
Hacking fears are raised at Western Europe’s most hazardous building, why porn sites might soon be scanning your face, and our guest narrowly avoids a Facebook Marketplace scammer.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Facebook would suffer data breach after data breach after data breach and the name was being tarnished so he simply rebranded. I think this is generally accepted. Yes. But
it's the first time I've ever heard it.
Well maybe you're not speaking to the right people.
Graham doesn't understand echo chambers yet. He doesn't realize that he also could be a victim of an echo chamber. Maybe he doesn't see that.
But I will put it, oh, right. I will put it in the bloody show notes. How about that?
Smashing Security, episode 351, nuclear cyber security, marketplace scams, and face up to porn with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 351. My name's Graham Cluley.
We have returning guest Dinah Davis. Hey, Dinah.
Hello. So excited to be here.
Welcome. Yeah, because you actually listen to the show, don't you?
I do, religiously. Yes, I love it.
Why do you act so surprised, Carole? All of our guests listen to the show.
No, that's not true. We always know when we get to the pick of the week section, don't we, Graham?
Oh, that is true. Yes, that is the test. That is very true. That is the test. Dinah, have you anything that you want to update our listeners on since the last time you were here?
Yeah, I've been working really hard on my publication, Code Like a Girl. It's codelikeagirl.io. And our goal is to amplify the voices of women in technology. So we would just love it if you came there, helped us amplify more voices, change perceptions of women in technology. Boom. First, let's thank this week's wonderful sponsors, Collide, Push Security and Vanta. It's their support that help us give you this show for free.
I've got possibly the most toxic cyber breach in history. Whoa.
Whoa. Okay.
Dinah, what about you?
Well, I don't have that. I have a story about how I almost got scammed on Facebook Marketplace.
Ooh, and I'm going to talk about age-gating pornography. All this and much more coming up on this episode of Smashing Security. Now, chums, chums, what is in a name? That which we call a rose by any other name would smell as sweet. Well, when Bill Shakespeare wrote those words, he was arguing that names themselves don't really mean anything, do they, Carole? Don't mean anything. Right, Dinah?
Especially if you have one that people just misspeak all the time.
Yes, exactly. Yes. Carole, Dinah, Cluley. These are all tricky. It doesn't really matter in the end.
I don't think Cluley is that complicated. How has anyone said that?
Well, sometimes I've been a Cluey. I've been announced as a Chilly before. All sorts of things. But these are just sounds used to differentiate one thing from another. But some words, they do leave a mark. The name Marcus, for instance. I shudder to this day when I hear the name Marcus. Really, really. Gives me the... Because when I was a young boy in Mr. Simpson's class at school, I had an unpleasant incident involving a boy called Marcus who was sat next to me. And he spat in my ear. And I remember saying, Mr. Simpson, Mr. Simpson. Marcus has just spat in my ear, Mr. Simpson.
God, I can just see you whining. Yes.
It was very, very unpleasant. I mean, that's disgusting.
Yeah, just kick him or something.
It was. I can feel it right now. Here we are, over 40 years on, and I can still feel it. And this was a real problem because Marcus is my middle name. And so I was…
I wasn't prepared for that.
So I hated the name Marcus. And for years, I would not even tell... People would say, what's your middle name? And I'd refuse to tell them. I'd just tell them I'm Graham M. Cluley, I'd say. I would refuse.
I can't believe you just told the entire audience your middle name. One step closer to being a phishing victim. I'm hacking you now. We're not allowed to know what browser he's using, right? But we know his middle name. Last week he wouldn't say his browser, but this week he's telling us his middle name.
Sometimes people want to forget their old names. Two years ago, in October 2021, Mark Zuckerberg, Mark Marcus Zuckerberg, as I believe his middle name is, he stood up on stage and announced what he called a new chapter for his social media company. He said that Facebook was now to be known as Meta. And if you recall, the thing which brought on Facebook's name change was the leak of Facebook data to Cambridge Analytica.
Was that the reason? What, they were trying to distance themselves from the name Facebook?
Really? I just thought it was because he had this whole idea of the metaverse, and he was super entranced by it and wanted everything to be meta. What he knew was that Facebook would suffer data breach after data breach after data breach, and the name was being tarnished by the connection with Cambridge Analytica, so he simply rebranded. I think this is generally accepted. Yes. It's the first time I've ever heard it.
Maybe you're not speaking to the right people, Dinah. Graham doesn't understand echo chambers yet. He doesn't realise that he also could be a victim of an echo chamber.
None of them can be named at this time.
Right. I will put it in the bloody show notes. How about that?
Oh, what? But have evidence for what you're saying? Good idea. This is not a new concept. Okay. In 1989, the Exxon Valdez, do you remember that? Are you old enough to remember the Exxon Valdez super tanker? Exploder. I think it was called Exploder, no? Well, exactly. There were all these jokes, weren't there? Because everyone hated Internet Explorer.
Yeah. Yeah, Clippy would have saved the day. Of course it would. Microsoft renamed Internet Explorer Edge.
Live here? I didn't know this. Well, you don't know it, Carole. Do you know why you haven't heard of Windscale?
I really hope that's not near you guys, and I'm very happy to be in Canada right now. Well, you know how the winds operate, don't you? Damn it.
I was just going to say, it can't be number one tourist destination. No. And The Guardian this week has reported that hackers linked to Russia and China have compromised Sellafield's networks. They claim that these breaches have been going on for as far back as at least 2015, when experts found there was sleeper malware. Graham, are you aware that this is a slight comedy show?
I was like, I'm so scared and down in the dumps right now. I don't see the twist. I don't see how you're going to get out of this. And people are just going to be crying before it gets to my segment. They're going to be crying. They're not even going to be able to listen, I'm just scared for their lives.
It's a bit of a worry. Now, my hope is that they've got air-gapped systems, right? That the IT network is separate from the systems which is running. You know when you go to a fairground and you've got that sort of, oh, what do you call it? That sort of mechanical hand which picks up a teddy bear, like on a crane, and delivers it. They've got all these robots at Sellafield, which are sort of moving the plutonium and all the radioactive waste around. My hope is that those systems are separate from the regular IT network. It's unclear exactly what systems may have been hit by malware and may have had hackers lurking for all this time. Hopefully, they're air-gapped. But we know that an air gap isn't all sufficient. If you remember Stuxnet, which was obviously a high-profile attack against a nuclear enrichment facility, wasn't it? How
old now? 15 years? 10 years? Oh, I think even older.
Yeah. It's done for a USB stick. And according to The Guardian, contractors are regularly given free rein to plug in USB sticks hither and thither inside Sellafield, attaching to its networks.
How's Canada's housing market, Dinah?
I mean, it's rebounded a little, but it's not good, Carole. It's not great, no.
Do you have any room in your house? Oh, no. I'm a good guest.
So we don't know fully just how bad this is. The Guardian claims that it's been made harder to quantify because they say Sellafield has been engaged in some sort of cover-up and not been reporting it to the nuclear regulators for several years. But what we do know is last year the organization which sort of oversees Sellafield, the Office for Nuclear Regulation, the ONR, they put Sellafield on the equivalent of special measures which is normally what they do at schools if schools aren't going very well for consistent failings on cybersecurity. So this is...
So, okay. So basically what you're saying is everybody knows that they're missing the mark and that they're responsible for some serious, serious stuff. And there's cover-ups going on and everyone's just sitting around going dum-de-dum-de-dum until The Guardian stand up and go, hello?
So The Guardian are making this claim, right? And they're doing quite a big exposure. They also, by the way, say that they've identified a leak coming from Sellafield as well. Not a data leak. Another kind of leak.
Oh, you don't mean like an information leak. You mean like a nuclear waste leak.
Uh-huh. Yeah, but I wasn't going to lead on that bit of the story. Fun times. So the UK government, responding to this hacking claim, put up a statement. And they said, we have no records or evidence to suggest that Sellafield networks have been successfully attacked by state actors in the way described by The Guardian.
In the way described. Okay.
That was my italics you heard there. But that, I felt, was a rather significant part of the report.
So they said we have no evidence? Is that what they said?
They said they've got no records. Well, first of all, records can be deleted. Or evidence to suggest that Sellafield networks have been successfully attacked by state actors in the way described by The Guardian. So that does open up some further questions. That sounds so fishy. Did they attack but not manage to steal any information? Did they not manage to impact the critical infrastructure? But was it the IT network which was infected instead? You know, there's all kinds of – my guess is that somewhere like Sellafield, which was built 70 years ago, okay? My Lord. It's the oldest one that has ever existed of this sort of plant. Is it that they're actually using ancient computer systems, which are almost impossible to lock down, which they don't want to replace?
Because, you know, you can have a nuclear meltdown. Right. Because nobody knows how that code works anymore. The people who coded it are dead probably.
We don't want to upgrade this to Windows 3.1 because, you know, it's been working fine for the last...
Who the fuck knows what's going to happen? Yeah, exactly.
It could be that. It could be too little money is allocated to computer security and more is to the physical security of the Sellafield base. This is the kind of place where they have armed guards. You know, in our country, we don't normally have that, but, you know, there will be a real strong physical security, hopefully, at Sellafield. But it's interesting. So, The Guardian, the UK government, they're at odds with each other. MPs are all sort of chiming in now, taking potshots at each other about this, saying that something needs to be done. It does sound a bit fishy. And maybe more will come out in the coming days as to what's really going on. But Sellafield has acknowledged that improvements need to be made, but is withholding specific comments about any type of breach while investigations are ongoing.
Okay, but I'm not surprised that they would be not going into the details of the breach until they've sorted out the freaking problem.
Yeah, they don't want to tip anybody else off either.
Yeah, if it's a complete web of crap, they have to kind of go, oh, everything's fine. We don't see anything. We're just idiots. Guys, fix it, fix it.
But as always, Carole, the real wrongdoing is the cover up rather than necessarily the mistake. Do you know what I mean? It's like if they knew this was a problem, they have known for years and are now covering it up or were covering it up until The Guardian unearthed it.
Graham, this is not like we're talking ransomware, right? This is like nuclear waste. Death, disaster, destruction, gross, gross, OMG. I don't know. I know nothing about that other than scares the hell out of me. But thanks so much for sharing your story. Let's move on. Woohoo. This show is fab. Love the show.
Oh, man.
Dinah, what have you got for us this week?
Okay, well, hopefully something not as scary as that. So my story starts about 35 years ago when I was about 10. My grandmother decided it was time to buy me china. Because, you know, one day I would be getting married and maybe she wouldn't be there.
Oh, I thought you meant the country. I was like, wow.
No, like teacups and stuff, right? Maybe she wouldn't be there and she needed to make sure I would have china. So she bought me some china. She was completely wrong on both counts. She's still alive, she's 102, love her to death, and I do not need china. But I have stored this china after I got married for 20 years in my basement. It never came out of the Rubbermaid container. It's still nicely packed there. At this point, I thought, this is ridiculous. I'm never going to use this. Why am I storing it? I might as well let somebody else use it, right? I don't know how to sell china. So I thought, I'm just going to use Facebook Marketplace. Have you guys ever used Facebook Marketplace?
I moved house. It turned out I had an abundance of sofas. I had too many sofas for my new house. So I was desperately trying to flog a sofa. Eventually I was actually trying to get rid of it for free. And it was a bloody nuisance all the time. I'd put something up for sale and people would message me and they would say, is the sofa still available?
Right. Because that's actually a button they can press, right? So when you look at an ad, there's a few buttons there and one of them is, is this available? So that's why you always get that as a seller.
So annoying. So annoying. And in despair, I updated my profile to say, if you can see this ad, yes, the sofa is still available. So stop asking that. Because they then take three more days to get back to me after I said yes. And it's silence. Anyway, annoying.
Yeah. And so I think, as you can imagine, most people would be worried more about being scammed on Facebook Marketplace as a buyer. Right? Somebody is selling something fake. But in this case, I was almost scammed as a seller. So it's not something I was prepared for, really. I've often free sale things on there. Our local community group has a Facebook group that you can sell into. And so it works very well, usually, for me to free sale it. Then somebody else gets it. I don't throw it out. It's being used. Somebody who needs it gets it.
So free sales are free cycles. You're giving it away. Here you go.
Yeah, yeah. Exactly. But the china's worth too much. I can't do that. And so I put it on for sale and I had a buyer reach out to me. All the places I posted it were local, to the Kitchener-Waterloo area. They were all on those groups, right? Because I'm not shipping this anywhere. You're coming to get it. And they said, okay, I'm at a conference in Montreal. I won't be able to pick it up for two weeks, but I'd really like it. And I said, okay, I'll hold it for you for a deposit, right? Give me a deposit. I'll hold it for you. And then you can come get it. And so I gave them my email because I don't know if you're aware of this, but in Canada, we can do something called the email transfer or the e-transfer for money. All of our banks, there's only four or five major banks in Canada. So they coordinate very well. You go onto your bank site, you put somebody's email address in there. You put the amount of money you want to send to them. And then they get an email saying that, you know, such and such has sent you money. And in the first version of this, you would have to give them a password. So I would pick a password, then give that to them offline. And then they would put that in and it gets entered. How cool is that?
It is. Yeah. How cool is Canada? And it doesn't cost anything either. I was flogging paintings to my family when I was in Canada and they kept wanting to use this with me, but I couldn't, right? Because I don't have a Canadian account.
Yeah. So everybody does this. We all do this.
This and Sellafield are a reason to move to Canada, I reckon.
So now what they have available is automatic deposit. So I can set mine up to receive anytime somebody sends it to me, I want to just automatically receive it. Now we don't have to do any passwords. And at no point in any of the systems, do you ever have to put in your bank card number and password ever, right? So the automatic deposit gets rid of the fact that I have to click a link in an email, which always seemed a bit dodgy, but you would know it's coming. So it wasn't so bad. Well, instead of getting an email, they sent me a link on the Facebook messenger. And I was like, this is really weird. And my spidey senses kind of go off. What was weird? It had a link I had to click to go get the money. And I was like, oh, I don't like this. But then I was talking to them back and forth so much. And I'm like, it's probably okay. Even security people are stupid. But I was like, I'm not doing this on my computer. I'll do it from my phone. Why do I think that's better? I don't know. It's not better, people. It's not better. Is it not better, though? I feel like it's a little better because usually they're targeting computer malware, right? Yeah. But it's still high risk. It's still high risk. I don't recommend it, okay? So anyway, I click the link from my phone, feeling stupid later, and it takes me to my bank's website. What appears to be my bank's website. Right. And it wants me to put in my username and password of my bank account. And at this point, I'm like, Oh, hell no, this is not happening.
Yeah, I think I would stop there too.
So I stopped there and I went and looked up this conference they said they were at and I was like, Well, I don't see it. I don't think this is real. But then I thought, Well, maybe they are not Canadian and they don't know about this eTransfer and this is what they're sending me. So I messaged them back and I said, I can't accept the money this way, but you can send it to my PayPal.Me account. So here's my PayPal.Me account. Unsurprisingly, they never messaged me again. So I'm thinking it was a scam. So anyway, this freaked me out. And I decided, well, I'm going to change my banking password anyway, just to be safe. I don't know why, but I just felt like, I don't know, I'm just changing it, making sure. And then I was like, oh, shoot, what if there's something running on my phone now, because I clicked the link from my phone. So I run Android. I'm one of those people. And so first I rebooted my phone. So if there's anything that's not an app, but it's running in memory, if you reboot your Android, it deletes anything that was running in memory. So it won't come back up. So that's one thing you can always do. And then I went through all my apps to make sure there was nothing I wasn't expecting, in case something got installed. And that was fine. Like a new app, you mean? Like a new app. Yeah. I double checked that Google Play Protect was turned on because they will ban apps that aren't good. And I went and did my Google security checkup just to be safe. So basically, this was a phishing scam is what I think. They were trying to phish for my bank credentials. Yeah. And this would have been very bad. It definitely was a wake up call for me. So I thought, and I never really thought about the sellers getting scammed. I just thought buyers on Facebook maybe were getting scammed. So I decided to look up what other seller scams are common, right? Because if this one's common, what else is there, right? So phishing was definitely on their list.
And obviously, don't do the thing I did. Don't click on any links. But also, just anything that doesn't look right, just skip. Payment and overpayment scams. So this one is quite common, actually. So thieves pose as a buyer. They're purchasing an item and then they claim to have sent you too much money. And they're like, well, I need a refund for half the money because I sent you too much. Come on, guys. No one sends too much money. No one does that. The actual chances of that being real is so small.
How is it a scam? So then you look at the money they sent you.
Yeah. So it looks like they sent you money. So either they're doing it in a fake way and you get a fake message that says you've got the money, or they're doing it with a system that lets them pull the money back immediately. And you've now paid them a refund and they've taken that you never got the money or they've taken it back. Yeah. So my thing is, insist on cash transactions for these types of things. I'm not selling things on Facebook to ship to people. They're coming and getting it. Or, you know, wait until because the other one that they have here is electronic payment delay scams. So let's say somebody's come to my door, and they're e-transferring it to me because we can do that in Canada. And I'm like, I don't see it in my account yet. And they're like, well, it's coming, you know, sometimes there's glitches and it's slow and that kind of thing. Don't let them leave without confirming that you've got the money, right? Again, cash eliminates these issues. And then there was one weird scam that I had never heard of before, which is kind of surprising to me since I've been in security for so long. But it's a 2FA scam that happens, I think, more in the US than anywhere else. So you're on Facebook marketplace, you're selling your item and the buyer asks for your phone number so that you can, you know, maybe phone and talk about the purchase, right? Okay. This seems totally fine. Then the scammer uses your phone number to create a Google voice account. And in the US, you can create a Google voice account with your own number or your own current number and purport it over so that you could move from being on a mobile number to just a voice over IP number. And so if you haven't done that already with your phone number, somebody can try and do it. Oh, my God. Yes, yes, yes. So however, when they sign up for that, a 2FA code is going to go to your phone. It's either going to be Google say yes, or it's going to give you a number.
To confirm that you own the number. Correct. Yeah.
So if anyone ever is asking you for that number that you got texted, never give it out, okay? I just can't believe this one works, but I think it does, because otherwise why would they list it here?
I don't like this from Google either, because it kind of forces people to think, well, maybe you should register your number, everybody, right?
So then what they'll typically do is now use your phone number for fraudulent scams. So that's the scam that's involved: they're getting your number, and now they can use your number that's associated to you to do illegal things.
And how would you find out about that? I don't even know. Yeah, exactly. Exactly. So
Anyway, cash transfers. Don't give your phone number out. Old school cool. Old school. Old school. Yeah.
Until someone mugs you, until someone hits you around the head with a rusty kipper and pinches the money.
Well, I mean, if you're worried about that, you can pick, I know a lot of the police stations here in Canada will say, come and do a transfer at our police station, a sale. Oh. Yeah. So you can go to their parking lots and do your sale there. Canada's sounding better and better. I think
Canada's the nicest country in the world. It's so friendly. We try. We try. Carole, what's your topic for us this week?
Okay, so Tuesday this week, Ofcom, this is the UK's communications regulator, they issued a statement outlining guidance on highly effective age checks. So that's quote unquote, highly effective age checks to stop children accessing online porn services. Okay. And these guidelines are there to help companies comply with the UK's brand new online safety laws.
Okay. What are those safety laws since I'm not in the UK? Oh,
There's a lot of them. Okay. Nevermind. There's more than 200 clauses. Oh my God. 200 clauses. But in short, platforms will be required to address a wide spectrum of illegal content and will have a duty of care over what their users, particularly kids and children, see online. Okay. Okay. As background, there's some pretty compelling reasons to keep kids off certain websites. I think any adult would agree. So Ofcom, you know, their latest research. Actually, maybe I shouldn't give you the numbers. Why don't we see if we can guess? So the average age that a young person sees online pornography in the UK.
Oh, I don't want to do this because I have a 15-year-old girl. 13. 13.
Yeah, I was going to say 12 because my son is 12.
13. 13 is the correct answer. But it's an average age, Graham. Right. Okay. How many 18 and unders have encountered violent pornography? So depicting coercive, degrading or pain inducing sex acts. 40%. 70%. Okay, so we got 40, we got 70. You're both too low. It's 80. Oh my God. Eight out of 10. Oh my God. And what is the platform? Okay, you got to think back 2021, 2022. This is when the research was done, where most young people were likely to see or encounter pornography. YouTube. Oh, that's a good guess. Want to throw something in there? Facebook. Twitter. Twitter. Oh, that makes more sense. Closely followed by Instagram and Snapchat.
Well, the good news is that Twitter's really locked down now and there's no unpleasant content there at all.
Yep. And they have such great support. They're doing a really good job.
So this is UK data, but at the start of this year, Common Sense Media in the US did its own research. And the report entitled Teens and Pornography found that 73% of teens between the ages of 13 and 17 have watched pornography online. And more than half reported first seeing pornography by the age of 13. So very similar numbers. So you guys are parents both of you, what do you make of this?
I mean it's not surprising. It's not surprising, no.
I'm not surprised. I've recently acquired a Raspberry Pi and I've installed AdGuard Home on it, so all of our internet activity now is being filtered and certain types of content is being blocked. And that was a requirement in our household.
I would have said before the age of 18, I would have seen a top shelf mag as what we call them.
Yeah, you know? But that was 40 years ago, Carole. And I think things have got pretty much—
It was. But I think it's more likely that kids have seen other kids in their schools. I think it's more rampant the picture taking of themselves and sharing and thinking that's safe and thinking that their partner won't share that when they will. So, I think it's—
It's much more accessible. Everyone's got a device in their pockets. Carole you had to reach up, you had to get up on the top, you had to get up to that top shelf didn't you Carole whereas you know—
I did do it okay. I'm not a porn person, never. I just never, no. But you're curious, yeah I'm sure. No but I had a flatmate who was in love with David Duchovny from X-Files.
I did not see this going there. Oh my god, okay.
No no this is real. This is in Waterloo, this is in your hometown. Of course it's in Waterloo. And he, David Duchovny, had apparently just done a spread for Playgirl and my flatmate wanted it but she was too scared nervous to get it and I was trying to be super cool. To go buy it, yes I see. And so I was like I'll go get it and I bought a few other items—
Along my purchase to hide it, to hide it in there just in case they, because they wouldn't notice.
Yeah, to kind of go, this is casual. This is casual, right? Magazine, a few items, but the items that I chose were things to make a tzatziki. Oh, no! What? I had yogurt and a huge cucumber.
Now it is getting worse, yes. Two bulbs of garlic. Hello. And a playgirl. That's quite a night you got there.
And I gave it to her and I was like, I'm never doing that again. I'm crying.
But even though that was David Duchovny, I think chances are it was a lot tamer than what you get to see on the net.
That is part of the argument from the Ofcom and from the government, right? Is this stuff is completely tame comparatively to the stuff that is on show now. Yeah. The government has said it wants the UK to be the safest place to go online in the world.
That's a ridiculous statement.
Well, yes. It was from the UK government. So, yes, I think when it comes to technology, most of what they say is ridiculous.
It's slightly 1984 to my mind, but it says an age assurance tech. OK, so age verification, age estimation or a combination of the both are what it's betting its policy pledge on.
So how's that going to be done with credit card numbers or what are they going to do?
Yeah, what are they going to do? So weak measures. OK, so that's considered where porn sites ask a user to self-declare their age because nobody lies there.
Although the state of education means that if you're asked to enter your year of birth, many people may not actually calculate it correctly to make it look as though they're over 18. So that's the good news.
Well, that is true. But these kind of rules will not suffice to comply with the new legal duties to conduct robust age checks. Online payment methods that lack age verification, right, are also out. So how does Ofcom's draft guidance to porn sites, you know, what do they suggest? So how would you do age checks? How would you confirm someone is 18?
Well, you don't want to give them any kind of ID.
And you don't want to give them your credit card number because they just lose that.
Well, that's one way, credit card number.
Maybe all computers should come with a breathalyzer and you have to blow into a tube. If there's alcohol there, that suggests you've been allowed to drink alcohol.
No, come on. How many teenagers steal their parents' alcohol?
Now we're learning about you, Dinah.
That's the worst idea ever. Graham, you would never get access again because you don't drink.
No, but it might drive me to drink.
I don't drink either, but I've watched television. I see what teenagers do.
What about signing into open banking where you have to have age verified accounts?
I don't want my bank knowing that I'm accessing some porn website. That sounds like an awful idea. Can't I keep my dirty habits private?
Yeah, adults don't want to do this. My God. What about submitting your naked visage to a webcam assessment in order that an AI can make a calculation?
Not a bloody chance. My naked what?
Your face, your face. Oh thank you, right I see.
She said it in French that was the problem and—
Then the AI could make a calculation of whether you look legit old enough to view adult pornographic—
Material. Is there a particular face I should be pulling when I access this porn website? That's very interesting.
Because there is discussion about the poor baby-faced users out there. Oh, not me. Some people don't have... Yeah, you're a bit of a baby face, actually.
But seriously, who wants their picture associated with a porn account? They'll keep it—
Private. They'll lock it down in a folder and make sure it's all safe. Oh, the—
Best thing is just to not look at it. Just don't go there.
Ofcom acknowledged that there's a prospect of layered forms of age assurance potentially being unfurled on users. So say, for example, the baby faced versus a careworn porn punter, and they get blocked. Ofcom's draft guidance includes the suggestion of a challenge age being set. So you could kind of go, "Hey, you might think I'm under 18, but I'm not."
The only way you can really do something like this is with some kind of secure token and everybody gets issued one token when you turn 18. And there can't be a way to steal it. I mean it's an interesting problem but at the same time it's almost like how electronic voting works. Like voting works in Canada in general, like you can prove that you voted, but you can't prove how you voted. It would be something like that because your vote is anonymous. So you're not associated with any particular vote, but you can prove that your vote... it's a thing.
I think this is similar. Ofcom is also giving a seal of approval to the use of digital identity wallets that can securely store a user's age, which could then be shared with a porn site to verify the user is not a minor.
I think that's the only way you can really do it where it's not tracking you. There's a service that verifies it, but there's pieces. It would need to be some very sophisticated crypto.
It's going to ruin the mood a bit though, isn't it? If you're having to log in with all this. This is—
What's going to happen. They'll put all these rules in place and then all these porn sites will lose all their money because no one's going to do it. And then they're just going to crop up on other parts of the web that aren't jurisdicted by the UK government. And they're going to make their money that way. And it's going to be even less regulated than it is today. So there has to be some kind of middle ground, right? That's very interesting.
What happens if they don't comply, right? So huge fines. Under the Online Safety Act, Ofcom is empowered to fine companies in breach of the regime up to 10% of their global annual turnover. That's huge. It's 4%, I think, under GDPR. Ofcom's chief exec, Dame Melanie Dawes, says, "Regardless of their approach, we expect all services to offer robust protection to children from stumbling across pornography." And for robust protection read highly effective age assurance. One more potential knock-on impact to your point, Dinah, foreign porn websites far outside the jurisdiction of UK authorities might find themselves inundated with British punters seeking to circumvent age gate frustrations. However, that might just get sites added to an Ofcom block list if they get too popular, since the regulator has the power to geoblock services that threaten the safety of UK web users.
This is starting to feel very 1984.
Yeah, it's like the Great Firewall of China now. I've come up with another idea. Rather than them scanning my face to decide if I'm old enough or something daft like that, how about we had some sort of cultural question, which these young kids wouldn't have a bloody clue about. If it was like a pub quiz. Graham, it's called Google. I'm thinking if they were to play a snatch of a Roxette song or something, and we would be able to say, "Oh, that's Roxette," but kids wouldn't know. Oh, Graham, Graham, Graham. And they're Swedish, aren't they? That would be appropriate for a porn site. Oh,—
My God. What? At the moment these are all guidelines, so anyone who is panicking as they're listening to me, according to Tech Crunch, 2025 looks to be the earliest for all the pieces to be in place for the child safeguarding system to be up and running on porn companies that submit themselves to being regulated under the Online Safety Act. As Ofcom says it expects to publish its final guidance in this area in early 2025 after working with pornography companies to finalise the advice. So write in to your favourite porn provider with any feedback you may have.
Well, a happy ending for now, at least. Now, you've probably noticed the uptick in identity-based attacks recently hitting the headlines. If you're working like crazy to get everything behind SSO and make sure everyone's using strong passwords and MFA, then Push Security is for you. Push Security helps you to monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities. What's more, Push Security then guides your employees to fix simple issues so your team can carry on fixing everything else. Want to check it out? Well, head over to pushsecurity.com slash smashing. That's pushsecurity.com slash smashing. And thanks to them for supporting the show. Thank—
You to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000 plus global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200 plus integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com slash smashing. That's V-A-N-T-A dot com slash smashing. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta. And it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com slash smashing to watch a demo and see how it works. That's K-O-L-I-D-E dot com slash smashing.
And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. I'm sure lots of us are familiar with those wonderful motivational posters and inspirational art which decorate boardrooms and offices around the globe. Have you ever seen those sort of things where it's like togetherness and teamwork and there'll be some bland stock image? I
Was just thinking that's a way to make a bit of wonga in the art career because I'll tell you.
Yeah, well, try it. I'll try it. Listener Vin Kennedy has been in touch. He's a fan of the show. Hi, Vin. He pointed me towards a website called despair.com. And despair.com has a series of demotivational posters. I was checking through them and I think some of them are rather wonderful. So we have one which says believe in yourself. Then underneath it says, because the rest of us think you're an idiot.
Dedication. When the time comes for us to burn the candle at both ends, we're grateful you're here being our candle.
Shoot for the moon. Even if you miss, you'll land among the stars, of course, then your eyeballs will boil and your lungs explode from decompression. But that's what you get for being a damn show off. So my mission for Smashing Security listeners who hate these motivational posters and would rather have despairing demotivational posters is go into your offices and see if you can swap the motivational posters for one of these lookalikes, which has, I imagine, a message which you're more on board with and is more reflecting what life inside the office is really like.
My favourite one is the discouragement fish, because there's nothing standing between you and your goal but a total lack of talent and complete failure of will.
I like, I like there's one at the bottom it's a picture of a sloth. Sloth is my spirit animal. Love it.
Thank you Vin Kennedy for the suggestion and that is my pick of the week. Dinah, what's your pick of the week or is it a nitpick of the week?
I have both. I'm really excited about this. Okay. So when my daughter was about 12, I read her the Hunger Games series and she loved the books. I loved the books. I had read them before that. Then we watched the movies and they weren't exactly the same as the books, but it represented well enough. So when you read a really good book, do you get excited about it being turned into a movie or a TV series?
I'm more nervous. Normally I'm full of a sense of disappointment.
Yes. Yeah, that's very cute. I've had many disappointments too, but somehow I still look forward to it. So she loved The Hunger Games so much. We even did a 13th birthday party, which was all Hunger Games. We did a Hunger Games out in the field. It was great. No one was hurt though, don't worry. When the prequel The Ballad of Songbirds and Snakes came out in 2014 we were really excited so we read that and we loved it. Not all prequels are great, Star Wars, but this one was. A couple weeks ago we went to see the movie and it was amazing. It was amazing. It was so good. The storyline stuck really close to the book. The movie was well done. You end up loving Coriolanus Snow somehow, even though he's the villain in the later series. And it was really good. So that's my pick of the week.
Oh, can I just say one thing right at that point? Because I have a tie to that movie. Okay. One of my best friend's daughters was an extra in The Hunger Games, The Ballad of Songbirds and Snakes. Yeah.
Get out. Yeah. That is so exciting. How brilliant is that? That's awesome. Okay, so that leads me to my nitpick of the week. All right. So a few weeks ago, Carole, you recommended Lessons in Chemistry. The book, yeah? Yeah, the book. So I listened to it on audiobook, and I loved it. So on the heels of watching the new Hunger Games movie, I was like, oh, this is so good. I found out Lessons in Chemistry is now a TV show on Apple TV. My nitpick is that I was 10 minutes into the first episode and I was already disappointed. I watched three and a half episodes. I don't think I can finish it. I love the book too much. And all I can say is the same consequences happen in the TV show as the book. Not the same happy things, the same consequences. And they happen in completely different ways. Just completely different ways. If you've not read the book, the TV show is quite good, but it's just, it's too different for me. So anyway that's my pick of the week plus nitpick of the week.
Well good to know, thank you. What's your pick of the week? Okay, before I get to that, you know the dating rule Graham? There are, you know, especially for people of an older disposition out on the prowl. We have a rule for our friend group if they start dating. Do we not? Okay. In terms of age range. Oh yeah. Yeah. Plus seven. Yeah.
That's the lower limit. Yes. Lowest level you can go. Right. But now I've got quite old. Half of my age plus seven is still very, very young. So it feels like too long away from me now, to be honest.
You know that there's that thing from Saturday Night Live, I think, you know, meet your second wife. So it's a sketch by Amy Poehler and Tina Fey and it's a game show where there's happily married men and they're going to meet their future second wife. Yes. And then, you know, when they call out these little children come out. Right. Very funny. Very funny.
And not only that, a pregnant lady comes out. And then the guy's like, oh, that's not too bad. That person looks, you know, not too old. And they're like, it's the unborn child inside. That is your future wife.
So okay so let's pivot. So everyone knows I'm an audio slut bag. I listen to everything: audiobooks, podcasts, radio, whatever I can get my hands on. And sometimes I'm perusing for something old but new. So a show I know but maybe I haven't listened to for ages and ages, right? So that happened this week and I'm going through these titles and then I see this as a title. Okay. I quote, "Our 34 Year Age Gap Didn't Matter Until It Did." There's clickbait if I ever heard it. That is clickbait. And it was three in the morning. So I said, good, good, good. So this is from Modern Love hosted by Anna Martin. And it's a podcast that typically features all manner of love stories, you know, friendships and romance and everything in between. And it's kind of quirky and great. But I listen, I dab, you know, I dabble in it really. Anyway, so the write-up for this particular episode: So Sonia Falk was immediately attracted to Colin, the professor who was renting a room to her. He was intellectual, lively, with bright eyes that drew her in. It was only after, this is so cliche, it was only after they were already dating that Sonia found out Colin's age. He was 34 years older than her.
Well, what did she think? 34 years. It's not like he would only look a few years older than her. 34 years is a big enough difference. He's going to be wrinkly and stuff.
What was Catherine Zeta-Jones thinking? That's what we're all... Money and power.
So as a firm believer in the age divided by 2 plus 7 to be your absolute minimum, this was shocking because she is, I think, 27 at the time, something like that. So I kind of already in my head, I think I can hear you, Dinah, doing, you know, you can imagine how the story will go. The age gap gets in the way, right? They break up because she can't stand that he has gray pubes or they stay together because, but he gets older and older and yada, yada, yada. But this baby took a turn that I did not expect. I was completely riveted. It's fantastic. It's honest. It's beautiful. It's kind of uncomfortable, but wonderfully human. It's wonderful. And so I think I may have put this podcast on the show before, but I am pick of the week in this episode. Well, now you've talked it up so much. Now I have to listen. All right. So Modern Love Podcast, find it wherever you get your podcasts. It is called, I'm looking for the title, "Our 34-Year Age Gap Didn't Matter Until It Did." And tell me what you think. Fabulous. Well, great picks of the week, everyone.
On LinkedIn at Dinah, D-I-N-A-H, Davis.
Terrific. You can follow us on Twitter at Smashing Security, no G, Twitter and LastPass have a G. We also have a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Overcast.
And massive thank you to our episode sponsors, Push Security, Vanta and Kolide. And of course, to our wonderful Patreon community. Thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 350 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye-bye.
Bye. Bye. I was going to do that. Bye. Thank you.
Hosts: Graham Cluley, Carole Theriault
Guest: Dinah Davis – @dinah_davis
Episode links:
- Why Facebook Is Rebranding Itself as Meta – INSEAD.
- Windscale fire – Wikipedia.
- Sellafield nuclear site hacked by groups linked to Russia and China – The Guardian.
- Response to a news report on cyber security at Sellafield – UK Government.
- Response to Guardian news article – Office for Nuclear Regulation.
- Common Facebook Marketplace scams and how to avoid them – Comparitech.
- Advice from Google on how to remove malware and unsafe software from Android devices – Google.
- New Report Reveals Truths About How Teens Engage with Pornography – Common Sense Media.
- ‘A lot of it is actually just abuse’ – Young people and pornography – Children’s Commissioner for England.
- Implementing the Online Safety Act: Protecting children from online pornography – Ofcom.
- UK age assurance guidance for porn sites gives thumbs up to AI age checks, digital ID wallets and more – TechCrunch.
- Meet Your Second Wife – Saturday Night Live sketch, YouTube.
- ‘Modern Love Podcast’: Our 34-Year Age Gap Didn’t Matter, Until It Did – New York Times.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Push Security – Monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities, and have your staff guided to fix simple issues.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.