About the Twitter CEO ‘@jack hack’

Graham Cluley

How Twitter CEO Jack Dorsey's account wasn't hacked

As you have probably heard by now, Twitter CEO Jack Dorsey’s account (@jack, 4.2 million followers) started spewing some tweets on Friday night that were out of character even for him.

For about 15 minutes the account tweeted racist and offensive remarks, and even at one point what appeared to be a bomb threat.

It was pretty obvious that these weren’t messages being genuinely tweeted by Twitter’s oddball co-founder, and theories spread like wildfire that his account had been hacked.


I joined in with the speculation late on Friday night, proposing possible explanations such as a lack of two-factor authentication, or a reused password, but leaning more towards a third-party app connected to the Twitter boss’s account having been hijacked.

I couldn’t see the funny side in Jack Dorsey’s misfortune, having myself suffered when a third-party app I had linked to my account started tweeting unauthorised messages a few years ago.

And close examination of the offending tweets from the Twitter CEO’s account revealed they had been posted through a service called “Cloudhopper”, which seemed to suggest something similar had happened.

[Image: one of the offending @jack tweets, showing it was posted via Cloudhopper]

So, what is Cloudhopper and had it been compromised?

Cloudhopper is a service that facilitates tweeting via SMS text messages, and was acquired by Twitter back in 2010. If you have configured your Twitter account to allow it, it’s possible to just send a text message to update your Twitter status rather than use a smartphone app, laptop or desktop connection.

That’s fine, I suppose, with a couple of caveats.

Firstly, you need to be careful to only send SMS messages to Twitter that you wish to become public.

It’s surprisingly easy to send a text message that you believe to be private to the wrong number, as then White House press secretary Sean Spicer found out in January 2017 when he tweeted something that appeared to be a password via Cloudhopper.

[Image: Sean Spicer’s January 2017 tweet, posted via Cloudhopper]

Secondly, if Twitter is going to accept SMS messages from your mobile phone number and automatically broadcast them to the world, you had better be feeling darn confident that no-one else is going to gain access to your phone – or seize control of your mobile number.

As Twitter’s communications team explained the following day, it seems that’s precisely how the unauthorised parties managed to post the offensive messages to @jack’s account:

The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.

In short, it sounds like Jack Dorsey’s Twitter problems were caused by his mobile phone number being seized in a SIM swap attack (also sometimes called a Port Out scam), where his mobile phone provider was tricked by fraudsters into giving them control of someone else’s number.

So – if we are to believe Twitter’s explanation – the reason for the “@jack hijack” was not because Twitter’s CEO had failed to follow best practices for passwords, or been phished, or failed to have two-factor authentication in place, or even because he had a compromised app connected to his account – but instead that he no longer was in control of his own phone number.

That’s a problem not only because of unauthorised tweets, but also because of the surprising range of other things you can do via SMS with Twitter.

You can’t really blame the affected Twitter user for this incident – it’s a problem at the mobile phone operator’s end.

Well, maybe you can partly blame the affected Twitter user on this occasion. After all, he’s the boss of Twitter. He can get things changed if he wants to.

Although I’m sure there are some users in some parts of the world who appreciate being able to update Twitter via SMS, I’m not convinced that it is a feature that most Twitter users have a need for. I think it would be a sensible step for Twitter to disable SMS tweeting functionality by default, forcing users to manually enable it if they really want the feature.

It seems to me that another sensible step would be for those who do wish to tweet via SMS to be required to add a PIN to their text message as an additional form of identification. That would certainly be another hurdle for fraudsters and scammers to overcome.
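As an added illustration (not code from this article or from Twitter) of the design the post criticises and the PIN it proposes, the following Python models an SMS-to-tweet gateway: the weak handler accepts anything arriving from a linked number, while the hardened one is off by default and requires a PIN at the end of the text. The gateway class, the account model and the sample phone number are all constructed here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    phone: str                                # number the carrier has linked to this account
    sms_tweeting_enabled: bool = False        # hardened design: opt-in, off by default
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    timeline: List[str] = field(default_factory=list)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table of PIN hashes cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SmsTweetGateway:
    """Receives (sender_number, body) pairs exactly as the carrier delivers them."""

    def __init__(self) -> None:
        self.by_phone: Dict[str, Account] = {}

    def register(self, account: Account) -> None:
        self.by_phone[account.phone] = account

    def enable_sms_tweeting(self, account: Account, pin: str) -> None:
        """Opt-in step, performed in the authenticated web session, never over SMS."""
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4 to 8 digits")
        account.pin_salt = secrets.token_bytes(16)
        account.pin_hash = _hash_pin(pin, account.pin_salt)
        account.sms_tweeting_enabled = True

    def handle_sms_weak(self, sender: str, body: str) -> Optional[str]:
        """Weak design: the sender number is the only identity check and the feature
        is live for every linked number. A port-out moves that number to another
        handset, so the carrier delivers texts from that handset with the victim's
        number as sender and they post unchanged."""
        account = self.by_phone.get(sender)
        if account is None:
            return None
        account.timeline.append(body)
        return body

    def handle_sms_hardened(self, sender: str, body: str) -> Optional[str]:
        """Hardened design: the feature must have been enabled and the body must end
        with the account's PIN ("<text> <pin>"). The PIN is knowledge that a SIM
        swap does not transfer, so control of the number alone is not enough."""
        account = self.by_phone.get(sender)
        if account is None or not account.sms_tweeting_enabled:
            return None
        text, sep, pin = body.rpartition(" ")
        if not sep or not pin.isdigit():
            return None
        if not hmac.compare_digest(_hash_pin(pin, account.pin_salt), account.pin_hash):
            return None
        account.timeline.append(text)
        return text


def demo() -> Dict[str, object]:
    """Constructed scenario: the owner tweets from their own phone, then the same
    number is delivered from a different handset after a port-out."""
    gw = SmsTweetGateway()
    victim = Account(handle="@victim", phone="+15550100")   # constructed sample number
    gw.register(victim)
    # Before opt-in the hardened gateway ignores SMS entirely, even from the real number.
    before_optin = gw.handle_sms_hardened(victim.phone, "hello 1234")
    gw.enable_sms_tweeting(victim, "1234")
    owner = gw.handle_sms_hardened(victim.phone, "posting from my own phone 1234")
    # Port-out: nothing in the message changes except who is holding the handset.
    hijacked_weak = gw.handle_sms_weak(victim.phone, "unwanted message")
    hijacked_no_pin = gw.handle_sms_hardened(victim.phone, "unwanted message")
    hijacked_wrong_pin = gw.handle_sms_hardened(victim.phone, "unwanted message 0000")
    return {
        "before_optin": before_optin,
        "owner": owner,
        "hijacked_weak": hijacked_weak,
        "hijacked_no_pin": hijacked_no_pin,
        "hijacked_wrong_pin": hijacked_wrong_pin,
        "timeline": list(victim.timeline),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The weak handler posts the hijacked message; the hardened one rejects it both without a PIN and with a guessed one, and posts only the owner's PIN-suffixed text.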

You can listen to more about the hack of Jack Dorsey’s Twitter account, and SIM swap fraud, in this episode of the “Smashing Security” podcast:

Transcript (generated automatically, probably contains mistakes, and has not been manually verified)
GRAHAM CLULEY
The other one jumped out over the counter, pulled a handgun out of a plastic bag, and told the tellers to fill it with money.
CAROLE THERIAULT
Why was the gun in a plastic bag?
GRAHAM CLULEY
Because you don't walk around town, Carole, all around the shopping mall with a gun.
CAROLE THERIAULT
Yeah, but normally don't people put them in their trousers?
GRAHAM CLULEY
Not even in America.
CAROLE THERIAULT
What do people walk around with, Sainsbury's bags?
GRAHAM CLULEY
Well, I—
CAROLE THERIAULT
With guns in them?
GRAHAM CLULEY
Depends on your district, Carole. Around here we have Waitrose.
GEOFF WHITE
This isn't just a handgun. This is a Duchy Originals handgun.
Unknown
Smashing Security, Episode 144: Google Helps the FBI, Twitter Jacks Hijack, and Car Data Woes with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 144. My name is Graham Cluley, and I'm Carole Theriault.

We are joined this week by cybercrime journalist and podcaster Geoff White.
GEOFF WHITE
Hello!
CAROLE THERIAULT
Dare I say friend?
GEOFF WHITE
Well, you said it now and you've done it unilaterally, so there we are. I'm going to look the smaller man, aren't I, if I say no?
CAROLE THERIAULT
Now, it's wonderful that you're with us because you're working on all sorts of things at the moment, aren't you, Geoff?
GEOFF WHITE
Well, yes, I am, to my cost. So I've just finished the first— actually, the second draft.

I'm in the middle of— with my book on cybercrime, which is going to be coming out next year, next spring.
CAROLE THERIAULT
Yes, I've had a tiny sneaky peek, and it's good, listeners, it's good.
GEOFF WHITE
Actually, you've got an exclusive on your hands here because I can exclusively reveal the title.
GRAHAM CLULEY
Oh yes, please.
CAROLE THERIAULT
Oh golly gosh.
GEOFF WHITE
Which so far I haven't done because I wasn't sure what it was going to be.
GRAHAM CLULEY
Can we have a little fanfare first of all?
CAROLE THERIAULT
We can do that with audio magic, Graham.
GEOFF WHITE
Okay. Well, yeah, please replace that with an actual fanfare. Not that I'm demanding or anything, but— So the book is going to be called Crime.com.
CAROLE THERIAULT
Oh, that's a great name.
GEOFF WHITE
It's good, isn't it? Crime.com. Snappy, I thought.
CAROLE THERIAULT
Snappy. Memorable.
GRAHAM CLULEY
I have to ask an obvious question, Geoff.
GEOFF WHITE
Yes.
GRAHAM CLULEY
Have you registered the domain?
GEOFF WHITE
No, because some other bugger's had it for 15 years and has done nothing with it.
CAROLE THERIAULT
So why don't you register crime.com.com?
GEOFF WHITE
They've also got that. So yeah, I have been down this route.
CAROLE THERIAULT
I'm sorry, Geoff, I don't know who—
GRAHAM CLULEY
crime.com.com.com.
GEOFF WHITE
I have tried every permutation. I'm like, could I put the dot at the beginning and have com.com? No, I've tried them all. I don't have the website.

Is that a reason not to— should I change it? It's not too late.
GRAHAM CLULEY
I think it's a good name.
CAROLE THERIAULT
Yeah, no, no, stick with it.
GEOFF WHITE
What I do need though is I need the subtitle. So they've all got— I don't know why, but all books now have to be Crime.com slash, you know, the whole thing right here. Read it now.

You know, the secrets to the— and I can't—
GRAHAM CLULEY
One man's fearless journey into the underbelly of cybercrime.
GEOFF WHITE
I like that. That's pretty good actually.
GRAHAM CLULEY
It is about your investigations, right?
CAROLE THERIAULT
Pissing on the lamppost of cybercrime.
GEOFF WHITE
Both excellent suggestions, and forgive me if I don't take either of them up.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Perfect.
GRAHAM CLULEY
Carole, what have we got coming up this week on the show?
CAROLE THERIAULT
Hands up for this week's sponsors, LastPass and Detectify. Their support helps us give you this show for free.

On today's show, Graham tells us how Google helped the FBI with a bank robbery. Well, investigating the bank robbery, I'm assuming, not executing it.

Geoff gives us the inside scoop on the hack targeting Twitter CEO Jack Dorsey. And if you have ever driven a Smart car, you may want to hear what I've found out.

All this and more coming up on this killer episode of Smashing Security.
GRAHAM CLULEY
Excellent. Now, fellows, fellows, by the way, it's been pointed out to me that I have been opening my section of the show by saying chaps.

And I don't want to point any fingers as to who pointed out to me that may not be completely accurate gender-wise, but I think a number of people pointed out.

Yes, a number of people. Someone got in touch, a listener got in touch about it, and also a co-host.
CAROLE THERIAULT
And so ironically, yeah, ironically, listener who got in touch with Graham about this, not even 48 hours before, after 143 episodes, I decided to go, why every time?

Anyway, so thank you very much.
GRAHAM CLULEY
So fellows, fellows, I've got a question I have a question for you. Where were you on Saturday the 13th of October 2018?
GEOFF WHITE
Oh—
GRAHAM CLULEY
No idea.
GEOFF WHITE
I don't know.
GRAHAM CLULEY
OK, let me narrow it down a little.
GEOFF WHITE
Not anywhere near the story you're about to tell.
GRAHAM CLULEY
Do you own a light green zip-up hooded jacket, Geoff?
GEOFF WHITE
Actually, I do. Oh God, where's this going?
GRAHAM CLULEY
Interesting.
GEOFF WHITE
No alibi, white clothes.
GRAHAM CLULEY
Carole, have you got blue jeans, black shoes?
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Sunglasses, gloves?
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Do you own a hoodie?
CAROLE THERIAULT
Wearing one right now.
GRAHAM CLULEY
Are you between 38 and 48 years of age?
CAROLE THERIAULT
Steady.
GRAHAM CLULEY
Are you 5'6" to 5'8" tall, unshaven? At the moment, maybe. With a stocky build?
CAROLE THERIAULT
No, that's definitely not me.
GRAHAM CLULEY
The reason why I'm asking is that the FBI are trying to identify a couple of chaps who walked into the Great Midwest Bank in Heartland, Wisconsin.

It was at 2 minutes after 9 in the morning. They were the first customers of the day inside the bank.
CAROLE THERIAULT
Sheila still talking to Barbara about her weekend.
GRAHAM CLULEY
And while one man distracted the tellers behind the counter, the other one jumped out over the counter, pulled a handgun out of a plastic bag, and told the tellers to fill it with money.
CAROLE THERIAULT
Why was the gun in a plastic bag?
GRAHAM CLULEY
Because you don't walk around town, Carole, all around the shopping mall.
CAROLE THERIAULT
Yeah, but normally don't people put them in their trousers?
GRAHAM CLULEY
No, not even in America.
CAROLE THERIAULT
What do people walk around with, like Sainsbury's bags?
GRAHAM CLULEY
Well, I—
CAROLE THERIAULT
With guns in them?
GRAHAM CLULEY
I don't know, I mean, it depends on your district, Carole. Around here we have Waitrose.
GEOFF WHITE
This isn't just a handgun, this is a Duchy Originals handgun.
GRAHAM CLULEY
It's an organic handgun. Anyway, they left the bank with a tub of hummus and— No, no, no, they left the bank.

Just 7 minutes later, carrying a bag full of cash, 3 drawers from the vault and the teller station, and the keys to the bank vault itself.

And of course the police investigated, and the bank had security cameras, but despite the footage being shared with local media, no leads have emerged in all the months since.

And they even had an eyewitness account.

So this bank is part of a sort of mall, or whatever they call them in America, you know, a whole bunch of stores around a great big car park.

And there was a shopping plaza, if you like, and there was an eyewitness account of a worker at a nearby store just a couple of doors down who the previous day had had a strange interaction with a man who had walked into the Design Exchange store in the same mall.
CAROLE THERIAULT
Design Exchange store?
GEOFF WHITE
I don't even know what that is. Carrying his Waitrose bag.
GRAHAM CLULEY
He walked into Design Exchange and he seemed confused. It's like, oh, where am I?

Because he seemed puzzled as to why it was full of home decoration products rather than being a bank. And then he scarpered when someone approached him asking if he needed any help.

So one theory is that maybe he thought he was going to the bank to stake it out. And in fact, he walked into the wrong store.
GEOFF WHITE
What's going on here?
GRAHAM CLULEY
What's going on? Why am I in a pottery bar?
CAROLE THERIAULT
So I hate to be intellectually snobbish here, but that makes me question his intellect. If he walked into a Design Exchange store and went, why is this not a bank?

Before he actually walked in, surely the big sign on the outside would have told them and the lamps, the pictures of lamps and clocks and whatever else was in the— The fact it can happen to anyone.
GRAHAM CLULEY
People do walk in through the wrong door sometimes.
GEOFF WHITE
And also, you know, I pine for the days when banks were all mahogany and intimidation. Now you go in, they do look a bit like IKEA, don't they?

With bleached wood and there's no counter.
CAROLE THERIAULT
There's someone greeting you.
GEOFF WHITE
Hi Geoff, how's it going?
CAROLE THERIAULT
With an iPad, yeah.
GEOFF WHITE
You know, what can we do for you? And it's like, I'd like a latte. You know, they did, they— I don't blame him.

I could walk into a Home Depot, whatever, and start depositing my cash into it, into an antique drawer or something thinking it was a— anyway. Yeah.
GRAHAM CLULEY
So yeah, I'm— So the cops' investigation is going nowhere, right? They haven't really worked out who these two guys are.

So the cops used a rather inventive method to try and locate the suspected robbers. Now, worldwide, Android has around 85% of the smartphone market. And if you think about it—
CAROLE THERIAULT
Seriously?
GRAHAM CLULEY
Yeah, 85%.
GEOFF WHITE
Incredible.
GRAHAM CLULEY
If you just look at the States, Android has about 60% share, but worldwide, 85%.

So if you think that many, many people, particularly of robbing bank sort of age, might probably carry a phone around with them.

And many people will have not changed their standard Google settings. And so they will have enabled or left enabled Google Location Services.

And Google Location Services is basically fairly regularly polling your device, keeping track of where you are in the world — so that you can share that information with your buddies if you wish to, right?

As well as being able to use it for other purposes as well.

So what the cops think is, if we can serve Google with a search warrant, we can ask for data that would identify any Android user who's been sending that data within a 100-foot radius of the bank during the 30-minute window when the robbery took place.

And they're thinking, there's a chance we might identify either these guys or people who will have seen them.
GEOFF WHITE
I don't know if I like this.
CAROLE THERIAULT
The word dragnet is coming up in my thoughts.

Yeah, just my issue here is you've got all these people who have nothing to do with the robbery whose information are being handed over to Wisconsin police.
GRAHAM CLULEY
And the extraordinary thing is, at least I found it extraordinary, is this is apparently completely and utterly legal for the police to do. Really?

Now, police would have to come up with some really convincing evidence if they had a suspect in mind.

So if they had a person of interest and they thought we need to investigate them and we need to go to a judge or whatever, you'd have to put together some fairly compelling evidence to say, this is why we need to do a search warrant on this particular individual and grab their data from the technology company.

But if they do a rather wider dragnet, as Carole calls it, of anybody who happened to be within that radius in that 30-minute time period, then they're pretty much given free rein to do it.

And this kind of warrant is called a reverse location search warrant. And it's been done by law enforcement agencies around the world, particularly in America.

And it's not just in relation to this particular bank robbery. Last month, it was used to identify members of a group called the Proud Boys, a group of right-wing extremists.

And some of them are alleged to have beaten up some lefty protesters at a rally in the Upper East Side of Manhattan recently.
GEOFF WHITE
So saying dragnet, is there an analogy here with CCTV where if the bank had— well, the bank had CCTV, the police would just grab the tapes and then go through it and see everybody's face who walked in and out.

Is that the analogy, that they're just simply grabbing the phone details of every phone that walked in and out?
GRAHAM CLULEY
I guess that is the kind of precedent which has been set, but of course, with the information from a mobile phone, that's much more identifiable, isn't it, than a blurry image of someone's face?
CAROLE THERIAULT
Exactly. You get their name, you probably get all their data, you get their IP address.
GRAHAM CLULEY
I think it's probably still sharing basic GPS information.

And, you know, there is a legitimate purpose for that, which is if you want to share your location with your friends and family via Google services, then you've allowed them permission to look up where your phone currently is.

Or indeed, if you've lost your device, that information is being stored by Google as to where your device is.
CAROLE THERIAULT
And I guess it's up to Google to decide who it shares it with. And it says, we need a search warrant. They present one and they say, here's all the information.
GRAHAM CLULEY
There's the information and people nearby.

There was another case as well, as well as these Trump lovers beating up people, there was another case where a man was arrested for murder based upon information Google supplied, only to be later released as it was found his Google account was actually associated with a variety of different smartphones and devices, one of which was in the ownership of his former stepfather.

So they're having a whole series of these sort of cases. Now you're probably wondering how successful the police were in identifying those responsible for this bank robbery.
CAROLE THERIAULT
Well, with Google's help, I imagine it'd be very easy.
GRAHAM CLULEY
Well, it turns out that the police, so far at least, have not named or arrested anyone in connection with this robbery.

So the investigation continues, which either suggests that these two bank robbers turned off their location history and location services.
CAROLE THERIAULT
I'd like to think so, although they did walk into a—
GRAHAM CLULEY
Or might they have been iPhone users, which maybe is another way to defend yourself as well.
CAROLE THERIAULT
Well, if they're successful bank robbers, they probably can afford the latest iPhone.
GEOFF WHITE
Phone tech. So does this not work on an iPhone then?
GRAHAM CLULEY
Well, certainly there are services whereby you can share your location on iPhone as well, and I think they are enabled by default.

I have to remember, I'm pretty sure that I had to turn off on my iPhone all kinds of location tracking things, some of which was being used by ad services, for instance.

What I'm unclear about— maybe we can have listeners contact us if they know— is whether Apple itself has access to that information, because quite often Apple will design these things so they themselves don't have any information they can share.

With law enforcement on this to avoid this kind of much law enforcement frustration.
CAROLE THERIAULT
Indeed. So, Graham, are you advising that robbers now just leave their phones at home? Is that the whole point of the story?
GRAHAM CLULEY
The good news, Carole, is that we've got no bad guys listening to our podcast. Everyone who listens to our podcast is a good guy. Good for that. I shouldn't say guy, should I?

I should say fellows. Yeah, well, dear Lord. Geoff, what's your story for us this week?
GEOFF WHITE
I know it's a couple of days old at the time of recording, but I do want to talk about the Jack Dorsey Twitter hack.

The Jack attack, the Jack hack, the Jack attack, the Jack hijack, Hijack Jack. I mean, it's useful that his name is also an assonance type thing for various ways to describe it.

So yes, this was Jack Dorsey's Twitter account, and obviously Jack Dorsey being the boss of Twitter, his Twitter account was hijacked very briefly. I think it's about 20 minutes.

And a series of inflammatory tweets were sent out from his account, one of which talked about a bomb threat, I think it was, at Twitter HQ.

There were references to far-right stuff, a bit of reference to Hitler, very salacious stuff. The account got closed down. They obviously sorted out the problem.

There's no longer salacious tweets coming from Jack Dorsey's Twitter account.

So on the surface of it, embarrassing, obviously, for the boss of Twitter to have his own account hijacked. And then there's a whole issue of, well, how did this happen?

What's emerged afterwards is it seems Jack Dorsey's been the victim of the SIM swap, the classic SIM swap attack.

Not an expert in those particular things, but as I understand it, if I'm a hacker and I want to take over your phone account, for example, I'll phone up, I'll find out who you're with, you know, Three or BT or whoever you're with, and I will phone them up and say, oh, I'm a customer of yours and I've got a new SIM card in my phone and I want to attach my number to this new SIM card.

And obviously I'm the hacker doing it, so it's not my number at all. It's your number. Now the mobile phone company will then often try and establish, you know, are you the customer?

So they'll ask for maybe a date of birth, mother's maiden name, address, anything available on LinkedIn.
CAROLE THERIAULT
Well, exactly, yeah. So those—
GEOFF WHITE
That's the problem basically.

If I can grab enough information about you, I can phone up your mobile phone company and effectively hijack your mobile phone number, and your mobile phone number then becomes the number on my phone that I've got my SIM card in.

Now, usefully with Twitter, they have a system where you can tweet using just a text message.

So you can send a text to a particular number, and that text, if it's linked— if your phone's linked to your Twitter account— that text will become your tweets.

You will have tweeted the text effectively. So it's a really handy way on the face of it to get tweets out.
GRAHAM CLULEY
Well, you know, I at first thought, why on earth would someone want this kind of feature?

Why would you want to send a tweet via SMS rather than using your smartphone app, for instance, to send a tweet, which is going to be a much easier process?

But then I thought about it as I was robbing a bank in Wisconsin a few months ago. I realized, well, I don't really want to carry a smartphone with me, do I?

Because Google are going to be tracking me. So I'll just take this old, you know, 1990s dumb phone with me, and then I can just keep up to date on Twitter via SMS message.
GEOFF WHITE
There are some really good reasons, I think, for the SMS Twitter. Well, some good commercial reasons.

As you say, if you don't have access to a smartphone, so in countries that are less economically developed around the world, there's less smartphone penetration, they can update by SMS.

And also if you're not near Wi-Fi or if the Wi-Fi gets shut down, I know there were instances in which the government was trying to shut down Wi-Fi networks and so on.

Being able to just text through a mobile phone mast was useful, you know, all good reasons.

The issue I've got with this is everybody's reporting, okay, Jack Dorsey's Twitter account hacked and used and so on.

It does mean that for a period of at least 20 minutes, possibly more, hackers had access— well, effectively they had Jack Dorsey's phone in a way.

They had his number under their control. I mean, does that mean if anybody phoned Jack Dorsey during that period, the call went through to them?

And if people sent text messages, did they get text messages and so on?

Isn't that the risk, that if your number's hijacked, it's way beyond just being able to tweet from your phone?

That person is then, they have your number and whatever's going on with your number, they have. So I'm interested as to how far it went and to what kind of access that gets.

But the other thing about this is Twitter sort of said, look, this wasn't a failing at our end.

We believe this was a mobile phone operator failure, i.e., mobile phone company may have inadvertently allowed this SIM swap to happen.

I've spoken to young hackers in the past for whom SIM swapping is just stock in trade.

It's what they do, blagging their way into a Twitter account basically, or into a mobile phone account. So I was interested in this, you know, how much information would you need?

And usefully, perhaps not usefully, my partner lost her phone recently, and has had to go through a very similar process.

She's got a new handset but an old SIM, so she wanted to go to— and I'm going to say the mobile phone provider because this is good for them— Three, the mobile phone provider.

She put the SIM in and said, right, you know, phoned Three and said, I want my old number from the phone that got stolen, got lost, I want that number now on this SIM.

And Three said, oh, we have come into the store, and by the way, we need your passport, we've got to photocopy passport to prove it's you.

So clearly there are some mobile phone providers who are really checking a lot of detail before they're assigning your old number to a new SIM card.
CAROLE THERIAULT
Why do they need my passport though? Why do they need a photocopy?
GEOFF WHITE
I'm sure Jack Dorsey actually would be the kind of person— well, hang on, I wish they had checked passports because then I wouldn't have had my SIM hijacked.

So, see, there's lots of interesting fallout. I don't know, look, the whole thing about using your phone as two-factor authentication, I just have issues with it.

So not in the car bag, but this isn't the first time my partner's phone has gone. There was another phone lost in India, and she—
CAROLE THERIAULT
She won't listen to this, will she? I'm just thinking of marital relations right now. I want to keep them— I want to keep them nice and—
GEOFF WHITE
Oh, cool, nobody listens to this.
GRAHAM CLULEY
The secret of a happy relationship is you never get any loved ones to listen to your podcast stuff.
GEOFF WHITE
Yeah, exactly. But no, so phone got stolen in India, and of course it was used by my partner as a two-factor authentication thing for her Gmail.

So from then on, well, no more access to Gmail.

So it just felt there was a single point of failure with this phone, and I think if you're using it as two-factor authentication, you've just got to think, right, if I lose this, what actually happens?

So I myself haven't gone down the whole mobile phone as two-factor authentication route, for good or for ill, but those are my concerns with it.

And Jack Dorsey's hack seems to kind of exonerate my position.
GRAHAM CLULEY
This whole SMS two-factor authentication, a lot of people are quite down on the idea of two-factor authentication via SMS because of the danger of SIM swapping.

And the thought that someone else will be able to break into your Gmail account or whatever account because they get the code texted to them.

My feeling is it's better than no two-factor authentication at all.

And I'd hate for people to be— I mean, I would prefer if people had a hardware key or if they had an app authenticator, maybe on their smartphone or some other device for their two-factor authentication.

But if you don't have that for any reason, I would rather you had SMS-based two-factor authentication, even though it's not entirely secure.

It's better than what most people are doing. But I think you're right to raise this alarm as to, well, what are you going to do when you lose your mobile phone?

How are you going to handle that situation? I've had that headache.
CAROLE THERIAULT
Well, my phone broke rather than lost, but yeah, same issue, right? Because that's my default place to do the multifactor and suddenly it was out of commission.
GEOFF WHITE
Yeah. I know it's controversial as I say, but I just think that debate is opening up because people do need to think. Think if your phone goes, what are you going to do?
GRAHAM CLULEY
I also feel that Twitter isn't entirely— you know, maybe even Jack Dorsey himself is not entirely blameless about this, because although I don't normally like to blame the victim, I mean, he is the boss of Twitter and he can change the way that Twitter works.

And Twitter by default opens up this SMS gateway for people to use on your account. And my feeling is, well, why is that enabled by default?

I would expect most Twitter users don't have a requirement for that.
CAROLE THERIAULT
Yeah, but it's functionality and ease of use over security, right? There's a constant battle.
GRAHAM CLULEY
But if there is this problem of mobile phone numbers being hijacked and then used to tweet without authorization, then why isn't there more of a safeguard?

There should be a PIN which you have to add, a numeric PIN, so that when you send an SMS, you have to add 551 or something to the end of the message so Twitter can say, oh, this really is a text message from this person rather than someone who's spoofing the mobile phone number or someone who has grabbed it through a SIM swap fraud.
GEOFF WHITE
Good thought.
CAROLE THERIAULT
Something else for us to remember.
GRAHAM CLULEY
Well, Carole, you don't have to remember it at all because you're not using SMS for tweeting, are you? Certainly not. I don't tweet.
CAROLE THERIAULT
You tweet. I do occasionally. A little bit. It's a very special day when I do.
GEOFF WHITE
As a postscript to this, Donald Trump has inevitably weighed into the debate and I think was either asked about this or commented on it and said, "I don't care if people get into my Twitter account.

All they're going to see is the tweets I've done, right?" This man is head of one of the world's most powerful countries.

So I think actually if somebody did break into Donald's Twitter account, we might get more sense, more sanity in the world. I don't know.

Oh, by the way, the other thing is this was carried out by a group calling themselves the Chuckling Squad.

And the fact they're called the Chuckling Squad makes me wonder, linked to the Chuckle Brothers? TV tricksters? I'm just putting it out there.
CAROLE THERIAULT
To me, to you. No, it's my turn.
GRAHAM CLULEY
Carole, what have you got for us rather than references to 1980s BBC children's TV stars?
CAROLE THERIAULT
Geoff, are you partial to cars? Do you have a fancy car? What kind of car do you own?
GEOFF WHITE
No, I've got an old Nissan Micra. It's 20 years old. All right, so you're like me.
CAROLE THERIAULT
Yeah, I'm trying to drive my car into the ground. But Graham, you are driving a smarter car, aren't you?
GRAHAM CLULEY
I wouldn't call it smart as such. It does beep a lot if I'm driving badly. Actually, it beeps all the time.
CAROLE THERIAULT
Yes, yeah, but you know, cars today are much smarter than they used to be, aren't they?

Because for example, if you were in a bad mood, Graham, and you jumped into your car, you might just go to your playlist, Bluetooth up your phone to your car, and then blast your favorite songs.
GEOFF WHITE
Probably the Doctor Who Megamix, you mean?
CAROLE THERIAULT
Exactly. I imagine that's what it's called anyway. And you know, your car collects your GPS information, so where you've been and how long you've been there, and on which days, all timestamped.

And people also use it to open their carports, right?

You put in a little code so that your garage door opens, or that your gated community, if you're all la-di-da, you know, the gates would open.

And there's also this stuff called vehicle telematics. Have you heard of that term?

This is the tech that sends and receives and stores all the info that controls a vehicle remotely, be it stationary or on the move.

So does your car occasionally, when you're driving and you go over a line, does it kind of try and jerk you back into lane?
GEOFF WHITE
No, my partner does that.
CAROLE THERIAULT
Yeah, mine too. In-car device. Human. Human's always the best way to go. "Ah, you're in the wrong lane!"
GEOFF WHITE
No, but I know what you mean. Yes, there's cars, aren't there, that automatically steer you into lanes and all that kind of stuff. Does yours do that, Cluley?
GRAHAM CLULEY
It doesn't automatically steer me, no, but it would sort of buzz and beep.

It can automatically stop if it thinks, or slow down if it thinks I'm about to hit something. Which I have tested on occasion. So it has some kind of quote-unquote intelligence.
CAROLE THERIAULT
Intelligence. Yeah, and all this tech is great, say many, many millions of users.

You know, how wonderful to blare your device's playlist via Bluetooth, and how wonderful to access step-by-step navigation instructions on a large built-in screen.

I mean, my car doesn't even have cup holders, which is my biggest beef with my car. I don't want any of the smart stuff.

I just really wish I had a cup holder for hot coffee because it's really hard.
GEOFF WHITE
My car's got a tape player. Oh wow, okay. Yeah, I have to get tapes from people. Have you any idea how hard they are to track down these days? Oh wow, mixtapes. I've got mixtapes.

I love it. Literally mixtapes.
CAROLE THERIAULT
Anyway, let's say you have this fancy smart car of yours, Graham, and you drive it around for yonks, right? To and from work.

Oh yeah, that's not very far for you as you work from home, but up and down the stairs, to and from your conferences, right?

When you're doing your errands and your shopping, when you're off on holiday. Yes, and you realize the mileage is getting up there and you think it's time to trade it in, right?

Would you think of completely cleaning and sanitizing your car from your existence? Do you think— really good point.
GRAHAM CLULEY
Yeah, it's— I mean, to be honest, I probably wouldn't think about that.
GEOFF WHITE
No, if indeed you know how.
GRAHAM CLULEY
I mean, yeah, yeah, I might sort of wipe the radio, you know, if I'd preset it to some embarrassing station. I might like that, but I don't know.

You can't be talking about Radio 4 right now. I'll tell you what I have done, actually. I'll tell you what I have done.

I have wiped the sat nav in the past because of course— clever— because of course you might put, you know, friends and family's addresses in there.

And one of the things I do is I don't set an address as home, for instance, because I always think if someone steals my car, I don't want them knowing how to get to my house.
CAROLE THERIAULT
Yeah, right.
GRAHAM CLULEY
So instead I just put in the city where I live, and from there I know how to get back to my house.
CAROLE THERIAULT
Because I think if you were doing a private sale, you might be more alert on that sort of stuff.

But if you were going back to a dealer to do a trade-in or to upgrade or whatever, you might assume that the dealer is going to wipe all that clean for you before they put it back on the market.

And the problem seems to be that the onus is on the driver to get rid of the information before they trade or sell the car.

Because there are so many, and probably a growing number of, interdependent and fully independent services, some working without even paying attention to each other and some cooperating to get you the information you need.

Up ahead there's traffic.

And it's very difficult for a dealer to be able to, for each individual car to go through and wipe all that because it could be many, many different services.

Depending on what car you have, what model, etc. So U.S. car industry executive turned privacy advocate Andrea Amico told The Register, "Infotainment systems, even from the same manufacturer, come with a variety of both hardware and firmware. Even within the same manufacturer and year of production, variances between models can go from small to huge. If it was truly easy and intuitive to delete information, we would not see the statistics we see."

So basically, people are not cleaning their cars.

So it's up to us, the dear owners, to wipe our smart cars before trading and selling them in. The question is, though, how do you go about doing that?

Consumer Reports put together a pretty solid list of advice. First off is unpair all Bluetooth devices. Now, I think most people would think about that.

You pair your devices with your car so they can make and receive phone calls and receive and send texts. Via speech, not typing away as you fly down the motorway.

And you can even create a mobile hotspot in your car and have internet available to your passengers and drivers.

So all that information can be stored either in the car or in the car's cloud server or one of the cloud servers that is made available to your car.

So that brings me to my second point. Log out of any cloud accounts.

Now, apparently inside your manual for your car, there is information on how to ensure that you're off all the cloud accounts. So take a look at that.

But certain automakers store cloud accounts with driver data, including radio presets you talked about, favourite temperature settings, right?

Navigation destinations, driving history. And you might want to make sure you're logged out of all those before you get rid of your vehicle.

Remove tracking devices.

Now, Graham, isn't this what you were speaking about a few weeks ago when we were talking about Mercedes?

So this is where auto dealers and banks and insurance companies may attach tracking devices to your car just for when they're setting up financing and coverage deals.
GRAHAM CLULEY
So I think many of the threats which you've been talking about here have been a threat to the seller rather than the new buyer.

But there is a problem in so much as if the seller doesn't, for instance, disconnect their car tracking app from your car, the new one which you've bought via the dealer, then there's the potential for the previous owner to know where your car is and maybe even unlock it remotely via the app.

And take it back. And take it back or who knows what. Yeah, good point.

And so there is this huge problem of dealers not properly wiping the car because you can't necessarily trust the previous owner to have done it, as we've discussed.

But sometimes they may not do it with actual malicious intent.
CAROLE THERIAULT
And what we've learned here though, what I've learned is you actually can't trust the dealer to do it either.

Not because they're necessarily too lazy to do it, but because they don't actually know how in lots of cases.

So I think that's a safe assumption for you, the user, even if there's a few of you, don't yell at me if you do know how to do it, well done you.
GRAHAM CLULEY
Or they may not have access to passwords. Who knows? There may not be a method of doing it. Sure, sure.
CAROLE THERIAULT
Yeah. Now this is an interesting one, right? Resetting the vehicle's telematics services.

So telematics services provide services to vehicle drivers, for either a subscription or some other arrangement, right? Maybe it's a one-off sale.

And these can be emergency services or information services to help the driving experience.
GRAHAM CLULEY
Can you not simply order kit to wipe telematics? That's what I would— it just sounds so sci-fi, doesn't it? You have to wipe the telematics of your car. What on earth?
CAROLE THERIAULT
Listen to the advice on how to do it. Okay. Blue Link, FordPass, and OnStar are services that can send data from your car to the cloud, even if you don't have a current subscription.

And the analysts at Consumer Reports advise that you look for an SOS or call button on the rearview mirror or overhead console.

Press it and you'll be connected to a live operator. And that is how you go and change the account owner.
GRAHAM CLULEY
What? Oh, because so when you make the SOS emergency call, you say, I'm actually only ringing. Sorry to waste your time.
CAROLE THERIAULT
I just want my account wiped.
GRAHAM CLULEY
This is my GDPR request to be forgotten, which I'm making here by pressing the button.

See, I know, well, because I've had cars in the past which have these buttons which claim to cause— I've never ever dared press them because I'm too scared as to whether it's going to be the ejector seat or something.

Even if I've had a crash, I would never press that button.
CAROLE THERIAULT
I'm just saying you may want to if you sell your car, just to make sure.
GEOFF WHITE
I just can't believe all these buttons. I've got hazard warning lights and I've got the rear demister and that's it. Those are the buttons I've got. Don't you feel lucky?

Yes, I feel incredibly lucky.
GRAHAM CLULEY
Me too. He is, he's got mixtape.
GEOFF WHITE
I pressed the wrong button in my mum's car a little while ago and I just had this horrible feeling that I was driving along and I'd wet myself, but it was the seat, you know, the heated seat thing.
GRAHAM CLULEY
Oh, I hate it.
CAROLE THERIAULT
Graham and I have an ongoing war, about 10 years old now, with the heated seats of, you know, secretly whenever we have to travel together, putting on the other person's heated seat very high in his car.
GEOFF WHITE
Yep. And then he just starts sweating watching them.
GRAHAM CLULEY
I feel I've got a tropical disease, and then I realize I've just got Carole Theriault sitting next to me. Yep.
CAROLE THERIAULT
Well, I've shown his son how to do it, so he's taking the baton now. Now Graham, you brought up GDPR, and very good point because that occurred to me as well.

So this could be a really yucky issue for car companies if they don't step up to figure out how to wipe cars from PII data. Because think about it, right?

I don't have a smart car, but you do, and you have connected your phone to your smart car, and all your contacts are likely to be stored in a car-tied cloud server somewhere, which means my information as one of your contacts is also there.

So how is this really different from Facebook and that scandal where people that weren't members of Facebook or users were actually—
GRAHAM CLULEY
Their information was being traded. I don't actually do that with my car. It is true that you can.

I believe there is even a way of accessing Facebook via my car, but I obviously— and Twitter, and I wouldn't allow any of that nonsense. So I simply use it to listen to podcasts.

I don't actually connect to any accounts or something like that.
CAROLE THERIAULT
Lots of people out there do though. Very good that you're better, that you're actually security aware. I was just testing you.
GRAHAM CLULEY
I just want to say I'm better than the rest of you. Yes.
GEOFF WHITE
But you're right, it's the stuff that's in the car, actually in the physical car itself that's stored that you can probably wipe, I guess, if you get to it.

But then the issue you raise about the cloud, where it's all got sent off to another server somewhere. Yeah. And you, A, didn't even know that was happening.

B, have no idea how to recover it and get it back or wipe it. And C, it potentially stays with the car. So even if you did wipe the local copy.
CAROLE THERIAULT
Yeah, I see. I'm worrying it's staying with a third party that's working with the car manufacturer, of which there may be, you know, hundreds depending on what services you require.

And they're the ones who are storing the information. So you might be thinking, oh, I bought a, you know, whatever, Toyota, BMW, whatever car, fancy car with the smart stuff.

And who knows who's actually holding in data? Now, as you can imagine, I was pretty smug when I was researching this story, right? Because I'm not a smart car owner.

And Graham knows I'm very good at being smug. So there I was, smugging away. And as I was researching, I came across this older article penned by upcoming guest John Leyden.

And his piece raised a really scary point: car rentals.

So everything I've talked about here, even if you don't have a smart car at home, if you happen to rent one when you're off on holiday or on a work gig and you plug your smartphone into its little, you know, or connect by Bluetooth, or, you know, get some Wi-Fi going in the car— and that is a problem now because, give me a break, they're cleaning any cars before they transfer the renting to someone else.
GEOFF WHITE
Hmm. We actually, that happened. We, not to bring up my partner again, but we, we were source of all tech insights.

My partner, we hired a car and sure enough, she plugged her phone, connected her phone up, and we were stunned to see, you know, 400 names, names and phone numbers pop up on the dashboard.
CAROLE THERIAULT
Oh, crumbs. Perfect example. Exactly.
GEOFF WHITE
We did test this. So when we unplugged the phone and disconnected the Bluetooth, the numbers disappeared from the readout on the dashboard.

But you've maybe wondered now whether they disappeared from the car or a cloud server somewhere.
CAROLE THERIAULT
Well, according to John Leyden, this article— this article is about, I don't know, I think 8 months old— but he wrote, drivers normally get a warning when they hook up to their car through Bluetooth, but this is omitted when a USB connection is made.

So motorists can unwittingly transfer their smartphone contacts and call logs onto the systems of leased or rented cars.

And that is seriously scary to me because, yeah, I've probably done this loads of times and I've never thought about wiping that— a car, you know, a rental car before.

So I've learned something super valuable. Yeah, drop every friend or contact with a smart car. I do, Graham. Never buy or rent a smart car again.

In fact, I probably should really avoid leaving the house altogether because it's just too scary out there. So this is the new me, Carole the Hermit.
GRAHAM CLULEY
Whatever your industry, Detectify can help you stay on top of security and build safer web apps.

Just enter the name of your website and Detectify will run over 1,500 security tests against it, identifying real problems with a list of constantly updated vulnerabilities submitted by a global network of over 150 hand-picked ethical hackers.

The service can even help you discover web assets like unknown subdomains and determine if they're vulnerable to hostile subdomain takeover. So what are you waiting for?

Go hack yourself. Take a 14-day free trial at www.smashingsecurity.com/detectify. Detect with an -ify on the end. And thanks to them for supporting the show. Hey, Graham.
CAROLE THERIAULT
Yes. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight.

And when it comes to cybersecurity, that is super important.
GEOFF WHITE
So listeners, listen up.
CAROLE THERIAULT
If you do not have a password manager in your organization, please check out LastPass Enterprise.

They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.

Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity.
GEOFF WHITE
And welcome back.
GRAHAM CLULEY
Can you join our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone— oh, I haven't done that before.
GEOFF WHITE
We haven't had Geoff say Pick of the Week. I just thought that you dropped that because every guest like me forgets to do it or doesn't know they're supposed to do it.

I just thought you'd learned your lesson. But no, we still have to do it. Fine. Okay.
GRAHAM CLULEY
It's in the contract.
GEOFF WHITE
Leave the awkward pause and I'll try and step in a bit late as I normally do.
GRAHAM CLULEY
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
It could be occasionally. Not necessarily.
GRAHAM CLULEY
Now, my pick of the week this week— oh my goodness, a sad moment for everyone like me who's a bit of a Doctor Who fan of old, because one of the godfathers of Doctor Who, one of the great luminaries, Uncle Terry himself, Terrance Dicks, has died.

He died earlier this week.

And for those people who don't know, Terrance Dicks was someone who not only wrote the occasional Doctor Who story from the 1960s onwards, but he was also the greatest Doctor Who author of all time.

He wrote over 60 novelisations of Doctor Who.
CAROLE THERIAULT
So when you say greatest, you mean most prolific?
GRAHAM CLULEY
He was the most prolific, and in some ways he really moulded what Doctor Who is. And I'll tell you why he is great to a whole generation of boys growing up in the 1970s and 1980s.

Terrance Dicks is probably more responsible for getting me and those other lads to read books than anybody else. So like J.K.
CAROLE THERIAULT
Rowling?
GRAHAM CLULEY
If, no, not like J.K. Rowling at all. I mean, well, okay, maybe J.K. Rowling has had a tremendous impact on people as well, but Terrance Dicks wrote scores and scores of books.

And when lads in the '70s and '80s were asked by their English teachers who their favourite author was, there was bound to be someone in every school class who said Terrance Dicks.

And truth be told, it wasn't watching Doctor Who on TV which made me a fan of Doctor Who.

I believe it was actually reading the old Target novelisations of Doctor Who stories, because Doctor Who was never repeated.

You couldn't get it on video in those days, you couldn't get it streamed. Your way of recreating what you'd seen on TV was to go and read the book and reread it.
CAROLE THERIAULT
That's a very good point. That's true.
GEOFF WHITE
We were allowed at my local library three books at once. You could check out three books in the kids' section of the library.

I used to take out three Doctor Who books, read them all in a day, and go back and get three more. And I did that. So yeah, I remember those days of absorbing Doctor Who books.
GRAHAM CLULEY
It's very sweet.

There's a wonderful tribute by Rob Shearman, who himself wrote a Doctor Who story in 2005, published in the New Statesman, all about how Rob was a young lad with a stammer who met Terrance Dicks and interviewed him, and what happened, and how Terrance Dicks inspired him to become a writer.

Which Rob Shearman did. You can go and read it, it's linked in the show notes.

But as a little bit of fun, in honour of Terrance Dicks and his passing, I wanted to play a little game with you.

Now, because I've now discovered that Geoff White has read a fair number of Doctor Who books—
GEOFF WHITE
I think, yeah, when I was seven or whatever.
GRAHAM CLULEY
Okay, okay, I'm going to read out the names of three Doctor Who books and give you a little summary of what happens, and you have to work out which one I've made up.

Okay, so now the game begins, right? Two of these are real and one of them is made up. First one: Doctor Who and the Danger of the Cybermen.

A fantastic story where the Fourth Doctor, Tom Baker, took Sarah Jane Smith and Harry Sullivan to the Folkestone Literary Festival.

At least he thought he was going to, but he mistakenly landed in a quarry.

Who could believe Doctor Who could do such a thing on an airless planet on the outskirts of the unknown universe?
GEOFF WHITE
That is Folkestone. I think— sorry to people of Folkestone.
GRAHAM CLULEY
So that's one I want you to consider. The next one is Doctor Who and the Planet of the Spiders. Sarah Jane Smith again, because she's the greatest Doctor Who companion.

She visits a Tibetan meditation centre in rural England where a group of middle managers are trying to summon up a spider from the planet Metebelis 3.

And the final story I want you to consider is Doctor Who and the Brain of Morbius. Doctor and Sarah Jane Smith sent by the Time Lords to the planet Karn, graveyard of spaceships.

There they encounter the mad scientist Dr. Solon. So which of those is real, and which of them is made up? The Danger of the Cybermen, The Planet of Spiders, or The Brain of Morbius.

Geoff, have you got any feelings on this one?
GEOFF WHITE
I'm going Spiders. I think Spiders is the one you made up. Just the middle manager's bit is just a classic Cluleyism, I'm thinking.
GRAHAM CLULEY
Well, I have to say, Doctor Who and the Planet of the Spiders is a genuine Doctor Who story.
CAROLE THERIAULT
Good job, Clue!
GRAHAM CLULEY
Doctor Who and the Danger of the Cybermen was utterly made up by me, complete with a really rubbish title. I thought that would make it seem more likely, calling it The Danger of the Cybermen, but there you are.

Anyway, Terrance Dicks, what a chap. Fantastic, and mourned by Doctor Who fans all around the world. So he is my, not just pick of the week, I think it's just pick of a lifetime.

What a great impact he had on me.
CAROLE THERIAULT
Yeah. My husband was very sad too. So RIP Terrance Dicks.
GRAHAM CLULEY
Geoff, what is your pick of the week?
GEOFF WHITE
Controversially, my pick of the week is gonna be my own podcast. Should be. It's a great podcast. Something which, not to give the game away, I was put up to by someone.
GRAHAM CLULEY
Exactly. Have you got a podcast? You've got a podcast, Geoff?
GEOFF WHITE
I have got a podcast, weirdly, yeah, called Cybercrime Investigations, actually, since you ask.
GRAHAM CLULEY
Is it available on Apple Podcasts and Spotify and all good podcast apps?
GEOFF WHITE
It is. Well, Apple Podcasts and SoundCloud, you can get it on as well. If you just look for Cybercrime Investigations and my ugly mug, you'll find it.
GRAHAM CLULEY
And what's it about, Geoff?
GEOFF WHITE
Well, it's about the investigation—wait for it—of cybercrimes. When you're trying to research this stuff, often a lot of material gets left on the cutting room floor.

And when I talk to my mates and my family about this stuff, it's often the dead ends and the bits where it's not going well that they're most interested in, they find most interesting.

So that lovely polished version that you put out the end saying, ah, we investigated this and I found this and here's the story, it ignores two-thirds usually of what you've actually done, which is that didn't work out, that was the wrong guy, I went to the wrong place there.

And but actually that stuff is quite interesting.

So that's the whole point of Cybercrime Investigations thing, is to sort of milk the rest of the investigation I don't normally talk to people about. But also it's quite fun.

And I work with a lovely guy called Glenn Goodman, who's a fellow journalist but knows nothing about tech. So that's quite easy.
CAROLE THERIAULT
I love you two together, actually. I think you guys make such a good pair.
GEOFF WHITE
It is good. He's got a great sense of humor, and as I say, also asks the kind of questions that I need to be asked to kind of explain stuff.

So yes, Cybercrime Investigations is the thing, and we've done ones on TalkTalk, we've done ones on the Bangladesh Bank hack, and we did one on—what was the other one we did?

We've done various ones anyway, so you can catch up and listen. And it's about 90 minutes long, each one of them. Perfect length.
GRAHAM CLULEY
It's really enjoyable, and I have to say it's one of my favorite cybercrime podcasts. It's equal first with 538 other ones.

You know, it's genuinely—I'm just reminded of that episode of Desert Island Discs.

Wasn't there some famous opera singer who went on Desert Island Discs and chose 12 of her own records?
CAROLE THERIAULT
I was just having a drink of tea. Did she really? Was that a long time ago before I got here?
GRAHAM CLULEY
I think it was a long time. It may have been someone very—You've just been terribly polite. Absolutely brilliant.
GEOFF WHITE
I mean, surely after record number 3, you'd be saying, do you rate anyone else? Anyone else's work? No, no. Here's another one by me. I love it.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week this week is a podcast. Sorry, Geoff, I should totally have had yours.
GRAHAM CLULEY
Is it about cybercrime? Is it hosted by someone called Geoff White?
CAROLE THERIAULT
I'm talking about a podcast called Intelligence Squared. Now, overall, this is a great, great, great podcast. I love it.

And you'll hear an array of very smart people talking rather deeply about specific topics, actually. And that comes out every week. And it's great.

Now, the most recent Intelligence Squared pod that came out features a person I'm really into. I like her books. I think she's smart. She's a scholar. She's an author.

And she's named Shoshana Zuboff. Oh, yes. Yeah.

And last year, she published this massive tome of a book called The Age of Surveillance Capitalism, which I'm reading slowly and very much enjoying. It's just such a heavy book.

My arms get tired because I got a hardback. And whoa, sometimes it's good, you know, it's good for the guns. But this pod is a great intro to Shoshana's work.

I've heard her on a few pods, but I really love this one. She talks about how Obama ran the first political campaign that showed the power of targeted advertising, right?

And he had the main Google gurus advising him on how to do all this.

So it's like politicians are conflicted because they can directly benefit from the infotech that is infringing on the people they swear to serve and protect, which is an interesting dilemma, right.

She also talks about Facebook, which she says, and we all agree, has largely been self-regulated for a decade or more since its inception.

But of course, since Cambridge Analytica and everything else, the waters have been heating up and Zuckerberg has needed to shift his public perception.

So she says, and I paraphrase here, Zuckerberg is presenting himself as privacy woke, yet the irony is that privacy fundamentally contradicts everything that makes Facebook lucrative for its shareholders, aka him, because, you know, he has to wear black diamond-crusted pants, I'm sure, on a daily basis.
GRAHAM CLULEY
So is that the American definition of the word pants or the British?
CAROLE THERIAULT
British. I'm sure they'd be much more comfortable.
GRAHAM CLULEY
Yeah, slightly chafe slightly.
CAROLE THERIAULT
Right now she sees Zuckerberg and she says he's planning the move to centralize legislation, because if the legislation is centralized, you have a lot more representatives that have to agree, and that waters down a lot.

Then Zuckerberg can target all his lawyers and whips and whatever, what's the word called? Someone who sways. Lobbyists. Lobbyists, right, to that central jurisdiction.

Obviously also can ensure that these elected officials can enjoy the benefits of things they provide like targeted advertising.

So this is just two, but quite big massive points I think, and they're just crammed in amongst others in this tiny 30-minute podcast.

So go check it out, Intelligence Squared, with the wonderful learnings from Shoshana Zuboff. And then go buy your book. And that's my pick of the week.
GRAHAM CLULEY
Excellent. Thank you very much, Carole. And I think that just about wraps it up for this week.

Geoff, I'm sure lots of people would love to follow you online or maybe give you suggestions on what—
CAROLE THERIAULT
Or go listen to your podcast.
GRAHAM CLULEY
Yeah, listen to your podcast, you know, give you an idea for the title of your book or what domains to purchase. What's the best way for folks to get in touch with you?
GEOFF WHITE
Twitter's the easiest way, and I am Geoff with a G, G-E-O-F-F, White like the color, and 247 because I am 24/7, 7 days a week. Geoff White.
CAROLE THERIAULT
G from marge, but I love it.
GRAHAM CLULEY
You can follow us on Twitter as well at Smashing Security, no G. Twitter allows to have a G, and we've got an active community up on Reddit.

Just go to smashingsecurity.com/reddit and it will take you automagically there.
CAROLE THERIAULT
And once again, thank you to this week's Smashing Security sponsors, Detectify and LastPass. Their amazing support helps us give you the show for free.

And thanks to you, you classy, classy humans. Be you a listener, a Patreon supporter, a reviewer, you are the gravy on our mashed potatoes.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye. Are you a big fan of gravy on mashed potatoes? Oh yeah, peas gravy.
CAROLE THERIAULT
It doesn't have to be— I'm not talking meat gravy, it can be veg gravy, something, but a nice gravy, right?

But mashed potatoes, peas and gravy, maybe some, a few roasted carrots, I'm in heaven. Yeah, onion gravy.
GRAHAM CLULEY
You know what, I am too. I don't know why I'm questioning that. That is pretty, pretty awesome, isn't it?
GEOFF WHITE
In fact, I will share, if I may, Graham's feedback from the book where at one stage I talked about the gravy train coming to a halt, at which point Graham's feedback in the text was, 'What, there's a train for gravy?'

Update: Well, what do you know… Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “About the Twitter CEO ‘@jack hack’”

  1. @AntiSocial_Eng

    Cheers for the shout out Graham
