
It could be a case of aCropalypse now for Google Pixel users, there’s a warning for house buyers, and just why is TikTok being singled out for privacy concerns?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
Thom are you still there are you busy?
I'm busy contacting all my friends on Android pointing and laughing.
Smashing Security, episode 314: photo cropping bombshell, TikTok debates and real estate scams, with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 314. My name's Graham Cluley. And I'm Carole Theriault. And Carole, we are joined this week by a special guest. Very special.
None other than Host Unknown's sole founder. I was going to say main host, one of the hosts from Host Unknown, Thom Langford.
That's right. It is me. This is not Javvad Malik or Andrew Agnes. This is Thom Langford, sole founder. I know you don't have the other two on very often because they're a bit crap, but I'm back.
They just have jobs. They're busy. They're very busy people. You know, we screwed up last week. I got a few emails from irate Canadians complaining that you don't know where Vancouver is because you said East Coast instead of West Coast and I didn't spot it, even in the edit. So apologies to all my people. I just don't listen to Graham very often.
Yeah, they work at some complaints from my end. Of course I know it's on the West. I can't believe I said East.
Vancouver sounds like a Dutch vacuum cleaner. So it's in the cupboard, isn't it?
Oh my, so corny. The dad jokes galore. Before we kick off, let's thank this week's sponsors, Bitwarden, Kolide and Drata. It's their support that helps us give you this show for free. Oh, I'm going to be telling you all about the aCropalypse.
Cool. OK. And Thom, what about you?
Well, I'm going back to an old favourite. TikTok.
Woohoo. Oh, good. And I'm going to be talking about how to buy a house in Lakewood, Colorado. All this and much more coming up in this episode of Smashing Security. Now, chums, it's 1974. No, it's not. It's really not, Graham. It's the middle of the Watergate crisis. And someone should write a rap song with that. That's great. Yeah, you could do, I suppose. And as governments, agencies, businesses around the world, they all realise if you don't want a sensitive or embarrassing or awkward piece of information to be shared in a document that you're posting online, redact it. Right. You should always be careful about what you share. Yes. Select all. Can you do a search and replace for the black bars? Maybe you can. Replace with nothing. Maybe you can. Maybe there's an unredact option.
So, yeah. So, if you redact the wrong way, that doesn't work very well. Not a great idea. And, of course, it's also relevant for screenshots. It's not just documents. So, a lot of people will pixelate out things. But, but. This is nothing new.
I had friends in high school that used to do this. There'd be something on the bathroom wall about that. And they would be trying to erase it, right, by using a marker or some pens or something on top of it. And you could always often see through. It's intense. Yeah.
Liquid paper was the stuff that we used. With some determination, Carole, you could always find that phone number you were looking for. If you were using liquid paper or Tippex on the computer monitor, Carole, that would obscure it for you, but not for other people, just so you know. It doesn't quite work like that. Known. My pink hairy vest with the two buttons. And, you know, you're—
Pretty proud, right? And you happen not to be wearing any—
Trousers, okay? Often, oftentimes. I mean, it's, what, Tuesday today? So, yes. So,— You take a selfie. So, you stick up your smartphone up in the air, you know, to give it— Glad you qualified that. Because you want— You want— You want an image from a good angle.
You're doing the Princess Di face. Face down, eyes up, chin down. So—
You're taking that image, but afterwards you think, oh, I have left a little bit too much in the image. So what I'll do is I'll crop it at my belly button and then they'll just see my manly chest. They won't see anything which is going on beneath.
They won't see Mr. Peewee. You would think—
That sharing that picture would be safe, wouldn't you?
Now, can I just ask where you're cropping this picture? Is this on an iPhone or it doesn't matter?
In this particular case, and this is why it wouldn't be, Thom, because I know Thom absolutely loves Apple hardware. In this particular case, it's happening on an Android Google Pixel smartphone using the default markup tool. Oh,—
My God. It doesn't keep it in the metadata or something, does it? It doesn't.
Well, well. Holy moly. Keep going. Tell us, tell us. Tell us. So. I think someone in the show is sweating and it's not— Me. So, boffins have discovered that there is a flaw in the standard tool used to edit images on Google Pixel phones that makes the seemingly impossible be possible. Got it. Very cute. Let's give it a clap,— Right? Yeah, hand clapped. It's pretty good.
Based on the metadata. Not on the metadata. No. Not specific. Some embedded data somewhere, right? Exactly, exactly. So the metadata normally is like the EXIF information as to when and where it was taken and what kind of camera and all of that guff, which we all know about.
Right, and you're like, here's a hot picture of me or titillating, you know, not— So this— Works both with cropped images and also images where you've changed the image. Like, for instance, and this is what these two boffins, Simon Aarons and David Buchanan, they are the ones who found this vulnerability. Are you still there? Are you—
Busy right now? I'm busy contacting all my friends on Android, pointing and laughing. And then what is it? That emoji with the purple fruited emoji. The aubergine. Aubergine, thank you. Thank you. I could only think of the name that I was thinking of it of. But, yeah, I'm just tweeting that to them. So just imagine, right, it may not be that you're redacting your phone number. It may be that you've got a saucy snap. It happened in an Austin Powers movie where Liz Hurley is there with a couple of watermelons. A cushion. Redact, redact the—
Teapot. Well, no, you may have taken an image, an amusing image with an inflatable item or with a teapot or a chipolata or whatever it may be, covering your modesty. And you could have shared it with someone. Ha, ha, ha, isn't this funny? They can't see anything really. But now they could take that image and see what was there before.
Wow. Ouch. That does remind me a little bit of the Samsung moonshots that they do, the advert that's on telly at the moment saying you can take these most amazing moonshots.
Oh, I don't know. What's all that about?
Yeah, so there's a Samsung advert on your mobile phone. You can take these amazing moonshots and people who've got proper cameras and telescopes are saying, oh, give me your photo because it's so much better. And it turns out that actually the moonshot that you took is basically artificially generated. And they proved this by putting a blurry photo of the moon in a dark room, taking a photo of it, and getting a perfectly crisp picture of the moon back from the camera.
Wow. Because they know what the moon looks like.
The moon looks the same wherever you are in the world, right? It doesn't spin. So, yeah. So take some great shots of the moon, but they weren't taken by you.
Wow. Unbelievable. Well, this flaw has existed on the Google Pixel phone with this markup tool for about five years.
Oh, there's a treasure trove out there. Exactly. Are you sweating yet, Thom? No, I'm an iPhone guy.
So the good news is Google's March 2023 security update fixes the flaw. The bad news is that they haven't issued their March 2023 security update for some Pixel users yet, for some particular Pixel devices. And people are already waiting for that update because there's another problem at the moment with Android, whereby if you know somebody's mobile phone number, that can be enough to hack their phone on particular devices because of the modem chipset. So you do want to update your Google Android device. The worst news of all, though, is, as Thom suggested, Google hasn't invented a time machine to go back five years.
That's what I was just going to ask. Of course, they're not going to retro yet.
Because there's all those images out there already. It's too late. It's no longer under your control.
Well, I just want to shout out to all the people right now who are owning Google Pixel phones and are madly going through their pictures, deleting any that may.
I'm just reminded of that Simpsons character. Ha ha!
Not very friendly at all. You saw all the grief we got from Canadian listeners last week. Now you've angered all the Android users.
They were right. Come on, they were right. They were right. And it's more embarrassing for me than you, trust me.
I agree. Thom, what's your story for us this week?
So my story, we are going back to TikTok yet again. I mean, this seems to be the story that doesn't go away. So TikTok, as I'm sure you will all know, is the favourite social media app of teenage children and middle-aged men, it would seem. Mainly because the algorithm constantly delivers everything you want based upon what you watch. So if you like, you know, nubile young people dancing and jiggling, then that's what you're going to get for the rest of your life until 3 a.m. when you start questioning your life choices.
I've heard that. I've heard in America alone, this is on the New York Times podcast, The Daily, they are saying that one in three devices have it installed in the U.S. Yeah, doesn't surprise. That's insane to me. I've never used it. I'm not. Me neither. I've never used it, partly because I don't have to. I get all the best content reposted onto my WhatsApp group with Javvad and Andy mainly. So I get the curated format.
It's a big waste of time, isn't it?
It's a waste of time. You shouldn't be looking at all that jiggly wonder on your work hours. But some companies would think that, yeah. I would be very, very keen to find out if they're also saying you must also remove LinkedIn and any Google product and Facebook and Instagram and all that thing. I would put money on the fact that the vast majority of them don't. To be blunt, this smacks of politics generally and racism at the end of the day. If it's not to do with the fact that they are a Chinese company, then why are you removing it when there are other products that are gathering the data far more openly and far more egregiously? It's purely because they're a Chinese company.
Okay, so my view is slightly different. I wondered whether or not it was because of the, I don't know, political, you know, Xi Jinping and Putin hanging out a little bit, right? Are they making TikTok videos, the two of them? It's rather like Huawei, isn't it, where there wasn't really any evidence. But something could happen. Absolutely. It's like Pinky and the Brain. I've had you at my sides for 40 years. But here's the thing. I literally spent, I looked up the first article on the BBC website, and you'll see in the show notes, there's a whole series of links there from the BBC website. I scrolled to the bottom, and you know how they have related articles. This was two minutes, and I immediately found, straight after the BBC's article, down the bottom, the UK government says, stop using it. And then you go to the bottom of that one. The Welsh government says, remove TikTok. Go further down. Danish journalists told to remove TikTok. Then the Canadian government is saying you have to remove TikTok. European Commission saying you have to remove TikTok. And then the US is trying to ban it countrywide. It probably won't go through, let's face it. But nonetheless, that's the kind of knee-jerk reaction. You don't know, though. You don't know.
They got caught a few times.
A few times. They get caught constantly. And also,
who was it who influenced the... I'm not advocating for Facebook. Which platform influenced the US election more? TikTok, with its jiggly, bouncing, nubile young people in it? Or Facebook and Cambridge Analytica? Those platforms are far more dangerous. But because they just happen to be American or on American soil, that's perfectly all right. And yet that data is being sold as well.
Thom, it would be remiss for me not to ask, are you getting a backhander from TikTok? It sounds like all this nubile jiggling you keep on advertising on it.
No backhanding, no reach arounding, nothing like that whatsoever from TikTok. I just think if we're going to ban TikTok, let's at least use the same measure. The threat and the risk of TikTok is the same, if not potentially less, than Facebook, Instagram and all of the others. And yet they seem to be absolutely fine.
But they're in jurisdictions, I guess, where the powers that be feel that they can have some kind of oversight or some power.
Well, I'm pretty sure China thinks it can have some oversight over ByteDance running TikTok as well, without a doubt.
Yeah. And that was this week's rant of the week.
Jesus. Okay. Keep taking the blood pressure tablets, Carole. What's your pick of the week? What have you got for us this week? Well, let me take you to Lakewood, Colorado. It is said to have breathtaking views, close to 100 parks for residents to enjoy. It's about 8 miles from Denver, right near the Rocky Mountains. Yeah, it sounds beautiful. Sounds idyllic, doesn't it? I mean, you can hike or camp or ski in the mountains, make friends with the local black bears and mountain lions that roam the place freely. Okay, maybe not. Or you can go into Denver, right? Eat at hippie delis and go to the theater and all that. Yeah, well, I think so. Can be. I mean, especially if you haven't moved in decades and don't know, you know, you're not used to it. So we have Vicky and Sarah Raggle, and they've gone through the whole process of buying and purchasing the house. They even start getting new furniture for the place. Doesn't normally your solicitor handle all this, the money side of things? You give the money to the solicitor rather than... Well, I don't know how it works in the States, actually. I know how it works here.
Yeah, it's slightly different there, but yeah. Yeah, but they are a bit perturbed because previous conversations said that they would need to transfer the funds on the day of closing, right? But Vicky responds saying, "Okay, I'll call in an hour and we can do that." And the title manager emailed back saying, "Don't call because I'll be in a closing but here's the information." And provides all the details for the transfer of funds. So they give the title company the near two hundred thousand dollars, right? And then they get an email saying, "Hi Vicky, we have just confirmed receipt of the funds pending. I will send an escrow confirmation receipt once recorded."
Now Friday, day of closing, Vicky and Sarah go in to finalize the paperwork and pick up the keys for their brand new home. They're greeted warmly. Vicky said in media, she said, "We went to the closing on Friday. Everyone was laughing and excited. We signed acres of paper. And then the title lady said, 'Let me check your funds.' And the title lady comes back looking perplexed and asked Vicky and Sarah, 'Where did you send the funds to?' And Vicky says, 'I sent them to you.' And the response is, 'We don't have them,' says the title lady."
Yeah, exactly. It's not individual email compromise, right?
Exactly. So just to recap for some of our listeners, business email compromise, or BEC for short. That's what we call it in the trade. It's where criminals send an email message that appears to come from a known source, making a legitimate, expected request. So in this case, the scammer purported to be the title company, and it easily duped the person who was expecting to pay that kind of money for a house.
You see, I'm buying a house at the moment, and I had to engage solicitors and things, and they went out of their way to warn me of these types of scams. And they sent... Oh, that's good. That's good. And in the paper, you know, not only in my conversations with them, but also in the pack of information they sent to me through the post, which they said, well, we're not going to send to you electronically. We need to check that you're not a rotter as well. We need to send it to your address. And there was all kinds of verification they had to do on my identity. But there was this bit which said, watch out for scammers. They said it's very common for criminals to get involved in the house buying process in an attempt to trick you into transferring the money into the wrong account. And so they said, look, we're not going to tell you that our account details are going to change or anything like that. You know, you're only ever going to deal with us. And if you have any questions, ring us on this number. Carole.
Yeah, that's great. Isn't that great? Yeah. Thom.
That does make a difference, doesn't it? But I think part of it is sometimes the criminals just know that you're buying a house because you've posted it on Facebook or wherever or Insta or whatever, and they just chance their arm with a dodgy email, as it were. But then in other cases, and certainly over here, you know, many solicitor companies that handle the house sales are small companies, and their IT is either outsourced or they've, you know, the brother Dave runs it or whatever. And so it's very easy potentially for their networks and for their email accounts to be compromised. And the emails actually come from the correct domain name. And they've read through the emails and they've read through and they've got the tone of the people who are talking to you and they've got all the relevant personal details and, you know, the actual things that aren't necessarily in the documents, you know, that you like being called Thom and not Thomas, for instance, and stuff like that. You know, because, you know, for a start, if somebody emailed me and said, hello, Thomas, I immediately think, well, you're either my mother or you're a criminal, right? Because I call you Thom. Yeah, exactly, exactly. Carole.
Well, it's the shitty bit of this, right, is that 69-year-old Vicky, right? She said, all I could think of is now I'm homeless and broke. I'm 69 years old and now I'm broke and homeless because the title managers aren't going to go, oh, poor you. You paid the wrong account. Here's money. Right. Let's just go get the house. And it's unclear at this time how the scammers managed to infiltrate the communication chain. But she contacted the FBI in Colorado and the Lakewood police, who I'm sure are all over this. Thom.
And she didn't have to call Action Fraud. Small mercy. Carole.
Right. But as a silver lining. As a silver lining to all this, Vicky's friend and co-worker started a GoFundMe page. And as of today, it's currently at one hundred and thirty two thousand six hundred dollars, which is pretty amazing and heartwarming and it's good to know that there are some lovely people out there. Hang on, Thom. These houses don't buy themselves, you know. Jesus. Graham.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks including SOC 2, GDPR, HIPAA and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations and 24-hour monitoring keep your company in compliance without manual work. And with a new open API and plenty of customisation, you can build your programme your way. With over 365-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade and Bamboo HR have shared how crucial it's been to have Drata as their trusted compliance partner. So, listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com slash drata. That's smashingsecurity.com slash D-R-A-T-A. Carole.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture, device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com slash smashing. That's kolide.com slash smashing. And thanks to Kolide for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. Login with device can be initiated on the web vault, browser extension, desktop app and mobile app, and you can approve access on your mobile and desktop app versions of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
And welcome back. Can you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week? Pick of the Week! Pick of the Week! Pick of the Week is the part of the show where everyone chooses something, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. This weekend, I took some friends and family out to the theatre because a birthday was being celebrated. Not mine, not mine. And we went to go and see a show in London called The Play That Goes Wrong. Have either of you seen The Play That Goes Wrong?
So good! They also do The Show That Goes Wrong and stuff like that. They've got a series of them, TV. Brilliant, brilliant.
Brilliant! It's absolutely... Have you actually seen the stage show Thom or just...
I haven't seen the stage show. I think they've had two seasons of stuff on The Show That Goes Wrong.
That's right. It's called The Goes Wrong Show. It's on BBC.
Yeah, that's it. The Goes Wrong Show. Which I would recommend.
You may be able to find it on iPlayer or maybe on Amazon Prime. I particularly love the one where... I should explain first of all. The Play That Goes Wrong and The Goes Wrong Show is about... Clues in the name.
Yeah, the clues in the name.
It's meant to be an amateur theatrical group where everything goes wrong. They're trying to do a play and the props go wrong. They forget the words. Disasters befall them. They're also not very good, are they? They're not very good as actors, but it's hilarious. Misplaced props. They forget lines, miscues, everything. The funniest one of the TV show, I think the one I liked the most, was the one where they accidentally built the set at a 90-degree angle.
Oh, yeah! That's right! That's right!
But they carried on, so they moved the cameras to make it look as though it were horizontal, but, of course, it was really vertical, and they were all sat at this table and people were delivering... Clinging on for dear life. It was clinging on for dear life. It was the most hilarious thing imaginable.
Is this current? Is this current now or no? It's, yeah, last few years it's been on the BBC. And the play is playing right now in London. In fact, it's been London's longest running comedy, I believe, that is going. It's probably been going for about 10 years.
We said that the actors are not very good. The actors are amazing at playing actors who aren't very good.
Yes, okay, okay. Yes. Yeah, you know. And the physical comedy and the imagination which is used in this show is quite extraordinary. Anyway, so my recommendation, I believe it may be also on a US tour at the moment. You can probably go and find out. If you're based out in the States, you may want to check it out. But otherwise, you can catch up on Amazon Prime or BBC iPlayer. So my pick of the week this week is The Play That Goes Wrong. Really recommend it. Hilarious. Cool. Thom, what's your pick of the week?
So I've got two. One very, very quick one, and then a proper one. So the first one... So did this last time, many years ago when I first started work and we had Windows, I think it was 3.1 and then maybe just onto Windows 95. There was a little executable that was doing the rounds called pootimer.exe and when you ran it... this was before you know cynicalness crept in and you had to make sure...
Sounds like a trojan horse, Thom, I have to say. It's not something...
And then when you came back from a poo, you clicked the button again, and it told you how much you got paid while you had a poo. So let me get it...
straight, Thom. You're unhappy with companies banning TikTok, but you're quite comfortable running this poo timer program inside your organization.
Would you hold it in, Graham? Is one not allowed to poo on company time? I'm going to have a word with HR.
Is this sensitive data being uploaded to the cloud somewhere in China and they're making use of it? Who...
Cares? But anyway, I've been searching for this a long time ago because, you know, I've got Parallels on my Mac. I could run this again, right? But it doesn't exist as far as I can make out. But there is a new website called poopays.com and it's actually an app for your phone available on Google Pixel. Comes out, yeah exactly, only on Android at the moment. I guess they're trying to work on the iPhone thing. It's not Rate My Poo. I just want to be clear. That's a very different thing entirely. Blast from the past, literally. That is a different site, yes. Yeah, but I'm just saying you can soon work out how much you earn while going for a poo. So that was the quick one. So the other one, and this is the real one.
Yeah, give us your number two now, Thom. Oh man, that was good. That was good. So the real one. I have this wonderful little portable espresso maker, which I have with me because the coffee in the office, I either have to pay for, or it's this horrible stuff out of an urn.
And you like the pods because?
Because they're easy, convenient, and I get them for free in my hotel.
Oh, but your hotel machine doesn't make good enough coffee?
No, no. My hotel machine makes great coffee, but in the office I don't get access to that unless I pay for it.
So you're pinching these capsules from your hotel.
No, I'm paying for them. I'm paying for them just like I pay for all the shampoo, the tea bags and the conditioners. And the dressing gown, the mattress, the pillows. You see, no, I don't pay for those. I rent those. That's the difference.
How many hotel slippers do you have in your house?
Oh, none. But I've got a whole bunch of British Airways business class bags. Do you know what I mean? And first class ones, actually.
You know, because Graham and I went and visited a friend's apartment once and he lived in a very cosmopolitan city, so had a very bijou apartment right on the very high floor and he had a very small bathroom, compact, bijou, and this ginormous fishbowl full of hotel shampoos. Like, you couldn't actually have a waz on the loo without bending forward because it was a fishbowl, right? Like it was ridiculous.
So you're one of those. Yes. Although actually it's now my daughter because she likes the shampoo and conditioner and let's face it, I don't have a lot of use for shampoo and conditioner in fairness. But I do have a lot of use for good coffee and I would highly recommend this. It's great for camping trips as well. So if you're going camping, if you're going out for the day, you know, all that sort of thing, just have to take a thermos of hot water. If you go to the website, you'll see they do other ones where you put ground coffee in. You don't have to use the capsules. You can get ones which you put just regular ground coffee in. Really, really good. Not shockingly expensive. You know, it is an investment, not shockingly expensive. And everybody loves it, especially when you offer to make them a cup of coffee.
Oh, I see. It's a bit like having a lighter in the 1950s.
Yes, that's right. I'm watching a video of the pump action. It looks a little bit like milking a cow. It sort of squirts out of the bottom, doesn't it?
So you're squeezing the side of the thing and it pours out the bottom. You're right. It's a little bit of a workout, right? You know, if you're out of shape, you might start sweating. So, you know, it could be a salted coffee if you're not careful.
I'm getting uncomfortable. What? Why am I getting uncomfortable? I don't know. Okay.
Carole, what is your pick of the week?
Okay, we're back in safe territory, everybody. My pick of the week is a podcast called Restart. So published by BBC Radio 4 Extra in September last year. And the plot is quite cute. Okay, there's a facility in the middle of New Mexico desert designed to cure kids with video gaming addiction, right? And so lots of parents send their kids there because they're obviously completely addicted to video games. And are they really a facility designed to cure the kids? Or is it something more sinister? So they call it a mind-bending thriller. I would agree. I had a great time listening to the eight episodes, getting deeper and deeper into the conspiracy, all while trying to answer the question, just what the heck is going on. And I'm not a gamer, right? Everyone knows I'm not a gamer, so you don't need to be a gamer to enjoy this audio drama. But I would recommend it. I think, I don't know if you listen to audio dramas, Thom. Graham, I know, doesn't, but...
I tend not to, I must admit. But, you know, I have been encouraged to listen to a few. But this looks good. As soon as I see the link, I might give it a go. It's cute, this.
Yeah, I think it's really cute. You might enjoy it. I thought this would be a good one for you as you were coming on the show. So my pick, I was going to say my prick of the whole thing.
That's no way to talk to your guests. It's outrageous. If I was wearing a wide microphone, I'd tear it off and walk out now.
Don't you think we should start doing that? We could have like a little bit. We have nitpick of the week, prick of the week.
Then you could get Javad on. Are we gonna bleep out their names?
Every time they come on, just to them. So my pick of the week is the Restart podcast from the BBC, from the makers of The Cypher, starring Armin Karima from Sex Education, for those that know it. So find it wherever you get your pods from.
Nice. And that's my pick of the week.
Super. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. I don't know why. I'm sure they would.
Why are you laughing? What's the best way?
What's the best way for folks to do that?
You can get me at ThomLangford.com. That's Thom with a T-H, but that's also Thom Langford on Twitter, Thom Langford on Mastodon. Yeah, you can also find us at podcast.hostunknown.tv. He's very available.
Terrific. And you can follow us on Twitter at smashinsecurity, no G. Twitter allows to have a G. Smashinsecurity also has a Mastodon account. Easiest way to find us is at smashingsecurity.com/Mastodon and check out the Smashing Security subreddit as well. And to ensure you never miss another episode, follow Smashing Security in your favourite podcast apps such as Apple Podcasts and Spotify.
And huge, huge thank yous to this episode's sponsors, Bitwarden, Drata and Kolide. And of course, to our wonderful Patreon community. It's thanks to you all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 313 episodes, check out smashingsecurity.com.
Until next time. Cheerio. Bye-bye. Bye. Stay secure, my friends. Stay secure. Lame. I used to say that. I used to say that. Remember it was stay secure. You used to say it before Host Unknown used to say. Oh, I—
I know. We've done everything before Host Unknown. And now they've stolen everything.
Yes. I know. Yes. We got it off Jav. We just do it to wind him up. He stole it.
We had it at Sophos Podcast about 15 years ago. Yeah. I've done that 20 years ago, I'd say. Yeah, whatever it is. Yeah. And it was like, stay secure. We were making jokes at the end. Stay secure, people. Stay secure. Anyway. No, I'm just kidding. I don't know if he knows. It's pretty easy to joke. Copyright. Copyright, yeah.
Copyright. You're copyrighting the words stay and secure.
Hosts: Graham Cluley, Carole Theriault
Guest: Thom Langford
Episode links:
- Stop pixelating! New tool reveals the secrets of “redacted” documents – Hot for Security.
- Google Pixel exploit reverses edited parts of screenshots – The Verge.
- Tweet by researcher Simon Aarons – Twitter.
- aCropalypse demo.
- Samsung ‘Fake’ Moon Shots Controversy Puts Computational Photography in the Spotlight – MacRumors.
- Android phones can be hacked just by someone knowing your phone number – Graham Cluley.
- BBC advises staff to delete TikTok from work phones – BBC News.
- TikTok: UK ministers banned from using Chinese-owned app on government phones – BBC News.
- TikTok banned from official Welsh government phones – BBC News.
- Danish public broadcaster advises staff against using TikTok – BBC News.
- Canada bans TikTok on government devices – BBC News.
- European Commission bans TikTok on staff devices – BBC News.
- New bill would ban TikTok in the US but it faces long odds – BBC News.
- A Retired Teacher and Her Daughter Were Scammed Out of $200,000 Over Email: ‘I’m 69 Years Old and Now I’m Broke and Homeless’ – Entrepreneur.
- Retired Colorado teacher left homeless and broke after scammers hijack house sale – MSN.
- Homebuyers scammed out of nearly $200,000 – YouTube.
- Stolen life savings Vickie and Sarah Ragle – Go Fund Me.
- The Play That Goes Wrong.
- The Goes Wrong Show 90 Degrees clip – YouTube.
- The Goes Wrong Show Series One – Amazon Prime.
- Poo Pays.
- MiniPresso NS2 – Wacaco.
- Restart Podcast – BBC.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

LOVE, LOVE, LOVE YOU AND YOUR PODCAST SERIES!!!!!! You inform and keep me laughing till the tears fill my eyes!!
Cheers from Nova Scotia (on the East Coast of Canada, Graham... LOL)