
There’s some funny business going on on Google, and Zuckerberg’s $14 billion bet on the metaverse is beginning to look a little childish…
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Life is bad enough as it is in terms of screens. The fact that he would now be sellotaping a couple of screens to his head permanently is absolutely appalling.
Even if it was full of education and bollocks, will it be?
Smashing Security, episode 327. Mark's Metaverse for Minors and Getting Down to Business. LastPass with Carole Theriault and Graham Cluley. Hello. Hello, and welcome to Smashing Security episode 327. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, a pleasure to have you on the show, obviously, all the way from— well, you're out of the country at the moment, aren't you? At a secret destination?
Yeah, secret holiday, countrified destination with poor Wi-Fi. So hopefully I'm coming through okay.
And even so, the podcast carries on.
Shall we kick the show off?
Let's get on with it. Come on, Carole Theriault.
Before we kick off this show, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Drata. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what do you got?
I'm going to be getting down to business.
Fantastic. And I'm going to look at what $14 billion can get you. All this and much more coming up on this episode of Smashing Security.
Now, Chum Chum, I've got a question for you. What do you do when you need to find a local company to help you with something? Have you had anything going wrong with your house or any service that you need?
So I suppose you'd normally search online and I might go and see trade recommendations, you know, if it was a house thing and see if anyone else said this is great.
I think you've put your finger on it. You do exactly the same as me, which is that you go onto a search engine. So maybe you'd go on to Google and perhaps your garage door is broken or you need a plumber or you're after a chiropractor and you think, oh crumbs, I don't know one. Haven't used one before. Where am I going to find one? You go on to Google and you might check out reviews and things. So one of the things that you have inside Google Search and Google Maps as well, actually, are business results. So you type in the name of something and it will tell you the plumbers in the area. And it may well give them reviews as well. So people can leave reviews for local businesses. But you want to be careful, of course. You need to be sure that those business results are verified and the real thing. If you need an aromatherapist, you don't want a tree surgeon coming round.
That's a spelling error if that happens.
Well, the thing is that if you weren't getting much work as a tree surgeon, maybe you would set yourself up as an aromatherapist in those results. And, you know, you'd go, well, maybe, maybe, who knows?
I'm not sure that would work out for you, but okay, I'm gonna— I'll fly along with you.
Perhaps it wouldn't. But anyway, so I, for instance, have a relative who has his own little gardening business, and I said to him, well, look, I know how you could help get yourself a bit more traffic coming to your website. Why don't you verify your business on Google, and then they will list you as a gardening service company in this particular part of the world. And he said to me, well, how do you do that? I said, oh, it's easy. There's a variety of ways in which you can do it. One is that you can go to Google's website and get them— you just fill in a form with details about your business, and they will then send you a postcard. You can actually get a postcard from Google which has a verification code on it, so they're verifying you really are at that address. And then you enter the code and it will add you to Google Maps and Google Search with information about your company, and people can leave reviews for your company.
And they've been doing that for what, a decade or something?
Oh, at least. At least.
In fact, it's funny because my neighbors are down as Slimming World on Google Maps.
Oh, really?
I was like, how, you know, do you guys do this?
They're like, nope.
I was like, okay, interesting.
That's peculiar.
That was years and years ago.
Oh yeah. Right. And so Google does attempt to verify these things. Now, for some companies, of course, they may not have a specific location which they want listed. It may be an area. And so for those sort of situations where a postcard wouldn't be appropriate, you can actually get Google to phone you up and FaceTime you. They can have a video call with you where they will actually look around your business. And so you will show them your workshop and they say, oh, okay, clearly you are a business, or you've got this stock which you're selling from this particular place.
Do you install bloatware for them to check out if it's a technology business?
Oh, no, no, they don't permanently. I mean, although Google is obviously a surveillance company, they don't actually—
They do evil now, apparently.
Well, yeah, yes, no more promises regarding that. But anyway, the point is that you can see a local business, read up about it, even check out its reviews and make contact. Very, very handy. So imagine, Carole, there you are in the future, you're living in I don't know, Hollywood. You're living in Los Angeles. Woo!
Living the dream.
You are living the dream. You've got the fancy car. You're driving along the highway. You get back home after a hard day's whatever it is that you do.
Drinking coffee.
And your garage door doesn't open. Oh. And you think, what am I going to do? Because of course it's LA, so your garage door is all electronic. It's not one you pull up. You press a button and it happens. And you need a garage door repair service.
Right.
So you go onto Google and you search for a garage door repair service and you find the Western Los Angeles Garage Door Repair Company.
Perfect SEO for my question.
Yeah. Verified listing for what you needed, verified by Google, contains photographs, has a link to the website, information about the business's hours and service area, got reviews. You know, they're all 5-star reviews for this company.
Okay.
And because you're growing frustrated sitting on the driveway, you call the number, and yep, it's Los Angeles 213 area code. Again, further reassurance that this is a local, legitimate company who you're dealing with.
Hi, how are you today? How can we be of service?
Yeah, Garage Doors R Us, who you're speaking to. And when you place that call, the thing is you're not actually connected to the business that you quite reasonably believe you were calling, because it turns out that company doesn't actually exist. Instead, your call has been transferred to a different company that is part of this scam, perhaps unwittingly part of this scam, and doesn't even realize it.
I'm not following.
So what is going on here?
Yeah, I'm not. Yeah, I don't know. Okay. Walk me through it.
So basically, there are bogus reviews on Google and bogus business profiles on Google, which are then directing to other companies. And they've got fake profiles. They've got fake reviews as well. So Google is now taking legal action against a chap called Ethan Hu. And they claim that Ethan has created over 350 fake business profile listings on Google since the middle of 2021. Why? Exactly. That's what I was interested about. Why has he done this? Yeah.
What's the endgame?
What's the point?
Yeah.
Well, I'm going to explain it to you because it's really rather clever. Okay, so according to Google, this chap Ethan Hu and some of his collaborators have been tricking Google all of this time for the last two years with these fake reviews, setting up these non-existent companies. For instance, the garage door repair company which I spoke about. For instance, a non-existent chiropractor, plumbing companies, all kinds of companies. And he's managed to verify these companies because when Google video call him he has an elaborate set of props, and they claim that he's using these props, which might be, for instance, a workbench with tools on it. It may be a whole massage chair. It may be aromatherapy, essential oils, all kinds of things which then make them think, oh, he's a legitimate business. We're going to profile him. And he was using both a selection of photographs and props and videos again and again, masquerading as different businesses all across the country.
I the idea if he would do that and just set a background, you know, take a picture of a garage and put it behind him and go, yeah, well,
It's just a green screen. Yeah, yeah, exactly. He could have done that. Well, apparently he had a real workbench, apparently. And sometimes he claimed to be the garage door repair company. Then two days later, he'd create another company and get it verified and say that he was a tree surgeon. Then he was a budget plumber's, but he was using the same thing over and over again. And again, I'm still thinking, what's going on there? Why is he sometimes claiming to be a Reiki therapist, other times into massage and things? So hundreds and hundreds of different profiles being set up. So, so what's going on here?
I'm still waiting.
Okay. Okay. So what's going on here is that he's creating these fake profiles and then he's getting fake reviews for them. So these aren't reviews written by real people. In fact, what he appears— what is claimed according to Google that he's had is he's had over 14,000 reviews for these companies, all 5-star, published on Google, all of them posted by just two different people in Bangladesh and Vietnam. So unlikely to be using his Handy Rapid Plumber Service or the Santa Barbara Maid Service and Home Cleaners and Gold Garage Door Repair and all these other companies. So he's got all these profiles and they've got great reviews and they're littered and scattered across America and people are finding them when they're looking for companies. And once again, Carole, you're going to ask me, why is he doing this?
With a more frustrated tone now. Yeah. Yes. The reason is that he is selling those profiles to other people. So he is advertising these profiles, allegedly, on Facebook and the like, saying, I'm looking for a plumber in Los Angeles who would like more internet traffic and more good reviews. So then when I call them up to get my garage door fixed, he then transfers it over to a third-party company that actually handles garage doors. That actually handles it. So it automatically goes through. He doesn't do this by hand. That would, I would find that a little concerning.
Yes, but as the reviews are faked, Carole, as they're written by these couple of dudes in Bangladesh and Vietnam, he's probably told them, look, just say things like 5-star service, amazing, they were really terrific, they're the best, rather than being specific about what kind of business that they've been helped for.
Okay, so question, question. Are you planning to help your family member in this manner?
You know what? That wouldn't be a bad idea, would it?
Yes, it would.
I think— oh, sorry, would it? Yes, it would.
Jeez. Because he's clearly— well, what can Google do about this? I don't know if they can sue or not. I don't know if they— I mean, certainly it is a breach of the terms of service. Wow, scary Google. Google claims it has stopped over 20 million attempts to create fake profiles for businesses in 2022, and it's protected more than 185,000 businesses from suspicious activity along these lines. And it reckons the average person actually loses— consumers lose on average $125 a year due to incorrect reviews. Yeah, and please stay vague.
Yeah. Well, yes. Say what a great job we did fixing your washing machine, perhaps.
Don't name us.
Carole, what's your story for us this week?
Well, what do you think, Graham, $14 billion could buy you? It's a serious amount of cash.
I think for $14 billion, I could probably get my own personal moon base.
You might be able to.
I could possibly. I don't know if it would also include the trip there or not, and hopefully back, but maybe I'd be able to get to the moon.
I can't imagine you wanting to go to the moon. I think you'd find that whole experience rather uncomfortable. How long does it take exactly?
Well, yeah, it's bad enough going to America, isn't it, on the plane or something, or Tenerife. Yeah, I'm not sure I'd want to be on a spaceship for 3 days.
Well, you went much bigger than me because I was thinking, well, what about a private jet? But it turns out private jets are for just, you know, cheap people, because with $1 billion, you could have your pick of Boeing commercial planes worth anywhere between $89 million and $450 million, so might as well buy a few, right?
I was thinking the other day, because I saw Donald Trump was flying around, and he's got a jumbo jet, hasn't he? And I thought, why does he need one that big? Well, other than to carry documents around or something. I mean, I don't know.
For his ego.
Yeah, I think it's just pure ego, isn't it? You don't need a plane that big. It could just be a private jet.
Well, you know, if you're one of those Jeff Bezos type people, you want to have— I think he went and tried to get the biggest yacht in the world.
Yes. You could even buy Buckingham Palace.
Which is estimated to be worth $1.4 billion. So you could maybe build a few more of those.
Is it for sale? Is Charlie a bit hard up for cash?
Juckey's thinking, "I don't need this place." Unfortunately, it's not enough to buy the world's largest royal domain. Can you guess what that might be?
You mean domain as in URL?
No, as in house.
A principality.
As in big, huge place in France.
What, Versailles maybe?
Yes, the Palace of Versailles, an estimated $50 billion because it has 700 rooms, 600 paintings, 400 sculptures, and 1,400 fountains, for God's sake.
It has a lovely garden. I have been to the gardens of Versailles. It's very pretty.
It's very pretty, but you may not want to stump up $50 billion for it. No, probably not.
Probably not.
Now, if you were the CEO of Meta, Mr. Zuckerberg himself, what would you do with this money? This $14 billion?
Ooh. Ah, I know where you're going now. Because the fact that they changed their name from Facebook to Meta, because didn't they invest a ridiculous amount of money into their virtual reality headsets nonsense?
Yes, VR world. Exactly. Way back in December 2021, the New York Times reported, and we remember this, all the world's largest tech companies were hurtling headlong into creating the metaverse, a virtual reality world where people can have avatars and do everything from play video games to attend gym classes or do meetings, all the stuff.
And I thought this is just Second Life, which is something that had been around for 20 years, just a sort of sad online games.
I still think that, but there you go.
Yeah.
Now, Mark Zuckerberg himself believed in it so much, right, in this metaverse, that he was willing to invest billions in the effort. And he has a whopping $14 billion to expand Reality Labs, the company's arm that is devoted to building hardware and developing the metaverse. But the high cost of trying to turn the metaverse into a mainstream business seems to have spooked Wall Street, causing Meta's stock to plunge last year. We remember this.
Yeah, it feels like it was a bad strategy, doesn't it?
Well, is it? I mean, everyone was in on that until AI came along, where all the investors are suddenly—
Right.
Got their heads swiveled the other way and went, oh, that looks like a better bet.
That looks more interesting. Yeah, totally.
But let's go back to poor little Zuckster here. You've invested billions and billions and billions and billions, huge golden shackles that you've put around yourself, if you ask me, and your shareholders are spooked. So what do you do? Because you got to grow the business, make some money, get the investors to come back into the fold.
But how? Isn't the actual trick, I mean, isn't the thing which actually has driven internet innovation for the last 30 years, pornography. And wouldn't that be the obvious? I know it's seedy. I know it may not fit into Facebook family, as if Facebook has any values. But if you actually want to make money out of virtual reality and the metaverse, surely the thing is to go hard when it comes to VR porn or something.
I think actually AI's got that all beat as well.
They've got it beat, haven't they?
Yeah, Science Vs. latest episode has a fantastic episode on AI porn if you're interested.
No, I'm not, thanks.
Well, Zuckerberg decided not to go down that route, Graham. Instead, he has announced his plans to the world that he wants to lower the age limit from 13 to 10.
Really?
Now, yeah. Now think a bit about this. This is all according to a blog post that they put up, links in the show notes.
Right.
Now, if you think about it, the global population is expected to reach more than 8 billion before 2025. So that means by my calculation and looking around at Statista, about a quarter of the world is under 15. So you do a few little maths and you realize there's a few hundred million 10 to 13-year-olds and that might be perfect for this VR world. And they would certainly help fill the empty Meta coffers, wouldn't they?
Well, would they though? I mean, how much pocket money are they getting at that age?
I think you're hitting up mom and dad to buy the VR set and, you know, pay all the fees.
He wants kids on the metaverse.
Yes.
It's not just joining Facebook.
Oh, I see. Exactly. Right. And plus, lowering the age limit requirements might remove friction, helping younger audiences cozy up with the metaverse, get familiar with it. And the idea would be that they're more likely to continue using the technology as they grow up, as many people now still use Facebook, right?
Right.
But 10, for fuck's sake, 10 years old. So according to the Search Institute, it is from the ages of 10 and 14 when young people begin to discover who they are and their place in the world. So quote, with a growing ability to see consequences of different actions, tweens and young teens are more able to think like adults, but they do not have the experience and judgment needed to act like adults. And I'm thinking perhaps that too is very attractive to Meta. You know, kids might not yet have the skills to say, this is good for me, or this is not good for me. And Christ, I know many adults that don't even know how to do that.
Yeah.
But what pisses me off the most here is in Meta's blog announcements, which interestingly has no author. See, surely, I've always thought of a blog as a personal piece from someone representing a company or themselves. But blogs without attribution to a person seem a bit odd to me.
Am I the only one saying that? No, in my experience, because I think we've both worked for companies where we've sometimes had to post things, which the company didn't really want to have to post, but knew it had to post. And so there was always an option of let's not have any author on this because no one wanted to put their actual name.
You can see over there, there's the car I'm working on. Exactly. Yeah. So in this blog announcement without an author, I decided to do a— it's super focused on parents. I mean, literally, I did a search. The word parent shows up 33 times in a single, maybe 5-paragraph blog post. Things like parents decide, parents manage, parents monitor, parent control.
Parents abhor, parents hate, parents disgusted by Meta.
Yeah. So effectively, they're making being a parent, and you're a parent of a kid in this age group, right? Between 10 and 13.
I am.
So what are your thoughts? You know, if you have, you know, you've got this, would you want him to go on this metaverse? Is this something you'd be interested in?
No. Life is bad enough as it is in terms of screens. The fact that he would now be sellotaping a couple of screens to his head permanently is absolutely appalling.
Even if it was full of education and bollocks, will it be?
No, it won't. I don't think he would go in there to do his math problems, right? I would just, yeah, exactly. Please, please read a book for once rather than looking at a screen. Do something else. No, I don't. Oh, it's just, and it's so isolating as well. We need to connect more with our children and just be around them and talk face to face. The thought of people wearing these. I mean, Apple have just brought out their, well, they've announced, haven't they, their new Apple Vision, is it called? The Vision Pro?
I don't know, I've been on holiday.
Oh gosh, Carole, you missed it. So Apple have now brought out their own virtual reality headset or have announced it at the very least. And one of the things it does is it obviously, the others, it straps a television to the front of your forehead.
That's what I need.
But it actually has cameras looking at your eyes. That's how you control it, is with your eyes. And it then displays your eyes on the outside screen so that people are less unnerved that you're wearing this thing.
So I have these blank eyes that, you know, they're talking to me and I can pretend I'm listening to them while I'm playing a game inside me. Oh, for God's sake. I'm a Luddite. I think we have to stop this podcast. I can't keep up anymore.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks, including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. So, listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
How?
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week, is it security-related? I'm not going to give you any spoilers. You may have to actually investigate for yourself. I have watched a documentary on Netflix, a sports-related documentary, can you believe?
What?
I know it's unlikely, isn't it? There is a series of sports documentaries on Netflix called Untold, and my attention was caught by one in particular. It tells the story of a guy called Manti Te'o from Hawaii. And he was a very talented young American footballer who won a place on the Notre Dame Fighting Irish football team back in 2009.
Notre Dame. Notre Dame.
Not Notre Dame.
Notre Dame.
Notre Dame. That's a bit weird.
Norder— Norderdame.
Oh, okay.
And correct us, listeners.
Anyway, and anyway, he helped transform their performance. They'd had a, you know, bad few years. He got lots of attention as a player to watch. He was amazing from what I saw. He did really well. And he then hit the headlines in September 2012 upon revealing that both his grandmother and girlfriend— Just sorry, you just caught—
You caught me right before my joke there.
Okay, anyway, so both— it's not funny actually.
Okay, not laughing.
They both died on the same day. He announced that both his grandmother and his girlfriend had died. His girlfriend was a student at Stanford University called Lennay Kekua, and his girlfriend, he said, had had a car crash which had left her in a coma and she'd subsequently died from leukemia on the same day as her grandmother. But despite that, he went ahead with a really important football match.
That day?
Well, I think it was a couple of days later. He was obviously extremely shaken by the horrendous experience. And the media went nuts. And he went on to be nominated as a candidate for a prestigious trophy from the world of American football, about Outstanding Player of the Year in college football, and loads of TV interviews, media interest, and the rest of it. Just a few months later though, Deadspin, which is a sports blog, published a story saying that Lennay Kekua, the footballer's supposed girlfriend, was in fact a hoax and his dead girlfriend had never existed.
So he had no girlfriend to die in the first place, for example.
You'll have to watch the documentary.
Lame.
So it's called Untold: The Girlfriend Who Didn't Exist. There are some big twists in the story which are quite fascinating because I saw the premise of this like, okay, the girlfriend didn't— people lie about their girlfriends. And then as a sportsman, I thought, oh, it's going to be like Lance Armstrong who's the quintessential lying sportsman who won the Tour de France and pumped himself full of drugs and all the rest of it. And I thought, oh, this guy's going to be such a liar and all the rest of it. The story is rather more interesting than simply he was lying for attention. Now, if you're American, you may already know this story because I guess he was a bit of a star in America and it looks like there was quite a lot of media coverage. I'd never heard of this guy, so the story was a big surprise to me. But anyway, I'd recommend it. It's on Netflix. It's called Untold: The Girlfriend Who Didn't Exist. And that is my pick of the week.
Do you recommend it for me personally as well? Do you think?
For you personally? Yeah. Yeah, well, I found it interesting. I thought it was a good documentary. Why not? Yeah. Okay. Oh, well, you've still got to watch Into the Spider-Verse.
That's true. Although I've been asking other people about it and asking, saying that two people were waxing lyrical and they're like, really? I don't. So that was really interesting for me.
Well, they're Philistines. They don't know what they're talking about.
Including my hosts at the moment where I am.
Oh, well, maybe they are too cool for Spider-Man. I do not know. It is all right. It is okay. Carole, what's your pick of the week?
Well, mine's very cute. My pick of the week is Candy Hearts Comics. Now, you know what candy hearts are, right? Those little sweets with cute messages on it, like, "Date me," "Super cool," "I love you," "Be mine." Remember?
Oh, yes. Yeah, yeah, yeah.
Well, there's this illustrator called Tommy Siegel, and he's used this kind of idea of these candy hearts to turn them into insightful little comics or illustrations. And they're pretty on point. They touch upon things like dating, family life, parenthood, and everything in between. And it kind of, I don't know, it's hard to, it kind of, you're already looking at something.
Explain these.
You are, you are going to be explaining them. But they kind of focus on our miscommunication and assumptions. And they juxtapose those against our thought processes. See what you say and what you think might be very different, and that exhibition would be quite cute. So Graham, I put a few in the show notes that I thought you can maybe choose one or two here to try and explain them.
All right, well, it's difficult. So these characters are all the heart shapes, rather like the candy heart sweets, and they're sort of in human situations. And I'm looking at one right now where one of them has sent a message to the other, and the first one says, "OMG, that panda video is so cute!" And she's sort of full of love and everything, thinking, "Oh, I love cute animal videos." And the guy is replying saying, "Haha, I'm glad you like it." But inside he's thinking, "How do I tell them I'm a furry?" And he's sitting next to his panda costume.
They're very cute, aren't they?
They are cute. There's another one of a couple of hearts sat on a sofa together. They're in love and there's a little baby heart sat on the floor with a rattle in between them. And one of them says, "We won't mess up." And he said, "No, no, we will not mess you up." "Oh yeah, we won't mess you up, like our parents messed us up." And the baby is thinking, "Yeah, I'm a whole new kind of fucked up going on." You have to see these, right? So where can people see these, Carole?
So you can actually literally use your search engine and type in Candy Hearts Comics and they'll come up. Or you can go on the Twitter universe and go see them there. Or you can even buy Tommy Siegel's book. I have seen them online. They happen to be in one of my feeds, and I thought they were very sweet. We all did, in fact. I shared them around. So that is my pick of the week: Candy Heart Comics by Tommy Siegel. Check it out.
Very cute. He should do these as sort of greeting cards as well. I think they'd work very well that. You know, you'd buy them and give them to people because they're fun. A lot of greeting cards try to be funny but aren't actually funny. Have you noticed that?
Yeah, a bit some co-hosts.
Oh, charming.
Funny.
Well, Carole Theriault, thank you very much. And that just about wraps up the show for this week. Listeners, you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G, and we also have a Mastodon account. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And huge, huge shout out to this episode's sponsors once again, Kolide, Drata, and Bitwarden, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 326 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye-bye. I'm gonna go back to my Aperol Spritz now. Well, I'm actually— I'm not drinking one yet, it's only 12 o'clock.
It's a bit early in the morning for that, is it?
That's my plan later.
Okay, well, enjoy the rest of your holiday, Carole.
Thanks, I will.
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- Google sues alleged scammer over fake business and review scheme – The Verge.
- Meta to Lower Age for Users of Virtual Reality Headset to 10 From 13 – New York Times.
- Introducing New Parent-Managed Meta Accounts for Families – Meta Blog.
- Keep Connected – ages 10–14 – Keep Connected.
- The Metaverse Police: A VR content moderator shares his insights – Mixed News.
- “Untold: The Girlfriend Who Didn’t Exist” – Netflix.
- Tommy Siegel – Some candy hearts comics I drew, a thread – Twitter.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


