
AI news is bad news, an online service to catch your cheating partner, and an IoT-enabled dick cage fails to keep a grip on its own security.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Plus don’t miss our featured interview with Alex Lawrence, principal security architect at Sysdig.
Warning: This podcast may contain nuts, adult themes, and rude language. May? Who are we kidding…
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
It's a male chastity device. So it attaches itself quite firmly and securely around your private parts, preventing you from performing certain functions.
What could go wrong, to quote you, Graham?
What could go—
Well, I'll tell you what went wrong. They discovered flaws, which meant that someone could remotely lock all of the devices and prevent people from unlocking themselves. The actual advice on the site was you're gonna have to use bolt cutters or an angle grinder.
What? I think I'd rather not. I'll just stay in it.
Smashing Security, episode 338: Catfishing Services, Bad Sports, and Another Cock-up, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 338. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole joining us today, pretty— I was about to say a pretty common regular. That's quite rude really, isn't it?
It's, maybe start that again.
So joining us today, Carole, who've we got?
We have a guest for the first time in a few weeks. Mr. Mark Stockley is joining us. Hi, Mark.
Hi.
Welcome back to Smashing Security.
Thanks very much.
Great to have you back, Mark.
It's brilliant. And we have a big show today, so we should crack on. Are we ready to go?
Let's go.
But first, let's thank this week's wonderful sponsors: Kolide, Sysdig, and ClearVPN. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Oh, it's another right cock-up.
Okay, Mark, what about you?
I am going to talk about the worst sports reporter in the world.
And I'm going to be looking at a catfishing enterprise. Plus, we have a featured interview with Alex Lawrence. He's the principal security architect at Sysdig, and we're going to dive into Sysdig's brand new threat report and find out what we should be looking out for. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, can you believe how time has flown by? Flown by, not only if our kids got older over the summer and grown about 3 foot taller, not only are they sprouting hair out of their nostrils and all sorts of unpleasant places like that, but it's also 4 years or so since episode 199 of Smashing Security.
Wow.
Yeah, you may remember we had Zoe Kleinman from the BBC on and we reported on how security researchers had found serious security flaws in the Qiui Cellmate, which is a Chinese-made IoT device made of polycarbonate and toughened steel. A very specific kind of IoT device. It comes in both long—
Oh no.
What? It comes in both long and short models. When I investigated it back then, I found the short models had sold out on the website.
I remember the name Cellmate, actually. I remember what it does. Okay.
What do you remember about it, Carole? Could you describe what it does? Because that would save me.
Is this something to do with prison?
Yeah, basically it is with prison. It prisons up your junk, if I remember correctly, and you give your special someone the key. And it's a digital key. Am I right? Is that right? Or am I just dirty?
It's a male chastity device. So it attaches itself quite firmly and securely around your private parts, preventing you from performing certain functions.
Who does this? Actually, I don't want to know.
I do not want to know. Unless your partner via the internet unlocks it.
What could go wrong, to quote you, Graham?
Well, I'll tell you what went wrong. The penetration testers at Pentest Partners, appropriately enough, they discovered flaws in Cellmate's API. Which meant that someone could remotely lock all of the devices and prevent people from unlocking themselves. The actual advice on the site was you're going to have to use bolt cutters or an angle grinder.
Can you imagine?
So what?
It's got to be an internet joke.
I think I'd rather not. I'll just stay in it.
So aside from imprisoning your penis, also the API was leaky. Which you don't want. So it would leak your location data, your personal information, your private chats, and what was called your member code.
You have private chats through your—
Well, yes, but via the— Not on that. There was no screen on it, a keyboard.
There's a big microphone?
No, but via the app, you could chat with partners saying, oh, please unlock me, you naughty boy.
Let's not use Signal or WhatsApp or something. Let's use Cellmate's own chat service.
So, yeah. Okay. Cybercriminals did eventually exploit this flaw, and they demanded a ransom from people they'd locked up. Now, surprisingly, years have gone past. The Qiui Cellmate, I've done some Googling today, it's still on sale. You can go to its online store. The motto is "Love Hurts." You can buy them on Amazon. You can even get them on eBay. I'm not sure you'd want a pre-loved sex toy from eBay, but if you—
Reconditioned.
If you wanted—
As long as they delete the chat history.
Anyway, that's all yesterday's news, right? That's from a while ago. Because surely by now everyone's been put off the idea of chastity cages. People have decided that's not a good— Well, not so. Not so. Because I don't know, Mark or Carole, if you read the Dear Deirdre Agony Aunt column in The Sun newspaper.
Paper.
That's still going. Is she still alive? Does she exist?
That's very interesting, because when I was reading this Dear Deirdre column online about male chastity cages from last month, it's actually got someone else's name on the byline. So the brand is Dear Deirdre, but there's someone called Sally who's actually answering questions.
They fired Deirdre.
Yeah, so Deirdre, she's been sent off in the wheelchair. Anyway, someone wrote in saying, my sexual urges are so out of control, I'm considering buying myself a chastity cage. And this chap, he said he was in his mid-20s. He said he had a bit of a wandering eye, but he loved his girlfriend. He's been going out with her for two years. She's wife material, he says. But because he keeps on looking at other girls and thinking, well, I'd quite like to have sex with her, he has secretly bought himself a metal chastity cage to lock up his penis to prevent him from doing anything untoward with it. And he was saying, "Do you think this will stop me cheating?" he said to Dear Deirdre.
Surely. Okay, I'm wondering if she defines cheating now, because my story has to do a bit with cheating as well. So this is quite interesting because, yeah.
Well, I'm thinking that chances are she's going to spot this, isn't she? If he's clanking around the bedroom wearing one of these.
I don't think it's medieval, right? I know what you're picturing.
Have you seen these things, Carole?
No, I haven't. I haven't.
But you have to take an angle grinder to them. They are quite substantial. Anyway, she said, get a grip, pleasure yourself. That's what you have to do. Stop being ridiculous. Just stop trying to have sex with me.
A lot of bathroom breaks.
Anyway, so chastity cages are still being sold. Now word reaches us via TechCrunch of another dick cage that has serious vulnerabilities. An anonymous researcher — anonymous, because he doesn't like to mix business with pleasure — he has found a different internet-connected male chastity device is exposing users' email addresses, plaintext passwords, home addresses, IP addresses, and in some cases — and this one really surprised me — GPS coordinates due to flaws in its servers. Now, why these things are beaming out their GPS coordinates, and how precise do you need to be with something? You surely don't need to know within a few metres, which apparently the device claims.
Well, if you're using an angle grinder, I think very, very precise.
You need great precision. Yeah, a few metres doesn't cut it. No, you want, you know —
Well, it could.
A centimetre could make a big difference. So apparently, your partner who's in control of your chastity device can follow your movements and see where you're going while you're clanking around. This researcher has found, via these flaws, he's found records of more than 10,000 users. And so he did the responsible thing — he contacted the company back in June about the vulnerabilities. They didn't respond.
Quelle surprise.
Now, this is the interesting bit. He then, because he couldn't get a response from them, he defaced their website. He put up a message on their website. He said, this site's been disabled by a benevolent third party and the vendor's name has been redacted, right? There's no one saying who the vendor is. He says they've left the site wide open. It's allowing any script kiddie to grab all this customer information, including plaintext passwords and shipping addresses. And he says, if you've paid for a physical unit and now can't use it, I'm really sorry, but there are thousands of people have accounts on here and I couldn't leave it up for grabs.
Hope you weren't wearing it at the time.
Well, exactly. I mean, does disabling the website prevent you from unlocking it? I don't know. Maybe it does — maybe it prevents someone from logging in and doing that. How do you feel about that, Mark? What do you think — do you think that's right, that he should have defaced the website and put up this message?
I'm going to say no.
Right. After careful consideration.
Because I don't want to think that anything would rely on the website being there because websites being there is a —
Websites are very transient.
They are. They're not difficult to affect. But having said I wouldn't want that to happen, that doesn't mean that it doesn't happen. And we're talking about the IoT here, so I think actually probably did happen.
So you don't think it's right for him to deface the website and put the message up there, even though he's frustrated and he wants to get the message out to those users? Should he have emailed those users instead, or what do you think would have been a better course of action?
I think put it on Reddit.
Right. And they'll DDoS the site by all traveling there.
If you want people to read something, put it on Reddit. Yeah, Google will pick it up.
But he was worried that naming the company would actually get people exploiting it. And that's why TechCrunch haven't named them either. TechCrunch say they've tried to contact the company, which is based in China, like the Qiui Cellmate. Similar lack of response. They have removed the defacement message from the website. And so I was curious. I immediately thought this must be the Qiui Cellmate, but the one we spoke about a few years ago. I thought it must be the same one. And I thought, why are TechCrunch being so coy? I thought, oh, I saw it. I went to the Internet Archive. I was looking at Qiui Cellmate's store, looking to see if, you know, they'd been defaced or anything like that. So Qiui Cellmate's still running, but it isn't the Qiui Cellmate because according to TechCrunch, the vulnerable device only has an Android app. There's no iPhone app. So I imagine iPhone users who have a chastity cage around their penis, they don't have to worry because this is only affecting Android instead.
I just think this is one of those things that if you definitely want to have your cocks in a block, I guess, why wouldn't you just go old school and get dumb tech?
With a key.
No tech. With a key. Just don't lose the key.
Or maybe a good fisherman's knot would be good. If you could— Tie a knot in it, tie a secure knot, and that'll prevent anything bad from happening. Mark, what have you got for us this week?
Well, I am going to talk about the worst sports reporter in the world.
Okay.
So, do you like sports? You're pretty athletic, Graham. Do you like sports? What are you into?
I am keen on badminton. And chess. I consider badminton not really a sport. I consider that a game.
Yes.
But I consider chess to be a sport.
Yes. I think other chess players do too, don't they?
Yes, they do.
That's why they get all sweaty when they're playing.
Yeah. I think anything which has a random element is a game. So, football, cricket, badminton, anything like that. That's just a fun game. But chess is a serious sport.
Let's see.
Yeah.
Well, I was going to say they also love sports in the USA, but I'm not sure you actually love sports. I think there's a whole other discussion to have there. But in the USA, they definitely love sports, like actual proper sports. Sports like, you know, NFL, NBA, college sports, even high school sports. And the local newspapers are only too happy to add these sports-mad fans to their readership with penetrating and insightful analysis of all the latest goals, baskets, and touchdowns.
Yeah.
However, something strange has been happening at local papers in the USA. See if you can tell what it is. So this in-depth bit of sports reporting came from a recent edition of the Milwaukee Journal Sentinel. Okay. It said— I'm gonna butcher this name now— the Waukesha West Wolverines defeated the Hartford Orioles 42-14 in a Wisconsin high school football game, "On Friday, Waukesha West recorded a big victory over Hartford, 42-14, during this Wisconsin football game." That's a really high score for a football game, isn't it?
How big were the goals?
They may be talking about—
American football.
American football.
Oh, okay.
But anyway, so that was perhaps not the peak of journalism there. What about this one from The Tennessean? The Christ Presbyterian Lions defeated the Brentwood Academy Eagles 17-16 in a Tennessee high school football game on Saturday. Christ Presbyterian eventually took victory away from Brentwood Academy 17-16 in a Tennessee high school football matchup.
Oh, it makes no sense.
Oh, it's weird. Yeah, it's a bit garbled, isn't it? It's an odd way of phrasing things.
Both teams were shut out in the first quarter. The Eagles took a 7-3 lead over the Lions heading to the halftime locker room. Brentwood Academy enjoyed a 16-3 lead over Christ Presbyterian to start the fourth quarter. A 14-0 scoring edge in the final quarter fuelled the Lions' defeat of the Eagles.
I think I know what's going on here.
Okay, well, the final one might give you a clue. This is my favourite from the Columbus Dispatch. The Worthington Christian bracket bracket winning underscore team underscore mascot bracket bracket defeated the Westerville North bracket bracket losing underscore team underscore mascot bracket bracket 2-1 in an Ohio boys' soccer game on Saturday. Worthington Christian edged Westerville North 2-1 in a close encounter of the athletic kind for an Ohio boys' soccer victory on August 19th.
A close encounter of the athletic kind.
It's like the first time you listen to the shipping forecast in the UK. You know, you're like, what?
Worthington Christian drew first blood by forging a 2-1 margin over Westerville North after the first half. The scoreboard was in hibernation in the final half with neither team scoring. The last two lines, I think what they're saying is—
Hibernation.
Worthington Christian drew first blood forging a 2-1 margin over Westerville North after the first half. But in the final half, which if I remember correctly, there are two halves.
There are normally two halves, yes.
Neither team scored.
Yes, that would be a simpler way of wording it, wouldn't it? Has all this underscore bracket bracket stuff, could there possibly be some sort of computer cock-up occurring?
Perhaps.
You're close. You're very close.
Right.
So there are two little letters that join all of these terribly written articles together. Can you guess what they are?
AI.
That's how we're going to say AI from now on.
Yep.
This year's NFT AI. All of these reports were written by an AI called Lead AI, which is being tested out by a newspaper chain called Gannett, which owns a bunch of local newspapers. According to Axios, Gannett-owned newspapers published dozens of Lead AI game recaps. And CNN reports that the experiment has now stopped following ridicule on social media. And soon podcasts. The thing is that the reports are actually generated. There's a, I forget what the system's called, it's something like Scorebox. There is a system that actually generates this was the score after the first quarter and this was the score after the second quarter. And so all this thing is doing is it's taking that information and putting it into sentences rather than into bullet points.
Right.
But the sentences are AI garbage.
Yeah.
So, and I suppose the AI to try and make it appear more human is thinking, well, we won't use those other words. We'll go to the thesaurus, we'll find synonyms.
Like hibernation.
Like in hibernation or Close Encounters of the Athletic Kind. It's just trying to add a little bit of colour and coming across as freaky.
Now, this is not the first time that the myth of AI journalism has faced public scorn. So last year, I don't know if you remember, but CNET, massive publication, started publishing articles under the byline CNET Money Staff. So these articles, look, they were probably made for search engines rather than for people. But this CNET Money Staff with its AI pseudonym, and Wired reports that a torrent of embarrassing disclosures followed, with more than half of the articles containing factual errors and 41 out of 77 requiring, quote, sometimes lengthy corrections. Now, I don't know about you, but wherever you look, AI is just making stuff up at the moment, which is really bad for everyone. I mean, it's bad for information and disinformation. It's bad for the internet, and ultimately it's even bad for AI, 'cause AI is using the internet as training data. So if the internet—
Well, that's right. The more AI generates, the more it's feeding itself worse information, isn't it?
Yes.
And there are some news sites now which are specifically blocking these AI chatbots from scouring and scooping up information from their sites, because they don't see why they should be helping them. You just make a change to robots.txt to block some of these things from coming through.
But I use a chatbot. I've been playing around with it for a few weeks, and I have not run into it being incorrect that I've noticed.
Hahaha.
But I guess I'm not asking for, you know, right or wrong answers. I'm asking more for fleshing out ideas, I guess. Really? Yeah.
What, turning sports scores into sentences about sports scores?
I'd ask them something "tell me about this term. Tell me I don't know what this term means."
Yeah.
You know, and then I might learn something about it, but it's—
Well, you might, or you might learn something about something else.
Yeah. I've just not seen any cock-ups on the ones I've been using. I know they've happened, but I've seen that more in the press than me seeing any blatant, oh my God, mess.
It sounds a bit though, Carole, you're not really asking it to generate anything new, create a report.
That's true.
You're more saying, "Define something," or, "Explain this to me." Yeah.
"Tell me what happened at this," you know, whatever, a historical thing, or, you know, "What does this mean?" That sort of thing. Yeah. So you're right. I'm using it like this.
Maybe that's more straightforward for it. I don't know.
Mm.
Yeah, that's true. So did these sports articles not say, "This article has been written by a stupid robot rather than a human," or did they?
They did actually. The sports articles did. They said the byline was "Lead AI." I think it's more that it was just really bad. I don't think anybody would've minded if it was written by an AI and it was good. But I think the badness and the fact that it was made by an AI are now kind of joined in people's minds. I don't know about you, but I sense a significant lowering of expectations this year after a sort of explosion of hyperbole around generative AI last year.
Right.
I've got a colleague who went to the RSA security conference, which is sometime earlier this year, and he said you couldn't move for AI. I went to InfoSec in the UK in June, and honestly, I didn't see anyone talking about AI. Everyone was just talking about real-world problems, and nobody was suggesting that AI was the solution. Apparently, the mood at Black Hat, where they are talking about AI, is much more, okay, well, what can it actually do? You know, it's taken us a year or so, but I think we're actually now coming to a much more sensible place about, all right, maybe it's not going to replace everybody, but maybe it's going to be, as Carole described, a sort of useful assistant.
Yeah, really cool tools.
Yeah.
And the astonishing thing is that if they were doing this experiment, getting AI to generate these sports reports, if it was an experiment, why weren't they having someone human in the process just to have a look over?
Oh, they did. Oh, they did. Yes.
Yes.
The editorial guidelines for Gannett.
Were they underpaid?
Well, I think, I don't know, I can't speak for them, but the editorial guidelines say something like they're checking for factual errors. And I think the things that I read are actually factually correct.
They're just nonsense.
Drivel.
Yeah. Yeah.
You'd think that a researcher would spot that though. No offense, but.
So what does this tell us about the future of AI? Does it tell us anything? Does it just tell us to manage our expectations a little more rather than?
Well, I think what it tells us is that we're going to have, you know, we've had 20 years of reading garbage articles written by people trying to target for SEO. I think now the future is going to be much, much, much, much, much more of the same, unfortunately.
Okay, well, thanks for that.
Fabulous. Carole, what have you got for us this week?
Okay, so as we know, there are some people that are in relationships that sometimes get distracted by what I'm going to call a third party, someone outside the relationship. And this can happen because maybe someone has a philandering style about them, or their relationship problems, or whatever. We know that not every relationship, whether budding or long-term, is rock solid, right? And we know about cheating, a la, you know, let's sneak off and do some sexy stuff without the knowledge or consent of the long-term partner. But we also have heard about emotional cheating. Which, as far as I understand, is someone having risky, you know, risqué, flirty conversations with another person, but no body fluids are exchanged. Is that fair?
Having a little daydream about someone, maybe?
Yeah.
Yes.
Is that an emotional cheating?
I would think so.
If you're having a daydream about someone else other than your long-term partner, you've got to go, "Whoa, whoa, stop that." You know, I mean— I'm not going to tell my husband about my Jeff Goldblum obsession.
There is a difference, surely? Yes, because it could all be going on in your head. Whereas if you actually physically participate, then yeah.
Okay, I have a scenario.
I'm not saying one is right and the other one is wrong.
I'm going to give you a scenario and I want you to tell me if you feel this is emotional cheating. Okay, perfect. Perfect. Okay, so we have a woman who lives in South America somewhere. We're gonna call her Carla. And Carla is chatting with someone online, you know, yik yak, yik yak, yik yak. And she happens to mention the city where she lives. And the someone she's talking to says, oh, I've never been there before, but I'm actually planning a trip quite soon. And this guy she's chatting to eventually asks if she would show him around when he arrives in her city.
Very friendly. Yes.
You know, and she's like, that'd be cool. Right?
Yeah.
More chitchat, more chitchat. And then he says, you're kind of cute. And Carla calls him cute back. And then later on the conversation, at one point, she says she can't wait for him to get there. Okay, can't wait being the key word. And that's it. Yeah, that's it. That's the scenario. So where on the scale of emotional cheating do you feel this flies?
Well, does Carla or the other guy have another partner?
Yeah, Carla does. Carla does.
Carla has a boyfriend. Yeah. Oh, I see. I didn't know that. Okay.
Well— I mean, it's not like they're discussing sexting or whatever.
Oh, for God's sake, we're all right.
No, but you know what I mean? It's not—
It's always that with you, isn't it?
Has anybody invested in an IoT chastity belt yet?
Right? These are questions I want to know the answers to now.
I think it's— You know, I think probably they need to be careful about saying, "Oh, you're pretty cute yourself." You know?
Really? I say people are cute all the time.
Do you?
Yes.
I've never heard that from you.
Well—
Yeah, sorry, Graham. Yeah. Other people. Cuter people.
I'm going to say maybe for some people, this type of chatter, right? If your partner was having this type of chatter with a third party would be considered not cool, right? Okay.
Does the guy who's chatting with her know that Carla has a partner? If she hasn't revealed that, then that's a bit—
What?
We should all be wearing "boyfriend" tattooed across our foreheads?
Yes. Yes, we should. Absolutely. That's exactly where I was taking it, Carole. You're absolutely right. Yes, of course, that's what I meant.
So for people that, you know, don't think this is cool, there is hope. In the form of a small online company, one that is offering a specific service to couples, or at least one member of the couple. And this is where a party pays, right, a small online company to do some very serious assessing in order to discover whether the, you know, relationship is— or the person is loyal to the relationship and the person.
How do they do that?
Catfishing. Oh, so according to a New York Times article, you pay this company called Loyalty Test, and one of their testers will get in touch with you, with your person of interest, and do some flirting. Like in some cases, pretty innocently, like Carla's, right?
Yes.
But as soon as Carla wrote that she, quote, can't wait, right, referencing his arrival to the city, our loyalty test worker grabbed a screenshot of the conversation, blocked Carla on all accounts, and immediately reported what happened to Carla's boyfriend?
Oh, I think that's a bit extreme.
And that is how this company even sells itself. So Carla's sitting there, I'm guessing, going, what just happened? Meanwhile, the guy goes and tattletales to the boyfriend, right? According to the New York Times, loyalty tester said, I just texted the boyfriend and was, hey, she says she wants to go out. So I sent him screenshots and he said, okay, that's enough, thank you. And this loyalty test worker, okay, who is this guy? A 19-year-old college student from West Palm Beach, Florida, making ends meet by testing the loyalty of relationships. Apparently he'd been cheated on. He's trying to save the world from the pain he went through. And he's just one of many workers, right? So they work like rideshare drivers, right? So they basically are free to take on as many clients as they wish. And you can go check out the site. Why don't you go check out the site?
So can I sign up? How much would I get paid for doing this?
You can sign up for free. You can charge whatever you like. But Brandon Balasingham, the 27-year-old site founder, will take 10% of every transaction. So you can go to loyalty-test.com. And the strapline here, listeners, is hire one of our testers to DM and flirt with your significant other. Catch a cheater today.
So it's not telling me how much he's going to pay me if I become a tester. I'm not—
Well, some people in the article say that they charged around $100 per session. It depends because sometimes it just takes one DM exchange, apparently. Other times it's 2 or 3 days of online conversation. So our Florida student loyalty tester determines what's included in his flat fee on a case-by-case basis. And he says he only tests women, he says.
Right.
Do you think people ever sign themselves up?
I did wonder that, because I received a— so I had to join WhatsApp the other day, right? I've always refused to be on WhatsApp. And I had to get on WhatsApp because of various groups my son is a member of. And that's how they communicate, is only via WhatsApp. Bloody hell. So I had to join WhatsApp. I've started receiving spam from people saying, oh, I'm 28, I'm lonely. And I was wondering, who actually responds to these?
Who would get in touch with me?
No, no, I think who would actually reply to these things? Someone, some nut? Then I thought, well, there probably are people who are lonely and might start it as a bit of fun and then begin to believe they are in a relationship. Graham, you'd be great at this, I think. This could be your next thing. You'd be excellent.
I think I would too. I think I'm going to give up this cybersecurity life.
Because you have no morals and you're effectively setting up a honey trap. Don't you think? I mean, is this— okay, is this the same thing? Is this the same thing? Is this the same as someone being on a diet, right? And your boyfriend or girlfriend or partner sticks a bunch of fresh, delicious, amazing pastries, right, from a top bakery in the fridge all over the kitchen and sets up video surveillance just to see if your resolve will weaken. I mean, isn't that what it's like? If you go to the website loyaltytest.com, you'll see the people that are apparently calling you.
I have had that happen. I have had people plant food in my fridge and then booby trap it because they know I can't resist. Yeah, that's—
Were there small lenses poking out?
And what does it tell you of the partner? Like, would you not be more pissed that your so-called partner paid a hottie to catfish you instead of just being a wonderful partner?
I think if this is happening in your relationship, then you probably have bigger problems than whether or not your partner would respond to an approach from a stranger. And the thing that kind of bothers me most about this is what of these testers?
Well, it doesn't take much to be approved. An active Instagram account, it seems, and you don't even have to use a real name there. And you have an agreement to abide by the Loyalty Test terms. But how do we know that they don't keep the information on their, you know, 'cause it's all their devices and stuff, right? So all the stuff that they're screenshotting and taking. Anyway, it's—
So nice advert for loyaltytest.com. Well done, Carole. You've promoted their service.
I'm just thinking if you're doing this, asking the private info of someone you supposedly care about, right?
Yes, yes.
By inviting someone with little to no verification to seduce them, all in the name of catching them out. Like, ain't love great?
And someone could sign up for this service and then become a scammer, right? You know, having got themselves into this situation.
No, no, no, stay well clear of this. None of this nonsense.
Okay, okay. Kind of tempted to sign up though.
I knew you would.
This week we're sponsored by ClearVPN, developed by MacPaw, a software company from Ukraine with more than 30 million users worldwide. ClearVPN is incredibly user-friendly, ensuring that even non-tech-savvy users can easily protect their online privacy without any extra technical skills required. ClearVPN has a free plan for all users worldwide. It can hide your IP address and browse without geo-restrictions. And the best part is, you don't even need an account to start using ClearVPN's free plan. It's entirely anonymous. ClearVPN works on Mac, Windows, Android, and iOS. And with its premium plan, you can be teleported to 40 other countries to unlock content on the top streaming services such as Netflix USA, Hulu, HBO Max, BBC iPlayer, and more. To make your life online more safe and private with ClearVPN right now, you can try out 30 days of free trial premium. Head over to smashingsecurity.com/clearvpn, click Start 30 Days, go through the registration, and then download ClearVPN to your device. That's smashingsecurity.com/clearvpn.
If you work in security or IT and your company uses Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
Feeling like you have too many alerts, overwhelmed by vulnerabilities, and at the end of the day, not deploying apps as quickly as you'd like? Well, Sysdig delivers the industry's only complete consolidated cloud-native application protection platform, CNAPP, powered by Runtime Insights, to prioritize critical risks and stay ahead of unknown threats. With Runtime Insights, you can level up your cloud visibility, shift left the right way and start scanning for vulnerabilities earlier, shield right to protect your production environment, and keep dev teams innovating securely at cloud speed. Now is the time to transform your cloud security. So visit sysdig.com/cloudsecurity to learn more. That's sysdig.com/smashing. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.
Better not be.
Now, a few weeks ago, my pick of the week was not pick of the week. My pick of the week was in fact a nitpick of the week.
Mm-hmm.
Everyone loved my nitpick of the week, all about EV chargers, and it put me in mind that maybe some of my other grumbles in life could be used as a nitpick of the week. So I am, I've recently moved house. And there've been a couple of teething problems. One of my teething problems is with the hob on my oven, right? There's the hot plates.
Yeah.
Right. And it's an electric hob. And it has this touch interface. You have to press down on that to turn it on, and then you choose the hot plate, and then you have to go blink, blink, blink, and blink to try and turn it up or dink, dink, dink, to turn it down. All the time, your food is bubbling over. Everything's going everywhere, it's making a mess.
Do you not have handles on your receptacles to move them?
This is a typical female response to the problem.
Female? Wow. Okay.
Whoa.
Welcome back in 1980s.
My partner had the same response, which is why sample size of two.
Yeah, sample size of two, and they both have teeth.
Rough.
Okay.
Why did you bother turning it down or trying to turn it down rather than pick it up?
In this particular instance, I wasn't quick enough to pick it up, or I thought turning it down would be enough. It was not sufficient. And the thing is, these touch—
Eh!
So this is, this is just a piece of ceramic glass or something, right, on the hob. And they don't give you knobs. And my nitpick of the week is, why do induction hobs not have knobs?
So your whole stories, both your stories have to do with domes this week. Wow.
So it turns out the one I have at the moment is a pure electric. I was wondering why, because the previous place I was at was an induction hob with touch buttons, and it really, really annoyed me that it was so awful. The new one is even worse. And so I have gone on a search on the internet for induction hobs with knobs, and it turns out no one's making them. No one's doing them because they say, oh, but it's so much easier to clean the hob if you don't have a knob on it. Well, yes, but it's also a whole lot easier to make great things happen.
Are your fingers too flat for, too wide for the button? I don't really understand. Can I just say, my suggestion to you, right?
Yes.
Is to touch the touchscreen gently rather than cramming your finger on it and pushing as hard as you can, thinking it's not registering.
Your massive sausage finger.
It doesn't matter.
Yeah, just gentle, gentle touch, touch, gentle touch.
Doesn't work. And if your fingers are wet because maybe you've dared to wash your hands before doing the cooking, and not drying them, because— And still, or maybe your fingers are a little bit sweaty because you're feeling the heat of the kitchen. All these hot plates, all these hot plates going off at once. And so you can't control the thing. So I've done lots of searching. I've only managed to find two hobs of the size I need which actually have knobs. They're very, very rare. There's one by a company called Smeg. I want Smeg with knobs on the hob. I don't want that. And it costs £800. Or there's another one from Cookology. I'm not very happy. I've decided I'm going to risk buying the one that's affordable with knobs. And I will report back. But I suspect there are other people out there.
Why don't you buy— Why don't you just buy an induction stove? An induction hob?
That's what I am getting.
Okay. Because you said electric everywhere. I heard electric, 19— you know, with the coils.
What do you think induction is powered by? Clockwork or little mice running around in a turnstile?
Look, I'm worried about you having a heart attack with all your nitpicks.
Well, so I am getting an induction hob, but they've all got touch interfaces which are bloody awful. Some of them have this special— oh, we've got this magnetic knob which you can just drop down on the top and it will— you can turn it. It's you're going to lose that and that's no good. Just having one knob. I want four knobs for the four hot plates. I'm buying one. If anyone's interested, follow me on Twitter and I'll tell you what the results are when it comes through. But I'm really angry about this.
Sorry, X.
Don't even get me started on that.
Can we move on? This has been great. Get off the soapbox here.
That was my nitpick of the week. And now, Mark, what's your pick of the week?
Well, I think you need my pick of the week.
Oh!
My pick of the week is a book.
Yes?
It's called Longevity Simplified by Dr. Howard J. Luks, who is an orthopedic surgeon and a bit of a personality on the website formerly known as Twitter. And he's written a book about how to lead a long and healthy life by staving off metabolic syndrome, which is the umbrella condition that manifests as heart disease, diabetes, and the other sort of chronic illnesses of the Western world. They're all actually just aspects of the same metabolic syndrome. And he writes about what makes the biggest difference to your longevity and why. And he explains how to do the really big things, sleeping and eating and exercising, better. And it isn't what you might think. So, for example, if you think about exercise, most exercise programs are actually optimized for some type of athletic performance. So they're about making yourself faster or stronger or building stamina. You know, if you run a marathon, right, you're not actually trying to make yourself healthier, you're trying to make yourself able to run 26 miles. But his exercise program in this book is about doing lots of things— look, it's about doing lots of fairly easy activity very, very consistently. And by consistently, I mean over decades.
All right. You can catch up, Graham. Don't be put off.
I'm not sure I've got another decade.
That's what you need if you want to live a long and healthy life, if you want the healthy portion of your life to be longer. What I really like about the book is, although it goes into some depth about the science, so if you're a bit nerdy like me and you want to know, okay, well, why does it work? Why does that help? But it's actually, despite all of that, it's a really easy read. And you can see that they've actually put lots and lots of effort into making it something that's very easy to read and digest.
So digest, hehe.
How many words are on the page? You know, the size of the margins and then the text itself, it's full of things like repetition and recaps and stuff like that. So it's very easy to kind of take notes as you're reading it.
I have to ask you, have you read it? Have you read the whole book, or you're halfway through or something?
I'm halfway through.
Okay, so you must have at least three takeaways for Graham.
For Graham? For Graham? What, for his knob situation?
Takeaway number one is look after your sleep.
Oh, I'm screwed.
Sleep is massively important. It's the number one thing in the book. It's the thing he goes into first because it underpins everything else. That's when your body does all of its repair work.
Work.
That's when everything gets better, basically. All the exercise that you do, you know, you stimulate your body with exercise and then you become stronger, fitter, more athletic, blah blah blah. That all happens while you're asleep. And also, you know, the sleep is where your brain does its maintenance and things like that. So sleep is massively important. Food— it's all about unprocessed food. Now that's not news, probably, but it's still true. And then the exercise, it's, he talks about these Nordic skiers, like people who are very, very good Nordic skiers in their 20s, and they were tested by some university, I can't remember who, as they got into their 80s and 90s, and they still had cardiovascular systems equivalent to sort of college-age kids.
And wow, you're gonna live forever, Mark.
Yeah, what that comes down to is the fact that these guys, they never ever trained hard, but they trained consistently for 30, 40, 50 years.
Yeah, a bit too late, Graham, out there doing low-level exercise.
So it's a different kind of exercise. But anyway, it's just a super, super readable book.
Yeah, give us the name one more time. Yeah, yeah, give us the name and the author.
So it's Longevity Simplified by Dr. Howard J. Luks, and he's worth a follow on the website formerly known as Twitter as well, because he actually tweets out a lot of the stuff from the book and answers questions and so on. Have you ever seen the Huberman Lab podcast and things like that?
No.
Are you familiar with Andrew Huberman? He's one of these optimizers, so he runs a lab and he goes into enormous depth about things like meditation and supplements. And Howard Luks is like the anti-Huberman, right? I saw Huberman described as an optimizer, like, you know, what is the absolute—like, what 100 supplements should you be taking every day? Like, how do you meditate for an hour every day? If you break your life down into thousands and thousands of different aspects and then try to optimize every single one of them, you don't have any time left to actually have your life. And, you know, this kind of stuff is massively popular. I know all the guests on Joe Rogan and things like that. Huberman's got his own podcast. And Howard Luks is kind of like the total opposite of that—like, these are the general patterns you need to follow in your life, don't worry about all that, don't worry so much about the detail, get the big stuff right. Anyway, give it a read, Graham.
Amazing.
Sounds interesting. I like that it's simplified. The way you've described it, it does sound like it's easy to digest, as you said. So it's an interesting one. Carole, what's your pick of the week?
Oh my God, you guys are gonna love my pick of the week this week. It's me.
Woo!
No, you know, like people know that I do art, right? And I do a few exhibitions, just very nascent in the whole thing. But the Oxford Art Society is currently having its open exhibition for 2023 where people like me get a chance to show their work. And I'm proud to say that one of my entries got in again. And you can go see it online—it's called Sophie's Piano Lesson. There's a link in the show notes so you can go see not just my piece, but all the other—there's hundreds of great works. Like, we've got a really amazing set of artists in Oxford, just huge. And you can even see my art buddy Sally Ann Stewart—she's a linocut artist. Graham, I think you bought one of hers before.
I did. I went to an exhibition where you were exhibiting as well, and I bought one of her pieces. Yeah, it's very nice.
And the best news is now that I've exhibited in two exhibitions, I'm now eligible to become an Oxford Art Society member. And I'm waiting for the invitation, guys. So yay me, I'm the pick of the week. And if you want to see other works from me, where should they go, Graham?
Carole.wtf. Yay.
I just want to make sure you do it. And that is my pick of the week.
Well done indeed. That's brilliant news. Sophie's Piano Lesson—I'm looking at it right now. It's one of your ink and watercolors, isn't it?
The problem was, this year they wanted to do it online. There was some bit of a disaster with the location where they normally hold this. And so I suddenly panicked and I was thinking watercolor is so difficult to really appreciate online. And so I sent in both works of ink and then I didn't—I don't regret sending this one in, but I just, yeah, anyway, I don't know.
It looks great. I really like it. Brilliant.
Thanks, buddy.
There you go. Now, Carole, you've been speaking to the chaps from Sysdig this week, haven't you?
Yes, I have, with Alex Lawrence. He's the—well, you're going to hear from him in a few seconds and we're going to learn all about their findings in their threat report. And we're going to be focusing on the cloud. So listen up. Today, listeners, I have the pleasure of speaking with Alex Lawrence, a principal security architect at Sysdig. This is a company on a mission to make every cloud deployment secure and reliable. So welcome, Alex. Thanks for chatting with me.
Yeah, thanks for having me.
Now, we have a lot to cover today, but first, maybe you can just tell us a little bit about Sysdig and your role there as principal security architect.
Yeah. Sysdig, as you said, we have a mission to secure the cloud, right? We are a kind of weird startup, I suppose. But our overall goal has always been to figure out how to instrument and how to secure things in the most native way possible. So for workloads, that's system calls. For the cloud, that's logs. For applications, that might be streaming data sources. Right. And so it's kind of whatever is the appropriate way to approach looking into that application's information. That's the way we go.
It sounds very like a good approach. Not many people do that.
Yeah, it's a little bit more work upfront, but it has some pretty rich results on the end result of that. At Sysdig, for me specifically, I've been here about 5 years now, maybe 5 years and 2 days or something like that. And my overall goal is to just help people figure out how to deal with the complexity of the cloud and how to deal with securing all of those diverse assets.
Okay, good. You're the perfect person to talk about your Global Cloud Threat Report 2023 from Sysdig. I had a glance at the report, a little read, and it seems that the main focus is the amazing speed and swiftness of cloud attacks. To quote the Sysdig report, "opportunistic attacks average under 2 minutes to find a publicly exposed credential and 21 minutes for credential discovery to attack initiation." So this seems ridiculously fast for me for an average attack.
Yes, it is extremely fast. That's probably the single biggest change in the attack surface when it comes to cloud versus on-premises or things is just how quickly an attack advances in the cloud. And a lot of that comes down to the reason we all use it in the first place, right? We abandon traditional data centers as a global IT group, mostly just because of how quickly we can get things done, right? That's the main driving factor of moving to the cloud. And it benefits us. It also benefits the attackers. And so you don't have that same kind of time to find things anymore. The stuff on the cloud is significantly faster. I think the threat report calls it cloud automation weaponized.
This is so crazy because whilst it's a big benefit to organizations, and I can totally see that it allows people to work collaboratively across geographies and everything. I mean, it's an amazing tool, but I guess there's also weaknesses in that design that help attackers. So before they actually initiate an attack, what goes on on the attacker side? They must do some recon or something.
Yeah, yeah, they certainly do. So there's this wonderful blog we put out about this really interesting attack called SCARLETEEL. So if you just Google like Sysdig SCARLETEEL, you'll find the blog. But basically it goes through kind of a story about how these things happen in the cloud and how much more complex they actually are. And so for that initial access, traditionally it's exploiting something, right? That could be exploiting credentials that were exposed in an S3 bucket. That could be exploiting a vulnerability in an application. That could be finding some misconfiguration in your cloud assets, maybe in a region you don't typically use. There's any number of ways they'll gain access and they'll look at pretty much everything under the sun to find that one spot that has kind of the weak point, so to speak, to break in and start doing something. There's a lot of recon that happens and it's a lot around misconfiguration. And honestly, it's typically purely by accident in terms of how that misconfiguration made it to production. So if you think about all the different tools involved in creating cloud applications, there's about a bajillion of them. And all it takes is one, you know, developer or one admin, one ops person to try to get their job done too quickly and they forget to go sanitize something or make this change or they push the thing from stage into production and suddenly all of those credentials are exposed and it just takes minutes to find those things these days.
So, okay, am I being hyperbolic in saying that any organization that has a cloud that is unprotected is at risk? Because a lot of this, I don't know, initial stages is automated, I guess, on their side, correct?
Yeah, no, they absolutely are at risk. Right. And again, these things are just surely from, for the most part, accidents, right? One of the wonderful things about the cloud is that it has all this automation built in and we know all these defined endpoints and ingress and egress. We know how to access all of our content on the cloud. Most of these public, these ranges, IP addresses, accessible things, they're all published out there, right? It's all on documentation. That also means all the attackers know where to find everything, right? You can set up scanners, just go look for exposed S3 buckets. And if it was just up for a few minutes, you know, it's going to get compromised.
And what do they do? So they grab all this data. What do they do? They're just selling it on or what?
They could, right? There certainly is a market for selling stolen credentials. And I would say that that's predominantly focused in kind of the, you know, the Fortune 500, Fortune 1000 around the world, the biggest of the bigs, those are the ones who are at risk for having their stuff sold. If you're kind of a smaller startup or a mom-and-pop shop, you're just doing something, you're selling pizzas, salads, who knows, whatever it might be. Those are the folks who are kind of more opportunistic, right? And so it kind of depends on your profile for what matters the most. But at the end of the day, you know, they could be monetizing the credentials. They are more likely taking those credentials themselves and then accessing your environment, right? So if we look at kind of step two of SCARLETEEL, it's really about doing installation of tools, doing, you know, basic crypto mining, stealing credentials, stealing access to things. It's basically trying to get more information, kind of sitting and persisting in that environment, looking for what can they do with what they now have access to.
And what about ransomware? You mentioned crypto. See, I don't know, my— in my world, crypto is kind of dead, but maybe it's not.
Yeah, crypto's here to stay. So yeah, there certainly are ransomware issues, right? That's probably one of the things that's top of mind for most CISOs. So someone gets in my environment and they encrypt everything and I lose access to it, what do I do? Right, that's what backups are for. So hopefully people have good strategies. You still got to have backup plans even in the cloud. If you can get your content back, great. But that doesn't mean that that's where it ends, right? You know, if they truly got access to your content, then that means they also can distribute it. Right, and so that whole notion of ransomware is a particularly interesting one. But there's far more than just that that crypto means, right? Crypto could mean securing the stuff or could be encrypting the stuff. It could also be crypto mining, right? They could be just looking to get some bitcoin off your environment. And what's interesting there is that it's pretty low cost or low benefit to them, but pretty high cost to the person that's being attacked. I think in the threat report last year that we put out, it was roughly for every dollar they make, it costs you $53 on your infrastructure. Wow, so to put it differently, you know, $1,000 to them is $53,000 to you.
That's pretty crappy ROI.
Yeah, for the person being attacked, it hurts.
Yeah, not only your reputation, but— OK, so this is pretty bleak. And I'm hoping you have a silver lining to this cloud to help us understand how the people that use the cloud, all these organizations around the world, can better protect themselves.
Yeah, I mean, it should be top of mind, right? Like, a lot of people used to think that, hey, I'm in the cloud. I don't have to worry about security quite as much, right? We are the kind of random people out in the world. That's not really the case anymore. I think it was an IBM report that came out a few years back that as of 2020, the cloud is attacked more often than on-premises, right? So even if you move to the cloud, it's not security by obscurity. It's the standard way of operating these days. And so you have to think about how do I do all of the things I used to do in a completely different environment? When you had on-premises, it was really simple because you could have a firewall, you could have defined ingress points. So you knew exactly where data was flowing in and out of that. That's not what the cloud looks like, right? We typically use the analogy that if the on-premises data center was a castle, the cloud was a carnival. And so it's significantly harder to deal with. And so what do you do? How do you secure all of those things? You have to adapt with the times. And so we use the analogy of a camcorder. Right? If I can have something that looks at all of my different permutations of my environments in the cloud, and it does it in a way that makes sense for that application, that service, that whatever it is, I can then have full visibility across that entire thing. And so from Sysdig's perspective, if we can instrument the cloud logs, if we use Amazon as an example, if we can instrument CloudTrail, if we can look at all of that data about how configuration changes are happening in your cloud infrastructure, we can look for misconfiguration in real time. We look for attacks in real time. We can look for people exposing credentials in real time. And that real-time piece is the key, right? As you said at the start of this, people are being attacked extremely fast, right? 
That dwell time, that amount of time that they take from the moment they get in to the moment they start doing something is extremely fast, right? It's way lower than it ever used to be. And so if you're not looking at stuff in real-time context, you're exposing yourself to a risk. So one of the things that we put in this threat report that I think is interesting, it's point 3 or something in it, that supply chain security isn't safe enough. Right. Most people will do things scanning their images. They will scan for configuration problems. They'll look at all of the static analysis components of their infrastructure. And that catches about 90% of all of the vulnerabilities that they're exposed to. There's 10% that doesn't catch, and they ignore that 10%, right? That's the runtime things. So 10% of all threats don't show up until the application actually starts running. And that's when the interesting things start to happen, right? That's when crypto mining happens. That's when you start having access to credentials being hit. And so if you're not looking at that 10%, you're missing a humongous piece of the puzzle. It sounds pretty small. But when we start talking about, you know, $1,000 to them is $53,000 to us, that 10% matters an awful lot.
See, what I like is that you kind of put security first and foremost. And I think many clouds are about ease of use or ease of onboarding, really quick onboarding and not worrying about the details of security. And not that every individual wants to worry about it, but I'm glad someone is there in the chain, right? You want someone there to look after this stuff for you. What do you feel about IT security folks out there that have to secure this stuff? What things could they do right now to kind of look and see if they've got an issue or a problem that they need to address quickly?
Yeah, the first thing they can do is never stop learning. And that's probably the single most important thing you can do in this industry is to try to do everything you can to stay on top of the way things evolve. Because if you don't, you're going to get left behind. One of the things I'm very passionate about is trying to help change the way we view our security models at our organizations. So traditionally in the commercial sector, people have viewed their security posture as a competitive advantage, which to some degree it certainly is, right? But that lends them to not wanting to communicate too openly about how they are handling breaches, how they are handling attacks, how they're handling their security posture. Because that's privileged information to the company. I guarantee you our adversaries are not doing that, right? Our adversaries are leveraging open communication platforms. They're leveraging working with each other, right? They're acting like an open community to talk about how they're exploiting things. And we aren't doing the same in kind, right? We're trying to keep that information to ourselves. That is a disservice to everybody in the industry. And so the biggest thing we can do is be more open in our communication. Be more open to working together. We vehemently believe here at Sysdig that open source is the future of cloud security, and that's a large reason why, right? If we are leveraging open standard tools to do a lot of these things, we can react as fast to the attacks as they are in coming up with new ways and novel ways to break into our infrastructure. And it starts by being open to learning and being open to communicate with each other and being able to work together to up all of our security posture as opposed to keeping it as a secret to ourselves.
Yes. Your secret weapon is collaborate and be open.
Correct. Correct. And so if you look at the foundation of the entire security tooling that we bring to the market, it's all built on open source, right? Falco is the runtime detection engine that we use. Rego is our policy engine that we use for CSPM type stuff. All of the things that we do are out in the open because we fundamentally believe that's the way to get the competitive edge in security as time goes on in the cloud.
I love that. And what would you say to someone, for example, a CISO or a CIO who really needs to get buy-in from the board but is having trouble communicating their requirements?
Yeah, I think if there were one particular way to do that, that person would be making an awful lot of money.
Your advice then, because you must have seen or heard of these situations much more than the average person?
I mean, honestly, I think the best way to do it is to not try to use that whole scare tactic technique. It's just about, again, being open and honest about the threats we're facing and the reasons that we have to change the way we think. It's basically that we need to adapt to the times. We need to be able to address threats in the way that makes sense with the way cloud operates. And trust me, it's a lot less pain to. Oh my gosh. Yes.
Because I've been in that situation too, and it's not fun. Yes. Listeners, you can learn even more about cloud-based attacks and everything that Sysdig does to try and prevent them by going to sysdig.com/smashing. That's sysdig.com/smashing. And thank you so much, Mr. Alex Lawrence, Principal Security Architect at Sysdig for chatting with us.
No problem. Thank you for having me.
Terrific stuff. And that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would like to follow you online, find out what you're up to. What is the best way for folks to do that?
You can find me on the website formerly known as Twitter @MarkStockley.
Easy. And you can follow us on Twitter @SmashinSecurity, no G, Twitter wouldn't allow us to have a G. We've also got a Mastodon account. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And massive thank you to this episode's sponsors, Sysdig, Kolide, and ClearVPN. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 337 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Bye.
Both of our stories had to do with, yes, controlling cheaters in some way.
What does that say? What does that say? I've been looking at loyalty tests some more. So what I hadn't appreciated is I basically set myself up. I can choose how much I charge people for this.
Yes.
This service that I'm going to offer.
You'd be very good. I think people should pay a lot of money.
I think I'd be brilliant at this.
I think you would be. And then you get to snapshot it and send it to the husbands and the wives.
Oh yeah, and ruin people's lives.
I knew it, I knew it.
Well, what a wonderful thing. Yes, it's something to tell the grandchildren, isn't it? So they can be proud of. What did you do during the great Brexit disaster, Dad? Oh, I tried to ruin people's relationships online. Poor old Carole. Yeah, wonderful.
Hosts: Graham Cluley, Carole Theriault.
Guest: Mark Stockley.
Episode links:
- 199: A few tech cock-ups, and one cock lock-up – Smashing Security.
- Smart male chastity lock cock-up – Pen Test Partners.
- “My sexual urges are so out of control I’m considering buying a chastity cage” – Dear Deidre, The Sun.
- Maker of ‘smart’ chastity cage left users’ emails, passwords, and locations exposed – TechCrunch.
- Dispatch pauses AI sports writing program – Axios.
- Would Your Partner Cheat? These ‘Testers’ Will Give You an Answer – The New York Times.
- Loyalty Test.
- Nitpick: Why don’t induction hobs have knobs?
- Longevity… simplified – book by Dr Howard J Luks.
- Oxford Art Society Open Exhibition 2023.
- Carole Theriault art website.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Sysdig – Is your cloud secure? Not without runtime insights! Sysdig delivers the industry’s ONLY complete, consolidated Cloud-Native Application Protection Platform (CNAPP) – powered by runtime insights – to prioritize critical risks and stay ahead of unknown threats. Learn how runtime insights reduces fatigue so developers can focus on delivering software and your security teams can focus on other demands.
- ClearVPN – Hide your IP address, browse without geo-restrictions, and stay private online with a 30 day free trial of its premium plan.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.