Smashing Security podcast #395: Gym hacking, disappearing DNA, and a social lockout

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


A Kansas City man is accused of hacking into local businesses, not to steal money, but to… get a cheaper gym membership? A DNA-testing firm has vanished, leaving customers in the dark about what’s happened to their sensitive genetic data. And Australia mulls a social media ban for youngsters.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Hang on, hang on. He did a DNA test on you. Oh my God. Yes, Jeremy Kyle.

Unknown Guest

Smashing Security, episode 395, Gym Hacking, Disappearing DNA, and a Social Lockout, with Carole Theriault and Graham Cluley.

Graham

Hello, hello and welcome to Smashing Security episode 395. My name's Graham Cluley. And I'm Carole Theriault. And Carole, today we're joined by a very special guest. Can you please introduce them in your own inimitable fashion? I don't think she needs any introduction, does she, Miss Anna Brading?

Anna Brading

Hello, how are you two? Welcome back. Hello, Anna. It's good to be back.

Carole Theriault

Anything you want to share with our listeners before we kick off?

Anna

No. No, it's nearly Christmas.

Graham

Oh, thank goodness you're here to remind us.

Carole

OK, well, let's get this show on the road. But first, let's thank this week's wonderful sponsors, 1Password, Vanta and ThreatLocker. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be talking about hacking might not help you get hired. OK.

Carole

Anna, you?

Anna

I'm talking about a vanishing genetic testing company.

Carole

Ooh, okay. And I'm going to look at how Oz plans to de-hook its kids from the socials. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, as Anna just mentioned, it's almost Christmas. The end of the year is rapidly approaching. Always a glorious time of the year. Everyone enjoys all that, the passing of time, the speeding up of our lives to the inevitable doom and demise.

Carole

You're so doom and gloom. No, I'm not. I am looking forward to the holidays. Yes. I think we all need a bit of cheer.

Graham

What in particular are you looking forward to?

Carole

I'm looking forward to Christmas markets. I'm looking forward to mulled wine and Christmas quizzes and little dinners with friends and all kinds of stuff. Do people actually like mulled wine? Yes. I thought they didn't. I love mulled wine. Yes, delicious.

Graham

I thought there's a reason they only served it once a year.

Carole

People like mince pies as well.

Graham

Would you eat them in June? Yes, I would often be stuffing myself with mince pies. I would have no problem doing that. Maxing out the credit cards, that's another great thing to enjoy. Well, it is nearly Black Friday. Finding pine needles in your socks for weeks afterwards. Wearing big baggy jumpers knitted for you by your aunties. Some would say it's the most wonderful time of the year. They would. And then January hits. And you're bloated on Quality Street chocolates. And you never want to see another slice of cold turkey ever again.

Carole

Yeah, and worse, many people do dry January, which I'll be doing this year. Oh. So you have that first week after overindulgence during the Christmas season. Right, okay. Of basically sweating out the alcohol. Maybe that's just me.

Graham

A lot of people feel a little bit the worse for wear, don't they? Come the new year. And they think this year is going to be different. This year, I'm going to make a resolution. I'm going to join the gym. Ah, the gym. Yes. But I won't just join the gym. I'll actually, and this is different from joining the gym, I'll go to the gym, is what you'll say. Who cares? Who cares what the weather's like? I'll be going out in all weathers. Yes, of course, I'll go to the gym. I don't mind that it costs £50 a month. It'll be worth it, you say to yourself. You convince yourself.

Anna

I think 50 would be a bargain. I think it's more like 150. Yeah.

Carole

A month. Oh, my God. I live right near two gyms, right? There's two gyms on my block. Yes. And come January, boy, are those places jumping. There's a lineup for the machines. Everyone's got their brand new sports gear on.

Anna

My Peloton pedals are going to be falling off in January. At the moment, they're sort of stationary.

Graham

Maybe you do go to the gym. Maybe you go to the gym twice. But you can't get out of the contract, can you? And so you're still paying for the gym and not going to it in April. And I wonder if that's what happened to a chap called Nicholas Kloster, because he turned up to his local health club on April 26th, 2024, so earlier this year, in April. Maybe he joined it in the January. He showed up there just before midnight. Now, you tell me, girls, is that normal, to go to the gym at that kind of time?

Carole

Okay, I'm flattering you. Throwback to 1990.

Anna

Well, boy, let me tell you, I do. There is a 24-hour gym near where I live, and when I drive past it there are often people there at all sorts of times. Yeah.

Carole

The one on my block is a 24-hour gym. Sometimes people work really late at night, right? If you're doing shift work and you want to put a sweat on before you hit the sheets, or hit the shower first. Have a shower.

Graham

For goodness sake. Maybe you're right. Maybe he was going for a late night session. Maybe he was just trying to cancel his membership and thought it's less embarrassing if I try and do it at midnight, not too many people see. Maybe he was too embarrassed to go to the gym during normal gym opening times because he'd let himself go a bit too much. So basically he went late at night, he went very late at night. So just before midnight, he was there at the gym. Normal, I'd say. The next day, he allegedly dropped an email to the owners of the gym. This is a company which owns multiple health clubs across Kansas and Missouri. And he claimed that he had gained access to their computer systems. Yes, there is a cybersecurity element to my story. And what he claimed in this email was that he could easily hack into the company's IT systems. So he wasn't on the rowing machine. He wasn't pumping iron. It sounds like he was doing what many of us do for exercise, participating in aerobic activity via our fingertips on the keyboard instead. I mean, that is a form of exercise. You can burn calories just at the keyboard if you want to. Ultimately, if you did enough typing, people come out with diet books all the time, different ways to lose weight. I think you could probably sell a book about how you could get a workout at your computer.

Carole

Wouldn't be on my top 10 list.

Anna

Is there a way to count your fingertip strokes like your steps? Because my Apple Watch doesn't count that. Smart wings, they exist.

Graham

Install a keylogger. You could just count the key presses, couldn't you? It would work, perfect. You may have to turn off auto-repeats, he can't cheat by just holding down a key, pressing it 58 times. Anyway, this chap Kloster, he's alleged to have sent an email from his work email address and he said the following. He said, "I've managed to circumvent the login for the security cameras at the gym by using their visible IP addresses. I've also gained access to the Google Fiber router settings, which allowed me to use..." And at this point, the feds have redacted a word, it's the name of a tool which he used. But anyway, he says it allowed me to use something or other to explore user accounts associated with the domain. He said, "If I can reach the files on a user's computer, it indicates potential for deeper system access."

Carole

And he's told this to the company in question, not advertised it on some forum.

Graham

That's right. And he went on to claim that he had assisted over 30 other small to medium-sized businesses in the Kansas City area.

Carole

A little digital vigilante here.

Graham

A very interesting point. And he attached a file. Now, you're probably wondering what the contents of that file were. Were they malicious? Were they malware? Were they ransomware? Were they something like that? They open it and get infected and held up for ransomware, exactly. What it was is what he described as his resume, his CV. So according to the FBI who've been involved in this case and they've charged Kloster, it was quite different from his normal resume, the one he normally handed out. So we don't know exactly the details, but it sounds awfully like he sent an email to the gym's owners claiming he'd hacked into their systems, into their computers, and was looking to get hired by them for security consultant services at the same time. So he's done the advert for his services at the same time as breaking into systems. And my question to you, and I think I already know the answer from you, Carole, is do you think that's okay?

Anna

I think it is, if he's responsibly disclosed it. I suppose he's hacking rather than he's just found a vulnerability.

Carole

Don't a ton of legit companies do this all the time? They'll send you a report going, "We found 546 problems in your system."

Graham

But generally they're invited, aren't they, to do a penetration test on a company?

Anna

Not always. Certainly Facebook and other big companies have hired people after they've hacked into their systems, haven't they?

Graham

But they've announced a bug bounty. They've given the rules and they've said if you find a vulnerability, you're welcome to do this or do this kind of testing, you're not welcome to do other kinds of testing, but this is the kind of test you can participate in. And if you do, get in touch with us and then we may send you a t-shirt or something like that.

Anna

Yeah, but I think they've hired people that have stolen stuff. And I would argue I think it depends on his next actions as well. So if they say, "Thanks so much, we don't have an opening there, but thanks so much for the information," and then he then holds them to ransom or advertises to everybody what he's done or retaliates in some way, then that's the issue. Isn't that how you hired me, Carole?

Graham

There you go. But do you know what I mean? I agree with you. I think it's a grey area, at least based upon the information that we know so far from this press release. But it does appear that the US Department of Justice aren't terribly happy with this chap. And there are some more details where he did. I don't know if this is a 24-hour gym or not. And I wondered maybe whether he had gained access by… Did you break it? Well, perhaps. Because it turned out the staff at the gym found out shortly afterwards that he'd done some other things. For instance, he'd deleted his photograph from the gym's database. He had stolen a staff member's name tag. I don't know if that's something which might have helped him gain access to areas of the gym. And also, he reduced his monthly gym membership to just $1 per month.

Carole

I think that's allowed. Come on. That's allowed.

Anna

It's expensive, the gym. And those photos are never flattering. No. Exactly.

Graham

Now, some weeks after sending this email to the company, this chap, Kloster, is said to have posted an image to social media of what appears to be a screenshot of his desktop computer showing control of the security cameras of the gym. Oh, right. And there's a chat box window saying how to get a company to use your security service.

Carole

Ah, you see, Graham, I don't know if it's fair that you ask us these questions. This is a new technique. Well, this came out weeks later. Okay, okay. But you got us to kind of give our point of view, saying this is the information we have. And you're like, oh, and by the way, the gym is not a 24-hour gym. Did I happen to mention that?

Graham

I don't know if it is or not. I don't know if it is or not.

Carole

Do you know that he broke in?

Graham

I don't know. I don't know.

Carole

Well, okay. Well, I'm glad you don't know.

Graham

Because we don't know. But okay. Again, I'm not sure about this, right? He posted on social media a screen cap of his desktop showing he had control over the security cameras. You do see vulnerability researchers sometimes sharing information like that to prove that they had access to a system. The chat box says how to get a company to use your security service. Again, he's not saying I'm going to screw these guys up or I'm going to wipe their tapes or anything like that. Is he?

Carole

Did he list the gym, the name? Did he name and shame?

Graham

Don't know. Don't know. The name of the gym has been removed from all of the court documents so far. So I've been through all the indictment.

Carole

Because I think, again, that changes things, right? Because if he identifies the company and says, these guys have a security vulnerability and I cracked in, I think that it tells other baddies that there may be a way for them to access. Although he was on premise.

Anna

Also, did he blur the images? What's in the images? I think it's a grey area.

Graham

Excellent questions. Yeah, no, I think you're right, because we don't know enough. We haven't had this picture shared with us. We haven't been able to examine it.

Carole

We only know what you're telling us, which is probably less than what's available.

Graham

I'm telling you everything I know. Everything I know. And here's another thing I haven't told you yet, which is it was now the following month, right? The month after he sent the email. So it's May of 2024. And Kloster allegedly entered the premises of another company, a non-profit organisation, into an area that wasn't supposed to be accessible to the general public, right? It can sound a bit shady. He accessed a computer with internet access, and he's said to have used a boot disk, is how it describes it, to access the computer through various user accounts. He circumvented its password protection and installed upon this computer a VPN, possibly to maintain access to the company's systems. Make them more secure, of course. Make them more. So, yes, he's identifying security holes. And helping them along. In order to help them produce a report.

Carole

That's illegal, though. That's illegal, messing around with someone else's system, right? Now he's breaking the law.

Graham

Well, it's illegal to access a system. It's not just to fiddle with a system, but to access a system without permission as well. So, you could argue accessing the camera feed is a breach of computer crime laws. Anyway, this nonprofit, they say they've suffered losses of over $5,000 as a result, trying to remediate this security breach. And do you remember I told you that when he sent the initial email to the gym, it went from his work email address? Well, the feds have been around to there as well. And the people who hired him there, they say that he used stolen credit card information from them and used it to purchase, quote, hacking thumb drives. So he had a company credit card, whether allowed to or not, unclear, and was purchasing potentially tools which could be used maybe as a penetration tester, maybe as a hacker.

Carole

Yeah, and the fact that the tool that he used at the gym is not being disclosed, just that perhaps it may be a tool that shouldn't be…

Graham

It could have been a file manager. It could have been who knows what it was, right? It could have just been a command line. Well, it could have been. We don't know what it was. So, some lessons here, I think. It's all suspicious if you go to the gym. No, it's not. Late at night? No, it's not.

Carole

If the gym is closed and you break in, that's a little suspicious. If there's a 24-hour gym, if you were at Tesco's at two in the morning buying diapers, we'd be like, oh, that's suspicious.

Graham

I don't have a child who needs diapers.

Carole

No, I meant adult diapers, Graham.

Graham

Oh.

Anna

That wouldn't be suspicious. That'd be so predictable.

Graham

Anna, what have you got for us this week?

Anna

Well, Carole and Graham, do you know your heritage?

Graham

My heritage? I mean, I know my parents are. Yes, I think I do. Yes.

Anna

Do you? Go on then, what is it?

Graham

I'm a very exotic mix. Are you? As you can imagine. Yes. I'm sure you could have picked that up. Yes. I've got a bit of Hampshire in me. From Hampshire. Yeah, yeah, I've got a bit of that. And my father was born in the Middle East, albeit in one of those sort of imperial British places before we got kicked out. So, yes, so, you know, quite exotic.

Anna

That is exotic. Yes. It's kind of like mine, actually.

Graham

I don't think so.

Anna

Mine is part English, part Germanic.

Graham

You're from Jamaica.

Anna

Part Germanic. There's some Danish, Scottish, French. How do you know this? So I know this thanks to one of my parents who paid to find out via DNA testing.

Graham

Hang on, hang on, hang on. One of your parents, was this your father, perchance, who was interested as to what your heritage was? He did a DNA test on you.

Anna

Oh, my God. Yes, Jeremy Kyle.

Graham

Oh, hold the front page. We need to put you at the start of the show. This is great. Okay. So, yeah, did a DNA test to check my heritage. But the parent that did this is not the only one because, as we know, many people have sent their saliva off to DNA testing labs in the hope of finding out more about themselves. And there are loads of these companies. Can I just say I have not? I have not. No, I have not either. No, because we're sensible, right? But the problem is that other people inside our family can do it. Yes. And maybe reveal something about us.

Anna

People didn't think forward about the implications. But anyway, so there's Ancestry, there's MyHeritage, and there's 23andMe, Carole, which you spoke about on a recent show. And then there is Atlas Biomed. Have you heard of them?

Carole

No. I've heard of them, but I don't know anything about them.

Anna

Right, so I hadn't heard of them, but they're based here in the UK. Lisa Topping from Essex had heard of them, and she paid about £100 to get a personalised genetic report from them. Atlas said they could not only tell her about her heritage, but also about diseases and injuries that she might be predisposed to. I looked at their Instagram posts, and there's a lot of talk about learning about your gut microbiome. So I'm guessing this was a popular feature as well.

Carole

Yeah, because people want to know about health issues. That seems to be a really big driver. 23andMe were doing the same thing, find out about family traits and get ahead of the illness that you might be facing.

Graham

Yeah, and keep an eye out. And they can tell about your gut just from some saliva. You don't have to send them something else. That's impressive. You don't have to poop in a jar. Is that what you're worried about? That's what I'm thinking about. It's always hard getting the lid on the jam jar afterwards.

Anna

Perhaps that's how they do the DNA test. Anyway, Lisa got her results through. At first, everything was fine. She couldn't download any of the information, but that seemed normal for Atlas. But she could access it all online, which she did every so often. Until one day, the website didn't work. She tried to contact the company, but there was no answer. Another customer, Kate Lake, sent in her sample but didn't receive anything back. She contacted Atlas and they said they'd sent her a refund, but that didn't arrive. In fact, the company appears to have done a complete vanishing act.

Carole

So how long was this company around for? Quite a long time. I'm not sure exactly, but years. So it's established. It wasn't just a pop-up, pop-away.

Anna

Yeah. And it looks from their social media, it looks like they were using influencers. It's quite glossy and shiny what they were posting.

Graham

If they're charging a hundred quid, I mean, you would hope it would be quite a luxurious service, and you would have an expectation. Well, because it's a lot of money. Because, Carole, frankly, you could send me some of your spit and I'll say, oh yeah, you seem a bit Canadian to me, you may be a little bit, wherever else, you know. I could do that. But you know, if there are proper scientists in white coats, you would expect the service to be up and running for 100 quid. You'd expect a quality service, I would hope.

Anna

But now, no, not at all. Their website's down. They haven't posted on social media since June 2023, and their accounts haven't been submitted to Companies House. According to the BBC, who wrote about this story, Atlas Biomed appears to have links to Russia. Two of its officers are listed at the same address in Moscow, along with a Russian billionaire.

Graham

At the FSB headquarters. Exactly. Two officers of the company.

Anna

Yeah, so the Russian billionaire is a resigned director for Atlas. I mean, we can't speculate on what those ties to Russia mean. But we do know...

Graham

Oh, I think we can speculate. I think we'd quite happily speculate as to what's going on here.

Carole

No, I don't think you can do that based on where it's based. You don't know.

Graham

No, we can't reasonably, but we can unreasonably speculate is what I'm saying.

Carole

That's what Graham does regularly.

Graham

Yeah.

Anna

But we do know that whatever the ties are to Russia, it's not just the company that's disappeared. It's also all the customers' DNA data, of course. And that is the most valuable data. It's literally what makes you you. I work for an American company. There's often talk about social security numbers that are breached and they're a nightmare because you only have one, but they actually can be changed. It's just a massive faff. DNA can't, and even if you give it to a company it doesn't disappear like Atlas or isn't breached like 23andMe, you're still trusting that data to a company and hoping that their security and privacy and ethics hold up because you don't know what they'll do with it or what the future holds because we are looking at a future where health insurers put a higher premium on those with predispositions to certain diseases. Drug makers could target us with ads for ailments that we might have, but we haven't even spoken to a doctor about.

Carole

And millions of people have done this, right? Millions of people with a myriad of different companies.

Anna

And law enforcement is already using DNA data. And it doesn't even need to be your own DNA data. It could be your close relative's DNA data that, you know, if you've committed the crime it could be then matched to you and we don't all know all the implications because we don't know what the future holds so.

Graham

The good news is Anna, your father's DNA can't be matched to you. There's no link there apparently. So do we know how many people have been affected?

Anna

No, we don't. I don't think it was a huge company. It's not 23andMe which is obviously massive, but it's still...

Graham

So it could have been someone like me just collecting jam jars full of spit and sweat and other bodily fluids and writing back, you know, a sort of stock, I'll say, oh yes, you appear to be a bit English. Everyone likes to be a bit exotic, don't they? Say, oh yeah, there appears to be a little bit of Egyptian princess in you or something.

Anna

Do you think so? Well, I'm a Danish queen, so.

Graham

Yeah, yeah. Oh, you're related to Marie Antoinette. Carole, what have you got for us this week?

Carole

Okay, so this story is about a little hoo-ha going on down under. Like many countries around the world, Australia's government has voiced concerns about the impact of social media on young people. And the Aussie powers that be have taken a bold approach to effectively ban under-16s from having accounts on these platforms.

Graham

Oh, really?

Carole

Yes. So this was announced just last week. So they say social media is doing harm to our kids and I'm calling time on it, said the prime minister. Now, you both are parents, right? So before we get into any of the meat of this, what's your immediate reaction? Both of your kids are under 16.

Anna

Yeah, mine are really under 16. They're under 10. And my one hope is that it's all figured out before they get smartphones and social media because it does terrify me. It really, really worries me. I worry about the fact that if they're having a horrible time at school, they won't be able to escape it because they will be constantly on social media. I worry about the effect of AI friends they might make. I worry about bullying. There's so much.

Graham

Yeah. My child does have a phone and he is on some social media. Does he have a favourite? I would think the one he's on the most is Snapchat. Apparently it gives you a score as to how many snaps you've received or sent.

Carole

Oh, does it? So they've gamified the use of it.

Graham

Oh yes. Oh, and it will go up 5,000 in a day. I'd love that kids weren't using social media. I think it would be fantastic.

Carole

So the bill that was introduced in Parliament just last week wants to address the concerns about online safety and the negative impact of social media on young people's mental health. And this approach has backing across political divides. The leaders of all eight Australian states and mainland territories have unanimously backed the plan. Opposition parties said it would have done the same thing after winning elections due within months if the government hadn't moved first.

Graham

Yeah, yeah, we'd have done that. We'd actually have done that. You just got there before us, but we thought of it too. We thought it before you.

Carole

Well, no, but that's interesting that they're not saying it's a shit idea. Yeah. It's kind of sometimes refreshing to hear political rivals singing from the same hymn sheet.

Graham

Well, it's not the under-16s who are voting for the political party, is it? I think that the grumpy old people like myself are the ones who are saying, yes, this is a really bloody good idea.

Carole

And I really want to debate that because if this law passes, the Aussie legislation will put the social platforms in the financial hot seat if they fail to have bouncers at the digital door, you know, blocking entry to the youth. So in other words, they need to take reasonable steps to stop people under 16 from creating and holding accounts. Okay, that's all about creating and holding accounts. And if they fail, they could impose fines up to 50 million Australian or 32 million US for non-compliance.

Graham

That doesn't feel like very much. Not a huge amount for the social media companies, maybe. But I guess it would escalate if they continued, you know, if after six months they continued to allow under-16s on.

Anna

But how are they going to prove it? How are we all going to be uploading our IDs if we haven't already?

Graham

Interesting point. I think they should do a facial scan of yourself if you have some facial hair.

Anna

I look very young, Graham, so.

Graham

Well, I think you're, anyway. So, but maybe it would be something like that.

Carole

Yeah. Okay, so to your point, Anna, right, both of you were saying we're concerned, effectively, right? And of course, other countries are trying to figure out ways to mitigate the risk of the evils of social for Gen Z and alphas. Like in June this year, 10 US states have passed laws requiring children's access to social media be restricted or parental consent gained. Last year, France introduced legislation to ban children under 15 from accessing online services unless they have parental permission.

Anna

That's tricky because my son last year really wanted a Switch for Christmas and he really, really wanted one. And we thought, OK, fine. You know, it's a nice Christmas present. It's fine, appropriate for his age if we get the right games. And we bought him one and lots of his friends got one. One of them didn't. And so the dad actually went out and bought one after Christmas so that his son could be the same as the other boys in his year. And so it only takes one parent to give in. Then it becomes like a snowball effect because it is hard if one of them's doing something and the others aren't. You don't want your child to be left behind or be the weirdo.

Carole

Absolutely. And it puts the onus on you to be, no, we're not going to be doing that. Yeah. So what's interesting is no jurisdiction so far seems to have used age verification methods like biometrics or government identification to enforce a social media age cutoff. These are two methods that are apparently being trialled in Australia. That's not to say that they're going to be implemented, but they're being trialled at this point. And the other interesting thing is the bill won't stop people under 16 from watching videos on YouTube or seeing content on Facebook. It's primarily designed to stop them from making accounts. And this means that the wider ecology of anonymous web-based forums, including problematic spaces like maybe 4chan.

Graham

Or even worse than 4chan, they could end up on Twitter.

Carole

Okay, so let's noodle a few points of contention here that people have brought up. One of them is, this is a world first proposal to set the highest age limit by any country, apparently. And there's no exception for parental consent. And there is no exception for pre-existing account holders. So who should be boss, parents or government?

Anna

It's a bit like buying alcohol, isn't it? So in the UK, when I was younger, I could easily go into pubs. I could go into shops and buy alcohol. No one really, they might have said, are you over 18? And I'd say, yes, I am. Even now, me, and I'm still very young, obviously, but I get asked for ID a lot, especially going into pubs. That once happened to us, Anna.

Carole

It did. You and I were together and we were buying a bottle of champagne for some special occasion. And because you were with me, they would not sell me the champagne. She had to produce her own ID in order for me to be able to buy it. Wow. They thought you'd buy it for your daughter.

Anna

But the onus is on the staff in the shop and the shops themselves and the pubs. And they get big fines if they don't.

Graham

I reckon they just fancied you and wanted to know your name so they could look you up on social media. They didn't think you were underage. They just thought, oh, hello, hello. Yes, you probably did think that. The granny that served us. Yes. Crack on.

Carole

Yeah. So if it was drinking and there was no law against it, people would maybe tut, but they wouldn't be able to do anything legally. Exactly.

Anna

I think it needs to be the companies themselves.

Graham

I think the companies bear a responsibility. I think there's a parental responsibility as well. But it is, as Anna describes, extremely hard, because of the whole nag factor of children, and so much, I think, of kids' social interaction these days actually does happen online. Then, much as it might gall us, they're not getting together quite as much, maybe, as we would imagine we did when we were kids. And so, you know, during lockdown, for instance, things like Fortnite were fantastic because it let kids play with each other.

Anna

Yeah, my son would love to watch YouTube Kids, and he'd be allowed to watch YouTube Kids by the companies, but I don't let him watch it because the stuff that is on there is just rubbish. That has to be a consideration. But I think there needs to be more put in place where it's harder for them to access it in the first place. It's interesting.

Carole

Because, of course, not everyone is a fan. MSD International Australia say removing the benefits that social media brings will not achieve the government's objective of improving young people's lives and ignores the fact that the harms extend beyond children and young people to marginalized groups and people. Yeah. And the Australian Human Rights Commission says, given the potential of these laws to significantly interfere with the rights of children and young people, the commission has serious reservations about the proposed social media ban. The appointed cyber czar, Elon Musk, has also publicly poo-pooed it. Cool, he has. I wonder why. Seems a backdoor way to control access to the internet by all Australians.

Graham

I can understand some of these arguments. My son, for instance, when he was really very young, he used to enjoy watching history documentaries on YouTube. They were like little cartoon ones which would explain about the kings of England or about various wars and battles which had happened around the world. And he learned a lot about World War II and the Napoleonic Wars and things like this. And this wasn't harmful to him. This was his way of educating himself. And it wasn't just entertaining. It was him learning.

Carole

I wondered about YouTube as well. So listen to this final point here. So the bill is focusing on, they've named Facebook, Instagram, TikTok, Snapchat, and Twitter X. Also many more minor platforms and services. I'm sure they'll be able to add to that list as they see fit. Interestingly, the legislation has an exclusion framework that exempts messaging apps such as WhatsApp, online gaming platforms, and services with the primary purpose of supporting the health and education of end users. So things like Google Classroom. So I was watching some of the parliamentary discussion on this. And one of the questions raised was, how do you define a social media platform from, say, a messaging app? And they got specific, why ban Snapchat, but not WhatsApp? And there was a little bit of floundering. But I think I have a reason that I feel fits, but I want to see if you guys have any thoughts. I mean, the gamification of Snapchat that you mentioned earlier, that's one difference. I've never seen that on WhatsApp. I don't get awards for sending more messages or less messages. Oh, I'd get a good award.

Anna

I'd be on platinum, baby. I think, well, I don't know enough about how Snapchat works.

Carole

Yeah, there's a lot more features and filters and all kinds of stuff. But one thing that I noticed was that WhatsApp, unless you're in WhatsApp Business, but WhatsApp for consumers doesn't have ads, right? And Snapchat itself boasts to potential advertisers, I went to their website and it says, reach Gen Z and millennials with Snapchat ads. And it says Snapchat reaches 90% of the 13 to 24 year old population in 25 plus countries. I wondered about YouTube as well. And the advocacy group that put together the report suggested that YouTube remain accessible to kids. But they remain concerned by young people being able to start their own accounts and upload videos. I think it's interesting that they're focusing here on accounts, right? Because it's about them being tracked, I suppose. So it's not so much about them seeing content.

Graham

All because they recognize that the creation of an account, the use of an account is a gateway through which potentially a check could be made. Whereas if you just anonymously go to a website, you're given the analogy of having a bouncer at the door. Well, the bouncer at the door is at the point where you enter your credentials to log into a site.

Anna

I mean, obviously they can't stop someone looking over someone's shoulder, that's it. But if you don't have an account for Instagram, for example, you can't see a lot on there.

Graham

It'd be brilliant because you could blame the politicians. It's, oh, I'd love you to have the kids. I'd love you to have it, son. Unfortunately that evil prime minister has prevented it.

Carole

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Imagine taking a proactive deny by default approach to cyber security, blocking every action, process and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance. Onboarding and operation is fully supported by their U.S.-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/ThreatLocker. That's smashingsecurity.com/ThreatLocker. And thank you to ThreatLocker for sponsoring the show.

Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001 and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust centre, all powered by Vanta AI.

How could I forget? Can you remind me? Obviously, I listen every episode. But let me do it, Graham, just to show how I pay attention to the show. Okay, let's see. Graham was lamenting he had moved house and lamenting that he could not find a hob with knobs because of all the panels and the gizmos and made a huge 10-minute rant that I probably shortened to as much as I possibly could to save our listeners from the soapbox appeal. A listener did come back and gave him some advice, I believe. I think I found the solution. I recommended it to people.
So what happened, a hob, by the way, for the benefit of our American listeners, is a stovetop. And the problem is that a lot of induction stovetops or induction hobs these days have touch-sensitive controls, and you press them, and they don't really work well. And I just wanted a knob you could turn. I suspect that's a paraphrase of the highest order. We could find the clip.

Graham

Anyway, here we are. Here we are, and I'm excited. And I am back with an update. And I have to say that the hob with the knobs was fantastic. It worked very well and continued to work very well until last month, when two of the hobs, it wasn't a problem with the knobs, two of the hobs stopped working, which means that half of my stovetop is no longer working.

Carole

Even if you can turn the knobs really easily.

Graham

I can turn the knobs, but those two hobs... So it turns out it's not the knobs that are super important. Oh, interesting. So naturally I contacted the company and said, I've been a great ambassador for your product.

Carole

Hashtag ad. Yeah, hashtag ad. And hashtag, you know how many followers I have.

Graham

And I said, there is a problem with two of your hobs, not with the knobs. They're no longer coming on. I don't understand why. Christmas is coming, we're going to be making Christmas dinner. And they got back to me and they said, unfortunately, your warranty ran out two weeks ago. Oh. So this is not a pick of the week. This is a nitpick of the week. You see what I've done here? It's a nitpick because it's about electrical items which fail within days of your warranty running out.

Carole

Okay. Graham? Yes. I think good advice for our listeners here is maybe when you're purchasing some white goods that cost a lot of wonga. It didn't cost a lot. Oh, it didn't cost very much. Interesting. That's the problem, Graham. Oh, so you bought a piece of shit.

Graham

No, because it was the only one that had knobs. It was the only one I was able to find which had knobs.

Anna

Can I just say, I have got an induction hob with knobs. And I bought it this time last year. It's a Range Master. Hashtag ad. Oh, and is there any problems with it, Anna? No, there's not, but it did cost me a lot of money. And that's where you've gone wrong, Graham, because you bought cheap. And you know, if you buy cheap, you buy twice. So that's what you'll be doing.

Graham

Maybe you can send me a link because I could be in the market for a new hob with knobs for Christmas.

Carole

So the moral of the story, don't buy hobs with knobs unless you listen to Anna.

Anna

Yes, I could have helped you. I did a lot of research. I did a lot of research.

Graham

Anna, what's your pick of the week?

Anna

Well, so I love a pacey show, a TV show. I loved Ozark, loved Breaking Bad, loved Happy Valley. Did you watch them? Yep, all three loved them.

Graham

Yeah, I watched Breaking Bad and Happy Valley, yep.

Anna

Yeah, so I'm always on the lookout for something that will give me that. You know, as you're going to bed, you're like, oh, just one more. I'll just watch one more. That's one more. So the latest show I've been enjoying is Day of the Jackal. Have you heard of it?

Graham

No, no. I've seen the movie with Edward Fox.

Anna

Yeah. That was great. There was the book and then the film in the 70s. And so this is a remake.

Graham

There was a Bruce Willis remake. Oh, was there? I think. I'm sure that was shit.

Anna

I can't speak ill of Bruce now. Yeah, you're not allowed. I don't—

Graham

Know. Okay, all right, sorry.

Anna

You can speak ill of him if you want, but it's Eddie Redmayne. And it's a TV show and he stars as the Jackal. So he's a ruthless assassin who kills people and he takes on their identities and then he becomes them in order to kill more people. But he's a top, high-level assassin. There's an Elon Musk tech guru called UDC. There's lots of rich people trying to get one over on each other. But what's interesting about this show is that they also show his human side. So he's a family man and he appears to love his wife and his baby son.

Graham

For goodness sake. He's an assassin! Stop going on!

Anna

But it is. It's conflicting. It's conflicting.

Carole

So was Leon but we all loved him too so.

Anna

It becomes a cat and mouse chase between the Jackal and a British intelligence officer Bianca as she's trying to hunt him down and stop him.

Carole

Oh this sounds right up my alley actually and I'm looking for a new show so I'll watch it. What's it on?

Anna

It's on Sky. I've been watching through Sky but it's also on Now TV. Sorry guys, sorry I'm very rich.

Graham

Did you hear, Anna's kids? Did you hear that? She's got Now TV, she's got Sky, she's very rich. If only... Will she give you YouTube Kids? No, she won't.

Anna

But I did spend a lot of money on my hob with knobs. Oh, but you can also, I think you can download it from other places, legal places, and it's on Peacock in the US, if you're in the US. That's my pick of the week. Carole, what's your pick of the week?

Carole

So last night one of my girlfriends took me out on a movie date and this was quite exciting because she has younger kids, so we never go out ever. And she took me to see the 2024 Palme d'Or winner, a movie called Anora. Note, Graham, not Narrowly Missed the Palme d'Or, which we don't recommend, Graham and I don't recommend for reasons we can talk about another time. But the winner, okay, so the premise just quickly, you've got this Uzbek American seasoned stripper, Anora. And she knows all the moves. And she's entrusted by her boss to do the sexy routine for any Russian-speaking clients. And one day she meets a kid or a young adult called Vanja, the son of a gazillionaire Russian oligarch. And she dances for him. He swoons. They hit it off à la Pretty Woman and he turns her life upside down because he is beyond wealthy, completely free and only 21. And life is good, you know? And Anora can't believe that she's finally been chosen for this wonderful world. What could go wrong? More than you can imagine is the answer. This is Cinderella for adults minus the saccharine ending. But it is a wisecracking whirlwind of a film. It has romance. It has loads of sexy times. Starts with it right at the beginning, but it has action and comedy gold moments. People were in hysterics in the theater and it's two and a half hours long, apparently, but it flew by. I was thinking, oh, I'm probably about halfway and the movie was ending. Strong acting, strong direction, strong script. There's a few cameos, our oligarch kid slides into the first scene à la Tom Cruise in, what was it? Risky Business. Risky Business, exactly. And there's a word-for-word scene that's taken out of Pretty Woman, a cameo for that. So it's genius and it's a must-see for all adult movie-buffs. Yes, movie-buffs.
But this is perhaps not for a first date, okay, because there's oodles of erotica. Maybe it is for a first date. There's a lot of potty mouth chatter going on, but yeah, and it has a strong message. You know, it talks, you know, it flirts with the whole concepts of class wars, gender roles, money, flawed humanity. Oh yes, all that stuff. I loved, loved, loved it. So that's Anora, winner of the Palme d'Or, my pick of the week. Go see it if you're over 18.

Graham

Well that just about wraps up the show for this week. Anna, thank you so much for joining us. I'm sure lots of our listeners would love to find out what you are up to and follow you online. What's the best way for folks to do that?

Anna

Thank you for having me. I'm still on X Twitter, Anna Brading. I have got my username on Bluesky, but I haven't done anything on it yet. But get me on LinkedIn if you hate X.

Graham

And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole

And huge thank you to our episode sponsors, ThreatLocker, Vanta, and 1Password, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalogue of more than 394 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio, bye-bye. Bye. Bye. Bye.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Anna Brading – @annabrading

Episode links:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • ThreatLocker – the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
