Smashing Security podcast #315: Crypto hacker hijinks, government spyware, and Utah social media shocker

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden’s commercial spyware bill, and Utah gets tough on social media sites.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Register’s Iain Thomson.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were. Maybe in a few weeks' time we'll have left open that vulnerability.
CAROLE THERIAULT
We'll give you a job!
GRAHAM CLULEY
And you can have another go. Yes, so maybe you could work in our security team.
CAROLE THERIAULT
You can join our non-exec team.
GRAHAM CLULEY
We'll send you a t-shirt.
Unknown
The delivery man might be wearing blue and have a pointed cap. Smashing Security, Episode 315: Crypto Hacker Hijinks, Government Spyware, and Utah Social Media Shocker, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 315. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we're joined this week by who exactly?
CAROLE THERIAULT
By the wonderful Iain Thomson of The Register. Hello, sir.
IAIN THOMSON
Hello there. Good morning from— I would nearly say sunny California, but it's chucking down outside at the moment.
CAROLE THERIAULT
Yeah, I keep reading about horrific weather in California. Has it been wacky crazy for you?
IAIN THOMSON
It has been a very wet winter, but bring it on, say I. The reservoirs are filling up nicely. We've got snowpack, record snowpack in fact, in some areas.

The only thing is it's sometimes a bit too snowy.
CAROLE THERIAULT
Not used to shoveling.
IAIN THOMSON
Well, no, I mean, obviously we don't get it down in the Bay Area, but I mean, a friend of mine drove up to Tahoe and they had to put snow, stop and put snow chains on, but there were people getting stranded in the Donner Pass and you'd think Donner Pass, you know, that name means something.

It's like if there's a cafeteria along there, check your food.
CAROLE THERIAULT
Yeah, yeah, yeah, yeah.
GRAHAM CLULEY
Do they serve doner kebabs in the Donner Pass?
IAIN THOMSON
You cannot get a decent kebab over here for love nor money.
CAROLE THERIAULT
Well, before we kick off, let's thank this week's sponsors: Bitwarden, Kolide, and hCaptcha. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be telling a chaotic chronicle of crypto crime.
CAROLE THERIAULT
Oh, that's hard to say.
GRAHAM CLULEY
It is.
IAIN THOMSON
I'm just going to say, don't do that with a skinful. The Biden administration has kind of banned commercial spyware, but not really.
CAROLE THERIAULT
And I'm going to see what's shaking in Utah. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, I've got a tale of cryptocurrency crime. I don't know if you are crypto investors. I somehow doubt that you are, but, you know, surprise me.
CAROLE THERIAULT
No.
IAIN THOMSON
Nope, haven't touched it.
CAROLE THERIAULT
I thought crypto was dead. Is crypto still—
GRAHAM CLULEY
No, no, no, no, no, no, no, no, no, no, no, no. Lots of people are very, very keen. Maybe there's a reason why some people are a little bit skeptical about it.

I don't know, perhaps there is. A couple of weeks ago, hackers managed to steal, I think it's $197 million US worth of cryptocurrency from a lending platform called Euler Finance.

Not that big a deal, $200 million. According to some records, the 26th largest crypto theft ever. There is—
CAROLE THERIAULT
Isn't that kind of shocking? We have to say, this is not real money. Can we agree on that?
GRAHAM CLULEY
Well, in some cases it's real money, isn't it?
IAIN THOMSON
I mean, if it's converted.

But I mean, at the same time, it's kind of understandable this is happening because, to use the oft-misquoted quote from over here, that's where the money is.
GRAHAM CLULEY
Anyway, it does seem hackers managed to steal around $197 million worth of cryptocurrency from Euler Finance, and it sent its investors into a blind panic.

Anyone who had their money hidden away over there, almost 100% of user deposits were found to be under the hacker's control.

And you hear these kind of stories all the time, don't you, of crypto firms losing the money or having suffered a vulnerability or wallets being emptied.

It's every few days there'll be another one of these.
CAROLE THERIAULT
For the people who've lost the cash, it's a big effing deal, right?
GRAHAM CLULEY
Right. Yeah, it is a big deal. But normally when these stories happen, you hear about the theft and that's pretty much the end of the story. Maybe the company goes bust, but—
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
You know, it's well, whatever happens to that, it's just replaced by another story of cryptocurrency theft. But no. Not in this case.

This wasn't the end of the story because a few days after the hack, Euler Finance sent out a message on the old blockchain saying that the hacker could keep 10% of the $200 million that they'd stolen if they would do them the pleasure of returning the rest of the money within 24 hours.

So they said, look, we'll let you keep 10%. Please, please, pretty please.
CAROLE THERIAULT
Does that mean we won't report you and we won't get the cops involved if you do this?
GRAHAM CLULEY
I imagine they probably haven't identified this person. They have a means of speaking to them via the chain.

They can chat to them that way, send them encrypted messages, but they haven't really got a clue who did it, but they're just sort of saying, look, keep some of it, but give the rest back to us.

Otherwise, we're done for.
CAROLE THERIAULT
Well, what would be the incentive for the criminal?
GRAHAM CLULEY
Well, maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were.

Maybe in a few weeks' time, we'll have left open that vulnerability.
CAROLE THERIAULT
We'll give you a job.
GRAHAM CLULEY
And you can have another go. Yes. So maybe you can work in our security team.
CAROLE THERIAULT
You can join our non-exec team.
GRAHAM CLULEY
We'll send you a t-shirt. You know, there's all kinds.

The thing is, once you've got them to keep, you know, however much it was, $20 million worth, say, you just keep that for yourself.

They may say, look, you know, we'd like to tie a bow around it. We'd like to send you some merch. Could you give us your name and address? So we're doing it for this team.
CAROLE THERIAULT
There might be—
IAIN THOMSON
The delivery man might be wearing blue and have a pointed cap.
GRAHAM CLULEY
Anyway, that didn't happen. The money didn't get returned to them.

And so 24 hours later, they publicly announced that they were launching a $1 million reward for information leading to the hacker's arrest.
CAROLE THERIAULT
This is Euler Finance.
GRAHAM CLULEY
This is Euler Finance who did this. And you'd normally expect that to be the end of the story. But no, no, no, no, no. That wasn't the end of the story.

It wasn't the last you ever heard of this, because last week another hacker, someone who'd been linked to a $500 million theft from another—
CAROLE THERIAULT
Chump change.
GRAHAM CLULEY
Another cryptocurrency firm called Ronin. He stole some private keys, he accessed their crypto funds, he made off with funds.

He joined the story because the Ronin hacker sent an encoded message along with a couple of bitcoin, ether cryptocurrency, to the Euler Finance hacker, saying to them, hey, look, I've got this message for you.

You can decrypt it using this tool on GitHub, using your private key that controls the stolen Euler funds, right? He said, just to make sure it's— No. Just to make sure it's—
IAIN THOMSON
No.
CAROLE THERIAULT
It's like handing someone the key and say, okay, now you go to the castle and open the door.
GRAHAM CLULEY
About the dragon lying behind.
CAROLE THERIAULT
Yep, he's snoozing.
GRAHAM CLULEY
So security analysts were curious about it.

So they saw this message and they checked out the GitHub repository for this encryption tool, and they saw that it contained a security vulnerability.

And the thought was that the Ronin hacker was trying to do a dirty, trying to phish the Euler hacker to get their private key and presumably—
IAIN THOMSON
Then steal the funds.
GRAHAM CLULEY
Steal the funds from them. So it's hacker versus hacker. Meanwhile, Euler Finance is, "Hello?" Well, Euler Finance, who still want their money back—
CAROLE THERIAULT
Of course! Or 90% of it.
GRAHAM CLULEY
Do you know what they did? They told their hacker that he should be very careful about using that encryption tool. They didn't want their hacker hacked.
CAROLE THERIAULT
But why do you groan, Iain? I mean, I probably wouldn't want two hackers having access to my data if I could try and avoid it.
IAIN THOMSON
No, but it's so convoluted and so, I mean—
GRAHAM CLULEY
It's ridiculous.
IAIN THOMSON
We talk about the rewards of sin, but I mean, these people are literally making millions out of this.

So it's just, I find it incredibly frustrating that they couldn't have sorted their security out in the first place, but still, that's just me.
GRAHAM CLULEY
Well, that's crypto firms born out of nowhere, you know, within a few weeks they're up and running and their security is not well founded.

So there is some weirdness going on in the relationship between the Euler hacker and the Ronin hacker, because there's some evidence that the Euler hacker had previously sent some cryptocurrency to the Ronin hacker.

So we don't really know what's going on here. Are they part of the same gang? Are they trolling us? Are they trying to catch each other out?

Is this some kind of crazy false flag trying to get people looking in the wrong direction? It's mad, it's weird.
IAIN THOMSON
Kind of made me think about the Poly Network case. Do you remember that from a couple of years ago?
GRAHAM CLULEY
Oh, what happened there?
IAIN THOMSON
Well, basically it's a very similar scenario. Poly Network were just basically, they got their cryptocurrency hacked to the tune of $610 million.

And then they were passing this stuff backwards and forwards.

This guy took all the money and then they sent him a message via the chain, as in this case, saying, look, return X amount of the funds and we will pay a bug bounty to you, a significant bug bounty.
GRAHAM CLULEY
Aha.
IAIN THOMSON
And declare that this was a white hat action, so the police won't be so interested.

That really annoyed an awful lot of people, not only just at the FBI, but also in the security community. It's just, right, can't retroactively say this is a white hat situation.
GRAHAM CLULEY
No.
CAROLE THERIAULT
Yeah, yeah, yeah.
IAIN THOMSON
So yeah, in the end all the funds got returned. And the hacker basically decided this was more trouble than it was worth.

Eventually, over the course of 15 days, returned all of the funds and Poly Network, coming back to my original point, started a bug bounty program.

This one is offering $100,000 for any hits. So yeah, sort your security out, people, you know, get a bug bounty program in place.
GRAHAM CLULEY
So I thought at this point it would be the end of the story. I thought there'd be no more to this.

But no, because in another twist in the tale, some of the hackers who claim to be involved in the Euler Finance exploit have recently been vowing to give detailed information about the other Euler hackers to Euler.

So they sent out a message saying, well, look, hey, look, we've got detailed information about the hacker.

"If you still are offering 10% of the bounty, we'll be prepared to give it to you." What, information on Ronin? Oh no, no, information, I understand it's coming back.
IAIN THOMSON
On the original hack, right?
GRAHAM CLULEY
Information on the original Euler Finance hacker.
CAROLE THERIAULT
Oh, okay, okay. So it's an inside leak.
GRAHAM CLULEY
Exactly, exactly. And there's another person as well claiming to be Euler exploiter number 3.

And he's posted up an email address and asked Euler to contact them if they want the beans. So everyone's now— some of them are now saying they're uninterested in the bounty.

Others are saying they are interested in the bounty. But there's all this information and people pointing in all different directions as to who this hacker could be.

And you would think that that would be the end of the story. But no, no, no, no, no.

Because now the original Euler hacker has been communicating with Euler Finance saying, "I had no intention of keeping what isn't ours.

I want us to come to an agreement." And Euler Finance said, "Okay, look, let's talk in private about this. You know, you can contact us this way." Get offline. Yeah. Exactly. You know?

And they've now had over $100 million worth of the stolen cryptocurrency returned to them.
CAROLE THERIAULT
Half the funds, yeah.
GRAHAM CLULEY
Half of the funds so far.

And this guy, this hacker who's now calling himself Jacob, he's posting a message saying, "I don't think what I say will help me in any way, but I still want to say it.

I fucked up." He says, "I didn't want to, but I messed with others' money, others' jobs, others' lives. I really fucked up. I'm sorry. I really didn't fucking mean all that.

Forgive me, forgive me, forgive me." So far, as of this recording, $120 million has been returned.
CAROLE THERIAULT
What, 'cause no one will transfer more than $20 mil at a time?
IAIN THOMSON
Is that the problem?
GRAHAM CLULEY
Well, I don't know if you've ever tried. Sometimes.
CAROLE THERIAULT
Oh yeah, regularly I shift that kind of money.
GRAHAM CLULEY
Maybe there are some security checks in place, you know, making it more difficult to move large amounts of funds.

Maybe this is as much of a nuisance for the criminals as it is for the rest of us when we try and move money around. I don't know. But for now, that is the end of the story.
CAROLE THERIAULT
Elon Musk is going, "Use my account, use my account." Yeah, yeah.
GRAHAM CLULEY
Although apparently Twitter's now worth half of what it was worth when he bought it.
IAIN THOMSON
Yes, or less, slightly less than half. But he does say that he believes that it'll be worth $250 billion. Bitcoin at some point in the future.

But we know what Musk is like with deadlines and promises.
GRAHAM CLULEY
So cryptocurrency, have I convinced either of you to invest in crypto?
CAROLE THERIAULT
Yes, I'm going to do it right now.
GRAHAM CLULEY
Iain, what's your story for us this week?
IAIN THOMSON
Well, as I say, news from across the pond.

President Biden issued an executive order on Monday, which goes by the snappy title of Executive Order on Prohibition on Use by the United States Government of Commercial Spyware That Poses Risk to National Security.
GRAHAM CLULEY
Snappy.
IAIN THOMSON
Yeah, snappy, but also slightly misleading.

I mean, basically the executive order is saying that the US government can't use commercial spyware if it's determined that the spyware is either insecure or it's being run by a company that's hosted in a government which the US considers slightly dodgy, or if it's being used to spy, or if the company's products are being used to spy on US citizens.

Basically also government departments are going to have to draw up a list of where they've used this spyware, who they've used it against, and the rest of it.

But it's the nationality and the sort of, you know, is it being used against US people ones, which I think this one falls down on because that's pretty much every commercial spyware vendor, I would have thought.

I mean, NSO Group might be able to get away with it.

Israel is considered a friendly country over here at the moment, but you know, NSO stuff has also been used to spy on US citizens, so that would presumably take it off the list.

It just seems it's got so many holes running through it.
GRAHAM CLULEY
It seems weird. If it's commercial spyware, then surely someone will have used it against US citizens.
IAIN THOMSON
Exactly. I mean, you'd think it's utterly bonkers.

Also, this was slightly disturbing in that I'd always assumed that the NSA and you know, cyber control and that sort of thing, roll their own.

They don't actually buy from commercial vendors. But it appears not. If they felt the need for this executive order, then someone's got to be using it.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And did you say they also have to create a list of who they've used the spyware against?
IAIN THOMSON
No, they've got to create a list of which commercial spyware they've used. So they're not going to have to identify targets, right.

But they are, it is gonna have to be assessed as to which departments are using this on a commercial spyware basis.
GRAHAM CLULEY
And are they gonna keep that list in a secure fashion so it doesn't fall into the wrong hands?
IAIN THOMSON
Well, I gotta say, when I read through this yesterday, my first thought was FOIA request, get it up there. Yeah, right.
CAROLE THERIAULT
I don't understand how anyone would know where their spyware actually comes from.
IAIN THOMSON
Well, I mean, it was commercial then, you know, NSO's based in Israel. We've got Gamma, I think it's Gamma International.

These companies keep changing their names on a regular basis. That was first based in the UK, and I think it's now in Italy.

These companies, as I say, they change their name an awful lot. They move around an awful lot.
CAROLE THERIAULT
And locations. Exactly.
GRAHAM CLULEY
Would it be helpful if there was a law which insisted that commercial spyware, upon boot-up, upon starting your computer, played the national anthem of the spyware that was operating on your computer?

That would—
CAROLE THERIAULT
It wouldn't be very good spying though.
IAIN THOMSON
I can say, I suppose so.
GRAHAM CLULEY
I suppose so. You're right, you're right.
IAIN THOMSON
I hadn't thought of that. It's why is my computer playing the Saudi Arabian national anthem?

Let's say, which— Oh no, I don't know if you're Formula 1 fans, but it was the Saudi Grand Prix last one, and they played the national anthem, and it was amateur hour.

I mean, I don't know who they got to do this, but I mean, it looked sort of the local misfits who didn't know how to play instruments.
GRAHAM CLULEY
Just in case any members of the Saudi royal family are listening to the podcast today, we'd like to explain that those were the views of Iain Thomson, not of the hosts of the podcast.
IAIN THOMSON
I've spent a week there and I'm never going back, so thanks.
GRAHAM CLULEY
They'll come to you, they'll come to you, Iain.
CAROLE THERIAULT
And do you think people, these companies, just getting back to your story, do you think people know what spyware they have used in the past? Like they have their own list?
IAIN THOMSON
Yeah, I mean, presumably they've got invoices. This is the US government, they've got paperwork for everything.
CAROLE THERIAULT
And couldn't US government start using non-commercial spyware to do certain things just to bypass the law?
IAIN THOMSON
If they are, they're not going to tell us about it. I think it's one of these things where, you know, if you have to admit that it's there, then that's half the battle lost already.

I mean, I have absolutely no doubt that they've got their own stuff.
GRAHAM CLULEY
Well, I suppose if they don't, if they can't buy commercial spyware to use, they can always ask their nephew Kevin or something.

Maybe you could— you're good at computers, could you write us some spyware? 'Cause we need to spy on so-and-so for it. That would work.
IAIN THOMSON
I don't know, I think it would have worked a while back, but heuristics—
GRAHAM CLULEY
So your view is that this legislation is—
IAIN THOMSON
It's a lovely piece of PR. It may help, and frankly, I don't think the US government should be using commercial spyware, because there's a dual risk there.

You know, it's you're trusting the spyware vendor to say, no, no, no, our code only spies on the people that you choose and doesn't have any backdoors in there to these highly sensitive government servers which we're running off.

But that's just me. I'm sneaky.
CAROLE THERIAULT
Why would a government want to use it, do you think? Other than FBI and that kind of ring, would they use it for bossware? You know, does that fall into this?
IAIN THOMSON
Oh, I don't think, I wouldn't have thought so. I think this is basically for targeting intelligence targets.
GRAHAM CLULEY
Mm-hmm.
IAIN THOMSON
Maybe domestic. It gets tricky if they're actually looking at US citizens, but you'd need a warrant for that.

But, you know, the courts are usually perfectly happy to pass those warrants out, even if they have to be got after the spying went on.

There is a certain amount of delay that you can build into the process so that intelligence agencies can do the spying and then retroactively ask for permission, and it's usually granted.
GRAHAM CLULEY
So for the regular person in the street who might be worried that they're being spied on, whether it be by their government, another government, or, you know, Freddy next door, whoever it might be.

It's the usual rules that apply. Keep your computer up to date with security patches. Patch against vulnerabilities. Be careful what you run on your computer. Run security software.
IAIN THOMSON
Don't run attachments.
CAROLE THERIAULT
Turn your machine off and unplug it from the internet.
GRAHAM CLULEY
Exactly. Put it in the fridge.
CAROLE THERIAULT
Mm-hmm.
IAIN THOMSON
Oh, no, microwave. Always the microwave. It really cleans out those chips. Ladies and gentlemen, that was a joke.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Well, interesting that you talked about legislation because, you know, I'm regularly advocating for more legislation around social media.

You know, I'm always thinking these giants need to be forced to be more accountable for the actions, right? That's my view.
IAIN THOMSON
I would like to see some controls on it. I just don't see how they're going to be implemented. Honestly, social media is largely a bad thing, but it has its uses.

I do find that the growth of TikTok to be particularly worrying, but still, that's another story.
CAROLE THERIAULT
No, but it's part of the social media family, isn't it? I'll introduce you to Spencer Cox. He's the current governor of Utah.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
And he describes himself as a centrist, moderate, liberal Republican.
IAIN THOMSON
Okay.
CAROLE THERIAULT
This is from Wikipedia. And this is a stance that has apparently earned him some critics, probably based more on the righty side.

But his recent actions have afforded him a much different spotlight. And for this story to have context, you kind of need to know a few things about Utah.

One, it's kind of known as the home of Mormons—
IAIN THOMSON
Church of the Latter-day Saints, as they prefer to be called.
CAROLE THERIAULT
Oh, sorry. Okay, home of the Church of Latter-day Saints. And they make up a large proportion of people who live in Utah, and drinking is frowned upon in this church.

And maybe that's why the state has some of the most stringent alcohol laws in the land.

Like, you can't drink until you're 21, no alcohol can be sold later than 1 AM under any circumstances, and beer sold at convenience stores, grocery stores is capped at 4%.
IAIN THOMSON
It used to be the case that if you wanted to go to a pub, you had to pay a $5 membership fee because it was only allowed in members clubs. Which, yeah, it's a very strange sight.

Great skiing there.
GRAHAM CLULEY
I've never been there. I've never— is it good, Iain? Are you a fan of Utah?
IAIN THOMSON
Oh yeah. I mean, I've got relatives out there, so I— up in Park City, and it's literally Olympic-class skiing. They did have the Winter Olympics there, I think.

And it's an oddish sort of a place because it's very clean, there are very few homeless, but then you do go things like go to the Mormon shopping mall, which is just for Mormon shops.

So had to go in there and look around.

And the bookshop is, I mean, the science fiction section was just basically Orson Scott Card, 'cause he's the only, you know, really well-known Mormon writer or something.

And it was just like, what the hell?
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Now Gov Cox has a bee in his bonnet about social media.

He tweeted recently, more than once actually, that protecting young Utahns from harms of social media is one of our top priorities, exclamation point, he says.

And he writes Utahns, so U-T-A-H-N-S.
IAIN THOMSON
Yep, it is a strange state.
CAROLE THERIAULT
Yeah, we all know that protect the kid messaging is nothing new in political campaigns, right? It often resonates well with exasperated parents and guardians.

So see what you make of this, because back in January, Gov. Cox held a press conference.

And at this conference, he made many statements disparaging social media, things like, we know that social media causes harm. We know that social media can lead to cyberbullying.

He said mental health was taking a beating and that social media platforms know this but are doing nothing.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And I think, you know, I would agree with that. And certainly in my echo chamber, that's what I see, right?
GRAHAM CLULEY
Oh yeah. Yeah.
CAROLE THERIAULT
And I'm not on it, so I can't really, you know, say from a user point of view, but I stay off it because of those concerns.

Gov Cox reportedly said that the situation requires action, and late last week, action was taken in the form of a sweeping social media bill.

And he says these are the first of their kind bills in the United States. That's huge, he says.

So these two laws are collectively known as the Social Media Regulation Act, and they are to take effect on March 1st, 2024, so in less than a year.

The first bill, SB 152, requires social media companies to verify the age of any Utah resident with an account on their services.
GRAHAM CLULEY
Okay, how are they going to do that?
CAROLE THERIAULT
Actually, that's still very nebulous. Listen to this. One of the stipulations is that under-18s will have to get permissions to sign up for an account.

It's the first state law in the nation that will prohibit social media service from allowing users under 18 to have the accounts without explicit consent of their parent.

But how do you do that without asking everyone their age?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Now at the moment, under COPPA law, which is the child protection or privacy laws, you have to basically ask the user, "How old are you?" And if they say "I'm 56," then you have to believe them.

That's fine. So this is going to demand people probably handing in proof of age, probably driver's licenses, passports.
IAIN THOMSON
Credit cards.
CAROLE THERIAULT
Credit cards.
IAIN THOMSON
And all this creates an enormous volume, vault of information, which is just what hackers are looking for.
CAROLE THERIAULT
Right. And it also creates a lot of legit information, which may be useful to social media companies because a lot of people spoof information there, don't they?
IAIN THOMSON
Oh, yes.
GRAHAM CLULEY
Yes, that's true.
CAROLE THERIAULT
As you can imagine, there's a lot of privacy advocates that are very much against this because they're saying, "Well, you're basically taking away the right to be anonymous online."
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
Right. Also, part of this law is parents can see everything you post. So say they agree, they say, "Okay, you can have an account." Parents can see every post and message.

What do you think about that? Because these are kids, these are people that are not considered adults.
GRAHAM CLULEY
Yes.
IAIN THOMSON
I mean, I do think there are some things parents shouldn't know about what their children get up to online, but I can see parents loving it, certainly.
CAROLE THERIAULT
No, but I'm thinking, you know, say five kids have diaries. I'm sure one or two parents are going to snoop and read it.

And I'm sure the other three would never dream of doing that unless there was a mega problem.
IAIN THOMSON
Yeah. But as you said, "snoop," this is the essential side of it.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
I just think the kids aren't going to be happy with this.

Surely what the kids will do is they'll have an older brother or sister in their early 20s and they'll say, "Can I borrow your ID?

Because I want to create an Instagram account or whatever it may be."
CAROLE THERIAULT
Yeah. But maybe they'll do only one account per ID.
IAIN THOMSON
Yeah, could be.
GRAHAM CLULEY
Maybe, but I think there'd just be a flourishing black market for fake ID. I mean, it's not as though kids haven't got fake ID before to pretend to be older than they really are.
CAROLE THERIAULT
Yeah.
IAIN THOMSON
Very common over here, yes. It's one of these things where it's kind of like mice holding a vote to say, "Yes, make sure the cat has a bell around its neck. Now, how do we do it?

We haven't worked that one out yet." It seems like one of those—it looks like a PR stunt.

And there's also—I don't know if you're going to go on to this, Carole, but the curfew aspect.
CAROLE THERIAULT
Oh yeah, yeah.

So that's the other one as part of SB 152, is that basically parents have to allow a kid if they want to do any social media between 10:30 PM and 6:30 AM, when Governor Cox thinks you probably should be in bed.
GRAHAM CLULEY
Oh, so you'll have to get your parents' permission to be on social media in the hours of darkness when all the satanic stuff happens on social media.

Because of course, nothing bad happens during the day. It's only after 10 o'clock at night. Although I suppose it's more being done for them to get some sleep—is that the thought?
CAROLE THERIAULT
Yeah, but the bills are signed. Now, of course, lots can happen between a bill signing and the actualization of the law, which is, you know, again, March 1st next year.

And there's no surprise that privacy advocates are pointing out the identity verification rules take away rights to use the services anonymously because you have to verify every user agent.

I don't know. Do you think we should have a right to be legally anonymous on social media?
IAIN THOMSON
A difficult one.
GRAHAM CLULEY
I think it'd be terrible to lose anonymity on the internet. There's lots of good stuff and resources people can use, people who have a very legitimate reason to remain private.
CAROLE THERIAULT
On social media sites as well, eh?
IAIN THOMSON
I think so. This is one of the things I liked about Twitter's verified accounts, was that they were at least somewhat verified.

But, and we're kind of with Graham on this one, there is a need for anonymity, or even just a desire for anonymity.
CAROLE THERIAULT
Yeah.
IAIN THOMSON
The old advice I used to get from Guy Kewney was you never post anything online you couldn't cheerfully justify to your local newspaper.

Anonymity's important, but also I think with the curfew, how is that going to be enforced?

It'll be down to ISPs and they can't say, right, it's 10:31, let's switch off all the social media and YouTube.
CAROLE THERIAULT
Yeah, yeah, you're right.
IAIN THOMSON
Because people have got exceptions. So I'm not quite sure how that's going to work either.
GRAHAM CLULEY
This is why— this is what interests me about this is why is this guy actually doing this?

It doesn't feel to me like he's actually going to come up with the answers as to how this will be implemented.

It feels to me like he's saying, look, I'm going to do this first of all, because it's good for my image because the parents who are going to vote for me hopefully will be supportive of what I'm saying here is that social media is corrupting our kids, etc., etc.
CAROLE THERIAULT
I'm being tough on it.
GRAHAM CLULEY
The other thing is he's basically saying, yeah, not my problem. This is the law. This is the legislation.

You social media companies, you work out how the hell you're going to implement this. And if you can't—
CAROLE THERIAULT
Yeah, he says he's going to work with them. Right. I think he's going to be asking them to come up with a solution.
GRAHAM CLULEY
And if they can't, what's going to happen? They're going to get fined or there's going to be some form of action against them, isn't there?
CAROLE THERIAULT
Tell me the second bill. I want to know if you think it's a sweetener for kids.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Second bill, HB 311, requires social media companies to ensure that they are not designed to cause minors to become addicted to them.

And it gives Utah minors the right to sue social media companies if they believe they've become addicted or otherwise somehow harmed by a social media platform they have an account on.
GRAHAM CLULEY
Well, this one I'm right behind. I love the idea of all these teenagers now suing the social media companies. Oh, well, I've become addicted to this TikTok nonsense.
IAIN THOMSON
Yeah.
GRAHAM CLULEY
It's going to cripple the social media companies if that's allowed, isn't it?
IAIN THOMSON
Well, I mean, a guy from us, Thom Claburn, who covered this for The Reg, he had a lovely line here.

When it comes to suing, it's just like, whether letting parents sue social media platforms for ostensibly addicting their kids will improve adolescent mental health, or may these serve as a college funding option, remains to be seen.
GRAHAM CLULEY
Brilliant.
IAIN THOMSON
Keep tapping, Alice, we need 40 more instances of harm to cover your next 4 years at school.
CAROLE THERIAULT
Fantastic.
IAIN THOMSON
It's, but I mean, also it's gonna be easy enough to prove because the whole point of social media design is to pull you in and to make you use it more and more and more.

That sort of builds into the fundamental essence of the platforms.
CAROLE THERIAULT
Well, understandably then, maybe they're saying, hey, you better take this seriously, otherwise we're going to prohibit kids from using it without parents saying okay.

And they're not alone, right? This is not the only state.

Utah is the first one to pass it, but Arkansas legislation is looking to introduce a similar bill that would require social media networks to verify users' ages and obtain explicit parental consent for people under 18.

There's one in Texas that's even more stringent. It would ban social media accounts for minors, period.
GRAHAM CLULEY
I've got a question. So they're doing this, right? So parents have to give the kids permission.
IAIN THOMSON
Mm-hmm.
GRAHAM CLULEY
When are we going to start implementing a system whereby the grown-up parents, the grandparents, have to ask permission, maybe from the kids, maybe from their own children, in order to go on social media?

Shouldn't we have some more policing regarding the rest of us? Why aren't we all being protected?
IAIN THOMSON
You just want some of that sweet Facebook cash, don't you?
GRAHAM CLULEY
There's a lot of people who shouldn't be on social media who are reading all that nonsense all the time and could do with taking a break.
CAROLE THERIAULT
I agree, Graham. I agree.
IAIN THOMSON
Yes.
GRAHAM CLULEY
Why do you say Graham there?
CAROLE THERIAULT
Graham.
GRAHAM CLULEY
Was that pointed?
CAROLE THERIAULT
No, but yes, but no. This episode is sponsored by hCaptcha. Are cyber threats negatively impacting your business?

Unleash powerful fraud protection for your online properties with hCaptcha Enterprise, the leading security ML platform.

hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats.

Whether your bad actors are human or automated, hCaptcha Private Learning is the solution.

Easily combine your pre-blinded data with hCaptcha's thousands of signals to rapidly find fraud and abuse in real time.

hCaptcha's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com/hcaptcha. That's h-c-a-p-t-c-h-a, to get started with a free trial today.

And thanks to hCaptcha for sponsoring the show.
GRAHAM CLULEY
Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution.

Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.

Logging in with a device is a passwordless approach to authentication.

It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.

With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.

Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.

And of course, existing accounts can also update themselves to the same level.

These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more.

Try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
CAROLE THERIAULT
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How?

If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.

Kolide patches one of the major holes in zero trust architecture: device compliance.

Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.

Insecure devices are logging into your company's apps, but there's nothing there to stop them.

Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.

The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.

Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing.

That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
IAIN THOMSON
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, two weeks ago I took you on a trip to Bollywood and I told you how wonderful a movie from 50 years ago, nearly 50 years ago, Sholay is.

Now I'm not going back as far in time this time. I'm going back to last year.

One of the most expensive Indian films ever made, according to The Guardian, one of the best films from any country, which was produced last year.

So it's in their top 10 films of the year.
CAROLE THERIAULT
And it's called?
GRAHAM CLULEY
It is called— well, I'm not sure what it's called.
CAROLE THERIAULT
Oh.
GRAHAM CLULEY
I can tell you— because I don't know how to say it. It's 3 letters. It's RRR. So is that— Rrrr. Is it RRR or is it RRRR? I don't know.
CAROLE THERIAULT
I can't help you, Iain. Sorry.
GRAHAM CLULEY
But it's the letters RRR, and it is a fantastic action movie. It is set, it's an epic saga set in pre-independent India. So it's basically the Indians versus the British Raj.

Once again, the British are the enemy, quite right too. Two Indian men on opposite sides of the political divide. One is working for British forces as a cop.

The other one is trying to rescue a girl who's been kidnapped from his local village. And it is bonkers. It is as action-packed as any Hollywood movie you've seen in years.
CAROLE THERIAULT
The plot seems pretty straightforward though, no?
IAIN THOMSON
Sometimes the simplest plots are the best.
CAROLE THERIAULT
That's true. That's true.
GRAHAM CLULEY
These two guys start off as enemies, then become the very best of friends, and then become mortal enemies again. There's a lot of twists along the way.

I don't want to give it away, because this movie lasts 3 hours.
CAROLE THERIAULT
Did you stay awake for the whole thing?
GRAHAM CLULEY
It's another long movie. I stayed awake, and there was even CGI. I even stayed awake during the enormous amount of CGI, because there's tigers and animals and crazy action scenes.
IAIN THOMSON
Yeah.
GRAHAM CLULEY
This must be the only film I've ever seen where someone is giving someone else a piggyback because he's hurt his feet.

And the guy on top has got the machine guns and is shooting people left, right and center as he's being carried along on someone's piggyback.

And they're doing jumps and they're climbing up ladders again on piggyback from each other. It is nuts.

Now, there are a couple of grisly scenes which I think make it— there's a particularly unpleasant scene, not for kids, I'd say, which is a shame because otherwise this would have been great for kids.

RRR gets my pick of the week. Great movie. And it's on Netflix. Did I say that? It's on Netflix. You can watch it for free. Watch it tonight. Go on. You'll enjoy it.

Iain, what's your pick of the week?
IAIN THOMSON
Well, actually, stumbled across this one last night, was giving it a reread. It's a book called He Died with a Falafel in His Hand by the Australian author John Birmingham.

Subtitle: Hilarious True Stories of House-Sharing Hell. And Terry Pratchett thought it was his book of the year when it came out. And he has a lovely quote on the back.

You'll read it with horrified amusement. And if you've ever shared a flat, the occasional wince of recollection.

Now, in this case, this is a guy who basically spent 10 years going from house share to house share in Northern Australia.

And some of the stories are just— I've stayed in some really grotty houses, but I have never seen a board put up in the bathroom with the longest pubic hair pulled out of the shower drain and a competition to see who could get the longest one.

You know, it's that kind of descent into madness.
CAROLE THERIAULT
I think I can beat that.
IAIN THOMSON
Really?
CAROLE THERIAULT
I once stayed with a friend in an apartment, overnight, just one night. And there was a stain on the television. A man stain on the television. A dried man stain on the television.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Yes.
IAIN THOMSON
That's— Oh, good grief. That's just gross. I mean, yeah, okay. Nothing quite that bad, but lots of stories.

One thing I'd forgotten about, apparently the Australians call weed or jazz cigarettes or whatever you want to call it, they call them cones.

'Cause they roll a big cone and then just, yeah, it's a very— an awful lot of drug-fuelled mayhem.

The title itself comes from a housemate who was crashing with them for a couple of days and went out for a falafel, came back, injected heroin, and died on the floor.
GRAHAM CLULEY
Oh.
IAIN THOMSON
And so he died with the falafel in his hand, became the title.
CAROLE THERIAULT
Cheery.
IAIN THOMSON
Cheery, but also it's one of those books, when I first bought it, I was reading it on the Underground, and it was one of the books that actually made you laugh out loud when you were reading it.
CAROLE THERIAULT
Oh, brilliant.
IAIN THOMSON
And I looked up, and there was a bloke staring at me. And he reached into his bag, and he pulled out a copy of the same book. He was like, brilliant, isn't it?
GRAHAM CLULEY
You know?
CAROLE THERIAULT
Oh, that's a lovely moment.
GRAHAM CLULEY
And Iain, I've just looked it up on the internet. There's a movie version of it.
IAIN THOMSON
Really? No, I didn't know that.
GRAHAM CLULEY
There's an Australian comedy-drama film.
IAIN THOMSON
Oh, good lord. They'd have to either put a very heavy rating on that or tone it down a bit.
GRAHAM CLULEY
Came out 20 years ago, so you can go and check it out if you want. And a graphic novel version as well.
IAIN THOMSON
I don't think I want the graphic novel version, to be quite frank. Might be a bit too graphic.
GRAHAM CLULEY
Fantastic.
IAIN THOMSON
Excellent.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week should be Root Canal. 'Cause I had root canal yesterday. And let me tell you, a hell of a lot of nerve pain before.

And actually I love root canal because I was in a lot of pain until I had the very expensive procedure, which has allowed me to talk today.
GRAHAM CLULEY
So you're all right now. You sound okay.
CAROLE THERIAULT
I sound great. I'm a little sore. I feel like someone sucker punched me in the jaw.

But otherwise, however, I decided to instead select a single episode of a new series called Swarm, which I found streaming on Amazon Prime. Now here's the blurb.

Swarm is an American satirical psychological horror thriller television series created by Janine Nabers and Donald Glover. And all I can say is holy freaking crapola.

The end of the first episode is like capital D dark. And unpredictable and kind of nasty. So, it's played by Dominique Fishback. She plays Dre, and you cannot take your eyes off her.

She's an unusual, gripping lead. I loved her, loved her, loved her. And she's this young, aimless girl, gaga for a pop star. When I say gaga, I mean she's totally obsessed.

And this obsession leads her to take a dark turn, and then another darker turn, and then one that she'll never recover from. And that's just episode 1!
IAIN THOMSON
Well, good grief.
CAROLE THERIAULT
It felt like a whole movie in itself. I'm nervous as hell about where it's gonna go next, so I haven't watched it in the last two nights.
GRAHAM CLULEY
What?
CAROLE THERIAULT
I'm not sure I can watch more, but I'm still recommending episode 1. Again, viewer caution, not for kids.
GRAHAM CLULEY
What's it called again, Carole?
CAROLE THERIAULT
Swarm. Swarm. Streaming on Amazon Prime. You've been warned. It's funny too. There are funny bits.
GRAHAM CLULEY
Okay.
IAIN THOMSON
I thought for a second you were gonna say The Swarm, the terrible Michael Caine film.
GRAHAM CLULEY
Oh, I remember seeing that at the cinema way back then.
IAIN THOMSON
It's hilariously bad. I mean, I know he was getting hit by the tax authorities left, right, and center, but—
GRAHAM CLULEY
Killer bees.
IAIN THOMSON
You know, when this sickly train dad comes up, "But the bees have always been our friends." And it's just like, oh God, Michael.
CAROLE THERIAULT
I remember that. I watched that as a kid and it scared the living shit out of me. I used to have nightmares.
GRAHAM CLULEY
Really?
CAROLE THERIAULT
They're coming up from South America through America, aren't they?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And I lived in Canada and I was petrified.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
I don't know how old I was. I'm sure it was under 10.
IAIN THOMSON
Well, there's a whole swath of films like that.

If you ever get the chance, see Night of the Lepus, which is about rabbits hiding in an abandoned radioactive nuclear waste dump that suddenly turn giant and start biting people's heads off.

It's just amazing. All I can assume is that in the pitch meeting for the film, everyone was doing a lot of cocaine.
CAROLE THERIAULT
Well, there you go. That's my pick of the week, Swarm, now streaming on Amazon Prime. Watch with caution.
GRAHAM CLULEY
Bonkers. Well, thank you very much, Carole and Iain. That just about wraps up the show for this week. Iain, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to find out what you're up to?
IAIN THOMSON
Best thing is theregister.com for our general stuff. And for at least the next week, I'll be on Twitter. That's Iain Thomson.

Well, they're taking away my blue verified tag on April 1st. So I'm just kind of like, should I really still be supporting this site? I don't know.

It's all going a bit Pete Tong, to be honest.
GRAHAM CLULEY
I'm pleased they're taking away my verified tag. I don't want them mixing me up with the people who are paying for the verified, the mouth breathers.

And you can follow us on Twitter @SmashingSecurity, no G nor any verified tick. Twitter wouldn't allow us to have a G.

Smashing Security also has a Mastodon account — find it at smashingsecurity.com/mastodon.

And don't forget to ensure you never miss another episode: follow Smashing Security in your favorite podcast apps such as Spotify, Apple Podcasts, and Overcast.
CAROLE THERIAULT
And big massive shout out to this episode's sponsors: Bitwarden, Kolide, and hCaptcha, and of course to our wonderful Patreon community.

It's thanks to you all this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 314 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye, goodbye.
CAROLE THERIAULT
You know, Iain, you said that going Pete Tong.
IAIN THOMSON
Yeah, yeah.
CAROLE THERIAULT
So Pete Tong, he's a DJ in the UK for those, right? What, in the '80s?
IAIN THOMSON
He was '90s, still going. I saw him when he was over here last.
CAROLE THERIAULT
My, I don't know what I call it, aunt-in-law — she dated him.
IAIN THOMSON
Really?
GRAHAM CLULEY
Oh, wow.
CAROLE THERIAULT
She was his hottie for a bit when she was younger.
IAIN THOMSON
That's a celebrity shag you can boast about.
CAROLE THERIAULT
That's pretty close, I gotta say.
GRAHAM CLULEY
I had a girlfriend who, the previous person she shagged before me was... I've forgotten his name.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Iain Thomson – @iainthomson

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats.  Start your free trial today.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

2 comments on “Smashing Security podcast #315: Crypto hacker hijinks, government spyware, and Utah social media shocker”

  1. Aryon Elmers

    Thank you! Thank you! Thank you!!
    My mom went to the hospital today and has her 1st treatment of radiation therapy for her liver cancer tomorrow and I have been beside myself worrying! I just finished listening to your podcast, episodes 315 and 314 and laughed and laughed and laughed all the while, learning new things!! I have had this respite from languishing inside my head on things beyond my control because of you and your wonderful wacky humours on your amazing podcasts!! You have a Canadian listener for as long as you will produce content!! <3

    1. Graham Cluley · in reply to Aryon Elmers

      I'm really sorry to hear your mum has been poorly, but I'm pleased to hear that the podcast has been able to put a smile on your face.

      All the best to your mum from everyone at Smashing Security.
