GRAHAM CLULEY
That a message being sent to Earth from outer space could cause harm.
It could be a really simple one, right? It could be something saying, "Oh, by the way, your sun's going to blow up next Thursday just after tea time," right?
Now that may not be deliberately intended to destroy the world, but imagine the panic, right?
CAROLE THERIAULT
I don't think there'd be any panic. I think people would be like, "There's nothing we can do about that," right? Maybe NASA would be in a panic.
Maybe, you know, the Russian equivalent of NASA might be in a panic. But I think— I think I'd go punting.
GRAHAM CLULEY
I've never heard it called that before.
Unknown
Smashing Security, Episode 68: Malware from Outer Space, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security, Episode 68. My name is Graham Cluley,
CAROLE THERIAULT
and I'm Carole Theriault.
GRAHAM CLULEY
And we're joined today by a very special guest, aren't we, Carole?
CAROLE THERIAULT
We are. This is my friend and at times colleague, James Thomson. James, so you're not really in the technology sphere, are you? Tell us a bit about where you're from.
JAMES THOMSON
Carole, I am now, it will come as a surprise to you, editing a network of European cultural journals.
CAROLE THERIAULT
It's no surprise at all knowing you for about 20 years.
JAMES THOMSON
Well, it is a surprise given that I am the least cultured person that you know, but—
CAROLE THERIAULT
That's not true.
GRAHAM CLULEY
Oh, wow. It's not true. It's not true. I'm happy.
CAROLE THERIAULT
Oh yeah, Graham, yeah, you really rock the whole culture wire.
JAMES THOMSON
Well, I'm sure, I'm fairly confident there's a big overlap between your listeners and the readers of European cultural journals, so that's the reason I'm here, I guess.
So yeah, check it out, it's eurozine.com, and it covers about 100 cultural journals around Europe.
Don't ask me what a cultural journal is, we have long arguments about that, and intermediaries who contribute content, and we republish it after translating some of it into English.
GRAHAM CLULEY
So basically you're a journalist. I mean, obviously a very important editor-in-chief sort of journalist. And you're based where in the world?
JAMES THOMSON
Based in Vienna, Austria.
CAROLE THERIAULT
Oh, Vienna!
GRAHAM CLULEY
And you used to work for BBC World Service, is that right?
JAMES THOMSON
I did, yes, indeed.
GRAHAM CLULEY
Yes. And what university did you go to?
JAMES THOMSON
One not far from you, actually.
CAROLE THERIAULT
Christ, what is this, the Spanish Inquisition?
GRAHAM CLULEY
You went to Oxford, didn't you?
I'm just going to put it out there right now. James Thomson. Are you a spy?
JAMES THOMSON
Well, I did not— All I can say, Graham, is that if I am, the pay should be better.
GRAHAM CLULEY
All right. We will start talking about computer security and privacy after the break. Thanks to MetaCompliance for supporting this episode of Smashing Security.
People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity, Smashing Security training policy, privacy, and incident management.
Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.metacompliance.com. That's www.metacompliance.com.
And welcome back. And I want to talk to you, Carole Theriault, and James Thomson, about a very important topic. I want to talk to you about malware from outer space.
CAROLE THERIAULT
Oh, for God's sake.
GRAHAM CLULEY
No, it's a very, very serious issue.
CAROLE THERIAULT
Really? Really? Really?
GRAHAM CLULEY
Apparently so, because there is—
CAROLE THERIAULT
Pinky swear.
GRAHAM CLULEY
There is a new scientific paper which is warning us about the way that aliens could communicate with us and potentially destroy humanity through their communications with us.
JAMES THOMSON
Graham, you didn't read about this in the Daily Mail, did you? This isn't one of those— this isn't one of those, a new report, a new study has shown.
GRAHAM CLULEY
You might want to read up about this because it's the sort of thing you might want to cover in Eurozine. All right, all right, all right.
Lots of brainiacs and scientists have been putting their heads together over the years to consider the merits and possible downsides of searching for extraterrestrial intelligence, ETI as they're known.
Would contact with bug-eyed monsters—
CAROLE THERIAULT
Sounds like a sexually transmitted disease.
GRAHAM CLULEY
Careful what you do with that tentacle.
JAMES THOMSON
Look, I know you've got regular listeners, but I mean, I think they might start to detect a common theme here. But anyway, yeah, carry on, Graham.
GRAHAM CLULEY
Would contact with bug-eyed monsters benefit or harm humanity?
CAROLE THERIAULT
I can't believe you're covering this.
GRAHAM CLULEY
Should we hunt for them or keep our heads down in order to protect the Earth from threats?
Some have even suggested we cloak our planet using lasers to hide telltale signs that might be leaking information about us into space, maybe drawing attention to us, right?
So there's a couple of guys, Michael Hippke of the Sonneberg Observatory in Germany and John G. Learned of the University of Hawaii.
They've written— great name, a wonderful name, a learned name.
He has written— they have written some scientific papers considering these big questions relating to extraterrestrial intelligence, and in particular their latest one covers interstellar communication.
And they think this is an issue because they have postulated it is cheaper for aliens to send a malicious message to eradicate humanity compared to sending battleships.
CAROLE THERIAULT
What kind of message?
GRAHAM CLULEY
A malicious message.
CAROLE THERIAULT
Okay, wouldn't it be equally as easy to send a nice message saying how do you—
GRAHAM CLULEY
Well, this is the thing, you see. We can't be certain if we're going to encounter good guys or bad guys.
There is a chance it could be a Vogon battle fleet rather than some lovely sort of Ewoks.
CAROLE THERIAULT
No offence, but quite a small chance since nothing in history has suggested they've been round before. Right?
GRAHAM CLULEY
What if we're going to base the future upon your personal experience of the past, Carole? In fact, Carole, is it not the case?
I seem to remember, as soon as you've interrupted me, is it not the case that actually you once believed there was an alien invasion really happening?
I believe you were in Brighton at the time and there was some sort of spoof on the radio and you— Do you even want me to go there?
CAROLE THERIAULT
Look, I was very young and probably not of right sound mind.
GRAHAM CLULEY
Stoned. Anyway.
CAROLE THERIAULT
Or right of sound mind.
GRAHAM CLULEY
So we can't be certain if we're going to encounter good guys or bad guys. And the scientists warn that message decontamination is impossible. This is the finding of their paper.
And therefore any complex message we might receive from outer space might need to be destroyed to protect the planet. That'd be a real nuisance, wouldn't it?
And looking around, putting all these computers onto the SETI project, analyzing data which has been sent out there only to destroy the information when it comes out there.
So this is what they've said. They've said a complex message from space may require the use of computers to display or analyze and understand.
And such a message can't be decontaminated with certainty. And there is a technical risk, albeit small, it could pose an existential threat.
Complex messages would need to be destroyed in the most risk-averse cases.
So what they're actually basically saying is, if we got a message, it might be wise for us to run it on a computer which is air-gapped, and so it can't cause too much of a problem.
And once we get to really analyze it, we can switch to a paper printout is what they're suggesting for offline analysis.
In fact, now, if that sounds crazy, they're suggesting that maybe we need to go even further because imagine it wasn't just a basic message.
CAROLE THERIAULT
How would this message come in? Via Gmail or something? Outlook? It would just be sitting there, an IM?
GRAHAM CLULEY
Well, it would— I don't know.
CAROLE THERIAULT
Meet me for coffee.
GRAHAM CLULEY
It would be a sort of radio signal or something, wouldn't it? Which would be analyzed and you get beep beep. Beep beep beep beep beep or something. Who knows, Carole?
CAROLE THERIAULT
Who knows? You mean Morse code?
GRAHAM CLULEY
Morse code. But see, there is a possibility that a message being sent to Earth from outer space could cause harm.
An alien message, for instance. It could be a really simple one, right? It could be something saying, oh, by the way, your sun's going to blow up next Thursday just after tea time.
Right now, that may not be deliberately intended to destroy the world, but imagine the panic.
CAROLE THERIAULT
I don't think there'd be any panic. I think people would be like, there's nothing we can do about that, right? Maybe NASA would be in a panic.
Maybe, you know, the Russian equivalent of NASA would be in a panic. But I think I'd go punting.
GRAHAM CLULEY
Well, I've never heard it called that before.
Most people, when they're given a time limit and they're all talking about who they'd, you know, get off with and that sort of thing, you know, there could be rioting.
People could be getting widescreen TVs, HDTV or something, or they could be, you know, nobbing off with someone. Who knows? Who knows what could happen? It could be chaos.
CAROLE THERIAULT
You're making a real good story out of this.
GRAHAM CLULEY
Keep going.
CAROLE THERIAULT
You're doing great. I'm really buying it.
GRAHAM CLULEY
Well, now, if that sounds crazy enough, it gets even crazier because they then considered, well, what if it isn't a simple message that's sent to us, but something rather more complex?
What if there's a sort of header message, a frame around it which says, oh, hello, we're very friendly. We would like to send you our galactic library with every piece of knowledge.
All you have to do is build our artificial intelligence. Here are our instructions. It will quit.
JAMES THOMSON
This is basically an intergalactic Nigerian letter scam, isn't it? This—
CAROLE THERIAULT
Yeah, exactly. It's 101.
And these two guys have handed this paper in.
GRAHAM CLULEY
So what it says— this is what gives academics a bad name.
JAMES THOMSON
I'm sorry. I mean, I know his name is Learned, but really, please.
CAROLE THERIAULT
I really hope at the end of this Graham's going to be like "Isn't this a pile of poo?"
JAMES THOMSON
So it's not even April 1st yet.
GRAHAM CLULEY
So they say this is how you construct the AI. It will learn your language and it will answer your questions, and it may execute some code following these instructions, right?
And so these scientists have said, well, how would we handle this? And they said, well, we have to be very careful. So what we do is we isolate the computers.
We get the computer in a box on the moon.
CAROLE THERIAULT
They say we will only take Elon Musk's car to drive over to the moon.
GRAHAM CLULEY
We will execute the code there. There will be— we'll put safety devices in place.
And so they're describing things like remote-controlled fusion bombs to terminate the experiment at any time, right? Now, that sounds like they've thought of everything, doesn't it?
But they then say, our current research indicates that even well-designed boxes on the moon are useless because a sufficiently intelligent artificial intelligence will be able to persuade or trick its human keepers into releasing it.
CAROLE THERIAULT
Are you losing the plot?
GRAHAM CLULEY
Well, you know, it sounds like a whole load of poo to me. It sounds completely fucking crazy, doesn't it?
CAROLE THERIAULT
Thank God! Okay, I was really worried for your sanity there.
JAMES THOMSON
This makes me feel so much better about the story I've got as well. Can I just point out two fairly obvious flaws in this theory?
First of all, if an alien is clever enough to develop this ultra-complex AI system that we have to execute in a box on the moon in order to avoid being infected, they're probably intelligent enough just to zap us in the first place, right?
Secondly, in the early '70s we sent out the Pioneer probes.
GRAHAM CLULEY
Pioneer and Voyager.
JAMES THOMSON
In the Voyager, but the Pioneer probes are the ones that had those plaques on them with anatomical pictures of human beings and our exact position in the galaxy.
So it's not like we've been trying to cover up where we are, or it's a bit late. We need to send someone out to get those back. So the aliens don't even need to be that smart.
GRAHAM CLULEY
Well, the main point of this paper, which people are welcome to read and have a good laugh about, is they're basically saying any message which comes through could potentially do something nasty on the computers.
But I think that's a bit of a long stretch myself, that they would have built in some sort of Microsoft Word exploit or Flash zero-day into the message which they're sending.
It reminds me a little bit of Jeff Goldblum. Do you remember in Independence Day?
CAROLE THERIAULT
Oh, I know Jeff Goldblum. Yum, yum, yum.
GRAHAM CLULEY
Well, he uploaded that virus onto the alien mothership, didn't he? And thank goodness they had an Apple Mac like the one he was using.
That was a bit of a choice he had to make there. It could have been 50/50, but he said, you know what, those aliens look like they're Mac users. That's what I'm going to go for.
And that's how he managed to save the world. So thank you very much to Jeff.
And I think it's marvelous that these scientists are busy working on stuff like this rather than, you know, something less important, like, I don't know, global warming.
CAROLE THERIAULT
Thank you very much. Thank you very much for bringing this to our attention.
GRAHAM CLULEY
Well, it was the most important computer security story I saw in the last 7 days, so I thought it was important to bring it to everyone's attention.
James, what have you got for us this week?
JAMES THOMSON
Well, being the solipsist I am, and also the complete lack of technical knowledge that I have, I've decided to make this about myself. I mean, it's sort of tech-related.
CAROLE THERIAULT
That's perfect!
JAMES THOMSON
It's sort of tech-related. Because, like many other ordinary Joes who use consumer websites, I've discovered that some of them aren't quite true to their word.
Good, who'd have thought?
You might remember a few months back, Ryanair, that purveyor of high-quality air transport services, decided to cut thousands of flights across Europe and leave people actually stranded in various towns and cities where they'd gone for weekend breaks and things without any obvious way of getting home.
Now, I had a—
GRAHAM CLULEY
To their credit, that is more pleasurable than actually being on the Ryanair plane.
JAMES THOMSON
Yeah, well, that's true. Yeah, I mean, a bus ride back from Bulgaria probably is more fun than traveling on a Ryanair plane and being abused by the in-flight staff.
But anyway, I was a bit further away a few weeks ago in Malaysia, and for reasons which I won't go into now, I decided that renting a car would be a good idea.
So I went to a site called RentalCars.com, who glory in and claim RentalCars.com is the world's biggest online car rental service.
CAROLE THERIAULT
I'm assuming they're like Avis.
JAMES THOMSON
Well, yeah, they're not quite.
They're one of these kind of aggregator sites where you put in what you want, they offer you various options from Avis and Hertz and all the rest of them.
Then you book a car, you give them your credit card details, and, you know, lo and behold, in 3 or 4 days you expect to pick up the car, or however long it is.
So I book a car to get out of a town in Malaysia during Chinese New Year, which is a busy time of year over there, 4 days before I leave.
And then 12 hours before I'm supposed to pick this car up, I get an email from somebody at RentalCars.com saying, "Oh, very sorry, we couldn't find you a car."
CAROLE THERIAULT
See you later. And really, like, just see you later? Like, thanks very much, enjoy your trip?
JAMES THOMSON
More or less, yeah, more or less.
GRAHAM CLULEY
But had they earlier confirmed that they had got you a car?
JAMES THOMSON
Yep, they sent me a message saying, "Your booking is confirmed, thank you for using RentalCars.com," and then proceeded to send me emails every 12 hours promoting their services and trying to get me to rent another car.
And they're still sending them to me, actually, despite what happened later.
Now, insofar as this is tech-related, it's to do with the way that the average person interacts with tech firms.
I mean, not that these firms are really tech firms, but they're online.
CAROLE THERIAULT
But they're providing services that we rely on.
GRAHAM CLULEY
Exactly. And you never used to have this problem when Q Branch supplied you with vehicles, right?
JAMES THOMSON
Never. Those Aston Martins were as reliable as Swiss watches.
But the thing about these people was that when I phoned them up, and I got some guy and he said, "Well, the trouble is, you see, Malaysia, it's the other side of the world." And I said to him, "Well, it may be, my friend, but you are supposed to be running a global website and I'm on the other side of the world.
So what are you going to do about it?" "Try to pick up my freaking car." "Where is the car from the world's biggest online supplier of rental cars or whatever you are?" And this conversation went on for a couple of hours on and off.
The top and bottom of it was that they offered me a very generous discount on my next rental from RentalCars.com and then told me to bugger off, basically.
GRAHAM CLULEY
Oh, well, you're rushing to take them up on that generous offer, aren't you?
JAMES THOMSON
Very much so. Yeah, of course, there's no record of them offering me this.
So even when I do come around to booking something, which I won't, on their site, they won't honor it, I dare say.
But the thing about this is that, first of all, these sites are offering something that they don't actually have.
That's to say, they're offering all these things from Hertz and Avis and all these other car companies which are branded and look reliable.
But the fact is that they haven't actually got those cars.
And when they went to them to say, right, this guy, we've got a sucker, they turned around and said, well, we've already rented our cars at this rate anyway.
Of course there would have been cars. These companies all keep cars on standby for full rate, the people who walk in customers.
But of course the aggregator site isn't going to pay the full rate because they've already offered it to me at less. So they just walk away from the deal.
And that's the second part of this. That's to say, it's a one-way bet. You choose something on the site, you click on it, you give them your credit card details.
And if they can find it, they take your money. If they can't, they just walk away. And the same thing happened with Ryanair a few months back.
If you remember, they had got people who'd booked flights, some of whom had already traveled to the destinations and had paid for them, and then they just canceled the flights and walked away and said, well, it's your problem, get yourselves back.
And for people, I mean, all right, at the end of the day, I was lucky. I know Malaysia a little bit, I know the deal, I managed to find another way out.
But for people who've never been to Łódź, Poland, or Timișoara, Romania, and are there on a weekend break and may not have been abroad very often before.
You know, you try and get yourself back from Timișoara in a hurry.
CAROLE THERIAULT
Oh no, think of— I'm thinking of, you know, maybe our parents, right? Traveling.
JAMES THOMSON
Our parents are resourceful, Carole. They'd have just chartered a helicopter or something. But for ordinary folk like us, you know, or they'd have—
GRAHAM CLULEY
Oh yeah, you're pretending you're ordinary now. Why? Why don't you tell us about your trip to Tirana, Salata? Yeah, very interesting. Good cover. Good cover.
JAMES THOMSON
Anyway, the silver lining to this story was that I then managed to get an Uber taxi up into the mountains, a 300-kilometer journey for about 40 quid.
And I know because I saw, and me and my traveling companions saw the driver fill up the car and pay motorway tolls that came to more than the fare.
So we got quite a bargain out of Uber. I suspect this is because Uber is subsidizing drivers in order to capture market share over there.
So while one bunch of greedy venture capitalists was taking my money or attempting to take it with one hand, another bunch of greedy venture capitalists from Silicon Valley was giving it to me with the other.
So, you know, what goes around comes around in the end.
GRAHAM CLULEY
Well, I just hope your driver did all right out of that.
JAMES THOMSON
Mohammed was a very cheerful little fella.
GRAHAM CLULEY
He did his maths at the end of the day. Who knows?
JAMES THOMSON
I don't know. I mean, yeah, I don't know. But he seemed cheerful right off the end.
CAROLE THERIAULT
Do you think, though, that the upshot of this is that we shouldn't necessarily trust third-party sites that basically take deals from, you know, individual companies and try and provide a better service?
JAMES THOMSON
What I would say is this: I've used other rental car sites, aggregator sites, and some of them—in fact, I'll name one, Auto Europe, I've used before—and they've actually been very good.
When something's gone wrong, I've phoned them up and they've sorted it out. The problem is that these other guys notice that there's money in the market.
They go in with poorer customer service, and then they clean up because most of their deals go through.
So what I'd say is if you get good service from one of these companies, then stick with them. The only reason I didn't use them was that they had no cars in Malaysia.
It turns out they were all rented, actually, but that's why, probably.
GRAHAM CLULEY
So a nice recommendation there from James, the editor-in-chief of Eurozine, recommending Auto Europe. Interesting, similar names and great—
JAMES THOMSON
That is not an official endorsement. That is not an official endorsement.
GRAHAM CLULEY
No, then you're not affiliated. No, no, no connection. No connection. Okay. Carole, what's your story this week?
CAROLE THERIAULT
So I personally need to understand whether people like you and me, typical users, are actually cool with this business model, because I don't think I am.
So, you know the saying, if you aren't paying, you are the product. I get that. We know with free apps that makes sense, right?
Like Google provides you things like YouTube and Gmail, but in exchange they take things like, oh, everything that you search for, all the images of you, all the videos you watch, where you happen to be at the time, what IP address you're using, and what device you're using at the time.
So what about apps or services that we fork out money for, right? There's this company called MoviePass, a U.S. firm headed by CEO Mitch Lowe, and this is a company that wants to deglue U.S.-based butts off the couch and put them into the movie theater.
Well, they're not targeting my butt or your Austrian butt.
JAMES THOMSON
Bloody hope not.
GRAHAM CLULEY
Degluing butts. Is there a problem of sticky bottoms in America?
CAROLE THERIAULT
Yeah, well, you know, if you're sitting on your couch watching Netflix all day, right? And sitting there and you're eating maybe on the couch all the time, might be getting sticky.
GRAHAM CLULEY
Right, you're getting fused to the cushion. Right, okay.
CAROLE THERIAULT
Oh, you're being rude and lewd again.
GRAHAM CLULEY
No, no, not again. Not after last week.
CAROLE THERIAULT
We've been told many times.
GRAHAM CLULEY
I cleaned up my act.
CAROLE THERIAULT
Right, so they want to get you off the couch and get you into movie theaters. Now, how are they going to do this? Well, why not just steal the model made by Netflix?
So have a movie theater subscription service.
So you pay about $10 a month, or about £7, and the service uses a mobile app where registered users check into a cinema and choose a film and a showtime, and then you present your voucher and the theater actually collects payment from third-party credit cards, including, says TechCrunch, one that belongs to a bunch of venture capitalists.
So according to this article in MediaPlay News, the CEO, Mr. Lowe, claims to currently have around 2 million users and is looking to onboard 3 million more by the end of the year, bringing him to a total of 5 million.
Boom, this is all looking fantastic. Now, back to the topic of data tracking. What kind of data tracking would we expect in a paid service like this?
Now, you might think, hey, they might know what movies I go watch, right? Or what time I watch them.
GRAHAM CLULEY
Maybe they'd recommend similar movies, you know, so if they find out that you like thrillers, maybe they say, oh, by the way, there's a thriller out now next week at this cinema, you may want to go and see it.
I don't know, something like that.
CAROLE THERIAULT
Yeah, yes, okay, exactly. That makes sense to me, right?
What date you went to see it, you know, how many tickets you bought, when you go, and then they can kind of tailor the experience for you.
So I headed over to the website, the MoviePass website, to learn a bit more, and I found their policy just to kind of take a look around. And here's just a quick snippet from it.
So, we keep track of your interactions with us and collect information related to your use of our services.
Including but not limited to the online activity, title sections and ratings. Fine, fine, fine, I think. Payment history and correspondence as well as internet protocol addresses.
Interesting. Device types, operating system and related activity. So there's a few things that make me nervous in there. The words not limited to and related activity, right?
Those are the two that make me a little nervous. I'm no lawyer, but they just give me a bit of the heebie-jeebies.
So on March 2nd at the Entertainment Finance Forum in Hollywood, of course we've all heard about this. MoviePass CEO Mitch Lowe was the keynote presenter at this event.
And the title of his talk was, "Data is the New Oil: How Will MoviePass Monetize It?" Well, he tells us during his keynote, he seems to literally crow about how much data they are currently hoovering up from their paying customers.
The company, of course, knows its subscribers' addresses and can glean demographic information based on where they live. This was reported by TechCrunch.
The company can also track subs via the app and phone GPS. So let me quote here. "We get an enormous amount of information," he said. "We watch how you drive from home to the movies.
We watch where you go afterwards." Well, what? What? Right?
GRAHAM CLULEY
So hang on.
CAROLE THERIAULT
So let's go back to the policy. But first, before you start, because I know, I know, let's go back to the policy. Policy.
So the policy says that MoviePass collects information related to my use of the service. How is where I go beforehand and afterwards any way related to the service use?
Yeah, it's not. It's actually related to their future service.
I'm assuming all this data is going to help them forge alliances with nearby restaurants, cafes, bars, and clubs and give you deals, two-for-one drinks, etc., etc.
GRAHAM CLULEY
Because they could pop up something on the app, couldn't they, to say, oh, maybe you'd like to go to Domino's now for a pizza or something like that?
CAROLE THERIAULT
No, two-for-one. Two-for-one larges for you and your date. Mega Gulps for free. Yeah.
GRAHAM CLULEY
This CEO, basically, he was on stage.
He was on stage and he got a little bit— he's thinking, hey, look at me, right? I'm on stage. I'm only at the Entertainment Finance Forum in Hollywood. Everyone's listening to me.
I've got this great speech about data being the new oil. And he can't stop himself from crowing about it.
CAROLE THERIAULT
He's a bit like someone on CNN I saw this morning.
GRAHAM CLULEY
Yeah, there've been some extraordinary appearances on CNN lately, yes.
CAROLE THERIAULT
Now here is my big beef about this. I want peddlers of services like this to be upfront. Is that too much to ask?
I want to make an informed decision and I want to decide whether I want to sign up for that service or not based on the interaction of what they get and what I get.
It worries me that lots of apps, many of which we're paying for, are taking a lot more from us than we realize.
Even if those of us who go and read the policy aren't really any wiser to that information.
GRAHAM CLULEY
Well, that's the thing, isn't it? Because it's not just being upfront about it and put it in the privacy policy, which clearly they didn't do on this occasion.
It wasn't clear because they just said, oh, related activity. Nobody reads the privacy policy apart from you, Carole, on this occasion.
CAROLE THERIAULT
Well, I was doing a story on it. I had to do my homework.
GRAHAM CLULEY
Okay. But normally what you need is a great big fat dialogue saying, "Oh, by the way, we're going to spy on where you go to after the movie.
Is that all right?" And the default should be, "No, of course it's bloody not all right." Or alternatively, "Yes, I'm a complete idiot. I don't mind you tracking me."
CAROLE THERIAULT
I know I was fantasizing earlier about having this fantastic app that would just basically read all these contracts for us and then just give us alerts on things that we've told that we don't want.
GRAHAM CLULEY
You know, there's some alien intelligence which could actually— They've promised that they can provide us with that. We've just got to run the code on the moon.
CAROLE THERIAULT
Look, I don't think I'm being crazy here. Is it nuts that I think that they should be upfront about, you know, the details of the exchange between us?
Or are we so desensitized by piss-poor privacy that we don't give a shit anymore? And we're just like, yeah, well, that's the cost of business.
JAMES THOMSON
Of course not. But just to give you a kind of insight, these sort of issues are actually kind of live political issues here in Austria.
This kind of data privacy thing is a big deal here. The idea that apps are tracking you is something that people here get really concerned about.
CAROLE THERIAULT
I'm so glad to hear that.
JAMES THOMSON
Being someone who doesn't really use apps, I mean, what benefits do you get from— if you're running these dozens of apps on your phone or hundreds, some people, and they're all tracking you, are the benefits really worth it?
I mean, which apps do you use or would you recommend where you have to trade off this loss of privacy for benefit.
CAROLE THERIAULT
I do use some Google apps, right? And I use tons of apps. I'm sure loads of apps are saying, yes, we're going to kind of track your data. GDPR is going to help protect EU residents.
But as far as I could see, MoviePass doesn't give a hoot about the EU at the moment. In fact, they're moviepass.co.uk if anyone wants to buy it. It's available for grabs.
GRAHAM CLULEY
So I think the vast majority of free apps are certainly going to be doing something with your data, even if it's simply to target you with advertising. The majority are doing that.
What is upsetting particularly about this MoviePass thing is you're actually paying a subscription, aren't you, for this service? And so these add-ons, even if—
JAMES THOMSON
For the pleasure of being monitored.
GRAHAM CLULEY
Exactly. Even if they can promote the benefits of tracking you and explain why that's a really good idea, it should be optional.
It should be something which you have to knowingly opt into rather than to have to try and find out how to opt out.
As it is, you only found out about this because the CEO couldn't keep his mouth shut on stage.
CAROLE THERIAULT
Yeah, and it makes you wonder how many more apps are doing this.
And look, I'm not a big fan of layers upon layers of legislation, you know, but you know, if people are gonna behave like this, it's maybe the only option we have to protect our privacy.
GRAHAM CLULEY
We could all move to Austria.
JAMES THOMSON
Australia. I'm not sure I'd recommend that.
GRAHAM CLULEY
Well, you don't want me coming to Australia?
JAMES THOMSON
You're very welcome. You're always welcome.
CAROLE THERIAULT
So, and I know there's some people are going to say, "Hey, but look, you get a real deal with MoviePass, right? It's so much cheaper going through this way.
What are you complaining about, dude?" But that's the problem. I don't know what apps like this, paid or unpaid, are actually taking in exchange for my patronage. I don't know.
And if I knew and I could make an educated guess, fine. But I don't know why we're leaving it up to them just to hoover up off our phone what they want.
GRAHAM CLULEY
And it's a slippery slope, Carole, because it becomes the new normality, right? Every time this happens—
CAROLE THERIAULT
You know I know about that stuff, yes.
GRAHAM CLULEY
And before you know it, they're filming you in your bed or they're stealing your—
CAROLE THERIAULT
And on that bombshell!
JAMES THOMSON
At risk of sounding like Victor Meldrew, sorry for non-English listeners, can I just make a request for them to bring back Orange Wednesday, when to get a half-price cinema ticket, you just had to borrow your mate's Orange phone and get them to send you a code, and then they let you in for half price?
CAROLE THERIAULT
I think that actually still—
GRAHAM CLULEY
I mean, that just seems so much simpler than having to have an app. Sounds to me like fraud, James. No, that is fraud.
And I cannot believe that someone who worked on Her Majesty's Secret Service is suggesting such a thing.
JAMES THOMSON
I think that's what Hope Hicks would call a little white lie, and I think we can all live with that.
CAROLE THERIAULT
Right, off to our sponsors!
GRAHAM CLULEY
And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture.
You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING.
That's metacompliance.com, and don't forget the code SMASHING. On with the show. And you join us at our favorite part of the show, which we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where we all choose something that we like.
Could be a funny story, a book we've read, a TV show, a movie, a record, an app, a website, podcast, whatever we like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Definitely not security-related this week.
GRAHAM CLULEY
Well, mine is not security-related this week, Carole.
JAMES THOMSON
No aliens, Graham.
GRAHAM CLULEY
It's no aliens. No, I'm going to talk to you about another aspect of my life.
Before I was in the crazy world of computer security, I used to be in the world of interactive fiction, also known as text adventure games.
I used to write text adventure games when I was a wee lad, which was great fun, and I loved them as well.
They were the only kind of computer games I was really any good at writing or playing. And my pick of the week is a documentary called Get Lamp.
These are the kind of games which were purely words, okay?
Where you'd say something like, "Go north, pick up everything apart from the Dweezil, stroke the octopus" or whatever, and it would then relay what happened in text.
So it was like a book, but an interactive book.
CAROLE THERIAULT
Okay. I used to play two of these. One was called— one started with Z, the other one was called Zork. Zork and Enchanter.
GRAHAM CLULEY
I like that. Yes, Enchanter. Well, both of those games were published by a company called Infocom.
There's both a documentary where they interview the people who wrote those games, and they were fantastic games.
The ones you've just spoken about were written by people like Steve Meretzky, who also wrote Leather Goddesses of Phobos. Very funny game.
JAMES THOMSON
Pardon? Say that again?
GRAHAM CLULEY
Leather Goddesses of Phobos. Did you never play that game? It's very funny. It's like a 1950s schlock.
JAMES THOMSON
You know, I realize my youth wasn't nearly misspent enough.
CAROLE THERIAULT
Where were you living? Under a rock?
GRAHAM CLULEY
He also co-wrote with Douglas Adams, no less, the computer game of Hitchhiker's Guide to the Galaxy. And they wrote some tremendous creative games.
Other people included Brian Moriarty and Dave Lebling, who wrote The Lurking Horror, which is sort of an H.P. Lovecraft-inspired text adventure game.
Scott Adams didn't work for Infocom, but also wrote some famous games.
JAMES THOMSON
What, the Dilbert Scott Adams?
GRAHAM CLULEY
No, it's a different Scott Adams. I don't think it is that Scott Adams.
CAROLE THERIAULT
That would be just too weird.
GRAHAM CLULEY
That would be just too weird.
But it's a great documentary, loads of background features, including a 50-minute documentary all about Infocom, who were really the kings of the text adventure.
Great packaging, fantastic quality, and eventually the company went bust for an interesting reason. But you can watch the documentary to find out more.
My only complaint about the movie is that it's very US-centric, and there were a lot of European games as well, and European text adventure companies back then, like Level 9 and Magnetic Scrolls.
CAROLE THERIAULT
Maybe Europe wouldn't put any money towards it.
GRAHAM CLULEY
No, I think this was really a labor of love by the director, Jason Scott.
Now, I bought the DVD from his website, Get Lamp website, but you can actually watch it for free on YouTube. He presented it as a Google Tech Talk. So if you—
CAROLE THERIAULT
Did you really? Did you really buy it?
GRAHAM CLULEY
Yes, I did.
GRAHAM CLULEY
Did you really? I did. Oh, yeah, I know. Surprising. You can check it out as a Google Tech Talk as well and watch the documentary about Infocom. Really recommend it.
Terrific documentary and talks about a long-lost era of computer gaming, which I miss.
CAROLE THERIAULT
I miss too. And I've actually played your games, Graham.
And I would recommend them because they are good. I don't even know what they're called.
GRAHAM CLULEY
The most famous one is called Jacaranda Jim.
CAROLE THERIAULT
Oh yeah, I remember.
GRAHAM CLULEY
And its sequel— well, not a sequel really, but the next one I wrote was called Humbug. Humbug is a much better game.
Yes, both of them are available on my website, GrahamCluley.com.
CAROLE THERIAULT
Why don't we play a bit so people know what they're getting into?
GRAHAM CLULEY
I am in the pantry. It is a small, dark room, the only source of light being a barred oval window built close to the ceiling and the west wall.
A definite niff of seaweed wafts around the shelves. Small mountains of marzipan and icing sugar are liberally scattered across the damp stone floor.
A shark is leaning against one of the mounds of marzipan. He gives me a knowing wink. A small mouse pokes its head around a mound of marzipan and squeaks at me.
I can also see a caddy. An exit exists. Next, James. Show me.
CAROLE THERIAULT
What's your pick of the week, baby?
JAMES THOMSON
I'm afraid to say there are no games on my website, and there wouldn't be even if I had one.
But I also have to confess, I'm afraid I haven't listened to every one of the 67 preceding podcasts.
I have listened to most of them, but not every one, so this may have come up before. I'd be surprised if it hasn't. And I'm talking of the Warrington Cycle Campaign.
GRAHAM CLULEY
Oh yeah, we did that, episode 34.
CAROLE THERIAULT
Next, the Warrington— what? Warrington's a place in the UK.
JAMES THOMSON
The Warrington Cycle Campaign, which promotes safer cycling for existing cyclists in Warrington and aims to encourage more people to travel by bicycle in the— Ah, now, now you'd wonder why this would be my pick of the week.
Well, yes, they have this genius subpage which is called Facility of the Month. This documents in photographs every month the most idiotic cycling facilities in the world.
And I'm talking about dedicated cycle lanes.
GRAHAM CLULEY
Oh, I'm looking at one right now. Yeah, yeah.
JAMES THOMSON
So the ones that require cyclists to get off their bicycle every 20 yards or feed cyclists directly into oncoming traffic or put lampposts in the middle of cycle lanes.
Have you seen this before?
GRAHAM CLULEY
No. This is extraordinary. I'm looking at some of them. It's quite dangerous, isn't it, being a cyclist? It seems if you obey the laws of the road, if you follow these instructions.
JAMES THOMSON
Well, some of them are just— I mean, most of them are just crazy.
They've been put in by council workmen who've just been operating according to some plan they've been given without any thought for whether this makes any sense or not.
Most of them are things like cycle lanes that last literally 3 yards and then end in a steel gate. But they also have these superbly sarcastic captions that they use for them.
So if you look at July last year, 2017, for instance, picture of a sign in the middle of a cycle path blocking it entirely that just says "Cyclists caution, signage in cycleway," and the caption reads, "This month's facility was inspired by an undergraduate philosophy assignment: a sign whose only purpose is to warn of its own existence."
CAROLE THERIAULT
So charming, it's lovely, it's fantastic, and it's from the Hackney Council.
JAMES THOMSON
There are hundreds of them there, they're brilliant, so I recommend that you scroll through that.
CAROLE THERIAULT
That's, this is like a website from 1990.
JAMES THOMSON
I know, that's what I love about it as well, it's very old school.
But they're really down to earth as well. They're not cycling Nazis. They're not sort of anti-motorist. They're just pointing out that things could be done better.
And so I salute them.
GRAHAM CLULEY
Cycle Nazis. And then you mentioned saluting. That would be quite dangerous actually doing the Nazi salute while cycling, wouldn't it?
JAMES THOMSON
Well, I'm not going to make any comments about Vienna. Not to be recommended. But you know what I mean by cycling Nazis.
I mean, if you read any articles about cycling in the press, if you read the comments underneath, they're divided between people who think that anyone who drives a car should be executed and people who think that anybody who rides a bicycle should be executed.
People get really anxious about this.
GRAHAM CLULEY
James, James, it's one thing for us to upset Donald Trump fans on this podcast. Don't start getting cyclists annoyed. They're much scarier. I am a cyclist.
Oh yes, some of my best friends are cyclists. Look, we don't want those sort of people leaving us negative reviews on iTunes, you know.
JAMES THOMSON
No, no, no.
GRAHAM CLULEY
I am merely highlighting the debate. I am not coming down on either side. As I say, I cycle to work every day on Austrian cycle paths. My day is enlivened every morning.
I say this to people. They say, why do you cycle to work? And I say, well, the adrenaline from Austrian motorists attempting to murder me every morning is what keeps me going.
So no, I'm a committed cyclist. I love it. But I hate a crappy cycle facility.
CAROLE THERIAULT
Well, thank you for that pick of the week. I think actually this is a perfect time waster for late Friday afternoon.
Anyone who's into cycling, this is definitely where I would recommend people to go this week.
GRAHAM CLULEY
So, Carole, what is your pick of the week?
CAROLE THERIAULT
Mine is a podcast and actually an episode of a podcast. So this is the podcast called We the People Live, created by Josh Zepps, a journalist hailing from Australia.
I really like this podcast. It's interesting, it's refreshing, it's got a bit of political bite.
It talks about ethics, has a little splash philosophy here and there, and he interviews really great guests, much like we do. Not today.
Now, I really like this particular episode, episode 116, Money: Free Money for All. This is an interview with Rutger Bregman.
This is a Dutchman who is a champion of universal basic income. This is basically where government gives you free money.
And Rutger talks about the 15-hour work week, whether AI will impact our working lives, and whether we're basically wasting our lives in meaningless jobs in order to keep up with the Joneses.
It's just really interesting the way they bounce around the ideas, and I really enjoyed it.
So if you have an hour or so free, I'd recommend you check out episode 116 of We the People Live.
GRAHAM CLULEY
Okay, 15-hour work week.
CAROLE THERIAULT
Yeah, doesn't it sound great? Well, you know, the 15-hour workweek doesn't belong to Rutger. It's someone in the '30s. I think it's John Maynard Keynes.
GRAHAM CLULEY
Yeah, John Maynard Keynes.
CAROLE THERIAULT
He talked about that. And they expected by this time, that's what we'd be doing. And in fact, we're doing exactly the opposite, aren't we?
I think most people work over 40 to 45 hours at the moment, which is crazy.
GRAHAM CLULEY
Yes. It's more like a 15-hour workday sometimes, isn't it? In fact, you know what? AI is probably a bigger threat than those aliens.
I don't know why we're worried so much about these aliens sending us some messages. All those are Alexas. I just said the word. It's all these dinguses in people's homes.
They're the things we should be watching, I reckon.
CAROLE THERIAULT
Yeah, exactly. Anyway, worth listening to. Might give you some new ideas on how to handle this stressful life we're all living.
JAMES THOMSON
I was just going to add that if you read The Road to Wigan Pier by George Orwell in the 1930s, in which he talks about the appalling conditions in which people were working in industrial parts of England, he at the same time also considers how mechanization is going to reduce demand for physical labor and how are we going to manage that and what's everyone going to do when no one needs to work anymore.
So yeah, these issues have been around for a while.
GRAHAM CLULEY
They're going to tweet and post Facebook updates. In fact, that is what people are — that is the work they're doing, isn't it?
They're just feeding Mark Zuckerberg and his empire by constantly pouring data onto his servers.
CAROLE THERIAULT
Well, less and less every day.
GRAHAM CLULEY
On that cheery note—
CAROLE THERIAULT
Poor sausages.
GRAHAM CLULEY
We've just about wrapped up the show, haven't we, Carole?
CAROLE THERIAULT
We have. So first, thanks to everyone who listens to the show. It occurred to me today that this would be an exceptionally futile exercise if we didn't have listeners. So thank you.
And thanks, of course, to our sponsors, who help fund the cost of producing and publishing the show.
GRAHAM CLULEY
Oh, aren't they lovely? Now, if you like us, you can follow us on Twitter @SmashingSecurity, no G. Twitter wouldn't let us have a G. We're on Facebook as well.
We've got a Facebook group, and we have an online store at smashingsecurity.com/store. We don't just buy t-shirts.
Someone contacted us the other day and said, why do you only sell t-shirts up there? It's not just t-shirts. We've got cushions.
CAROLE THERIAULT
Stay away from the cushions, guys. Seriously.
GRAHAM CLULEY
We've got stickers. We've got mugs. The mugs are all right, aren't they?
CAROLE THERIAULT
Yeah, no, I do drink out of my Smashing Security mug.
JAMES THOMSON
Graham, Graham, what should I do if I don't like you?
GRAHAM CLULEY
If you don't like us, what you should do is... But if you do rate us on Apple Podcasts, it really does help new listeners discover the show.
And you can go to smashingsecurity.com to grab past episodes and for details on how to get in touch with us. So thank you very much for joining us, James Thomson.
JAMES THOMSON
My pleasure. Thank you for having me.
GRAHAM CLULEY
Carole Theriault, as always, you've been terrific.
CAROLE THERIAULT
I wish I could say the same, Graham Cluley.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye. Bye.
CAROLE THERIAULT
My flatmate's just come through the door.
JAMES THOMSON
I'm just going to say hello to Lena. Hello, how are you? Yeah, they just don't— yeah, could you just come here, Lena, and tell them that I'm not a spy? Oh yeah, they're accusing me.
CAROLE THERIAULT
We've never met Lena, so Lena is my wonderful Russian flatmate.
JAMES THOMSON
Well, because I live in Vienna, apparently that's enough. That's enough. But so do you. So, I mean, yeah, yeah, exactly. Thank you. Yeah, it's a wonderful culture place, isn't it?
GRAHAM CLULEY
Yeah, it is very convenient. People of all nations, isn't it, meeting up and exchanging information in dead letter drops?
JAMES THOMSON
It's good. They're talking in my ear at the same time, so I'm sorry if I'm not making any sense. It's all right.
GRAHAM CLULEY
No, you go and chat with your flatmates. Yeah, it's fine.
JAMES THOMSON
Don't worry about us. No, no, don't worry.
GRAHAM CLULEY
I'm not going to get ripped off.
CAROLE THERIAULT
I'm not. Fine. Fine. Okay.
JAMES THOMSON
No whispering. I heard that, cruel.