
Your smartphone may be toast – if you use a hacked wireless charger, we take a closer look at the latest developments in the unfolding LockBit ransomware drama, and Carole dips her toe into online AI romance apps.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.
Really?
Yeah.
Microwaves? Are these killer bees with laser guns?
No.
Smashing Security, episode 361: Wireless Charging Woe, AI Romance Apps, and Ransomware Revisited, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 361. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, this week we're joined by a returning guest, someone who's been on the show many times before. Let our gorgeous listeners know who it is.
This week we are joined by Paul Ducklin.
Hello, everybody.
Hello, Duck.
Welcome, Duck.
Thank you so much. Thanks for having me. I am looking forward to it. You never quite know what Graham's going to say, but you know he's going to say something.
Yep. Now we have an action-packed show, so I suggest we get going. So let's first thank this week's wonderful sponsors: Kolide, BlackBerry, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Well, if you think you're bready, I'm gonna be talking about toasting things.
I have no idea what that means.
I think— oh, I've just worked it out. I think it's what passes for a pun.
Okay, not getting it still. What about you, Duck?
I'm going to look at what happened since you talked about LockBit last week, and the issue of decryptors. Is it worth it? Can it help? Does it work? Should we strive for it?
Great. And I will be tiptoeing into a potentially brand new AI dating frontier. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, we all get up in the mornings if we're lucky. Hopefully. You get up, you wake up, you have some breakfast. Big fan of toast, me. I don't know what your peculiar choice of— Well, what do you slather on your toast? Anything in particular?
Oh, I like a bit of marmalade.
Marmalade?
Marmalade is just jam under another name, isn't it?
Yeah, but it's delicious.
I like shredless marmalade, which I always used to think marmalade had those bits in it. But when I discovered you can have marmalade without the bits, I was much, much happier. I'm a big fan of Marmite. Marmite's pretty good. No, it's pretty good.
Peanut butter?
Certainly not. So I've sorted out my toast. Then I pick up my phone.
Yeah, don't confuse them. If you slap your marmalade against your ear, you're going to be in trouble, aren't you?
Also, if you put your phone in the toaster, that's no good either. It could fry all the electronics. So either of you have wireless chargers? Maybe at your home, in your car, anything like that? Nope. Oh, I do.
My car's 12 years old and no, none in the house.
Well—
Oh, Graham set us up and we've dropped him in it. Do you have wireless chargers? Nope. Do you go on?
Well, it's quite a handy thing, I think, because—
You're often several metres away from a powerpoint.
Well, no, let me explain why. Let me explain what my issue is, Duck, with wired charging. I mean, in some ways it's great because you can find your phone under the rubble on your desk, right? All the detritus which is there, you can just follow the lead and eventually find your phone. That's why I don't have wireless earphones, for instance. I'd just be losing my earphones all the time. So I like them being on a wire. However, with a phone, you've got that little twiddly, little irritating little, ugh, it's a Lightning cable or something, or USB, you know, and it's quite often the bit which goes wrong because the wire gets bent or the connection gets a bit flaky and all the rest of it. So I quite like the idea of wirelessly charging my phone, particularly overnight, because I don't have to remember to plug it in. I just dump it there and it's fantastic and it's happy.
How many wireless charge locations do you have in your house?
I think I have two.
Okay.
Is that all right with you?
You're missing a trick because I've probably got 30 socket outlets where I can plug in a charger. So I'm way ahead of you there, Graham.
So these chargers, the technology is called— I think it's pronounced Qi.
Yes.
Qi.
Not as in the television quiz show hosted by Sandi Toksvig.
No, no, that's right. Qi is also, of course, a fabulous word to use in Scrabble, particularly if you get the Q on a triple word or triple letter even, because especially if you go two ways, it's quite a handy one that you can make a lot of points.
Not as good as Kwyjibo.
Well, a bald, a balding, what was it? A balding ape or something. Well, there was that virus, wasn't there? The Melissa virus.
Which referenced Kwyjibo, which was a Bart Simpson thing from the '90s, wasn't it?
Yeah, that's right. Well, that's dated us, hasn't it? Anyway, so you have these Qi wireless chargers around the place and there's a whole bunch of vendors these days making them.
Well, we don't, you do.
Well, all right, all right. But folks do. Many people do, Carole, but not people like you guys.
No, no, we worship efficiency, you see. So we like the idea that you just—
Duck, Duck, do you have a wireless phone?
How do you mean a wireless phone?
A phone which you don't have to plug in to phone someone up on.
The telecommunications industry in the United Kingdom of Great Britain and Northern Ireland is discontinuing landlines. So you don't have a choice. You just got to go with the flow.
Right. Okay.
So then I do have wireless headphones because I walk away from my desk and I don't want to yank my computer off onto the floor. But wireless charging's not for me.
Okay.
But we'll let you get there eventually, Graham. Don't worry.
All right. Anyway, some boffins, some boffins have been researching ways in which you can attack smartphones. And what they've discovered is there's a new way of attacking smartphones. It's not phishing. It's not a malware attack. It's a kind of denial of service attack, if you like. And it involves these wireless chargers, and they have called this technique of attacking smartphones VoltSchemer.
It's not Ben-Gurion University of the Negev, is it? Those guys?
It's not on this. You know, I really— when I saw the headlines at first, I thought it would be them because those guys, they do great, always coming up.
Stefan Smyter and Yuval Elovici and all that. They get the best names as well as cool research. So it's not those guys.
They do, they do really cool things. Now, this is a bunch of— I think they're Chinese researchers. Security researchers who've come up with this. VoltSchemer launches a wireless power toasting attack against smartphones, potentially damaging charged smartphones through overcharging and overheating them.
And not overcharging financially, but making it boil.
No, no, no, no. Anyway, I'm good. And it does more than that. So I'm going to explain what they do and how this works. And you can tell me how plausible you think this is as an attack vector. Okay. They have tested 9 different top-selling commercial off-the-shelf wireless chargers made by people like Anker, who produce loads of these things. You know, the sort of thing you can pick up on Amazon for maybe about £20.
So when you say off the shelf, you mean not off the shelf through your mailbox?
All right.
Okay.
That's right. Yeah. But you could also go down. All right.
Hells bells, Graham.
You could also go down your local electronics shop and probably buy these kind of things as well. So normally this is how wireless charging works, right? You've got your outlet, your wall outlet, which is connected to the charging device, and that is sending AC current, right? Alternating current down the wire to that. Inside the charger, there's some sort of components and technology which turns the AC power into DC power. So we've gone from AC to DC. We've now got direct current. That's the kind of power that your devices use. Am I correct so far? Because I'm not really an electronics whiz.
I have no idea what's going on.
That was a rock and roll pun.
This is an AC/DC thing, is it?
It is.
All right, so— Oh my god!
I need to pay more attention.
Okay, I'm listening. So, the charger uses the DC power to create an electromagnetic field.
Fun. It uses that to wirelessly transfer energy to your phone. All right?
This is like bees or wasps when they kind of microwave someone.
It's exactly like bees, Carole. Yes. What they've done is they've taken a wasp's nest and they've shoved it down a wire.
When— I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.
Really?
Yeah.
Microwaves?
Well, that's what the term— that's the term I remember. I will do some Googling. Listeners, correct me.
I think they kill bees with laser guns or something.
No.
What are you talking about? What?
Okay. Well, you show your ignorance. I will put a link in the show notes.
Duck, have you heard about this? You've lived in some crazy parts of the world.
You get bees all around the globe. I can imagine it. I mean, insects. Didn't I just read about an insect that can make a noise as loud as a gunshot? There are surprising things out there, Graham.
Right. Okay.
Let's, let's carry on toasting.
All right. Okay. So VoltSchemer makes the noise coming from the power supply much bigger, right? Uses specific patterns. And this apparently fools the charger. The charger misinterprets the manipulated noise coming down the power signal as instructions. And these allow the charger to do a number of things.
Like toasters, like battery-operated toasters.
So if, for instance, you were to leave your car key fob on the charging pad.
So it will, for instance, send very strong charging signals that can damage your phone by overcharging it or going to excess. They can even, they said, change how the charger communicates with your phone by sending voice commands, is what they say. Wow. Now, this begins to sound completely bonkers, right? They claim it can send inaudible by the human ear at least, voice commands to your Siri or your Android Google Assistant. They also say, as I said, they can overcharge or overheat your devices, and they can hurt other valuable items as well, which might be in the vicinity or sitting on top of the charger.
Do you do that?
Well, no, I don't. But if you did— And sometimes people put these charging points into their desks. It's just like a flat desk, and they just plonk their phone on their desk in a particular place to charge it.
Yeah, you get them on the upper deck of some of the Oxford Bus Company buses.
That's true.
Yeah.
Where you sit to work, they have a USB charger, and they have the Qi thing in the middle of the desk. Little coil sitting there, so you can just stick your phone down and charge up while you're coming in from the station into town.
I had a car which had a wireless pad in it as well, which is somewhere where you would naturally put your key fob, for instance. And they found that the key fobs couldn't just be sort of ordered to overheat, but in one case detonated and there was an explosion as a result.
Is this in the wild? Is this in the wild? No, it's not. It's not, as far as we know, in the wild. These boffins have done it as an experiment. No, why not keep a fire hazard in the house? I agree.
Well, you've got a toaster already. That's dangerous enough. Yes.
Yeah, but that has an on-off switch, right? I'm presuming these things are on all the time. They're plugged in all the time and constantly waiting for a phone to land on them so they can do their magic.
Did they say which phones were vulnerable? Because it sounds as though if the phone could agree to overcharge itself, overdo its battery, via this Qi charging, then surely those phones would have a similar problem with today's USB chargers, some of which can deliver power in excess of 100 watts.
Well, it seems that they did tests on the iPhone SE, the Pixel 3, a number of other manufacturers as well. So they did it on a whole bunch of devices where they were able to do it. Maybe, I don't know if it was through this injecting of voice commands that they were saying they could control voice assistants inside the smartphones.
Yeah, I kind of think you could do, I kind of think that, I don't, doesn't seem far-fetched to me. I have no idea how you'd do it, but it, I think. Well, I guess you make sounds that maybe have some ultrasonics in them that the microphone picks up that you can't hear that are misinterpreted. There's an easy fix for that which you should apply anyway, and that is: please, everybody, don't, no matter how convenient it is, leave Siri or the voice assistant enabled at the lock screen.
Hang on. Carole has sent me a message. She says in a— she's done a screenshot.
National Geographic. From National Geographic.
Oh, excellent.
Apparently there's something called Hot Bee Balls is the title of this article. Apparently in a battle with Asian giant hornets, Japanese honeybees—
Not beans, bees.
Bees. They turn up the heat. By swarming around hornets and cooking them to death.
Thank you very much.
Scientists have found a genetic switch in the honeybees' brains that turns on during the attacks.
Thank you very much.
Well, I can see why you've mentioned this in this piece, Rob. There's definitely a link. Thank you very much.
You're very welcome.
Duck, what have you got for us this week? Well, I thought that it might be intriguing, even though you covered the beginning of this saga last week, to revisit the whole ransomware situation, not least because of the, what you might call the denouement, or maybe it's not the denouement, maybe it's the ongoing story of the LockBit takedown, and also recent news about the Rhysida ransomware decrypt-it-yourself because the crooks made a programming blunder. You know, how do all these things such as freebie decryptors, how do they really play out in the ransomware world? Is it something we should be keen on trying? So anyone who wasn't listening last week, just to quickly recap—
Go listen to the show.
Well, yeah, shame on them, frankly.
No, they could just go back a week. It's not a big deal. All right. But anyway, so the law enforcement authorities, they took over the LockBit infrastructure. They grabbed a whole load of decryption keys. They reckon they can unlock anyone's LockBit encrypted files for free rather than you have to pay the ransom, right?
That's correct.
Ooh, I wanna hear all about it 'cause I've not been following this at all. Well, apparently the way the stories unfolded from law enforcement, they were able to break into about three dozen servers. They got hold of details of just over 14,000, I don't know whether they were email or messaging accounts related to so-called affiliates.
And it was a bit "the lady doth protest too much", wasn't it? It was, it was, yes, that's exactly what I thought. And I'm glad you got the Shakespeare in because I think we need a little bit of that every time.
Send me your passport so I can identify you perfectly. That's the legitimization of, hey, it's just a service. Like if you pay the money like you would to a regular pen tester, then you just, you know, you just do the legal agreement afterwards, not before. It's a long time, even for me. And to me, a big thing at the end was trying to reinforce this idea that the FBI claim that they had retrieved evidence from the servers that people who'd paid the money to suppress their data leaks nevertheless had their data retained on the servers. Yes. If that's true, that's very good news for all of us good guys because it completely undermines the main reason most people pay.
Right. Yeah. So I'm wondering, slash hoping, that this will make people think that paying up really isn't worth it because the entire, if you like, business prospect is undermined. You can test whether the decryptor works. So generally my understanding is most ransomware crooks make sure that their decryptors work because it's easy to see if they're leading you down the garden path, if they sell you the thing and then it doesn't work. And LockBitSupp, they can't be confident that someone else hasn't exploited the same flaw.
That's what I mean. They were vulnerable. Who knows who else has got that data?
It could have been going on for ages, couldn't it? Different vulnerabilities mean some other criminal gang has for ages been grabbing data from the LockBit gang. And doing whatever the heck they like with it. And this would not be the first time that crooks have gone to war with each other by pwning each other's servers as a way of getting back at each other, or I guess having what amounts to postpaid pentesting fun amongst themselves. So it looks as though the sort of underlying business model of this whole pay to have your data deleted has been visibly undermined by this long disposition by LockBitSupp. He should really have sent an apology email, shouldn't he, to his clients, to all those corporate customers who've been paying him?
Dear customers, we take your security seriously. Now.
Carole, what have you got for us this week? I am going to look a bit at the dating world to start off with. It just struck me. I was looking at it today and doing a bit of research on what was the dating landscape in the last few years? How do people do it? Yeah, you were on it about 1978, weren't you? I think you probably haven't been on it for a while.
Yeah, I was still a toddler. That's right. But also, I was looking at this research, and maybe for a guy with marmalade issues, Graham, you're quite gobby today. He's in a bad mood. Can you tell?
Yes, yes, he's speaking. So maybe there's no surprise that of the respondents in this research that Forbes summarized, right, half the respondents use online dating apps to find dates. But then stuff got weird. No.
What do you mean mind? How's it mind control? I don't understand.
My partner gets mad at me going, were you just thinking about Jeff Goldblum?
Were you?
Did he have a shirt on? Well, it's over. You're cheating.
No, Carole, there's a difference when you're fantasizing about Jeff Goldblum, who you've never met and are unlikely to ever have a, you know, go swinging with or something.
He unleashed the world's most famous virus, didn't he, Jeff Goldblum?
He did. Mac virus as well.
Who says Macs don't get viruses, eh?
Who claims aliens don't use Macs? That was a lucky guess on his part, wasn't it? But Carole, if you were fantasizing about Alan in the office, who you sometimes go play badminton with, then your partner would be right to be concerned, I think.
Well, I wouldn't be telling them, presumably. Anyway, I found that, you know, I think physical cheating might be a bigger deal personally, right?
Yes, but there's gradients.
Having sex with someone who's not your partner is a close fourth. That was the first thing on their list, was fantasizing about someone.
Maybe the deal is that many people who use dating sites never end up meeting up with a person because they're on the other side of the world. So actually, all they've got is the emotional side. And we know that that can draw people in very deeply, even when they're deeply suspicious that they're being scammed. Which is why romance scams are often such a terribly long-game thing that you just feel so sorry for the people who get drawn in.
I would be upset if I were a woman whose partner was on Ashley Madison, chatting up someone for months and months on end. Not only that they're emotionally committing to this person, but also the person they're probably chatting to is a bot anyway, who isn't a real person. So it's you're stupid and you're emotionally cheating on me.
And you're sharing your data with an organization that has a non-stellar reputation when it comes to cybersecurity.
Well, look, I just think after looking at all this stuff, I just thought, I don't blame anyone for thinking I'm going to just go fully digital. And why not, right? The generative AI world exploded like an unsettled stomach more than a year ago, and now we are awash with all manner of AI, including love AI.
Your metaphor took me by surprise there.
I was confused by digital, to be honest. I thought I had a different image in my head, but anyway, okay, so we're talking computers.
No, it was the other word beginning with D that washed me away.
Carry on. Some of you longtime listeners might remember that I spoke about Replika AI, I think twice last year. Replika AI is one of the many online chatbots that you effectively train to be your love interest through texting and sending pics and sharing your deepest, darkest secrets.
I'm beginning to understand your exploding stomach metaphor a bit better now, I'll tell you. Yeah, that's peculiar, if nothing else.
So apparently that—
So I actually downloaded this Replika AI to play around with it. And honestly, it was — well, you might remember I said this on the show a year ago, but I lost interest very quickly because it just didn't work. It just had no conversational ability whatsoever.
I was thinking about that when you were saying if, you know, if someone gets sucked into this and they keep telling them more and more and more to try and train this bot to be more like what they want to be like, eventually you're kind of going to tell them everything, aren't you? That is a very interesting point, Duck, and a scary one, right? So that's the kind of thing that Privacy Not Included will ask.
Yes, yes. I expect they found that they were all performing perfectly.
Top notch, five stars.
And looking after privacy. And it's great that we have such a good news story on the Smashing Security podcast.
Would you be surprised to find out that Privacy Not Included found that all 11 romantic AI chatbots assessed had privacy issues, making them among the worst products reviewed for privacy by the club? Would you be surprised to find out that these AI chatbots are deliberately designed to collect sensitive personal information under the guise of being empathetic friends or romantic partners?
No. Shame on you, Carole. That can't possibly be happening. No, but think about it, right? You're sitting there, Clue, right?
Zugzwang?
Zugzwang. Zugzwang.
Yes. Zugzwang. Yeah. And my Maróczy Bind.
Yeah. Another good chess move. Maneuver.
It just kept going, "What's your favorite movie? Do you like the color red?" Independence Day, obviously, you know. So I lost interest in even for research purposes. But thank God we have organizations like Mozilla's Privacy Not Included. Now, Privacy Not Included, link in the show notes, is a website dedicated to reviewing all manner of smart paraphernalia and exposes the bits hidden deep in the privacy notices. So we've talked about them before as well.
Yeah, you share all your fantasy moves and fantasy games with the fantasy players to the AI chatbot.
Hit the board over in a fit of rage. That's also a chess ending.
Tell them all about your lucky underpants. Would you be a reasonable person to assume that this dirty chess talk is just between you and your AI darling?
It would be nice to think it were, but I suspect you're going to say that it isn't.
And I bet you, as he said, they're collecting location information, all sorts of other stuff, as much as they can. Can as well, right? Because that helps you be more, more empathetic. Because, well, you said X when you're at location Y, but you said A when you're at location B. It's important to know all this stuff, folks. So I can imagine people being lured into turning all the share with those options on.
Exactly. So they market themselves as an empathetic friend, lover, or soulmate, but are built to ask you endless questions. They're designed to collect sensitive personal information about you. Numbers from the research, chatbots collected excessive personal data with an average of 2,663 trackers per minute and up to 24,354 trackers detected in 1 minute of use. That's a lot of tracking.
That does sound—
And I bet you once people think they can trust this bot, and we know that's an issue because going right back to, what was it, the '60s or the early '70s with ELIZA, you know, which was the first simple chatbot. People really got drawn into that and they knew it was a program, but they still talked to it. You can imagine that people aren't just going to be talking about their romantic wishes or their fantasies. They're going to be moaning about things in their life—oh, I had my credit card blocked the other day and I got into a big argument at the bank and I'm thinking of switching. And oh, I owe the utility company money and I won't be able to pay it. You can imagine they're probably giving away all sorts of details. If you're a cyber criminal or an identity thief or another scammer who wanted to come in with a human scam, you would be off to such a flying start.
Well, to your point earlier, Duck, they are hiding—they're in the T&Cs, they hide their CYAs, right, which means cover your bottoms. And one reads that they may collect excessive personal data, even health-related information from you—your sexual health information, use of prescribed medicine, and gender-affirming care information.
Fun.
So are people telling their AI chatbots that they're taking heart medication or they're just—
Sure. They would go, hi honey poochie poo poo.
Oh, I've got such a hangover today. I was at such and such a club. I spent $400 I couldn't afford. You know, just—
I had—I sucked back 4 bottles of Bailey's. Not feeling great today.
Wow.
You know, now a big issue is that some users want to use these chatbots to maybe help with their mental health. Maybe they're feeling lonely, maybe they're anxious. And many are peddling—many of these AI chatbots, these romantic versions, are peddling the message that it's a self-help program. So that's what Talkie Soulful AI calls itself, a self-help program. EVA AI Chat Bot & Soulmate bills itself as a provider of software and content developed to improve your mood and well-being.
So they're actively urging you to say more than you reasonably would.
Yes. And Romantic AI chatbot says, here to maintain your mental health. But look at Romantic AI's Ts and Cs, and it says Romantic AI makes no claims, representations, warranties, or guarantees that the service provides therapeutic, medical, or other professional help.
You would think that the people behind them by now thought, I wonder how we could make some more money. I wonder if we could sort of integrate into the conversation some advertising. So say, oh, that sounds terrible. Maybe you should go out to the disco tonight. I hear there's a good one just down the road.
Yes.
Or worse.
Yes, Minority Report does dating.
But there are some serious examples of harm. So one of Chai's— that's another romantic AI chatbot— reportedly encouraged a man to end his own life. He did. A Replika AI chatbot encouraged a man to try and assassinate the Queen. He did, or tried to.
Yeah, I was going to say, crikey, that's—
Missed that story.
They hushed that up well. No, I know what you mean.
Now that these AI chatbot butts are covered by all their legalese, these romantic AI chatbots can let their chatbots ask any question, right? The chatbot can ask anything and hoover up all the answers the customers give, all in the name of providing love AI-style.
Be aware before you share.
Yeah.
Yeah.
The old rules work the best.
I can totally see the draw. My experience, it was a year ago, but it was pretty poor. But go check out Privacy Not Included, see what they say, and make your own mind up. But don't go in with your eyes closed and your— yeah, anything else open. Thank you very much. Good night.
With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market. And that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses supporting endpoints seamlessly.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta.
And welcome back. And you join us after favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Duck.
Pick of the Week. I always forget that bit.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be. Well, my Pick of the Week this week is not security-related. I do a lot of public speaking, but increasingly people say, well, no, we don't want to see you in public, actually. We don't want you showing up. Graham, what would you find more difficult, talking for an hour or listening for an hour? I rest my case.
Now, my pick of the week this week is something which makes it easier for me to talk online down a camera and hopefully appear slightly professional.
It's not a romantic chatbot, is it?
No, it's not.
A fake audience. It can be easy to forget some detail of your talk or where you are, or, you know, you don't want to be looking at your notes. So I use a piece of software sometimes called PromptSmart. So as your talk goes on, the CPU starts overheating as it's frantically trying to keep up. And then eventually, like your wireless toaster, it all explodes. What I really like about PromptSmart is that the voice recognition works so well that if you go off script, which I am prone to doing, you know, I think, oh, I'll just tell this story as well. I'll tell this anecdote. It doesn't start yelling at you, does not compute. I don't understand.
You're off.
You're going the wrong way.
Anyway, it works really nicely.
Does it have a little tick box that you can turn on that is cough mode? So that if you're way off script, it goes, "Ahem, ahem, ahem, and oh, sorry folks," and it guides you gently back. Anyway, my pick of the week this week is PromptSmart. Thank you very much. My pick of the week is a museum exhibit that is perhaps at least in theory, one of the simplest you can imagine at the Natural History Museum in Oxford, which is a great place to visit. Free entry, gorgeous Victorian Gothic building built in the late 19th century, just opposite Keble College.
Cool. On the near side, just in front of you, is the most exquisitely painted 1/2^32 scale model of the Earth, which comes in at just over 3mm in diameter on a little pin with the continents painted on beautifully. And then on a little circle around it on another pin is a scale model of the moon, which is about 1mm across to scale.
Very cool, very cool, very cool. Interesting Pick of the Week. Carole, what's your Pick of the Week? Well, I was a little stuck this week. I don't know — we do a lot of Pick of the Weeks. You know, guests get to come on and have a few in their pocket, you know.
Tiny violins are sounding.
Well, I had a lot of work on last week, right? And then I twisted my ankle or rolled it or whatever.
The cellos are joining. So I had to cancel loads of stuff, right, which stressed me out and blah blah blah. And I was thinking, why did I roll my ankle, right? It's amazing how tiny the deviation you need to do that though, isn't it? It's annoyingly easy to do. Yep. And kind of frustrating. Anyway, so among other things that I was thinking, what can I do to try and maintain that, is I downloaded, or I heard about this app called Lotus Bud.
Right.
And it just means, basically, the way I read it, Graham, is calm the fuck down, basically, right? That's the sound.
So it just occasionally goes—
Bong.
Couldn't you just listen out for a nearby church clock? There are quite a lot of those in the Ox area, 'cause then you get 1, then 2, then 3, then 4, then 5, then 6 as the day goes on.
It's just a random bell.
So just the bong, the bong calms you down, Carole. If you need to be calmed down more, couldn't you have a fire alarm going off?
Those words did not come out as I think you expected, Graham.
The bong calming her down.
So it has this little bell sound, and I don't know, I think it's good. So if you're finding yourself to be a little bit stressed, Graham, right?
What the fuck are you talking about?
Maybe you could persuade the PromptSmart guys to build it into the app. So if it sees you've gone off script, it— you just get bong, a little calming gong thing.
Yep. And it might say, remember to breathe. Important life-saving stuff like that.
One dong at a time. That didn't come out right either, but you know what I mean.
Carole, what's the name of the app again?
It's called Lotus Bud, and it's my pick of the week.
That just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
The best way to do that is to go to pducklin.com, or if you can remember my full name, paulducklin.com will take you to the same place.
And that's without a G, isn't it?
Ducklin without a G. It is indeed.
And you can follow us on Twitter @SmashingSecurity. We also don't have a G. Twitter won't allow us to have a G. And a massive thank you to our episode sponsors, BlackBerry, Kolide, and Vanta, and to our wonderful Patreon community. It's thanks to them all that this show is free.
Until next time, cheerio, bye-bye. Bye. Bye.
Bong.
I think it would do you good, Graham. Bit of bong in your life. Little bell.
A bit, bit—
Little bell, just to remind you to chill out.
Why? You seem to think I'm stressed.
Yes, it's funny, most people who are stressed don't realize they give stress vibes out.
Yeah, you might not be stressed. Maybe it's everyone else is stressed. On your account, yeah.
Everyone around me.
Maybe that's how it works.
Yes, they're worried about me. Maybe that's the anxiety.
Just saying.
Thank you very much, Duck.
Thank you for having me. It was great fun as always.
Thank you, Duck. You're lovely.
Thank you.
Cheers. I've got to go, guys.
Bye.
Bye.
Bye-bye.
Hosts:
- Graham Cluley
- Carole Theriault
Guest:
- Paul Ducklin – @duckblog
Episode links:
- VoltSchemer: Use Voltage Noise to Manipulate Your Wireless Charger – ArXiv.
- FBI offers free decryption help for LockBit ransomware victims – Paul Ducklin.
- LockBitsupp unmasked!!? Graham’s reaction to the FBI and NCA’s LockBit ransomware revelation – YouTube.
- Dating Statistics And Facts In 2024 – Forbes Health.
- Romantic AI Chatbots Don’t Have Your Privacy at Heart – Mozilla Privacy Not Included.
- PromptSmart.
- Solving a celestial mystery: the Sun, Earth and Moon model – Museum of Natural History, Oxford.
- Lotus Bud.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry – BlackBerry helps keep you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.