
135: Zombie grannies and unintended leaks


We take a bloodied baseball bat to Android malware, and debate the merits of a social media strike, as one of the team bites the bullet and buys a smart lock for the office.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Oli Skertchly.

Visit https://www.smashingsecurity.com/135 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Oli Skertchly.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



ROBOT. And as the auditor asked, who actually has access to this room? And I said, well, it's only me and the external IT support people and the guys who use it for storing video equipment, and the boss and the other director. And the man who fixes the photocopier. There was a bit of that, and the air conditioning guys. And because we work on a farm, I think that the farmer likes to store some of the winter feed in there. Cattle feed. Smashing Security, Episode 135: Zombie Grannies and Unintended Leaks, with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello. Hello and welcome to Smashing Security, episode 135. My name is Graham Cluley.


CAROLE THERIAULT. I've been waiting for this episode. I'm Carole Theriault.


GRAHAM CLULEY. Why have you been waiting for this episode?


CAROLE THERIAULT. I like the 135. I don't know, it sounds really like we're over 100. We're over 125. We're serious now, professional. We've made it.


GRAHAM CLULEY. Well, we know that we've made it because we've got a special guest, someone who's been a long term listener, but a first time caller to the show. It's Oli Skertchly. Hello, Oli.


OLI SKERTCHLY. Hello, Graham. Hello, Carole.


CAROLE THERIAULT. So Oli is a friend of mine. We've been friends, I don't know, a year or so. And when we hang out, we actually talk about things like GDPR. And we really do. We talk about stupid devices and gizmos and stuff. So we thought he'd be an excellent voice of reason in a world gone mad on all things cyber.


OLI SKERTCHLY. Thank you very much, Carole. Oh, I do happen also to have a career in IT as well.


CAROLE THERIAULT. Oh yeah, yeah, there's that too.


GRAHAM CLULEY. Oh, yadda yadda yadda.


CAROLE THERIAULT. Show off.


GRAHAM CLULEY. Everyone works in IT, Oli. Stop thinking you're so big and amazing because you do that. Jeez. Carole, what's coming up on the show this week?


CAROLE THERIAULT. Well, big thumbs up to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. On today's show, Graham contemplates old age and zombies and malware. Oli questions the smartness of some everyday IoT devices. And I'm gonna see if I can convince Mr. Cluley, Oli, and some of you listeners out there to change your social ways for a few days. All this and truckloads more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chaps, chaps, old people—


CAROLE THERIAULT. Like you.


GRAHAM CLULEY. Look, get used to it. Old people are pretty scary, aren't they? Don't you find them scary?


OLI SKERTCHLY. You are scary.


GRAHAM CLULEY. Well, I think old people are scary. The truth is, of course, that age is creeping up on all of us. It's lurking in the background, hidden in the corner of your eye. Every day, drip, drip, drip, you're getting closer.


CAROLE THERIAULT. Nah, nah, nah, nah. I'm never getting old.


GRAHAM CLULEY. What? Aren't you? Nah. Well, I believe it's hiding out there where you never want to look. It's the ultimate horror story. Each and every one of us is metamorphosizing into a cardigan-wearing version of ourselves.


CAROLE THERIAULT. Big word, Graham.


GRAHAM CLULEY. Wearing Crocs.


OLI SKERTCHLY. You should see the picture in Carole's attic.


GRAHAM CLULEY. Now I've been thinking about this recently because I had, I don't think I mentioned it on the show. I had a big birthday and— Was it 60?


CAROLE THERIAULT. Big 60?


GRAHAM CLULEY. I'm not going into details, but I've realised I have less years ahead of me than I do behind me. And the evidence is all there, right? I've got a landline in my house, which only old people have. I like nothing more than to take a bit of a nap. I don't think that's really—


OLI SKERTCHLY. The main—


GRAHAM CLULEY. No, but mid-show, mid-show even, Oli. You know, junker roll segment. I'm off.


OLI SKERTCHLY. So I can tell.


CAROLE THERIAULT. Oh, it's true. You better not today.


GRAHAM CLULEY. Now, thank goodness I don't have a Facebook account because if I did, that would really confirm that I was officially old. But I don't know if you've noticed, but there are an awful lot more old people out there than there used to be, which has led me to the conclusion that they're not dying off anymore. Right? In fact, maybe they are the living dead.


OLI SKERTCHLY. Oh God.


CAROLE THERIAULT. Okay, I'm really trying to see where you're going with this.


GRAHAM CLULEY. Well, I'm not the only person who finds old people scary, it seems, because many folks have played a—


CAROLE THERIAULT. What are you scared of, a wrinkle?


GRAHAM CLULEY. Well—


CAROLE THERIAULT. Gray hair?


GRAHAM CLULEY. What is it?


CAROLE THERIAULT. A slow walk?


GRAHAM CLULEY. They could choke me with a Werther's Original.


CAROLE THERIAULT. A Werther's Original.


GRAHAM CLULEY. Many folks have played a spooky 3D video game called Granny. Oh, okay. Now, you wake up in Granny.


CAROLE THERIAULT. In Granny.


GRAHAM CLULEY. Oh, we've all done that. Well, no, no, you wake up in the Granny game in a bed you don't remember, in a room you don't recognise.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Sound familiar?


CAROLE THERIAULT. Yes, very. Reminds me of my 20s.


GRAHAM CLULEY. And in this game, a crazy old granny carrying a bloodied baseball bat has locked you up in an old decrepit house. Okay, pretty spooky stuff. This is a 3D game which you can get for your computers and for your mobile device as well. Fun, fun, fun, eh?


CAROLE THERIAULT. Sounds fun so far.


GRAHAM CLULEY. Now this is a legitimate game, but the security experts at Wandera, mobile security company, they've discovered that someone has published an app in the official Google Play Android store called Scary Granny Zombie Mod: The Horror Game 2019. And this appears to be a modification or some sort of tinkering with the official Granny app.


CAROLE THERIAULT. So this isn't the legit app. This is a—


GRAHAM CLULEY. I think you can fairly safely say it is not the legitimate version of Granny. It's been downloaded 50,000 times.


CAROLE THERIAULT. This illegitimate one.


GRAHAM CLULEY. That's right.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And of course the app is malicious, otherwise I wouldn't be talking about it. That's the twist in the tale. It's a completely legitimate app. Oli, what's your story for us this week?


OLI SKERTCHLY. A twist to normality.


GRAHAM CLULEY. I like to keep people on their toes.


CAROLE THERIAULT. Great show. Great show.


GRAHAM CLULEY. No, no, no, no, no. It's a malicious app. It's a malicious app. But I thought it'd be interesting to describe how it is malicious. Maybe that would be helpful to people as well. So it does perform some dirty tricks upon installation. It's just—


CAROLE THERIAULT. So this is like I'm looking for the zombie granny game on my phone and I see this. And rather than downloading the legit one, I get duped into downloading this bad one.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Right. Okay. So this is what happens when the bad one's on your phone. Okay, go. Okay.


GRAHAM CLULEY. And so on installation, the game asks you to pay for the game or to do the free trial.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Now, most people on the first run are probably not gonna pay for the game, are they? They're gonna choose the free trial.


CAROLE THERIAULT. 99.9% probably. Right.


GRAHAM CLULEY. And that's the point where the game actually takes you to a payment page for about $22, which is pretty fucking expensive.


CAROLE THERIAULT. So when you select free, it opens up PayPal?


GRAHAM CLULEY. Free trial, yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Just, just in the hope that you're going to click through. Okay.


CAROLE THERIAULT. So that's a pretty big indicator that this is not all well.


GRAHAM CLULEY. That's one of the indicators.


OLI SKERTCHLY. £18 for a mobile game. Is that standard these days?


GRAHAM CLULEY. It's called reassuringly expensive.


CAROLE THERIAULT. Bit like Apple products.


GRAHAM CLULEY. There's so many games where you choose download for 99 cents and turn out to be rubbish. But this one is $22 or something like that.


OLI SKERTCHLY. What could possibly go wrong? You know, exactly.


GRAHAM CLULEY. Exactly. It's going to be fun. Now, when you run the free option of $22. When you run the app, it isn't instantly obvious that it's malicious.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Because it bides its time rather like an old person can take rather a long time in the shopping queue as they get their checkbook out.


CAROLE THERIAULT. Or getting to their point.


GRAHAM CLULEY. Exactly. Just like, get on with it, right? Just like they can do that. Similarly, the app takes quite a long time as well because at first it runs perfectly normally, right? It just runs, but it starts doing naughty things after a couple of days.


CAROLE THERIAULT. Now, that means, of course, by the time most people would be bored because they haven't done anything.


GRAHAM CLULEY. Well, no, no, no, no, no, no, no, no, no. It doesn't pause. It doesn't just say loading for two days or something like that. It doesn't have a pause screen. Okay, so does it.


OLI SKERTCHLY. Does it run the legit game?


GRAHAM CLULEY. It is running a version of the game, yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And according to the researchers, it's actually a whole load of fun. So for the first two days, you are having a blast.


CAROLE THERIAULT. Right? This is 18 quid well spent.


GRAHAM CLULEY. So you see, you're having a great old time. But it holds off its malicious activity for a couple of days. Now that means, of course, any security researcher who's taken a look at it probably isn't going to notice anything too suspicious. And indeed, Google's own vetting system, which allowed it into the App Store, may not notice the other dodgy stuff it does.


CAROLE THERIAULT. You know what? The researcher was probably blinking when the PayPal page came up. Maybe, right? Yeah.


GRAHAM CLULEY. I'm not sure if you're able to skip that. I imagine you're able to skip that. It's just like they're just taking a chance that maybe some people will choose to pay for it.


OLI SKERTCHLY. Is this an excuse for security researchers now to be playing every mobile game for at least two days before they issue their report.


GRAHAM CLULEY. In my experience, that is largely what they do anyway, is you go into a lab and they're just all sort of playing some sort of MMORPG or—


OLI SKERTCHLY. It's called research.


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. That's completely untrue, folks.


GRAHAM CLULEY. Now, not only does it wait a couple of days, but if you happen to be that very small number of people who are running the latest version of Android, good luck with that because most people find it very difficult to get their hands on the latest version of Android on their outdated devices, then it doesn't do any dodgy behavior at all. So again, if the researchers are using the latest version of Android, or if the testers have got an image of Android, which is completely up to date, then it's not going to display anything dodgy. But if what most people are running, which is older versions of Android, then they might see something suspicious.


OLI SKERTCHLY. Oh, that's very clever.


CAROLE THERIAULT. So basically it was downloaded 50,000 times, but does not necessarily mean that 50,000 people were infected.


GRAHAM CLULEY. Well, they might have been infected, but it may not be showing any actual consequences of the infection.


CAROLE THERIAULT. So no payload, you're infected, but okay. So let's get onto the payload.


GRAHAM CLULEY. Let's get onto some of the things which it does. So it's biding its time, as we say, but what does it actually do when it does trigger? Well, it displays a fake notification, sometimes inside the game and other times when you're just simply using your mobile phone, telling you to update Google security services. So it says, okay, you need to update Google Play and the services in order to carry on using your device. You say, oh yes, that's fine, click update because you've been taught security updates are important. Yep. And that takes you to a fake login page, a Google login page, which is going to ask you to reconfirm your username and password, of course.


CAROLE THERIAULT. Yep. And that would feel probably pretty legit to most people.


GRAHAM CLULEY. It would. Yeah, right. Because you're going to install a security update, you know, why wouldn't you be asked this? Now I've included in our notes there, which you can check out, a screenshot of that login page.


CAROLE THERIAULT. There's a quick giveaway there.


GRAHAM CLULEY. I wonder if you noticed the— it's highly convincing apart from one tiny little detail. Do you notice what that is?


CAROLE THERIAULT. Yeah, quite. Quite early on in looking at the picture, I spotted it.


OLI SKERTCHLY. Is it a new form of authentication?


GRAHAM CLULEY. Yeah. La la la la la la. Exactly. Rather than asking you to sign in, it asks you to sing in. So there's some voice biometrics here where you have to go, you know, sing your favorite song. Bird, bird, bird.


OLI SKERTCHLY. Bird is a word.


CAROLE THERIAULT. I think we're onto something. Songs as voice biometrics. TM Graham Cluley.


OLI SKERTCHLY. Power ballads.


GRAHAM CLULEY. Yeah. Oh God. I'm all about power ballads. Oh my goodness. That would be— Alone. Cher, Bonnie Tyler.


OLI SKERTCHLY. Jennifer Rush for me, please.


GRAHAM CLULEY. Thankfully, Carole, we're not going to get into any copyright trouble with the way you just sang that. I think. I think. So yes, it says singing rather than typing. Now, obviously the bad guys could fix that fairly easily, that little typo.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Some people might spot it and not enter that. But once it's grabbed your password, it will use that to steal your recovery emails, your birthday, your verification codes, cookies, and tokens, which could give hackers access to third-party apps and all kinds of other stuff as well.


CAROLE THERIAULT. That typo makes me doubt whether all the hoovering up of personal details would actually work seamlessly.


GRAHAM CLULEY. Well, that's in this version, and now we've publicized this in the podcast, of course, the bad guys are probably going to fix that typo, aren't they?


OLI SKERTCHLY. I do hope so, because it's just so embarrassing.


GRAHAM CLULEY. It is pretty shocking.


OLI SKERTCHLY. I feel sorry for them.


GRAHAM CLULEY. So they're grabbing passwords and they're also, of course, popping up all kinds of other ads while you're using your phone. But perhaps the sneakiest trick of all is the one which we alluded to earlier on, which is that the game actually works. And apparently it plays quite well. It's quite fun, according to Wandera, to run around the decrepit old house trying to find weapons to batter zombie grannies with.


OLI SKERTCHLY. You're trying to imply, Graham, that it's almost worth it.


CAROLE THERIAULT. Yeah, I know, it's a really weird angle.


OLI SKERTCHLY. I mean, you sacrifice a bit of your money and passwords and things.


CAROLE THERIAULT. What's wrong with you? Is this you being old? You just want all the kids to download malware? 'Cause you're threatened?


GRAHAM CLULEY. No, I'm just saying it's a sneaky trick that the thing actually darn well works.


CAROLE THERIAULT. So they obviously stole the code, right? The game code.


GRAHAM CLULEY. That's my guess, is that they stole the code and they adapted it and they added a few, you know, bits of nasty stuff. Now, Wandera have offered some tips on how to spot suspicious apps, which I thought might be worth reiterating for folks at home. One is look out for bad reviews and inconsistencies and poor user experience. You have to be careful though, because some of these malicious developers are devious and they submit false reviews to make an app look more popular than it really is. Another clue which can tip you off that something might be up to no good is overzealous advertising. By that, I don't just mean that it has an ad in the corner of the screen or something, but that they're popping up all the time. Indeed, with some of these apps, including this one, the ads will be appearing even when you're not running the app. Even when you restart your phone, you begin to get ads popping up, maybe while you're using Facebook or other things as well, which actually only begin after installing the Zombie Granny app.


CAROLE THERIAULT. But probably not right away, maybe 2 or 3 days later.


GRAHAM CLULEY. And look out for app permissions which are excessive, right? We've talked about this before.


CAROLE THERIAULT. You mean the T&Cs, that kind of thing?


GRAHAM CLULEY. Well, when you actually install an app on Android, it will give you a long list of all the permissions which it's asking for and things which it's asking to do. And as we've said on previous occasions, always be suspicious of those. If it seems to be asking for too much, it's like, well, why does it need to know this? Why does it need to have this particular privilege?


OLI SKERTCHLY. Access to my camera and my contacts and all my other apps, that kind of thing.


CAROLE THERIAULT. And it's really cool that they make that really obvious now upon installation, right? Because then you can kind of look and go, whoa, why do you want access to all this stuff?


GRAHAM CLULEY. Right. If you've got a relatively up-to-date version of Android, then it will give you warnings about that. And even if they're not up to something deliberately malicious with the app, if for instance they're accessing your address book and maybe uploading it to a server, maybe for some sort of social sharing facility, that's something I would also suggest being cautious of, because you don't know how secure those servers are and what else they might be planning to do with that data. So you need to treat those sorts of things with great care.


OLI SKERTCHLY. Well, of course we won't, we won't have read the T&Cs or the privacy policy.


GRAHAM CLULEY. Oh, good God, no.


CAROLE THERIAULT. Yeah. It seems I'm the only person in the world that does that.


GRAHAM CLULEY. So, and also social engineering. So if it's using manipulative practices, like taking you to the pay page after you've requested a free trial, then that should be something which begins to ring alarm bells in your head as to how this thing's been designed and whether it's truly professional or not. Now, the good news is the Zombie Granny has been eradicated now from the Google Play Store, but who knows what still lurks there? My suspicion is there are many, many— Old people. Yeah, many, many old people who frankly need to be—


CAROLE THERIAULT. Scare the shit out of you, it seems. Don't look in a mirror, man. Get some— you want to hide all that. Don't look in the pond. Might fall in.


GRAHAM CLULEY. Well, thank you. Oli, what story have you got for us this week?


OLI SKERTCHLY. Just imagine it's night. It could possibly be the daytime. I haven't quite decided. It's an optional thing. It's a choose your own adventure. You're close to home. You're running. Unlikely.


CAROLE THERIAULT. Graham running?


OLI SKERTCHLY. You're scared.


CAROLE THERIAULT. I'm picturing it right now.


OLI SKERTCHLY. Well, let's just say you're being chased. So you're moving. You're moving. Well, let's say you're being chased by some zombie granny with a baseball bat.


GRAHAM CLULEY. Right. Yes.


OLI SKERTCHLY. So you're probably moving about the same shuffling speed. Carole, you're Canadian, you're being chased by a bear.


CAROLE THERIAULT. Right, right.


OLI SKERTCHLY. That kind of thing. Anyway, you finally reach your front door.


GRAHAM CLULEY. Yes.


OLI SKERTCHLY. Your front door is locked.


CAROLE THERIAULT. Oh!


OLI SKERTCHLY. Absolute terror. You've got to get your key out of your pocket or your bag. You're fumbling around. You're pulling out your keys, your key ring. Your key ring's got 12 keys on it. It's got the key to your desk.


CAROLE THERIAULT. You're emptying the whole bag upside down onto the sidewalk.


OLI SKERTCHLY. Exactly. Oh my God. There's gonks on it. There's like, there's trolls. There's all— oh my God. There's the key to the bike lock that you haven't— you've lost 3 years ago. Eventually you manage to find your door key. You're scrabbling around near the lock 'cause you can't quite get it in.


CAROLE THERIAULT. You're dead is what you're saying.


OLI SKERTCHLY. Well, just before that terrible moment, you think to yourself, if only there was a simpler way to actually get in my own home so I could be safe, so I could not be beaten to death or hacked to pieces or—


GRAHAM CLULEY. It is a genuine concern. This is something which worries many people. Yeah. Is how they're going to escape zombies. I love the zombie theme we're having today. Yeah, and get into the house safely.


OLI SKERTCHLY. Quite exactly. You know, I know where you live, Graham. So, you know, this kind of thing is probably a nightmare for you and your family.


GRAHAM CLULEY. I think you're at the dodgier end of town than me, so I think it's more likely you're going to encounter them.


CAROLE THERIAULT. Okay.


OLI SKERTCHLY. All right, Graham, let's just say you're almost home, but you're absolutely busting for a wee, and the last thing you want to do is fumbling around in your pocket. And really what you want to have is—


CAROLE THERIAULT. What would the neighbours think if you whipped it outside in the front garden?


GRAHAM CLULEY. I don't want to use the letterbox.


OLI SKERTCHLY. I've done that before. So you want to be able to get into your house quickly and also preferably have some kind of pair of self-removing trousers or something like that. They don't exist just yet, but what does exist is the smart lock. Possibly today's most convenient and wonderful internet of thing.


GRAHAM CLULEY. Hmm, really?


CAROLE THERIAULT. Okay, tell us about it.


OLI SKERTCHLY. Well, can I just say, better than a fridge.


CAROLE THERIAULT. So, okay, but how would it work? How does that make my life easier at the door?


OLI SKERTCHLY. Well, with today's modern smart lock, you approach your door and you either type in a quick PIN, or you press your finger against it so it can read your fingerprint, or even it can sense your approach by connecting through Bluetooth to your phone. So the door literally flies open as you're—


GRAHAM CLULEY. Do people really do that?


OLI SKERTCHLY. So I'm led to believe.


GRAHAM CLULEY. So basically don't lose your phone. Right.


OLI SKERTCHLY. Okay.


CAROLE THERIAULT. My mum's car, not a smart car or anything, but you know, she can have the key fob in her pocket and she doesn't have to ever take it out. Right?


OLI SKERTCHLY. Exactly. I'm sure we will get to this later.


CAROLE THERIAULT. Okay. Okay. Okay.


OLI SKERTCHLY. But let's just say one lock you could buy is the Utech Ultralock UL3.


CAROLE THERIAULT. Sounds impressive. That sounds serious.


OLI SKERTCHLY. Oh my God. It's a very impressive thing. If you go to its Amazon page, you will discover it was developed as part of an Indiegogo startup.


CAROLE THERIAULT. Oh right, like a crowdfunder.


OLI SKERTCHLY. Crowdfunder. That's the kind of thing. And there's a little section, it says, about the startup. It says, give 3 words to describe the startup. It says, real keyless smart lock. You think that's— I think that's 4 words.


GRAHAM CLULEY. That's 4 words, yes.


OLI SKERTCHLY. So, you know, they're off to a good start, but instead of, let's say, making smart and lock one word, no, they've made real and keyless one word.


GRAHAM CLULEY. What? What? So—


OLI SKERTCHLY. It's realkeyless.


CAROLE THERIAULT. Realkeyless.


OLI SKERTCHLY. Realkeyless.


GRAHAM CLULEY. Ridiculous. Ridiculous, yes. Okay, so we've got this crowdfunded smart lock. All right, so it's the answer to all of your dreams. Fantastic.


OLI SKERTCHLY. Now, I've picked out this particular lock because it's recently had a thorough going over by Pentest Partners, who are a UK-based penetration testing company, and the lock has been found to have quite a severe set of vulnerabilities. No! I know, can you believe it? There are 4 main flaws.


CAROLE THERIAULT. Okay.


OLI SKERTCHLY. Firstly, the actual physical lock is easy to pick using a thin piece of metal that you can slide into the paperclip, the bits of casing, that kind of thing.


GRAHAM CLULEY. Like a key?


CAROLE THERIAULT. Funny, Graham.


GRAHAM CLULEY. Funny.


CAROLE THERIAULT. You still got it. You might be older, but you still got it.


GRAHAM CLULEY. Okay. So it's easy to pick, right? Okay. That's something.


OLI SKERTCHLY. You can apparently also trivially unlock it over Bluetooth. Obviously trivially in a, if you're familiar with Bluetooth low emission encryption sense of the word trivial.


GRAHAM CLULEY. Mm-hmm.


OLI SKERTCHLY. Using the API that the mobile app uses, basically from anywhere on the internet, you can reset the lock pin, locking the user out or allowing you to unlock their door.


GRAHAM CLULEY. Oh, so someone could potentially lock anybody else's door. Door and lock them out using the API.


CAROLE THERIAULT. Yeah, because you could change their PIN and then they can't get in if it requires a PIN to enter.


OLI SKERTCHLY. But also, using the mobile app API, which as it turned out had no server-side authentication at all, you can recover personal information data from any user's account, often enough to actually locate the building where the lock is.


CAROLE THERIAULT. You know, oh, for fuck's sake. I'm just so sick of devices that don't have baked-in security. Like, this is just abysmal.


GRAHAM CLULEY. In fact, it's Reliculous. Reliculous. That's what it is. Reliculous. Reliculous. Was that in The Princess Bride? No, it was inconceivable.


OLI SKERTCHLY. Okay.


GRAHAM CLULEY. Reliculous. Yeah. Okay.


OLI SKERTCHLY. Now, the good people of PTP let the lockmakers know about the API vulnerability. Yes.


CAROLE THERIAULT. Right.


OLI SKERTCHLY. And the Bluetooth vulnerability. And to their credit, the lockmakers have now fixed Oh, that's good. Well, they fixed the API vulnerability, but not the Bluetooth one. But also, they're not the only lock to have come up short on quality or expectations recently.


CAROLE THERIAULT. And so you're just saying, yeah, take a piss in the garden, Graham, is what you're saying.


GRAHAM CLULEY. I don't think— I don't know if that was the focus of what Oli's talking about, Carole, is my urinary habits.


CAROLE THERIAULT. No, but he set the story up very well, suggesting that you may have a toilet requirement, an urgent toilet requirement.


OLI SKERTCHLY. Why?


GRAHAM CLULEY. Why would it be me?


OLI SKERTCHLY. I am talking about myself just as much as Graham, just to defend him here.


GRAHAM CLULEY. Thank you.


OLI SKERTCHLY. You know, it's, you know, we're all men of a certain age. Well, not all of us.


CAROLE THERIAULT. I'm certainly not.


OLI SKERTCHLY. Everything starts to get a bit, you know, looser as we grow old.


CAROLE THERIAULT. But you're saying do not get one of these locks to help you get into the house faster.


OLI SKERTCHLY. No, what I'm saying is you have to ask yourself when you're thinking about a smart lock, what is the problem that I'm actually trying to solve? Because simply getting over the horrible inconvenience of using a key doesn't really apply to most people.


GRAHAM CLULEY. Well, here you go being negative about smart locks, but I think there are some good reasons to have smart locks actually.


CAROLE THERIAULT. Name one.


GRAHAM CLULEY. I'll tell you one. If you are in an office scenario, I don't know if you've ever set up smart locks inside your office, Oli, as soon as you're sort of in charge of security and things like that. But the problem is that you give keys to everybody, right? Everyone's got a key so they can get in and out. What happens when someone leaves the organization? They've still got the key. Do you have to go round and change all the locks physically, or can you use a smart lock and just reset the PIN to something else. Wouldn't that be handy?


OLI SKERTCHLY. That is an absolutely superb point. And may I say, I have bought myself a smart lock recently for work.


GRAHAM CLULEY. Is this because you've got a weak bladder or some other reason?


OLI SKERTCHLY. It's for my— it's for the server room where—


GRAHAM CLULEY. that's not really where I would recommend to do it.


CAROLE THERIAULT. Definitely not in the fans.


OLI SKERTCHLY. I have a bucket in there. So it turns out that when you sign a data processing agreement with clients and it says on it, we reserve the rights to audit your premises for IT security and GDPR, then they actually mean it. And one of our clients did send the auditors in.


GRAHAM CLULEY. Oh, you poor sod. How horrible for you.


OLI SKERTCHLY. It was a valuable learning experience for all of us.


CAROLE THERIAULT. What was the big takeaway for you when that happened? Like, you must have been shitting yourself.


GRAHAM CLULEY. Well, we've already covered that, I think.


OLI SKERTCHLY. It's a good thing I had the bucket.


CAROLE THERIAULT. This is getting scary.


OLI SKERTCHLY. The big takeaway was don't worry too much about it. Everybody, you know, fucks up on something, but if you think you're doing all right, you're probably okay. You know, since GDPR, where we've all had to go in a bit of a panic about the data that we process, I think most people these days, hopefully, are a bit more at least aware of the kinds of things that they need to polish up on before somebody did send some auditors round.


GRAHAM CLULEY. So did you have a smart lock in place on your server room before the GDPR audit?


OLI SKERTCHLY. No, we did not.


GRAHAM CLULEY. Right.


OLI SKERTCHLY. And as the auditor asked, who actually has access to this room? And I said, well, it's only me and the external IT support people and the guys who use it for storing video equipment.


CAROLE THERIAULT. Right.


OLI SKERTCHLY. And the boss and the other director. And the man who fixes the photocopier. There was a bit of that. And the air conditioning guys. And because we work on a farm, I think that the farmer likes to store some of the winter feed in there.


GRAHAM CLULEY. A couple of sheep.


CAROLE THERIAULT. Yeah, exactly.


OLI SKERTCHLY. There was a, there's a very small chicken door for the chickens to go in and out. So, so he said, well, maybe just in case somebody does go into the server room and help themselves to all the floppy disks and punch cards and all of the fancy IT tech that you've got in there.


CAROLE THERIAULT. Yeah.


OLI SKERTCHLY. Maybe you should get yourself one of these smart locks.


CAROLE THERIAULT. Right.


OLI SKERTCHLY. And so I've done that.


GRAHAM CLULEY. But are you pleased? Do you feel now that you're more secure as a result or not?


OLI SKERTCHLY. I feel empowered, because now finally I am the one who can see who's going in and out. And of course now I can restrict it to as few people as possible. But it did take a certain amount of research to—


CAROLE THERIAULT. Not get a dud lock.


OLI SKERTCHLY. To not find something that was completely shit and was gonna fly open every time a fly buzzed past it.


CAROLE THERIAULT. Yeah, so there's an argument for inside businesses then, I guess.


OLI SKERTCHLY. Well, there are many other reasons, I'm sure, in many other secure locations, but I know I know that certain people are buying these locks to have on their guest homes, their holiday lets, their Airbnbs, so they don't need to be there to meet the guests or tell them that the key's under the mat or something like that. But when, but when, but when something does go wrong, then suddenly you've got people standing out in the cold and that's not a 5-star review.


GRAHAM CLULEY. And I think that just happened recently, didn't it, with one of these cloud-based locks where lots of people were locked out.


CAROLE THERIAULT. It was a Google service that went down, didn't it?


GRAHAM CLULEY. Was it?


CAROLE THERIAULT. Yeah, I think it was the Nest services. Yeah, Nest services went down and people couldn't get in or out. But it is serious. So I'm in Canada, right? And it's been crazy weather here. And we had a serious storm in Ottawa the day before Canada Day. Serious storm. Like, the power went out for an hour. And so the next day, I was driving with the cabbie. And I was talking about the storm. And he said, well, look, my day job is at an old age home. And when the power went out, all the doors unlocked. So there's patients that are really sick. They were wandering around in the dark halls everywhere.


GRAHAM CLULEY. Oh my god. With baseball bats.


CAROLE THERIAULT. Oh my god, yes, it's all Tyson. And because there was not very much staff on, because it's a big holiday weekend. So it was a real nightmare. So it only took an hour, but they were really freaking out.


GRAHAM CLULEY. Yeah, he'd have to herd them all up, wouldn't he?


OLI SKERTCHLY. So it was a holiday weekend and all the staff went home and just locked the old people in.


GRAHAM CLULEY. That's what it sounds like now.


OLI SKERTCHLY. And then the doors all unlocked themselves and they were rampaging with their baseball bats.


CAROLE THERIAULT. Yeah, I'm changing my mind, Graham. I think I understand why you're afraid now. Oh, good God.


GRAHAM CLULEY. Kroll, what's your story for us this week?


CAROLE THERIAULT. Okay, so this morning, okay, a beautiful morning this morning, I get a text message from my Croatian friend named Andy. Okay, no words, just a link. And I've shared the link with you guys so that you can take a click and describe it. Okay.


GRAHAM CLULEY. So I'm looking at a rather cute cat who appears to be playing the flute.


OLI SKERTCHLY. Is that a six-legged cat?


GRAHAM CLULEY. What's that then? A cartoon flute.


CAROLE THERIAULT. So, you know, when your cat just stares at you because it wants something, but it doesn't obviously move, they've kind of put little cute little hands, little— it's just a cute little meme, right? And this is what social media basically means to me. It's a few random fun memes that gives you a moment of something, a little giggle. And like, I never post, as most of you know, and I never read anything unless someone emails me or sends me a text message with a link, and then I'll go in. But it seems I'm unusual, because Graham, you are what I would call an avid user of Twitter.


GRAHAM CLULEY. I quite like Twitter, yeah. I enjoy Twitter.


CAROLE THERIAULT. Yeah. And Oli, are you on social media, or do you— Well—


GRAHAM CLULEY. Oh, a pause. No.


CAROLE THERIAULT. Oh.


OLI SKERTCHLY. I missed the Facebook boat, and I'm delighted about it. And I haven't quite managed to tweet, though I have several Twitter accounts. And I have an Instagram account, and I have a few followers, but I've never posted anything.


GRAHAM CLULEY. Are you not on anything else? You're not on Pornhub or anything like that? Or it's—


OLI SKERTCHLY. well, I don't, I don't consider that social media myself.


GRAHAM CLULEY. Okay, right, okay, all right, right, okay, yeah, right.


CAROLE THERIAULT. For the handful of listeners that treat social media as I do, with disdain, there are thousands and thousands of you out there who are much more like Graham here. Not looks, obviously, or age, but more probably, you're probably more likely to be actively managing one or more social media accounts, such as Twitter, Facebook, LinkedIn, Insta, and all that. And so this story is for you guys, you dirty social media whores.


GRAHAM CLULEY. That's a bit of a— that's a bit of a jump, wasn't it? Now you're calling us whores.


OLI SKERTCHLY. I agree, I agree, Carole. They're all whores.


CAROLE THERIAULT. No, no, but this is all— this centers around a call to action to strike against social media. And this social media strike, a declaration of digital independence they've called it is scheduled to kick off on Thursday this week, July 4th, Independence Day.


GRAHAM CLULEY. Happy Independence Day. Although presumably a lot of people won't actually be using social media as much on July 4th if they're American, or maybe they will be telling distant family members happy Independence Day, whatever it is.


CAROLE THERIAULT. I don't know. Lots of people would take pictures of, you know, their burger and put them on the line. We're having so much fun over here, but it's more fun here than where you are. Pictures.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So I wanted to kind of share the social media strikes' main gist and see whether this movement can count on you, Mr. Cluley and Skertchly. Is that right? Skertchly. Your name's harder than mine.


OLI SKERTCHLY. Pronounce it however you like.


GRAHAM CLULEY. Please know what the name of our guest is. Give him that respect at least.


OLI SKERTCHLY. It's clearly made.


GRAHAM CLULEY. He's your friend.


CAROLE THERIAULT. So I want to see if you guys are going to support this or not.


OLI SKERTCHLY. Not.


CAROLE THERIAULT. Okay, so let's just first talk email. Okay, each of us own the content of our email. So if, for example, you decided— if you use Gmail and you decide Gmail was no longer for you and you wanted to move to another service, you, the user and owner of the content, could collect all your messages and shove it into a new email service.


OLI SKERTCHLY. Thank you, GDPR.


CAROLE THERIAULT. Well, I don't even think it was that. I think you could always do that. You could move from, say, Gmail to Proton, and that'd be fine. That would work. Now, the same goes for websites and blogs and podcasts and text messages. You could choose to export that content and use another service provider. But this is not the case when it comes to some of the social media players. Seems like giants like Twitter and Facebook have a firm grip on its users' short and curlies effectively. Not only do they provide the actual platform, but they also have a stronghold on your, or fistful of your content.


OLI SKERTCHLY. Nice.


CAROLE THERIAULT. So for example, Graham, all your tweets, you couldn't just kind of go, I've had enough of Twitter, I'm just going to take my content and move it to a new platform, to a new service provider. You would have—


GRAHAM CLULEY. I wouldn't really want to move old tweets there, would I? I mean, would they really think about Facebook?


CAROLE THERIAULT. Some people have kind of recorded their whole kids' lives on it, or their marriages and all that stuff. You know, maybe they don't have the original pictures anymore because they lost—


GRAHAM CLULEY. but you can download your archive, can't you? You can download your old ones. It's just you haven't necessarily got anywhere where you can upload them to again easily.


OLI SKERTCHLY. Easily.


GRAHAM CLULEY. Yeah. Right.


CAROLE THERIAULT. Okay. Effectively, I guess the issue is whether or not it's important to you to have your old tweets, are you the owner of said content and are you in control of that content? I mean, come on, you have all those Piers Morgan, you know, your Piers Morgan pissing contests and all that. You wouldn't want to lose that.


GRAHAM CLULEY. I've never had an actual pissing contest with Piers Morgan. In fact, I've never had a pissing contest with anyone as far as I know, other than Oli earlier on in this podcast.


OLI SKERTCHLY. It was great.


CAROLE THERIAULT. Right, so the question here is that the strikers are asking all of us is, shouldn't social media providers provide a neutral, fully interoperable service which would allow you to import and export your content at will? So the idea is to decentralize social data, and for this to happen, that means the social media giants and all the services must agree on a common universal set of standards and protocols. And that's kind of the issue. They kind of built them all in silos originally, not working together and not making a universal set of standards that they all agreed upon. In principle, do you think it would be useful if they used a common universal set of standards? So if we could get people like Twitter and Facebook to agree—


OLI SKERTCHLY. I think it sounds like something that the lawyers really wouldn't be very keen on.


GRAHAM CLULEY. Oh, I'm sure.


CAROLE THERIAULT. And this is why there's this whole strike. So this, this, let me just go back a second. This whole strike idea came from someone quite interesting. This is Larry Sanger. That name ring a bell, Graham?


GRAHAM CLULEY. To you? No.


CAROLE THERIAULT. So he's one of the contributors and maybe arguably a founder of the Wikipedia project.


GRAHAM CLULEY. Oh, okay. I know Jimmy Wales. Yes.


CAROLE THERIAULT. But, okay.


GRAHAM CLULEY. So he's one of his buddies, right?


CAROLE THERIAULT. Well, not anymore. We'll get to that in a second. So now he's the CIO of Everipedia, which is very similar to Wikipedia, but it kind of boasts that it has a blockchain and crypto elements. Everipedia, interestingly, also seems to have some social media elements. So this might be the personal driver behind this campaign. Maybe Everipedia is experiencing some growth issues because of Facebook's Twitter stronghold and they want more interoperability in order to grow their platform. Anyway, just an interesting on his blog. So if you go to Larry— I always call him Sanger, so don't stop me. Sanger, I know, right? Not—


GRAHAM CLULEY. that'd be much better.


CAROLE THERIAULT. So what they're asking is that you not post anything on social media on Thursday, July 4th, Independence Day, and the day after, the 5th, unless it's in direct support of this social media strike, right? So that means declare that we're on strike using the hashtag Social media strike, blah blah blah. You can point to the copy of the Declaration of Digital Independence. Yes, that's right, there is a Declaration of Digital Independence that they pulled together, which has all the principles of decentralized social networks. I put a link in the show notes. I've read it, sounds pretty cool to me.


GRAHAM CLULEY. I just think this is a bit weird, isn't it? I mean, if you're not happy with the way Facebook and Twitter work, then quit Facebook and Twitter and go to a service which you do like the way it works. And there are an increasing number of sort of federated social networking services, which give you more control over your data and allow you to move it from place to place rather than it being with one company.


CAROLE THERIAULT. I don't think you're thinking about this as— so let's say, for example, you have, you know, a lot of followers, say on Twitter.


OLI SKERTCHLY. Right.


CAROLE THERIAULT. And let's say you start getting really pissed off with the way Twitter is handling certain things. And you think, you know what, I've had enough. The same way that happened with Facebook.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I don't think you would walk away. If you had the option to actually transfer those followers and some or whatever of the content to another supplier, easy peasy, I think you would choose that over just dumping it all. And we've had those arguments before when we've had to do that in the work world.


GRAHAM CLULEY. Well, I think most of these services now give you an ability to download the data. I don't see what the incentive is for them, or the business case there is for them, to allow people to sort of populate or to work alongside the likes of Facebook or other services more closely so that this data can be easily exchanged.


CAROLE THERIAULT. Do you think blogs and websites should work like this? Do you think if you have, for example, a WordPress blog, you should not be able to, you know, choose a different supplier and make, you know, and port over your content?


GRAHAM CLULEY. Well, I can do. I can do.


CAROLE THERIAULT. Of course you can.


GRAHAM CLULEY. Because I can download my data. Yes, but what—


CAROLE THERIAULT. It's the universal protocol.


GRAHAM CLULEY. Well, but why have you decided that Facebook and Twitter and Instagram are doing the same thing? They're not doing the same thing. They're doing different things. And they have— or YouTube— they're focused around different elements, whereas a blog is a blog. It's something which has an article and a headline and links in it. You know, it's— they're more comparable to take the data from place to place.


OLI SKERTCHLY. I guess we're coming to the idea that you can't unilaterally move off Facebook. So people tend to be stuck on Facebook because that's where everybody else is. And you could say, well, I'm going to take away all my content and I'm going to take away this, do this, and I'm going to publish all my Facebook content on a WordPress site. And that's how I'm going to give all my updates. But then you're not taking part in that community. And the same with Twitter, the same with all of these other things. You're part of that siloed community. So unless they bring those communities together in some special way, you're forced to stay within that single community because going away then means that somebody, for example, you Graham, if you moved on to Mastodon, the idea of taking all of your loyal followers over to that as well whilst they're still on Twitter because they want to follow other people, it's just not going to happen. It's not realistic.


CAROLE THERIAULT. I get that we've accepted that that's how it works. The idea of this whole strike is to put that into question. Like, do you think they should pay attention and figure out a way to work better together so that we can have better ownership and better interoperability so that we can port or delete or whatever with our data. And I think it sounds like a great idea. Now, how they're going about it though, the idea of the strike is that no one posts anything, although I was guessing you can sit there and read the feed of it saying we're on strike. That's the only thing they want you to post. And the idea would be, isn't— wouldn't it be amazing if on Facebook and Twitter all you could read were, hey, support this, support this strike. There's a lot of press on it, though. So it's going to be interesting to see whether this guy, Landy Sanger, is able to pull it off.


GRAHAM CLULEY. Landy?


CAROLE THERIAULT. Landy Sanger.


GRAHAM CLULEY. Larry.


CAROLE THERIAULT. I see I'm going to say Larry Sanders again. Larry Sanger.


OLI SKERTCHLY. It's okay when people get your name wrong, especially if they're really difficult, complicated ones.


CAROLE THERIAULT. On the site, so this is on Larry's site. There's some controversial bits also, because he sort of says, strikers will start calling out scabs for posting when they should be striking.


GRAHAM CLULEY. Scabs?


OLI SKERTCHLY. Yeah, I'm not— I wasn't really sure about that.


CAROLE THERIAULT. So effectively, if Graham, on July 4th, you decide, well, I don't care, and you put out, hey, we've just put out our new episode.


GRAHAM CLULEY. Yeah, that's exactly what I'm going to do on Thursday morning. I'm going to be tweeting that people can listen to this ruddy podcast.


CAROLE THERIAULT. That's what I'm going to do. And if you get trolled, trolled, right, by some of these people that feel that you should be on strike, how are you going to handle that? He's also suggesting they create a strike bot, which I find not very nice. And organizing—


GRAHAM CLULEY. Oh, what, to automatically abuse people who happen to be— Yes. Well, I just think these are horrible people. I know, I agree. I am totally against this now, if that's what he's proposing. I think that's quite—


OLI SKERTCHLY. Well, I do quite like the idea that the social media sites will reach a level of maturity where they've made so much money that they just think, well, hey, why not just give more people more power and ownership over their data in the way that Tim Berners-Lee wants us all to have? And let's all work together and let's move forward into a beautiful future, singing and smiling together and walking into the rainbow. I think it's the stockholders and the lawyers who will probably have more to say about this than anything else.


CAROLE THERIAULT. The thing is, I agree with the principles of it as well. So I've read them, I like them, I think it makes sense. The issue I have is actually with this guy Larry himself. He has on his own website— okay, so, so everywhere in the press right now, you know, he's basically banking his fame on, you know, his years at Wikipedia, right? So lots of the titles you'll see in the press are ex-Wikipedia founder and this kind of stuff. And of course, most of us— or I don't know, maybe I'm talking out of my, you know what— but most of us kind of assume Jimmy Wales, as you said, Graham, is the, is the Wikipedia main— He's certainly been the most high-profile person, hasn't he? Right. So this is on Larry's website. Just listen to this quote. I was far more active than he was in the first 14 months of the project. And my influence in the community in terms of organizational work, general policy, blah, blah, blah, blah, was far greater than his. I point to my memoir. I'd also like to point out that Jimmy Wales has written no similar memoir, because he really did not do very much in the community. To write about. So there's a lot of bitterness there.


GRAHAM CLULEY. You don't say.


CAROLE THERIAULT. Yeah. What's annoying about this for me is you have to like both. You have to like the policies and you have to like the person who is trying to get the argument going. And my research in this made me think, I don't like the idea of yelling at people that don't want to take part.


OLI SKERTCHLY. I think encouraging people to be trolls just because Yeah, they don't agree with you. See, this is the kind of thing that kind of thing that sort of starts to put me off social media. I may have to stop.


GRAHAM CLULEY. I think there's a lot of people who don't like the founder of Facebook. They don't like the founder of Twitter sometimes, but sometimes they find these services useful. If you feel really strongly that you don't want to be part of them, there are alternatives out there where you have more control over your data and your data isn't being held by one corporation. It's called the Fediverse. Um, go and check it out. Yes, of course it can be a pain building up a community again or getting your pals to join you. But I think you probably are better off starting that sooner rather than later, rather than hoping that the existing social media giants do what you want them to do, because I don't think they're going to do it.


OLI SKERTCHLY. But I also think that no matter how much we talk about it and stroke our beards and say what we think is going to be right—


GRAHAM CLULEY. I'm not stroking my— I don't have a beard, Kroll. What about you? Who's he talking about here?


OLI SKERTCHLY. Okay. Neither do I.


CAROLE THERIAULT. Don't quit your day job.


OLI SKERTCHLY. Carole could grow a beard quicker than I can.


CAROLE THERIAULT. Hey, Graham.


OLI SKERTCHLY. Yes.


CAROLE THERIAULT. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employee keys. Check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing. We also are sponsored by MetaCompliance.


GRAHAM CLULEY. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training— Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.


CAROLE THERIAULT. And best thing, it's not boring.


GRAHAM CLULEY. No, not boring at all. You learn everything: GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.


CAROLE THERIAULT. And with a show.


GRAHAM CLULEY. And welcome back, and you join us, our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


OLI SKERTCHLY. Oh, Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. And my Pick of the Week this week is not security-related. I wonder if you can cast yourself back in time 50 years to July 1969.


CAROLE THERIAULT. I didn't exist then. What was it like, Graham?


GRAHAM CLULEY. Well, it was a momentous time, Carole, because Apollo—


CAROLE THERIAULT. Beep!


GRAHAM CLULEY. Because Apollo 11 was landing on the moon, of course. The incredible Apollo—


CAROLE THERIAULT. Do you remember that?


GRAHAM CLULEY. I don't know. No, no, no. I do remember some of the Apollo missions, but not Apollo 11. I was a little bit too young for that. But Apollo 11, of course, took place around about 50 years ago, sometime in July, wasn't it, when they landed? And I have found a tremendous website called ApolloInRealTime.org, and I checked this out the other day, and it is an interactive presentation of the first mission to land on the moon as it actually happened. And there's a timeline where you can go through the entire mission. Some days, of course. And you can hear the radio chatter, you can see pictures scroll by, you can see video footage, you can scrub along very quickly to the relevant part of the mission that you want to watch. Maybe you want to watch the launch or the landing or the first steps on the moon or when President Nixon rings them up. You see a transcript of all the chatter which is going on between Tranquility Base and—


CAROLE THERIAULT. Say no more! I think everyone's sold already. It's super cool.


OLI SKERTCHLY. 15,000 searchable utterances.


GRAHAM CLULEY. Yeah, you go. Wow. And it's quite fascinating. There is, I believe, a documentary which has just come out on CNN. I haven't seen it yet, but I believe it's going to be coming to our cinema screens very soon here in the UK as well. All about Apollo 11, which has taken reconstructed footage of—


OLI SKERTCHLY. So they've reconstructed the mission?


GRAHAM CLULEY. Yeah, well, no, they haven't done it for real.


CAROLE THERIAULT. That would be a feat.


GRAHAM CLULEY. Anyway, I love this kind of stuff, and I had a great old time checking it out. An incredible historic document at apolloinrealtime.org. Go and check it out.


CAROLE THERIAULT. I'm very busy, dear, or we'll make it for dinner.


GRAHAM CLULEY. You know, I kind of like this sort of thing. And it is a very well-put-together website. It's astonishing.


CAROLE THERIAULT. Cool. Okay, I'll go and check that out. Great. Good pick of the week, Luke.


GRAHAM CLULEY. Thank you very much. Oli, what's your pick of Pick of the week?


OLI SKERTCHLY. My pick of the week is series on Netflix, a gentle tale of the intertwined relationships between four families, a hint of spooky goings-on, a dash of adventure, and quite a hefty helping of child kidnap and murder.


GRAHAM CLULEY. Lovely.


OLI SKERTCHLY. I'm not, of course, talking about the new series of Stranger Things, but series 2 of Dark.


CAROLE THERIAULT. Oh, of course you are. I've watched some of this.


GRAHAM CLULEY. I know this. This is a drama, is it?


OLI SKERTCHLY. Drama, documentary or something? It's a, yeah, drama. Not a comedy, not a documentary. It's a, it's from Germany.


CAROLE THERIAULT. So it's dubbed really well. So it's not just, we, oh, I've watched it dubbed.


GRAHAM CLULEY. It's dubbed. It's dubbed.


OLI SKERTCHLY. Well, you say that it's, you say, you know, you say, you say that it's dubbed. And a friend of mine at work said, oh, I liked it, but it was a bit dubbed. And I thought, well, not after I'd pressed the subtitles button and went to the subtitles and had German audio. So I think you've got a— there's a choice. There's a choice of audiovisual.


CAROLE THERIAULT. I love the dubness though.


GRAHAM CLULEY. I didn't know they still dubbed things. I just assumed they always—


CAROLE THERIAULT. Oh no, Graham, there's this really new cool game we play in our house, right? So you turn on, you watch a dubbed film, right? So you're listening to whoever's translated, but you also turn on on what's it called, the text? Yes, it's called the subtitles. And it's different translators that do both of them. And there's a really cool meta experience because sometimes one of the translators is in a shitty mood, so you're much more sweary than the other one. And sometimes they're much more authoritative, and you can spot all these crazy inconsistencies. And it makes watching things that might be vaguely more for your partner than for you much more fun to watch.


GRAHAM CLULEY. I see. I was about to say, why don't you just stop watching this rubbish. Yeah, that's what you're having to do. But okay, it's because you're sharing the viewing experience. Fair enough.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Brilliant.


OLI SKERTCHLY. Well, you've just told me how to make all TV more exciting. But getting back to Dark, the reason I absolutely love this series, and I think it may be because it's German, whenever they open up one of these mysteries or questions, they do gradually start to answer the mysteries and questions later. It doesn't turn into another Lost or program like that where you just end up with a whole bunch of—


GRAHAM CLULEY. And you're frustrated because you realize at some point they're never ever going to explain this to myself.


OLI SKERTCHLY. And then eventually—


CAROLE THERIAULT. and you're like, damn you, I've given you hours of my life.


OLI SKERTCHLY. Exactly. But with this one, this one, you kind of know that they are going to get around to that. I mean, obviously they've, at the end of the first series, they've, they closed enough of the questions, but not too many to leave it open for series 2. And I've just started watching season 2 and I've realized that I need to probably watch the second half of series 1 again to try and work out what's going on. But I'm enjoying every second of it.


CAROLE THERIAULT. It's complicated.


OLI SKERTCHLY. Oh yeah. But it's, it's worth it. It's worth every second because you know you're actually gonna get your money's worth out of it.


GRAHAM CLULEY. Oh, and that's called Dark.


OLI SKERTCHLY. That's called Dark, and that's on Netflix.


GRAHAM CLULEY. Marvelous.


CAROLE THERIAULT. I recommend it too. Thumbs up for me as well.


GRAHAM CLULEY. Hmm.


CAROLE THERIAULT. Especially with subtitles and, uh, so dub and sub.


OLI SKERTCHLY. Yeah. Yep. Definitely.


CAROLE THERIAULT. Enjoy. You're welcome.


GRAHAM CLULEY. Crow, what's your pick of the week?


CAROLE THERIAULT. Okay. It's a bit of a weird pick of the week.


GRAHAM CLULEY. Oh, what a surprise. Totally.


CAROLE THERIAULT. I don't think we've ever done anything like this before.


OLI SKERTCHLY. Okay.


CAROLE THERIAULT. It's been really hot around here, right? And I know in the UK there's been a bit of a heat wave, and Europe, the States— anyway, right? So everyone's probably suffering the same annoying thing that I have, unless of course you have air conditioning, and that is hot pillow syndrome.


OLI SKERTCHLY. Oh my God, oh my God.


CAROLE THERIAULT. Do you know when you like, you're lying in bed and you're like, okay, oh, it's hot, I'm gonna flip my pillow over, and you get the cool side, and that's really nice? But if you do it too often, or if it's really hot out, you do it and it's hot on both sides. And that is like the worst. Even if you make your pillow into a quadrant and you have like 4 designated areas that you try not to overlap to make sure you always have a cool bit coming. I seriously do this.


OLI SKERTCHLY. Oh yeah. And yeah, totally with you on this. You don't know what I'm talking about.


GRAHAM CLULEY. I've got no idea what you guys are talking about. I've never experienced this.


CAROLE THERIAULT. Really?


OLI SKERTCHLY. You don't get hot pillow, hot head?


GRAHAM CLULEY. I don't move my pillow. Why would I move my pillow? My pillow is fine.


CAROLE THERIAULT. Okay, well, anyone who's tweeting on the day that they shouldn't be tweeting, let us know if you're of the cold cold or non-cold.


OLI SKERTCHLY. This is the one exception.


GRAHAM CLULEY. I leave the window open to keep it—


CAROLE THERIAULT. no, no, it's the pillow. It's not about the air, it's about your pillow, the hot side. I sleep on my ear, maybe that's why I sleep on my side. Anyway, okay, I was complaining about this and started Googling, seeing how many other people complain. There's a lot of people that complain about this, right? And people started recommending this thing called the Chillow. Now, totally love the name, right? You gotta love the name. It's great. Great name.


OLI SKERTCHLY. Yeah.


CAROLE THERIAULT. And the idea is that there's like this cool gel pad something inside, right? And people were swearing by it on this certain feed I was reading. Okay. So during my search of the Chillow, I end up of course on amazon.com, right, to check out some reviews. And they have like 1,000+ reviews but 3 out of 5 stars, right? 26% gave it a 1-star rating.


GRAHAM CLULEY. Oh dear.


CAROLE THERIAULT. So I was a little— I was like, oh. So here are a few of my favorites. Right? So we followed the instructions and the Chillow was cool at first. However, it got hotter and more uncomfortable through the night. By the end of the night, I was perspiring even more than I had before. The Chillow was like putting a piece of plastic over the pillow and turning the heat up to 100 degrees.


GRAHAM CLULEY. I don't recommend doing that. That would—


CAROLE THERIAULT. Apparently the Chillow has like, you have to fill it with water and apparently the cap isn't secure and loads of people were talking about leakage inside their bodies.


GRAHAM CLULEY. I have used that excuse from time to time. It's the Chillow, darling.


CAROLE THERIAULT. And the product— another one was the product was dismal at best. I was expecting better quality. I followed the instructions to the letter and ended up leaking and getting warm and staying warm when it was used by either me or my husband. Total waste of money.


OLI SKERTCHLY. It leaks warm water all over my crotch.


CAROLE THERIAULT. So okay, so that was going to be my pick of the week.


GRAHAM CLULEY. Until you realised it was rubbish.


CAROLE THERIAULT. I didn't want to buy it. So now my pick of the week is listeners, can you— those of you that are human and have the hot ear, hot pillow syndrome, problem. If you have a cool pillow method, I need to know it. Okay. So, what?


GRAHAM CLULEY. So basically we're going to get—


CAROLE THERIAULT. Oli will be interested in the results, right?


OLI SKERTCHLY. You like a cool pillow?


GRAHAM CLULEY. Thank you very much. We're going to get bombarded by Chillow pillow people now.


CAROLE THERIAULT. Well, maybe they can send me if it's— I'm not even going to use it if it's leaking.


GRAHAM CLULEY. Next week's episode starts at 5.


CAROLE THERIAULT. Are these bad reviews? Are these fake reviews?


GRAHAM CLULEY. Who knows? Could be by a rival, couldn't they?


OLI SKERTCHLY. Well, who's the rival though? I want to know about the rival. Maybe the rival's brilliant. Maybe the rival—


CAROLE THERIAULT. There's quite a few. There's quite a few. I've put a link in the show notes of like, apparently, I know, here's, here's 10 cool pillows, but I don't trust any of them now. The world's too complicated. I just want a cooler sleeping pillow. So any advice from a dear listener, I will take. Thank you very much. That's my pick of the week. It's not security related.


GRAHAM CLULEY. No, it certainly isn't. It's the kind of thing that maybe if you'd been on social media, you could have posted about and got some answers from all of your followers.


CAROLE THERIAULT. Maybe, maybe you will, because maybe you can do that for me.


GRAHAM CLULEY. Well, thank you very much for that Pick of the Week. And thank you as well, Oli, for joining us on the show.


OLI SKERTCHLY. Most welcome.


GRAHAM CLULEY. If people wanted to find out more about you, Oli, what would be the best way for people to do that? Is there any method whatsoever?


OLI SKERTCHLY. Well, firstly, more Phil Lemm. And secondly, maybe on July 4th and 5th, as a little bit of a protest to Larry Sanger, I will actually post some things on my Instagram account, which is Oli Light Industries. That's Oli spelled O-L-I, because I make lamps in my spare time. And maybe people want to look at a nice picture of a lamp.


GRAHAM CLULEY. Yeah, my young son, he bought a lamp from you, didn't he? Yeah.


OLI SKERTCHLY. Yes, yes. How's he enjoying that?


GRAHAM CLULEY. Well, it hasn't actually been delivered yet, Oli.


OLI SKERTCHLY. Oh, has it not? Oh, really? I hated to use the podcast to mention that, but I gave it to Kroll. I gave it to Kroll and she said she would deliver to you.


GRAHAM CLULEY. He's—


CAROLE THERIAULT. Oh, oh, oh, may I interrupt and thank this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers.


GRAHAM CLULEY. And you can follow us on Twitter at Smashinsecurity, no G. Twitter allows to have a G.


OLI SKERTCHLY. Yep.


CAROLE THERIAULT. And fist bumps to all of you listeners out there. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye. Yes, no, every day my son is waiting by the letterbox saying, "I wonder if, I wonder if the light will come." He comes home from school, "Is it here, Dad?" I say, "No, Oli hasn't sent it yet. It's not here yet, I'm afraid." So—

-- TRANSCRIPT ENDS --