
The video game Path of Exile 2 suffers a security breach, we explore the issues of using predictive algorithms in travel surveillance systems, and the very worst IoT devices are put on show in Las Vegas. Oh, and has Elon Musk accidentally revealed he cheats at video games?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Can I just—
I—
Why do we care? Who cares?
Yeah, Graham.
Smashing Security, Episode 400: Hacker Games, AI Travel Surveillance, and 25 Years of IoT with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode, drum roll please, 400! Hey, my name is Graham Cluley.
I'm still Carole Theriault.
And we are joined by a stalwart of the show, special guest, the mellifluous voice behind the CyberWire and Hacking Humans. It is, of course, Dave Bittner. Hello, Dave.
Well, hello, Graham. Hello, Carole. It's great to be back. It's been far too long.
I think Graham wants something from you. He doesn't normally give such gravy in his introductions.
It's episode 400.
It is episode 400.
I know.
That's a big deal.
We have a packed show today. So before we kick off, let's thank this week's wonderful sponsors, 1Password and Tripwire. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm gonna be discussing the latest hacker games.
Hacker games, okay, and what about you, Dave?
I'm looking inside the black box of predictive travel surveillance.
Ooh, and I'm looking at 25 years of the term IoT and what's the latest. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, specifically you, I suppose, Dave. I know you're a big fan of the show tunes. Do you also love a bit of a keyboard smash? Do you love a little bit of video game playing?
I do. I do. It's been a while since I've gotten into a long elaborate game just because of not having time to do those sorts of things. But yes, I have enjoyed games on computers from the very beginning, text adventure games.
Oh yes.
First-person shooters, and everything in between.
Fantastic. Well, lots of people, of course, love video games. And one of the hot video games right now is a game called Path of Exile 2. It is an action role-playing game, which comes from Grinding Gear Games. And it's the kind of game where you hack and you slash hordes of enemies, you grab loot, you customize your character, you level yourself up. It's currently in early access. It's expected to be fully released soon, but already hundreds of thousands of people are playing this game. Including at least one person who all of us know.
Know?
Well, at least one person that we know of.
Okay.
Which is a chap called Elon Musk. Never heard of him.
Elon—
The ultimate put-down. Sorry, Elon. Never heard of you. So, Musk loves his video games. He loves to talk about how he's one of the best Diablo 4 players, for instance, on the planet. Grimes, his former beau, the mother of 3 of his oddly named children. She even wrote a song all about her relationship with Elon Musk and his gaming addiction. And in the video, which I will link to in the show notes, but I won't incorporate into the audio because we'll get stung by the copyright lawyers, she cosplays as a hacking, slashing character beating off hordes of bad guys. And I don't know if you're familiar with Grimes at all or her song—
Is she Cher? She only has one name?
Yes, she's only got one name. And she wrote this song, 'Player of Games.' Are you familiar with 'Player of Games,' Dave? No. You're not familiar with her, oof?
I don't even know who Grimes is.
You don't know who Grimes is?
No, no, I am delightfully not grimy.
The lyrics maybe will remind you. It goes, "I'm in love with the greatest gamer, but he'll always love the game more than he loves me. Oh, oh, oh. If I loved him any less, I'd make him stay. But he has to be the best player of games."
She's a poet.
She is a poet.
She's no Paul Simon, but it'll do, I guess.
It's funny though. Grimes and Musk.
Interesting combination, isn't it?
Sounds pretty vile, doesn't it?
Yeah, it sounds like an old vaudeville act.
Anyway. He clearly wants to be the best video games player on the planet. Last November, as I said, Elon Musk apparently became the number 1 Diablo 4 player globally. So he's quite proud of his gaming prowess. Earlier this month, he livestreamed his playing of Path of Exile 2 on Twitter, or X as he prefers to call it.
I like dropping the bell. That's a nice sound.
That's a nice ring to it. And that got some people wondering, because some gaming nerds took a close look at Elon's video of him playing this game, and they declared bullshit.
They declared bullshit that that's Elon, or that—
That what they were seeing was the reality of what was actually going on, because people well-versed in the game argued that there were lots of clues that what they were seeing could not be legitimate. And one of the reasons is this is a man who runs 6 companies. He's Donald Trump's wingman. He's posting on Twitter roughly 60 times a day. He's meeting world leaders. Where could he find the time to grind away the hundreds of hours needed to level up his character?
I think you mean Grimes away.
Nice. Well done.
Grinding away at Grimes. I think they're past that. They've had their 3 kids now. One person was even mean enough during this livestream to post some ASCII art of Mario doing a dump on Elon's name during Musk's stream. Very juvenile. Not the kind of behavior that we would endorse. And some YouTubers have been analyzing this video in sort of almost forensic Zapruder-style detail. And there's this chap called Cynical X: "I can say after watching about an hour of this livestream that I would put $100,000 or more on a bet. I would bet at least $100 grand large that Elon did not level this character from level 1 to level 90 himself."
Yeah.
Friend of the show Joseph Cox, he's similarly suspicious. Joseph is a big gamer. He says he's long suspected that Musk's claimed achievements in Diablo 4 and Path of Exile 2 are lies. The reason for this is observers say he runs past super valuable items while he's playing. He seems to ignore things which seasoned gamers would notice. He doesn't seem to understand the mechanics of the game. Joseph Cox says that Musk doesn't show the behaviour of someone who has put a lot of their own time in the game, which has made people suspicious that maybe he's had some help.
Right.
And some YouTubers, as I said, they've been analysing Musk's videos. And they say it's odd, because he's got his map in the game. He's got this stash or something, and he calls it Elon's map, almost like someone else has been working on it.
As opposed to my map.
Yeah.
Yes.
It's great when you refer to yourself in the third person, right?
I mean, it is plausible, right? It is plausible. And he's also emphasising constantly that what he's doing is very, very difficult, but clearly not understanding what he is doing. And that suggests, is it possible that this multibillionaire needs some validation and recognition? And that is driving him to exaggerate his capabilities? No.
Am I allowed to make a guess here, or am I going to ruin the story?
Oh, you can try.
I'm wondering whether he's just trying to get connections with the kids because, you know, he needs them in order to buy his products, the Cybertrucks, you know?
He could connect to the kids by playing the game, but this is someone who's a master of the game. He's accrued so many points, so much money inside the game. He must have been playing this for hundreds and hundreds of hours. And not being attacked and not being reset back to zero. So it's a bit odd.
I'm not surprised, though. From the little I know about him, this just would not surprise me in the least.
Well, in completely and utterly unconnected news, we hear something strange from the world of Path of Exile 2, which is it turns out that a hacker has compromised an admin account used on the Path of Exile 2 website. Which allowed them to reset passwords and access players' accounts. And this attack happened shortly before the game was launched. So an admin account by a staff employee was compromised. Apparently it had been linked to a Steam account, and the hacker was able to gain access. And things were made worse because a bug in the system allowed the hacker to delete any logs which were kept about password changes being made. So it's really hard to tell whose account has actually had their password changed during this timeframe.
Okay.
Yeah. Now Grinding Gear Games, who are the people behind Path of Exile 2, they say what's really impacted their ability to work out how many accounts have been compromised is that unfortunately they were automatically deleting logs after 30 days. So they can't even see who was logging in on particular times. So there may be many more victims of this than they first imagined. There are around about 290,000 players of the game apart from Elon Musk.
So 200— okay.
Okay. So one question is, why would someone hack the game? And the reason why this game is getting hacked, and similarly why many other video games get hacked, is because trading is a big part of it. There is a currency in the game called Divine Orbs. So you want to look after your Divine Orbs. I think we can all identify with that. And these can be sold to other players via real money transactions on third-party sites. So if you were able to steal someone else's orbs, they have a monetary value in real life.
So they don't know how many accounts were compromised.
No.
Surely people would complain, right? If you were a serious player, you'd be, what's going on, guys? I've lost everything.
And players are complaining. Players are saying their divine orbs have been stolen. Players are saying that their gear has been taken off them. The things that they've accrued, their armor, their special abilities, the things which they needed to level up their characters in order to make themselves maybe the best player in the world at this game.
Yeah, but the irony is now that Grinding Gear has announced this, I'm sure every one of the 290,000 players are going to say, hey, I had loads of sexy orbs or whatever they're called. You owe me money, guys.
Well, it's a free-to-play game, right? So it's not necessarily the case that they owe money. Obviously, you probably can pay for extra features or specialist uniforms and all those sort of things. But, you know, who's got the kind of money to waste on that kind of thing? Who's got money pouring out of their pockets to spend on these online games in order to level themselves up and to get all these abilities? Who would possibly pay the hacker? It's impossible to say. Jonathan Rogers, he's one of the guys behind Grinding Gear Games. He's acknowledged the severity of the breach. He said that they, quote, totally fucked up.
And they're saying that because they delete their logs after 30 days, is that what they mean?
Because they deleted the logs, because they had a member of staff who had associated their account with their Steam account, because they allowed it to be hacked, because they didn't have two-factor authentication in place. So they're now putting two-factor authentication in place for their staff. They're considering it for their players as well. And I think there's a warning for other people out there and other organizations, obviously have two-factor authentication in place, but also maintain your logs, especially for things like when passwords get changed, don't treat that as a sort of ephemeral piece of information. That is something which could be collected. But we still are left in this mystery situation of just not knowing who hacked Path of Exile 2 and what they may have been trying to do with it. So it's a mystery.
Yeah.
Thank you for the conspiracy theory, Graham.
Well, I haven't said any conspiracy theories at all. No, I don't think so. I don't think so. I doubt he's got the time for it, if it's the person I suspect you're thinking I'm thinking. But can I—
It just—
I—
Why do we care? Who cares if Elon Musk wants to be the number one video game player in the world? Who cares if instead of using his billions of dollars for public health or building libraries or solving homelessness, he wants to invest his money into paying other people to play video games for him so that he can swing his dick around and pretend to be the biggest player in the world? Like, what an unserious man this is. That this is his priority, and who cares?
So maybe we need to stop reporting on how successful he is as a video games player and every time he tweets a piece of nonsense 61 times a day.
Yeah, and I don't know to what degree there's a divide here between, you know, you folks on your side of the pond and us here, but we are just hammered with an avalanche right now, obviously with what we're going through with the Trump administration version 2.0 and Elon's influence on that. But I don't know, it just— time and time again, stories about Elon just strike me as what an entirely unserious man he is. And just through his wealth, he manages to live a life without consequences because he can throw money at everything: his family, his businesses, and playing video games. I want to be the number one video game player in the world because that's important to me.
Okay, I agree with you. I don't care if he's the best video game player in the world. I don't care if he's got a video game hobby or anything like that. And if he wants to tweet about it, fantastic, you know, go ahead. I don't care if you do that. I suppose the important message for listeners of our programme is that this game did get hacked. There are consequences. If you've invested your time in it, there's a potential for you to have lost information as well as your valuable hours, which you've spent curating this thing and for other organizations who have similar services online to make sure that they are properly secured, because otherwise your audience is going to be disappointed.
Yeah, but at the same time, these companies are going to be sitting there going, "Oh, guess what? Elon Musk is playing our game. How cool are we? Elon's here."
Yeah, it just seems misplaced priorities for someone. You would think that having the title of wealthiest man in the world comes with a certain degree of gravitas and responsibility. And again, time and time again, I am disappointed with the lack of gravitas and responsibility that Elon seems to take with the incredible opportunities that he's been given.
Because what you've seen, Dave, is so much responsibility being taken by so many other multibillionaires over time. They've always done a great job, haven't they?
Well, not always, but I mean, no, no, no. I know where you're going here, and I think your snark is well placed, but I do think that the historical robber barons, right, of the late 19th, early 20th century, who we have libraries with their names on them, right? They did use their great wealth for the greater good.
Although sometimes they made their millions through slavery and so forth, though, as well, didn't they? So it was easier for them maybe to afford a library.
Yeah, I think we should move on.
Absolutely.
Absolutely.
I'm thinking—
I'm just saying there's better things they can do than, you know, build rockets to send their big space penises into low Earth orbit.
I think that was a car, actually.
Dave, what have you got for us this week?
All right, well, my story comes from the folks over at Wired. This is an article written by Caitlin Chandler, and it's titled "Inside the Black Box of Predictive Travel Surveillance." Now, I don't know about you, but anytime I hear the phrase "predictive surveillance," that gathers my attention, right?
Yes.
I get a warm fuzzy feeling when I hear that.
Right.
It feels a little bit Minority Report, doesn't it?
Exactly. Exactly. So this story starts off with a gentleman named Frank van der Linde, who is a Dutch human rights advocate. And he had a feeling that he was being secretly tracked by Dutch authorities using travel data because he was flagged at an airport in Amsterdam in 2020. So he used GDPR to request his records. And turns out the records for travel are called passenger name records. And these are detailed travel data which airlines share with governments all over the world. And passenger name records really became a thing after 9/11, right? And these are collected for security purposes. And passenger name records include information like your payment details, your travel itinerary, personal identifiers. But more and more, this data is being fed into AI-driven systems to assess traveler risk. And there are private companies who are doing this. There's one called Travizory, which is highlighted in this story, who are building these systems. And the promise here, what they promote, is that we could see a future where, let's say you're getting off of an international flight and the vast majority of folks would no longer have to wait in line at customs to have their passport stamped and to be questioned and to be approved for entry into the country because as you're walking down the hallway, an AI system would do a facial recognition scan of you, would analyze everything they know about you, and they would give you a green, yellow, red rating as to whether or not you pass through.
You don't want red, right? Because it's probably a bullet in the head or something. Lasers come out from everywhere.
If you're red, a cage drops out of the ceiling and grabs you. But if you're green, you just go right through and everything's great. You spend less time going through all that. And life is good, right?
Frictionless travel. Yeah.
Well, obviously the problem is that these systems can falsely flag people, but they're also concerned about amplifying biases.
Yes.
This story talks about there was a system, I believe it was in the UK, that turns out it was racist when it was looking at folks coming into the country. They were using some AI, I believe, for refugees, immigrants, and turns out the system was unfairly judging people based on things that it shouldn't have been judging them on. But another big worry is just the lack of transparency. There's a quote in here from the article where they were talking to one of the experts here whose name was Jorgensen. And the author writes, "I asked Jorgensen what variables went into selecting who looks unusual. 'Everything we have on the passengers,' he replies, estimating that Travizory's two AI engines use between 100 and 150 variables." They're kind of black boxes. So they will tell you that this person is potentially risky and this person kind of looks different, but how it makes this decision is kind of a mystery. Well, that sounds great.
Surely that could be programmed into the AI, you know, surely that could be. And to say this because of this flagging or this incident or this.
That's not really how it works though, is it? It is a black box with an AI. It will come out with content, but working out why it did it is something of a mystery.
No, but not always. There are some AIs out there that will actually give their references. So I use them for news and it'll say, I think this, it'll put together some blah blah and it'll give me its links on where it's got this information.
Right.
But sometimes it makes them up.
Right. Sometimes.
Yeah, totally.
Right. So you can ask it, but sometimes it lies.
Yes. Yeah.
It's called hallucinations.
Right. Right. With total assurance and confidence, it will make up something to make you believe that it knows what it's talking about.
Sometimes deliberately deceptive as well.
Yeah. So there are other things that they're hoping that this would be helpful with, things like human trafficking.
Not helping human trafficking, presumably.
Well, correct. Tamping down on human trafficking. I mean, helping ID people who are potentially being trafficked. But again, the flip side is that there's a worry that right now, for example, your flight attendants are trained to spot folks who are potentially being trafficked. And the concern is that if the AI systems take over responsibility for that, then you remove the human element and the folks in the airplane, for example, might not be as tuned in to looking for those sorts of things because they'll feel as though it's no longer their responsibility.
Yeah.
There were some other things in here that caught my attention, like things that could get you flagged. One of them that gave me a little chuckle was if you're traveling with more luggage than your trip requires, right?
I know plenty of people who do that. They're just going away for the weekend and they've got 3 suitcases.
Well, that's the thing, right? So because the data that goes into these systems includes how many bags you're traveling with. So if you're just taking a day trip somewhere and you have half a dozen large suitcases, that's perhaps a red flag.
The thing is, Dave, you and I, we need a lot of outfits. We can't wear the same thing twice, can we? And then of course, there could be some sort of event at the ambassador's residence. You know, we need to be ready for His Excellency. We might be going to the opera, we might be slumming it somewhere, might be chilling at the club, maybe playing jazz.
Graham, you need a separate bag just for the number of capes that you travel with.
Cravats, my cane.
Cuban heeled boots.
That's right. So it's a very interesting article. I recommend folks look into it. I think it's indicative of where we find ourselves right now, where there is great promise in these systems. But of course, we have to be mindful of what they potentially take away from us and the degree to which we're okay with giving up our privacy in exchange for potentially safer travel and more secure borders.
Can I give a low-tech tip that I heard on Woman's Hour, which is a long-running BBC radio programme, about human trafficking. So if you are in that situation and you're going through an airport, being sent to a country to get married against your will or these kind of things, you're supposed to put a spoon in your underpants.
I'm sorry.
And then when you go through— yeah, so when you go through the security, right, they see it and they know right away that's apparently a thing, right? And they'll take you in and know that there's something wrong. But they say that children under 16 should not do it. Isn't that awful? Because they have to bring their guardian in with them during questioning.
Well, that at least explains why I keep getting stopped at security. I've learned a useful tip there, thank you, Carole.
Graham's got his special travel spoon. You kind of have to keep it warm. It's no good if you have a cold spoon, right?
Carole, moving on swiftly. What's your topic this week?
I want you to meet Winston Smith. He's a low-ranking member of government.
Hang on, his name is Winston Smith?
Mm-hmm. Now, our pal Winston is not a happy guy, right? His job sucks because he has to alter historical documents to fit the needs of his big bosses in government.
Right. Okay.
And it gets even worse than that. Everywhere Winston goes, even in his home, he's being watched. They're monitoring what he says, monitoring what he does, where he goes. Graham, I think this is ringing a bell for you.
This feels a bit familiar to me. Yes.
A little dystopian, perhaps? Perhaps. So this is all Orwell's novel 1984. And despite being published 75 years ago, Orwell was on to something because today our city streets and neighborhoods and homes are riddled with cameras and microphones. I remember the days when we valued privacy in our own homes, but today that concept seems to be fairly moot because inside we have smart tech that we've paid for with our very own hard-earned cash. I think even Orwell would have raised an eyebrow or two at that.
Yeah, some people have got smart assistants in their bedroom, probably. They're probably live streaming to the internet without realizing it.
You know, it's not like we've been forced into surveillance by some nutjob power monger yet. But why do we have all this stuff everywhere? Because we're bored or we want to make life easier? We're afraid? We're impressed with tech? We want to see how it works?
More money than sense.
These so-called smart devices apparently outrank stupid devices 3 to 1. Okay, this is what they expect to happen in 2025. And Dave, your continent is leading the pack, responsible for 40% of the market, and Asia's hot on the heels at 30%. And we're talking more than 30 billion connected IoT devices globally, right? So not small potatoes here. Now, the term Internet of Things is said to have been first used publicly by Kevin Ashton of MIT way back in 1999. So at least a quarter of a century ago. And I just wanted to take a look at the industry and see how it's looking now, 25 years later. So let's start with a silver lining of sorts. A few days ago, the Biden administration announced the rollout of the cybersecurity label for interconnected devices known as the US Cyber Trust Mark. Do either of you know what the mark looks like, or can you guess?
It sounds a bit like the British Kite Mark, which they put on devices to tell you that they're safe.
Yeah, well, this is a shield. Now, this voluntary program allows providers of smart devices to label their products with the Cyber Trust Mark, governed by the FCC. There are a few words in the last paragraph I just read that concern me. Like, imagine, if you will, that vehicle seat belts had a voluntary certification allowing car manufacturers to sign up because they thought it might be good for business, not because they had to follow the rules. Or imagine a restaurant had a voluntary certification that communicated that the food was certified as safe to eat, but not every restaurant has it. So I find this whole voluntariness— I don't know why it's not mandatory for these devices that will be sold in the country, or, say, any country, because we rely very heavily on these IoT devices, more than we do our cars and restaurants. In fact, cars and restaurants today are riddled with IoT as well. And I know I sound a bit peeved about this. It's not like I'm against all IoT. I mean, I use a computer, I use a smartphone, and both these things I need for my work and to stay connected to those I love. And IoT helps conserve water, reduce hydrocarbon fuel, CO2 emissions, farming, transportation, food distribution, healthcare. There's lots of great things that are important for the world and all of us who live on it. Let us take a look at the latest Consumer Electronics Show, CES 2025, showcasing what they call the cutting edge of smart innovations. Let's start with a life-size robot called Aria, a sexy little thing with private parts that has apparently been designed to tackle the staggering loneliness epidemic. Now, its creators, Realbotix, intimate that she is not just intended for sexy times, but for hospitals and theme parks and working booths at trade shows. Let me quote Forbes here, actually. So it's a $175,000 model that can move its limbs and move around on a circular plinth, like a mannequin riding a Roomba.
Right. Okay.
There's even a mid-range model costing $150,000 that can be disassembled and packaged in a suitcase to take with you.
We were just talking about human trafficking. Now we're— that could set the metal detector off. What is in your suitcase? I see a face. Oh!
Because you can take it in your suitcase.
Yes. And she's quite good-looking. She has very smoldery-looking blue eyes.
Does she come with a spoon?
Some of the smart tech at the show has been so bad over the years that a group of advocates created The Worst in Show Awards. And they say it's the one show where winners definitely do not want to give an acceptance speech. So there's 5 different sections. We're gonna run through them quickly. Worst for cybersecurity, the 2025 award goes to TP-Link, a router company that we all know of. Apparently they have 65% market share in the US alone.
Yep, there's one sitting in my living room right now.
TP-Link devices getting hacked seems to be a common theme. They're even up for investigation by the Department of Justice in the US. The problem that they had with it is that because they're a Chinese company, they need to report any issues like data leaks to the government before they inform any of their consumers. Now, worst for environmental impact, the award goes to SoundHound AI. So this is an in-car voice commerce ecosystem.
What?
Basically, it's an AI-powered, hey, how's it going? Show me where McDonald's is.
Right.
The problem is the amount of power required to power this and many AIs is astronomical compared to the value that they offer.
Oh, yeah.
Okay, next, worst for repairability. Okay, this one blew my mind. So this is the Ultra Human Luxury Smart Ring. Okay, a little ring you wear on your finger. It retails at a snip at $2,200. But it turns out the battery only lasts 500 charges. Try to replace the battery and it bricks itself.
So 500 charges. How long does a charge last?
How big could the battery be in a ring, though? And that can't last that long.
Yeah, that's what I'm thinking. It may only be 12 hours or something.
All the links are in the show notes, as always. Please go do your own research.
So that we don't have to.
Yeah, exactly.
So I don't have to. I've done loads. I've done loads.
I've done loads.
Worst for privacy. Okay, so they really are focused on smart infant products, okay? 'Cause these promise peace of mind to stressed-out new parents, but actually often make it worse with false positives, like one saying that your baby has stopped breathing. So the one that they've given the award to is the AI-powered bassinet, baby bassinet from Bosch called Revol, R-E-V-O-L. It costs $1,200 and collects a glut of information through its microphone, its camera, and radar sensors. And what do you get? Well, they say it tells you when your baby poops.
Oh.
To be honest, I'd rather have a false positive than a false negative.
Also, it's quite often not ambiguous when that happens.
Yeah, I think you can often tell your baby's pooping. If you can't smell it, you know—
Yeah, exactly.
From the next room.
Exactly. Now, what about the device that no one asked for award? Well, this goes to Samsung's bespoke AI laundry combo appliances. Now, the whole idea here is do not worry if you left your phone in the other room. Just use your washing machine or fridge to make the call.
What?
I'm not kidding. And you should buy this to help Samsung reach its screen everywhere vision. So coming back to something that Dave said earlier, why, oh why, are companies wasting their time on devices like these? They could be saving the planet, but instead they're just trying to crowbar the word AI into everything and provide us with stuff that no one really seems to want.
Yeah, well, I think the answer is simple. I think Elon Musk has got a lot of houses and he needs to fill them with something. So there is a market. There are people who will buy these things. And it presents these technology companies as being on the forefront of, look what these crazy cool things are that we've made.
They're not cool.
Also, for Elon, if it has a screen on it, you can play video games on it.
So there you go.
There you go.
And also, I'm sure it's to keep shareholders happy, right? Or to secure a few headlines. I'm covering it right now. So there you go. Maybe not in the tone that they'd hoped for.
Years ago, my parents got a new washer dryer set, right? Washer and electric dryer, and they were networked together. And I just couldn't help wondering what do they possibly have to say to each other? Right? "Hey, dryer, brace yourself.
Gonna be sending over some wet laundry soon." Don't you think it's sending a third party how often you do laundry, what kind of laundry settings you use, all that kind of stuff, so they can make all kinds of decisions? The thing that pisses me off is they do this at your expense. Expense, the consumer's expense. You have to still go buy that stuff. It's not like they're giving it to you for free to get your information. Anyway, I'm still on.
Yeah. And eventually they brick themselves.
Exactly.
As this is a security show, we should have some advice here. So the main risks of IoT haven't really changed. It collects sensitive information through mics, videos, and sensors. They often have weak security, so default passwords that can be easy to guess. LastPass. It also means your devices can be hijacked and used as part of a botnet. There are things where you can actually have physical security issues. So smart locks and smart security cameras, they're responsible for your physical security. If they go wrong, they can lock you out of your home or lock you in your home. So I guess my whole point here is you've got to think twice about every single smart device you install in your home, car, or office. Don't just read the marketing blah blah. And so my list here is: make sure that, you know, you need this device, put it on a separate network from your actual important devices where you actually do your banking and whatnot, change your default passwords, disable unnecessary features, use 2FA, multifactor authentication is key here, and regularly check for, you know, updates and weird activity on the logs if they're not deleted. Right, Graham? Or don't. Or don't do any of this and be 1984's Winston Smith after his months-long stint in Room 101, where he discovered his true love, the all-seeing, all-knowing Big Brother, who of course has his best interests at heart.
AI Roomba robot.
If you've been in the cybersecurity industry for a while, chances are you've already heard of Fortra's Tripwire because they've been setting the standard for integrity monitoring tools for more than 25 years. What you might not know is just how much of your environment Tripwire can monitor. Tripwire Enterprise gives you context for suspicious changes across your servers, network devices, applications, databases, file systems, desktops, and more to give you the real-time awareness needed to stop breaches before damage is done. It also automates compliance enforcement with the industry's largest policy library. So visit tripwire.com/demo to set up a personalized demo session with a cybersecurity expert and learn how Tripwire can be your integrity management ally. That's tripwire.com/demo and thanks to them for supporting the show. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashingsecurity.
Phishing.
That's 1Password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week is not security related. My pick of the week this week is Pick of the Week because it is, of course, episode 400 of Pick of the Week. And wow. Wow.
That's very meta. Yeah.
Yeah. It's called lazy hacking.
What? No, no, no. Hang on. Hang on. Because faithful listener Thom Mattison has been in touch. He sent me an email this week and he says he's listened to the show for several years. He always enjoys it, he says.
Don't sound surprised.
He says, I have shamelessly stolen the Pick of the Week segment for when he has his team meetings. So he's new to leading a particular team and it has given him insight into the people on his team beyond just their duties. So he actually has a segment of his meeting now called Pick of the Week. And apparently he credits Smashing Security for this. And on his first ever entry where he introduced the Pick of the Week concept to the agenda, his Pick of the Week was Smashing Security. This is like Inception. This is like it's all folded in on itself.
Fantastic.
So he says he's not quite as smooth as me when it comes to reciting the intro to Pick of the Week. As we all know, it could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like. But he also doesn't have someone on the team who says, "Better not be." He can work on that. He can work on that. Anyway, if you want to check out our past Picks of the Week, go to the Smashing Security website, go to smashingsecurity.com/potw, and you will see the archive of past Picks of the Week.
Is it updated, Graham?
Yes, it is, Carole.
Wow.
I have been religiously updating it every ruddy week. I did leave it for a few months, but—
Yeah, you left it for a few months. I remember going to check it and I was like, damn it. Well, you check it out these days.
It's normally pretty good.
Good for you.
Anyway, Pick of the Week is my pick of the week.
So your pick of the week is the global influence of Pick of the Week.
Pretty much. Maybe some of your podcasts, Dave, maybe the CyberWire should have a Pick of the Week.
Maybe.
And Hacking Humans. You would have to pay us the royalty, obviously.
You do realize that the entire Hacking Humans podcast ripped off the format of Smashing Security.
Well, I'm glad you've admitted it. We've been thinking that for years.
Where's our lawyers?
I mean, I prefer to think of it as an homage.
Well, I think maybe you could mention that in the show at the end saying, and shout out to the format creator.
We even stole Maria.
Thank you. Yeah. They do give us the odd shout out.
I know.
They are very nice. Right.
Oh, goodness.
Dave, what is your pick of the week?
Well, my pick of the week is a new documentary that is out on Apple TV+. And I would have to say that my all-time favorite musician who has had more influence on me than anyone else has to be Elton John.
I knew you were going to say that.
I was thinking Liberace. But anyway, similar.
Well, it's a close second. The very first record album I ever owned was Elton John's Greatest Hits. Back in the '70s.
Better than my Twisted Sister.
There you go. But what a career, right? And decades of number one hits, great albums. In the Rock and Roll Hall of Fame. I say it's hard to argue with the fact that Elton John deserves the accolades that he has received over his long, storied career. So there is a new documentary on Apple TV+. It is called Elton John: Never Too Late, and it is produced by his husband. And it follows two paths. Part of the story is a retrospective looking back at Elton John's career from the very beginning through today. Lots of archival footage and interviews and things that I'd never seen before. And as someone who is very interested in all things Elton John, I've seen many documentaries. So really interesting stuff. But then also it chronicles leading up to his final concert.
Right.
Was it, I guess, two years ago now? So it has the months leading up to that, the shows that he was doing and interviews, how he was feeling, what he was up to, how important his family is to him, and so on. So it's a lovely documentary. Gives you the warm fuzzies if you're a fan of Elton John. So I learned quite a bit. So it's good information, but also just kind of a feel-good tour through his career, his music. So my pick of the week is Elton John: Never Too Late.
Cool. What a life he had too, right?
Yeah.
And a great songwriter. Yeah, yeah. Just great.
Fantastic. Carole, what's your pick of the week?
Well, I have a nitpick of the week this week for episode 400. And I don't know what you guys are going to say about it. So if this causes some— ruffles some feathers, please shout. But my nitpick of the week is Apple News. Have either of you ever used it or paid for it? As a subscription service?
No. Sometimes it's offered me a free trial or something. I've never found any use for it at all.
No. What about you, Dave?
I have it as part of a kind of bundled subscription to a bunch of Apple things. And I do take advantage of it because it gives me access to some magazine subscriptions that I would otherwise have to pay for that are rolled into Apple News. So I find it useful there.
Yeah. Well, I haven't paid for it. I had a 3-month free subscription because I had a new device and I was extremely underwhelmed, right? Like it cost £12, I think, once you're paying for it each month, and it's like it's for a news aggregator. I think that's steep. And it asked me what I was into, but I could only choose 5 titles, which I did. And then it served me a bunch of crap, like stuff I had absolutely no interest in. And it put those things ahead and above the news that I actually wanted to receive. It's like, I don't care about Brangelina's divorce settlement or what fashion item I have to have this week or the personal account from someone I don't know about how Ozempic improved or devastated their lives. I don't care. I don't want to read about it. I don't even want to scroll past it. And I don't have any interest in reading about sports, but they kept showcasing them to me. And I thought it might be useful for this podcast because I thought maybe I can get a nice bit of news which will help me with new stories. But searching, we all know that Apple search function is not the best, but I had so much trouble. I couldn't find anything that was even remotely useful for this. So basically Apple is in control of what it serves you and it thought it knew better than me what I wanted to read. And Apple, listen up, you don't, you really don't. It's not good. I didn't like it. And that is why Apple News is my nitpick of the week. And on top of your subscription service, the articles are riddled with ads, like those gross ads, like close-up of infected feet and revolting skin conditions. And it just put me completely off the whole service.
Can I push back just a little bit, Carole? Yes, yes, absolutely. In that as we are recording this, on the desktop of my computer, of my Mac, is a widget that is labeled cybersecurity from Apple News, and it's an aggregation of cybersecurity news that Apple's gathering up, and it's just a little scrolling collection of current news stories. So—
Are you finding the stories really useful and good, or are they mostly press releases from companies that are trying to get you to cover their stuff?
I mean, it's a mix of things. I'm looking at the— So the top ones are from Axios, Washington Post, Security Intelligence, so it's a mixed bag.
I also think though the states have a better feed than we do, 'cause I know that you guys can get access to things like crossword puzzles and all this, and I was like, "Oh, that wasn't available here." Okay.
My point is that perhaps somewhere buried in there are some customization tools that could give you a better experience out of it.
You're jealous. You wanna read about Brangelina. I know it.
I know it's true. It's true. Actually, I want to keep track of what the top score is on Elon's gaming.
Were you implicated at all in Brangelina's divorce or did you get away with that?
Oh, I'm sorry. There is a restraining order that keeps me from discussing any relationship I may or may not have had with Brad Pitt.
Well, that just about wraps up the show for this week. Thank you very much, Dave, for coming on the show. Where can our listeners hear some more from you?
Just look at the CyberWire and it's all there.
And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge smashing thank you to our episode sponsors, Tripwire and 1Password, and of course to our wonderful, faithful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 399 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye.
Bye-bye.
Hosts: Graham Cluley, Carole Theriault.
Guest: Dave Bittner.
Episode links:
- Player of Games – Grimes.
- ‘Path of Exile 2’ Players Call Bulls**t on Elon Musk’s Video Game Stream – Gizmodo.
- Elon Musk “Playing” Path of Exile 2 – YouTube.
- Elon Musk is Lying About Being Good at Video Games – YouTube.
- Elon Musk Streams His ”Totally Not Boosted” ‘Path of Exile 2’ Character, Proves He Has No Idea What He’s Doing – Vice.
- Hacker Broke into ‘Path of Exile 2’ Admin Account, Hijacked Wave of Characters – 404 Media.
- Inside the Black Box of Predictive Travel Surveillance – WIRED.
- Average Number of Smart Devices in a Home 2025 – Consumer Affairs.
- Global IoT and non-IoT connections 2010-2025 – Statista.
- U.S. Cyber Trust Mark: New Label for IoT Devices – National Law Review.
- How the Internet of Things will be good for the planet – Thales Group.
- The ‘Worst in Show’ CES products put your data at risk and cause waste, privacy advocates say – AP News.
- The CES worst in show awards lampoon AI everything – The Register.
- The Worst Devices of CES 2025!! – YouTube.
- This Could Be Your AI Robot Girlfriend – For $175,000 – Forbes.
- Pick of the week! archive – Smashing Security.
- Elton John: Never too late – Disney Plus.
- Apple News.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Tripwire Enterprise – Set up a demo of Tripwire Enterprise to see how you can simultaneously harden your systems and automate compliance.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.