty, they'll be brought to justice.
Let me ask you real quick. So, 99 cents in the app store for the premium version of Sweep Wizard. Do they do the arrests for them?
That's right. Maybe it's downloadable content. Maybe it's an add-on if you want that to happen as well. I'm not sure. That's maybe when the real wizards actually get involved with Sweep Wizard. So, what the cops didn't know, however, was that this Sweep Wizard app, which they were trying out and they'd been relying upon wasn't perhaps quite as good as they might have hoped. Because it was leaking confidential information about the raid to anybody on the internet. No password required. All you had to do to find out information about the raid was simply visit a specific URL on the Sweep Wizard website. It didn't authenticate, it didn't ask for a password nothing at all.
Oh, wow. I wish that there was a video component just so you could see the lack of surprise on my face.
Well, maybe we'll tweet one later. We'll get a screen grab of you looking shocked. So if you went to one of these URLs, you could find out private information about the suspects, as well as sensitive details that maybe in the wrong hands could tip off the suspects as to when exactly their house was going to be raided. And also it would obviously cast suspicion on people who hadn't yet been convicted of anything. Because anyone could go there and say, oh, Bob down the road is obviously a wrong one. Because he's been rounded up by the cops. So the Sweep Wizard app is built by a company called, unpretentiously, Odin Intelligence.
Now wait, isn't Odin the name of the security agency that's a rival to ISIS in Cartoon Archer? I've never seen Archer. Archer is terrific, but I could swear Odin is the name of the inept security company that they're always competing with. So that's kind of perfect here.
Oh, so it's an incompetent organisation, is it? In Archer. I didn't know. Okay, I'm going to have to watch it. Now, Sweep Wizard didn't just leak information about the Protect the Innocent raid, which happened last September. It had also been leaking confidential details from about 200 other raids that dozens of departments have organised over multiple years. So if you went to these URLs, you could find out details about the police officers, hundreds of them, thousands of suspects, the locations of suspects' homes, the time and location of raids. Their contact information, sometimes even the suspects' social security numbers. So as if someone wasn't having a bad enough day that they were being raided by the cops, you could also defraud them in other ways. That's right. Maybe they deserved it. Maybe they're guilty. But we don't know that yet, right? We have to assume that they're innocent. So in all, it looks like it exposed over 5,700 suspects. In some instances, it includes their height, their weight, their eye color, and even whether they were homeless or not.
Let me ask you really, so the information that's in the app, right? So this information is from, I'm assuming, across all 64 agencies. So we would think, right, that they were pretty sure on who they were targeting in this, we think.
I suppose so. But I think it's anyone who they just wanted to bring in for questioning. I'm sure some of them, they were pretty certain these are people who we've got lots of evidence on. But others may simply have been, well, we think he seems to be associated with these guys. Maybe we should bring him in and have a little bit of a chat and see if there's more to come. But all of this information wasn't being protected. It was being understandably exchanged with the other agencies. That's right. It was just sitting on a cloud drive somewhere.
Did you ever see Zero Dark Thirty? Oh, yeah, yeah, yeah, yeah. So, and basically, there's paperwork that got lost for 15 years or whatever, and they just fished it out. And they're like, oh, that's where Bin Laden's been this whole time. That sort of reminds me of this, right? Where it's like, well, I guess there's 5,700 suspects. We're not really sure, but, you know, maybe.
And all of this was because of simple misconfiguration in the app. So the app, it appears, wasn't properly testing whether the users were authenticated or not. There was no authentication check, which meant that anyone could go to this URL and find all this information. Now, the police knew nothing about this problem until Wired magazine contacted them. And obviously the cops said they were concerned about this revelation. And they said specifically, we don't want people to know when and if we're coming to get them.
That kind of defeats the purpose of police sirens, doesn't it?
Well, I don't know. Well, BJ, I don't know if you've ever been the subject of a surprise raid. Not yet. I suspect. It may happen in a moment now. You may get swatted while you're on the podcast. But I suspect they aren't playing the sirens if they're trying to actually catch you. Maybe if you're on a car chase, they would. You're giving the LAPD too much credit. Am I? I think. Well, they have since suspended the use of the app, so they're no longer using Sweep Wizard. You know, I don't think they are primarily to blame for this. I think the people we should be complaining about are Odin Intelligence, who appear to be as incompetent as their fictional namesake on Archer. So they declined to be interviewed by Wired, but they said in a statement, and this reassured me a great deal actually when they said this, I thought, oh well, that's fair enough then. They said that they take security very seriously, and I thought, oh, finally, a company which says they take security very seriously. That's all right then. That's all fixed. They also said that they'd been unable to reproduce the problem which Wired had reported on. But their website's no longer accessible. Their app has been removed from the Google Play Store and the Apple App Store. And it actually turns out that Odin Intelligence have got other problems, because just a day or two after this Wired story came out, its website was defaced with some rather abusive ASCII art. So some hackers got in and they said that all cybercops are bastards. A bit mean of them, I think. But obviously, Odin Intelligence aren't being that smart when it comes to their own security. Well, I mean, it's funny because Odin is supposed to be the one that sees everything. Right. Is Anthony Hopkins Odin in those Thor movies? Oh, yes. He's Odin, right. Well, there you are. Anthony Hopkins. Oh, Anthony Hopkins. Oh, lovely. I just have to say, Anthony Hopkins seems to be at the stage of his career where he'll do anything for money. Totally.
That's a good point, actually. They could have got him on the answering machine.
The Welsh accent is notoriously hard. It is. It's beautiful, but it's notoriously hard to reproduce.
It's a very dangerous path to tread, can I tell you. I don't know if I told this story before, because it's been a while since I've been on the show. But I remember my first time going to the United Kingdom and passing through Heathrow. Oh yeah, lots of double L's and X everywhere, yes. And so he just looks at me and goes, you're going to Wales? I'm like, yes. BJ what story have you got for us this week?
Yes so this requires some time travel to go back. I don't know if they were big in the UK but in the early 2000s and even the early 10s I guess is what we're calling the previous decade, there was a company called LifeLock. It's normally either a dumb password choice or, more commonly, password reuse. And that seems to be what happened in the Norton LifeLock situation, is that a whole bunch of usernames and passwords were stolen from who knows where, some other site, not from Norton LifeLock. And then they were used to try and unlock accounts at Norton LifeLock. And for those users who hadn't enabled multi-factor authentication, obviously those credentials were enough to get them in. So my question is, why wasn't Norton LifeLock enabling two-factor authentication by default? Surely that would have – if Norton LifeLock is storing really sensitive information, including people's passwords, then you need an additional level of protection than just a dumb password to protect that account.
I'm convinced that most of these companies, and this is a great advertisement for Bitwarden, and some of the others who are pretty good, they've got a good reputation. But then I look at something Norton, who should know better, and has been around forever. I'm convinced that it's just, at this point, they're cashing checks, and they're not really taking this stuff seriously.
Yeah, I mean, the thing is with the Norton name, Norton has been around for 30-odd years, you know, in different forms. But, of course, it's no longer Peter Norton with his crossed arms who's running the company. That brand name has been sold on and on and on from different companies and different organizations. And it's now part of this big security conglomerate. The overarching parent company is called Gen Digital, and they also own Avast and Avira, I think, and CCleaner as well as Norton. You know, there may be some very smart people working there, but there's probably resistance from inside maybe the product team or the marketing team saying, well, yes, of course it would make sense to make two-factor authentication mandatory, but it's going to really piss off our customers because it's going to be a nuisance. They're going to say, oh, well, why do I have to type this six-digit number in? Or why do I have to do this? It's suddenly become more difficult to use. And there's always that battle, isn't there, between ease of use and security. And it feels on this case, the people arguing for it should be easier won to the detriment of securing those accounts.
Absolutely. To me, it's just sort of mind-boggling, too, because this is the thing you sell, right? This is the service you sell, and for you to not be using it tells me not to use your product. I can't think of a more clear – this is true of any tech company, right? If they're not using their own product in-house, you should avoid them.
I'm probably not feeling quite as – I don't want to beat them up quite as much as maybe you do on this. I mean, I think this isn't as catastrophic as what we saw at LastPass. Yes, yes, that's right. That's true. Where they were breached and there were design issues in how LastPass had done it. And maybe they were warned years ago about some of the problems which they experienced. In the case of Norton LifeLock, it does feel like maybe they could have gone a few extra steps to better protect their customer base. From what was, as you said, a credential stuffing attack. There was someone else who got hacked, not them, which led to this happening. Yes. And these credentials being flung at their login pages. But they could have done rate limiting. They could have looked for suspicious behavior. You know, when you're protecting passwords, you've really got to go the extra mile, I think.
Absolutely. And, you know, the reason why Stupid, Sexy Privacy exists in the first place is that people don't want to think about this stuff. They just want to know that they're secure. And so it's, to me, partly the responsibility of these companies to take that extra step for people. Because I think that privacy and security is complicated, right? And so if I'm paying for a solution like Norton LifeLock, then my expectation is that you're going to kind of take that complexity out of my life into yours. And so I'm always disappointed because I just feel like, you know, until we get to the point where my generation and younger are taking privacy and security a bit more seriously than we do, you know, that extra layer of protection just needs to come from the companies. And clearly, in this case, it wasn't there.
Yep. Afraid not. Dear, oh dear. So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass. Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted. There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state. But one password manager that isn't making that mistake is our sponsor Bitwarden. Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including, unlike LastPass, the URLs for the websites which you have saved passwords for. You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy. And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy. They support importing from lots of other solutions. And there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate. And stay safe.
You've probably heard that organizations are experiencing increased pressure to manage digital trust at scale across multiple functions in IT. The problem is many have a lack of centralized visibility and control. And this is why companies are looking for a unified digital trust strategy. Enter DigiCert, Trust Lifecycle Manager. The Trust Lifecycle Manager from DigiCert sets a new bar for unified management of digital trust. DigiCert Trust Lifecycle Manager is a full-stack solution that unifies CA-agnostic certificate management, private PKI services, and public trust issuance for seamless digital trust infrastructure. Find out how you can implement a full-stack solution in a single pane of glass that offers superior performance, handling and automation with a single vendor accountability. All you got to do is visit smashingsecurity.com/digicert. That's smashingsecurity.com/digicert. And thanks to DigiCert for sponsoring the show.
Hacks are happening all the time. Databases are being breached. And as we know, 80% of all breaches happen when passwords are compromised, stolen or abused. An efficient way to combat threats like these is using a Privileged Access Management Solution, or PAM. An enterprise PAM tool like ManageEngine PAM360 offers a holistic picture of all the privileged devices, users and credentials in your IT infrastructure. ManageEngine comes from Zoho, which offers IT management solutions to over 280,000 enterprises around the world, so you're in safe hands. ManageEngine PAM360 is a fully functional privileged access management suite, easy to adopt and implement. From managing and governing access to all your enterprise resources to automating the access management lifecycle in your organization, PAM360 does it all. And they offer great support for businesses looking to do this without making a dent in your IT budget. Learn more for yourself about ManageEngine PAM360 at smashingsecurity.com/PAM360. That's smashingsecurity.com/PAM360.
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Good man. I remember. It's been a few years. It's been three years, but you remember you have to say Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Oh, but it could be.
Oh, it could. Good. You may have heard that a chap called Elon Musk is busy breaking Twitter. Oh, yeah. His most recent...
Oh, I don't even... I don't know where
To start with this one. His most recent crazy decision is to start blocking the third-party apps which actually make Twitter usable. Things like Twitterific and Tweetbot and all of those things. He wants you to use the official Twitter app because that is festooned with ads. And its algorithm keeps on recommending that you follow vaccine deniers and conspiracy theorists. Far-right politicians.
If you like Nazis, Twitter is for you.
Yeah. It's such a turnaround because Twitter used to be such a, well, it was never a lovely place. There were plenty of arguments going on, but it was seen as sort of the liberal social media place.
You know, it reminds me a lot of if Elon Musk purchased hell, right? And then walked in and said, this is fine, but how can I make it worse?
Well, he is making it worse because he's blocking all these third-party apps. I can understand for a moment his very simplistic thinking on this. He's thinking, the more people I get to use the official app, the more people will eyeball the ads which we're making money from. The problem is that Twitter isn't just about the technology. Twitter is actually about people and content producers, people who are actually posting interesting things. And the biggest users of Twitter are, I would suspect, people who aren't using the official Twitter app. They've gone to the effort of finding a better app to use Twitter. They're making the content which people want to read on Twitter. So stopping all of those people suddenly overnight from accessing Twitter,
Not a good idea. No, you know, what's funny too is that I've been using Twitter since 2007, right? I was part of that initial Vanguard. And there has always been TweetDeck and services that people have preferred to use over the main app. It's funny because I always thought it'd be a matter of time before they clamped down on it. It's just interesting that it had to happen under this guy of all people. You know what I saw?
I saw one person suggest what Elon Musk should have done. I'm sure he listens to the show. So here's a tip from us. What he should have done is this Twitter blue subscription thing he's trying to get us to pay for, you know, a way of paying $9 a month to prove that we're idiotic enough to care about a blue little badge. If he'd said one of the benefits is you will be able to use third party apps. Yes. I might have even actually been prepared to sign up. Maybe. Maybe. I'm not sure. Maybe. Maybe not.
So I'm torn on the Twitter blue thing, right? So I've always had the legacy checkmark since 2013. So all of the features that he's now making available to people, I was okay, that part is fine. But $12, if you're an iOS user because he doesn't want to pay the tax, seems kind of outrageous to me. The other thing is that, and I'm just putting my marketing hat on for a second, Twitter ads have always been terrible. I can think of maybe one or two instances since 2007 where I can point to and say, wow, that did really well. That was a Twitter ad campaign. But now, not only are you putting money into a service that doesn't really perform well, but you're now actively saying, I support Nazis by running ads. So even if Twitter Blue allowed you that third-party access, I would still be a little hesitant to give this guy my money, you know?
Anyway, I know that Carole will be listening to this, and she'll be very frustrated that I've hijacked the Pick of the Week section to talk about Twitter. The reason why is that my Pick of the Week is not Elon Musk being an idiot. My Pick of the Week is an app called Spring. Spring is a highly customisable third-party Twitter app, which is available for iPhone, iPad and the Apple Mac. And it hasn't been shut down yet. And I have to say, I really like it. You don't get the ads. You don't get the promoted posts. You don't get the ghastliness of recommendations as to who to follow, which you really don't want. But this app is, oh, if only the official Twitter app were this. It's really good. And they've also produced one for Mastodon as well. So that's in beta at the moment. So I'm on Mastodon. I'm a big fan. I like Mastodon. I like the idea of it, and it's working well.
I think the biggest issue with Mastodon is not telling people, just pointing them right to Mastodon.social. I feel that would have solved 90% of the onboarding problems for them. But yeah, I've enjoyed it so far. Do you like it? How long have you made the switch over?
Oh, I switched over a few years ago. But I wasn't using it very much because there was no one up there. Now, that's all changed in the last few months. And I have switched occasionally from instance to instance because, frankly, the one I was on just got so clogged down and slow when there was this huge migration of people to Mastodon from Twitter when Elon Musk took over Twitter. So I have changed from time to time. But now I'm more active on Mastodon than I am on Twitter. And I find it more interesting and more useful and just a nicer conversation.
It's so much more calmer than Twitter. Because I feel any second on Twitter, there's someone waiting to take what you said out of context to make some obtuse point. And Mastodon, so far anyway, I feel if I post something, I get much more thoughtful responses. So that's been nice.
And I've got far, far fewer followers on Mastodon than I'd have on Twitter, but I get more engagement on Mastodon. Isn't that interesting?
Yes. Well, I mean, Twitter's always been filled with bots. I mean, it's been filled with bots since at least 2009 with the whole Ashton Kutcher Oprah thing, for people that remember. But yeah, so far, Mastodon, it doesn't seem to have that problem yet.
Not yet. I'm sure it will come as it grows in popularity. Anyway, my pick of the week is the Spring app for iOS and Apple Mac. If you do become a customer of Spring, so I paid them, I don't know, $9 or whatever it was, then you can also get an early access to Mona, their app for Mastodon, which looks identical, works brilliantly so far. So I'm really impressed. And that is my pick of the week. So BJ, what's your pick of the week?
Well, I tend to watch bad television. And the reason why is simply just to escape the hell world that we live in. And so I was pleasantly surprised by Tulsa King. It's this goofy little gangster show with Sylvester Stallone. And anything with him when he's not punching people in the face tends to be bad, right? You can track good Sylvester Stallone content based on how often he punches someone in the face. Are you—
Telling me Sylvester Stallone doesn't punch anyone in the face in Tulsa King?
Oh, he does. And it's wonderful.
Oh, I see. All right. That's how you know it's good. Oh, the good ones are the ones where he punches people. Yes, exactly. I understand. Right.
That's the barometer. So if you watch something with Sylvester Stallone, if he does not punch someone in the first 10, 15 minutes, you can turn it off. In this, he knocks someone right out in the first episode. It's terrific. So you know you're in for a good time. And so, you know, I'm always looking for these little escapes. The juxtaposition of the American West with this old school gangster who looks like he rolled out a 1980s mobster flick is just terrific.
So explain to me the premise of Tulsa King, because I've never heard of this before. What's it about?
So, Sylvester Stallone is a mobster who just served almost 30 years in prison and he's released. And when he comes out, the mob that he was a part of is completely different. They don't know what to do with him. So, basically, on a lark, just to get rid of him, they're like, why don't you go out to Tulsa? So he goes there. And you have this character who does not belong there, is right out of Brooklyn in 1980s interacting with the things you would come to expect with Oklahoma and just the juxtaposition of it is very funny, it's very entertaining, the characters are terrific. Guilfoyle from Silicon Valley, he's also in there and there's actually a nice— there's a really nice just to tie all back together to the show. In the season finale, he makes a reference to most hacks occur because of poor security hygiene. And I thought that was really nice and really, really great to hear in a TV show because that was just a really smart observation about security in general. But I can't say enough good things about it. If you're looking for a little bit of an escape, you know, if you don't have access to it, use a VPN to access. I don't know what the global restrictions are, which to me is stupid. This is one planet. Let's all enjoy our content together. But if you can't access it, please use a VPN to go and check it out.
Terrific! Well that just about wraps up the show for this week. BJ, thank you very much for being our Carole Theriault clone under these unusual circumstances. Hopefully Carole will be back next week but really appreciate you stepping in, it's terrific. I'm sure lots of our listeners would love to hear more about Stupid Sexy Privacy, your podcast and the other things which are up to. What's the best way for folks to do that?
Oh just visiting stupidsexyprivacy.com. It's available where all podcasts can be found but as you know podcast discovery is a bit of a pain so I just send people to Stupid Sexy Privacy. It's a 24 episode mini series which is why we gladly promote Smashing Security throughout the show because our time on the topic will end with episode 24 but we always prefer people come and listen to this show and listen to yourself. But yeah it's just— we want to make this as simple as possible when it comes to privacy because it's so much of the discussions on a high intellectual level we wanted to bring it down into the dirt where everyone can enjoy it.
Fantastic. Well, thank you very much for that. And you, if you are a Nazi, you can follow us on Twitter at @SmashinSecurity. No G, Twitter, not a G. We also have a Mastodon account. The easiest way to find it is to go to smashingsecurity.com/mastodon and that'll take you straight there. And you can also look up the Smashing Security subreddit as well. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Google Podcasts. Thanks as well to our episode sponsors, Bitwarden, DigiCert, and ManageEngine PAM360, and to our lovely supporters on Patreon and Apple Podcasts as well. Thanks to them, this show is free. For episode show notes, sponsorship information, guest lists, and much, much more, check out smashingsecurity.com. Until next time, cheerio, bye-bye. Farewell. Toodaloo. Pip-pip.
Pip-pip, that's nice. I haven't heard that in forever. Yeah, we need a bit more of that. Pip-pip. Pip-pip.
Host: Graham Cluley
Guest: BJ Mendelson – @bjmendelson
Episode links:
- Operation Protect the Innocent – LA Police Department.
- A Police App Exposed Secret Details About Raids and Suspects – Wired.
- ODIN Intelligence website is defaced as hackers claim breach – TechCrunch.
- Norton LifeLock says thousands of customer accounts breached – TechCrunch.
- Ugh! Norton LifeLock password manager accounts accessed by hackers – Graham Cluley.
- Reports: Twitter’s sudden third-party client lockouts were intentional – Ars Technica.
- Spring app – Twitter.
- Spring app – Mac App Store.
- Mona app – Mastodon.
- Tulsa King trailer – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
- ManageEngine PAM360 – A fully functional privileged access management suite that offers a holistic picture of all the privileged devices, users, and credentials in the IT infrastructure. From managing and governing access to all your enterprise resources to automating the access management life cycle in your organization, PAM360 does it all.
- DigiCert – DigiCert’s Trust Lifecycle Manager sets a new bar for unified management of digital trust.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.