Smashing Security podcast #361: Wireless charging woe, AI romance apps, and ransomware revisited

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


Your smartphone may be toast if you use a hacked wireless charger; we take a closer look at the latest developments in the unfolding LockBit ransomware drama; and Carole dips her toe into online AI romance apps.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.

Graham Cluley

Really? Yeah. Microwaves? Are these killer bees with laser guns? No. No.

Paul Ducklin

Smashing Security, episode 361: Wireless Charging Woe, AI Romance Apps and Ransomware Revisited, with Carole Theriault and Graham Cluley.

Graham

Hello, hello and welcome to Smashing Security, episode 361. My name's Graham Cluley.

Carole

And I'm Carole Theriault.

Graham

And Carole, this week we're joined by a returning guest, someone who's been on the show many times before. Let our gorgeous listeners know who it is.

Carole

This week we are joined by Paul Ducklin. Hello, everybody. Hello, Duck. Welcome.

Paul

Thank you so much. Thanks for having me. I'm looking forward to it. You never quite know what Graham's going to say, but you know he's going to say something.

Carole

Yep. Now, we have an action-packed show, so I suggest we get going. So let's first thank this week's wonderful sponsors, Kolide, BlackBerry and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?

Graham

Well, if you think you're bready, I'm gonna be talking about toasting things.

Carole

I have no idea what that means

Paul

I think oh I've just worked it out I think it's what passes for a pun.

Carole

Okay, not getting it still. What about you, Duck?

Paul

I'm going to look at what happened since you talked about LockBit last week and the issue of decryptors. Is it worth it? Can it help? Does it work? Should we strive for it?

Carole

Great. And I will be tiptoeing into a potentially brand new AI dating frontier. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, we all get up in the mornings if we're lucky. Hopefully. You get up, you wake up, you have some breakfast. Big fan of toast me. I don't know what your peculiar choice of, well, what do you slather on your toast? Anything in particular?

Paul

Oh, I like a bit of marmalade. Marmalade? Marmalade is just jam under another name, isn't it? Yeah, but it's delicious.

Graham

I like shredless marmalade. I always used to think marmalade had those bits in it, but when I discovered you can have marmalade without the bits, I was much, much happier. I'm a big fan of Marmite. Marmite's pretty good. No, it's pretty good. Peanut butter? Certainly not. So I've sorted out my toast, then I pick up my phone.

Paul

Yeah, don't confuse them. If you slap your marmalade against your ear, you're going to be in trouble, aren't you?

Graham

Also, if you put your phone in the toaster, that's no good either. It could fry in all the electronics. So either of you have wireless chargers? Maybe at your home, in your car, anything like that? Nope. Oh, I do.

Carole

My car's 12 years old and no, no in the house.

Paul

Oh, Graham set us up and we dropped him in it. Do you have wireless chargers? No. Do you? Go on. Well, it's quite a handy thing, I think, because... You're often several metres away from a power point.

Graham

Well, no, let me explain what my issue is, Duck, with wired charging. I mean, in some ways it's great because you can find your phone under the rubble on your desk, right? Or the detritus, which is there. You can just follow the lead and eventually find your phone. That's why I don't have wireless earphones, for instance. I'd just be losing my earphones all the time. So I like them being on a wire. However, with a phone, you've got that little twiddly, little irritating, little, it's a lightning cable or something. And it's quite often the bit which goes wrong because the wire gets bent or the connection gets a bit flaky and all the rest of it. So I quite like the idea of wirelessly charging my phone, particularly overnight, because I don't have to remember to plug it in. I just dump it there and it's fantastic and it's happy.

Carole

How many wireless charge locations do you have in your house?

Paul

I think I have two. Is that all right with you? Missing a trick because I've probably got 30 socket outlets where I can plug in the charger. So I'm way ahead of you there, Graham.

Graham

So these chargers, the technology is called, I think it's pronounced Qi. Yes. Q-I.

Paul

Not as in the television quiz show hosted by Sandy Toksvig.

Graham

No, no, that's right. Q-I is also, of course, a fabulous word to use in Scrabble, particularly if you get the Q on a triple word or triple letter even, because especially if you go two ways, it's quite a handy one. that you can make a lot of points. Not as good as Kwyjibo. Well, a boarding, boarding, what was it? A boardlike ape or something. There was that virus, wasn't there? The Melissa virus.

Paul

Which referenced Kwyjibo, which was a Bart Simpson thing from the 90s, wasn't it?

Graham

Yeah, that's right. Well, that's dated us, isn't it? Anyway, so you have these Qi wireless chargers around the place. And there's a whole bunch of vendors these days making them. We don't. You do. Folks do. Many people do, Carole, but not people like you guys. No, no.

Paul

We worship efficiency, you see, so we like the idea that, you know, you just...

Graham

Duck! Duck! Do you have a wireless phone?

Paul

How do you mean a wireless phone?

Graham

A phone which you don't have to plug in to phone someone up on.

Paul

Well, the telecommunications industry in the United Kingdom of Great Britain and Northern Ireland is discontinuing landline so you don't have a choice, you've just got to go with the flow.

Graham

Right. And I do have wireless headphones because I'd walk away from my desk and I don't want to yank my computer off onto the floor. But wireless charging's not for me. All right. Carry on. Anyway, some boffins have been researching ways in which you can attack smartphones. And what they've discovered is there's a new way of attacking smartphones.

Paul

Schema. It's not Ben Gurion University of the Negev, is it? Those guys.

Graham

It's not on this. You know, when I saw the headlines at first, I thought it would be them because those guys are always coming up.

Paul

They do great. Fansmitter and LANtenna and all that. They get the best names as well as cool research. So it's not those guys.

Graham

They do really cool things. Now, this is a bunch of, I think they're Chinese researchers who've come up with this. VoltSchemer launches a wireless power toasting attack against smartphones, potentially damaging charged smartphones through overcharging and overheating them.

Carole

Not overcharging financially, but like making it boil. No, no, no. And it does more than that. So I'm going to explain what they do and how this works. And you can tell me how plausible you think this is as an attack vector. Okay.

Paul

So when you say off the shelf, you mean not off the shelf through your mailbox.

Graham

All right. Okay. All right. Yeah. We could also go down. All right. You could also go down your local electronics shop and probably buy these kinds of things as well. So normally this is how wireless charging works, right? You've got your outlet, your wall outlet, which is connected to the charging device. And that is sending AC current, right? Alternating current down the wire to that. Inside the charger there are some sort of components and technology which turn the AC power into DC power. So we've gone from AC to DC; we've now got direct current. That's the kind of power that your devices use. Am I correct so far? Because I'm not really an electronics whiz.

Paul

Hell's bells, Graham, I have no idea what's going on. That was a rock and roll pun.

Graham

This isn't an AC/DC thing, is it? All right.

Carole

I need to pay more attention. So the charger uses the DC power to create an electromagnetic field. Fun. This is like bees or like wasps when they kind of microwave someone.

Graham

It's exactly like bees, Carole. Yes, what they've done is they've taken a wasp's nest and they've shoved it down a wire.

Carole

I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.

Carole

Really? Yeah. Microwaves? Okay. Will you show your ignorance? I will put a link in the show notes.

Graham

Duck, have you heard about this? You've lived in some crazy parts of the world. You get bees all around the globe. I can imagine it. All right. Okay. So VoltSchemer makes the noise coming from the power supply much bigger, right? Uses specific patterns. And this apparently fools the charger. The charger misinterprets the manipulated noise coming down the power signal as instructions. And these allow the charger to do a number of things. So it will, for instance, send very strong charging signals that can damage your phone by overcharging it or going to excess. They can even, they said, change how the charger communicates with your phone by sending voice commands, is what they say.

Paul

Wow. Now, this begins to sound completely bonkers, right? They claim it can send inaudible, by the human ear at least, voice commands to your Siri or your Android Google Assistant. Yeah, you get them on the upper deck of some of the Oxford Bus Company buses.

Carole

That's true. Yeah, where you sit.

Paul

To work, they have a USB charger and they have the Qi thing in the middle of the desk, a little coil sitting there, so you can just stick your phone down and charge up while you're coming in from the station into town.

Graham

I had a car which had a wireless pad in it as well, which is somewhere where you would naturally put your key fob, for instance. And they found that the key fobs couldn't just be sort of ordered to overheat, but in one case detonated, and there was an explosion as a result. A paper clip: they managed to increase the temperature of a paper clip to 280 degrees Celsius, so over 500 degrees Fahrenheit, which then could actually burn paper and documents. So if you had important documents lying around... SSD cards, USB drives, again, suffered permanent data loss as a result of these kinds of attacks. Credit cards, passports with NFC chips, magnetic stripes got wiped, all because this VoltSchemer attack was able to fool the charger into carrying on charging and indeed tell the phone not to cut off and not to say, "Oh, I've had enough, thank you." It could actually fool it into thinking, "No, just keep on going" until they get hotter and hotter and hotter.

Carole

Is this in the wild? Is this in the wild? No, it's not. It's not as far as we know in the wild. These boffins have done it as a matter of time. It's just those guys at Ben-Gurion University in Israel who are always finding these crazy attacks, which are completely theoretical. This is as well. Why not keep a fire hazard in the house? I agree.

Paul

Well, you've got the toaster already. That's dangerous enough.

Carole

Yeah, but that has an on-off switch, right? I'm presuming these things are on all the time. They're plugged in all the time and constantly waiting for a phone to land on them so they can do their magic.

Paul

Did they say which phones were vulnerable? Because it sounds as though if the phone could agree to overcharge itself and overdo its battery via this Qi charging, then surely those phones would have a similar problem with today's USB chargers, some of which can deliver power in excess of 100 watts.

Graham

Well it seems that they did tests on the iPhone SE, the Pixel 3, a number of other manufacturers as well. So they did it on a whole bunch of devices where they were able to do it. Maybe I don't know if it was through this injecting of voice commands. They were saying they could control voice assistants inside the smartphones.

Carole

Yeah, I kind of think you could do that. I kind of think that doesn't seem far-fetched to me. I've no idea how you'd do it. Well, I guess you make sounds that maybe have some ultrasonics in them, that the microphone picks up that you can't hear, that are misinterpreted. There's an easy fix for that, which you should apply anyway. And that is, please, everybody, don't, no matter how convenient, leave Siri or the voice assistant enabled at the lock screen.

Graham

Hang on. Carole has sent me a message. She says in a... She's done a screenshot.

Carole

This is from National Geographic. From National Geographic.

Graham

Oh, excellent. Apparently there's something called "hot bee balls" is the title of this article. Apparently in a battle with Asian giant hornets, Japanese honeybees... Not beans, bees. Bees. They turn up the heat by swarming around hornets and cooking them to death. Thank you very much. Scientists have found a genetic switch in the honeybees' brains that turns on during the attacks. Thank you very much. Well, I can see why you've mentioned this in this piece, there's definitely a link. Thank you very much.

Carole

You're very welcome.

Graham

Paul, what have you got for us this week?

Paul

Well, I thought that it might be intriguing, even though you covered the beginning of this saga last week, to revisit the whole ransomware situation, not least because of what you might call the denouement, or maybe it's not the denouement, maybe it's the ongoing story of the LockBit takedown, and also recent news about the Rhysida ransomware "decrypt it yourself" because the crooks made a programming blunder. How do all these things such as freebie decryptors, how do they really play out in the ransomware world? Is it something we should be trying? Can they work? And what happens next?

Graham

So anyone who wasn't listening last week, just to quickly recap. Go listen to the show. Well, yeah, shame on them, frankly.

Carole

No, they could just go back a week. It's not a big deal. All right.

Graham

But anyway, so the law enforcement authorities, they took over the LockBit infrastructure. They grabbed a whole load of decryption keys. They reckon they can unlock anyone's LockBit-encrypted files for free rather than you having to pay the ransom, right? But since then, LockBit appears to have made a bit of a comeback. That's correct.

Carole

Ooh, I want to hear all about it because I've not been following this at all. Well, apparently, the way the stories unfolded from law enforcement, they were able to break into about three dozen servers. They got hold of details of just over 14,000. I don't know whether they were email or messaging accounts related to so-called affiliates. They claim to have got 1,000 decryption keys or pre-built decryption programs with the keys built in that people would normally have to negotiate and pay for. They also claim they'd frozen 200 cryptocurrency accounts.

Graham

A bit "the lady doth protest too much", wasn't it? Methinks.

Paul

Yes, yes exactly what I thought and I'm glad you got the Shakespeare in because I think we need a little bit of that every time. What I did find intriguing in there is, I hadn't heard this term before, but this seems to be the new way of repitching ransomware. Basically, and I'm assuming it's a guy, he describes his business as post-paid pen testing. How do you like that? And he's saying, what I'm going to do now is I'm going to be a bit strict about who I take on. So if you want to be an affiliate, you have to prove that you are pen testers who work on a postpaid basis.

Carole

Send me your passport so I can identify you perfectly. That's...

Paul

The legitimization of, hey, it's just a service. And if you pay the money you would to a regular pen tester, then you just do the legal agreement afterwards, not before. One fascinating part of this 2,800-word ramble was actually: they only got in because I got lazy. Now they've re-energized me, I'm gonna be fine, and yes, the rumors you may have heard about how the FBI etc. broke in are true. I was hit by a remote code execution bug in PHP that was patched on the 3rd of August 2023. And then there's this long, as Graham says, "the lady doth protest too much, methinks", going, well, this could have caught out anybody who didn't patch. You're thinking, yeah.

Graham

Yeah, but last August is quite a long time ago.

Paul

It's a long time, even for me. And to me, a big thing at the end was trying to reinforce this idea that the FBI claim that they had retrieved evidence from the service that people who'd paid the money to suppress their data leaks nevertheless had their data retained on the service. If that's true, that's very good news for all of those good guys, because it completely undermines the main reason most people pay. When you pay for the decryption key, you know whether the person is being, how can I say, truthful is the right word. You try the decryptor, either it works or it doesn't. And it's sink or swim, and you know whether you've got the real decryption key. But paying for the negative, you never know: are they going to keep the data, has someone else already got it? So the LockBit ramble was basically, no, no, no, that's all lies. They didn't get any data. There's no evidence that we've been keeping data that we claimed we delete in return for the payment. So we haven't undermined the business model. Yet, the fact that those servers were insecure due to an operational cybersecurity blunder, such as being vulnerable to a six-month-old vulnerability, how on earth can anyone then claim that their data hadn't been plundered? So I'm wondering, slash hoping, that this will make people think that paying up really isn't worth it because the entire, if you business prospect is undermined. You can test whether the decryptor works. So generally, my understanding is most ransomware crooks make sure that their decryptors work because it's easy to see if they're leading you down the garden path if they sell you the thing and then it doesn't work. But you can never really have any proof, positive proof, that they deleted the data they claimed.

Graham

And LockBitSupp, they can't be confident that someone else hasn't exploited the same flaw.

Paul

That's what I mean. They were vulnerable. Who knows who else has got that data?

Graham

It could have been going on for ages, couldn't it? Different vulnerabilities mean some other criminal gang has for ages been grabbing data from the LockBit gang and doing whatever the heck they like with it. And this would not be the first time that crooks have gone to war with each other by pwning each other's servers as a way of getting back at each other or, I guess, having what amounts to postpaid pen testing fun amongst themselves. He should really have sent an apology email, shouldn't he, to his clients, to all those corporate customers who've been paying him. Dear...

Paul

customers, we take your security seriously.

Graham

Now. Carole, what have you got for us this week?

Carole

I am going to look a bit at the dating world to start off with. It just struck me I was looking at it today and doing a bit of research on what was the dating landscape in the last few years, how do people do it, and it's completely different from when I was in the dating zone. I mean Graham actually you've been on it more recently than me and...

Graham

Yeah you were on it about 1978 weren't you? I think you haven't been on it for a while. Yeah I was still a toddler. That's right.

Paul

For a guy with marmalade issues, Graham, you're quite gobby today.

Carole

He's in a bad mood. Can you tell? Yes. Yes, he's speaking. So maybe there's no surprise that of the respondents in this research that Forbes summarised, half the respondents use online dating apps to find dates. But then stuff got weird. So overall, respondents were more concerned with emotional cheating than physical cheating. And I didn't really understand what that meant. And it means if you're cheating, you're fantasizing about another person in a romantic way. So basically, mind control, no?

Graham

What do you mean mind? How's it mind control? I don't understand.

Carole

My partner gets mad at me going, were you just thinking about Jeff Goldblum? Were you? Did he have a shirt on? Did he? Well, it's over. You're cheating.

Graham

No, Carole. Carole, there's a difference when you fantasise about Jeff Goldblum, who you've never met and are unlikely to ever have a, you know, go swinging with or something. He unleashed the world's most famous virus, didn't he, Jeff Goldblum? Who, he did. Mac virus as well. Who says Macs don't get viruses, eh? Who claims aliens don't use Macs? That was a lucky guess on his part, wasn't it? But, Carole, if you were fantasising about Alan in the office who you sometimes go to play badminton with, then your partner would be right to be concerned, I think.

Carole

Well, I wouldn't be telling them, presumably. Anyway, I found that, you know, I think physical cheating might be a bigger deal, personally. So apparently... Yes, but there's gradients. Having sex with someone who's not your partner is a close fourth. That was the first thing on their list, was fantasising about someone.

Paul

Maybe the deal is that many people who use dating sites never end up meeting up with the person because they're on the other side of the world. So actually, all they've got is the emotional side. And we know that that can draw people in very deeply, even when they're deeply suspicious that they're being scammed, which is why romance scams are often such a terribly long game thing that you just feel so sorry for the people who get drawn in.

Graham

I would be upset if I were a woman whose partner was on Ashley Madison chatting up someone for months and months on end. Not only that they're emotionally committing to this person, but also the person they're probably chatting to is a bot anyway, who isn't a real person. So it's you're stupid and you're emotionally cheating on me.

Paul

And you're sharing your data with an organisation that has a non-stellar reputation when it comes to cyber security. Yes.

Carole

Well look, I just think after looking at all this stuff, I just thought, I don't blame anyone for thinking, F this. People are nuts. And I'm going to just go fully digital. And why not? The generative AI world exploded like an unsettled stomach more than a year ago. And now we were awash with all manner of AI, including love AI.

Graham

Your metaphor took me by surprise there. I was confused by digital, to be honest. I thought I had a different image in my head. But anyway, okay, so we're talking computers. No, it was the...

Paul

other word beginning with D that washed me away.

Carole

Carry on. Some of you longtime listeners might remember that I spoke about Replika AI, I think twice last year. Replika AI is one of the many online chatbots that you effectively train to be your love interest through texting and sending pics and sharing your deepest, darkest secrets. So you might kind of go, oh. That is not weird at all. You might go, oh, I really love chess and I really love Doctor Who, but I hate everything else.

Paul

I'm beginning to understand your exploding stomach metaphor a bit better now. Yeah, that's peculiar, if nothing else.

Carole

So I actually downloaded this Replika AI, right, to play around with it. And honestly, it was, well, you might remember I said this on the show a year ago, but I lost interest very quickly because it just didn't work. It just had no conversational ability whatsoever. It just kept going, "What's your favorite movie? Do you like the color red? Independence Day." Obviously. You know, so I lost interest, even for research purposes. But thank God we have organizations like Mozilla's Privacy Not Included. Now, Privacy Not Included, link in the show notes, is a website dedicated to reviewing all manner of smart paraphernalia and exposes the bits hidden deep in the privacy notices. So we've talked about them before as well.

Paul

Yeah. I was thinking about that when you were saying if someone gets sucked into this and they keep telling them more and more and more to try and train this bot to be more like what they want to be, eventually you're going to tell them everything, aren't you?

Carole

That is a very interesting point, Duck, and a scary one, right? So that's the kind of thing that Privacy Not Included will ask. They're just going to see what data are they taking from you and is your privacy safe? And the point is to help us make better choices when it comes to buying smart tech. So these people released some findings earlier this month on a smattering of romantic AI chatbots. Now, I'm guessing, well, I don't want to guess. Do you boys think that they found the purveyors of AI romantic chatbots were privacy forward thinkers securing their romantic AI services for the paying customer?

Graham

Yes, yes. I expect they found that they were all performing perfectly. Top notch. Five stars. And looking after privacy. And it's great that we have such a good news story on the Smashing Security podcast. Would you be surprised to find out that Privacy Not Included found that all 11 romantic AI chatbots assessed had privacy issues, making them among the worst products reviewed for privacy by the club? No, shame on you Carole, that can't possibly be happening, no.

Carole

But think about it right, you're sitting there Clue, right, you're sitting there wooing, yes, a bot with your zugzwang talk. Is that how you say it? Zugzwang? Zugzwang. Zugzwang. Yeah.

Graham

Maróczy bind. Yeah. Another good chess maneuver.

Carole

Yeah. You share all your fantasy moves and fantasy games with the fantasy players to the AI chatbot.

Paul

Hit the board over in a fit of rage. That's also a chess ending.

Carole

Tell them all about your lucky underpants. Would you be a reasonable person to assume that this dirty chess talk is just between you and your AI darling?

Graham

It would be nice to think it were, but I suspect you're going to say that it isn't.

Paul

I bet you as you said they're collecting location information, all sorts of other stuff, as much as they can as well, right? Because that helps you be more empathetic because, well, you said X when you're at location Y, but you said A when you're location B. It's important to know all this stuff, folks, so I can imagine people being lured into turning all the share with us options on. Exactly. So they market themselves as an empathetic friend, lover, soulmate, but are built to ask you endless questions. That does sound good. And I bet you once people think they can trust this bot, and we know that's an issue because going right back to what was it, the 60s or the early 70s with ELIZA, you know, which was the first simple chatbot, people really got drawn into that and they knew it was a program, but they still talking to it because it's a way to unburden. You can imagine that people aren't just going to be talking about their romantic wishes or their fantasies. They're going to be moaning about things in their life "oh, I had my credit card blocked the other day and I got into a big argument at the bank and I'm thinking of switching and, oh, I owe the utility company money and I won't be able to pay it." Well, to your point earlier, Duck, they are hiding their in the Ts and Cs. They hide their CYAs, right, which means cover your bottoms.

Graham

So are people telling their AI chatbots that they're taking heart medication or they're just—

Carole

Sure I think they would go, "Hi honey poochie poo poo—"

Paul

But "oh I've got such a hangover today. I was at such and such a club. I spent $400. I couldn't afford," you know.

Carole

Just I had a suck back four bottles of Bailey's not feeling great today. You know, now a big issue is that some users want to use these chat bots to maybe help with their mental health. Maybe they're feeling lonely. Maybe they're anxious. And many of these AI chatbots, these romantic versions, are peddling the message that it's a self-help program. So that's what Talky Soul AI calls itself, a self-help program. Eva AI Chat and Bot Soulmate bills itself as a provider of software and content developed to improve your mood and well-being.

Paul

So they're actively urging you to say more than you reasonably would.

Carole

Yes. And Romantic AI chatbot says, here to maintain your mental health. But look at Romantic AI's Ts and Cs, and it says, Romantic AI makes no claims, representations, warranties, or guarantees that the service provides therapeutic, medical, or other professional help.

Graham

You would think that the people behind them by now thought, I wonder how we could make some more money. I wonder if we could sort of integrate into the conversation some advertising. So, oh, that sounds terrible. Maybe you should go out to the disco tonight. I hear there's a good one just on the road.

Paul

Yes. Or worse. Minority report does dating.

Carole

But there are some serious examples of harm. So one of Chai's, that's another romantic AI chatbot, reportedly encouraged a man to end his own life. He did. A Replika AI chatbot encouraged a man to try and assassinate the Queen. He did, or tried to.

Paul

Yeah, I was going to say, crikey, that's... Missed that story. They hushed that up well. I know what you mean. Now that these AI chatbots are covered by all their legalese, these romantic AI chatbot companies can let their chatbots ask any question, right? Be aware before you share. Yeah. The old rules work the best.

Carole

I can totally see the draw. My experience was a year ago, but it was pretty poor. But go check out Privacy Not Included, see what they say and make your own mind up, but don't go in with your eyes closed and your, yeah, anything else open. Thank you very much. Good night.

With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market, and that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses, supporting endpoints seamlessly.

Carole

Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming.

Graham

And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Duck.

Paul

Pick of the Week. I always forget that bit. Pick of the Week is the part of the show where everyone chooses to share their pick. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be.

Carole

Graham, what would you find more difficult, talking for an hour or listening for an hour? I rest my case.

Graham

Well, my pick of the week this week is something which makes it easier for me to talk online down a camera and hopefully appear slightly professional.

Paul

It's not a romantic chat bot, is it?

Paul

No, it's not. It's a fake audience. It can be easy to forget some detail of your talk or where you are, or, you know, you don't want to be looking at your notes. So I use a piece of software sometimes called PromptSmart. And this is a tool which you can run on your computer or on your phone. I use it on my computer. And it's basically a teleprompter. So as your talk goes on, the CPU starts overheating as it's frantically trying to keep up. And then eventually, your wireless toaster, it all explodes. And it's paper clips for setting his documents on fire.

Graham

What I really like about PromptSmart is that the voice recognition works so well that if you go off script, which I am prone to doing, you know, I think, oh, I'll just tell this story as well. I'll tell this anecdote. It will wait. And it will wait until I come back or it will catch up. It doesn't require me to say every word. It will, you know, it will jump to wherever I am. It will work out where I am.

Carole

It doesn't start yelling at you, does not compute. I don't understand. You're going the wrong way.

Graham

Anyway, it works really nicely.

Paul

Does it have a little tick box that you can turn on that is cough mode, so that if you're way off script, it goes... And, oh, sorry, folks. And it guides you gently back.

Graham

Anyway, my pick of the week this week is PromptSmart. Thank you very much. Duck, what's your pick of the week?

Paul

My pick of the week is a museum exhibit that is perhaps, at least in theory, one of the simplest you can imagine, at the Natural History Museum in Oxford, which is a great place to visit. Free entry, gorgeous Victorian Gothic building built in the late 19th century, just opposite Keble College. And this is an exhibit that very much goes about around 32 bits, or two to the power of 32, but it's not a techie thing. Basically, the atrium of the main gallery of the museum is just short of 40 metres across. That's where they've got the iguanodon skeleton and the T-Rex skeleton and all the cool stuff. But if you go up into the coffee shop on the portico on one side on the first floor and you look across, it's just under 40 metres. Well, that just happens to be one divided by two to the 32 times as far as it is from the Earth to the sun. So it's basically one four-billionth of the scale of the distance from the Earth to the sun across the museum. So what they have done, on the far side of the museum, they have a gilt sphere, a brass sphere that is about 350 millimetres across, which is one four-billionth the diameter of the sun. And then on the near side, just in front of you, is the most exquisitely painted 1 over 2 to the power 32 scale model of the Earth, which comes in at just over three millimetres in diameter on a little pin, with the continents painted on beautifully. And then on a little circle around it, on another pin, is a scale model of the moon, which is about one millimetre across at the scale. And it's amazing how, in amongst all the interactive exhibits on the super high-res screens and the carefully restored giant dinosaur skeletons, which are real, you know, a massive deal to maintain, this tiny simple model, it's just amazing. If you just stand around near there and watch people, sometimes they go up there and work and sit and work it, and people go, wow, that's amazing, and it really gives you this amazing sense of scale.

And I didn't realize until I looked it up that the scale was also one in two to the power 32, more or less, and it's fascinating how you can get an idea of the scale of just our part of the galaxy just by looking at these three balls, one millimetre, 3.2 millimetres, 350 millimetres, and think, gosh, the sun's a lot bigger than I probably thought at 1.4 million kilometres in diameter. Very cool. Very cool. Very cool. Interesting pick of the week.

Graham

Carole, what's your pick of the week?

Carole

Well, I was a little stuck this week. I don't know. We do a lot of pick of the week. You know, guests get to come on and have a few in their pocket, but we have to do it every week, Cluley.

Paul

So, tiny violins are sounding.

Carole

Well, I had a lot of work on last week, right? And then I twisted my ankle or rolled it or whatever.

Paul

The cellos are joining.

Carole

So I had to cancel loads of stuff, right? Which stressed me out and blah, blah, blah. And I was thinking, why did I roll my ankle, right? Because I probably wasn't paying attention. I was probably either thinking about something or planning ahead or, right. I wasn't in the moment. I wasn't walking and paying attention. One foot, left foot, right.

Paul

I think it's what I need to do. It's amazing how tiny the deviation you need to do that though, isn't it?

Carole

Yeah, annoyingly easy to do. Yep. And kind of frustrating. Anyway, so among other things that I was thinking, what can I do to try and maintain that is I downloaded or I heard about this app called Lotus Bug. And there's no tracking that I can see. It's free for iOS and I think maybe elsewhere. But basically it's one of those beautiful simple apps that does only one thing. It just puts this kind of chimey bell occasionally throughout the day, right? It just goes bong and it just means basically the way I read it, Graham, is calm the fuck down, basically, right? That's the sound. So it just occasionally goes.

Paul

You just listen out for a nearby church clock. There are quite a lot of those in the Oxey area because then you get one, then two, then three, then four, then five, then six as the day goes on.

Graham

It's just a random bell. So just the bong calms you down, Carole. If you needed to be calmed down more, couldn't you have a fire alarm going off or something?

Paul

Those words did not come out as I think you expected, Graham. The bong calming them down.

Carole

So it has this little bell sound and I don't know, I think it's good. So if you're finding yourself out to be a little bit stressed, Graham, right? A little grumpy because you have a lot of things on and you're trying to balance everything and everyone's frustrating you. Maybe Lotus Bug is for someone like you and that is my pick of the week.

Graham

What the fuck are you talking about?

Paul

Maybe you could persuade the Prompt Smart guys to build it into the app. So if it sees you've gone off script, you just get a little calming gong thing. So is that all it does? Just one? Yeah.

Carole

And I might say remember to breathe. You know, important life-saving stuff like that.

Paul

One dong at a time. That didn't come out right either, but you know what I mean.

Carole

What's the name of the app again? It's called Lotus Bug and it's my pick of the week.

Graham

That just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?

Paul

The best way to do that is to go to pducklin.com or if you can remember my full name, paulducklin.com will take you to the same place.

Graham

And that's without a G, isn't it? Ducklin without a G.

Paul

It is indeed.

Graham

And you can follow us on Twitter at Smash Insecurity. We also don't have a G. Twitter and the House have a G and we have a Mastodon account too. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Overcast.

Carole

And massive thank you to our episode sponsors, BlackBerry, Collide and Vanta, and to our wonderful Patreon community. Thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 360 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio.

Paul

Bye-bye.

Carole

Bye.

Paul

Bye.

Graham

Bong.

Carole

I think it would do you good, Graham. Bit of bong in your life. Little bell. A little bell. Just to remind you to chill out.

Graham

What? You seem to think I'm stressed.

Carole

Yes. It's funny. Most people who are stressed don't realize they give stress vibes to.

Paul

Yeah, you might not be stressed. Maybe it's everyone else is stressed on your account. Everyone around me.

Graham

Maybe that's at work. Yes, they're worried about me. Maybe that's the anxiety.

Paul

Just saying. Thank you very much, Duck.

Graham

Thank you for having me.

Paul

It's great, as always.

Carole

Thank you, Duck. You're lovely. Thank you.

Paul

Cheers. I've got to go, guys. Bye.

Graham

Bye.

Carole

Bye-bye.

Hosts:

Graham Cluley

Carole Theriault

Guest:

Paul Ducklin – @duckblog

Sponsored by:

  • BlackBerry – BlackBerry helps keeps you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
