
Workers wonder if their colleagues are actually AI, and we take a deeper look into the curious scams going on via Booking.com.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If they want to bring me in as a consultant, we could maybe even edit this podcast to remove all these references to phishing. All they have to do is get in touch. This whole podcast can be cleaned up.
Just give me my frickin' hotel room, which I need in London, for God's sake.
Smashing Security, Episode 346: How Hackers Are Breaching Booking.com and the Untrustworthy Reviews. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 346. My name's Graham Cluley.
And I'm Carole Theriault.
How's things, Carole? Everything going tickety-boo? What's going on with the new podcast? Big success?
Super success. I think as of yesterday, we had 150 listens, which turns out if you get more than 121, if I remember correctly, from God knows what website. You're in the top 25% downloads. So if you get 121 downloads in a 7-day period, you're in the top 25% podcasts in terms of rankings.
25%, do you mean?
25%, yeah. Not 25, good point.
Yeah, that's what I was confused by.
I'm sorry, there was a big keyword I was missing there, percent. Yeah, top quarter, top quarter.
Anyway, and the name of the podcast, Carole, which you've forgotten to mention, you should mention every time, is?
Audio— no, it's not. Art Musings.
Don't include that.
Don't include that. I have too many podcasts. I don't even know what I'm doing anymore. Art Musings with Sally Ann Stewart. It's fantastic. Just wait to hear me eat my humble pie. Honestly, it's coming.
Brilliant. Let's kick off.
Before we kick off though, let's just thank this week's wonderful sponsors: Kolide, Panoptica, and Vanta. It's their support that helps us give you this show for free. Now coming up on today's show. Graham, what do you got?
I'm gonna be taking another look in at Booking.com.
A whole week it took you to come up with that one. And I am gonna ask the question, is it or ain't it AI? All this and much more coming up on this episode of Smashing Security.
Now, Chum Chum, I want to take you back in time, and listeners, you can come back in time as well. Way, way back to two episodes ago, episode 344, in fact. Yes, a fortnight ago, I talked about how I— yes, your humble host, Graham Cluley— how I almost got scammed while looking for an aubergine in the supermarket. I wasn't scammed by the supermarket. I wasn't scammed in terms of, you know, I was being offered a melon or a pomegranate instead of an aubergine.
I really didn't think we would go back to aubergines and pomegranates again. I thought that was a one-off for the entirety of all the series and episodes I'm going to have.
Unfortunately, I have to come back to this because, of course, the way in which I almost got scammed, if you didn't hear, was via Booking.com. So—
The app. Yeah.
Short story long, or long story short, whichever, we'll find out which is going to be on the way. I made a booking on Booking.com for a hotel. Lovely, lovely. And then I got a message via the Booking.com app, seemingly from the hotel, telling me that there was a problem with my booking. Click on this link to reconfirm my credit card details. Thankfully, I spotted that it was a scam. I didn't click on the link, but I thought, crumbs, how's this happening inside the Booking.com app? And since then, I have been festooned with correspondence from other victims on Booking.com. I've had dozens of people replying to me on social media or sending me emails because they've had similar experiences. Some of them even said that they'd been in touch with Booking.com querying the message and were told, "Oh no, if you got a message via the Booking.com app, it is trustworthy." Turns out it isn't necessarily trustworthy. So people are getting scammed. People are actually losing money because of this as well. And in fact, I was tweeting about this and live as I was tweeting about my continuing experiences on Booking.com and what other people were experiencing, the scammers actually tried it on with me again. I got another notification from the Booking.com app, and I took a look, and it turned out there was someone again posing as the hotel, sending me a message from the hotel.
"Bonjour, monsieur, this is Antoine, the concierge." Pretty much, pretty much, Graham.
They said, "If the link doesn't work, here are banking details in Abu Dhabi," or wherever it was.
Oh, for God's sake.
I was booking a hotel in London. Yeah, so, I mean, obviously that one was fairly obvious, right? But when they just had the link in there, it was less obvious. So this has been quite an interesting topic. And the mainstream media have picked up on this story of Booking.com scams. I'm not suggesting it's since we did the podcast about it. Since we did the podcast about it. The Daily Mail, The Mirror.
Hi, guys.
The Mirror. Oh, yeah, hi, guys, thanks for listening. The Mirror, in fact, they actually picked up the story. They even mentioned my aubergine experience. They mentioned the aubergines in their article. Link's in the show notes.
Oh, for God's sake.
So if you want to hear about my aubergine expedition and how it was interrupted.
How can I make this interesting? I don't need to. Graham had a really wacky approach. Let's grab that.
So, so.
Yeah. Love you all.
So the media are all, oh, okay. Obviously, there's been some interaction with Booking.com as well, because way back when I contacted Booking.com and said, "Oi, there's a problem here," and they didn't get back to me. They were a nightmare to get hold of. They weren't getting back to me, and I wasn't terribly impressed. And I was less impressed when I found out other people were victims as well.
No support is really shitty, and not having information about this on your website is kind of shitty.
And then they sent out an email to people, but it was all a bit vague, and it was all a bit wishy-washy. I thought it'd be interesting to find out how are the bad guys actually doing this, because how can they send a message via the Booking.com app from the hotel? Now, as we speculated on the previous episode, Episode 344, the scammers were breaking into hotels' Booking.com accounts. And from there they could see the bookings which are coming in from legitimate customers like myself, and they were then able to reply to those customers via Booking.com. So it all looked legitimate.
So in other words, you're saying they would have stolen Antoine's password, or they guessed Antoine's password and username and then were able to pose as him and get the information he was — that particular person.
Absolutely.
Right.
Absolutely. So I've done some digging around. I've spoken to some people in the industry who've been looking into this as well.
Well, you got your own Deep Throats.
Mine is called Brian. Hi, Brian. I think he listens to the podcast sometimes. Hi, Brian. Thanks very much. Brian was able to help me out. What he told me is that the criminals are compromising the hotel staff. The way in which they do it is this. They create a fake account on Booking.com, right? A John Smith or whatever. They then book a room via Booking.com with a particular hotel for a certain date. And of course, even if they book it, they can cancel it later and get their money back.
And then they have a problem and contact directly?
Exactly. Then they send a follow-up message to the hotel saying, "Oh, you know, I'm really old," or, "I've got this wheelchair." "I need 15 lamps in the room." Yeah, exactly. "Can you make sure that you've cleaned out the kettle properly? Because I've heard stories that people might urinate in the kettles. I want a cup of tea when I get there." Or whatever their specific requirement.
"I need 10 shower caps. I can't explain why." Wow.
Whatever their specific requirement is, they send a message in, maybe via the Booking.com app, and maybe they attach a malicious booby-trapped PDF file, or they link to a website. Claiming to be pictures or an archive. Like, here's all my information. I need you to do this.
Yeah. I need the room to look exactly like this.
That's right. This color Smarties in the, you know, whatever it may be, whatever their rider may be. And of course, the poor concierge or booking agent inside the hotels, Antoine, right, who's dealing with this, he clicks on the attachments, piff, paff, poof, and his computer is infected. With a keylogger, which then spies upon what's going on on that computer and is able to determine the password and log in or grab the cookie session or whatever it may be to log into Booking.com as that hotel and access everything that Antoine can see. That appears to be the way in which this is happening.
Questions? Yes. Got so many. Did you ask them whether they do staff training on how to avoid scams?
I have not asked anyone, either Antoine or Booking.com, that question.
Or Brian.
But that's — yeah, or Brian, who's my inside man. I haven't asked them whether they do that. You would like to think that they do. You would like to think that they also —
Use multifactor?
Yes, exactly, have multifactor authentication on the accounts. That would make it harder to log in, wouldn't it? You would like to think that they'd have strong, unique passwords, although it appears they wouldn't necessarily help under this particular scenario. But I think there's other things that Booking.com could do as well.
Yeah, like contact any of our sponsors to see if they can improve their security. But yes, what else, Graham?
Very good, Carole. Always the professional. Yes, you could do that. You could, for instance, let's look at a number of possibilities, right? You could say, if you've got a hotel account with Booking.com, you can only log in from a certain IP range. Right. So the hotel can decide. These are our computers. Anyone who tries to log in from Mongolia when we are a Parisian hotel should instantly be considered suspicious.
Because people from Angola don't tend to go to Paris.
No, no, no, no, no, no, no, no, no, no. The people, people from Angola or Mongolia. The employees. Yes, but I'm talking about Antoine, right behind the checking in desk when he logs into Booking.com, the Ruddy Hotel itself, right? Rather than somewhere else in the world.
I like the IP thing. I think you could totally question that IP in the same way that Google does. It's like, is this you? You know, you're in a different place. Yeah.
Yeah. I mean, I'm not saying that's the only protection which you can do. There's other protections you could do as well. You've mentioned training. You could also prevent the hotel from including links in its messages to its customers which do not link to the hotel's own domain name.
Yeah, totally. You could. You could. Yeah, of course you could. I hope you're listening. Take notes, people. Take notes.
Yeah, take notes, Booking.com. I'm giving you loads of ideas here. You could do that, because obviously then, if they try and put together some sort of scammy URL which looks like Antoine's Hotel, it won't actually be it. And so the message will be blocked or treated as suspicious, or they won't be able to post it. It makes it— Makes it more difficult. You could also look at the domains which are included in the links posted in these messages, because what I found was the scam URLs which were posted in these messages were created typically within about 24 hours of the message being posted. So they— these are brand new created domain names which are being used in these scams. And you could say any domain name which is less than 6 months old cannot be included in one of these messages because instantly it's suspicious. Because why would the hotel be linking to some site which never existed before?
Staff could have a dongle, right? With a one-time password.
Yeah, you could have hardware keys. You could even simply have a thing which pops up on Booking.com inside the chat window saying, be suspicious, Mr. User, Mr. Traveler.
No, no.
If you're, well, there's no harm in saying that. They used to say that on AOL, didn't they? Saying AOL staff will never ask you for your password or things, just to alert you.
Do you know why though? They do that for liability. I don't think it's out of the goodness of anyone's heart personally. I think that's a liability issue. It's like, be careful if you see anything suspicious, and if you fail to do so, we'll be able to blame you.
Yeah.
I don't like that personally, but anyway.
Brian has told me about, Brian has told me about one situation. Just give you an idea of the scale of this. A guest booked in for a wedding and ended up being scammed out of €10,000, which the hotel is saying, nothing to do with us. Go to your bank.
Did you and Brian meet down a dark alley somewhere and he shared this information? How did that happen? Was it just on X or what?
I'm not going into any details.
You won't tell me what browser you use?
Yes. The other thing which happened is Booking.com's CISO Spencer Mott has been in touch with me.
Spencer not?
Spencer Mott with an M. M-O-T-T. Spencer M-O-T-T has been in touch with me.
I bet he's listening too. Hi, Spence. Yeah.
Yeah, hi, Spencer. Thanks, Spencer, actually, for replying. He did give me a very detailed and lengthy reply saying that they are putting additional security controls in place.
Excellent.
Because I had a bit of a moan to him. I said, look, not like you at all, Chris. This has happened to me twice, Spencer. Come on. You should have contacted the hotel to stop it happening with them again. It does appear to be quite a widespread problem happening all around the world. And they say that they are creating significant obstacles for fraudsters. Well, we've given them some tips today. I know they may take a while to initiate, but I think they could put some simple protection in place, maybe block all URLs in the messaging system for now. Why not do that?
You know, the ads people might not enjoy that so much.
I don't think there are ads inside the chat system.
Not inside the chat system. No, no, you're right. You're right. Not in the chat. But mind you, I'm trying to think, maybe a user might want to send one.
Maybe. Yeah. Well, I don't mind so much that happening. I don't know.
That's how it went wrong.
That's how— you're right, Carole. You're right, Carole. Anyway, the other question I asked Booking.com is the question that everyone wants to know.
Is it Brian?
No, no, no, no. This is Booking.com.
Oh, this is, yeah, Spencer.
Yes, this is Spencer, the CISO.
So many people.
The other question I said is, so what are you gonna do? What are you gonna do? How are you gonna compensate these travelers?
Did you say me? Did you say me, but you're saying these travelers on the show?
No, no, no, 'cause I haven't, I didn't get scammed. I was, I was, I scammed them.
But you didn't go time, sweat, effort. Do you have any tweets? Do you know how my fingers have bled?
It's a charity, Carole. That's what I'm doing. I'm not charging for this work I'm doing for them.
You're doing this for the world.
If they want to bring me in as a consultant, we could maybe even edit this podcast to remove all these references to Booking.com. All they have to do is get in touch. This whole podcast can be cleaned up.
Just give me my fricking hotel room, which I need in London, for God's sake.
So they have said that regarding losses incurred by our travelers, this is assessed on individual circumstances. In other words, they're not going to help you out. This may be resolved by the paying bank as an intermediary or separately between the hotel partner and ourselves. So they're saying contact customer services. Each case will be investigated upon its own merits.
Hmm.
So what I will do is I'll also put in a link in the show notes to some research that Akamai did back in September looking at this phishing campaign as well. So it's been going on for a while, but for now, be very careful on Booking.com unless of course we get sponsored by Booking.com. In which case, this will just be 10 minutes of static that you're listening to rather than an actual moan about Booking.com.
No, no, no, no. I'm here to, you know, keep us straightened out, Crowe.
Keep it, keep us, okay. Keep us good. Keep us good, Crowe. That's good.
That's my job.
Crowe, what have you got for us this week?
We're going to talk product recommendation websites. Do you use these? Product review sites?
Well, yes.
You know, maybe if you want to buy a new hob. Or something?
Well, yes, I was looking for a hob with knobs and there weren't very many.
Oh, we all know about that.
Yeah. By the way, still going really well. Cooked the ratatouille just great. Thank you for asking.
I didn't, but—
No, you didn't. But anyway, but no, review, absolutely I do. All the time. You know, I think that's—
So what ones do you use? Can you share that information or is that also proprietary?
No, not proprietary. I go to my search engine of choice. I'm not going to say which one that is. And I typically will write in hobs with knobs reviews or top 10 hobs with knobs.
No, but is there sites that you go to? Like, there are companies, right?
Not really.
I go to Which. Oh, yes. In the UK.
Which. I do use Which. Yes. Which is very good, I think.
Mm-hmm.
I Which.
And there's Consumer Reports in the States that I know of. Popular Mechanics in the States is big.
I've heard of them.
Good Housekeeping. And there's Wirecutter. I think they're associated with New York Times.
Yeah, yeah, yeah.
Well, another well-known USA-based product review website is called Reviewed.com. So you can check that out while I'm yakking if you. So it's a division of Gannett Satellite Information Network. These are the people that also own the paper USA Today. So they're not tiny. And on the Reviewed.com website, they have a mission statement. It says, help you buy the best stuff and love what you've already got. Okay.
Right.
And they say in their about page, they write, we believe that tough, objective, hands-on testing is the best way to measure the quality of a product. Like any good scientist, we promote transparency in our process. Not everyone will always agree with our recommendations. We're looking at you, brands of the world. But they'll always know how we arrived at them. And we're always happy to share the info we learned along the way. So, you know, sounds pretty good.
I'm looking at their homepage and they are being upfront with one thing, which I'm pleased to see, which is they're saying, if you make a purchase through some of our links, it may well earn us a commission.
May meaning definitely, defo, defo.
Yeah, yeah. I mean, that's the business model, isn't it, for them? With sites. So you always have to be a little bit skeptical of some of these. I know there's a lot of VPN review sites which turn out to be actually owned by VPN companies, for instance.
It's, they're all shit but ours.
Yes. Yeah, right.
We're the best.
Amazing.
20 million stars. Wow. And they also say that recommendations are independently chosen by Reviewed Editors. It's hard word to say, Reviewed Editors.
It's a stupid name.
Yes, sure.
Reviewed, isn't it?
Yeah, sure. We could go down that road, but let's not. Let's just stay on point. Just, yeah, but noted. Okay. Now it does sound super cool. You know, they independently chosen, they're not trying to make everyone happy, including you brands of the world, right? All this.
Sorry, what is brands of the world?
They're saying, hey, Hotpoint, or hey, Bosch, or hey, Echo, or Amazon.
Oh, so brands of the world isn't a thing. I thought maybe that was a different—
Hey, what do I know?
They just mean big brands.
What I'm reading in that is they just mean, hey, big brands. We're not, you know, we're telling the truth no matter what.
Okay. Okay.
Anyway, so they do all kinds of stuff, as you can see from the website, from appliances, kitchen gadgetry, smart home tech, strollers, fitness equipment and blah, blah, blah, all manner of stuff.
Yeah.
Now, a week or so ago, a few reviews came out on Reviewed, and nothing unusual there. Obviously a daily occurrence, right? Except that these specific reviews were a tiny bit unusual. One, no one at Reviewed recognized the bylines of the piece. So that means who were the writers, right? Who are these people? No one recognized the names of the people that had written the pieces.
You would think they would be more careful about that in case it is someone who's also the head of marketing at, I don't know, Hoover or something, you know, some big company which maybe has a slight bias as to who may come out top.
Yeah, because apparently many of the editors and staff that work at Reviewed.com didn't even know or even know of these people being in existence, right? So what do they do, right? They're kind of looking at these names and they decide to look for the byline, the author of the articles, using the power of the web. So they hit up sites like LinkedIn. Yeah, surefire place to find the majority of tech reviewer writers, right? Wrong. None of the names seem to have any profile. Now, problem number one, if you were making up byline names, surely you would choose things like John Smith, Paul Baker, right? Like easy names where there's 15,000 profiles for it.
Yeah.
Yeah. Rather than something like Nimity Blathered or something. Anyway, curiouser and curiouser, nothing on LinkedIn, right? The other problem was the actual content of the article. I don't want to use the word rubbish, but it seems that the quality led some of the writers and editors at Reviewed.com to ask the obvious question, which is, Graham, what was it written by a robot? Exactly. That is the question, right? And this has ensued a bit of a spat because Gannett, the owners of USA Today and Reviewed.com, says, no, no, no, no, no, no AI here, gov. But about 40 people at Reviewed who work there say, oh yeah, they did. So how do they know? Okay. So apparently some of these 40 people at Reviewed ran the articles that they suspected to have been written by AI through AI detection services that are available online, and red flags were raised here, there, and everywhere. This is all according to the union that represents staff members, writes The New York Times. So one of the tools, the AI detection services they use, was called Winston AI, and apparently it found 3 articles to have 0% human score, which is apparently the way you say not written by a human. Do you want to hear one of the reviews that was judged to have a zero human score?
Okay, try. Yes, let's do lines. Okay, okay, let's hear it. Yeah, let's see if I can tell.
Okay, so this is all about flogging a trampoline.
Okay. Yeah.
"Searching for the best portable trampoline can be daunting. Luckily, this buying guide features all the essential factors to consider while shopping. Regularly using a trampoline can help improve balance, coordination, and agility." And according to Winston AI, this is highly probable that an AI text generation tool was used. Hmm, yeah, I was as well, right? That's, I could imagine someone writing that, a human.
Yeah, it's not really terribly engaging or, yeah.
So then I went looking around other places and The Verge had a few, right? So The Verge states, the writing was stilted, repetitive, and at times nonsensical. So here are a few quotes they saw. Before buying a product, you need to first consider the fit, light settings, and additional features that each option offers. And that was for the best waist lamp of 2023.
A waist lamp?
A waist lamp, around your waist.
What are you trying to— what are you trying to—
I guess I don't know.
What are you trying to light up?
Is it a headlamp? Is it—
Are you putting a little halo around your— what's this way? Maybe if you're in the dark, focus on—
You're trying to find the loo.
Especially if you have a headlamp.
No, but maybe you're looking elsewhere. Maybe you're sleepy, you just, I don't know, crazy.
Hang on, I'm Googling waist lamps right now. I'm interested, I want to know.
Okay.
Oh, runners. Runners have waist lamps, apparently. Oh, waist lights for runners.
Very good.
I don't know if that's what they're talking— Okay, well, that makes a little bit of sense if you're running around in the dark.
Yeah.
I thought it'd be something pervy.
You might run over a badger in England. That would be scary.
I thought it meant some sort of angle-poise lamp sellotaped to your belly button. Okay.
There's another one. It says, "Before you purchase Swedish dishcloths, there are a few questions you may want to ask yourself." Why is the first question.
Why do you want a Swedish dishcloth? Is it for wiping Swedish dishes? What? Why would you? Who cares? Just get a local one. Don't get one flown in from Stockholm.
These are the kind of sentences that may have made some of the editors and writers at Reviewed.com think, hmm, maybe something is amiss. So the union that represented Reviewed workers shared screenshots of the shopping articles that the staff had stumbled upon and then thought, hmm, these seem a bit weird. And then of course asked the obvious question, were these written by AI?
Right.
But no, no, no, says Gannett. They call the method of AI detection unfounded. It was actually a third-party company called AdVon Commerce that had provided the freelancers, and these were human freelancers that wrote the reviews, not AI.
This is what I would've expected. Is that Reviewed can say, no, no, no, we haven't hired any AI, we haven't used any AI to do this, but they've got some other third-party companies that, oh, we can write content for your website. And then Reviewed doesn't do its due diligence. Well, are you actually going to use human journalists to do this?
Well, Gannett actually did say maybe the quality wasn't great and maybe they didn't use the accurate affiliate disclaimers and they didn't meet our editorial standards. But this wasn't really washing with staff.
That's the one with the great big pile of mashed potato, isn't it? You wouldn't be too athletic after consuming that. Robert Duvall's munching away on it.
And at the time, Gannett paused the use of the tool and said it would reevaluate the tools and the processes. But a few weeks before this whole debacle of whether or not AI was used to write the articles, unionized staff at Reviewed walked out of the job to secure dates for bargaining sessions with Gannett to get more moolah and get a better package. So writers and editors are calling for all the articles in question to be retracted and for an apology from the company for using a third party for work that they could have done because they're staff. Apparently this request doesn't look like it's going to be honored according to some insiders. So perhaps it's no surprise that workers are worried that Gannett are again experimenting with AI to curb the costs of having human writers, because that sucks, doesn't it? Humans, so expensive, us people. And the whole thing gets even a bit more complicated than that when you hear this. So this wasn't the company's first negative brush with AI. Jeez. But okay, just to finalize this, if you search right now, AI-generated product review services, 'cause I was thinking, God, there's people that make money off this. So in August this year, the company ran a botched experiment using AI to generate sports articles, publishing reams of stories repeating these awkward phrases such as "close encounters of the athletic kind." Close encounters. There's people that go to Amazon and write tons of reviews.
I'm not revealing my search engine of choice. What do you want me to search for then?
Of course. Oh, sorry, don't Google, search for AI-generated product review services.
Product.
So basically imagine you are a reviewer.
Yes.
You make money out of this. You would of course look for this.
Yeah, no, it's a great idea.
There's tons of services.
Oh yes. Oh yeah, I found one here, right? Yeah.
Keep looking.
Oh my goodness.
Yeah.
There's loads of them.
So you can't trust your reviews, Graham. So maybe your hob is a piece of poop. Just saying. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing.
Panoptica provides users with deep visibility, prioritized risk assessment, and actionable remediation from development to runtime. This comprehensive cloud-native application protection platform, or CNAPP, provides an essential holistic view to secure the entire cloud application stack seamlessly. With integration of security into the DevOps and CI/CD pipelines, Panoptica fosters a security-first culture and allows users to detect and resolve security issues at every stage of the development lifecycle. Get more information. Go and visit Panoptica's website at panoptica.app. That's panoptica.app, A-P-P. And thanks to Panoptica for supporting the show.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
I've rarely seen you read a book, Clue. Have you read this? Have you read both books?
Well, not every word, no. And the reason is that in total, there are over 1,200 pages, and it's in a very dense, tiny print.
Is there any pictures that can give you some relief?
There are some pictures, but everything's really quite small. Is it a comic book? No, no, this is— there's a lot of words. This, I think this will be of interest to a lot of our listeners.
Okay, I'll shut up.
Talk. This is a couple of books called Scarred for Life: Growing Up in the Dark Side of the Decade. There's one for the 1970s, one for the 1980s. It is a couple of books by chaps called Stephen Brotherstone and Dave Lawrence. And it's an affectionate look at the darker side of pop culture. So, in the '70s and '80s, Carole, particularly the '70s when I was growing up, there were things like public information films. Which told you not to climb up electricity pylons or to play in gravel pits.
I am the spirit of dark and lonely water. Ready to trap the unwary, the show-off, the fool. And this is the kind of place you'd expect to find me. But no one expects to find me here. It seems too ordinary. But that pool is deep. The boy is showing off.
The bank is slippery.
Yeah, I saw them too, even in the late '70s and '80s, yes.
Terrifying. And there were scary kids' TV shows doing things they would never do now. There were bleak adult dramas like Threads. Have you heard of Threads? Which was about what would happen if there were a nuclear war in 1984 and you lived in Sheffield. Probably the bleakest thing that's ever been on BBC television.
You're bringing back — we saw this is what happened in the Holocaust. That's what I remember seeing as a child. And there was huge focus on the oven, everything. It was just —
Yeah. In the early '80s in particular, there wasn't — there will be people who remember being taught at school to go and hide under your desk.
Oh yeah, we had that too.
Paint yourself with white paint or something, you know, to protect yourself.
Paint yourself with white paint?
Yes, yes, to reflect. And people were building bunkers. Anyway, there were horror films, there were violent comics, there was dystopian sci-fi, there were horror-themed toys and sweets. These books are all about these things. So I love vintage television, so I love things like I, Claudius and Threads and Day of the Triffids and The Tomorrow People and classic Doctor Who. All of this and much more is included in these books in most minute nerdy microscopic detail. And it takes me to my warm comfort place, my dystopian past perhaps. And I rather enjoy these, dipping into them. It's a good book for dipping into, both of these books. If you love to be scared again or are nostalgic for the misery of your childhood, then Scarred for Life are a good couple of books. You can't get them on Amazon, as far as I know, I bought mine on Lulu. They were sort of print-to-order. So you order them and then they get printed. They cost about £20 each, but they're great. And I think there's a Scarred for Life podcast as well.
That might be a place to start before you decide to —
If you want to have a taster, they have a Twitter account. I'll link to the Twitter account where they regularly tweet out things which are scary from the past, which may have frightened you when you were 9 years old. And that is my pick of the week.
It sounds fascinating. Probably not for me.
Okay.
But I can totally see people would love that kind of stuff.
It's quite — there's certainly a British orientation to these. So, you know — I think it's the minutiae. You know, someone going into lots of detail. Literature. Okay. All right.
Okay.
Fair enough. Yeah. Carole, what's your pick of the week?
Well, my pick of the week is a podcast. It's a fairly new podcast, fun podcast starring Amy Poehler of Parks and Recreation fame.
I've never seen Parks and Recreation.
Oh, you don't know Amy Poehler? Very funny. She's the one who hangs out with Tina Fey.
Oh, I like Tina Fey. I like Tina Fey.
So she's as funny and as good as Tina Fey. Yeah. So the podcast is called Say More with Dr. Sheila. So, doctor, it's very hard to say. Dr. Sheila.
Doesn't seem that hard to say, Dr. Sheila.
No, no, no, no, no, no. It's not Dr. Sheila. It's Dr.? And that's very important.
Right.
Important question mark because you need to add it in for liability reasons, she says on the show. So the whole show is she's a quirky couples therapist, and she talks to guests like Tina Fey about, you know, and their partners about love and life troubles, right? And then constantly corrects them when they declare her doctor-ness as opposed to question her doctor-ness.
Oh no, I that. I the idea of that.
I know, it's very cute.
I've come across some fake doctors in my time, including Dr. Gillian McKeith. She's known.
Dr. Laura? Well, she probably was real.
I don't know. But yeah, there are some doctors out there who aren't real doctors.
Yes, yes. Fockters. Anyway, her chosen methodology in each episode or class or whatever episode includes dubious methods at best, right? So, for instance, in one episode, you have Delia, who is worried that Judy is too codependent. Judy is worried Delia is gonna ghost her. Dr. Sheila turns to Harry Potter movies for therapy inspiration. Anyways, it's insane and it's all improv. So they have to react off each other and then at the end you kind of have this real moment when the credits are going, when they're talking about how, you know, they didn't know how to handle certain things. See what you think. I think it's really fun. So Say More with Dr. Sheila. Dr. Sheila is my pick of the week.
Brilliant. Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't have a G. We also have a Mastodon account and don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Spotify, Overcast, and Apple Podcasts.
And massive thank you to our episode sponsors, Panoptica, Vanta, and Kolide, and to our wonderful Patreon community. Thanks to them all, this show is free. For episode show notes, sponsorship information, and access to the past 345 episodes, go to smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye. Or maybe we need to use some of these services to write reviews for Smashing Security.
Well, we could do with some decent reviews on Apple Podcasts. Our last one called us a couple of bullies.
Brian, Spencer, come on, come on, guys.
He said we were mean to Robin Williams.
Hey, I was not mean to Robin Williams. Whoever wrote that, can you just give it to Graham Cluley personally and not to me? Because he was my hero. Eat everything in the ashtray. Eat everything in the ashtray. See, Graham won't know what that means, but us Robin Williams fans know. Red, white, and blue. How patriotic. I could recite his whole sketch.
I don't know what that means.
I don't know what you're doing.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- Art Musings – Gratuitous plug for Carole’s new podcast with Sally Anne-Stewart.
- Smashing Security #344: What’s cooking at Booking.com? And a podcast built by AI – Smashing Security.
- Fraudsters target Booking.com customers claiming hotel stay could be cancelled – Graham Cluley.
- Scammers try to trick Graham again via Booking.com – Twitter.
- ‘Thieves used fake Booking.com emails to steal £1,000 from me before my wedding’ – The Mirror. Includes gratuitous mention of Graham’s hunt for aubergines.
- Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests – Akamai.
- Did AI Write Product Reviews? Gannett Says No – The New York Times.
- Is my co-worker AI? Bizarre product reviews leave Gannett staff wondering – The Verge.
- How to spot a fake review – Which?
- Lonely Water – Public information film from 1973.
- Scarred for Life Volume 1: The 1970s – Lulu.
- Scarred for Life Volume 2: Television in the 1980s – Lulu.
- Scarred for Life Twitter account.
- Say More with Dr? Sheila – Apple Podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Panoptica – Panoptica is a cloud native application security solution connecting developer and security teams to their organization’s biggest cloud threats from code to production.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.