It could be a case of aCropalypse now for Google Pixel users, there’s a warning for house buyers, and just why is TikTok being singled out for privacy concerns?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
Thom, are you still there? Are you busy right now?
I'm busy contacting all my friends on Android, pointing and laughing.
Smashing Security, episode 314. Photo cropping bombshell, TikTok debates, and real estate scams. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 314. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 314. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined this week by a special guest, very special.
None other than Host Unknown's—
Sole founder.
I was going to say, yes, I was going to say main host, one of the hosts from Host Unknown, Thom Langford.
That's right, it is me. This is not Javad Malik or Andrew Agnes. This is Thom Langford, sole founder. I know you don't have the other two on very often because they're a bit crap.
But I'm back.
But I'm back.
They just have jobs. They're busy. They're very busy people. You know, we screwed up last week.
I got a few emails from irate Canadians complaining that you don't know where Vancouver is.
I got a few emails from irate Canadians complaining that you don't know where Vancouver is.
Oh.
Because you said East Coast instead of West Coast, and I didn't spot it even in the edit. So apologies to all my people. I just don't listen to Graham very often.
I just— Yeah, there were some complaints from my end. Of course I know it's on the West. I can't believe I said East.
Yeah.
Vancouver sounds like a Dutch vacuum cleaner. So it's in the cupboard, isn't it?
Oh my, so corny. The dad jokes galore.
Before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and Drata. It's their support that helps us give you the show for free.
Coming up today's show, Graham, what do you got?
Coming up today's show, Graham, what do you got?
Oh, I'm going to be telling you all about the Acropolis.
Ooh, okay. And Thom, what about you?
Well, I'm going back to an old favourite, TikTok. Woohoo!
Oh, good. And I'm going to be talking about how to buy a house in Lakewood, Colorado. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, it's 1974.
No, it's not.
It's the middle.
It's really not, Graham.
It's the middle of the Watergate crisis. You are Richard Nixon. And you have been ordered to produce transcripts of all the secret tapes you've been recording at the White House.
But you've got a problem. You've got a problem. Lots of rude words being used in the White House.
It turns out when people, you know, there's a lot of, you know, chuffing this and Jimmy Carter that. Libbity-jibbit. Yep. Belgium. Holy Zarquons singing fish.
All kinds of stuff is coming out. And oh, it's going to be so embarrassing if that gets out into the public domain, all those or that rude word. So what did they do?
They deleted the expletives. "Expletive deleted" was the phrase.
But you've got a problem. You've got a problem. Lots of rude words being used in the White House.
It turns out when people, you know, there's a lot of, you know, chuffing this and Jimmy Carter that. Libbity-jibbit. Yep. Belgium. Holy Zarquons singing fish.
All kinds of stuff is coming out. And oh, it's going to be so embarrassing if that gets out into the public domain, all those or that rude word. So what did they do?
They deleted the expletives. "Expletive deleted" was the phrase.
Redacted.
They redacted. And in the transcript, wherever it was a rude word, they didn't write the rude word. They wrote "expletive deleted" is what they wrote.
Someone should write a rap song with that. That's great.
Yeah, you could do, I suppose.
And as governments, agencies, businesses around the world, they all realise if you don't want a sensitive or embarrassing or awkward piece of information to be shared, in a document that you're posting online, redact it, right?
You should always be careful about what you share.
And as governments, agencies, businesses around the world, they all realise if you don't want a sensitive or embarrassing or awkward piece of information to be shared, in a document that you're posting online, redact it, right?
You should always be careful about what you share.
Yes.
And sometimes the redaction goes wrong.
So I remember a couple of times I've written about this, the UK's MoD, Ministry of Defence, have accidentally leaked secrets about radar defences and nuclear submarines because they publish PDFs online.
And the way in which they did them was they placed a little black bar over the words they didn't want there. And unfortunately, with a PDF editor, you could go in—
So I remember a couple of times I've written about this, the UK's MoD, Ministry of Defence, have accidentally leaked secrets about radar defences and nuclear submarines because they publish PDFs online.
And the way in which they did them was they placed a little black bar over the words they didn't want there. And unfortunately, with a PDF editor, you could go in—
Delete the black bar.
And delete the black bar and see the words beneath.
Select all. Can you do a search and replace for the black bars?
Maybe you can.
Replace with nothing.
Maybe you can. Maybe there's an unredact option. So yeah, so if you redact the wrong way, that doesn't work very well. Not a great idea.
And of course, it's also relevant for screenshots. It's not just documents. So a lot of people will pixelate out things, but black boxing—
And of course, it's also relevant for screenshots. It's not just documents. So a lot of people will pixelate out things, but black boxing—
This is nothing new. I had friends in high school that used to do this.
There'd be something on the bathroom wall about them, and they would be trying to erase it by using a marker or some pens or something on top of it.
And you could always often see through.
There'd be something on the bathroom wall about them, and they would be trying to erase it by using a marker or some pens or something on top of it.
And you could always often see through.
It makes perfect sense.
Yeah. Liquid paper was the stuff that you would—
With some determination, Carole, you could always find that phone number you were looking for.
If you were using liquid paper or Tipp-Ex on the computer monitor, Carole, that would obscure it for you, but not for other people. Just so you know, doesn't quite work like that.
Okay, thanks.
But some people try and pixelate, don't they? They pixelate the text. But boffins have created tools that can take pixelated images and unpixelate.
They can work out what the words are likely to be underneath. So those tools exist. So you should never really blur or swirl text.
They can work out what the words are likely to be underneath. So those tools exist. So you should never really blur or swirl text.
If you want to overwrite it in an image, you should, because it could always be unswirled.
It could be unswirled. And so much better, I would think, to cover it with random generated noise or just to cover the text with an opaque black bar in an image.
And then obviously don't save it as layers. So if it's a merged down flat image with a black bar and then no one can see what's going on underneath, right?
So if you do that, if you overwrite something with a black bar in an image, or if you crop out sensitive parts of the image. So imagine, Thom, you have an image of yourself.
Maybe you're a client. Maybe you want to show off your manly chest. You've been pumping iron.
And then obviously don't save it as layers. So if it's a merged down flat image with a black bar and then no one can see what's going on underneath, right?
So if you do that, if you overwrite something with a black bar in an image, or if you crop out sensitive parts of the image. So imagine, Thom, you have an image of yourself.
Maybe you're a client. Maybe you want to show off your manly chest. You've been pumping iron.
It has been known. My pink hairy vest with the two buttons.
And you know, you're pretty proud. Right, and you happen not to be wearing any trousers, okay?
Often, oftentimes. I mean, it's what, Tuesday today? So yes.
So you take a selfie. So you stick up your smartphone up in the air, you know, to give it—
Glad you qualified that.
Because you want—
You want an image from a good angle. It's not, you don't want to show any sort of— You never want to take an image from below your chin, do you?
You want to have it above your chin.
You want to have it above your chin.
You're doing the princess style face, you know, face down, eyes up, chin down.
So you're taking that image, but afterwards you think, oh, I have left a little bit too much in the image.
So what I'll do is I'll crop it, I'll crop it at my belly button, and then they'll just see my manly chest. They won't see anything which is going on beneath.
So what I'll do is I'll crop it, I'll crop it at my belly button, and then they'll just see my manly chest. They won't see anything which is going on beneath.
They won't see Mr. Pee-wee, right? Okay.
You would think that sharing that picture would be safe, wouldn't you?
Now, can I just ask where you're cropping this picture? So is this on an iPhone or it doesn't matter?
In this particular case, and this is why it wouldn't be Thom, because I know Thom absolutely loves Apple hardware.
In this particular case, it's happening on an Android Google Pixel smartphone using the default markup tool.
In this particular case, it's happening on an Android Google Pixel smartphone using the default markup tool.
Oh my God. It doesn't keep it in the metadata or something, does it?
Well, well, well.
Holy moly.
Okay, keep going. Tell us, tell us, tell us.
So.
I think someone in the show is sweating and it's not me. So, boffins.
That's brilliant. Discovered that there is a flaw in the standard tool used to edit images on Google Pixel phones. That makes the seemingly impossible be possible.
So this flaw, which they have called Acropalypse, which I think is— Got it.
So this flaw, which they have called Acropalypse, which I think is— Got it.
Very cute.
Let's give it a clap, right?
Yeah.
Hand clap. It's pretty good.
Yeah.
So it has made it possible to take a previously cropped image posted on the internet and at least partially recover what was cropped out of it.
Based on the metadata?
Not on the metadata.
No?
No, not specifically.
But some embedded data somewhere, right?
Exactly, exactly. So the metadata normally is the EXIF information as to when and where it was taken and what kind of camera and all of that guff, which we all know about.
But in this particular case, what markup does is if you edit an image and then resave it, the way in which it resaves its data is it says, is this new image shorter or taking up less data than the previous image?
And if that's the case, it won't truncate the entire file. It keeps whatever was there at the end still there. It's not visible in the image viewer.
So you think everything is fine, but there's still—
But in this particular case, what markup does is if you edit an image and then resave it, the way in which it resaves its data is it says, is this new image shorter or taking up less data than the previous image?
And if that's the case, it won't truncate the entire file. It keeps whatever was there at the end still there. It's not visible in the image viewer.
So you think everything is fine, but there's still—
Right, and you're thinking, here's a hot picture of me or titillating, you know, not, oh God.
So this works both with cropped images and also images where you've changed the image.
For instance, and this is what these two boffins, Simon Ahrens and David Buchanan, they are the ones who found this vulnerability.
They took an image which they found on Discord of someone who posted up a picture of their credit card saying, hey, look at me, I've got this new credit card.
And they'd blacked out the entire credit card number.
For instance, and this is what these two boffins, Simon Ahrens and David Buchanan, they are the ones who found this vulnerability.
They took an image which they found on Discord of someone who posted up a picture of their credit card saying, hey, look at me, I've got this new credit card.
And they'd blacked out the entire credit card number.
Right.
And they were able to recover it, find out what the credit card number was.
And they've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
And they've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
Thom, are you still there? Are you busy right now, or?
I'm busy contacting all my friends on Android, pointing and laughing. And then, what is it, the— That emoji with the purple fruited emoji.
The aubergine.
Aubergine, thank you. I could only think of the name that I was thinking of it of. But yeah, I'm just tweeting that to them.
So just imagine, right? It may not be that you're redacting your phone number. It may be that you've got a saucy snap.
Yeah.
It happened in an Austin Powers movie where Liz Hurley is there with a couple of watermelons. And Austin Powers has a great big teapot. And they're positioned in particular—
And then a sausage, and then whatever it was. Yeah.
A cushion and a—
Redact the teapot.
Well, no, you may have taken an image, an amusing image with an inflatable item or with a teapot or a chipolata or whatever it may be, covering your modesty.
And you could have shared it with someone. Isn't this funny? They can't see anything really. But now they could take that image and see what was there before.
And you could have shared it with someone. Isn't this funny? They can't see anything really. But now they could take that image and see what was there before.
Wow.
Ouch.
That does remind me a little bit of, you know, the Samsung moon shots that they do, the advert that's on telly at the moment. You can take these most amazing moon shots.
I don't know, what's all that about?
Yeah, so there's a Samsung advert on your mobile phone, you can take these amazing moon shots, and people who've got, you know, proper cameras and telescopes are saying, oh, give me your photo because it's so much better.
And it turns out that actually the moon shot that you took is basically artificially generated.
And they proved this by putting a blurry photo of the moon in a dark room taking a photo of it and getting a perfectly crisp picture of the moon back from the camera.
And it turns out that actually the moon shot that you took is basically artificially generated.
And they proved this by putting a blurry photo of the moon in a dark room taking a photo of it and getting a perfectly crisp picture of the moon back from the camera.
Wow.
Because they know what the moon looks like.
The moon looks the same wherever you are in the world, right? It doesn't spin. So yeah, great. Take some great shots of the moon, but they weren't taken by you.
Wow.
Unbelievable. Well, this flaw has existed on the Google Pixel phone with this markup tool for about 5 years.
Oh, there's a treasure trove out there. Are you sweating yet, Thom? No, I'm an iPhone guy.
Exactly. So the good news is Google's March 2023 security update fixes the flaw.
The bad news is that they haven't issued their March 2023 security update for some Pixel users yet, for some particular Pixel devices.
And people are already waiting for that update because there's another problem at the moment with Android.
Whereby if you know somebody's mobile phone number, that can be enough to hack their phone on particular devices because of the modem chipset.
So you do want to update your Google Android device. The worst news of all, though, is, as Thom suggested, Google hasn't invented a time machine to go back 5 years.
The bad news is that they haven't issued their March 2023 security update for some Pixel users yet, for some particular Pixel devices.
And people are already waiting for that update because there's another problem at the moment with Android.
Whereby if you know somebody's mobile phone number, that can be enough to hack their phone on particular devices because of the modem chipset.
So you do want to update your Google Android device. The worst news of all, though, is, as Thom suggested, Google hasn't invented a time machine to go back 5 years.
That's what I was just going to ask. Of course, they're not going to retro— yeah.
Because there's all those images out there already. It's too late. It's no longer under your control.
Well, I just want to shout out to all the people right now who are owning Google Pixel phones and are madly going through their pictures, deleting any that may—
I'm just reminded of that Simpsons character.
Ha ha! Oh. Not very friendly at all.
You saw all the grief we got from Canadian listeners last week. Now you've angered all the Android users.
They were right, come on. They were right, and it's more embarrassing for me than you, trust me.
Give me a coffee, guys. I agree.
Thom, what's your story for us this week?
So my story, we are going back to TikTok yet again. I mean, this seems to be the story that doesn't go away.
So TikTok, as I'm sure you will all know, is the favourite social media app of teenage children and middle-aged men, it would seem, mainly because the algorithm constantly delivers everything you want based upon what you watch.
So if you like, you know, nubile young people dancing and jiggling, then that's what you're going to get for the rest of your life until 3 AM when you start questioning your life choices, Javad and Andrew.
So TikTok, as I'm sure you will all know, is the favourite social media app of teenage children and middle-aged men, it would seem, mainly because the algorithm constantly delivers everything you want based upon what you watch.
So if you like, you know, nubile young people dancing and jiggling, then that's what you're going to get for the rest of your life until 3 AM when you start questioning your life choices, Javad and Andrew.
But I've heard that— I've heard in America alone, this is on New York Times podcast, The Daily, they are saying that 1 in 3 devices have it installed in the US.
Yeah, doesn't surprise me.
It's insane to me.
I've never used it.
No, I'm not.
Me neither.
I've never used it, partly because I don't have to. I get all the best content reposted onto my WhatsApp group with Jav and Andy mainly.
So, you know, I get the curated format, but it's insanely addictive.
I know my kids are on it and they use it, not to the extent that, you know, middle-aged men do, I must admit, you know, staying up until stupid hours.
But nonetheless, it's a very successful platform. It's, you know, lots of people have monetized on it and made a lot of money out of it, etc.
And of course, it's owned by a company in China, ByteDance, which makes that very, very sensitive.
Now, there have been a number of stories like this, but the most recent one, which I actually think is the company in question using a little bit of a diversionary tactic myself, is the BBC.
They have instructed all of their staff to remove TikTok from their company phones.
Presumably in response to the UK government saying all civil servants and anybody who works for UK government to remove TikTok from their company or organizational phones because there's this big thing about China snooping and using the app to track people, to track habits, to gather data, etc., etc., none of which has actually been proven.
In fact, you know, apart from the standard social media thing.
Now, the thing that gets me here, and I said, apart from the BBC's timing of let's put this out so that people will stop talking about Gary Lineker, but apart from the timing, it makes me feel— and we talk about this on the other security podcast, but the fact is TikTok is probably more benign than say Facebook and Instagram.
And Facebook and Instagram have been caught, well it's the same company, Meta, right? And even, you know, Google generally and, you know, even LinkedIn, etc., etc.
They have been caught multiple times with their hands in the tills of people's private data.
Twitter, for instance, gathered, this is a number of years ago, gathered everybody's mobile phone number under the premise of we will use this for two-factor authentication, we won't share it with anybody, this is purely for your security, and then sold those phone numbers and your personal data to third parties quite blatantly, paid the fine, moved on.
Nothing, nothing.
So, you know, I get the curated format, but it's insanely addictive.
I know my kids are on it and they use it, not to the extent that, you know, middle-aged men do, I must admit, you know, staying up until stupid hours.
But nonetheless, it's a very successful platform. It's, you know, lots of people have monetized on it and made a lot of money out of it, etc.
And of course, it's owned by a company in China, ByteDance, which makes that very, very sensitive.
Now, there have been a number of stories like this, but the most recent one, which I actually think is the company in question using a little bit of a diversionary tactic myself, is the BBC.
They have instructed all of their staff to remove TikTok from their company phones.
Presumably in response to the UK government saying all civil servants and anybody who works for UK government to remove TikTok from their company or organizational phones because there's this big thing about China snooping and using the app to track people, to track habits, to gather data, etc., etc., none of which has actually been proven.
In fact, you know, apart from the standard social media thing.
Now, the thing that gets me here, and I said, apart from the BBC's timing of let's put this out so that people will stop talking about Gary Lineker, but apart from the timing, it makes me feel— and we talk about this on the other security podcast, but the fact is TikTok is probably more benign than say Facebook and Instagram.
And Facebook and Instagram have been caught, well it's the same company, Meta, right? And even, you know, Google generally and, you know, even LinkedIn, etc., etc.
They have been caught multiple times with their hands in the tills of people's private data.
Twitter, for instance, gathered, this is a number of years ago, gathered everybody's mobile phone number under the premise of we will use this for two-factor authentication, we won't share it with anybody, this is purely for your security, and then sold those phone numbers and your personal data to third parties quite blatantly, paid the fine, moved on.
Nothing, nothing.
100%. But do you think, do you think it has anything to do with the political climate?
I think it's got everything to do with the political climate. Now I also think actually instructing people to remove TikTok from a company phone, there's nothing wrong with that.
Nothing wrong with that. You know, it's a company phone. You really should not be looking at all of that.
Nothing wrong with that. You know, it's a company phone. You really should not be looking at all of that.
Well, it's a big waste of time, isn't it?
It's a waste of time. You should be looking at all that jiggly wonder on your work emails.
But some companies would think that.
Yeah, I would be very, very keen to find out if they're also saying you must also remove LinkedIn and any Google product.
And yeah, Facebook and Instagram and all that sort of thing? I would put money on the fact that the vast majority of them don't.
You know, to be blunt, this smacks of politics generally and racism at the end of the day.
If it's not to do with the fact that they are a Chinese company, then why are you removing it when there are other products that are gathering the data far more openly and far more egregiously.
It's purely because they're a Chinese company.
And yeah, Facebook and Instagram and all that sort of thing? I would put money on the fact that the vast majority of them don't.
You know, to be blunt, this smacks of politics generally and racism at the end of the day.
If it's not to do with the fact that they are a Chinese company, then why are you removing it when there are other products that are gathering the data far more openly and far more egregiously.
It's purely because they're a Chinese company.
Okay, so my view is slightly different. I wondered whether or not it was because of the political, you know, Xi Jinping and Putin hanging out a little bit, right?
And are they making TikTok videos, the two of them? It's rather like Huawei, isn't it, where there wasn't really any evidence—no, not at all. But something could happen.
But what's strange to me is that people are saying, "Well, you can't use these apps anymore because they're written in China." It's like, well, the device you're running these apps on, your smartphone, where was that manufactured?
But what's strange to me is that people are saying, "Well, you can't use these apps anymore because they're written in China." It's like, well, the device you're running these apps on, your smartphone, where was that manufactured?
Yeah, exactly.
And hello, hello, House of Commons, your CCTV cameras, where do you think they were made? I mean, all technology comes from China, doesn't it?
Yeah, it's like Pinky and the Brain. I've had you at my sides for 40 years.
But here's the thing, I literally spent—I looked up the first article on the BBC website, and you'll see in the show notes there's a whole series of links there from the BBC website.
I scrolled to the bottom, and you know how they have related articles.
This was 2 minutes, and I immediately found straight after the BBC's article, down the bottom, the UK government says stop using it.
And then you go to the bottom of that one, the Welsh government says remove TikTok go further down, Danish journalists told to remove TikTok.
Then the Canadian government is saying they have to remove TikTok. European Commission saying you have to remove TikTok. And then US is trying to ban it countrywide.
It probably won't go through, let's face it, but nonetheless, that's the kind of knee-jerk reaction.
And yet Facebook is doing far more, egregious data harvesting, probably doing far more in your opinion—well, what about the—
I scrolled to the bottom, and you know how they have related articles.
This was 2 minutes, and I immediately found straight after the BBC's article, down the bottom, the UK government says stop using it.
And then you go to the bottom of that one, the Welsh government says remove TikTok go further down, Danish journalists told to remove TikTok.
Then the Canadian government is saying they have to remove TikTok. European Commission saying you have to remove TikTok. And then US is trying to ban it countrywide.
It probably won't go through, let's face it, but nonetheless, that's the kind of knee-jerk reaction.
And yet Facebook is doing far more, egregious data harvesting, probably doing far more in your opinion—well, what about the—
You don't know.
You don't know though. You don't know. I'm just saying they got caught a few times.
A few times? They get caught constantly.
Yeah.
And also, who was it who influenced—
I'm not advocating for Facebook.
Which platform influenced the US election more? TikTok, with its jiggly, bouncing, nubile young people in it, or Facebook and Cambridge Analytica?
You know, those platforms are far more dangerous, but because they just happen to be American or on American soil, that's perfectly all right.
And yet that data is being sold as well.
You know, those platforms are far more dangerous, but because they just happen to be American or on American soil, that's perfectly all right.
And yet that data is being sold as well.
Thom, it would be remiss of me not to ask, are you getting a backhander from TikTok?
Yes, it sounds like all this new jiggling you keep on advertising.
No backhanding, no, nothing like that. Reach around in, nothing like that whatsoever from TikTok. I just think if we're going to ban TikTok, let's at least use the same measure.
The threat and the risk of TikTok is the same, if not potentially less, than Facebook, Instagram, and all of the others. And yet they seem to be absolutely fine.
And, you know, it does—
The threat and the risk of TikTok is the same, if not potentially less, than Facebook, Instagram, and all of the others. And yet they seem to be absolutely fine.
And, you know, it does—
They're in jurisdictions, I guess, where the powers that be feel that they can have some kind of oversight or some—
Well, I'm pretty sure China thinks it can have some oversight over ByteDance, who are running TikTok as well. Without a doubt.
So yes. Yeah. And that was this week's rant of the week.
Yeah. Jesus.
Okay.
Wasn't it just—keep taking the blood pressure tablets. Carole, what's your—not pick of the week. What have you got for us this week?
Well, let me take you to Lakewood, Colorado. It is said to have breathtaking views. Close to 100 parks for residents to enjoy.
It's about 8 miles from Denver, right near the Rocky Mountains. Just giving you a visual here so you can kind of feel it out.
It's about 8 miles from Denver, right near the Rocky Mountains. Just giving you a visual here so you can kind of feel it out.
Yeah, it sounds beautiful. Yeah, yeah, right?
Sounds idyllic, doesn't it? I mean, you can hike or camp or ski in the mountains, make friends with the local black bears and mountain lions that roam the place freely.
Okay, maybe not.
Or you can go into Denver, right? Eat at hippie eateries and go to the theater and all that.
So it's no surprise residents Vicky and her daughter, Sarah Ragle, thought this was the place to be.
Now, Vicky is 69, spent 42 years as a middle school teacher, retired this July, right, this past July.
And she and her daughter made a plan that they would find themselves a dream home in the city of Lakewood, where Vicky would be able to enjoy her retirement.
So it's no surprise residents Vicky and her daughter, Sarah Ragle, thought this was the place to be.
Now, Vicky is 69, spent 42 years as a middle school teacher, retired this July, right, this past July.
And she and her daughter made a plan that they would find themselves a dream home in the city of Lakewood, where Vicky would be able to enjoy her retirement.
Lovely.
And after some searching, they land on this cute little townhouse within their budget. But it wasn't Vicky's entire life savings.
And the thing is, the whole house buying process is complicated. I mean, it's full of formalities and paperwork.
And, you know, it's very clear for those who run the transactions, estate agents and lawyers and lenders. But I think it's daunting for the purchaser or the seller.
And the thing is, the whole house buying process is complicated. I mean, it's full of formalities and paperwork.
And, you know, it's very clear for those who run the transactions, estate agents and lawyers and lenders. But I think it's daunting for the purchaser or the seller.
Yeah, yeah. Well, yeah, I think so. Yeah, can be.
I mean, especially if you haven't moved in decades and don't know, you know, you're not used to it.
Yeah.
So we have Vicky and Sarah Ragle, and they've gone through the whole process of buying and purchasing the house. They even start getting new furniture for the place.
Two days before the closing date for the property, the mother and daughter duo get an email from the title company, and they write, "Hi, Vicky and Sarah.
I went ahead and prepared the closing documents and closing statement with the closing date of Friday, the 3rd of March." Great. Attached, please find the final closing statement.
The amount due to close is $198,662.81.
Polite reminder, it then says, as we require funds to be remitted 48 hours prior to closing, kindly advise when you will be ready to remit the closing funds so I can forward the title instructions for your action.
Okay.
Two days before the closing date for the property, the mother and daughter duo get an email from the title company, and they write, "Hi, Vicky and Sarah.
I went ahead and prepared the closing documents and closing statement with the closing date of Friday, the 3rd of March." Great. Attached, please find the final closing statement.
The amount due to close is $198,662.81.
Polite reminder, it then says, as we require funds to be remitted 48 hours prior to closing, kindly advise when you will be ready to remit the closing funds so I can forward the title instructions for your action.
Okay.
Okay.
So, okay, so Vicky and Sarah, they don't want to lose this house.
Doesn't normally your solicitor handle all this, the money side of things? You give the money to the solicitor rather than—
Well, I don't know how it works in the States, actually. I know how it works here.
Yeah, I get it's slightly different there, but yeah.
Yeah, but they are a bit perturbed because previous conversations said that they would need to transfer the funds at the day of closing. Yeah.
Right?
Yeah.
But Vicky responds saying, "Okay, I'll call in an hour and we can do that." And the title manager emailed back saying, "Don't call because I'll be in a closing, but here's the information," and provides all the details for the transfer of funds, right?
So they give the title company the near $200,000, right? And then they get an email saying, "Hi Vicki, we have just confirmed receipt of the funds pending.
I will send an escrow confirmation receipt once recorded." So a few days pass. Now Friday, day of closing.
Vicki and Sarah go in to finalize the paperwork and pick up the keys for their brand new home. They're greeted warmly.
Vicki said in media, she said, "We went to the closing on Friday. Everyone was laughing and excited. We signed acres of paper.
And then the title lady said, let me check your funds." And the title lady comes back looking perplexed and asked Vicki and Sarah, "Where did you send the funds to?" And Vicki says, probably wide-eyed, "Send them to you." And the response is, "We don't have them," says the title lady.
But Vicky responds saying, "Okay, I'll call in an hour and we can do that." And the title manager emailed back saying, "Don't call because I'll be in a closing, but here's the information," and provides all the details for the transfer of funds, right?
So they give the title company the near $200,000, right? And then they get an email saying, "Hi Vicki, we have just confirmed receipt of the funds pending.
I will send an escrow confirmation receipt once recorded." So a few days pass. Now Friday, day of closing.
Vicki and Sarah go in to finalize the paperwork and pick up the keys for their brand new home. They're greeted warmly.
Vicki said in media, she said, "We went to the closing on Friday. Everyone was laughing and excited. We signed acres of paper.
And then the title lady said, let me check your funds." And the title lady comes back looking perplexed and asked Vicki and Sarah, "Where did you send the funds to?" And Vicki says, probably wide-eyed, "Send them to you." And the response is, "We don't have them," says the title lady.
Yeah.
So this is what I would say is a business email compromise.
But I think a lot of people kind of think, "Oh, business email compromise, I don't need to worry about if I'm an individual, or I don't need to look out for those things.
I'm not a business."
But I think a lot of people kind of think, "Oh, business email compromise, I don't need to worry about if I'm an individual, or I don't need to look out for those things.
I'm not a business."
Yeah.
Exactly. It's not individual email compromise, right?
Exactly. So just to recap for some of our listeners, business email compromise, or BEC for short, it's what we call it in the trade.
It's where criminals send an email message that appears to come from a known source making a legitimate expected request.
So in this case, the scammers purported to be the title company, and it would easily dupe the person who's expecting to pay that kind of money for a house.
It's where criminals send an email message that appears to come from a known source making a legitimate expected request.
So in this case, the scammers purported to be the title company, and it would easily dupe the person who's expecting to pay that kind of money for a house.
You see, I'm buying a house at the moment, and I had to engage solicitors and things, and they went out of their way to warn me of these type of scams. And they sent—
Oh, that's good. That's good.
And in the paper, not only in my conversations with them, but also in the pack of information they sent to me through the post, which they said, "Well, we're not going to send to you electronically.
We need to check that you're not a rotter as well. We need to send it to your address." And there was all kinds of verification they had to do on my identity.
But there was this bit which said, "Watch out for scammers." They said it's very common for people to get, for criminals to get involved in the house buying process in an attempt to trick you into transferring the money into the wrong account.
And so they said, "Look, we're not going to tell you that our account details are going to change or anything like that. You know, you're only ever going to deal with us.
And if you have any questions, ring us on this number."
We need to check that you're not a rotter as well. We need to send it to your address." And there was all kinds of verification they had to do on my identity.
But there was this bit which said, "Watch out for scammers." They said it's very common for people to get, for criminals to get involved in the house buying process in an attempt to trick you into transferring the money into the wrong account.
And so they said, "Look, we're not going to tell you that our account details are going to change or anything like that. You know, you're only ever going to deal with us.
And if you have any questions, ring us on this number."
Yeah, that's great. Isn't that great?
Yeah. That does make a difference, doesn't it?
But I think part of it is sometimes the criminals just know that you're buying a house because you've posted it on Facebook or wherever, or Insta or whatever, and they just sort of chance their arm with a dodgy email, as it were.
But I think part of it is sometimes the criminals just know that you're buying a house because you've posted it on Facebook or wherever, or Insta or whatever, and they just sort of chance their arm with a dodgy email, as it were.
100%.
But then in other cases, and certainly over here, many solicitor companies that handle the house sales are small companies and they're out.
Their IT is either outsourced or they've got the brother Dave runs it or whatever.
And so it's very easy potentially for their networks and for their email accounts to be compromised.
And the emails actually come from the correct domain name and they've read through the emails and they've got the tone of the people who are talking to you and they've got all the relevant personal details and the actual things that aren't necessarily in the documents, you know, that they— you like being called Thom and not Thomas, for instance, and stuff like that.
Because for a start, if somebody emailed me and said, hello Thomas, I immediately think, well, you're either my mother or you're a criminal, right?
Their IT is either outsourced or they've got the brother Dave runs it or whatever.
And so it's very easy potentially for their networks and for their email accounts to be compromised.
And the emails actually come from the correct domain name and they've read through the emails and they've got the tone of the people who are talking to you and they've got all the relevant personal details and the actual things that aren't necessarily in the documents, you know, that they— you like being called Thom and not Thomas, for instance, and stuff like that.
Because for a start, if somebody emailed me and said, hello Thomas, I immediately think, well, you're either my mother or you're a criminal, right?
Yeah, because I call you Thom-ass.
Yeah, exactly, exactly.
Well, it's—
It—
The shitty bit of this, right, is that 69-year-old Vicki, right, she said, all I could think of is now I'm homeless and broke. I'm 69 years old and now I'm broke and homeless.
Because the title managers aren't going to go, oh, poor you, you paid the wrong account, here's money. Exactly, right? Let's just go get the house.
And it's unclear at this time how the scammers managed to infiltrate the communication chain.
But she contacted the FBI in Colorado and the Lakewood Police, who I'm sure are all over this.
Because the title managers aren't going to go, oh, poor you, you paid the wrong account, here's money. Exactly, right? Let's just go get the house.
And it's unclear at this time how the scammers managed to infiltrate the communication chain.
But she contacted the FBI in Colorado and the Lakewood Police, who I'm sure are all over this.
At least she didn't have to call Action Fraud.
Small mercies, right?
But as a silver lining— Yeah, as a silver lining to all this, Vicky's friend and coworker started a GoFundMe page.
And as of today, it's currently at $132,600, which is pretty amazing and heartwarming. And it's good to know that there are some lovely people out there.
And as of today, it's currently at $132,600, which is pretty amazing and heartwarming. And it's good to know that there are some lovely people out there.
So I'm just going to go and create a GoFundMe page in her name now and see if I can put a link to it in our show notes.
Ah, sheesh, Graham, you're so heartless.
These houses don't buy themselves, you know.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
Our sponsor Collide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
How?
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in Zero Trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Kolide patches one of the major holes in Zero Trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Our friends at Bitwarden have been busy this month, adding some fab new features to their open-source password management solution.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashingsecurity. That's bitwarden.com/smashingsecurity. And welcome back. Can you join us at our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashingsecurity. That's bitwarden.com/smashingsecurity. And welcome back. Can you join us at our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week is not security related. This weekend, I took some friends and family out to the theater because a birthday was being celebrated.
Not mine, identity thieves, not mine. And we went to go and see a show in London called The Play That Goes Wrong. Have either of you seen The Play That Goes Wrong?
Not mine, identity thieves, not mine. And we went to go and see a show in London called The Play That Goes Wrong. Have either of you seen The Play That Goes Wrong?
So good. They also do The Show That Goes Wrong and stuff like that. They've got a series of— they have some TV shows. Brilliant. Brilliant.
It's absolutely— have you actually seen the stage show, Thom, or just—
I haven't seen the stage show, but I think they've had two seasons of stuff on The Show That Goes Wrong.
That's right. It's called The Goes Wrong Show. It's on BBC.
Yeah, that's it. The Goes Wrong Show.
Which I would recommend. You may be able to find it on iPlayer or maybe on Amazon Prime.
I particularly love the one where I should explain first of all, that The Play That Goes Wrong and The Goes Wrong Show is about—
I particularly love the one where I should explain first of all, that The Play That Goes Wrong and The Goes Wrong Show is about—
Clue's in the name.
Yeah, the clue is in the name. It's meant to be like an amateur theatrical group where everything goes wrong. They're trying to do a play and the props go wrong.
They forget the words, disasters befall them.
They forget the words, disasters befall them.
They're also not very good, are they?
They're not very good as actors, but it's hilarious. Misplaced props, they forget lines, miscues, everything.
I think the funniest one of the TV show, I think the one I liked the most was the one where they accidentally built the set at a 90-degree angle.
Oh yeah, that's right, that's right, Bruce!
But they carried on, so they moved the cameras to make it look as though it were horizontal, but of course it was really vertical and they were all sat at this table and people were delivering—
I think the funniest one of the TV show, I think the one I liked the most was the one where they accidentally built the set at a 90-degree angle.
Oh yeah, that's right, that's right, Bruce!
But they carried on, so they moved the cameras to make it look as though it were horizontal, but of course it was really vertical and they were all sat at this table and people were delivering—
Clinging on for dear life.
It was clinging on for dear life. It was the most hilarious thing imaginable.
Anyway, is this current now or no?
Yeah, last few years it's been on the BBC and the play is playing right now in London. In fact, it's been London's longest running comedy, I believe, that is going.
It's probably been going for about 10 years. I've actually seen The Play That Goes Wrong now 3 times.
It's probably been going for about 10 years. I've actually seen The Play That Goes Wrong now 3 times.
Are you kidding me?
My son adores it and it is, I've never seen him laugh so hard at anything.
If you like the TV show, this takes it to a whole other level and you just cannot believe what is happening on the stage with the stunts and the humour. It is bonkers.
People get knocked out, so people are removed from the stage. Anyway, all kinds of shenanigans go on.
If you like the TV show, this takes it to a whole other level and you just cannot believe what is happening on the stage with the stunts and the humour. It is bonkers.
People get knocked out, so people are removed from the stage. Anyway, all kinds of shenanigans go on.
We said that, or I said that the actors are not very good. The actors are amazing at playing actors who aren't very good.
Yes.
Yes. And the physical comedy and the imagination which is used in this show is quite extraordinary. Anyway, so my recommendation, I believe it may be also on a US tour at the moment.
You can probably go and find out. If you are based out in the States, you may want to check it out. But otherwise, you can catch up on Amazon Prime or BBC iPlayer.
So, my pick of the week this week is The Play That Goes Wrong. Really recommend it, hilarious. Thom, what's your pick of the week?
You can probably go and find out. If you are based out in the States, you may want to check it out. But otherwise, you can catch up on Amazon Prime or BBC iPlayer.
So, my pick of the week this week is The Play That Goes Wrong. Really recommend it, hilarious. Thom, what's your pick of the week?
So I've got two, one very quick one and then a proper one.
You did this last time.
Many years ago when I first started work and we had Windows, I think it was 3.1 and then maybe just onto Windows 95.
There was a little executable that was doing the rounds called PooTimer.exe. And when you ran it, this was before, you know, cynicalness crept in and you had to make sure—
There was a little executable that was doing the rounds called PooTimer.exe. And when you ran it, this was before, you know, cynicalness crept in and you had to make sure—
Sounds like a Trojan horse, Thom, I have to say. It's not something I'd run.
Yeah, but it wasn't. It may have been technically a worm because you sent it to everybody you knew as a result.
But you see, you ran the app and it asked you your salary and, you know, either per year, per month, per week, asked you what percentage tax you pay.
You type that in and up it came and a button that basically said, I'm going for a poo. So you click that when you went for a poo. This is at work, obviously.
And then when you came back from work, from a poo, you click the button again, and it told you how much you got paid while you had a poo.
But you see, you ran the app and it asked you your salary and, you know, either per year, per month, per week, asked you what percentage tax you pay.
You type that in and up it came and a button that basically said, I'm going for a poo. So you click that when you went for a poo. This is at work, obviously.
And then when you came back from work, from a poo, you click the button again, and it told you how much you got paid while you had a poo.
So let me get this straight, Thom. You're unhappy with companies banning TikTok, but you're quite comfortable running this poo timer programme inside your organisation?
Would you hold it in, Graham?
Is one not allowed to poo on company time? I'm going to have a word with HR.
Is this sensitive data being uploaded to the cloud somewhere in China, and they're making use of it?
But anyway, I've been searching for this, you know, a long time ago because I've got Parallels on my Mac. I could run this again.
Right.
But it doesn't exist as far as I can make out. But there is a new website called poopies.com. And it's actually an app for your phone.
Available on Google Pixel.
Comes out. Yeah, exactly. Only on Android at the moment. I guess they're trying to work on the iPhone thing.
It's not Rate My Poo, I just want to be clear, that's a very different thing entirely.
It's not Rate My Poo, I just want to be clear, that's a very different thing entirely.
But blast from the past, literally.
That is a different site, yes.
Yeah, but I'm just saying you can soon work out how much you earn while going for a poo. So that was the quick one. So the other one, and this is the real one.
Yeah, give us your number 2 now, Thom. Yeah, yeah. Oh man.
That was good. That was good.
So the real one, I have this wonderful little portable espresso maker, which I have with me because the coffee in the office I either have to pay for, or it's this horrible stuff out of an urn.
And so I have a little portable espresso maker by a company called Wacaco. And they do a range of these, and the one I have is called the Minipresso NS2.
I did have the Minipresso NS as well because I like my gadgets, as you both know.
And what this one does, it's called the Minipresso because it uses the Nespresso pods, the ones you can buy in the shops.
So I think Starbucks have got their own and Tesco's and etc., etc.
You pop this into the machine, screw the bottom on it, open up the top, pour in hot water, and then a little plunger comes out and then you pump it.
And then it basically acts like an espresso machine and gives you a perfect espresso shot of coffee from your Nespresso pod.
So the real one, I have this wonderful little portable espresso maker, which I have with me because the coffee in the office I either have to pay for, or it's this horrible stuff out of an urn.
And so I have a little portable espresso maker by a company called Wacaco. And they do a range of these, and the one I have is called the Minipresso NS2.
I did have the Minipresso NS as well because I like my gadgets, as you both know.
And what this one does, it's called the Minipresso because it uses the Nespresso pods, the ones you can buy in the shops.
So I think Starbucks have got their own and Tesco's and etc., etc.
You pop this into the machine, screw the bottom on it, open up the top, pour in hot water, and then a little plunger comes out and then you pump it.
And then it basically acts like an espresso machine and gives you a perfect espresso shot of coffee from your Nespresso pod.
And you like the pods because?
Because they're easy, convenient, and I get them for free in my hotel.
Oh, but your hotel machine doesn't make good enough coffee?
No, no, my hotel machine makes great coffee, but in the office I don't get access to that unless I pay for it.
So you're pinching these capsules from your hotel?
No, I'm paying for them.
Well, well—
I'm paying for them. Just like I pay for all the shampoo, the tea bags, and the conditioners.
Oh my God. And the dressing gown, the mattress, the pillows.
Ah, you see, no, I don't pay for those. I rent those. That's the difference.
How many hotel slippers do you have in your house?
Oh, none. But I've got a whole bunch of British Airways business class bags. Do you know what I mean? The little— and first class ones, actually.
Graham and I went and visited a friend's apartment once, and he lived in a very cosmopolitan city, so he had a very kind of bijou apartment, right? On the very high floor.
And he had a very small bathroom, compact, bijou, and this ginormous fishbowl full of hotel shampoos.
And he had a very small bathroom, compact, bijou, and this ginormous fishbowl full of hotel shampoos.
Yes.
You couldn't actually have a waz on the loo without bending forward because it was a fishbowl, right? It was ridiculous. So you're one of those?
Yes, although actually it's now my daughter because she likes the shampoo and conditioner. And let's face it, I don't have a lot of use for shampoo and conditioner, in fairness.
But I do have a lot of use for good coffee, and I would highly recommend this. It's great for camping trips as well.
So if you're going camping, if you're going out for the day, you know, all that sort of thing, you just have to take a thermos of hot water.
If you go to the website, you'll see they do other ones where you put ground coffee in. You don't have to use the capsules.
You can get ones which you put just regular ground coffee in. Really, really good.
Not shockingly expensive, you know, it is an investment, not shockingly expensive, and everybody loves it, especially when you offer to make them a cup of coffee.
But I do have a lot of use for good coffee, and I would highly recommend this. It's great for camping trips as well.
So if you're going camping, if you're going out for the day, you know, all that sort of thing, you just have to take a thermos of hot water.
If you go to the website, you'll see they do other ones where you put ground coffee in. You don't have to use the capsules.
You can get ones which you put just regular ground coffee in. Really, really good.
Not shockingly expensive, you know, it is an investment, not shockingly expensive, and everybody loves it, especially when you offer to make them a cup of coffee.
Oh, I see. It's a bit like having a lighter in the 1950s.
Yes, that's right.
I'm watching a video of the pump action. It looks a little bit like milking a cow. It sort of squirts out of the bottom, doesn't it?
So you're squeezing the side of the thing and it pours out the bottom.
You're right.
It's a little bit of a workout. Right. You know, if you're out of shape, you might start sweating. So, okay, you know, it could be a salted coffee if you're not careful.
But I'm getting uncomfortable.
But I'm getting uncomfortable.
Why am I getting uncomfortable?
I don't know.
Carole, what is your pick of the week?
Okay, we're back in safe territory, everybody. My pick of the week is a podcast called Restart. So published by BBC Radio 4 Extra in September last year, and the plot is quite cute.
Okay, there's a facility in the middle of New Mexico desert designed to cure kids with video gaming addiction.
Okay, there's a facility in the middle of New Mexico desert designed to cure kids with video gaming addiction.
Right.
And so lots of parents send their kids there because they're obviously completely addicted to video games. And are they really a facility designed to cure the kids?
Or is it something more sinister?
Or is it something more sinister?
No.
So, they call it a mind-bending thriller. I would agree.
I had a great time listening to the 8 episodes, getting deeper and deeper into the conspiracy, all while trying to answer the question, just what the heck is going on?
And I'm not a gamer, right? Everyone knows I'm not a gamer. So, you don't need to be a gamer to enjoy this audio drama. But I would recommend it.
I think, I don't know if you listen to audio dramas, Thom.
I had a great time listening to the 8 episodes, getting deeper and deeper into the conspiracy, all while trying to answer the question, just what the heck is going on?
And I'm not a gamer, right? Everyone knows I'm not a gamer. So, you don't need to be a gamer to enjoy this audio drama. But I would recommend it.
I think, I don't know if you listen to audio dramas, Thom.
Graham, I know doesn't.
But I tend not to, I must admit. But I have been encouraged to listen to a few. But this looks good. As soon as I see the link, I might give it a go.
It's cute, this one. Yeah, it's— I think it's really cute. You might enjoy it. I thought this would be a good one for you as you were coming on the show.
So my pri— I was gonna say my prick of the whole thing.
So my pri— I was gonna say my prick of the whole thing.
That's no way to talk to your guests. This is outrageous. If I was wearing a wired microphone, I'd tear it off and walk out now.
Don't you think we should start doing that? We could have a little bit— we'd have nitpick of the week, prick of the week.
Then you could get Javad on.
Are we gonna bleep out their names every time they come on just to irritate them?
So my pick of the week is Restart, podcast from the BBC starring the makers of The Cipher, starring Armin Karima from Sex Education, for those that know it.
So find it wherever you get your pods from. And that's my pick of the week.
So my pick of the week is Restart, podcast from the BBC starring the makers of The Cipher, starring Armin Karima from Sex Education, for those that know it.
So find it wherever you get your pods from. And that's my pick of the week.
Nice.
Super. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. I don't know why.
I'm sure they would.
Why are you laughing?
What's the best way? What's the best way for folks to do that?
You can get me at ThomLangford.com. That's Thom with a TH. But that's also Thom Langford on Twitter, Thom Langford on Mastodon. Yeah, you can also find us at podcast.hostunknown.tv.
He's very available.
Terrific. And you can follow us on Twitter @smashingsecurity. No G, Twitter allows to have a G. Smashing Security also has a Mastodon account.
Easiest way to find us is at smashingsecurity.com/mastodon and check out the Smashing Security subreddit as well.
And to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
Easiest way to find us is at smashingsecurity.com/mastodon and check out the Smashing Security subreddit as well.
And to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
And huge, huge thank yous to this episode's sponsors, Bitwarden, Drata, and Kolide. And of course, to our wonderful Patreon community. It's thanks to you all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 313 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 313 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye. Stay secure, my friends.
Stay secure.
I used to say that. I used to say that. Remember, it was stay secure.
You used to say it before Host Unknown used to say it.
I know, we've done everything before Host Unknown.
Now they've stolen everything. Yes.
Yes. We got it off Jav. We just do it to wind him up.
He stole it.
We had it at Sophos podcast about 15 years ago.
Yep. I know from that. 20 years ago, I'd say.
Yeah, whatever it is.
Yeah.
And it was stay secure. We were making jokes at the end. Stay secure, people. Stay secure. Anyway, no, I'm just kidding. I don't know if he knows. It's pretty easy.
Copyright. Copyright.
Copyright.
Yeah.
Copyright.
You're copyrighting the words stay and secure. Aah!
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
@thomlangford.bsky.social
@
Episode links:
- Stop pixelating! New tool reveals the secrets of “redacted” documents – Hot for Security.
- Google Pixel exploit reverses edited parts of screenshots – The Verge.
- Tweet by researcher Simon Aarons – Twitter.
- aCropalypse demo.
- Samsung ‘Fake’ Moon Shots Controversy Puts Computational Photography in the Spotlight – MacRumors.
- Android phones can be hacked just by someone knowing your phone number – Graham Cluley.
- BBC advises staff to delete TikTok from work phones – BBC News.
- TikTok: UK ministers banned from using Chinese-owned app on government phones – BBC News.
- TikTok banned from official Welsh government phones – BBC News.
- Danish public broadcaster advises staff against using TikTok – BBC News.
- Canada bans TikTok on government devices – BBC News.
- European Commission bans TikTok on staff devices – BBC News.
- New bill would ban TikTok in the US but it faces long odds – BBC News.
- A Retired Teacher and Her Daughter Were Scammed Out of $200,000 Over Email: ‘I’m 69 Years Old and Now I’m Broke and Homeless’ – Entrepreneur.
- Retired Colorado teacher left homeless and broke after scammers hijack house sale – MSN.
- Homebuyers scammed out of nearly $200,000 – YouTube.
- Stolen life savings Vickie and Sarah Ragle – Go Fund Me.
- The Play That Goes Wrong.
- The Goes Wrong Show 90 Degrees clip – YouTube.
- The Goes Wrong Show Series One – Amazon Prime.
- Poo Pays.
- MiniPresso NS2 – Wacaco.
- Restart Podcast – BBC.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
LOVE, LOVE, LOVE YOU AND YOUR PODCAST SERIES!!!!!! You inform and keep me laughing till the tears fill my eyes!!
Cheers from Nova Scotia (on the East Coast of Canada Graham….LOL)