
In this week’s episode, Graham investigates the mysterious Iberian Peninsula blackout (aliens? toaster? cyberattack?), Carole dives into the UK legal aid hack that exposed deeply personal data of society’s most vulnerable, and Dinah Davis recounts how Instagram scammers hijacked her daughter’s account – and how a parental control accidentally saved the day.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Dinah Davis.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
It struck me that if you were an invading force of extraterrestrials, then this would be the time to attack. Yeah. I mean, how could you defend your country from an alien invasion?
I don't think it has to be alien. It could be just a bunch of flies, you know, that land in the city and you have no— you can't, you know, do anything about it.
But where are the flies coming from?
Where's the aliens coming from?
Smashing Security, episode 418. Grid failures, Instagram scams, and legal aid leaks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 418. I'm a teapot and my name is Graham Cluley.
I'm Carole Theriault and not a teapot.
And we're joined this week by a special guest. Carole, you do know the whole 418 I'm a teapot thing, surely?
No.
Oh, okay. We know 404 is page not found.
Yeah.
Well, 418 is I'm a teapot.
Oh, I didn't know that either.
Well, now you know. And that is the voice of our special guest this week, Dinah Davis. Hello, Dinah. Great to have you back on the show.
Hi, how's it going?
Welcome.
Very good.
So first, before we kick off, let's thank this week's wonderful sponsors Meta Compliance, 1Password, and Vanta. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
I'm gonna be asking who turned the lights out.
Okay, what about you, Dinah?
I'm going to talk about how my daughter got her Instagram account hacked.
Ooh, and I'm gonna see why UK legal aid needs a big fat Band-Aid. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, Monday the 28th of April, just about 3 or 4 weeks ago, isn't it? Do you remember what you were doing on that day?
I do.
You do?
I was voting for my new Prime Minister and I was canvassing for my local Liberal candidate.
That's right. There you go.
It's a very clear day for me.
Oh, brilliant. Well, if you live in Spain or Portugal, there's a good chance that you do remember what you were doing, because at 12:33 on that day, millions of people were impacted by a sudden power blackout, which made headlines around the world, didn't it? When the Iberian Peninsula, its electricity was, well, shut down.
Yeah, just shut into total darkness, wasn't it?
Well, yeah, I mean, it was the middle of the day. I suppose if you were indoors— That's true. Yeah, you could have gone outside. Yeah, okay. It wasn't instantly dark, but— Obviously it became darker during the course of the day, but it still caused massive disruption for around about 12 hours. So telecoms were down, your phone may not have been working, transportation.
It got dark.
Yeah, I was in the blackout zone in the, I think it was 2003 blackout in North America. And I remember the chaos of that and having only cash, nothing else worked. So, I can definitely empathise. It was very kind of scary and just unsettling.
Because you come to expect— You expect all those things to work, don't you? You expect the emergency services to be operating. You expect the metro lines to be working. In Spain and Portugal, they were being evacuated. Air travel was disrupted. Traffic lights were on the blink. There were at least 8 people who died.
Oh, lordy.
During the power cut. Apparently, it's mainly attributed to sort of fires started by candles or inhaling carbon monoxide from generators. But there were also people who had the power to their mechanical ventilators, which they were relying upon for medical reasons, shut down because of the power outage. So it's estimated this blackout cost €1.6 billion. And many businesses, banks, shops, services utterly incapacitated by the lack of power and the lack of connectivity. And as you imagine, in those kind of situations, people are stocking up with essential items. They're grabbing food and water, batteries, torches, flashlights, radios. Also, you don't even have Netflix to rely upon, right? You can't even trust that to be there. So maybe you're out buying jigsaws and books and knitting needles and—
With what? No one carries cash.
Barter, Carole.
You know what's gonna happen? There was a huge baby boom nine months after the blackout in North America. So just watch, just watch, we'll see what happens.
There's nothing else for us to do, darling.
You know? This is what happens.
So obviously, horrendous chaos with a capital K. And it struck me that if you were an invading force of extraterrestrials from the planet Altair 4, then this absolutely would be the time to attack, because everyone's running around like headless chickens.
Yeah.
I mean, how could you defend your country from an alien invasion if your power, if your telecoms were utterly offline?
I don't think it has to be alien. It could be just a bunch of flies, you know, that land in the city and you have no— you can't, you know, do anything about it.
But where are the flies coming from?
Where's the aliens coming from?
The planet Altair 4. Oh, you're imagining crickets or—
Anything.
Plague of locusts. Anything.
If you have no power, plague of anything is not fun, especially if you have no power. I'm just arguing that point.
The good news is it got sorted out eventually, and people were able to charge their electric fly swatters, because by the middle of the night, energy was restored. But we don't know, three or even now four weeks after it happened, what we don't know is how this all occurred, how the power cut happened. What we do know is that very soon after the power blackout started, several government officials ruled out the possibility of a cyberattack. Prime Minister of Spain, Pedro Sánchez, as well as Portugal's Prime Minister and the President of the European Council, they all said it's not a cyberattack.
I'd be likely probably to believe that at first instance.
It could be something more down to earth, couldn't it? I mean, it could be simply that someone wanted to do a bit of hoovering, they unplugged the electrical grid. We've all done it, we've all pulled out the wrong plug from time to time. So that view that it wasn't a cyberattack was also backed by the Portuguese Cybersecurity Centre. They said there's no indication the outage was due to a cyberattack. So what might it have been? Well, some people claimed it was all to do with renewable energy. Did you see those headlines?
No.
Do you guys not read the newspapers?
As little as possible.
Well—
I was deeply ensconced in Canadian politics at the time.
Fair enough. I understand that. Anyway, some people blamed it on renewable energy. They said it's all green energy's fault. They said over half of Spain's electricity supply does come from solar energy, and then it's followed by wind, nuclear, and gas. And renewable energy has become something of a political football in Spain. The Prime Minister there, Pedro Sánchez, he's a big fan of renewable energy, but there are far-right political parties less keen, and they said, well, things would have been much better if we'd been reliant on oil and gas. But in the weeks since the blackout, officials and energy experts, they say it's wrong to point the finger of blame that way, that there's nothing unusual about the energy mix. No one turned off the sun.
Right.
Didn't stop being quite so windy. You know, that wasn't to blame, they say. So another theory which was going around, and these theories were being spread on social media and so forth, was the blackout was due to low-frequency oscillations.
I just can't believe so many people online got things wrong.
Especially when it's really hard to get on the internet because there's a power cut. Right. Well, CNN and Reuters, they reported that the Portuguese Energy Grid Organisation— they said that they had claimed it was because of a rare atmospheric event which had induced atmospheric vibration, causing synchronisation failures between electrical systems. Now, I didn't understand a word of that.
Well, didn't they say— you remember that huge yacht that went under?
Oh, yes. The Bayesian. Yes.
They say that was a rare atmospheric event. They've just— I think they've just concluded that.
It wasn't just that it had an enormously tall sail and was out in very, very bad weather conditions.
Well, that is an atmospheric disruption.
I suppose so.
Yeah.
So I was wondering about this low-frequency oscillation, the synchronisation failures. And I was reading this scientific explanation. I didn't understand a word of it. So I plugged it into an AI and said, could you explain this to me like I'm a presenter of a cybersecurity podcast? And what it did was it explained to me that it was like a giant skipping rope. The European energy grid, it stretches across the entire continent. Every country is holding part of the rope and they all have to swing it together in rhythm, right? And that apparently—
That's not how a skipping rope works, but okay.
Well, okay, well, this is what they do. This is how the grid works.
This is what AI— Yeah, it's probably not seen much skipping, maybe.
I don't think it's for skipping. It's just— okay, just imagine it's a rope. It's a rope. Everyone's holding a bit of it and you have to swing it together, right, in rhythm so electricity can flow smoothly. And they claim that Spain and Portugal, which is at the end of the skipping rope of Europe, got out of sync. And that's why things wobbled around too much and that caused the problem.
But how do they get out of sync? I don't get it.
Yeah. Is your AI hallucinating?
No, there's something to this. It's less like energy got sucked or something.
Look, look, guys. Guys, you go away and you get a European length of skipping rope and start swinging it, and you will soon get out of rhythm, I promise you. So Reuters and CNN, they reported that REN, which is the Portuguese energy grid organisation, they reported that this is what they had blamed the outage on. But REN says, we never said that. And these media reports are complete bunkum. So, again, how did the misinformation get out there, which was being spread on social media?
Somebody just made it up.
This whole theory's been debunked. So, there's been this whole list of crazy reasons, which have been debunked and said, "No, that's not possible. That didn't happen." Which takes us back, I believe, to a cyberattack. And Spain is now investigating again whether a cyberattack was responsible after all. So, having initially debunked that theory, they're now saying, maybe it was. And they are demanding that the country's small and medium-sized power facilities, which I'm afraid are typically solar and wind farms, look into whether they are a weak link. And they are barraging those organisations with questions as part of the inquiry. Questions like, is it possible to control the power plant remotely? Were any anomalies detected prior to the incident? Have you installed any recent security patches or updates? I don't know if that's because you should have done or because they might have caused a problem. Hard to say with a security patch or update.
I find it interesting that one or a handful of companies would be responsible for the entire country going under.
Yeah, but the one in 2003 was one, you know, big breaker that just went, it went and then it was a domino effect. And so I think these things can happen starting from one smaller spot, but it's the domino effect. It's that toaster plug-in, you know, where—
Right, one goes offline, it surges.
Where you turn on the breaker and then it just keeps going, right? If you don't have the right infrastructure in place.
And you saw that power outage at Heathrow Airport not very long ago, and it was just a tiny little place which had some kind of explosion which happened to it, and it knocked out the entire thing and caused so much disruption.
I mean, the other thing is it's possible it's not a cyberattack, but somebody just messed up at one of those places and they're just not coming forward. They don't want to be held responsible.
I know, isn't it the best way if you screwed up? Cyberattack, swear to God. Nothing to do with me.
Yeah, that's what it was, because then you can blame it on somebody else.
It's not I fell asleep and—
Yeah, instead of you plugging something into the wrong spot.
It was Jerry. Jerry came in that day. He pressed that button.
Yeah.
It's always Jerry. Poor Jerry.
It said don't press, but he just had to do it. He just had an overwhelming urge.
So it may not be a cyberattack that was to blame. But it certainly is the case that cyberattacks have caused serious problems for electricity grids in other countries in the past. In Ukraine, in 2015, in the run-up to Christmas, people were getting ready for Christmas, snow was falling, cabbage was being boiled, and somewhere deep in Russia, they decided that was the perfect time to launch some sabotage. Hackers wriggled their way into the IT systems of Ukrainian energy companies, logged into SCADA systems, and they managed to turn the power off. Quarter of a million Ukrainians suddenly found themselves in the dark.
At the same time, what would be the motivation to do that to Spain and Portugal? We know what Russia's motivation was, right? They just want to mess with Ukraine, and that was the middle of winter. Yeah, so it's curious. Even if it was a cyber attack, what was the point? It feels like whoever did this did not actually want the whole grid to go down. Yeah, that's my guess.
Yeah, because then they sent the email and no one got it.
Geez. Exactly. Exactly. So either some hacker went wrong or it was just Jerry.
Sometimes you think, well, it could be an exploratory attack. You know, let's see if we can do it because at some point we may want to do it in the future, right?
That's true. That's true.
Geopolitically, things seem to be getting rather hotter between certain parts of the world. Again, they may be saying, well, let's just go and see what we can do. As I said, it's happened in Ukraine before. It also happened in India in 2020 in Mumbai, home to Bollywood, 20 million people, most of them practically living on the railways. Everything went dark. Trains ground to a halt. Hospitals had to use backup generators.
I'm glad, I'm glad that trains ground to a halt if they're living on the railways.
I'm just thinking of how crowded the trains are. Anyway, that has been blamed on a Chinese state hacking gang called Red Echo, who had been lurking on the power grid for months, dropping malware. So these things do happen. Now, the challenge, whether you be running the electricity grid in Ukraine, India, Spain, or Portugal. Challenges are the same. We are taught at cybersecurity school that it's all about CIA. Confidentiality, integrity, availability. Top of the pyramid, confidentiality. You've got to keep information secret. Integrity, you've got to maintain the integrity of the data, make sure it's not tampered with. And availability, yeah, people need to be able to access the data. But when you are dealing with critical infrastructure like the energy grid, that pyramid turns upside down. Suddenly availability is the most important thing. That's what they need. They need to be able to supply electricity. That matters more than confidentiality or integrity. And I think the challenge for the energy sector is there's very much an attitude of, if it ain't broke, don't fix it. When they say things, have you applied any security patches lately? Chances are on many of these industrial machinery and SCADA systems, they won't have done because they can't afford to break the power supply. It's got to be keeping up. So you have a lot of old systems sometimes running, which aren't properly patched and aren't properly defended and maybe aren't properly understood exactly how they work because the person who put them in place—
Yes, don't touch the black box, whatever you do.
Yeah.
It was set up by someone 25 years ago. So that's a real, real challenge. So I'm interested to see what Spain and Portugal come up with in terms of their investigation. It may not be a cyberattack, but certainly there are huge challenges for that sector. Dinah, what have you got for us this week?
Okay, so the unimaginable happened to my poor 16-year-old daughter. She had her Instagram account hacked. And taken away. I came home to the house at about 4 o'clock, and my husband looked a little bit frazzled and said to me, her account's been hacked. We're trying to get it back. I have to go back to work. Can you please help her? And I was, oh, okay, let's take a look at this, right? And it turned out, you know, we tried to get her account back using the my account's been hacked, but to do that you need to have access to the phone number or the email address associated with the account. And it turns out the hacker changed that immediately, so we weren't able to get in.
Okay, so if you've got an Instagram account and it is stolen by somebody else, the way to retrieve it is to go to Instagram and say, look, here's my email address, here's my phone number, therefore I own the account. But if someone has changed it—
Correct—
Is your daughter's Instagram account— I mean, does she have hundreds of thousands of followers?
No. And in fact, she'd only posted one story ever, and it was the day before, ironically. And it was because she did that ice bucket challenge with her friend, because that has come back to life, right? So no, she— it's a very private account. I don't think it was about that. I think it was a stepping stone to get more accounts. So the hack timeline is, you know, she gets home from school at like 3 o'clock, and she was sitting down. She had a lot of homework to do, so she was getting started right away. And she got a message on Instagram from a very close friend of hers, somebody she's known since kindergarten, right? And the message said, hey, can you do me a favor please?
Yeah.
And she responds with, sure, what do you need? And then the hacker sent a screenshot of purportedly their Instagram account, and it says, "Request help from friends. Send a request to your friends to help you get back into your account. How this works: Choose two friends on your Instagram who can confirm your identity. We recommend you call or text them so they'll know who sent the request." And this is actually an old feature. I don't think it's a feature on Instagram anymore. I couldn't find it anymore, but I did find references to it from about a few years ago, and it was a way to help recover your account or prove your identity, and you could request help from friends.
Basically, it was a way for Instagram to stop people contacting them, right? Their support desk don't want lots and lots of their users contact them. It's, yeah, let's farm this out to people's friends to confirm their identity, and that way they can get their accounts back, right?
And so the hackers are actually using this, right? And then underneath the screenshot of this, it says, can you please? And then my daughter's, well, of course. So yeah. And then again, they heart the message, making her feel more warm and fuzzies. Then they say, thanks, what's your number? And this is when my daughter sends her phone number. Again, she thinks she's talking to her best friend. This is a very hard situation, right? And then it says, check your phone messages, send me the code please. Which my daughter did. And she said to me after, she said, Mom, after I sent the code, I had this deep sinking feeling that I'd done something wrong. We never got mad at her about this. This could happen to us, you know. She was doing her homework and all of this happened.
Should we just explain to listeners what has just happened and why that was wrong?
Oh yes. So immediately her account was gone.
Yeah.
So basically what happened is they used the "my account was hacked" feature by Instagram to hack her account. They said, "My account's been hacked."
Yeah.
They put her phone number in, and then it requests a code. And there you go, Bob's your uncle.
Which got sent to your daughter. Your daughter then told the hacker who was able to enter it pretending to be your daughter, and the hacker gained access to your daughter's account through that mechanism.
Correct. And she was immediately locked out. Yeah, and you know, that's when she came running upstairs to her dad and they tried to access it, but obviously they changed her phone number immediately so we couldn't get any access to it. It's only after, because I was able to look at all the messages that were sent once we got it back, that I could see what else happened. So at 3:02 they sent the first message, and at 3:05 her account was gone.
Wow.
So that's how fast it happened. By 3:14 they started sending messages, from what I could tell, to at least 29 of her top contacts. So they went into her messaging app, they just went through the top people that they recently messaged. So now these are all her good friends, right?
Yeah.
And the cycle starts again. Hey, can you do me a favor?
Right.
And between 3:14 and 3:29 PM, 10 teens replied and agreed to help.
Yeah. And they sent the next message. You know, with the image again, and then, can you please help? And at this point, two teens ghost the hacker. So good for them. They figure out something's not right. Yeah.
Well, at 3:30 PM, the hacker went silent. No messages ever were sent from my daughter's account again after that initial wave. And it took me a minute, and then I realized what happened. So a few months ago, Instagram created something called Instagram Family Center, and it allowed you to put controls and monitor your child's activity. In talking with my daughter, we agreed that we would set a 1-hour time limit per day to Instagram. And so what happened was she'd been on Instagram earlier that day, and at 3:30 PM, the hacker got kicked out because of my parental controls.
So you had parental control over a hacker?
I did, yes. It was delightful. And then after 3:30, another 14 sent responses to the hacker, but obviously they didn't have any effect at all. And the hacker figured out that this account was somewhat useless now.
Yes.
So two days after, she got a text message from an unknown number. And it said, hey, screenshot her Instagram account, and then the words, you need it back. And so the hackers were texting my daughter to see if she wanted her account back, to buy it. And that's what I realized— they were trying to ransom her for her account.
That would work on a lot of teenagers too.
Yeah.
And so I told my daughter that's what they were doing, and then she laughed at that and blocked the number.
Cool.
I was like, yes, it's funny to you because you have nothing to lose. Yeah, you didn't send any untoward pictures to any of your friends. You didn't have anything in your account that you could be blackmailed with. And we're really lucky that that was the case. And this just isn't the case for all teens. And there's been a lot of instances in the news recently of teens committing suicide for fear of explicit pictures they've sent in DMs to become public because of somebody who has taken over their account, probably in a very similar way to this. So this part is my PSA.
Yeah.
If you have teens, especially if they're on Instagram or if they're on Snapchat or if they're on whatever else, apps that I don't even know about 'cause I'm in my 40s, please tell them that there is no picture worth ending your life about.
Yeah.
It sounds obvious to us as parents, but I don't think it is. It's not to them. If they are so worried that they might have disappointed you or anything, and maybe just having that conversation with them is enough that they'll come to you if it happens, you know?
Or have them listen to this show.
Or have them listen to this show.
Listen to Dinah.
Yeah.
I've gotta say, Dinah, well done on your detective skills.
Thanks, it was super fun.
Yeah, I bet.
And for eventually gaining control back over the account. I love the parental controls trick as well. So when you were contacted by this person who worked at Meta via LinkedIn, and you gave them your daughter's number and account.
It took a number of days. It took a while for that to come through.
It's a shame though that you had to use connections, which you already have, knowing someone who worked at the company.
Yeah, I don't think that's cool at all. There is no other way for us to— and then here's the other interesting thing that's been happening. I wrote this article, I posted it on my Substack and on my Medium account and posted it with Code Like a Girl. And I've been getting responses on there saying, oh, I'm this person, you know, I work at Meta and you can pay me $200 to get that account back. Wow.
I know that Mark Zuckerberg, he's so hard up for money, isn't he?
Yeah, totally.
Carole, what's your topic for us this week?
I am talking about legal aid in the UK, because they're in a bit of a pickle. But first, you know, I like to do a little bit of did you know, a little bit about legal aid, because obviously it is not something that's been around since the dawn of time. Can you guess when it might have come about in the UK? When would we have introduced legal aid as a service?
1971.
That is a good guess, but it was actually post-war. It was a post-war social reform, 1949.
Yeah. 1971 was post-war, Carole.
Yes.
Yes.
More closely to the end of the war.
But only 30 years off.
It was kind of seen as a counterpart to the NHS. Justice for all, not just the wealthy.
Okay.
Now, in order to use legal aid in the UK, applicants must prove financial needs. So, you know, even if you qualify, you may have to repay some or all the costs if you win money or property from your case.
Okay. Yep.
And that's a way to make sure it's just those that really need to use it. But still, I don't know, it's kind of cool, how beautiful that there are countries out there that introduce and maintain such a system. Because basically it says you can't get away with something just because the other person is poor. But alas, my friends, as we know, every government-funded rainbow has a shadowy cloud ready to kill the beauty. So this service has not been nearly as readily available since the LASPO Act. So Legal Aid, Sentencing, and Punishment of Offenders Act was passed in 2012.
Yeah.
So this act, LASPO, dramatically reduced the scope of legal aid. So many areas like family law, housing, welfare benefits, immigration cases were cut or severely limited, like fallen by 80% since 2012 in some areas, with parts of the country being described as legal aid deserts. And this is despite the population increasing by 5 million people in the same time period. So the upshot is we have an overburdened system that is desperately underfunded. And maybe that might help to explain why what has been unfolding in the past few months, but it's only come to light this week. So Monday this week, we see reports that the Legal Aid Agency's online digital services which are used by legal aid providers to log their work and get paid by the government, have been taken offline. And it wasn't a technical fault. The Ministry of Justice confirmed that the agency services were indeed hacked. That happened this week. See, the rainbows are vanishing, being replaced by thundery clouds here. The BBC reports that the Ministry of Justice said the following: This data may have included addresses of applicants, dates of birth, national ID numbers, criminal medical history, employment, financial data such as debts and payments.
Oh boy.
Now, if that's not uncomfortable enough, it seems that the initial cyberattack was detected in April this year. And it has since become apparent that the incident was more extensive than originally understood. That is, quote, quote, more extensive than originally understood. It's a bit vague.
Yeah, of course it is.
And that vagueness scares me quite a bit.
Yeah. Because we didn't know what was happening in the first place.
Right. So you detected something going awry in April, but what, you just thought, ah, it's a blip, and don't do your due diligence for whatever reason? What, maybe because you don't have enough people?
Or you just don't even have the expertise in-house at all.
Right. Lack of resource completely. The hackers were able to take data as far back as 2010.
Oh.
So the BBC article says it understood that 2 million pieces of information had been taken. So some of this data would include children who have been mistreated, abandoned, or wronged, people who have been trafficked, sexual and domestic violence victims. These are vulnerable people who definitely do not want to be found by the wrong people.
And this data is now in the hands—
Of—
of cybercriminals.
Right. And it goes back, what, 15 years?
Oh, boy.
That must be so scary for the people that had it taken. So scary and so disappointing that the government didn't keep it safe.
Yeah. It's unclear whether affected individuals have even been contacted yet. So this is as of yesterday. The Law Society, which represents the legal profession in the UK, said the Ministry of Justice needs to get a grip on the situation immediately and notify all those affected individually. And now that the fiasco has come out into the open, there are, of course, fears of scammers jumping in on the confusion to target those whose data—
Of course.
Was in the legal aid system. And this is not even people who received legal aid, but anyone who's applied for legal aid may be impacted, right? So we're warning people to be on alert for any suspicious activity, including unknown messages or phone calls, and to update any potentially exposed passwords. Okay, so how is the MOJ gonna communicate with the people that have been affected if everyone is looking out for unknown, unexpected messages? But they're expecting a message, but they shouldn't expect it from the scammer, just from the MOJ. Do you see what I mean? Yeah, it's a bit of a—it's similar to the grocery store hacks we've been seeing in the UK over the last month or so where they're just taken offline. But in this case, the vast majority of the people are people in need who've already, many of them, been victimized and traumatized and maybe just need a break.
Yeah. Unclear what the hackers want to do with this. Are they ransoming this group or is it just for identity theft?
That's going to be the fear, isn't it? It could be used for extortion, couldn't it? Against the individuals, not just the organization. But the actual vulnerable people.
Right, maybe some of these cases were sealed. You don't even know if they have children in them or minors. They might have been sealed to the media.
Yeah, and we don't know how much information—the article focused on identifiable information, but who knows about the information about their particular case and how much of that has been shared. So it's a bit of a nightmare. It's still unfolding, so we will watch this space. There's lots of links in the show notes for you if you want to nose in a bit deeper. But yeah, shame and tsk tsk. This is really bad. Not cool.
Now, the folks at MetaCompliance know that real cybersecurity starts with your people. That's why their approach is different. They don't just deliver generic cybersecurity training, they personalize it.
Every employee gets content tailored to their role, location, and level of risk. It's engaging, it's relevant, and most importantly, it drives real behavior change. MetaCompliance has created a free security awareness planner, your 12-month roadmap to building a culture of cyber awareness. It's designed to save you time, increase staff engagement, and make it easy to plan meaningful campaigns that reduce risk.
Whether you're just starting out or looking to improve your current program, this planner gives you a clear, structured path to follow, and it's completely free. Download it today and take the first step towards smarter, more effective cyber awareness. Just visit metacompliance.com/planner. That's metacompliance.com/planner. And thanks to MetaCompliance for sponsoring the show. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to 1Password.com/Smashing. That is 1Password.com/Smashing. And welcome back. And you join us for our favorite part of the show, the part of the show that we call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. My Pick of the Week this week is a TV show which I have been watching. Not a drama, not a documentary.
20th century.
Nothing like that. Ooh, a comedy? Not a comedy. Not related to chess. None of the usual things which are up my alley. No, this is a programme called The Assembly. Have you seen The Assembly, Carole?
No, I haven't heard of it.
Right. Well, The Assembly is something— it has happened in other countries as well. I believe they've done it in some European countries.
Is this reality TV?
Well, it's not. Let me explain what it is. The Assembly takes a group of autistic, neurodivergent people with learning disabilities, and gets them to interview celebrities.
Oh, I'm gonna love this. I'm gonna just love this. I love Love on the Spectrum, so I feel I'm gonna love this.
They ask questions. Nothing is off limits. It's amazing. It is absolutely heartwarming and beautiful.
What programme is this on? Which streaming service?
So, initially, I saw it on the BBC, on BBC iPlayer. But the series then switched over. That was an episode with Michael Sheen, the Welsh actor, who was asked about Dylan Thomas and things like that. And then it went to ITV, where we've had David Tennant, the former Doctor Who, one of the girls from Little Mix, Gary Lineker, Danny Dyer. He's a geezer. It is lovely. The first one I saw was the one with David Tennant, where he's asked some difficult questions, refreshingly honest. But to be honest, this old softie got a bit of a tear in his eye during most of these episodes because it is really, really touching and refreshing.
What's touching, though?
What is touching is the honesty of the situation, the questions people are being asked, the human connection between these people.
Oh, all the fake glossy gloss that most interview shows put on is gone.
Exactly. And it's not the normal questions which you would ask celebrities. And sometimes they play a little song at the end where the interviewers, some of them will get together and play some music for the celebrity. Sort of thank them for coming along. And I have to say, the performance they did of Sunshine on Leith for David Tennant, which is one of those songs, it is such a beautiful song anyway, it's absolutely heart-wrenching, it was wonderful.
I got to figure out how to watch this in Canada. We'll be in touch.
We'll work out a way of getting you access. There are clips on YouTube if you want to enjoy it up there as well. And as I said, there are versions of this programme in other countries around the world. But my pick of the week, absolutely, I'd strongly recommend The Assembly. Cool. Very good. Dinah, what's your pick of the week?
Have you guys all heard of Ironman? Right, the Ironman competitions?
Heard of Ironman? I practically am Ironman. I'm getting up at 3 o'clock every morning.
I'm— Is it 8 different or 10 different sports you have to do?
No. Yes, that's what I did.
That's what I did. The Ironman is, it's a triathlon.
Well, yeah, I did Ironman Plus. I did something a bit stronger than that, yeah.
So here's the thing though, when you're a swimmer, any of these triathlons always feel like when your main sport was a swimmer, you feel really cheated. For a swimmer, Olympic distance, a kilometre and a half, it's not that far, it's fine. But then the bike and the run, they're crazy. They're super far, especially in an Ironman, right? So the Ironman swim's 4 kilometres. That's far, but it's not crazy for a swimmer. But the bike's 160 kilometres and then the run is 42 kilometres, right?
It's crazy. Yeah, it doesn't compare.
Right. And so many years ago I quit running anyway, but I did like to try and do triathlons. But both my daughter and I are swimmers and I got back into swimming a couple years ago and I discovered this amazing organisation called Oceanman. So it's like an Ironman, but it's only swimming. And so an actual Oceanman swim length is a 10-kilometre swim. Oh, wow. And that's a, I even think that's a little bit insane. I personally like to stick to what they call the sprint distance, which is 2 kilometres. That's just far enough for me, but my daughter loves distance swimming and she recently did her very first 5K. Congratulations. Wow. Yeah. And so what's really cool about Oceanman is they host races all over the world. So basically you can one, do an awesome event, challenge yourself and find other people who actually like swimming and not the running and the biking part. And we just wanna do the open water swim. But two, it's a great excuse to go on a vacation someplace else. So I was also supposed to do the race in Spain, which unfortunately I've injured my shoulder, I couldn't do it, but oh well, had to go to Spain anyway for my daughter. That was such a hard choice.
Yeah, me too. I was hoping to swim there too, but yeah, I got an injury.
Yeah, couldn't make it. I did do one in Curaçao in October. And so they really are all over the world. So if you like swimming and you want a challenge, you're like, you wanna be cool like the Ironman people, but you don't actually wanna bike or run, you can do Oceanman instead and you can go all over the world. So I'm currently looking at their map for this year and you can do swims in Nicaragua, Ecuador, Argentina, Egypt, Greece, Italy. You can even do one in Kiev, Ukraine. I feel that's very bold right now. I'm not sure I'm up for that, and they did three in Spain this year. So there's, I think it looks like there's about 25 different races you can do all over the world. So it's kind of a cool thing to do. It's like travel racing. Go to, go see a cool place, do a race. You know, it's something I like having a goal to train for.
Yeah, come home and feel pretty smug.
Yeah, right. Yes, because I— yeah, exactly, exactly. My daughter comes out and she's dying because it was actually really wavy, so it took her a lot longer than expected and I bet she was exhausted. And then we're like, are you gonna do it again? She's like, yeah. And she's like, and one day I'm gonna do a 10K. I'm like, okay, you are crazy, but I love you.
I was a swimmer, and open swimming, open water swimming compared to pool swimming is very different, right?
Yeah, but we also did a different race in Barbados, and I saw 19 turtles while I did the race. It was great. It's really, it's a fun way to— yeah, I don't know, it's a different way to explore the world and challenge yourself.
I think it's a great pick of the week.
Cool. Carole, what's your pick of the week?
Well, I am very glad Dinah's here because I have a book, and a fiction book, and Graham is not typically that keen on fiction.
Okay, well, try me.
So I finished it just two hours ago, and it's a beautiful beast called All the Colors of the Dark by Chris Whitaker. Don't think you've read it because you would go, oh my God, oh my God, I love it.
I haven't, but I'm looking it up.
So it came out last year. You know when you finish a book and you are just better armed for life because of it? This book is one of those books. So the gist is this. One summer, this little town called Montclair is shattered by the abduction of a teenage boy nicknamed Patch. And nobody more so than St. Brown, best friend, who will risk everything to find him. And when she does, it breaks her heart. It's difficult to describe the book's genre, but you have a really fast-paced cat and mouse thriller, a police procedural, a murder mystery, a small-town domestic drama, and a multi-layered, decades-long love story.
Oh, this sounds great. This is going on my list for sure.
Yeah. And it had me laughing out loud.
Oh, I love that. Yeah.
There are characters in it that are just hysterical. And I don't laugh out loud very often at books, but I really did. And I also teared up. So that's rare. It's rare for me. I read a ton, and I promise, very, very rare.
So did you read it or audiobook?
I do both. Audiobook. But I'm going to buy the book because it's so beautifully written that I want to see the sentences. It's so tight. I just— oh, I don't know, it just blew my mind.
I'm reading it's the number one best-selling book in the UK at the moment.
Well, hey, there you go, very topical, Graham. Yeah, you should try it, or at least get the book in the house, or try the audiobook.
I love listening to audiobooks. Yeah, me too, like audiobooks and podcasts. I listen to them all the time doing all the things I'm doing.
I always feel a bit wanky not saying it's an audiobook, but then what do you say? Like, have you read or listened to? I don't know, maybe I should experience— experienced. That's what my brother and I say.
My favorite thing to do is listen to audiobooks, like of biographies, and read by the author. So good. It's way better than reading the book. Like, just hearing it in their voice is so powerful.
Yeah, Demi Moore's one is pretty awesome. I think that was a Pick of the Week in the past, but that's definitely worth—
Yeah, I think my favorite memoir was— oh shoot, he used to run The Daily Show. Jon Stewart? No, no, Trevor Noah. Yes, Trevor Noah, thank you. His book about his childhood is unbelievable, and read by him because he does all the accents and stuff as well. It's really good.
I highly recommend. Well, the novel All the Colors of the Dark by Chris Whitaker is my very highly recommended pick of the week.
Terrific stuff. And that just about wraps up the show for this week. Dinah, thank you so much for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
Yeah, I've got a new Substack called Dinah Being Me. You can always also find us at codelikeagirl.io, which is all the tech articles written by women. And on LinkedIn is Dinah Davis.
Marvelous. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, MetaCompliance, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 417 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye.
Beast of a show. Go there. Brilliant. Thank you so, so much.
That's good. It was fun though.
Thank you. Yeah, thank you very much, Dinah. I really appreciate you coming on, sharing that with us.
Hosts: Graham Cluley and Carole Theriault
Guest: Dinah Davis
Episode links:
- 418 – I’m a teapot – MDN Web Docs.
- 2025 Iberian Peninsula blackout – Wikipedia.
- What could have caused the major power outage in Spain and Portugal? Experts weigh in – Euro News.
- Spain investigates cyber weaknesses in blackout probe – Financial Times.
- Report on Working Conditions at INCIBE, the company Investigating the blackout – El Cierre Digital.
- My Teen’s Instagram Account was Hacked – Dinah Davis.
- We Got Her Account Back, Here’s What the Forensics Revealed – Dinah Davis.
- ‘Significant amount’ of private data stolen in Legal Aid hack – BBC News.
- Civil legal aid: millions still without access to justice – The Law Society.
- Civil representation – Legal aid data – GOV.UK.
- Legal aid statistics England and Wales bulletin Oct to Dec 2024 – GOV.UK.
- Funding for justice down 22% since 2010 – Bar Council.
- The Assembly – ITV.
- The Assembly review – this celebrity interview show is going to be massive – The Guardian.
- The Assembly: Inside the most groundbreaking TV show of the year – The Independent.
- David Tennant gets emotional from neurodivergent musicians – YouTube.
- OceanMan.
- All the Colours of the Dark by Chris Whitaker – Orion Books.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- MetaCompliance – MetaCompliance’s Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
