Twitter and the not-so-ethical hacking of celebrity accounts, a study that works out how much you would have to pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
Links:
- Dad pays girl $200 to give up Facebook — YouTube.
- How much is social media worth? Estimating the value of Facebook by paying users to stop using it — PLOS.
- Being paid to quit Facebook — Graham Cluley.
- This account has been hijacked (temporarily)! — Insinia.
- Security firm hijacks high-profile Twitter accounts — BBC News.
- 'Serious' Twitter flaw allows hackers to post on other people's accounts — Computer Weekly.
- Twitter is Broken — The AntiSocial Engineer.
- About Twitter's SMS PIN feature — Twitter.
- How to Tweet via text message — Twitter.
- Earn $2,000,000 by remotely jailbreaking an iPhone — Graham Cluley.
- Zerodium Offers $2 Million for iOS Hacks, $1 Million for Chat App Exploits — Security Week.
- Life as a bug bounty hunter: a struggle every day, just to get paid — MIT Technology Review.
- Yahoo changes bug bounty policy following 't-shirt gate' — ZDNet.
- Equifax Was Warned — Motherboard.
- Remove Background from Image - remove.bg.
- 'Tidying Up With Marie Kondo' Is a Quiet Delight — The Atlantic.
- Tidying Up with Marie Kondo | Official Trailer — YouTube.
- Bear Brook podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MARIA VARMAZIS. As an American, I have no idea who they are.
GRAHAM CLULEY. I've sat behind Louis Theroux on an aeroplane.
MARIA VARMAZIS. It's like we're there right now.
CAROLE THERIAULT. Did you try and lick his hair?
GRAHAM CLULEY. No.
MARIA VARMAZIS. Is that a thing that you normally do?
ROBOT. Smashing Security, episode 110. What? You can get paid to leave Facebook? With Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 110. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined for this brand new 2019 episode by a returning special guest, it's Maria Varmazis. Hello, Maria.
MARIA VARMAZIS. Hello.
CAROLE THERIAULT. Hello, Maria.
MARIA VARMAZIS. Hello, Carole.
CAROLE THERIAULT. Welcome back. How are you?
MARIA VARMAZIS. I am great. Let's do the whole podcast this way. Let's keep it up. Oh my God, I could do it.
GRAHAM CLULEY. Yes, right. So everything good with you, Maria? You had a good break?
MARIA VARMAZIS. Oh, it was made extra special by receiving some Texan single malt whiskey in the mail from a listener named Adam, who's a buddy of mine. So thank you, Adam.
CAROLE THERIAULT. Sorry, a Smashing Security listener?
MARIA VARMAZIS. Yes.
CAROLE THERIAULT. Sorry, sent you whiskey?
MARIA VARMAZIS. Yes, which I'm totally open to receiving at any time from all listeners, for the record.
GRAHAM CLULEY. So hang on, hang on, this is my 110th episode and no one sent me any whiskey. How many bottles of whiskey have you received?
CAROLE THERIAULT. I'd rather not say.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. Okay, no, really, zero. Actually, I don't mind because I'm not drinking at the moment. This is a 2019 New Year's resolution.
MARIA VARMAZIS. Oh, for the whole year or just for January?
CAROLE THERIAULT. January. What if I make it to the end of the week? It's a haram.
MARIA VARMAZIS. Some people try to go all of January without drinking. It's like a thing.
GRAHAM CLULEY. Good luck with that. Now, we have a doozy of a show for you this week.
CAROLE THERIAULT. Graham tries to find out how much it would cost to get Maria off Facebook. No! Maria slaps Twitter's fingers for ignoring a reported problem with their service for more than 6 years. And I look into bug bounty programs. Turns out they're not all created equal. All this and much more coming up on Smashing Security.
GRAHAM CLULEY. Recorded Future believes that every security team can benefit from checking out their free Threat Intelligence Handbook, which offers practical steps for applying threat intelligence in any organization. For anyone who is baffled by threat intelligence and the benefits it can bring to your company, this is the book for you. It's an easy-to-read guide. It'll help you understand why threat intelligence is an essential part of every organization's defense against the latest cyber attacks. Download your free copy now by visiting smashingsecurity.com/intelligence.
CAROLE THERIAULT. Are you not running a password manager in your organization? What are you thinking? May I invite you to check out LastPass Enterprise? Just go to this URL: lastpass.com/smashing. God, I find that so hard to say. lastpass.com/smashing. Here you can learn all about what password managers can do for your firm. You can download a Forrester report all about the topic, and you can learn more about LastPass enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, then put on your digital skates and slide on over to lastpass.com/smashing. I use them, I heart them, so you should check them out. On with the show.
GRAHAM CLULEY. Maria, the big question, it's on everyone's lips, is Do you have a New Year's resolution?
MARIA VARMAZIS. Hell no. Absolutely not. Have you ever done—
CAROLE THERIAULT. ever had one?
MARIA VARMAZIS. I'm sure when I was more optimistic, yes, but I now know it's just setting myself up for failure, so I just don't bother.
GRAHAM CLULEY. Okay, well, look, we are going to suggest one to you, and that is to get you off Facebook once and for all for your sanity. I see.
CAROLE THERIAULT. To protect you. It's good for you.
GRAHAM CLULEY. This actually is an intervention. You thought you were coming on as a podcast guest.
MARIA VARMAZIS. Oh no!
GRAHAM CLULEY. We are actually— this is— It's all a setup.
MARIA VARMAZIS. Is that why my mom's here?
CAROLE THERIAULT. Yeah, sit down and buckle up, Maria.
GRAHAM CLULEY. That's it. Or we'll buckle you up around the back, actually. This is the thing, right? We want to wean people off Facebook for their own sanity. And I'm interested in what it would actually take. Could I bribe you, Maria, with money to leave Facebook?
CAROLE THERIAULT. Ooh, interesting concept. How much would it cost to pull you off Facebook?
MARIA VARMAZIS. I mean, technically nothing, but I don't know. I've never thought about it. Yeah.
CAROLE THERIAULT. Well, think about how much value you get out of it.
MARIA VARMAZIS. Very little.
CAROLE THERIAULT. So $500?
GRAHAM CLULEY. Could you quit for a year for $500 of your US dollars?
MARIA VARMAZIS. Of my US dollars, which is now worth very little. Thank you, stock market.
GRAHAM CLULEY. Well, compared to British pounds, I think it's about $50 is worth about 97,000 British pounds, I believe.
MARIA VARMAZIS. So what about Zimbabwean dollars? Are we there yet? Like, what, 2 billion?
GRAHAM CLULEY. Anyway, listen, some people are actually turning to money as an incentive to quit Facebook. 6 years ago, for instance, there was a news report about a chap called Paul Baier, and his teenage daughter was getting a little bit sick of Facebook. And so she asked him, hey, Dad, would you pay me $200 to quit Facebook? Presumably she said it in a Boston accent.
CAROLE THERIAULT. Where is she from?
GRAHAM CLULEY. I think she's sort of Massachusetts.
MARIA VARMAZIS. Yeah, they're from Wellesley, so they don't talk like that.
CAROLE THERIAULT. No one talks like that.
MARIA VARMAZIS. No one talks like that.
GRAHAM CLULEY. Anyway, he agreed. And he wrote up a contract which he got her to sign, as he told a TV station over there. It turns out that Paul Baier's 14-year-old daughter was serious about quitting Facebook. So earlier this week, the Wellesley father and daughter signed a contract. And I'll have access to her Facebook.
MARIA VARMAZIS. Oh, I love the bit where they have like a laptop bouncing on the hood of the news van. It's like, this is what a computer is. This is what Facebook looks like. For those at home who don't know.
GRAHAM CLULEY. She's pretty good about honoring a contract.
MARIA VARMAZIS. Oh, and the guy's got a Sox cap on in the story. I love my home state, it's so predictable.
CAROLE THERIAULT. And so she wants to leave Facebook and she wants to get paid to do it. Not bad.
GRAHAM CLULEY. Yeah, as a little incentive. And he agreed.
MARIA VARMAZIS. Amazing.
GRAHAM CLULEY. Now it got me thinking, you know, how much would it take to get people to quit Facebook? How much money would they have to be given? And it's not just me who's thinking this, a series of boffins have also been exploring this question, and they have determined in a brand new study that the average person would need to be paid more than $1,000 to agree to stop using the social network.
CAROLE THERIAULT. God, I feel so cheap now. I did it for free.
GRAHAM CLULEY. It'd be good, wouldn't it, if there was some charity which popped up and said, oh yeah, we'll look out, you know, you could give your money to the starving in Africa or to—
CAROLE THERIAULT. or to Carole Theriault, who gave up Facebook for a year. Exactly.
GRAHAM CLULEY. We do a charity song for Carole. Because she's given up on Facebook.
MARIA VARMAZIS. Do they know that Facebook really sucks? No, no.
GRAHAM CLULEY. Copyright. Get Bob Geldof on us now.
MARIA VARMAZIS. Don't sue me. Please don't sue me.
GRAHAM CLULEY. Now, this study by 3 economists and a social media researcher was published on the Public Library of Science website, and it describes how they ran a series of real-life auctions with real genuine money. And they asked over 1,200 people to bid on how much money they would need to quit the social network for as little as an hour or even up to a year. Now, the way this works, these sort of auctions, is it's kind of crazy, isn't it? Because if you say, well, please give me $20,000, right?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And I'll quit Facebook.
MARIA VARMAZIS. Sure.
GRAHAM CLULEY. Right? That's not quite how it happens. What happens is this: they give the money to the lowest bidder. So the lowest bidder who agrees to sell their Facebook access gets the amount of money of the second lowest bid. So in this way, people actually bid a realistic amount for what they would be happy to receive.
CAROLE THERIAULT. Sorry, don't follow. Do not compute.
MARIA VARMAZIS. They're trying to get people to stop inflation on the bids, basically. So the people who lowball are probably the people who are closest to the real value, is their guess. Right.
GRAHAM CLULEY. So they commit, they commit in advance to agreeing for the price of the second lowest bid. So that cuts out the really stupid bids.
MARIA VARMAZIS. Right, right, right. $1 million.
GRAHAM CLULEY. But, and it also, yes, it also cuts out anyone who puts out a really, really big bid as well.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. So you go for the second lowest one in this particular setup because you're giving something away, you're not actually trying to win something. So to receive the cash, they had to show a page from their Facebook settings showing the date when they deactivated their account and then when they reactivated their account, if they did bring it back after the year. And they were also told that their accounts would be checked throughout the year to ensure compliance.
CAROLE THERIAULT. Now, are they checking it? Surely you're activating it.
GRAHAM CLULEY. Oh no, I don't think— it's not logging in. I think maybe you're Facebook friends with the boffins.
CAROLE THERIAULT. Oh, they see if you're online or something.
GRAHAM CLULEY. I imagine, or posting. Now I find this all full of flaws, to be honest. As a sort of shyster myself, I'm instantly thinking, I'll say that I'll give up for a year, but of course you just create another account, don't you?
MARIA VARMAZIS. Is that what you did with the Smashing Security podcast page? Is there like a shadow podcast page?
CAROLE THERIAULT. Hashing Smersh—
MARIA VARMAZIS. Hashing Smershmerdy.
GRAHAM CLULEY. Anyway, obviously there are ways around this, right? It's not entirely foolproof. And you can imagine all kinds of ways in which you could game the system if you really, really wanted to. They didn't really touch on that, but they do get this price of over $1,000. Now, some people refused to participate at all in the auction. They said, you know, frankly, any deactivation of our Facebook account for a year would be so crippling. It's just not something we would ever welcome.
CAROLE THERIAULT. I can imagine for small businesses, that's the case, right? I mean, there's loads of web presences out there that only exist on Facebook. So people have shops there and stuff. Yeah.
MARIA VARMAZIS. Yeah. I could see that.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. This wasn't actually asking businesses. This was mostly asking sort of students, you know, just sort of lolling around, not doing very much, probably just updating their Instagram when they're not on Facebook. You know, it was those sort of people who are mostly being questioned.
CAROLE THERIAULT. Very scientifically explained. Yes.
MARIA VARMAZIS. Yes.
GRAHAM CLULEY. And some of them, of course, said, oh, give me $50,000. They obviously hadn't understood the rules of the actual auction to realize that wasn't going to work. So they were kicked out as well. But they ran 3 different auctions. The average bid for a year's worth of Facebook account deactivation was over $1,000. Mm-hmm. So what it seems to me is that despite all of the scandals and the data privacy screw-ups we've seen over the last year and the headlines, the Cambridge Analytica, the vulnerabilities, the trolls from Russia, the fake news, the sloppy handling of private data, users are still valuing Facebook really highly. You can't imagine anyone actually paying $1,000 for Facebook, can you?
CAROLE THERIAULT. It's interesting how people use Facebook to stay connected. It is the biggest connection tool, isn't it, really?
MARIA VARMAZIS. Yeah, it's got its tentacles in everything.
CAROLE THERIAULT. Yeah, it's like, what, 2 billion users or something?
MARIA VARMAZIS. Yeah, it's not easy to extricate yourself from it. That's the problem that I have. So even if you barely use it anymore, coming off of it completely is a different story. You kind of have to leave a toe in, even if you're not really using it much.
GRAHAM CLULEY. And I can understand, I mean, I don't know your reasons for being on Facebook, Maria, but I know you've got a young child, for instance.
MARIA VARMAZIS. She's not on there though.
GRAHAM CLULEY. No, right. But maybe you want to keep people updated regarding, you know, you and what you're doing, you know, you can set your privacy. No, don't do anything.
MARIA VARMAZIS. What are you doing on Facebook?
CAROLE THERIAULT. Coffee mornings?
MARIA VARMAZIS. No, I honestly, it's most of my family lives very far away and same thing with most of my friends. They've all scattered to the four corners of the earth to find their fortune. So I mainly just post bullshit memes on Facebook and leave comments on what my friends post. Like, so they don't come to me to find out what's going on. But when people make like an event or something, that's basically what I use it for. But I don't use it for photos. I don't post updates. I'm barely using it. So yeah.
GRAHAM CLULEY. But you're privacy conscious, you're security conscious. I wonder if it's not a thousand.
CAROLE THERIAULT. What the hell are you doing, Maria?
GRAHAM CLULEY. What would Facebook need to do to get people to leave in droves? What more could they possibly do?
MARIA VARMAZIS. Facebook can't do anything.
CAROLE THERIAULT. How much more can they fuck up before you decide to leave?
MARIA VARMAZIS. It's the critical mass of people. That's the problem. So I saw over the Christmas, New Year's break, I saw a ton of people posting these long-winded statuses or notes saying, I'm going to leave Facebook because it's just gotten to be too much. And they were like, here are all my reasons. And then to like every single one, a week after they said they would quit, they were like, I found out that I can't really quit because too many of you are still on here. I mean, it was so predictable. So I'd read all of these and go, yep, I know what's going to happen here. Make a big noise and then nobody leaves. It's just that everybody else is still on there. So you can't leave because where are you going to find your friends?
CAROLE THERIAULT. Well, Graham and I are not there.
GRAHAM CLULEY. You found us.
CAROLE THERIAULT. Yeah, but you don't count.
GRAHAM CLULEY. We don't count as friends. You don't count. We're podcasters. Yeah.
MARIA VARMAZIS. You're just voices in the ether, you know. Yes, it all comes out now in 2019.
GRAHAM CLULEY. What needs to happen is everyone needs to leave at the same time. You need some kind of Jonestown scenario, some sort of solar temple cult saying on October 31st, the aliens are going to land, we're all going to die, so we have to drink this juice beforehand. The truth is, right? Oh, well, this is the truth as I see it, is that Facebook is an addiction. But you know what? Why not go cold turkey right now?
CAROLE THERIAULT. Yeah, Maria.
GRAHAM CLULEY. But maybe going cold turkey is too difficult. Maybe just like some folks are giving up drink, like Carole, or stopping smoking for a month, maybe there should be a month when everyone tries to get past without logging into Facebook.
CAROLE THERIAULT. Yeah, just deactivate and see how long it takes you before you activate again. I am sure it is so slippery to reactivate.
MARIA VARMAZIS. I'm sure you'll even just go to the pages, bing, bing, bing, boom. No Facebook February, make a commitment.
CAROLE THERIAULT. Interesting.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. I, I could try that. I could give that a shot.
GRAHAM CLULEY. Well, no, no Facebook in February.
MARIA VARMAZIS. The thing is though, I have two Facebook accounts.
GRAHAM CLULEY. Oh, because you've got like a work one or something?
MARIA VARMAZIS. Yeah, I've got like a work one and a personal one, basically.
CAROLE THERIAULT. So it's a personal one.
MARIA VARMAZIS. Okay. Yep. Okay.
CAROLE THERIAULT. And, and you can come on at the end of February maybe and tell us how it was.
GRAHAM CLULEY. We'll check up on you.
MARIA VARMAZIS. Yeah, I can do a No Facebook February. Absolutely.
CAROLE THERIAULT. Okay, I'm off your list.
GRAHAM CLULEY. Okay. All right.
MARIA VARMAZIS. Because it's the shortest month of the year, so, you know, whatever gets you through, baby.
GRAHAM CLULEY. Maria, what story have you got for us this week?
MARIA VARMAZIS. Well, the long and short of it is, how nicely do you have to ask a company to fix a vulnerability if it's been around for, oh, I don't know, 5, 6, 7 years? They haven't fixed it. It's been kicking around. What do you do?
CAROLE THERIAULT. Yeah, it's a crazy situation. The fact that when you go and report it and you don't hear anything back, what do you do? How frustrating.
MARIA VARMAZIS. Yeah. I mean, do you just continue to ask nicely or do you go tell the world? So there's a security firm called Insinia, and they wanted to highlight a longstanding Twitter bug that, uh, has existed for like 6 years. And what they did, basically zero-day style, is they hijacked the accounts of various celebrities and posted phony tweets to their accounts to demonstrate how the zero-day worked. Or I'm calling it a zero-day, whatever, if it is or not, you know, that's up for discussion.
CAROLE THERIAULT. 6-year-old zero-day.
MARIA VARMAZIS. Yeah. It's kind of like weird to call it that, but so they, they, they wanted to show it live. Right. They wanted to do it live.
GRAHAM CLULEY. Yep.
MARIA VARMAZIS. So to do that, they actually posted funny tweets to accounts of a bunch of people who I do not know, but Louis Theroux, Simon Calder, Saira Khan, Eamonn Holmes. I don't know who these people are, but they're verified on Twitter. So I assume that they're very important.
GRAHAM CLULEY. Very, very important. Well, I know who two of those are.
CAROLE THERIAULT. Yeah, I know who two of those are too.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Okay.
MARIA VARMAZIS. So their names you recognize as an American. I have no idea who they are.
GRAHAM CLULEY. I've sat behind Louis Theroux on an airplane.
MARIA VARMAZIS. It's like we're there right now.
CAROLE THERIAULT. Did you try and lick his hair?
MARIA VARMAZIS. Is that a thing that you normally do, Graham?
GRAHAM CLULEY. I've sat on a sofa with Eamonn Holmes. So those are the two I know.
MARIA VARMAZIS. Did you try to lick his hair? Okay, this is— we need another podcast for this because I need to explore what's going on there. That's okay. So Insinia was basically trying to show that there's a really remarkably simple problem with Twitter where if you know a user's phone number and that user has their phone number attached to their account, which many of us have for two-factor reasons, you can spoof a tweet or a retweet or a like to that person's account with very simple technical know-how basically. So all you need to do is just basically send a text to Twitter with that person's phone number and a little bit of something else and there you go. You've now posted a phony tweet to their Twitter account. So—
CAROLE THERIAULT. OMG. This has been lurking around for 6 years and no one— even cared.
GRAHAM CLULEY. It's madness, isn't it?
MARIA VARMAZIS. Yeah, so you know how we talked about in December about spammy promotional tweets on Twitter that have been the accounts that have been hijacked? This to me seems a bit more under the radar, but sort of in that vein. So you could post a nasty fake tweet to somebody's account and yeah, they could notice it and then delete it later. But if that person's like abandoned their account or something, you could really take over what they're putting out there and put all sorts of nasty shit out there in perpetuity. Yeah. So that actually could be pretty dangerous if you think about it, like malicious links or links to like terrorist propaganda or you name it, that could get kind of gross pretty fast.
CAROLE THERIAULT. You know what? Ironically, if people did start doing that, Twitter would probably do something about it.
MARIA VARMAZIS. Interesting you say that. So Insinia said, you know, we've been waiting 6 years and rattling cans and throwing boots at Twitter's head and stuff, but they're not doing anything. So we're tired of waiting. And so they decided to draw attention to the issue by, quote, ethically hacking accounts.
GRAHAM CLULEY. Mm-hmm.
MARIA VARMAZIS. They're ethically hacking. What does that mean? In their own words, they said they contacted the user notifying what was about to happen. So we're gonna hijack your account, post some tweets to it. You can't stop us, but we're gonna do it. They then sent the command in order to send the tweet. They then retweeted their own tweet with a link to their own blog post explaining what happened and how it works. And then they offered to provide support to anyone who was concerned about the attack and wanted additional information on how to protect and secure themselves. So they weren't hiding.
GRAHAM CLULEY. But they also didn't ask for any permission, did they?
MARIA VARMAZIS. Right. They did not. They were just like, we're going to do this. Heads up.
CAROLE THERIAULT. Yeah, because it's not Louis Theroux's fault, for example, that Twitter have this bug.
MARIA VARMAZIS. Correct.
CAROLE THERIAULT. Yet it's his account that has been smacked around looking like— and he looks like a dumbass.
MARIA VARMAZIS. Yeah, yeah. And it's just like, this account has been hijacked ethically. It has been ethically hacked. Here's what's going on. It's like, oh, come on, really? So just to be clear, they never had control over the accounts that they hijacked. They just were— they're just able to send those tweets. Um, and they were able— and they were pointing people to blog posts saying, yeah, this is us doing it. It's not the account owner. We're totally taking accountability for what we're doing. So there's no mystery. And they communicated what's going on and how people can protect themselves. But the folks who actually got their Twitter accounts compromised did not agree. So Simon Calder for— surprise!
GRAHAM CLULEY. How completely unreasonable of them.
MARIA VARMAZIS. Right. So Simon Calder was interviewed by the BBC about this and he said—
CAROLE THERIAULT. Was he outraged?
MARIA VARMAZIS. No, he said he confirmed the attack had been done without his permission and he described it as, quote, tedious and annoying.
CAROLE THERIAULT. Okay, that's so English.
MARIA VARMAZIS. And it was an experience that had left him feeling unimpressed. Yes. I love it. So here's the funny thing. After all this, it actually—
CAROLE THERIAULT. this tactic worked.
MARIA VARMAZIS. It worked.
CAROLE THERIAULT. You see it?
MARIA VARMAZIS. Apparently Twitter has now actually fixed this problem because of these nasty tweets that Insinia sent out through other people's accounts. They used zero-day tactics, sort of, I guess, sort of a stretch to get attention on this issue, on this really old problem with really questionable ethics, but it worked and the harm was minimal to the victims. What do you think?
CAROLE THERIAULT. One thing that I noticed, they are defining what they say ethical hacking is. Right. They're saying ethical hacking is, well, we're coming clean and we're doing this, therefore it's fine.
MARIA VARMAZIS. Yeah, like they made this decision without talking to anybody.
CAROLE THERIAULT. Yeah, but by putting the word ethically in front of it doesn't make it ethical.
MARIA VARMAZIS. No.
CAROLE THERIAULT. Yeah.
MARIA VARMAZIS. Yeah, but it worked. And I'm sure for them, but it worked. That's for them, the end goal is like, get Twitter to fix their shit.
GRAHAM CLULEY. It was also arguably illegal what they did.
CAROLE THERIAULT. Hmm. I don't think arguably, I think it is.
GRAHAM CLULEY. Well, you know, this was unauthorized access to other people's accounts. It wasn't done with their permission. And in fact, a very similar stunt was performed just a couple of weeks before Insinia did it. A guy I know called Richard de Vere, who's also known as the Anti-Social Engineer, he worked with Computer Weekly magazine, and with their agreement, as an experiment, he basically hijacked Computer Weekly's account and got them to post a message. They knew that he was going to do it, but it was all under his control, and they then wrote that up. Whereas Insinia, and they got an awful lot more PR attention from this, hacked into basically celebrity accounts and posted these messages and caused some concern. Now, what's curious is Insinia have on their board, some of the top dogs at the company are actually former members of the Met Police and the Computer Crime Unit. And so you would expect—
MARIA VARMAZIS. That's a great little bit of color.
GRAHAM CLULEY. You would expect them to know a thing or two about the computer crime laws. And it feels to me like this was just a huge PR stunt. But even if this was—
MARIA VARMAZIS. Come on, 6 years! Well, yes.
GRAHAM CLULEY. You're right, that's not good at all. But Computer Weekly and the work done by the Anti-Social Engineer had already raised awareness of this. And it was in the public eye, albeit, you know, wasn't picked up by the Daily Mail and co. like Insinia's stunt was because of the celebrity angle.
CAROLE THERIAULT. And the problem didn't go away.
GRAHAM CLULEY. Well, that was only days before they then did it and were claiming all the credit for having this amazing discovery. It's like, well, this has been known for years.
MARIA VARMAZIS. Yep. Yep. Yes, that's true.
GRAHAM CLULEY. I would imagine most of us would never want to update Twitter via SMS anyway, by sending an SMS message.
MARIA VARMAZIS. Not anymore. When, when Twitter first started though, I remember I actually, I used that method.
GRAHAM CLULEY. Yeah, maybe like 10 years ago you might have done that. But I mean, I think for most of us it just became an impractical way to interact with the site. And the bad thing has been that, as far as I know, there hasn't been a way to turn that off. And the PIN code, which Twitter could supply for you to use as a security measure to protect your account. And so you had to send a message with your specific PIN code to update your account. That only worked in some countries. It didn't work in all countries. I think it may be relevant that these particular attacks all appeared to happen against UK-based accounts. So things with Twitter and SMS work differently in different countries. One thing to be aware of.
MARIA VARMAZIS. Yep.
CAROLE THERIAULT. Yep.
MARIA VARMAZIS. You know what though?
CAROLE THERIAULT. It's a really good lesson though for people that have services with legacy functionality that's no longer popular.
MARIA VARMAZIS. Maybe turn it off.
CAROLE THERIAULT. Maybe turn it off. I've worked in big companies and people hate revisiting old code and deciding whether they should retire stuff. It's so boring and people hate doing it. And this is what happens. They probably thought it wasn't important because it's a functionality that people don't use.
MARIA VARMAZIS. Or they forgot that it was even there.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And wouldn't it be great if Twitter now decides to change its default? So if you create an account on Twitter now, wouldn't it be great if all this SMS nonsense which the vast majority of people would never need, was disabled by default. And you had to knowingly turn it on and say, "Yes, I want to be able to interact with my account via SMS."
MARIA VARMAZIS. I just wanted to ask a quick question. Do you think we're gonna see other people trying to do this kind of stunt work, like this kind of bullshit stunt work that, I mean, we see it all the time anyway, but since this actually quote worked, is this gonna create a lot of copycats?
GRAHAM CLULEY. Well, that's a real danger, isn't it?
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. Is that seeing anyone in the security community think, "Oh, the computer crime laws don't account... they don't cover us, you know, they don't abide by us, and so therefore we can go and do what we want." It does kind of give the green light to others to do similar things. And I think most people in the security research community think, no, what happened here was wrong.
MARIA VARMAZIS. It shouldn't have been done this way. It was irresponsible disclosure.
GRAHAM CLULEY. It wasn't just the disclosure, it was the fact that they—
MARIA VARMAZIS. They hacked something.
GRAHAM CLULEY. They abused other people's accounts without their permission. You know, I could have tapped on Louis Theroux's shoulder when I was on the airplane and said, hey, Louis, do you mind when we land, can I lick your hair? That's what they should have done, right?
MARIA VARMAZIS. Yes. Consent is a thing. Yeah.
CAROLE THERIAULT. You know, Graham, maybe for February you should give up Twitter.
GRAHAM CLULEY. Oh, yeah.
CAROLE THERIAULT. You keep going on at Maria.
GRAHAM CLULEY. Bollocks to that.
MARIA VARMAZIS. It's his podcast. He doesn't have to do that. You see?
CAROLE THERIAULT. Oh, how addiction is defensive.
MARIA VARMAZIS. Shall we go on?
CAROLE THERIAULT. I'm not talking to you anymore. So today we are skipping off to the wild world of bug bounty hunters. Can someone be a full-time bug bounty hunter and make a worthwhile career? Basically make enough money to live. The thing is, we have oodles of listeners that are tech savvy, right? So this could maybe be a surefire way that they might be able to make a living. Bug hunting kind of evolved with tech savvy and curious guys and gals tinkering away, poking and prodding away at a new system or application or service. If they found a serious bug or problem, many would report it to the company that was in charge of that service or application or whatever. And they may be doing it for the kudos or to make the service less vulnerable for other users or whatever their motivation. Few expected to be paid for it in the early days. And from a typical bug hunter point of view, the gold would come if the company publicly announced, thanks to the bug hunter's discovery and report, the company fixed the vulnerability before it was ever exploited, right? And now that person got a good career ahead of them.
GRAHAM CLULEY. Good news.
CAROLE THERIAULT. Yeah, exactly. Now, a company with a zero-day vulnerability did not always respond predictably when they were told about it, right, Maria?
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. As we've just seen. So where one company might take it seriously, assess the report, and address the issue, another company might just ignore the messages from the security researcher, either not checking, you know, the public-facing email account to which the bug was sent or not prioritizing the problem.
MARIA VARMAZIS. Happens all the time. Yep. Sending the lawyer after the researcher is another one they love doing.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Yeah. And this was the case, in fact, with the Equifax cyber snafu, right? 6 months after a security researcher first notified the company about the vulnerability, Equifax patched it, but only after the massive breach put millions and millions of people's personal info at risk.
MARIA VARMAZIS. I am on the floor shocked. I can't get up. I just can't get over this. I know, but in a way, your blood should boil because it's so—
CAROLE THERIAULT. I mean, that makes it so fricking annoying. They were actually forewarned and did nothing, right? And it's so ironic because if companies were thinking logically, it's of course much, much, much preferable to find out about a zero-day or a serious vulnerability directly and privately rather than having it splashed all over the news, as per your story, Maria. And should the vulnerability end up making headlines, it's much, much better that said company can say, hey, we've already resolved it. You know, they don't have to deal with the media fallout as well as the vulnerability.
MARIA VARMAZIS. Security.
CAROLE THERIAULT. So this is where bug hunter bounty firms fit in. So these investor-backed fat cats are kind of streamlining the process as well as driving some serious revenue into the business model. The main players in the space include HackerOne, Synack, and Bugcrowd. And these firms help run bug bounty programs for clients. And they also seek out researchers to find vulnerabilities in return for a payout. So it's a nice little system, little ecosystem going.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. HackerOne, for instance, say they pay just shy of $2,000 per vulnerability in 2017, for a critical vulnerability in 2017.
GRAHAM CLULEY. Is it them paying it though, or is it the company which had the vulnerability?
CAROLE THERIAULT. Well, how much has been paid out using their—
GRAHAM CLULEY. Oh, I see. Critical vulnerability, you get that kind of money. Oh, okay.
CAROLE THERIAULT. And then on Synack, they say about $650 per vulnerability, and that's not critical, but vulnerability. And they say some have paid up to $30,000 for uncovering critical bugs. And then you've got Bugcrowd. They have about 3,000 people working for them, and they average between $1,000 and $2,000 for all bugs. So you can kind of see a price point there.
GRAHAM CLULEY. And I think it's good that, you know, people are finding the bugs who are basically doing the work of the software and hardware manufacturers, which they should have done. Yes, they should be rewarded for finding these bugs and vulnerabilities.
CAROLE THERIAULT. Oh, absolutely. You know, of all the time these guys are wasting, not finding stuff and therefore not getting paid for it.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Right? So, yeah, I mean, I'm surprised it's so low, but in comes this company called Zerodium. Zerodium announced today, this is the day of recording on Tuesday, announced payments of up to $2 million for iOS hacks and $1 million for chat app exploits.
MARIA VARMAZIS. But not just any iOS hacks, I would imagine, they're very specific ones, right?
CAROLE THERIAULT. Exactly. Now look, I've shown you their price list here and you can see some of the stuff that they are offering money for. So if you can remotely jailbreak an Apple iOS, they'll give you $2 million for it.
MARIA VARMAZIS. Yeah. Okay.
CAROLE THERIAULT. And that's up $500,000 from the previous year. So you can see this is big money and this has obviously gotten big headlines. Now before you get excited, especially after the financial hit that was Christmas, Zerodium are a very different breed of bug bounty hunter firm. They're certainly getting all these big headlines with their big payouts, but what they do with the vulnerabilities that they buy from independent researchers— so they pay the independent researcher for the exploit, but they don't sell it to the company. They sell it to government intelligence services so that they can take advantage of these loopholes.
MARIA VARMAZIS. Eek. Eek. Oh, of course.
CAROLE THERIAULT. So law enforcement and intelligence agencies are kind of their target market.
GRAHAM CLULEY. Why? Because they're the ones with the money and they're the ones who really want to hack into somebody's iPhone.
MARIA VARMAZIS. Oh, yes.
GRAHAM CLULEY. And they want to use a vulnerability which hasn't been patched and which isn't going to become known to, for instance, Apple or Google.
CAROLE THERIAULT. This is the ultimate ethical issue here. The premise here is not to make the service safer, but to help authorities get access to information they really shouldn't have. Finding a route into private messages, for instance.
MARIA VARMAZIS. I'm sure something like this has been happening on the black market for ages. Just these are people working for somebody else and we didn't know about the transactions. So this is sort of making it a little more visible. But, you know, if you want, if you want these kinds of really hot-button vulns, you got to be willing to pay serious money because $1,000 is not going to get, you know, somebody's attention necessarily. $1 million, $2 million. Yeah.
CAROLE THERIAULT. Yeah. CNN Business said Zerodium is a cyber arms dealer. It pays hackers to learn about their tactics, then packages and sells it to elite subscribers. Now, the problem I have here is you're talking, Graham, I saw the article and the comment you just made about intelligence companies and governments having a lot more money to pay for these loopholes. But I don't know, I poo-poo that a bit. I mean, Google and Apple are not hurting, right?
GRAHAM CLULEY. Amazon are not hurting. Yeah, but they don't want to get into a game where the price is constantly going up to extortionate, incredible levels for bugs being reported to them.
CAROLE THERIAULT. Remember T-Shirtgate in 2013? Yahoo were accused of paying for very serious bug finds, which is 4 XSS vulnerabilities. They paid with a t-shirt, a $12.50 t-shirt.
MARIA VARMAZIS. Yeah, but this is cross-site scripting. That's not a big deal.
CAROLE THERIAULT. That's no big deal.
MARIA VARMAZIS. That's no biggie.
GRAHAM CLULEY. But they did subsequently initiate a proper bug bounty program.
CAROLE THERIAULT. Because someone went public with the fact that they were pissed off with getting a $12.50 t-shirt.
GRAHAM CLULEY. But you can't go from one extreme to the other, Carole. You can't go from a $12 t-shirt to $2 million.
CAROLE THERIAULT. No, but listen, we— I was reading the story about Philippines-based bug bounty hunter Evan Rickaford, right? He spends 75 hours a week, he says, looking for bugs, and he averages about $187 a month. Now, before you think he's obviously very crap at his job, he has found vulnerabilities in products from over 200 companies. Companies, right? And $187 is the average salary in the Philippines, but it certainly ain't for the US, UK. You ain't, you're not having burgers that night.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. It ain't gonna cut it.
MARIA VARMAZIS. No, that's like one burger. No.
CAROLE THERIAULT. Exactly. Depending on where you go.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. So I guess the question is, do we think these bug hunting firms are valuable middle guys that might help grease the wheels for safer code and actually pay researchers what they deserve? I'm not just talking about Zerodium here. I'm talking about bug hunting firms in general, like HackerOne or— Well, no, hang on.
GRAHAM CLULEY. The likes of HackerOne are running the bug bounty programs for big tech firms, aren't they? And so the tech firm partners up with HackerOne and says, these are the rules of our bug bounty program. This is the money. Please, can you run this for us? Because we're a software company. We've got no idea how to run a bug bounty program. HackerOne isn't then selling them off to the highest bidder, those vulnerabilities. Those vulnerabilities are only going to get passed on to the people who can actually fix the problem. So the unpleasant thing here, I'm afraid, is Zerodium and its ilk, who are basically selling to the highest bidder. Now, having said that, would it be any better if they were driven underground?
MARIA VARMAZIS. Yeah, because that's where this is going on anyway. No. Yeah.
CAROLE THERIAULT. Wouldn't it be better if legitimate firms like HackerOne told their clients, hey, maybe up the bug bounty from $25, buddy?
MARIA VARMAZIS. Yeah, you gotta walk before you run though, right? I mean, if you think about T-Shirtgate, in 2013, you were lucky if you got a response from somebody if you sent in a vuln. And like, I don't think a lot of people were even paying any bounties back then. They're still kind of a new thing.
CAROLE THERIAULT. Turns out if you find a bug in Twitter, you're lucky in 2018.
MARIA VARMAZIS. Right. Yeah. So, I mean, the fact that bug bounties now exist and are being adopted is great progress compared to where we used to be just a few years ago. So, like, it'd be great if companies paid more. But I mean, the fact that some of them are doing it at all is like pulling teeth.
GRAHAM CLULEY. Why don't the intelligence agencies use these vulnerability brokers against each other? Why don't you go to vulnerability broker number one, get a hack which you then use against vulnerability broker number two to spy on their communications and all the vulnerabilities they are selling to other countries, and then you get all the rest of them for free?
CAROLE THERIAULT. Or why not appeal to smart security researchers and say, before you get into bed for the highest price, why don't you find out what the information that you're providing them is going to be used for and who it's going to be sold to?
GRAHAM CLULEY. I think once you've sold it to the likes of Zerodium, you know, it's up to them what they do with it. You don't have any control over it.
MARIA VARMAZIS. It's out in the world. It's out in the wild.
CAROLE THERIAULT. Yes, but you can choose before, you know, who you partner with. If you found an exploit, you don't have to, you're not necessarily in bed with one player the entire time.
GRAHAM CLULEY. Absolutely right. And I think a lot of security researchers would feel very uncomfortable selling their exploit even for $2 million. A lot of them would view it as an almost religious zealot-like thing. It was like, we have to tell the vendor.
CAROLE THERIAULT. And thank the Lord for that.
MARIA VARMAZIS. Ethical security researchers, yes.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. There are a lot of people who are going to go, $2 million is not enough, and I'm going to go elsewhere to find some cash.
CAROLE THERIAULT. Yeah, yeah, yeah.
MARIA VARMAZIS. So it's a thorny problem for sure.
CAROLE THERIAULT. I mean, all this said though, I think this industry of having bug bounty program marketplaces, not necessarily those that sell it to intelligence agencies, but actually help make, you know, security better and make services more secure. I think it's percolating and it's going to settle, and I think it's going to be an industry. You know, this certainly will prepare you well for a job in IT and cybersecurity if you start looking into bug bounties and how you can help companies make their security better.
GRAHAM CLULEY. I've had another evil thought. Imagine you worked at one of these big tech companies, and you heard that there's the possibility of making $2 million, and you could actually embed something, a bug, inside the code.
CAROLE THERIAULT. You're stealing this from that story you told about the— was it the lottery guy? I don't know who told it, but it was on the podcast a few months ago.
GRAHAM CLULEY. David Bitner, about the lottery.
MARIA VARMAZIS. You're lifting stuff from Bitner now, man.
GRAHAM CLULEY. I know.
CAROLE THERIAULT. But that was the same premise.
GRAHAM CLULEY. I'm just saying, with $2 million on offer or that kind of money on offer.
CAROLE THERIAULT. Chump change, Graham. Chump change.
MARIA VARMAZIS. Yeah, but after taxes.
GRAHAM CLULEY. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
MARIA VARMAZIS. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Definitely should not be.
GRAHAM CLULEY. And my pick of the week this week is not security-related. It is very simple.
MARIA VARMAZIS. Huzzah!
GRAHAM CLULEY. It's a website, and it's a website with a .bg domain. Bulgaria, I believe. But it's—
CAROLE THERIAULT. Belgium?
MARIA VARMAZIS. I thought—
CAROLE THERIAULT. Oh no, that's .be, isn't it?
GRAHAM CLULEY. Yeah, I think .bg is Bulgaria. I think, I don't know. But anyway, it's nothing Bulgarian. It is a website called remove.bg, and if you go to remove.bg, something magical happens. All you have to do is upload an image, a picture of a person, and remove.bg, better known as remove background, will remove the background. So it gives you a transparent PNG file or a GIF with just the person. So, Carole, if for instance I took a photograph of you or your loved one took a photograph of you and you had something embarrassing—
CAROLE THERIAULT. My loved one?
GRAHAM CLULEY. Have you just done it, Maria?
MARIA VARMAZIS. I just did. That actually worked. I gave it a really complicated photo with a lot of noise in it and stuff, and it did a great job.
GRAHAM CLULEY. It's pretty clever, isn't it?
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. I'm surprised that you slapped up a photo of yourself without checking the privacy policy, Maria.
GRAHAM CLULEY. Just uploaded a meme.
MARIA VARMAZIS. It's not a photo of me.
GRAHAM CLULEY. Oh.
MARIA VARMAZIS. Smart girl.
GRAHAM CLULEY. She's destroyed someone else's privacy.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So, Carole, this is the thing though. If someone took a photograph of you and you had something embarrassing on the—
CAROLE THERIAULT. Like you behind me.
GRAHAM CLULEY. On the mantel shelf behind you, you know, and you thought, I don't want that in the picture because people will laugh, then put it through remove.bg. You can do this kind of thing with Photoshop and other tools, of course. And normally I do. I have a specific tool for doing this on my computer, but then I came across this site and it's so easy.
CAROLE THERIAULT. Why is the picture on the home page of a girl with crazy hair? Oh, is that to show how amazing it is at cutting out the background with all the strands of hair? I understand.
MARIA VARMAZIS. Ah, this used to take so much time to do, like manually in Photoshop. This is amazing and always looks shit when I did it.
GRAHAM CLULEY. I remember you doing something like this with a picture of Hamster, because you wanted a hamster to appear in a teacup. Do you remember?
CAROLE THERIAULT. Oh yeah, that was, that was, that's about 20 years ago. Yes, it was when I first started working.
GRAHAM CLULEY. There was a virus, it was called Hamster or something like that. Oh my God. We wanted to, and it was a storm in a teacup. So you said, what we need is a picture of a hamster in a teacup.
CAROLE THERIAULT. And I said, there you are with the lasso tool in Photoshop 2.
MARIA VARMAZIS. 12 hours later, like there's jaggedy edges everywhere. And then you're like, what the hell is anti-aliasing? And then yeah.
GRAHAM CLULEY. There is a drawback with remove.bg, which is that it is not compatible with hamsters. I have tried. It only recognizes—
MARIA VARMAZIS. Feed me a hamster.
GRAHAM CLULEY. It only recognizes human faces. You could put a human face on a hamster and then it might work, of course. That is possible. So there you go. Remove.bg is my pick of the week. Thank you very much.
CAROLE THERIAULT. Not bad.
MARIA VARMAZIS. Not bad. Yeah, that was pretty cool. I like it. I'm adding that to my bookmarks. That's service-y.
GRAHAM CLULEY. Bookmark Maria. Maria, what's your pick of the week?
MARIA VARMAZIS. My pick of the week is a wee bit controversial, and—
CAROLE THERIAULT. Oh, that's refreshing.
MARIA VARMAZIS. Yeah, it's, it's something that everyone I know has been talking about since it came out, and I just— I— it's my pick of the week simply because I want to get us talking about it, and I really want to hear your thoughts. Okay, so my pick is the Marie Kondo show on Netflix called Tidying Up. And I will admit that I really enjoyed it. And I know a lot of people who hate it. And the reason I like it is because mess and clutter drive me insane. Marie Kondo, who is a Japanese organizational expert, she goes into people's houses and helps them get their stuff in order. She has a TV show all about her specific tidying up philosophy. So she goes to a lot of American homes in Southern California that are all extremely... and, and kind of prestiges a very gentle intervention to them and saying, let's just get your house a little more in order. Let's get rid of all the extra shit you don't need. She doesn't say it like that. She's much nicer than me. And, uh, and it's, it's, it's done in a way that's very respectful to the people as well as to their things.
CAROLE THERIAULT. She doesn't sit there and go, fire up the incinerator!
MARIA VARMAZIS. This is not like that. It's very, very gentle. And like, you always end an episode feeling really good about everything that's happened, for the most... And it's like the most— the only way I can think of it is like the Great British Bake Off is really popular in the States. And now we have our own version of it. It's like a very gentle reality show that is like a feel-good reality show where nobody's yelling at each other.
CAROLE THERIAULT. It's great.
GRAHAM CLULEY. So I saw you put this on the list. So last night, I realized you were going to speak about this. So I said to my wife, let's go and check out this TV show that Maria is going to talk about tomorrow.
CAROLE THERIAULT. Let's see if it's worthy of our time.
GRAHAM CLULEY. And my wife said, Marie Kondo. I said, yes, have you heard of her? And she said, oh yeah, we've got books of hers cluttering up our bookshelves. And so—
MARIA VARMAZIS. Missing the point. Yeah.
GRAHAM CLULEY. So we put on the show and I have to say the first episode I saw, I was thinking, what? I couldn't understand it because this couple had a house which I thought was perfectly tidy, had considerable storage space compared to mine.
MARIA VARMAZIS. Oh yeah, the houses are all enormous because they're all in Southern California. It was enormous. Yeah, I'm watching the show, I'm also American going, these houses are like 5 times the size of mine and they can't see their kitchen countertop. Meanwhile, like my house is probably the size of their bathroom. I mean, it's just like, I can't, I don't understand what they're cluttering up with.
GRAHAM CLULEY. The first house in the first episode, I thought, okay, they're kicking off the series, let's see how good it gets. It was like, this is hardly untidy at all. They had 2 young kids. And like you—
CAROLE THERIAULT. Graham, I've seen your office.
MARIA VARMAZIS. This is very revealing about you, Graham, but go on.
GRAHAM CLULEY. Yeah, crow, crow. I know you've seen my office. This is in order to dampen any echo that I have items around me. Okay. This—
CAROLE THERIAULT. Oh, of course. That's why it was like that 10 years ago as well.
MARIA VARMAZIS. It's for science. It's, it's actually for science.
CAROLE THERIAULT. Yeah. You were preparing for your podcast future.
GRAHAM CLULEY. But compare, but there are shows on in Britain and maybe you have them in the States as well, which are seriously about hoarding.
MARIA VARMAZIS. Yes.
GRAHAM CLULEY. Where you actually have to tunnel into the house past the milk bottles full of urine and the newspaper collection.
MARIA VARMAZIS. Yes. Oh, there's a lot of those in the States. I can't watch them, but yes, they exist.
GRAHAM CLULEY. So I was expecting some of that rather than this rather petite sort of gentle sort of Japanese woman who was, you know, hoping that clothes sparked joy and you had to be respectful to the clothes.
MARIA VARMAZIS. It's very Shinto. I love it. She was a Shinto shrine maiden before she started doing this. And like in Shinto, you believe that all objects have a spirit. So like that's where that comes from. I love it. I think it's great. I didn't—
CAROLE THERIAULT. Ooh, who's got the Japanese bugs as they travel?
MARIA VARMAZIS. I minored in Japanese in college.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. Like—
CAROLE THERIAULT. That's true. That's true. Sorry, I take it back.
GRAHAM CLULEY. I didn't dislike it. I just thought, couldn't they have found some people who had less tidy homes?
MARIA VARMAZIS. Have you watched the whole series?
GRAHAM CLULEY. They had— I've watched two episodes.
MARIA VARMAZIS. Okay, keep going.
GRAHAM CLULEY. And the second one, they did have a guy who had loads of baseball cards and a woman who had a huge mountain of ugly clothes. Clothes.
MARIA VARMAZIS. Yeah, I mean, that house was insanely cluttered. You didn't think that was that bad?
CAROLE THERIAULT. You thought it was normal?
MARIA VARMAZIS. I mean, that house is the size of like a football stadium and you couldn't see the floor. I don't know how much more cluttered you needed to get. I mean, they had an entire bathroom they couldn't find anymore. I mean, I cannot relate to that.
GRAHAM CLULEY. I just thought— I thought that when they had the before and after pictures, there should be more of a difference because it's like, oh, the before picture, oh look, now they've done it in moody black and white, and the after picture is in... It's like, it's hardly changed at all. It's like, could they have not added another 10 minutes to the program? They could have sent someone in to put up some new shelves or something like that.
MARIA VARMAZIS. It's not a home renovation.
GRAHAM CLULEY. Well, that's what it needed. I wanted that Japanese woman to knock up some shelves or something.
CAROLE THERIAULT. Okay, Marie Kondo, whose name you can't even remember.
MARIA VARMAZIS. Yeah, Marie Kondo. She's a Brazilian air, so, you know, I don't think she's mad about it. Yeah.
GRAHAM CLULEY. She's a Brazilian, is she?
MARIA VARMAZIS. Brazilian air, yes. She's got Brazilian air.
GRAHAM CLULEY. Maybe a billion Brazilians.
MARIA VARMAZIS. Yes.
GRAHAM CLULEY. Carole, what have you got for us?
CAROLE THERIAULT. So my pick of the week is a wonderfully told whodunit podcast series from New Hampshire Public Radio called Bear Brook. I listened to it during the Christmas hiatus and I loved it. So in 1985, the bodies of a young woman and a little girl are found in a barrel in the woods of Allenstown, New Hampshire. And 30 years later, the cops still hadn't identified—
GRAHAM CLULEY. Is this true? Is this a—
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Real story? Oh, right.
CAROLE THERIAULT. Yes. There's 6 episodes that tackle the murders from a variety of different standpoints. They talk to residents, they talk to cops, they talk to amateur detectives. There's a load of people that have been just obsessed with this whole case and trying to find out who these people are. So the podcast introduces you to a serial killer known as the Chameleon. And really, it totally blew my mind. I actually— I think I listened to all 6 episodes in a row. The case also led to massive changes in how murders will be investigated from now on. And that's a little teaser because it has something to do with the topics that we sometimes talk about.
GRAHAM CLULEY. Oh, go on, tell us. Go and give us a bit more of a hint than that.
CAROLE THERIAULT. I don't know if I can.
GRAHAM CLULEY. What? So is there something— is there something computer.
CAROLE THERIAULT. I don't know, just listen to it.
MARIA VARMAZIS. It's worth it.
CAROLE THERIAULT. It's worth it. There's something modern technology, and that has come in full force because of the internet, that plays a huge part in discovering who these people are.
MARIA VARMAZIS. Okay, it was DNA. Biometrics, maybe. Maybe you should listen.
CAROLE THERIAULT. Um, so all I want to say is hat tip to the Bear Brook team, uh, because I think it's just a great piece, a great production piece. I love it, and I want more of it. So well done, and you guys should check it out. It's worth the time. So that's Bear Brook from New Hampshire Public Radio.
GRAHAM CLULEY. Do they end up catching the chameleon or does he blend into the background?
CAROLE THERIAULT. Can you just— Yeah, they couldn't find him. Boom, boom.
MARIA VARMAZIS. Well, yeah.
GRAHAM CLULEY. On that piece of comedy gold, it's about time to wrap up the show for this week. Maria, I'm sure lots of listeners would love to follow you online. What's the best way for them to do that?
MARIA VARMAZIS. They can find me on Twitter. I'm still on there, haven't quit it yet. So, uh, @mvarmazis, find me there.
GRAHAM CLULEY. You won't find her on Facebook in February though. You can also follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And you can check out our online store if you're interested in getting t-shirts and mugs and things like that at smashingsecurity.com/store. And let me tell... We don't make a single cent out of our store because, well, I'd like to say it's because we're really generous, but the truth is we just don't fancy dealing with the tax man. So—
CAROLE THERIAULT. Thank you to all our listeners who listen to us every week. Thank you to our sponsors, LastPass and Recorded Future. And if you want to help us out, the best way you can do that is by telling your friends to listen to the show.
GRAHAM CLULEY. Fantastic. Okay, until next time. Cheerio. Bye-bye.
MARIA VARMAZIS. Bye. Happy New Year.
GRAHAM CLULEY. Happy New Year.
CAROLE THERIAULT. Now, Maria, I owe you an apology.
GRAHAM CLULEY. Oh?
CAROLE THERIAULT. Because my husband decided to watch it at The Good Place. Remember, I pooped?
MARIA VARMAZIS. You did, you did. Yeah.
CAROLE THERIAULT. And I have to admit, when he started watching it, I was like, oh, it's better than I thought. And I remembered that I did watch it, but very peripherally. I was doing some kind of project or something, so, you know, it was on, but I wasn't fully watching it. And I actually think I missed most of, uh, the plot. So I, I— so I wanted to say it is a good show, and you've got my thoughts.
MARIA VARMAZIS. Oh, I'm so glad to hear it. I really, I really enjoy it.
CAROLE THERIAULT. Thank you for watching.
MARIA VARMAZIS. Oh, you're very welcome. That makes me so happy. Thank you.
GRAHAM CLULEY. It's good to know that we can change our opinion sometimes, isn't it, Carole?
CAROLE THERIAULT. Yes, Graham, it is.
GRAHAM CLULEY. Any change of opinion on the red pill? Remember Michael Hucks's pick of the week? No, it's still rubbish, isn't it?
CAROLE THERIAULT. Still shit.