Trezor wallets hacked? Don’t be duped by phishing attack email


Owners of hardware Trezor cryptocurrency wallets should be on their guard after an email was sent out by thieves attempting to dupe them into downloading new software to their devices.

The emails claim that Trezor, which has been making physical USB-connected devices to protect the cryptocurrency and tokens of users since 2014, “experienced a security incident” yesterday that breached the data of 106,856 of its customers.

Here’s a screenshot of the email, which has the subject line “Your Trezor Suite might be compromised”:

Trezor phishing email

Part of the email reads:

At this moment, it’s technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you’ve recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen.

However, in reality, the email is not from Trezor at all – but is instead an attempt to dupe unsuspecting owners of Trezor devices into downloading a bogus version of the company’s desktop suite software from a lookalike website.

Fake trezor website

If you were unfortunate enough to click on the link offered in the email you would find yourself taken to: https://suite.trẹzor.com

Notice anything odd about that? Take a closer look.

Fake trezor url

Now you’ll hopefully notice that there is an underdot under the letter “e” in “trẹzor” in that URL. And that means you’re not going to the real Trezor website (which is at https://trezor.io – the real domain is not even .com!)

This is known as a Unicode domain phishing attack, also called an IDN homograph attack: the internationalised domain name looks like the real one in the browser's address bar, but it is a different string and so a different domain.
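A defender can catch this kind of lookalike automatically rather than by squinting at the address bar. The script below is an added example, not code from the article or from Trezor: it takes a URL, strips any diacritics from the hostname to get its plain-ASCII "skeleton", shows the Punycode (xn--) form that DNS actually resolves, and flags the host if it contains non-ASCII characters or if the skeleton carries a known brand name on a domain other than the genuine one. The only genuine domain it knows is trezor.io, as stated above; the sample URLs are constructed for the demonstration.

```python
"""Flag lookalike (IDN homograph) hostnames such as the one in the Trezor phishing email."""
import unicodedata
from urllib.parse import urlsplit

# The only genuine domain named in the article; everything else is untrusted.
GENUINE_DOMAINS = {"trezor.io"}
BRAND_LABELS = {domain.split(".")[0] for domain in GENUINE_DOMAINS}  # {"trezor"}

# Constructed sample inputs: the real site, the lookalike quoted in the article,
# and a plain-ASCII .com host that merely borrows the brand name.
SAMPLE_URLS = [
    "https://trezor.io",
    "https://suite.trẹzor.com",
    "https://suite.trezor.com",
]


def skeleton(host):
    """Collapse 'trẹzor' to 'trezor': NFKD decomposition, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registered_domain(host):
    """Last two labels of the host. Enough for .io/.com here; no public-suffix lookup."""
    return ".".join(host.split(".")[-2:])


def analyze(url):
    """Return a dict describing why a URL's hostname is (or is not) suspicious."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    is_ascii = host.isascii()
    # The form the resolver looks up: any non-ASCII label becomes an xn-- Punycode label.
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # malformed label; still treated as suspicious below
    plain = skeleton(host)
    reg = registered_domain(host)
    reg_plain = registered_domain(plain)

    if reg in GENUINE_DOMAINS:
        verdict, reasons = "genuine", []
    else:
        reasons = []
        if not is_ascii:
            reasons.append("hostname contains non-ASCII characters")
        if reg_plain.split(".")[0] in BRAND_LABELS:
            reasons.append(f"brand name in '{reg_plain}' but genuine domain is {sorted(GENUINE_DOMAINS)}")
        if punycode is None:
            reasons.append("hostname is not valid IDNA")
        verdict = "suspicious" if reasons else "unknown"

    return {
        "host": host,
        "is_ascii": is_ascii,
        "punycode": punycode,
        "skeleton": plain,
        "verdict": verdict,
        "reasons": reasons,
    }


def run_samples(urls=SAMPLE_URLS):
    """Analyze each constructed sample and return the list of reports."""
    return [analyze(u) for u in urls]


if __name__ == "__main__":
    for report in run_samples():
        print(f"{report['host']:<22} -> {report['punycode']}  [{report['verdict']}]")
        for reason in report["reasons"]:
            print(f"    - {reason}")
```

The Punycode line is the one worth showing users: the browser may render `suite.trẹzor.com`, but the name on the wire starts with `suite.xn--`, which is an immediate tell. A mail gateway or link-rewriting proxy can apply the same two checks (non-ASCII label, brand label on a non-allowlisted registered domain) before a link ever reaches an inbox.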


So, don’t trust the email. Don’t click on the link. The genuine Trezor Suite doesn’t ask you for your wallet’s private keys and doesn’t store them online, but who knows what this bogus software might ask you to do.

If you do want to update your Trezor’s firmware or desktop software, go to the official Trezor website instead.

One question remains – how did the malicious email get sent to so many Trezor customers? Is it possible Trezor, or one of its marketing partners, has suffered a security breach that has exposed members of its mailing list?

Update:

Trezor says it is investigating whether an opt-in mailing list it runs at MailChimp may have been breached. That would certainly explain how Trezor customers were targeted.

Trezor tweet

Sources inside Trezor tell me that this “was an inside job by a MailChimp rogue employee.”

That’s how they targeted Trezor users in this highly-convincing attack.

Hear more views on this incident in this episode of the award-winning “Smashing Security” podcast, with me, Carole Theriault, and special guest Zoë Rose.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

So I wrote about this. Oh, fuck. I've just spilt water all over my keyboard.

Carole Theriault

Oh, fuck.

Graham Cluley

Oh dear. Don't panic. Hang on. There's big puddles of water on my desk, Barry.

Carole Theriault

Oh my God. Do you want to take two minutes to deal with this?

Graham Cluley

No, no.

Carole Theriault

Just quickly work one way.

Unknown

Carole, the show must go on. It can't stop for anything. Smashing Security, Episode 269: Trees or Deep Throat, a CCTV Stalker, and Amazon's List of Banned Words with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 269. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, this week we are joined by a returning guest, someone who hasn't been on the show for a couple of years, but we're delighted to have her back. It's Zoe Rose. Hello, Zoe.

Zoe Rose

Hello. How are you?

Carole Theriault

Fabulous to have you back. You are our listeners' favourite voice. So I'm sure many of them are going crazy.

Zoe Rose

I try not to laugh too hard because I'm not a huge fan of my own voice, but I do appreciate it.

Graham Cluley

Yeah, there were a lot of people who liked your voice and I think they—

Carole Theriault

Well, they still do, I imagine.

Graham Cluley

Well, hopefully.

Carole Theriault

It's not gone.

Graham Cluley

Because you've got that weird amalgamation. Everyone's thinking, where does she come from? What's she doing? I know you've moved about a bit. And the other big news with you, of course, is that since you were on, you've had a child.

Zoe Rose

I have made a human being. Isn't that shocking?

Carole Theriault

Incredible though.

Graham Cluley

Don't go into details as to how you made it. But anyway, so there is a mini Zoe Rose out there now.

Zoe Rose

Yes, with much more fabulous hair. Oh, it is adorable.

Carole Theriault

How about we thank this week's sponsors, Collide and Keeper Security? It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

Oh, well, something unpleasant that arrived in my mailbox.

Carole Theriault

Ew. Okay, Zoe, what about you?

Zoe Rose

I am also talking about not something super pleasant. It's about a man that has decided to be a stalker.

Carole Theriault

Oh gosh, okay. And I'm gonna look at ideas from Amazon head honchos on how to boost employee morale. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, I want to tell you about something which happened to me this past weekend. Sunday morning, there I am, I'm thinking, oh, I've got to get out of bed. Another day. Drag myself out from under the duvet.

Carole Theriault

Is it really that hard?

Graham Cluley

Well, it's Sunday morning. You sort of think, oh, it's—

Carole Theriault

You need to put Dolly Parton on when you get up and then—

Graham Cluley

Really?

Zoe Rose

Yeah.

Carole Theriault

Wake up in the morning, stumble to the kitchen.

Graham Cluley

Oh, very good. Anyway, I stumbled to my office and I saw that I had received an email telling me that Trezor, or I think it's pronounced Trezor, had been hacked. Do you know what a Trezor is?

Carole Theriault

Well, if it's French, trésor, it's like a treasure.

Graham Cluley

Oh, oh, maybe that's why they named it that. It is a hardware wallet, something which connects via USB to your computer. And what you do is you store your cryptocurrency wallet on it. So if you don't trust online cryptocurrency wallets, brackets, you shouldn't trust online cryptocurrency wallets because they're getting hacked all the time, then you might choose instead to store it on a USB stick via one of these things, which stores it securely. Now, I've only got about £5 worth of cryptocurrency.

Zoe Rose

Ooh, you are rich.

Graham Cluley

So it's not as though it's doing me very much good. But I received this email, which appeared to come from Trezor, and it said, "We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers. And the wallet associated with your email address is within those affected by the breach." And this message, which looked pretty legitimate, said that hackers had broken into Trezor's admin servers the day before, last Saturday. And they said, we're looking into this data breach, but we think that there could be a problem for you. So you need to update the desktop piece of software on your computer called Trezor Suite, because otherwise your cryptocurrency assets are at risk of being stolen.

Carole Theriault

And this came by email?

Graham Cluley

This came via email, that's right. Came from trezor.us. And I was thinking, oh, that's a bit worrying. Now, obviously, at first I was thinking, well, it might be real because I do have a Trezor device. So they may well have my email address when I bought it. And I clicked on the link in the message and it took me to what appeared to be the Trezor site. And I thought, well, this is quite a good story. I thought I should write this up for my blog, quite interesting if Trezor have been hacked.

Zoe Rose

Yeah, and it sounds like it was quite a professional email as well. Not the typical poorly spelt, poor grammar. Interesting.

Graham Cluley

And it's not one of these phishes which is sent out to hundreds of thousands of people who aren't Trezor customers. And I looked online and genuine Trezor customers are saying, I've received this, what on earth is going on? And my spider senses, I've got spider senses. My spider senses were tingling.

Carole Theriault

That explains all the arms.

Graham Cluley

I was thinking, whoa, what's going on here? And I wondered if the email was genuine. I thought, I'm gonna look at it. So I look at it on my phone and it looks like it's taken me to suite.trezor.com. And I thought, okay.

Carole Theriault

Okay.

Graham Cluley

Looks like the Trezor website's got their logo, it's got their branding. But then I noticed something. And I took a really close look, which isn't easy with my eyesight on a tiny little iPhone SE.

Zoe Rose

I can relate to that. But I noticed that under the E of Trezor, there was a little dot. And I thought, is that a dot on my screen?

Carole Theriault

Which is very possible because, yeah, exactly.

Graham Cluley

The cleaning issue, right. So is it a dot on my screen?

Carole Theriault

Is it a piece? Yeah, it's dried food.

Zoe Rose

Or— I can also relate to that because my screen is full of child's fingerprints.

Graham Cluley

So I wrote about this. Oh, fuck, I've just spilt water all over my keyboard.

Carole Theriault

Oh.

Graham Cluley

Oh dear. Okay, don't panic, anybody. So I'm just gonna turn it up. I'm just gonna turn it upside down and put it over here, hang on. And there's big puddles of water on my desk.

Carole Theriault

Oh my god.

Graham Cluley

And I haven't got a drink anymore. Okay, all right.

Zoe Rose

Oh no.

Graham Cluley

No, well, let's not worry too much.

Carole Theriault

Do you want to take two minutes to deal with this issue?

Graham Cluley

No.

Carole Theriault

Just quickly. We can wait.

Graham Cluley

Carole, the show must go on, right? We can't stop for anything.

Carole Theriault

Just don't electrocute yourself.

Graham Cluley

Zoe's a very important person. She's very busy. We can't—

Zoe Rose

Okay, but if you die, I would be really guilty.

Carole Theriault

Is there water where the cables are?

Graham Cluley

There's a big puddle. There's a big puddle.

Carole Theriault

Okay, can you please just take care of that? I'm just going to swipe it off.

Graham Cluley

Hang on, here we go. We're gonna swipe.

Carole Theriault

Oh my gosh.

Graham Cluley

1, 2, 3. Oh, I don't know if you can hear us. Are we? It's very wet here.

Carole Theriault

Just get a towel, for God's sake.

Graham Cluley

Okay, okay, I'll get a towel.

Zoe Rose

I'm responsible for a mini human. I cannot be responsible for you as well.

Carole Theriault

Exactly. Can you imagine he dies and we have to go to a funeral?

Zoe Rose

Oh, that would be so much work.

Carole Theriault

And then it'd be, well, how did he die? Well—

Graham Cluley

I'm coming back.

Carole Theriault

I'm coming back.

Zoe Rose

He was overwhelmed by Zoe's lovely voice.

Graham Cluley

Luckily, my office has an en suite bathroom. So I do have a—

Zoe Rose

Oh, you are fancy.

Carole Theriault

He is extremely fancy.

Graham Cluley

Oh my goodness, all this water everywhere. What's this? Okay.

Zoe Rose

How big was your cup?

Graham Cluley

It was great big. Oh my goodness. Trough.

Zoe Rose

Okay.

Graham Cluley

Right. Okay. So, hello. So, right.

Zoe Rose

Right.

Graham Cluley

Right, so yes, there was a dot. Anyway, so I wrote about this on my blog, 'cause I thought, "Ooh," I thought, "No one's really—" I thought, "That definitely isn't the real Trezor website. I don't know what it's downloading, but I thought this is dangerous. I need to warn people, 'cause people are believing this." And so I posted a warning up on Twitter and on Reddit. I linked to my story on my blog, and I found other people had also been posting on Reddit saying, "Hey, I've received this email. What's going on? You know, it could be a bit dodgy." And what was interesting is their messages on Reddit were being downvoted. Someone was choosing downvote, downvote, downvote, downvote.

Zoe Rose

More than someone then. That would be a lot of accounts for it to make a difference.

Graham Cluley

Exactly. So, and I thought, why are they doing that? Because this appears to be a genuine warning to people. Who has a vested interest in downvoting a warning about an attack against Trezor users?

Carole Theriault

People that can financially gain from it. Exactly.

Graham Cluley

You're so clever, Carole. And then I noticed something else, right? My website was slowing down a lot because as I was trying to update my story about this attack, my website began to time out. I thought, that's not normal. I'm not that popular.

Zoe Rose

Well, exactly.

Graham Cluley

At first I thought, oh God, I am so popular. I've been slashdotted, Reddit, they're all coming through to my wonderful article. But I thought my website should be able to handle this. And so I thought, okay, well, what I'll do is I'll just drop a line to my web host. So I log in to them, the people who manage my website for me.

Carole Theriault

Yeah, your hosts.

Graham Cluley

Yeah, my host, who are hosting hundreds and hundreds of other websites as well. Right. Find out all of their services down as well. And I thought, not just my site. And I thought, that's a bit of a coincidence, isn't it? So I've just written about this attack and suddenly my web host has gone down and my hosts are not in the habit of going offline. I thought, wonder if someone's trying to silence me, just like they're downvoting these other messages on Reddit.

Zoe Rose

That's really actually quite good. Not only they've got good grammar, very professional email, they've got a whole army of Redditors, I don't know. And now they've got something set up to send off a DDoS. That's interesting.

Carole Theriault

That doesn't help your relationship with your host very much, I imagine.

Graham Cluley

I thought I've had that problem with web hosts before. Yeah, do you think? Don't antagonize them too much. So I went back on Reddit and what I noticed now was that my warning about the scam email, the one which was linking to me, suddenly been massively downvoted by persons unknown. So I thought, okay, there's definitely an attempt to stop people from hearing about this attack that's going on. Did you take to the streets, Graham?

Carole Theriault

Did you take to the streets?

Graham Cluley

With a little placard, I went out on the street. I thought, there's no other way to do this. Now Trezor at this time they hadn't said anything, right? There was nothing on their site, there was nothing on their Twitter account. And I wondered out loud in my article, how was it that Trezor customers had been targeted by this scam? You know, had anyone who wasn't a Trezor customer received this email? Had someone hacked Trezor or maybe hacked the service that Trezor used to send out the emails? Maybe Trezor didn't have two-factor authentication in place on their mailing list or what's going on? And it was about now that someone from Trezor contacted me. And he said, look, you know, stop speculating. He said, we haven't done anything wrong. He said to me, what's happened is that Mailchimp, the mailing list service that we use, they are responsible. He said, it's a rogue insider at the firm who has hacked our account and stolen our addresses and is spamming people. And I said, ooh. And he said, can you update your article? And I said, well, I can't update my article at the moment because my site's been DDoSed. I can't log in.

Zoe Rose

I'm just too popular.

Carole Theriault

Yeah, and why didn't Trezor go out with that information because they didn't want to be targeted by them?

Graham Cluley

Well, I said to him, I said, this is really juicy. I said, can I quote you? And he said, no, you can't. I said, well, can I say sources inside Trezor? He said, yes, you can say that. He said, but I don't want my name in it because our official CTO, he's going to want to say something about it and I'll be jumping on his toes.

Carole Theriault

Should we call him Deep Throat then?

Graham Cluley

Let's call him Deep Throat. I was able to eventually update my website, although it was still very slow to say Trezor saying, it's not them, their Mailchimp account got attacked by an insider inside Mailchimp.

Zoe Rose

But if they already know that, they should be warning their customers.

Graham Cluley

Well, thankfully at that point then they did. So shortly afterwards, they did post something up on their Twitter account.

Zoe Rose

Ah, your little placard going into the streets worked.

Carole Theriault

And how much time has passed now since you've published the article and all this has happened?

Graham Cluley

Oh, a few hours.

Carole Theriault

A few hours. Okay, so this is a few hours of work.

Graham Cluley

And it was a Sunday. You know, and so, you know, it's not too bad. They're not going to beat them up too much. And on Monday, Mailchimp said that their service had been compromised targeting crypto companies. And it's unclear a little bit as to whether it's a Mailchimp employee or whether a Mailchimp employee had their account breached. But what Mailchimp are saying is that a hacker accessed internal tools at Mailchimp, accessed over 300 Mailchimp accounts used for sending out mailing lists for companies in the cryptocurrency and finance industry. So not just Trezor, but hundreds of other companies. And the hacker ended up exporting the mailing list for over 100 of those mailing lists to do whatever they wanted.

Zoe Rose

That is quite clever.

Graham Cluley

So it may not just be a Trezor thing which is going on there. There may be subsequent attacks which are gonna happen, which may look like quite plausible messages from your crypto company or your crypto wallet firm or whatever it might be, trying to trick you.

Zoe Rose

Yeah, and also, who's likely to go to the police when they lose, you know, for your example, £5? You're not going to do that. Well, if you did actually lose it, £5, maybe not.

Graham Cluley

But I fortunately didn't install the software which this email was telling me to install. But I did hear from people who said they had literally had their entire cryptocurrency investments absolutely raided, and so they have nothing left. And some people— Really? Yep. Some people told me that they lost everything over the weekend. And what a poop storm as well for Mailchimp. Well, yes, obviously a lot of companies who have been affected by this breach are going to be concerned. And I would hope that those crypto companies are going to be contacting their customers and saying, look, your details may have fallen into the hands of hackers, so be on the lookout for phishing attacks and who knows what.

Zoe Rose

And from the boring perspective of, you know, in my job I have to deal with not so fun stuff like supply chain and that. And I'm not going to lie, if I was a cryptocurrency company, I wouldn't probably value Mailchimp that high on my making sure that they meet, you know, some security standard. So I could see that there's a bit of a gray area of who's going to be held responsible. One, Mailchimp, did they have the right controls? Two, the cryptocurrency, did they do their due diligence there?

Graham Cluley

Yeah, it is unclear because Trezor say it was a rogue employee inside. Mailchimp are saying hackers accessed internal tools. It's unclear whether it may have been a legitimate employee who was socially engineered maybe into giving access to someone else. Yeah, totally. Yeah, which is— It's a gray area for sure, but clearly less than ideal. What's going on?

Zoe Rose

Not ideal, yes. That's a very British way of putting it.

Graham Cluley

Fortunately for me, I didn't lose any money. More damage spilling the water over my desk. Zoe, what story have you got for us this week?

Zoe Rose

Mine is also not so lovely. It's regarding a man that was dating someone. They broke up and he was not too happy about that, and he had previously installed her CCTV system and was watching her on it.

Carole Theriault

Oh, like after post-breakup, like not telling her, just stalking her basically through the camera.

Zoe Rose

Yes. And then she went on holiday, and so he let himself into the apartment, and as you do, you know. And even worse is he took pictures of her flat and then when she came back, sent them by email to her. Without context, just pictures of her flat.

Carole Theriault

Like, what is this, from an anonymous email address? It was. Aha. So he hid his identity.

Graham Cluley

That's the way to endear someone, isn't it, to you?

Carole Theriault

You know, a great way to win someone back.

Graham Cluley

Yes.

Zoe Rose

And then claimed it wasn't him. But when he was interviewed by police, I think he originally had said he had been sent them by somebody and he was sending them on to her because he was concerned for her safety, but he obviously admitted to being the one that took the photos and sent them later when he was interviewed by police. Unfortunately, I've been in a very similar situation. I won't give the full details. It wasn't CCTV and it wasn't photos of the flat, but it was access to one of my accounts, and there were pictures involved. I'll give that detail many years ago. And so I've been in that lady's position. And it's a sense of control. It's not even— a lot of people were like, well, that just doesn't seem logical. Why would he take those photos and then send it to her? Because he's clearly showing he's done something.

Graham Cluley

Do you think it was more a sort of— I'm just trying to get into his head. Do you think it's more of a 'Look what happens when I'm not around. Someone's able to hack into you. If only you had a big manly burly boyfriend who could protect you from this person who's breaking into your house and taking photographs.' Do you think that's the thinking?

Zoe Rose

I mean, from my experience of investigating these types of incidents, because I do volunteer for an organization in America called Operation Safe Escape, and it's about survivors leaving or have left domestic abuse situations, relationships, and a lot of the times it's a sense of control. It's not logical. In some cases it may— Graham, you may be right— it may be, look, I could have protected this, or look, you're extremely vulnerable, but it also is, you know, I can still control you.

Carole Theriault

It's a total mindfuck too if you're being targeted, like holy moly.

Zoe Rose

Yeah, I think from my experience of being the person that's been in that situation, it's terrifying, even if I know what's behind it. Even, for example, in my situation, the person had access to my email account. I knew how to get him off of it. I knew how to check if he still had access, but it's still terrifying because what else does he have access to? Our lives are so online. In her case, it's her bloody CCTV. I think they actually say in the article she had unplugged it knowing he had access to it. When he went in when she was on holiday, he plugged it back in, which is how she knew he was in the flat.

Graham Cluley

So what should you do, Zoe? I can understand if you've shared your email password with somebody and you've then broken up— you shouldn't probably share your password anyway, but if you have done, obviously change it. But are there other rules and guidelines and pieces of advice you can offer people?

Zoe Rose

Yeah, I mean, there's two sides to it. Because it's domestic abuse and violence related, I want to be very clear that sometimes removing the person's access is not the right call. Sometimes it's actually leaving their access because it can escalate, especially if they have intimate access to you, like they're in your home, right? But if it's that you have physically left the situation, most of the time the advice I give is start over, get a new account or get a new phone. Because you never know, especially if you're not a tech person. However, when it comes to things like, you know, you're a bit more confident, maybe you have an organization like Safe Escape to support you. It would be things like ensuring MFA is in place, multifactor authentication, ensuring you have a strong password. In my case, I did not give them that password. Actually, it was so long ago, I don't even know how he got it. But I'm a security person and I made a mistake and he got it. No matter how much you do, this can happen. It's just being aware of what information you have online and also being aware of what information can be seen in your email.

Graham Cluley

There's obviously a physical security aspect to this as well because the guy was able to re-enter the house. He must have had a key or a PIN code or something. Scary as fuck.

Zoe Rose

Scary, scary. It doesn't specify in the article how he got in, I'm making the assumption he had a key because it doesn't say he broke anything, but yeah, that goes to what's left over. I remember years ago where somebody had put a camera up in their ex's house and the camera was in a private room, you know, so they want control, they want to use anything that they can, and they'll use things that you would never imagine, like CCTV accessing your email, or, you know, putting cameras up. So it is scary, but I think the biggest thing is just knowing what you have in your environment, and I suppose figuring out if you can secure it or if you need to remove it.

Graham Cluley

So what's happened to this chap now?

Zoe Rose

He did receive 12 weeks prison term, which is not much, but it's something.

Graham Cluley

I think, Zoe, his prison term has been suspended for 2 years. So, I don't think he has spent any time in prison.

Zoe Rose

Oh, so I think—

Graham Cluley

Did I read it wrong? Yeah, I think if he misbehaves in the next 2 years, then he'll have to serve 12 weeks.

Zoe Rose

Bloody hell. Okay, I'm not as positive now.

Carole Theriault

2 years suspension. It's kind of really, I think, frightening. I don't know if it's just from a female point of view, but the idea that you can be kind of terrorised, mentally terrorised in that way. And then it's not considering—

Zoe Rose

You don't feel safe in your own home, and he gets two years suspension. And the article made it sound like they got a restraining order and he has to do

Graham Cluley

Yeah. Has to do some community service, oh, here is a house which needs to change its locks, so maybe you could change its locks for it.

Zoe Rose

volunteer unpaid work. They made it sound like that was such a big deal.

Graham Cluley

Something like that, which will work really, really well. And we cause any problems in future.

Carole Theriault

And a mega takeaway in all this as well is don't assume the default security settings are best for you. They're not the recommended ones. They are the ones to make it as easy as possible for you to get up and going and running, not necessarily the best.

Zoe Rose

So go through those settings please when you get a new device that you plug in, especially when it comes to CCTV, because I know of somebody that had a lot of money. CCTV is closed circuit TV, I think is what it actually stands for, but that doesn't mean that it's actually doing what it's saying it's doing. Because a lot of them, they're actually online, they're available on the internet. So make sure that what you set up is actually doing what you think it's doing, not just that the default of is it secure, but also is it accessible for people that you weren't expecting, let's say.

Graham Cluley

And if you've split up with someone, just don't be a dick, right?

Zoe Rose

Yeah. I think in this case, when it comes to Stephen King, I think there's a lot of control. It's a lot of possibly mental health issues. You know, there's a lot going on there, but that doesn't excuse his behavior. Yeah, please don't be a horrible person. At the very bare minimum, please don't be awful. Yeah, I'm with you.

Graham Cluley

Much more nicely put than I said. Carole, what's your story for us this week?

Carole Theriault

So we're gonna start off with Microsoft because they recently put out some research all about the state of the office post-Rona or mid-Rona, wherever we are in the whole Rona thing. And they interviewed something like 3,000 different business leaders. And half of these leaders intimated that their company already requires or plans to require full-time in-person work in the year ahead.

Graham Cluley

You mean people actually in the office? Is that what you mean?

Carole Theriault

Yeah, bums on seats. Bums on seats. And they also said that time spent in meetings for the average team since February 2020 has increased over 250%. Oh, that's a good thing, isn't it?

Graham Cluley

Because we needed more meetings. Yeah, I know. That's excellent. I'm glad we've made progress with that.

Carole Theriault

But if you think about that, it's then perhaps no surprise that 50% of employees are more likely to prioritize health and well-being over work since the pandemic, and that 52% of Gen Z and millennials are thinking about looking for new work during the next 12 months. All these stats are concerning, not just for employees, but for companies, right? Both large and small, they have to figure out a way to work with strained budgets and a stressed-out workforce and a lack of resources. And one of the big questions is, what can companies do to boost morale without breaking the bank.

Zoe Rose

Yeah. I have a suggestion. Is it croissants? It is not. It is not. It is maybe possibly listening to what the workers actually say they want.

Graham Cluley

Oh, what a namby-pamby kind of thing to do. The last thing you want to do is ask people what they want. Well, I don't know. There's various ways to cheer up staff, isn't there, in the office? I mean, you could hire some mimes, for instance.

Zoe Rose

Would that make you want to stay at a company that doesn't listen to anything you say?

Graham Cluley

No, no. It would be horrific. I don't know, just treat me as a normal human being. Don't treat me as I'm an idiot, I think is the general rule.

Zoe Rose

So treat you as a respectable adult, essentially. Don't be rubbish.

Carole Theriault

Yes, yeah, yeah, don't be rubbish. Interesting, because the Harvard Business Review published an article recently saying this is how someone might boost morale if they don't have any financial kickback to offer, financial bump. And one is public recognition. So basically McDonald's Employee of the Month kind of thing, right?

Zoe Rose

Which, to be fair, to be fair, if we look at intrinsic motivators, sometimes people are motivated that way. Feeling, you know, that you're making a difference.

Graham Cluley

But you can also be demotivated, can't you?

Carole Theriault

Yeah, loads of us

Graham Cluley

Because you can think, why has Bob Middleton been promoted as employee of the month when I know he's useless at everything, can't even carry wood, and he's just a waste of space who we need to get rid of. And for some reason, the bosses have decided he's brilliant, and they have not seen the enormous amount of useful, positive work which I have done this month.

Carole Theriault

don't do it.

Graham Cluley

You know, you could be demotivated by that kind of scheme, couldn't you?

Zoe Rose

Oh, completely, completely. I would be absolutely angry of, oh, I can get an Employee of the Month, but I can't work from home, which I've done for 2 years. Right?

Carole Theriault

What would you say to another one that they recommend is sending thank you notes to your home address? So you'd have, you know, Dear Zoe, we just want to say that you're such a star. Thank you so much for showing up every day and doing all the stuff you do. Signed, the CEO or someone.

Zoe Rose

The question is, does this thank you note include stickers? Because I may be swayed.

Carole Theriault

Yeah, there's not a fiver in there. I want at least a few stickers.

Graham Cluley

You know what I say? I say kind words don't butter parsnips. If you want to cheer me up, if you want to boost morale, then come on, get some money out of your pocket.

Carole Theriault

They don't have any money!

Graham Cluley

Well, they've got enough money. They've got enough money. Yes, they've got enough money to post you compliments and stickers, or they've got enough money to praise Bob Middleton and frame his photograph on the wall.

Zoe Rose

Who is this Bob that you're so obsessed about?

Graham Cluley

You'll find him on LinkedIn. I'm going to look.

Carole Theriault

Graham, it's interesting because, you know, other companies, you were not really moved by these symbolic rewards that I was talking about. Right. And one of those people is Amazon, right? Because they want a more innovative, more, you know, modern, approach to dealing with this type of thing.

Graham Cluley

Are they rating their staff out of 5? Out of 5? Hot or not? Star rating. No, it's just, would you recommend this employee to your friends? Is it something that?

Zoe Rose

They're giving people star ratings. I could totally see them doing that. Is that what they did?

Carole Theriault

It's close, close. So according to The Intercept, and this is according to sources on the inside, last November, Amazon top executives had a little chit-chat about creating an internal social media program. And this social media program would allow employees to recognize co-workers' performances with posts called shoutouts.

Zoe Rose

You can get that on LinkedIn though, right?

Carole Theriault

But maybe you don't own all the content then. I don't know.

Graham Cluley

You don't want a shoutout. You just don't want to be paid minimum wage by a guy who's the richest chap on the entire planet. Jesus. Going up into space on his pneumatic penis thing. It's just, you just want some money. Just pay me properly and then I'll be motivated.

Zoe Rose

Yeah, I agree with that because I think a lot of people are, oh, I do my job. I'm not motivated by money. Full disclosure, I'm motivated by money because I have a family and I would like to eat. Absolutely.

Carole Theriault

Are you sure that I can't sway you because they have a gamified reward system inside their internal social media system here? Where you get virtual stars, not real ones, unfortunately, because that would be cool, but you get virtual ones and badges, which is practically a sticker, Zoe, practically a sticker for activities that add direct business value.

Graham Cluley

If you paid me more money, I could buy my own stickers and possibly my own star as well.

Zoe Rose

Oh, actually, you can. That would be a good idea. The underlying thing is you have to meet your employees where they are, and if they're starving or if they can't pay their bills, or if they're working to the point of exhaustion, I don't bloody care how many stickers you give them or digital versions.

Carole Theriault

So you're not sure an intranet's going to help reduce employee attrition and foster happiness? Because they're pretty convinced, right?

Zoe Rose

But who's the people that are convinced? Yeah, the people that have enough money. They have enough money and don't understand why people aren't being, you know, so thankful that they bother to give them any money. Well, I don't know.

Carole Theriault

I think you guys are being short-sighted because these top Amazon execs, right? The kingpins here are going to keep employees happy and productive so they won't look elsewhere for work. But let's assume this person at the meeting, I don't know, we'll call them Bob, right, Graham? Bob. Okay. Yeah.

Graham Cluley

That's where Bob ended up, right?

Carole Theriault

Bob at the meeting says, "Hey, hey, Zoe, Graham," because you guys obviously are top execs at the meeting. They're like, "How do we stop disgruntled employees from basically complaining?" screaming on the internet, right? How do you do that? Like, you know, because obviously negative blocking keywords—

Zoe Rose

Good bingo! They always do that.

Carole Theriault

I have provided you guys inside the document the list. These are the words that apparently were being considered to be blocked. This is dumb. Yeah. Now I have to say Amazon have contested saying, well, you know, if this social network does go live, not all these words are going to be blocked. What is TOT? What does that mean?

Zoe Rose

I don't know.

Carole Theriault

I looked it up and I was just like, have you tried Urban Dictionary?

Graham Cluley

That's normally quite good.

Zoe Rose

I might be too old, I don't know. The second one is union.

Carole Theriault

Yep. "I don't care," for example, is a phrase that apparently would be flagged. And what they're saying is that it's called an "auto bad word monitor," quote unquote, and it was devised. It's effectively a blacklist that would flag and automatically block employees from sending messages that contained inappropriate keywords. And this is beyond obviously swear words or inappropriate language. These are kind of like the word prison, for example. Yeah. Right. Or ethics, interestingly, is in there.

Zoe Rose

Ethics is blocked. Maybe it's because they don't want somebody to say, "This isn't ethical." Yeah, they don't want any ethics on the intranet.

Carole Theriault

It seems "ethical's" okay though. "Ethical" might get through. Oh, okay.

Zoe Rose

Maybe the trick is just not speaking American English, and then you can say anything.

Graham Cluley

Or maybe being really bad at spelling. If you spell ethics with a K. Oh, maybe. For instance, ethics. You know, or with double F-X, in fact. Oh yeah, that's very clever. I was thinking along the same lines, right?

Carole Theriault

You'd have to start kind of working on your writing or language skills to get— and I think you guys are both very good writers. So if I wanted to communicate in this intranet, "I fucking hate working here," what could I say instead?

Zoe Rose

I'd pop over my thesaurus.

Graham Cluley

"I love working at Amazon, brackets, not." Are you allowed to use the word "not"?

Carole Theriault

Yeah, I don't know, maybe.

Zoe Rose

It's not on the list. So TOT, according to slang for old people, I think, on Google, is texting on the toilet. They also blocked restrooms, so that possibly could be it. But they didn't block the loo. So I really think just spell things in the British spelling and use a lot of parentheses.

Graham Cluley

Or just being I mean, you know what I would do? I'd just be very, very sarcastic. I'd just be so over-effusive with praise. I cannot begin to tell you how much I adore our overlords at Amazon and how they bring lightness and wonder to my life.

Carole Theriault

Yes, or you could do analogies like, working here is as glorious as being Jeff Bezos's personal proctologist, for example.

Zoe Rose

That's perfect. I would say something like, oh, you know, I had to miss my child's, you know, big development stage thing, but it's okay because working here is my favourite thing in the world. Just something as simple as that because it sounds very positive. Yes, yes, I would definitely choose working here because I love it so much. They've got representation blocked. Wow. They've really put some thought into this.

Carole Theriault

Well, Amazon are saying, look, look, look, there's no promises we're even doing this. We'll see what happens. It was scheduled to launch later this month, so we will see. If any of you listeners want to see the list of words, I have a link to the Intercept article as well to a number of articles. Just let you know that all's great out there. Everything's wonderful.

Zoe Rose

I'm just gonna say, if they put half as much thought into their incentives as they did into this bloody list, they may actually have a couple of happy people.

Carole Theriault

Yeah, I'm not sure this is the way to make people smile. Yeah, I think I agree with you on that one.

Zoe Rose

Blocking pay raise? No, that says it all. So I can still say rubbish. They're even blocking diversity, that really says something.

Graham Cluley

Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. So imagine this scenario. You're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for. Now, listeners would never send passwords over email or Slack. But what about your coworkers? How many organizations out there are sending logins back and forth in plain text? Worse yet, how many just store all of their logins on a shared spreadsheet? We all know that human errors are the biggest threat to your organization's security, but did you know that weak or stolen passwords account for over 80% of all data breaches? There are tools out there that allow you to share credentials, set access permissions, and monitor the dark web for stolen logins. Keeper Security's enterprise password management platform does just that. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented zero-knowledge encrypted vault, and it takes less than an hour to deploy across your organization.
Sign up for a Keeper free trial for your organization today and get a free 3-year personal plan VPN. So get started by visiting smashingsecurity.com/keepersecurity. That's smashingsecurity.com/keepersecurity. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

You can bring your Lazy Boy with you on the plane. That would be marvelous, wouldn't it?

Graham Cluley

And you can follow us on Twitter @SmashingSecurity, no G, Twitter must have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. You should follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Overcast, and Google Podcasts.

Carole Theriault

Pick of the Week.

Zoe Rose

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is a little bit security-related because we have discussed this case on the podcast in the past. It's related to the extraordinary story of QuadrigaCX and the death of Gerry Cotten, the company's CEO. If you don't remember, tune in back to episode 114 of the Smashing Security podcast. I knew that off the top of my head where we talked about that case. It is now a Netflix documentary. It's called Trust No One, which you can go and check out. What happened with QuadrigaCX was that they had— they're a Canadian— oh, they're Canadian. Oh, they must be amazing then. Cryptocurrency company who were storing a large amount of money. And what occurred was this chap, Gerry Cotten, went on holiday to India and then he died, or so the company said. And allegedly only Gerry Cotten knew the password which could unlock the cold wallets into which people had put their entire life's savings. So it's a very interesting story at the time. And there were, of course, investors who were deeply disturbed. Some of them you will see in the course of this documentary, very worried about what happened to their money and were thinking that there was some kind of conspiracy going on. I'm not going to spoil anything about the documentary for once.

Carole Theriault

Good. You don't normally spoil them. You're normally very good at setting it up.

Graham Cluley

Thank you. Oh, thank you very much. But I thought it was quite interesting. And so I am going to recommend the Netflix documentary Trust No One. Go and check it out, and it is my pick of the week.

Zoe Rose

Nice. What's your pick of the week? Yes, so my pick of the week is actually a couple of things. So instead of a go-to bag, or, you know, an emergency bag for whatever incident you're investigating, being a mum, I now have a go-to travel bag for traveling with a child. And you mean traveling, traveling, you don't mean going down to Sainsbury's? No, no, I mean traveler, traveler. So I've traveled with my daughter from— I don't remember the first time she moved or she went to a country, but I think 4 countries now. And this is not small travel, this is not just popping over to Germany because I'm in Holland. She's about 1 year old, right?

Graham Cluley

So you've done a lot of countries in a short period of time.

Zoe Rose

Correct, yes. This is also going over to, you know, across the pond to North America when she was about 6 months old. So it's been a bit of a journey, and this is traveling by myself with her as well.

Carole Theriault

Wow. So what, so what's in your travel bag then?

Zoe Rose

So the most important things are not the small things, not— I mean, obviously clothes are important, you know, she's a child. Yeah, those are good. Bottles, you know, those are helpful, but the main points that I think are really key is instead of carrying— because carrying a pram or having a pram with you, or if you might call it a buggy or stroller, I think is the other term, one that's collapsible, so easy to fold down so that they can put at the bottom of the plane and it's light, is key. But also if they break it or lose it, replacing it isn't that difficult because— oh yeah. Yeah. Well, I've got two prams. I've got my travel one and then I've got my main one and the travel one I actually use more, but it costs maybe a third of the other one. So if it gets broken, not a big deal. Interesting. The other thing that is important is a carrier for my daughter whilst I'm in the airport. So instead of carrying her in the pram, I actually strap her to my chest essentially. Because that leaves my arms open. I don't have to deal with a crying baby wanting to be picked up. And also, you know, it's just way more convenient. And then on top of that is a light car seat because the car seat that I have in the car is bloody heavy. I'm pretty sure it weighs the same as me. So this is a specific car seat that is actually cleared for air travel. So if you do want to take it on the plane for children that need their own seat, but also even if you're checking it, you know, walking it in the airport and to the taxis is not going to break your back.

Graham Cluley

So that sounds very useful. So we'll include some links in the show notes for people to check out your recommendations for these.

Zoe Rose

These are just suggestions of what I've used. They're not necessarily the best out there, but whatever it is that works for you, mainly just the foldable and light.

Carole Theriault

And Graham, are you a little jealous that there isn't man-sized, you know, well, baby seat for me?

Graham Cluley

Yeah, man seat.

Zoe Rose

If I find one, I will let you know, Graham.

Graham Cluley

Good luck finding one in my size.

Carole Theriault

Carole, what's your pick of— Oh, I have a really sweet pick of the week this week. It comes from one of my very good friends, Andy, and she just shared this with me. I don't even think it's very new, and you guys might be aware of it, but it's new to me. So it's called Literature Clock. It was made originally for the eBook Collective, but there's now also a website that does it. It basically grabs snippets from literature that include a timestamp that aligns with the one that is currently in your time zone. So for example, when I was looking at it today, it just comes up on the website, it says, "It's 12:33 now and I could do it. The station is just down that side road there." And that's from Five Red Herrings, Dorothy L.

Graham Cluley

Sayers. Ah, Sir Peter Wimsey. Lord Peter Wimsey.

Carole Theriault

Yes, and then it's not every minute it updates, but every few minutes. Sometimes it's every minute, sometimes every two minutes, because obviously they've gotta find the right quote, and they add these in and it just refreshes. And it's quite a nice backdrop to either— you can go visit online or to your e-reader.

Zoe Rose

Oh, that's lovely. That's very cute.

Carole Theriault

I think it's a Dutch tech journalist called Jaap Meijers and the English newspaper The Guardian, and it's their brainchild. So it's a perfect site to send to any book lover in your life. Right, so it's called The Literature Clock. It's my pick of the week. Links in the show notes.

Graham Cluley

Oh, I don't know if I'd go to it again. I mean, I think it's very cute, but would you go to this on a regular basis, Carole? Would you?

Carole Theriault

I just— I went to it out, and right after it was "died 5 minutes ago, you say?" He asked. His eye went to the watch on his wrist. 12:43, he wrote on the blotter. And that's Agatha Christie. So you get some good books as well, I quite like it.

Zoe Rose

I also think, you know, it's well thought out. It's got a dark theme. I also like the skip quotes marked not safe for work.

Graham Cluley

Yeah, exactly, exactly. I only want the not safe for work ones.

Zoe Rose

Oh, nice. Maybe that's version 2.0. But no, I think that'd be cute to just have sitting in the background even. That's quite lovely. There you are.

Carole Theriault

That's my pick of the week.

Graham Cluley

Very good. Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?

Zoe Rose

They can follow me on Twitter @RoseSecOps, or they could check my website, which is just rosesec.com, which would link to my Twitter, but that's okay. Cool. And huge thank you to this episode's sponsors, Kolide and Keeper Security. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. You guys, the timing is perfect because my daughter is now home.

Graham Cluley

Thank you so much, Zoe.

Carole Theriault

Yes, you gave us your free hour and we're so grateful.

Zoe Rose

She is now licking the ferret cage.

Carole Theriault

You didn't even bring up ferrets on the show. People will think you've given up on them.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

14 comments on “Trezor wallets hacked? Don’t be duped by phishing attack email”

  1. derek smith

    Cheers, it's what I thought, confirmed.

  2. Paul Daniel

    Clicked on the link to see if the site looked dodgy, looks like it halfway downloaded the so-called 'new update' or whatever.
    Not connected Trezor or been asked for any info / seed etc.
    What should I do now to get this potential malware off?

  3. KB

    I fell for it. It immediately drained 90% of everything in my Trezor wallet. What do I do now?

    1. Graham Cluley · in reply to KB

      If funds have been taken from your wallet then there may not be much you can do at all… other than be grateful it wasn't 100%… :(

      1. Lynn Morgan · in reply to Graham Cluley

        I think my Trezor wallet has been hacked. I tried logging into my account yesterday. I could not log in. I clicked on what I thought was a recovery site. It had a chat option. I put my phone number in the chat. A form came up to place my 24 word recovery names in. I did this twice along with my PIN number. Someone called me with an Indian accent and said he couldn't help me. He knew how much was in my account. He said my account had been crashed. Then silence. What can I do to recover my account?

  4. Brian

    You tell people not to follow links in email but helpfully link to the "official Trezor website". For all we know, that link could be malicious. After all, I don't know you. Train people the right way. Tell them to Google it then bookmark it.

    1. Graham Cluley · in reply to Brian

      Although there have also been plenty of occasions where cybercriminals have poisoned search engine results – or bought ads on search engines – to direct unsuspecting users to fake websites as well.

      Nothing's easy is it?

  5. Neil

    Using a third-party service (MailChimp) for their newsletter was not a great idea, especially when handling sensitive information.

    I checked out their domain trezor.io with uBlock Origin, and it's full of third-party services. Ideally, only trezor.io and sub-domains should be listed:


  6. Paul

    I was beside myself with panic but checked the email properties and saw .us where I was expecting .io! I then did a google search of the mail subject line and found this post of yours… Thanks so much for putting my mind at rest and I truly feel for anyone that fell for this despicable scam…

  7. Gerry

    Thank you for the heads up. We need to stay aware of the bad players out there.

  8. Scott

    Got the email, but did not fall for it. Went to trezor.io to update trezor suite.

  9. Brian Perks

    A long time IT security "expert" and I fell for this hook, line and sinker. Fortunately for me the device I read the email on wasn't the device I use for accessing my Trezor so I didn't click the link. I updated Trezor Suite from Trezor Suite and then changed my PIN just in case.
    My excuse for falling for this is that I am terrified every time I connect my Trezor, firmware updates are always problematic and I'm always expecting to see a zero balance!

  10. Yaron

    What caught my attention in the podcast (though I may have missed something in the blog post) is that Trezor is totally absolved. People pay a premium for hardware wallets, mostly for the security benefits. If any software installed on the desktop can break this security, this is (excuse my French) a total scam. There's a *lot* they could do (e.g. a screen on the HW token, an on-board approve button, even as simple as a beep+delay) and yet the Trezor product quietly lets malware empty out the wallet.

  11. David

    I had all my coins stolen from my Trezor even though I had not connected it for a few months. How did this happen? When I contacted Trezor they were not helpful at all, just told me to contact the authorities, even though my money had been sent to a Binance account. When I contacted Binance to tell them, they found the account and said my money had been withdrawn and are not willing to get it back for me, even though they know who has taken it. Is this against the law or legal?
