Smashing Security podcast #341: Another T-Mobile breach, ThemeBleed, and farewell Naked Security

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


Mix TikTok with facial recognition, and you’ve got a doxxing nightmare, T-Mobile users report bizarre behaviour in their accounts, and a Windows flaw provides a new means of infecting users.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

I think it was Twitter I logged out of, and I got a message along the lines of, "Thanks for logging out. You can log back in again later if you like."

Paul Ducklin

You made me create an account. It took quite a while. I've got to think up a password and give you my phone number. Well, not anymore. They don't do phone numbers, but for 2FA. I'm thinking, it would never have occurred to me that because I had to log in in the first place to use the account, that I might ever want to log in again.

Unknown

Smashing Security, episode 341. Another T-Mobile breach, ThemeBleed, and farewell Naked Security with Carole Theriault and Graham Cluley.

Graham Cluley

Hello, hello, and welcome to Smashing Security, episode 341. My name's Graham Cluley. And I'm Carole Theriault. And this week we're joined by a blast from the past, someone who's been on the podcast since some of his very earliest episodes and someone we've both worked with for many, many years.

Carole Theriault

Mr. Paul Ducklin. Hi, Duck.

Paul

Hello, folks. Thanks for having me. Of course. Strange circumstances, I must admit.

Graham

What are these strange circumstances you refer to? Enlighten our listeners. What's going on, Duck? Well, unfortunately, on the very day we're recording, visitors who know me with my Naked Security persona who visit nakedsecurity.sophos.com will notice that the site's being archived to the Sophos news site. Crikey. So it's sort of the end of one era, but as your wife said, actually, it's the beginning of the next great adventure. And you've been there quite a long time at Sophos, haven't you?

Paul

Yes I was hoping to make 30 years but I didn't quite get there. 28.5.

Carole

28 years! Graham, you and I did a long time. How long did you do there?

Graham

I think I did about 13 or 14 years which is nothing compared to Duck. I did 15, so yeah I'm half Duck so you're twice as good. I'm going to be discussing how sometimes being hacked can actually look better than the alternative.

Carole

Okay. And what about you, Duck?

Paul

I am going to be talking about ThemeBleed, as it was perhaps slightly inaccurately called, and there are lots of lessons we can learn.

Carole

And I have a warning for all those who brunch with besties. All this and much more coming up on this episode of Smashing Security. Now, chums, last week, users of the T-Mobile mobile app, that's not me stuttering there, the mobile app for T-Mobile, they started complaining online about something they're experiencing. You're kidding! Oh dear. So what, so I could go in and I'd be looking for my stuff to make sure I have enough data for the train or something and I can see Duck's bill?

Graham

Potentially it may have been whoever, yeah. So you could see other people's names, their home addresses, their credit balance, their contact numbers, their device IDs, their credit card information.

Carole

Wow. Did that include expiry and stuff?

Graham

I'm not sure if it did. I'm not sure if it included all of that. And maybe some of it was redacted as well, I'm not sure. But certainly, it wouldn't make you feel very comfortable about how well T-Mobile was looking after your own data, of course, because if they're showing you other people's, the next logical thing you should be thinking is could it be that my data is also being shown to other people?

Paul

I think, Graham, you'd be more likely to think what's the chance that my data isn't being shown to all? In a way that I can't predict.

Graham

Yeah. So people were posting up on this on Twitter, for instance, with screenshots of people's account information saying, "Whoa, why am I seeing this? My name's not Claudia," redacted they were saying. Well, yeah, they didn't have all of the sensitive information there, but enough to show that it wasn't them. Or Android users were showing information suggesting that they had iPhones connected to their account.

Paul

Oh, that would cause a ruction, wouldn't it? That's almost worse than people knowing your home address. If you're an Android fan and they think you've gone to the dark side, oh, dear. So T-Mobile, they were replying to some of these users on social media. They're saying, well, thank you. Thank you for reaching out with your question about your account security. Could you send us a DM? We want to ensure your privacy. And we'll look at your account and address all of your concerns, they were saying.

Carole

What if someone screws up, basically, in the code?

Graham

If someone's data is leaked, it may not be the work of a hacker, but surely that is a breach, isn't it, Duck?

Paul

Well, it's certainly a data leak, and that's covered by things like GDPR and privacy regulations. If I log into my account, I should see information that I expect to see, and I shouldn't be allowed to see, or it shouldn't be possible for me to see other personally identified information for other people. I suppose to try and see it from T-Mobile's side, maybe they're thinking when we say breach, it means that someone steamed in and uploaded gigabytes or petabytes of stuff.

Carole

Or downloaded and held it for ransom.

Paul

Yeah, whatever it is. But I think the difference between a data breach and a data leak, I think that's a little bit of a semantic game. It's definitely a privacy breach. Yes. I would say someone's privacy has been breached.

Carole

Well, for the customer, it is, of course, 100%.

Paul

And the weird thing is that in a case like this, it's very difficult to discover what the scale is, isn't it? If you know the crooks have been in and they've got absolutely everything, then you can basically fall on your sword and say, look, as far as we can tell, they stole 62 gigabytes and it affected 14.5% of our user base. And we will contact each and every one of those people to tell them what to do next. But when you know that X could have seen Y's data and quite a lot of X's saw quite a lot of Y's, how do you know just how much leakage there was and how do you decide how controllable it was by the person who's viewing it? So you know Graham, you log in, you see Carole's data and you think wow, that's bad. But if you're more of a sort of axe type who thinks wow, something's gone wrong, let me see if I keep logging in will I get more and more and more? Can I automate this? Can I scrape data? Very hard to say who saw what.

Graham

So T-Mobile did try and clarify a little bit about the scale of this. They said it was a temporary system glitch related to a planned overnight technology update involving limited account information and they said for fewer than 100 customers and they said we quickly resolved it.

Paul

Oh, so they think they got the lid on it.

Carole

That's certainly their message. Yeah.

Graham

They think they got the lid on it. They think they did it fairly quickly. They say fewer than 100 customers. Now, from what I've seen online, it's not fewer than 100 customers who saw other people's information. It was, according to T-Mobile, fewer than 100 customers who had their information exposed.

Carole

To God knows how many people.

Graham

And some people did say, I logged in every 15 minutes and I was getting different people's information each time when I was logging in. So I don't know if they would have cycled through all 100, but, you know, again, I think it feels to me like T-Mobile are trying to downplay this a little bit, saying, well, not, you know, okay, not a cyber attack. I get that. It does feel to me like it is a breach, to my mind. The credit card details were involved, and people's addresses and their names, and, you know, whether they've got an Android or an iPhone, which, as Duck has explained, is a dangerous thing to know about somebody. One person on Reddit, they said it wasn't a breach. It was a data exposure due to sheer incompetence. And I think in some ways, this is actually worse than a breach. Okay, maybe less people have been affected. What? No. No.

Carole

But don't you think? No, I think it's bad. It's better that they got a lid on it and it wasn't a third party that infiltrated and stole all the data and then is holding it for ransom. As far as a customer perspective. It still sucks that somebody saw my data and that I don't know who and I don't know how many.

Graham

But how could something like this happen? Well, you can imagine lots of different ways, can't you? At least it doesn't sound like, what do they call it, an IDOR, or was it insecure direct object reference, where there's slash 55 in the URL. And when you put 56, you get the next customer, and 57 and 58. Because then I bet you somebody would have scraped as much as they could.

Carole

The thing is, though, you understand, Paul, is that Graham never screws up. Right. So it's impossible to him that this could happen anywhere. It's obviously just sheer incompetence. Competence. I also wonder how long this problem was present for, because some people on Reddit were claiming, well, I've been seeing this for over two weeks and I've said nothing. Oh no, they say, they say, I told T-Mobile security team but didn't get a response. And I was interested in that. I thought, well, hang on, well, you know, what's going on in T-Mobile security team? So I did a little bit of searching. Did you say cynical journalists? Yes, it's like military intelligence, it's the same kind of thing.

Carole

Cynical or not, it is a good question like will it have an effect and I guess you'll never know right? You don't know for certain but it certainly didn't help them in this occasion, did it? Are you a preferred customer of theirs?

Graham

No. There was, there have been a couple of instances this year as well, actually. They exploited a weakness in the API. They stole 37 million T-Mobile customer details in January. In April, and now T-Mobile wants to set the record straight on this one. In April, there were stories that T-Mobile had suffered another hack involving employee details and names and social security numbers. And T-Mobile came out quite loudly and said, nothing to do with us. It's actually a third party called Connectivity Source, and it was their customers and their employees who've had their names and social and all that kind of detail stolen. Now, I went to Connectivity Source's website to find out more about them. And if you go to Connectivity Source, either on Twitter or on their website, try and tell me that they're not T-Mobile because all they've got are photographs of T-Mobile stores and staff wearing T-Mobile shirts. If you did business with Connectivity Source, you would think you were dealing with T-Mobile. So, yes, maybe it technically wasn't T-Mobile who was breached in that case. But I think many of their customers may have imagined the company was actually T-Mobile.

Carole

So maybe if you're a T-Mobile user, you want to look at your T's and C's, you know.

Graham

Well, maybe do a bit more than that. Maybe.

Paul

And you certainly want to keep a closer eye than ever on your bank statements, just in case. You should always review them so you can complain whether you get money going out or coming in that you didn't expect. But if you think you're at potentially higher risk than usual, just make sure that if you see something, you say something. Because the sooner you point it out, the more quickly it will be sorted.

Graham

Well, I think they've got a bad track record when it comes to data breaches, and that wasn't clear at all in your commentary. Well but you know also how many incidents don't we know about? How many times has this sort of thing happened and it hasn't been made public or maybe even T-Mobile itself doesn't know about it? If it's happening with this regularity, you have to say to yourself well you know am I sensible being a T-Mobile customer? Would I be wiser to go elsewhere?

Paul

Will T-Mobile be sponsoring the next podcast?

Graham

Yes, most likely not, Paul.

Paul

What have you got for us this week? Well as I said at the top of the show, ThemeBleed, which is the latest vulnerability with an impressive name. You know where someone decides instead of just calling it CVE dash long string of digits that no one ever remembers, let's give it a fancy name. Now I'll start by saying it probably wasn't a great choice of name because when you say something, something, something bleed, everyone thinks of Heartbleed, which is that infamous bug from what, 2014, I think it was, where OpenSSL leaked data. And so I like to reserve that word bleed for bugs where you can't really control it. It's just that data comes out in the wash. And if you milk that leaking data systematically enough, eventually you end up with a giant bucket full of stuff that you can milk for potential secrets. Now, this is a little bit different because it relates to a specific vulnerability that fortunately Microsoft patched this Patch Tuesday, and it goes around Windows theme files.

Graham

What is a Windows theme? Does that affect how Windows looks on your computer?

Paul

Yes. So it says, I want this particular backdrop. I want this sort of color contrast. I want buttons to look like that. So, you know, it's the kind of thing that if you're a Linux user where these things are more flexible and more competitive, if you like, there's a whole world of themes out there. Ones where the contrast is so terrible that only hardcore hackers can read, you know, brown text on a black background because why make life easy?

Carole

It is weird. So that means you could inject code into it and it wouldn't. It's in the right place. Is that right? That's what I thought.

Paul

Obviously, that's a dumb idea. It's going to be because they've chosen the executable format. That's obviously the bug. Now, Graham, I thought weird when I heard that, but when you think about it, it's not such a crazy idea because as you remember from your Windows coding days, the nice thing about Windows executables compared to the old DOS style ones is that you didn't just have to have executable code. You could pack in your icons and your resources and your text strings and all that stuff in separate sections. And there's no rule that says you have to have an executable code in there. You just don't have an executable section. And it's fairly easy to validate that a program doesn't have an executable section. And so it means that that file can then be processed with normal Windows processing functions to get out things like resources, string names, buttons, bits of bitmaps, all of that sort of stuff. And of course, because it's a Windows executable file, it can be digitally signed using the same technology and checked with the same ABI calls that a program would. So actually, amazingly, the bug wasn't caused by the fact that this style file is a thinly disguised executable. It's caused by a secret feature that a researcher called Gabe underscore K discovered when he was decompiling the theme processing part of the Windows operating system, he discovered that when it's reading this file, one of the things it asks the file for is, what's your version number? And themes haven't evolved much, it seems, even on Windows 11, the version number you'd expect today is four. So I presume it started at one, and it's gone up exactly three times. Great. 
But in the code, there was this weird bit that said, if the version number is 999 (which, coincidentally, is the UK emergency telephone call number, for our overseas listeners), then, hey, do this special thing. And this special thing is: run off, find a DLL with a weird name, it's underscore vrf dot DLL. I've no idea what it stands for, maybe it's version revision function or version revitalization feature, who knows. So by poking this weird, undocumented, secret version 999 into this executable file that isn't an executable file, you trick the system into going and fetching a DLL and running it, presumably so that you can have an emergency way of handling new style types before they're built into the operating system fully, or something.

Graham

Now it sounds like something a programmer built in for their own purposes.

Paul

Golly, we might need this. So let's just keep 999 up our sleeve for when the emergency call comes in. Now, the good news is, of course, the programmers didn't go, okay, we require that the style file gets digitally signed, but we'll let you feed it any DLL. So the DLL, when it comes back, is checked for a valid Microsoft digital signature. But it has what is known in the jargon - it's one of my favorite names for a bug. It sounds like a character out of Tintin comic or something. It's called TOCTOU, which is time of check to time of use. Basically, the code goes like this: open the file, read in the DLL, verify its digital signature, close the file, then load the file. And many a slip twixt the cup and the lip, because it turns out you can actually put the path name to be somewhere remote so that when Windows calls home to get the file, if the attacker controls the server that's serving up the file, they can determine, "Ah, it's the first time they're asking for the magic DLL, let's feed them a Microsoft signed file." You can actually just feed back a style file - even though it doesn't have executable code in it, got a valid signature - and then immediately afterwards you see a second call coming in saying "Hey, send me the file again" and guess what, you just feed it whatever you want. You feed it a rogue DLL and poof! That's very sneaky. So it's a tremendous warning not to embed hidden features in your code, because while I understand the need for it sometimes, it's the kind of thing that, "Oh, if variable name equals 999, then weird extra thing." It's the kind of thing that code reviewers go, "Oh, it's too hard. I don't want to ask."

Carole

Yeah, and I don't think it's necessarily company approved. I know many a developer that would do this just as a CYA move, right? Like, you know, "I'll be able to get in jiggery-pokery about it if I have a secret route in." Well, it wasn't supposed to be a secret route in because it still checks for the digital signature, just didn't check it in the way that if you were doing it in mainstream code you'd probably do it. So they tried to do the right thing, but maybe you're right - it's just a coder thinking, "You know what, I've got the specifications, I'm going to do it like this, but I know what's going to happen."

Paul

And when it came out and people were complaining "Oh no, there's not enough RAM," guess what, they had some headroom and it saved the day. So yeah, I guess Code 999 folks - if there's something that people want in themes or something that doesn't work, "We can feed in this VRF version revision feature." And my advice is, even with the best intentions in the world, if you're a coder, don't do that. Your intentions may be entirely honorable, but as it says in the play Julius Caesar, "The evil that men do lives after them, the good is often interred with their bones." And you know, that's sort of what happens, right? You do something... There's a lot of Shakespeare today.

Carole

Maybe you should head to drama - maybe that could be your new foray.

Graham

A lot of Shakespeare! What was the other Shakespeare we had? Wasn't there - many a slip between the... I can't remember. There was something dramatic.

Paul

Yeah, it's not a Shakespeare quote if you don't actually say "as Shakespeare said." Then it's just, you know, talking.

Graham

Carole, what's your story for us this week?

Carole

Okay, so imagine that the three of us are at a little eatery, maybe in Oxford...

Paul

It's a city. Don't call it a town. People get annoyed and then you have to listen to them for hours about it.

Carole

And we're having a little chat about the good old days working together. And casually, as I stir my flat white, I mention...

Graham

I presume you're going to bleep out that name, are you?

Carole

Of course I'm going to do all the bleeping.

Graham

Okay, all right. And...

Carole

I say, "God, do you remember that guy?" Do you guys remember that? Yeah, I remember. Well, you don't have to say his name very often.

Graham

You don't want to bleep out? No. Okay.

Carole

Do you remember that guy? Do you remember that guy? And you guys might go...

Paul

Oh, is that a prompt? Are we role-playing now? The pathological liar.

Carole

That guy. Okay, maybe that could be a word. But just... And perhaps we'd natter about this for a few minutes, right? And Duck would make us double over with laughter with some kind of impression.

Graham

Yeah, he's enjoying the conversation so far.

Paul

I don't know how this works, so I'm just listening to you guys. It's fascinating because it's going to burst into a sort of cybersecurity story in a minute. To be honest, I'm actually imagining that Carole's sitting there and she's got the flat white, which means I've probably got, if we're at the right coffee shop, my favorite place in Oxford to get an Americano. And I'm just enjoying it. I've got a sparkling water. Not a cranberry juice anymore.

Graham

Have you grown up now?

Paul

No, no, too many calories. Really?

Carole

You know, we move on to new topics, having our little separate drinks, right? Having satiated our appetites for remembering the not so good old days, as well as the fab ones. And, you know, that should be that. However, unbeknownst to us, imagine that we have been gossip-TikToked. What is that you say? I know you're dying to know. What's gossip-TikToked? Well, in our old person parlance, right, it means someone overhears another separate group blathering away about something, figures out that they're shit-slinging, and decides to film it. Exposing them for gossiping about, in our situation, it would be exposing us for gossiping about a guy called [bleep].

Graham

So we could be sat there having a little fun chat about a former colleague or maybe a rival security podcast. Sure. Slagging them off left, right and centre. And someone else is recording us. And what are they going to do with this recording? Are they going to put it on TikTok?

Carole

Yeah, live stream it perhaps or just post it to TikTok. And the idea is to alert the person they're shit talking about to let them know that they shouldn't be friends with these people.

Graham

Right. Well, he wasn't friends with us, was he? So that's fairly easy.

Carole

Yeah, we wouldn't care probably a jot in our situation. But this whole viral, I hate the word, but popular TikTok meme started gaining popularity according to Know Your Meme, right? Because this TikToker posted a video in September showing a group of women at brunch bad-mouthing someone named Sarah. And the TikToker reportedly explained on the video addressing Sarah. They said that your coochie was out, you dressed sleazy. And then the TikToker points her camera at the table where the gossiping is going on and says to the viewers, hold on, I'm about to show you exactly who's talking about you, Sarah. And cue the amateur TikTok sleuths who digitally take flight to try and identify Sarah and warn her.

Graham

Right, how do I do that then?

Carole

Well, share the message. So this video was reported to have gathered more than 15 million views in three days, so that's probably how they're trying to reach her.

Graham

Okay, so everyone's re-sharing it saying do you know these assholes?

Carole

Kind of an exciting kind of feeding frenzy online, right? And it's now known as the help me find Sarah brunch gossip TikTok, hence a trend is born by people who think, well, hey, I can do that too. Because these gossip TikToks take few skills and potentially is limitless because according to Rolling Stone, these types of posts tap into every requirement TikTok's algorithm rewards. It gets shares, it gets comments, it gets bookmarks.

Paul

No, but if it's live streamed, it's got that, you know, hey, this wasn't a professional trying to game the system. This really happened.

Carole

Another example from Rolling Stone, there's a three-minute video. A TikToker tells her 160,000 TikTok followers that she's overheard a table of three bridesmaids gossiping about their wedding that they were recently in. And the TikToker says in the video that the gossip went from tame to sinister, describing the women complaining about the bridesmaid's dresses, the wedding flowers, and how they were asked to style their hair. And she says in the video, you know, so she kind of goads it, because she goes in the video, and she goes, when I tell you, if I were that friend, and I knew that these girls were talking about me like this, I would throw myself into traffic, right? This is a girl who has 160,000 followers. And this was viewed more than 1.2 million times. And what seems to be concerning is the call to action afterwards, right? So here's the story, find the person, right? And it takes it from gossiping to almost policing.

Paul

So it's sort of in the end what you do dox the person basically, make them look bad. And presumably if you're the kind of person who gets off on making these videos then you kind of don't even need them to be real, do you? Can just film people talking about something and then just claim that what they were talking about was X or Y or Z or person A, B or C and sort of whip up a frenzy, even though the conversation may have been either mostly or wholly innocent and not necessarily even referring to the individual concerned.

Carole

Because you also hear just a snippet of it and make a whole judgment, right? You're not there for the entire call.

Paul

Yeah, there's probably quite a lot of people in, at least in the English speaking world, called Sarah just got this hinting. So something like that can go an awful long way. And with the right sort of hints in the follow-up video, you could trick people into, air quotes, giant inserted here, finding the wrong person if you wanted.

Carole

Look, I know you can't assume privacy in a public place. But thinking if I'm a restaurateur and I allow people to come to my restaurant, I don't see my restaurant as a public place. And I wouldn't take kindly to someone eavesdropping on a fellow diner to shame my patron. And I wonder if the actual establishment has any recourse. And of course, what the fuck? TikTok, do they not have any recourse for this either to allow this to happen? So, Carole, you're talking about people distributing this video and they're resharing it in the hope that someone will recognize these people. And so you're relying on your followers and their followers. And it begins to escalate into potentially thousands of people resharing it, say, does anyone recognize these guys or whatever?

Graham

So there's an article by Joseph Cox. Joseph Cox was working for Vice, and he and some of his mates have left Vice. And they've now set up their own organisation, 404 Media, where they're doing some great reporting.

Paul

Nice name, isn't it? It's a great name. You sent me to one of their articles recently and you get 404 and you think, oh, no, and there's the article.

Graham

Yes. So they've got the logo and everything. Yeah. So but anyway, they've been looking at this because there are now TikTok accounts where you can actually ask them, identify the person in this video. And what they will do is they are taking screenshots. They're grabbing people's faces who could be in the background of videos or could be in the foreground. They're then putting those faces into sites like PimEyes, which we've spoken about before. So PimEyes is a facial recognition database which spurts back at you people's employment, where they live. Social media accounts. Yeah, it does all of that. And so there have been people who've been finding, you know, they just see someone they fancy in a video. And so you could take this video you're talking about of these bridesmaids or whatever. And rather than just does anyone recognize them, pass them over to these TikTok accounts who are offering to do this for you using facial recognition technology.

Paul

Sort of like crowdsourced Clearview AI. Yeah. And TikTok isn't doing anything about this. So these accounts that you appeal to, those are people who set themselves up as TikTokers whose hobby is finding, identifying, doxing people. So they don't need to be using facial recognition. They could just have a bevy of followers hoping that one of them knows them. It doesn't matter what the technology is that finds the person. They're there acting as unpaid let's take our revenge on society.

Graham

It could be that I think they're gaining most of their followers however by simply putting people's pictures through things like PimEyes in order to get all that information. They then create their own video which contains at first the original video and then has you sort of pops up or something the request from one of their followers, can you tell me who this guy is because I fancy him or something? And then up comes their social media profile and everything else and their name. And so...

Carole

But that could happen with any picture, right? From anybody on the street, right? You could walk around with your phone just on video and do that. Absolutely. Absolutely.

Graham

And people are feeling violated because they think they just have an innocent conversation with someone in a, you know, there's one guy who said he was on holiday in South Africa and someone just quickly filmed a little interview with him. Other people saw it and were intrigued as to who he was. And before he knew it, he was getting emails at his work and thousands of friend requests and all sorts of things, which he did not want. He didn't want his name out there.

Paul

Well, there was a cartoon in a recent private eye of the two blokes watching the test cricket when England were playing Australia. And the guy sitting with a hat with, you know, a proverbial, the big wide-brimmed hat with corks on strings, which is supposed to mark him as an Australian. And he's leaning over and saying to the guy next to him, oh, no, I'm not Australian, I'm English. I just don't want to get recognised by my boss because I called in sick this morning. You're just figuring that in the old days, you might get on television for a moment when the camera panned around the crowd. Today, when you're at a sporting event and people are waving their cameras around. And how often are you just getting publicized to the world? Probably several times every day. So, yeah, I don't know how you police that, though.

Carole

No, and the world is in my view quite bonkers. Can I just show you something that I found during my research, just to get your take on it before we close, right? So it's called the Egg Crack Challenge. Okay, and I've just put a link inside the show notes for you. Yeah, so if you could just take a look at this.

Paul

Oh, are you going to roll me back, Carole? No, I will not.

Graham

I'm watching a video of someone who's cracking an egg on her young child's forehead. Right, it's fucking disgusting. And she's laughing, she's laughing. The baby looks shocked and then bursts into tears. And the kid's crying. But it's all right because it's been videoed to put up on TikTok.

Carole

And it's like humiliation thrums through all scenes. And it started off with people doing it with other adults and then someone somewhere thought, hey, why not just do it on toddlers and children and babies? Fun. So, you know.

Graham

You know what? I've got a solution to both this, both Duck's problem at the cricket match and to the egg crack challenge, which is we should all follow the guidance set by Lord Buckethead. And I don't know if you remember Lord Buckethead. He is a political candidate who's stood in various British general elections with a great big bucket on his head. Oh, did he take up the reins of Screaming Lord Sutch? Yeah, he's in that vein. So when Boris Johnson or whoever, when a major politician is up for election, you'll often get these sort of joke candidates as well. But if we all wore buckets over our heads, that would stop our bosses recognising us and stop the egg crack challenge.

Paul

Good one. Okay. Well, there's a famous American guitarist. He's a very, very good guitarist indeed, who goes by the name Buckethead. And every time he plays, he plays with a KFC bucket on his head.

Carole

That stinks. Do you think he asked for clean ones? Or do you think he's like, last night's will be fine. It's fine.

Graham

Compliance isn't fun, but neither is a data breach or losing a customer. That's why Drata automated it. With Drata you don't have to spend hours collecting evidence, manually testing controls, managing spreadsheets and screenshots, and pestering other teams with requests. We've automated evidence collection, over 85 integrations, and 24-hour monitoring. Drata automates the compliance process and keeps you audit-ready all year round. Drata supports over 16 frameworks, including SOC 2, ISO 27001, GDPR and HIPAA, and with an open API and plenty of customization you can build your compliance program your way. With over 475 five-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com slash Drata. That's smashingsecurity.com slash D-R-A-T-A. And thanks to Drata for supporting the show.

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.

Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic. Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations. Find out more. Download the report at gigamon.com slash smashing. That's G-I-G-A-M-O-N dot com slash smashing, and thanks to Gigamon for supporting the show.

And welcome back. Can you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security related necessarily. Might be. What? You've got... Well, it can be. That's all right. It can be, Carole. That's fine.

Carole

It's my rules. Exactly. I changed my rules for this week.

Graham

Yeah. Doesn't have to be. Doesn't mean it can't be. My pick of the week this week, however, is not security related. My pick of the week... Well, done. ...this week is a documentary which I watched last night on the old Netflix. It is all about free diving. Have either of you had any experience of free diving? I mean, have you ever gone to the bottom of a swimming pool and picked up a brick or something else unpleasant on the bottom of a swimming pool?

Paul

I don't think that really counts as free diving, does it? Free diving isn't free diving like if you don't go 100 metres down and you haven't even

Graham

stopped. It's unbelievable. So this documentary is about an Italian free diver called Alessia Zecchini, and she keeps on breaking world records at freediving. And it tells the story of her and Stephen Keenan, who's an expert safety diver. So they have, because this was the thing, right? So Alessia and her fellow freedivers, they go down 100 metres or whatever and come back. But of course, they run out of air, right? Because they go very, very low down on one breath. They may be down for like four minutes or whatever. An extraordinarily long time. I was actually reading while preparing for this that the world record, there's some chap who goes free diving and he holds his breath for 24 minutes. It's insane, isn't it? Absolutely. But anyway, so in this documentary, which is a beautifully filmed documentary, they show some of these people. And, of course, as they're coming back up, which is quite difficult in itself, they're almost out of the water and quite often at that point they black out. This is quite a common occurrence, and so there are safety divers ready in case they black out, because they have to revive them, because if you black out and your brain isn't getting any oxygen, obviously you could be brain damaged within a couple of minutes, or dead. So it's quite horrific, quite an extreme sport. Anyway, Alessia and this expert safety diver Stephen Keenan, whom she ended up in a relationship with, they are training and they are attempting to cross an infamous underwater arch in Egypt, which has claimed over 100 lives. It's very far down. They're going to go under this arch and come back up at the start. With no air supply. No air supply. Just the breath which you take at the beginning.

Paul

Oh, so that means whatever line they're on, they're going down, they have to unclip to go around the arch and clip back on.

Graham

Yes, I think they unclip or they hold it. I don't know what it is, but yes, they have to free swim under the arch and then back up again. Right at the very beginning, you see this woman descend into deep, deep water, and you just follow her the whole way. It's like it's over three minutes, and in your head, you're thinking, how can she still not have breathed? It's just going on and on and on and on. It's a love story. It's also very emotional. Did you cry? Carole, you know me. No spoilers, but it's a bit of a...

Carole

You blubbed. Graham blubbed. Graham, that didn't answer the question. But... Oh, he fell asleep. No, no, I know he did blub. He fell asleep is what happened.

Graham

I do know him. I didn't fall asleep. So what's it called? It's called The Deepest Breath and it is on Netflix and that is my pick of the week. Duck, what's your pick of the week? Well, I'll be very quick. What with leaving Sophos and all that, I've got to tidy up my old email account to make sure that I've got my personal bills going there and I'm desperately trying to do the right thing by my soon-to-be former boss who'll get my emails after I've left in case there are any bills left. Because I've just got so used to, particularly to all the PR spam that you can imagine has built up after however many decades of dealing with journalists. I've just got used to ignoring it and just mostly hitting delete.

Carole

What does that mean? But Duck, would it be fair, I would say, that perhaps, maybe, during your story I got lost in all the acronyms that you take for granted?

Carole

I didn't put them in the headline. I didn't put that. It wasn't the entire thing. That's true. All of us now, ThemeBleed. At least it's an understandable name. But it's just all letters. And there weren't too many acronyms, if you think, just.

Graham

No, no. It can now be a nitpick of the week. We've established this. If you want to have a nitpick. Oh, I just picked it because I was so amazed that anyone would bother. I think just before coming, before setting up my mic to come on the show, another example of this, I think it was Twitter I logged out of in my browser rather than on my phone. And I got a message along the lines of, I think it goes something like, thanks for logging out. You can log back in again later if you like. And I'm just going, I would never have known if you hadn't told me.

Carole

That was satire, satire, satire.

Paul

That was satire. And remember if we're on the same team I'm on your side.

Carole

Right? Yes, I can guarantee that. Yes, you are, yes.

Graham

Better to have him pissing out. Carole, what's your pick of the week?

Carole

Well, you know. My pick of the week. Slightly security related. It's close to our hearts Paul, Graham and Mark Stockley's and Anna Braiding's. And that is Naked Security, which we've talked about already.

Paul

Oh, God, I'm going to tear up in a minute. Don't go too hard.

Carole

It was our cybersecurity news site that we created way back from scratch. When was it? 2011? Is that right?

Paul

I don't know. No, it must have been 2010. October 2010, I do believe. There you go.

Carole

And it was really difficult to pull off, because we had an extraordinary power play going on in the office. We had a meagre budget. We had little time, but somehow we pulled it off. And it was fun, right? We had some good times. And best of all, it was fun with a really serious side. I remember the dislike campaign we had when Facebook made one of its bullshit moves. We reported on breaches, arrests, campaigns, widespread malware, proofs of concept, everything.

Paul

That Facebook campaign, remember our key thing was HTTPS everywhere. They delivered it very quickly afterwards, and I like to think they did it more quickly because we made a keen point about it. And it wasn't drum banging, it was just saying, you guys can do this, you really can, you know, you're big enough to be able to get everyone across the line. And bless their hearts, love or hate Facebook, they were the first big org to do that, weren't they? And everyone else followed suit afterwards. Google and all.

Graham

I have to say, I've just gone to the Welcome to Naked Security blog post from the 28th of October, 2010, which is, of course, on an HTTPS link. And my browser says, connection not secure. Parts of this page, such as images, are not being transmitted securely. So I don't know. Paul, I don't know if you've still got any contacts you can speak to; there may be some HTTP on that page these days.

Paul

I'm sure there is, yeah. Maybe the links to the, maybe the place where the images live, or...

Carole

You could say, not my problem anymore. My point is to say, though, right, we did do some great stuff. We even managed to get our flagship software translated into Klingon. Do you remember? To celebrate the return of the Star Trek movies.

Paul

I want to hear Graham singing YMCA in Klingon right now. Right, we had YMCA in Klingon.

Graham

I suspect the video we published of Klingon singing YMCA has been removed, however, by Sophos from its official YouTube channels.

Carole

Thing is, guys, we may forget that we were award-winning. We had a million hits a month, a million and a half a month. And that was way back when.

Paul

More than that. I think over two million some months.

Carole

Yeah. So, you know, and as of the day of recording, it has been deactivated. The announcement has gone live, terminated, killed off after what? 13 years. But I'm proud of it, actually. And I thank both of you for helping us make it. We created it together. We kept it alive. There are other people as well, Mark and Anna and everyone else who's involved, and it was cool. And Alice and Charlotte, don't forget those. Oh, yeah, good point. And Yogi. So, yeah.

Paul

Yeah, since 2020, it's been article by Paul Ducklin. Article by Paul Ducklin. Article by Paul Ducklin. Article by Paul Ducklin.

Carole

My pick of the week. Naked Security. R.I.P. You'll always be in our hearts. Onwards and upwards.

Graham

Absolutely. Well, that just about wraps up for this week. I'm sure lots of our listeners would love to follow you online, Paul, and maybe offer you a job. What's the best way for folks to do that?

Paul

X slash Twitter. I'm at Duckblog. You can find me on Facebook, Duckblog, Instagram, and LinkedIn. I'm P Ducklin. Look for the little icon of a duck. It's a mallard, my favourite sort of duck. And yes, if you think that you could do with a fantastic writer, speaker, evangelist, company proselytizer and person with a cybersecurity social conscience, I am looking for work.

Graham

And you can follow us on Twitter at Smashing Security. No G, Twitter and the last of G. We're also on Mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast apps, such as Apple Podcasts, Spotify and Overcast.

Carole

And shout out to this episode's sponsors, Drata, Gigamon and Kolide. And of course, to our wonderful Patreon community. Thanks to them all, this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 340 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye bye. Bye bye.

Carole

Bye. Wow. I think that's our longest episode ever, Graham. How long was that? One hour forty. Jesus. F your word. No, we haven't. No,

Graham

It says one hour. I've got about one hour ten here probably.

Paul

We didn't stop talking until half past the hour because Graham was moaning about it.

Carole

I think it's because I've had my headphones on for an hour and a half and my ears feel like they're going to fall off. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Paul Ducklin – @duckblog

Episode links:

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.
  • Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
