Smashing Security podcast #363: Stuck streaming sticks, TikTok conspiracies, and spying cars

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


Roku users are revolting after their TVs are bricked by the company, we learn how to make money through conspiracy videos on TikTok, and just how much is your car snooping on your driving?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner from “The Cyberwire” podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Do you remember there was that internet hoax about some dying kid called Craig Shergold and everyone had to write postcards to him to cheer him up and this was still going on like 15, 20 years? I can't remember if he died or lived but there was this mountain of post. He died of old age, he died because there was an avalanche of postcards outside his door. Hello, hello and welcome to Smashing Security episode 363. My name's Graham Cluley. And I'm Carole Theriault. And this week, Carole, we are joined by a returning guest regular, I would say, it is the Cyber Wire and Hacking Humans, Dave Bittner. Hello, Dave.

Dave Bittner

Well, hello there.

Carole Theriault

Hi, Dave. Nice to be back. It's been a while. We're glad to have you back.

Graham

I love hearing your deep velvet tones, especially as you've been a little bit sick of late, and you've been a bit more croaky, sound like you were gargling with razor blades.

Dave

That's right, exactly. On your show for a little bit there. Yes, I was not doing a Tom Waits tribute show from the Cyber Wire.

Carole

Oh, I love Tom Waits. Before we kick off, let's thank this week's wonderful sponsors, Kolide, Kiteworks and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be talking about revolting Roku users.

Carole

Okay, what about you, Dave?

Dave

I'm going to be talking about why TikTok has become a conspiracy theory playground.

Carole

Ooh. And is your car insurance super expensive and you don't know why? I might have the answer. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, I want you to imagine the scene. It's late in the evening and Dave Bittner, podcast host extraordinaire, he's there wearing his smoking jacket as normal. He's put a little Kenny Loggins on the hi-fi. You've impressed your little lady there, haven't you, Dave?

Dave

I always do.

Graham

With your smorgasbord of little tapas.

Dave

I'm sorry, my little what?

Graham

Your plate of spaghetti and meatballs. And you're eyeing up the fondue. You've got quite an evening lined up. You think this is going to be fun. And you slip into the sofa and you're readying yourself for a cozy night, binging your favorite show, BattleBots.

Dave

Yes.

Graham

So you boot up your streaming stick. You're all hot and bothered for an evening of sweet, sweet binging on the show and robotic action.

Carole

What's BattleBots?

Graham

BattleBots. Don't start that again, Carole.

Carole

Okay. I'm just thinking some of our listeners would like to know.

Dave

You can go back to a past episode and hear us having at it with each other over BattleBots.

Graham

Links in the show notes about BattleBots versus Robot Wars, if you're interested. Anyway, you're looking forward to this, right? You turn on your TV and your little streaming stick there, and it pops up and it says, oh, it says, we've updated how we'll handle it if you want to sue us. Hit agree to watch BattleBots or remain in TV purgatory.

Dave

What? It's a pop-up. It's a pop-up which is appearing to owners of Roku streaming devices. They're not using those exact words. Their words are a little bit different. We can press a button, you can read the terms.

Graham

Oh boy, you could read the terms. There's an awful lot of those. Who has time for that?

Carole

Graham, have you been living under a rock? Because I think this is the way of the world at the moment with every single app, every single anything you want to use. It's called enshittification.

Graham

And shittification?

Carole

Enshittification. It says the general enshittification of all technology and devices where they are being ruined.

Graham

Yeah. I believe the term was coined by Cory Doctorow.

Carole

That is correct.

Graham

Yeah. Oh. Yeah. So what Roku wants you to do, it wants you to agree to a change to its dispute resolution terms. In particular, there's a bit which demands users who've got any beef with Roku have to make a good faith effort to enter negotiations with Roku for at least 45 days before entering arbitration. And they're also limiting your ability to sue. So they're saying in most cases, disputes are going to be settled in arbitration instead. And there's no way to opt out.

Carole

So I do think in these instances that most legal scrapes that you might get into, so say you decide to sue or something or to complain, they would be in your favor because you didn't create the terms and conditions. They're responsible for them and you signed on. And you're also a smaller player, right? You're a tiny person versus this big, massive company.

Graham

Well, in this particular case, you haven't agreed to them. You haven't signed them because you're just stuck at that screen and you can't watch BattleBots anymore until you hit the agree button. There's no way to opt out.

Carole

Can you at least read them before you agree?

Graham

Oh, yes, yes, you can read them beforehand. At least that happens. And in fact, if you do go to the effort of reading them, I lied, there is a way to opt out. But there's not a way to opt out electronically. You have to do this thing called writing a letter.

Carole

With your hands? Or did you type them out? No, I used my feet. What do you think? I am Daniel Day-Lewis. Yes, I use my hands. With a pen or a pencil? Or did you type it?

Graham

I used to write letters on a manual typewriter at one point, as well as by hand.

Carole

I'm thinking, Graham, I've known you how long? What, 20 years probably? At least something? I don't know. Too many years. I don't think I've ever seen you write more than 30 words together, ever. Well, you don't have to these days, do you?

Dave

Right. From several years ago.

Carole

Right. They can't set up an email address for this because that would be just too much bloody trouble.

Graham

The thing is that if you sign into your account to use this device, they could just have a disagree button. They could just say, no, thanks, because they already know your IP address. They already have your information from when you set it all up. They could do all that, but they're choosing not to let you do that. So they want you to actually physically write a letter.

Carole

No, they don't. They don't want you to write a letter. They want to make it—

Graham

They don't. They don't. They'll be really annoyed.

Carole

They have no one to—

Graham

Do you remember there was that internet hoax about some dying kid called Craig Shergold and everyone had to write postcards to him to cheer him up. And this was still going on 15, 20 years. I can't remember if he died or lived. But there was this mountain of post. He died of old age. He died because there was an avalanche of postcards outside his door. He opened his door and fell on top of him. They don't want letters. Of course they don't want that.

Dave

But isn't this just the age-old thing on the internet of everything that's buried in the EULA and your options are basically either agree to everything that we put here including that you must send us your firstborn child or simply don't use our service and we're okay with that because go back and live under a rock right because we operate at scale. You've already bought this little gadget or this TV, haven't you?

Graham

You bought that under the old terms of service, which you agreed to and you were happy with. And now they've gone and changed them.

Dave

Well, it's like Darth Vader with Lando Calrissian, right? I'm altering the deal. Pray I don't alter it further. That's a Star Wars reference, Carole. Yeah, I wasn't listening.

Graham

So clearly they're doing this because they don't want people to opt out. And actually, if you look at the terms of service, they also say that users only have within 30 days of them first being subject to Roku's updated terms, which was February the 20th when this pop-up first began to appear, to opt out. Otherwise, you're opting in automatically.

Carole

Oh, God. So you're basically spreading the word now to all our listeners that they have five days.

Graham

Yeah, very few days to get a move on.

Carole

If they've been sitting there on that screen, the agree screen.

Graham

You could technically click I agree to the new changes to watch BattleBots or whatever show it is that you want to watch and then write a letter telling them that you've opted out. That works. But otherwise, you've got to wait for them to receive the letter and act upon it to be able to use your TV.

Carole

But that's interesting, though. So 30 days, you have to act within 30 days of that. But does that include the letter arriving at their facility?

Graham

I don't know, Carole. I don't know. It's complicated. It is complicated. And what's more complicated is people have found out that actually Roku updated its terms of service last August. And they did that on their website, but they didn't tell anyone. And no one noticed because no one reads the terms of service. And it's only now their TVs are popping up telling them you have to agree to this. And so Ars Technica, they went to Roku and said, you know, this seems a little bit sneaky. And Roku said, well, you know, we update our terms occasionally and we told people somewhere. Words to that effect, basically, they didn't properly tell people, they didn't inform people. And now to stream TV that you love, you've got to also read the legalese, you've got to agree to it. Enshittification, as Cory Doctorow said.

Dave

I just wonder where this ends. First of all, the thing about being opted in automatically, it seems to me like that would not stand the scrutiny of standing in front of a judge and the judge saying that that was a reasonable course of action, that if you do nothing, you will be automatically included in some sort of legal agreement. That doesn't seem to withstand scrutiny. But who's going to be the person who goes through the trouble over a Roku device to spend time to stand in front of a judge? I think part of what they're trying to prevent here are class action suits, which is the big thing where they talk about agreeing to some kind of negotiation.

Graham

Well, this is what's actually happening now, is on the Roku forums, really, really pissed off users are saying, let's start a class action act against this. They're really upset that they've been forced to do this. And so they've been stirred into action right now that they are revolting.

Carole

Can I just say, though, the Roku is not a very expensive piece of kit. I just Googled it. How much do you think it is?

Graham

$19.99. I'm going to say $30.

Carole

So, you know, if you've had it for a few years, maybe it's time to go somewhere else. Vote with your wallet.

Dave

Yeah. But I think ultimately the solution to this would be some sort of regulation that would require that EULAs be explained in terms that mere mortals can understand and then also perhaps have some kind of granularity on what you do and do not agree to. Because the balance of power is totally out of whack here. Unfortunately, here in the U.S. anyway, we're not going to get anything anytime soon because we have a Congress who can't get anything done. I feel like you all on your side of the pond are probably in a better situation here with GDPR and just the overall attitude.

Graham

Oh, yeah, but Dave, we don't even have a postal service over here, Dave, anymore. There's no way we could write to complain or opt out.

Carole

True. Maybe that's why they changed their terms. It was coming.

Graham

Dave, what's your story for us this week?

Dave

Well, I'm curious, are either of you particularly active on TikTok?

Carole

Yes, yes I am. I have a secret account, a million followers and I dance daily some wacky dance.

Dave

I don't mean active posting on TikTok, I mean are you a consumer of TikTok?

Carole

No.

Dave

No? I have a TikTok account, but I don't have the app installed, so I'm not really making much use of it. So, yes, I don't know. I don't understand. I think I'm a little bit too old for it, Dave.

Graham

I think, yeah, I concur. Do you have one?

Dave

No.

Carole

All right, so we're all going to be talking out of our asses. Excellent.

Graham

Yeah, which is what we do best. Which would make a great TikTok video, to be fair. There you go, yeah. How do you know?

Dave

So I saw this video from Abby Richards. She labels herself in the video as unpaid intern at Media Matters, which is they're a left leaning nonprofit organization. And they fancy themselves a media watchdog group. And Abby was looking at this trend of conspiracy theory videos on TikTok that have just exploded. And as these things often happen, they are all working from a common template. And they are extraordinarily successful. And because they are successful and working from a common template you can go on YouTube and find videos that give you specific step-by-step instructions for how to create a conspiracy theory video that will generate traffic and then cha-ching dollars. And of course that's what this is all about, this is people making tens of thousands of dollars a month generating these videos.

Carole

Wow. Graham's going, this is interesting.

Graham

Right, exactly. Let's dig out that TikTok account. I'm thinking promote the podcast. If we can write conspiracy about this, that's what I'm thinking.

Dave

So Abby Richards goes so far as to create her own conspiracy theory video as a demonstration. And it's actually quite delightful. She comes up... So step one is come up with an outrageous claim. And the claim she comes up with is eating Play-Doh cures cancer. Right. So you start off with that. You know, scientists have discovered the shocking news that consuming Play-Doh cures cancer. So that's step one. Any guesses on what step two would be here to make it click?

Carole

Pay. Some ad money. Nudity.

Dave

Nudity. Very good. See where Graham's mind goes immediately.

Carole

Yeah. Some fake stats. Some fake stats. Some fake quotes maybe. Yeah.

Dave

What they say is the next thing you need to do is invent a credible character to anchor the narrative. So you have to create an expert that grounds it. So in other words, you start off by saying there's shocking news that Play-Doh cures cancer. And the next thing you do is you say something like world-renowned cancer researcher Graham Cluley discovered by accidentally ingesting some Play-Doh that not only was it tasty.

Carole

Thinking it was spaghetti.

Dave

But he had his fuzzy pumper barbershop and accidentally was ingesting Play-Doh and discovered that the tumor the size of a tennis ball he had in his skull was immediately cured. But by having it be a real person, this is an important part of it. If you were telling a story to someone and you say something, you know, hey, eating Play-Doh cures cancer. And they go, what? What are you talking about? And if you say, no, no, no, seriously, there was this scientist, his name was such and such, and this actually happened to him. That makes it much...

Carole

So you have a scientist and a case study, basically. Right. Right. An example. Yeah. Right.

Dave

So the next thing you need to do is make your video a minute long, because evidently that is the key length for TikTok's creativity program, which is the system by which you monetize these sorts of things. Graham's taking notes. This is fantastic, I'm gonna be doing this. And from there it's mostly relying on AI so you use an AI voiceover. They were saying that for a lot of these they'll use someone like Joe Rogan who of course is very popular with this sort of stuff but then you generate a bunch of AI images and then you just edit the hell out of it. So part of what you have to do here is you have to grab people's attention and you have to hold on to it, keep them in your grip for the 60 seconds. And the way you do that, so lots of cuts and weird effects, cuts and zooms and just everything has to be in constant motion. There can be no break, you can't allow them to blink while you're holding because—

Carole

They lose out, they lose out if you leave before the minute's over, is that right?

Dave

Correct. So the more engagement you get from them, the longer they watch, the better you're going to be in terms of generating your revenue here. That's nice. Yeah. And then, of course, you want to put some spooky music under it to make it feel mysterious and also hold on to their attention. And there's a whole cottage industry here of folks who are following this simple formula. You have all the tools you need, right? So you don't have to have a booming voice. You can just have AI generate that. You don't have to have artistic skills. You can have AI generate that. You do have to have some editing capabilities, but I'm guessing you can probably have AI generate that, right? You can find, you can have the music generated by AI.

Graham

You know, this is true. Just last week, I was on this AI thing. I was messing around and I said to it, make me a video about pig butchering. You know, the pig butchering scams? And it did everything. It did the voiceover. It did the graphics. It did the visuals. It was all edited together. Now, it did make some mistakes because it thought I meant actually the butchering of pigs. It's a subtle distinction.

Carole

Yeah, I was just thinking that would be the craziest thing to ask an AI to do.

Graham

And occasionally there was a bit of the scam stuff. There was a man shouting into a mirror for some reason and someone smashing a piggy bank. But mostly it was about cutting up animals and butchering and things. But it did it all within seconds. And it was like, my goodness, this is extraordinary.

Carole

Welcome to the party, Graham.

Dave

Yeah, sorry, I've just woken up to what's going on in the world. But I think the point here is that the barriers to entry are gone. And so when you combine that with the incentives here to make money and lots of money by kind of short-circuiting people's brains and finding the things that will demand their attention, grab their brains and not let go. That's exactly what we've got here. And people have fine-tuned their formulas to do that. And I don't know how we get around that. I mean, obviously, TikTok could try to clamp down on these things, but that's against their interest because they want the engagement.

Carole

Yeah, why would they want to do that?

Dave

Exactly. Exactly. So just for fun, I gave ChatGPT a prompt. I said, generate an image of a rugged, authoritative cybersecurity expert styled after Graham Cluley. And if you look in the script here, I think it is right on point. Don't you think? That's uncanny. It's like looking in a mirror, isn't it, Graham?

Carole

For those that don't know, Graham regularly wears black leather. My chiseled jaw. Yeah, he can grow a beard like nobody's business. That's right. So that five o'clock shadow is definitely on point. Yeah. Handsome head of hair. Oh, yes. You do have a lot of hair, but the eyebrows are a little weak there for this guy, even though they're quite bushy.

Dave

But doesn't he look, he looks very serious and he's very well lit standing in front of some sort of security operations center. It looks like the control room from War Games. I mean, if I didn't know better, I'd think this was a photograph of you, Graham.

Graham

It is uncanny. Yeah, it really is. No Play-Doh coming out of my mouth, though. So that's, you know, that's not true. Leading to the conspiracy theory, does it? Carole, what have you got for us this week?

Carole

Okay, so we're going to driving school. Well, not driving school, but let's just look back on our driving history, perhaps. Oh, yeah. Do either of you have a perfect driving record? So never been caught speeding, never had an accident, no parking tickets.

Dave

I have never had a speeding ticket. Really? I have never had a moving violation. Yes, I have had a parking ticket. I got pulled over once for having an expired tag. I thought you were going to say for my cocaine habit. Yeah. Expired partner in the passenger seat. Dead body. I mean, minor stuff, but who hasn't really? I mean, if you want to use the HOV lane, you do what you got to do.

Carole

You do what you got to do. You got a real doll in the seat next door.

Dave

Exactly.

Graham

I have had speeding tickets. Yes, I'm afraid.

Carole

Yes, so have I. I've had parking tickets. I've had accidents. Nothing major. But yeah. Well, last year, if you lived in the States, you might have been in a bit of a shock when it came to renewing your car insurance, because there were insurance hikes across the board, it seems, of on average five percent and in some cases as high as 15 percent. This was reported in the New York Times at the time. Did this happen to you, Dave? Did you notice this?

Dave

No, I have not but I have to say that in the division of labor within our household, paying the car insurance is not one of my responsibilities. I see what you mean. Now, the reason they hiked up the insurance, apparently, was to increase the profitability of auto insurance. They said the problem was labor, pricey parts, all this kind of stuff. And on top of that last year, it turned out that good drivers were actually being penalized with additional price hikes based on things that had nothing to do with driving. I think they'll just say that you are demonstrating that you are irresponsible.

Carole

That's interesting because apparently it's because those with good credit are less likely to file an insurance claim.

Dave

Oh, right. They'll just pay it off. Why bother?

Carole

Yeah. Why bother? Too much paperwork. I can pay the excess. Don't worry about it. Sure. Okay. And the advice at the time, right, when this came out a year ago was shop around, you know, go shop around. But as two security professionals, you guys, don't you think going around and giving everybody your information in order to get a quote, it makes me feel like it's more hands of people that might misuse it or have an accident with that information? I don't know if you guys feel like that.

Graham

I hear what you're saying, Carole, but you're over that. I feel that everyone's got my data already. You know, it's been breached so many times from so many organizations and given it to legitimate companies. And there are all these comparison sites these days as well, aren't there, where they take your data and they go to all the different insurance firms and try and get you the best quote.

Carole

I ask you why you're on this stupid show, Graham, if you don't even care and you've given up. What's the point?

Dave

Carole, I was thinking the same thing. Like if we're at the point where security professionals are just throwing their hands up and saying, what are you going to do? It's where we are. Have at it.

Carole

I've been doing that noise every show for the last three years. So, okay. So what about you? Do you feel the same, Dave? I'm thinking no.

Dave

I mean, Graham's point is valid that what options do you have? If you want to buy insurance, you're going to have to share that information with someone. If you want to shop around, you're going to have to share with more than one organization. So, I mean, I suppose you could do some independent research and find ahead of time which insurers have the lowest rates and then just apply with them. But yeah, that's a lot of work.

Carole

Well, okay, so let's move forward a year. I had a look at the top three insurers in the States. So we got State Farm, Progressive, and Geico. And they all seem to be doing very well if I look at their last five years. They have this nice upward slope where their coffers are getting full, which, you know, good for them maybe, but a privacy scandal is brewing this week and I wanted to get your takes. The New York Times just issued a big piece on how connected cars, or smart cars, or internet-enabled cars with built-in telematics, share driver statistics and data with insurers, often without the owners even realizing it. So they showcase a 65-year-old man named Ken Doll. Okay, and he leases a Chevrolet Bolt, this is a General Motors car, GM, and his insurance increased by 21% in 2022. So he decides to shop around, following the advice from last year. Well, if they're giving you too much of a price hike, go ask other people.

Graham

In fairness, Ken Doll has had quite a good year, hasn't he? He's been doing quite well, and with his celebrity status, driving something a little more upscale than a Chevy Bolt, but, you know, maybe it just tickles his fancy.

Dave

Yeah so.

Carole

He decides to shop around, our Ken here, but other insurers are giving him the same high quotes, and the thing is, he's a good driver. He's never had an accident. His own words: I've always been a careful driver. So why the 21% jump? Any ideas?

Graham

Has he been speeding and he hasn't been caught for speeding, but the car manufacturers know that he's been speeding? Right. He's being ratted out by his telematics inside his vehicle. Exactly. One of the agents, the insurance agents he spoke with, revealed to him that he should get his hands on his LexisNexis report. As you do. And this was one of the reasons that the prices were so high.

Dave

That would be too much.

Carole

Oh, yeah, that would be too much. I'm thinking there's a lot of other tools that do that for you. So one Thursday morning, there was a car trip that recorded 7.33 miles, and it was completed in just 18 minutes. And on that particular route, maybe that was just too darn short. There had been two rapid accelerations recorded and two instances of hard braking. So who had provided this information to LexisNexis? GM, the car company from who he was leasing with his very own hard-earned money, his Chevy Bolt.

Graham

I was about to say, so what are GM getting out of this? But of course, the answer is going to be money, isn't it?

Carole

Mm-hmm. Yep. And this is the rub, right? I feel there's an honest way to do this. You could ask drivers to willingly install trackers of sorts to prove they are good drivers in order to lower their insurance rates. And some insurance companies do that. And a lot of these services can be, so GM in its cars have this smart driver, right? This is a service from GM that is optional for drivers to turn on, which will then record stuff and be handed over. But there's two problems they highlight. So one, if you do turn it on, the explanations are not explicit about what it collects about you, your driving habits and who it shares it with. The other thing is some users reported that they did not turn it on explicitly, and yet still their insurance went up unexpectedly. So I know that internet-savvy cars allow access to services like navigation and roadside assistance and apps to lock and unlock your car, but it seems clear that most users, most drivers, have no bleeding idea what the insurers are being fed from this additional connectivity. I mean, if you think anyone in your life, if you think of the people in your life that are not involved in this arena, this, you know, either cyber or cars, auto industry, would they know anything about this?

Graham

Oh, absolutely not. No. The average person on the street, whether in a vehicle or otherwise, wouldn't be aware that cars are doing this. And of course, try getting yourself a car which isn't in some way connected anymore. I mean, I know you've got an old car, Carole, which doesn't do things. They still run on rubber bands and clockwork.

Carole

My feet are underneath, like the Flintstones.

Graham

But, you know, try buying a new car, which isn't in some way integrated. Now, I don't know if all manufacturers have given this information or selling this information to insurers, but I bet they've all been thinking about it at the very least.

Carole

Because the problem with this is the stealth enrollment. That's the problem, because it's a pretty shitty thing to do to someone who's actually giving you money for a service, your customer. Seems to me.

Dave

Yeah, I saw this article too, Carole, and one of the things that struck me was that the car companies are claiming that they're being overt in requesting the users permit this, but the users are saying that's not the case.

Carole

Absolutely. There's this one instance where they say your privacy matters to us. We will never share with any third party without your explicit consent. But then inside the T's and C's, they have, hey, we share this with this company.

Dave

Right. Totally without your consent.

Carole

Yes, because you signed off on those things. I think, you know, kind of to Graham's point about connected cars, I think most people are aware for the past decade or so that your car is logging things internally because cars have so many computers. But I think the notion that it's sharing this information in real time would be disturbing to a lot of people. It really ticks me off, though, because if a kid jumps out in front of the car, what do I want every driver to do? You know, slam on the brakes. And when I want someone to go really slow and go, I'll tap him. I'll tap the kid. I'll be going a lot slower, but I just don't want to get the points. I just don't want to have that extra hit on my insurance. I'd rather swerve. Yeah, exactly. So if you want to know what your car is hoovering up, first check what services are enabled or those that you or someone else in the family have enabled. And you may be willing to part with that service if you find out via, yes, as Graham mocked earlier, reading the T's and C's to find out what really they're interested in taking.

Graham

Oh, for goodness sake. With a car? Is anyone going to... I mean, I don't read the manual for a car. Does anyone read... You know when you get these cars and they've got 400-page manual of how to use the bloody... No one looks at it.

Carole

No one... I'm not talking about the manual. I'm talking about the privacy section in the terms and conditions.

Dave

People are even less likely to look at that, Carole. People aren't expecting their car to be ratting them out.

Carole

That's why I'm doing this story. Listen to me and not to Graham. And I am happy to say that I am super old school for driving a dumb ass car.

Graham

So smug about it. Every chance you get, you talk about it.

Carole

Yeah, well, jealous. That's what I hear.

Graham

Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by Kiteworks, who enable organisations to effectively manage risk in every send, share, receive and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance and protection to customers, tracking, controlling and securing sensitive content as it moves within, into and out of organisations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit kiteworks.com to get started today. That's kiteworks.com, and thanks to them for supporting the show.

Carole

Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com slash smashing to claim your discount. That's V as in Victor, A-N-T-A dot com slash smashing. And thanks to Vanta for sponsoring the show. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. has never been a pick of the week before I

Graham

don't think it's been. Oh, this is controversial.

Carole

You know that my memory is like a sieve. Yes, but I have a feeling I may have had this as an early pick of the week. So we're talking early.

Graham

I'm going to the list. Oh, oh my, oh dear, oh my God, oh my God. Episode 61. Boom.

Carole

Episode 61, isn't it? You owe me 10 grand, isn't that what we said? Oh my God.

Dave

There you go. Wow, there you go. As old as...

Graham

...new again. How could this have happened? Yeah, that's gonna hurt. Yeah, January 2018. There...

Carole

...you go. It was a long time ago.

Graham

Man, your memories. But I haven't been here. You what? You said it was your pick of the week, but you didn't actually ever go to the URL? This is a scandal.

Carole

No, no, no. I haven't been there for a number of years, since the pandemic. So, and I don't know why I forgot about it. So I'm very grateful, Graham, that you brought it back to my attention. My pick of the week from 2018.

Dave

It's a re-pick of the week. That's very gracious of you, Carole. Yes, I am gracious. Unexpectedly so. This is lovely. As much as I want to hate it, I can't because it's delightful. And this should be a stop. Everyone should spend a few minutes on this every day.

Graham

I'm amazed Google hasn't shut it down because all the useful sort of money-making services in some cases that they have had and they've shut down over the years. But this apparently has been going for something like that. Maybe they've forgotten about it. I was going to say the same thing. Maybe we shouldn't bring it up.

Carole

You're right. Let's censor out the name.

Dave

Dave, what's your pick of the week? Well, my pick of the week is actually another delightful YouTube video here. Are either of you aware of this ongoing competition that's been happening for several years now? It's called Dance Your PhD.

Graham

No. Strangely, no.

Carole

No. What does that involve? I wasn't aware of it either. But what they do is they put the word out for folks who have just completed their PhDs to create a video, a music video, where they dance and explain their PhD. And this year's winner is a gentleman who's doing his PhD research on kangaroos.

Graham

I love the idea they've got drag queens, there's someone doing some Indian dancing, all sorts here. Some of them are pretending to be kangaroos. I mean, I can imagine doing a kangaroo dance, the sort of thing I might do on a disco floor, but it's not.

Dave

Back in the 80s, while everyone else was doing the robot, Graham was famous for his kangaroo dance.

Carole

Can I ask, though, if it's so famous, why it has only 288 subscribers on the channel you gave us?

Graham

I know that this is the winner this year, Carole. The actual meme of Dancing Your PhD has been around for a few years. Is that what you're saying, Dave?

Dave

That is correct, yes. So I think if you go to the main page of the Dance Your PhD, the Dance Your PhD folks, they have their own YouTube channel and that has a lot more views and the whole rundown of all the winners and runners up over the years. And as these things are it's hit or miss, but this particular one, the kangaroo dance, I think is just delightful and I've watched it several times and every time I do it leaves me with a smile on my face. So that is why Kangaroo Time is my pick of the week.

Graham

Beautiful girl, what's your pick of the week?

Carole

Well okay, you guys should click on that link right now while I'm talking, because it'll be self-explanatory for you and then you can say how amazing it is. Because you know how with Tetris you play for 30 seconds and you go, this is a winner, this is a winner? Yeah, I'm calling this a winner, and I discovered it yesterday, okay. So it's a cheeky little game, you can find it on crazygames.com. I have mentioned crazygames.com before, but this game was not on there as far as I know. As some people know, I have a young niece who lives far away and we get together a few times a week on Zoom for a chill out, but now she's more into online games. But we found this little gem and I have to say it's a corker. So it's called Animal DNA Run. And you can play on any device, you can play on a computer, you don't have to log in as long as you don't care about keeping score and coming back and tracking it. And as everything's shown in thumbnails on crazygames.com, you're looking for a pic of a tiger on one side and a gorilla on the other, and in between them is a plus sign. So the game. You have an obstacle course which changes with every level with increasing difficulty. And it takes under a minute or less to do a course, maybe 10 seconds at some times. And you run the course as a designated animal. You guys start off as a dinosaur?

Dave

Yes, I will. At this point, I am a dinosaur combined with a shark. Because as you run, you hit mutation points that will change a third of your being into another animal. Oh, no, I fell in a pit.

Graham

Excellent stuff, chaps. And that just about wraps up the show for this week. Dave, I'm sure lots of listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?

Dave

Oh, the best thing to do is go search for The Cyber Wire on your podcast player and check it out.

Graham

Super duper. And you can follow us on Twitter at Smash Insecurity, no G. Twitter won't allow us to have a G. We also have a Mastodon account. And don't forget to ensure you never miss another episode, follow Smash Insecurity in your favorite podcast apps such as Apple Podcasts, Spotify and Overcast.

Carole

And ginormous thank yous to our episode sponsors, Kolide, Kiteworks and Vanta, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists and the entire back catalogue of more than 362 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye-bye.

Carole

Bye-bye. Bye-bye. Thank you so much once again, Dave, for giving us your time, really appreciate it.

Dave

My pleasure. It was fun. We had to get a little laugh there, it was fun.

Carole

It was a good one. And we didn't even have to talk sex. What? Normally you guys get together and there's all this double entendre, and I have to sit there going gag, gag, gag.

Dave

Yeah, I considered it when we were talking about, well, Graham's all of his Roku things about, you know, your streaming stick and that sort of stuff, I thought... I was like, is this a euphemism salad here? He doesn't even know he's doing it.

Carole

Doesn't he, though? Doesn't he? I'm going to post this image Dave has made of me up on Twitter.

Dave

Why don't you just make it your new avatar everywhere? Right.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Dave Bittner:

Sponsored by:

  • Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
