This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Newsflash! Newsflash! Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be asked, please go to smashingsecurity.com/vote and you can vote Smashing Security the best security podcast. Voting closes on the 1st of June, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote, and now on with the show.
Carole Theriault
Because I understand spreadsheets a bit, but I'm no expert in all this stuff. Why are you guys giggling?
Maria Varmazis
He's thinking it now. He's trying not to laugh.
Carole Theriault
Is this because of the term backend guru? I'll wait you out. You guys go ahead.
Unknown
Smashing Security, Episode 79. Ransomware Bots, Mobile Mania, and Backend Gurus with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 79. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
Hello, Carole. We are joined this week by the returning Maria Varmazis. Hello, Maria.
Maria Varmazis
Hi.
Carole Theriault
Is that going to be your new name?
Maria Varmazis
It's my new name. Good morning, Maria. I'm going to put that next time I'm at a conference just above my head.
Carole Theriault
It almost sounds biblical.
Graham Cluley
It's great to have you back, Maria. And Carole, you're over on Maria's side of the Atlantic as well at the moment, aren't you?
Carole Theriault
Yes, I am. Now, you may notice that the sound quality at my end is not very good, and that's because my £200 microphone has decided to explode. So I am actually using native microphones from my computer.
Graham Cluley
You mean £200 British sterling, don't you? You don't mean £200 in weight?
Carole Theriault
Yeah, no, that would have been quite heavy to bring over by plane.
Graham Cluley
Right. Now it's an exciting time here on Smashing Security Show because of course today is Thursday, the 24th of May, 2015.
Carole Theriault
Yes.
Graham Cluley
2015? No, 2018. I wish.
Maria Varmazis
Yeah.
Graham Cluley
2018. And that means that tomorrow is GDPR day.
Carole Theriault
Woo-hoo!
Graham Cluley
It's the final countdown, folks.
Carole Theriault
It is the final countdown.
Maria Varmazis
Headbanging as I speak.
Graham Cluley
Da da da!
Carole Theriault
Okay, Graham.
Graham Cluley
I think for copyright reasons, that's all we can do, Carole. We just have you singing that, okay?
Carole Theriault
Oh, do you think that? Now Graham, I need to ask, in the '80s, did you have long flowing locks, tight leather jeans, and a cut-off jean jacket?
Graham Cluley
No, no, I was dressed a little bit more... I was still living in 1974.
Carole Theriault
Oh, so nothing's changed then.
Graham Cluley
No. So I wasn't really into the heavy metal and all that, if you can consider Europe and The Final Countdown heavy metal.
Maria Varmazis
No, no, no, you can't.
Graham Cluley
Can you?
Carole Theriault
No, you really, really can't.
Graham Cluley
But I wasn't a big user of the hairspray either. But, you know, we might need to go to that kind of effort, Carole, for our live shows next month. Do you notice the segue there? Because we are taking Smashing Security live up and down the UK.
Carole Theriault
Very exciting. Cambridge, London, Manchester, Edinburgh.
Graham Cluley
That's right. And people can go and book their tickets if they want to see us. It's all part of the Secure Tour with our good chums at Chess Cybersecurity. And if you want to find out the dates and want to find out what on earth we're going to do at a live podcast, or if you want to come see us—
Maria Varmazis
I'd love to come see you.
Carole Theriault
Oh, take a flight over.
Maria Varmazis
I'd love to see you guys live.
Graham Cluley
Go to smashingsecurity.com/live to register your interest. And hopefully we will see you on the tour. But not you, Maria.
Maria Varmazis
No, not me.
Carole Theriault
It's my dream that one day the three of us can do a live show. That would be a wonderful, wonderful day.
Graham Cluley
Oh, a threesome would be fantastic.
Carole Theriault
Whoa!
Graham Cluley
Oh my goodness.
Carole Theriault
Not on your life, bucko.
Graham Cluley
Crikey, we're all married.
Maria Varmazis
Not to each other though, just to clarify.
Carole Theriault
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization. LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications. But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users. Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
Graham Cluley
And welcome back. Now I've got a question for you girls. Have you ever been in trouble with the law?
Carole Theriault
Oh yes, loads of times.
Graham Cluley
Any little indiscretions you'd like to tell us about?
Carole Theriault
No, not a single one.
Graham Cluley
None of them you'd like to mention?
Carole Theriault
No.
Graham Cluley
Okay, well, I'm sure there will be a few listeners who may have been hauled to the police station from time to time for some little misdemeanor, maybe had their photograph taken or their fingerprints taken, or perhaps even worse has happened to them. In September 2013, a chap called Jesse T. (his full name hasn't been released for reasons that will become obvious) was arrested and taken to a Californian county jail where he was photographed and his fingerprints were taken. Now, 12 days later, I don't know why it took them quite so long anyway, they decided to release him and he was never charged with any crime and it was just classified as a detention. Now—
Carole Theriault
I've never heard that term detention before.
Graham Cluley
Well, we used to get detention at school all the time. Just means you've been detained, just been sort of, you know—
Carole Theriault
Held against your will for 12 days.
Graham Cluley
Okay. Kettled. Yes.
Maria Varmazis
This is America.
Graham Cluley
Burglarized. That's another crazy one they do. About a year later, a lady friend of Jesse told him that she'd been searching for him online, you know, as you do, and she'd found his picture, his name, his address, and the charge when he was arrested on the mugshots.com website.
Carole Theriault
So this comes back to that time he was taken to the Californian county jail.
Graham Cluley
Indeed. So all of his information, including his embarrassing mugshot— now, mugshots, your police mugshot is quite often quite like your passport photos, not always the most flattering thing in the world.
Carole Theriault
No, mine's stellar.
Graham Cluley
But nowhere did it say that he hadn't been charged or convicted of any crime, but it was still up there, right? And he was enraged. And he thought back to that, you know, he'd made about 100 or so job applications in the year for construction and electrical jobs, none of which he'd had any response to. So he was having a pretty grotty time. And naturally he began to think, well, could this have affected my chances of getting a job? So he was on this website going, "Argh, I can't believe this website done this," and he saw a link on the website to another site called unpublisharrest.com, which told him if you ring an 800 number and pay at least $399, you can have your mugshot removed.
Carole Theriault
Yippee! Wow!
Maria Varmazis
And that is a racket for sure.
Graham Cluley
It is a racket, isn't it? I'm shocked.
Carole Theriault
Okay.
Graham Cluley
Jesse thought it was a racket too. He was enraged, and so he rang the number and told them it was extortion. And you know what the other people did, the people on the other end of the line?
Maria Varmazis
No.
Graham Cluley
They laughed. They laughed and they hung up.
Maria Varmazis
Hehehe.
Graham Cluley
Right. And eventually, because Jesse kept on ringing them, they stopped answering his calls.
Carole Theriault
So he didn't go at this stage to the cops or anything? What would one do?
Graham Cluley
Remember last time he'd been at a police station, he got held for 12 days.
Carole Theriault
Detained.
Graham Cluley
Yes, exactly. Still not terribly pleasant, I imagine.
Carole Theriault
Mm-hmm.
Graham Cluley
But yes.
Maria Varmazis
Realistically, what could the cops actually do here? I mean, not a lot. That information is public record, I think, isn't it? So.
Graham Cluley
Well, quite. Now, eventually this unpublisharrest.com, they stopped answering this guy's calls, but he kept on calling and they were ignoring them. But one time Jesse had the foresight and wits to record when unpublisharrest.com called him back. And this is how the conversation went. Now, one of us should be Jesse, and one of us should be the person ringing from unparked.
Carole Theriault
I'll be the phone. I'll be the phone sound.
Graham Cluley
Okay, you— oh, you're going to do the phone sound effects, are you? Yeah. Okay. All right. Maria, I think that means you're going to have to either be Jesse or the person ringing Jesse.
Maria Varmazis
I want to hear you say it. Okay. With your American accent.
Graham Cluley
You be Jesse and I'll be the caller. Okay. So, Carole, you start off with the phone noise.
Carole Theriault
Ring, ring, ring, ring.
Maria Varmazis
That's not an American phone. I'm just saying.
Carole Theriault
Okay.
Graham Cluley
There we go.
Carole Theriault
Click.
Maria Varmazis
Hello?
Graham Cluley
This is the third time you fucking bitch. We never answer your calls again. You've been permanently published, fucking bitch.
Carole Theriault
Click.
Maria Varmazis
What was that?
Graham Cluley
That was an evil person. I'll tell you, an evil person.
Maria Varmazis
Oh, right. An evil person.
Carole Theriault
Well, yours sounded insane, Graham. You were sitting there laughing the whole way through.
Maria Varmazis
I'm the Joker. I'm angry.
Graham Cluley
She seemed quite happy about it. Now, Jesse T., not to be mixed up with the drink, was not the only victim of this unpleasant extortion. Loads and loads of other cases. In fact, if you read the court filings, you will hear about some of them. For instance, in 2005, a woman called Shaw was arrested and subsequently convicted and served some time in relation to a drugs bust. Seven years later, she discovered her picture was on mugshots.com. And the way in which she found out she was on mugshots.com was rather unpleasant. She was trying to set up a playdate for her young daughter with one of her daughter's classmates, and the classmate's mum Googled Shaw, found her photo, and rang up Shaw and said, my daughter's not going to play with your daughter because that's the daughter of a drug dealer, and we shouldn't even be going to the same school as you. Wow.
Carole Theriault
So, you know what, Graham, I have two points to make here, if I may. One, this would never happen to you, not because you wouldn't necessarily ever be arrested, but because you Google yourself daily, so you would have spotted the mugshots.com before anyone else would have and dealt with that. And you would have probably done the whole trick of burying the news by publishing tons and tons and tons of articles and social posts to bury that so-called needle in the haystack. Right?
Maria Varmazis
Yeah, no extortion money. Well, that's— You can SEO it.
Graham Cluley
Well, that's an interesting technique because the mugshots.com website is still up and live. And I have to say, girls, when I went to it earlier today, the first thing I did was I entered your names.
Maria Varmazis
Ah, jeez.
Graham Cluley
I went looking for you. Excellent, because now you're now in the search logs. So we're both in the search logs, Maria.
Maria Varmazis
My name's a little bit unique, so I'm pretty much the only Maria Varmazis on there. I am with some confidence, I can say.
Carole Theriault
And this is how we treat every single guest. This is the stellar VIP treatment that you get as thanks for being a guest on our show. So thank you, Maria. And Graham has sent you his own special thank you.
Graham Cluley
We checked to see if you're there on the registry. And Maria, I'm afraid you weren't there. There were a number of Theriaults, I have to say. But Carole, I think the fact that you are Canadian may have meant that you do not actually appear. So I need to find a Canadian equivalent to this site, perhaps. I did find some Cluleys.
Maria Varmazis
Of course you did.
Graham Cluley
And if you scroll down in our shared document, you'll see some screenshots of a Cluley.
Carole Theriault
He has your hair.
Graham Cluley
No, he does not.
Maria Varmazis
Are you kidding?
Graham Cluley
He looks rather sinister, doesn't he?
Carole Theriault
Well, it's not a happy time.
Maria Varmazis
Yeah, he could be having a bad day.
Carole Theriault
I don't think you do the whole— was it chin down, eyes up when you're doing your mugshot?
Graham Cluley
I would never be able to grow facial hair like he's got in some of those pictures.
Maria Varmazis
That is a very respectable beard he's got, just gotta say.
Graham Cluley
But yeah, but he is not the only person who's been mugshotted because what's happened now is that the cops are very interested in mugshots.com. And in fact, what they've now done is they have charged a bunch of these guys with extortion, of course, and not just with extortion. They've also charged them with money laundering and identity theft. And this means that the mugshots of people connected to mugshots.com are now all over the internet, right? They're everywhere, being published in news articles. Now, they haven't been found guilty yet, these gentlemen, but I think there is a sense of some justice here, isn't there? I think, you know, some karma coming back to them that this is now happening to them. Now, mugshots.com has a disclaimer on it which says that just because a person is featured on the site, it's not an indication of their guilt or their innocence. But clearly the use of these mugshots can do serious damage to people's reputation, and there are people who think they have lost out on their jobs. I read about one student who was arrested at a bar when there was a fracas, and they were just, you know, the police were just photographing everybody who they'd picked up. And later on surveillance footage, it turned out this guy had done nothing at all. He had lost out on a number of job interviews with financial institutions because they'd searched for his name and there it was. It was a very high ranking for his name in the search results.
Carole Theriault
Now I have another few suggestions on this front. People could change their names. That would help to obfuscate this kind of drama if you were caught up in this. I know it's not an ideal solution.
Maria Varmazis
It's a pain in the ass. I've done it.
Graham Cluley
And you've got to be so careful when you change your name as well, because you may change your name to some other hoodlum, wouldn't you?
Carole Theriault
Graham Cluley, for instance.
Graham Cluley
Carole Theriault.
Maria Varmazis
Yes.
Graham Cluley
That would involve a sex change as well, I suppose.
Carole Theriault
Not necessarily.
Graham Cluley
You became a Terry.
Carole Theriault
Get with the times.
Maria Varmazis
There are female Terrys.
Graham Cluley
Well, there are male Terrys.
Carole Theriault
Terry Gross, for example, who runs Fresh Air.
Graham Cluley
Terry Gross?
Carole Theriault
Yes.
Maria Varmazis
Our beloved institution.
Carole Theriault
You'd have no— I cannot believe you've never even heard of her. She runs NPR.
Graham Cluley
And what is Fresh Air?
Maria Varmazis
Ah!
Carole Theriault
I know. God. It's embarrassing. Let's just leave it on that. Everyone in America right now is groaning in embarrassment for you.
Maria Varmazis
The NPR listening community.
Graham Cluley
I'm sure lots of Americans don't know who Dickie Davies is.
Carole Theriault
Nor do I.
Maria Varmazis
That just sounds like a sex maneuver. I'm sorry.
Carole Theriault
That really does not sound like a real person.
Graham Cluley
Maria, what's your topic for us this week?
Maria Varmazis
Sorry, that segues way—
Carole Theriault
Wow.
Maria Varmazis
No, actually, speaking of Terry Gross, I was driving along the other day listening to NPR in my car. Because that's what one does when you're sitting in traffic. And they often will play the BBC. And I was listening to a BBC radio story that made me a little bit twitchy. And I thought we could discuss the story a little bit and maybe if the angle's a little off.
Carole Theriault
Okay.
Maria Varmazis
Part of the reason the story made me a little twitchy is they kept using a word that frankly sounds a little gross and it's sharenting.
Carole Theriault
Sharenting.
Maria Varmazis
Yeah.
Graham Cluley
Not to be mixed up with 'shartening' or anything like that.
Maria Varmazis
Is that supposed to be shortening or shartening?
Graham Cluley
Okay, so 'sharenting'. What is 'sharenting'?
Maria Varmazis
Any guesses?
Carole Theriault
Is it a friend of
Graham Cluley
Is it when you share the rent for a property?
Maria Varmazis
Oh, good one, Brad. Share renting.
Carole Theriault
Is it co-parenting?
Graham Cluley
Is it co-parenting with Cher? Or something in Cher fame?
Carole Theriault
Sharon's? Is it doing something
Maria Varmazis
Cherenting. Not Sharenting. Cherenting.
Carole Theriault
Is it parenting that Sharons do?
Maria Varmazis
I can't do a Cher impression, so I'm not gonna try. I all these guesses, and I really Cherenting. That one I'm filing away and saving it for later.
Carole Theriault
with lots of people?
Maria Varmazis
But sharenting— sharenting? Is, I guess, putting photos and moments of your kid online for the world to enjoy, I suppose.
Carole Theriault
Ah, so parents putting pictures of their kids on social media, right?
Maria Varmazis
They're sharing, they're parenting with sharing, sharing. It just sounds gross. Anyway, so just to put a little perspective onto what this whole sharenting thing means in terms of the volume of stuff going online, there's this company called Nominet and said in 2016 that UK parents on average post nearly 1,500 photos of their child by the child's 5th birthday.
Carole Theriault
Gee.
Graham Cluley
The interesting thing is that roundabout by their 7th birthday, you post none at all because you basically lost interest in your child by then. Are you speaking from experience? I know.
Carole Theriault
Can I take your kid out for some ice cream or something?
Maria Varmazis
I feel bad.
Graham Cluley
Or if you've had a second child, what you find is that you take lots of photographs of your first child.
Maria Varmazis
Second child, it's, speaking as a second child, I can verify that that's true. 100% true.
Graham Cluley
We're barely existing here. We're not going to bother taking any photographs. Yep.
Maria Varmazis
My older brother, a million photos. None of me. And this is before the internet, so that's so true.
Graham Cluley
That's so true.
Maria Varmazis
I'm not bitter about that at all.
Carole Theriault
I'm a firstborn, so don't know what you're talking about.
Maria Varmazis
And it's all great, isn't it?
Carole Theriault
Yeah, it's super.
Maria Varmazis
It's super. So this whole sharenting thing, story, ugh, I hate that word, comes up with some frequency. It's a great topic 'cause it riles people up. I mean, people get really passionate about whether or not they should be sharing photos of their kids online and people telling them not to.
Carole Theriault
Mm-hmm.
Maria Varmazis
And you know, it also hits the whole parenting guilt thing. You know, some folks feel guilty about it and other folks go, you know what? Fuck you, I'm gonna share as many photos of my little baby.
Carole Theriault
Look how happy we are.
Maria Varmazis
Yeah.
Carole Theriault
We're amazing.
Maria Varmazis
I'm super not angry about this. No. Some people are really, I'm just gonna do whatever I want and don't tell me what to do. So the little factoid in that story I was listening to on the radio that made me stop in my tracks metaphorically and not mid-drive, I promise, was this. And I quote, "sharenting is the weakest link in risking online fraud and identity theft," warns Barclays, as in Barclays Bank in the UK. The bank says parents are compromising their children's future financial security with so much online sharing. Barclays forecasts by 2030 it could cost almost £670 million in online fraud.
Graham Cluley
So what is the actual information that Barclays feel that parents are exposing by putting up pictures of their kids?
Maria Varmazis
So the classic one is you put a photo of your kid blowing out their candles on their birthday cake and saying, you know, my little John is turning 6 years old today on this exact date. And then you've just given someone on a silver platter your kid's name, birthday, age, all that kind of stuff.
Graham Cluley
I thought you were going to say something your favorite PIN number on it or something like that.
Maria Varmazis
Little Johnny drop tables or something.
Carole Theriault
Or maybe there's a picture with the entire family and the family pets and everyone's tagged, including the pets.
Maria Varmazis
But that, yes, actually that's another one. I mean, oh really? Well, I mean, think of it a lot of people, they do their kid's birthday as a password. They do their pet's name as a password. I mean, all these classic things that people use as passwords, the address, the school the kid goes to, all the stuff that people often use as that barely there security from their accounts. So that alone can cause problems for the parents, but for the kids, in theory, if somebody says, well, your kid's 6 years old and you've given me all the info I need to, I don't know, steal their identity. I've got 12 years until, at least in the States, 12 years until that kid's identity is legally theirs for credit reasons. So I can now, I have 12 years of time in which I can do whatever I want with that kid's Social Security number and rack up all sorts of charges and that kind of thing.
Carole Theriault
Yeah, I remember there was something in this, I think in France, maybe 2 or 3 years ago, there was a big stink about this, the fact that potentially it was breaking French law for when parents put pictures of kids online without their explicit consent, because of course kids couldn't give consent. They weren't considered.
Graham Cluley
But what kind of consent could you ask for from some newborn child anyway? You know, if they dab at a touchscreen or something, they may hit the OK button or they may tick it.
Carole Theriault
Maybe we should just obscure parts of the children's faces. So every time you have a picture of your child, the eyes are exchanged with fish eyes or something.
Maria Varmazis
Oh, that's a weird dystopian future I don't want to live in.
Graham Cluley
Admiral Ackbar. It's a trap.
Carole Theriault
Or maybe you have lots of emoji. You've got an emoji type thing which allows you to use any type of animated something to kind of obfuscate their true features.
Graham Cluley
But it's not just—
Maria Varmazis
It's not just their faces. Their photograph.
Graham Cluley
In some cases, the photograph is kind of irrelevant. It's what the information you're sharing, in the example Maria just gave of on the birthday, oh, look, little Teddy is now 7 years old.
Carole Theriault
And look at Joni at her first day at school at St. Gregory's.
Graham Cluley
Right.
Maria Varmazis
So I don't think it's of any dispute that there is certainly a potential problem here. And certainly £670 million by 2030 is potentially an entire generation of children just coming into adulthood that will have a whole load of problems in front of them, basically due to a completely preventable behavior by their parents. So that alone is a shame. Again, I'm not disputing any of that. What I wonder when I heard this story was how much we can actually trust the statistic of £670 million. It sounds a little bit like, what is this based on? What does that actually mean?
Carole Theriault
Yeah, show me the algorithm. Show me how you work on this.
Maria Varmazis
Back to the algorithm thing.
Graham Cluley
I mean, but in the words of Jennifer Aniston, here comes the science. That's what we want, isn't it? What? I don't want the Excel spreadsheet because I won't understand it. Well, yeah, I want to hear the science of it. These numbers are always like, oh, you know, well, you know what?
Carole Theriault
I think you guys— I think that's not the thing to focus on, really. I think we could all agree that it is maybe a problem that parents try to share too much information online and they're doing it with the best intentions of showing faraway family members, look at how little Frankie's grown up and look at this and he's gone to school and he has a pet. And I think the intentions are all good. How do you educate them to see that those things can be taken, that they actually can contribute to a serious problem that their child may face when they're older?
Maria Varmazis
I agree with you. My only concern is if this kind of statistic is hyperbole, kind of like the whole cost per breach record that we often hear about, that sort of makes people shut down and go, well, this is a huge problem. There's not much I can do about it. And then people kind of give up.
Carole Theriault
Yeah. I'm not sure if that this actually helps that because, and to be fair, you know
Maria Varmazis
Yeah.
Carole Theriault
what, your wording that in the quote that you provided, Barclays forecast by 2030, it could cost almost £670 million. There's a lot of weasel words there. So basically it's faux math. A lot of weasel words in there.
Graham Cluley
Okay, but maybe we can give some very simple advice to parents though, which is that if there are legitimate, I think, reasons for sharing photographs, particularly if you have family far away who may not be able to be at a birthday or something, so just tighten down on your privacy controls on those posts, because ultimately it's not your information you're giving away, is it? It's the information of the child instead. So be a little bit considerate for them, otherwise they may by the time 2030 comes around and they've grown up a bit, they may be a bit fed up with you.
Carole Theriault
Yeah.
Maria Varmazis
Amen to that. Yep.
Carole Theriault
Yep. And consider my trick of using overlay cartoon eyes.
Graham Cluley
Fish eyes.
Carole Theriault
Cartoon eyes. Snouts. Snouts, right, Graham? We put some snouts on the face.
Graham Cluley
Why? It's always pigs with you, isn't it? I like pigs. Or rather with me.
Carole Theriault
I like pigs. Obviously.
Maria Varmazis
Turn photos of your child into a terrible collage of animal parts. That sounds great and not scary at all. Grandma's going to love that.
Carole Theriault
What have you done to little Billy?
Maria Varmazis
No, no, it's Photoshop. It's all good.
Graham Cluley
Crow, what have you got for us this week?
Carole Theriault
Well, on Tuesday this week, the Washington Post issued what I would call a rather disturbing article about the FBI. Of course, this comes at a time where controversial POTUS has been particularly vociferous about his own national agencies, including the FBI, for their Crossfire Hurricane investigation. Now, do you guys know where that term comes from? Hurricane Crossfire?
Graham Cluley
Crossfire Hurricane. Yeah, I do.
Carole Theriault
Do you?
Graham Cluley
It's a Jumpin' Jack Flash. It's a Rolling Stones song, isn't it? It's a lyric from the song.
Carole Theriault
Exactly. I was born in a crossfire hurricane and I howled at the morning driving rain. Exactly. Now, to vent his anger, numpty trumpy—
Graham Cluley
Oh, because that looks so good, doesn't it? Calling him names. It's good that we've risen above his tactics.
Carole Theriault
Well, yes. Now, to vent his anger, numpty trumpy took once again to Twitter on May 17th with this colorful tweet. Despite the disgusting, illegal, and unwarranted witch hunt, we have had the most successful first 17 months of administration in U.S. history by far. Sorry to the fake news media and haters, but that's the way it is. This is despite— I don't know if you read, but recently there's been stories about the White House security officials pleading with Trumpy that he hand over his phone that he tweets from to do a security check. And as of last reading, he is still refusing. So that's great for national security.
Maria Varmazis
How has his phone not been hacked?
Carole Theriault
Good point. Maybe it has, and that's why he's not handing it over. Ooh. So what is all this hoo-ha about? Turns out that the FBI may have just misled both Congress and the American public. And they've done this— remember this whole story about device encryption, that the FBI was prevented from legally searching the contents of approximately 7,800 phones connected to criminal investigations last year in 2017? But the number is more like 1,000 to 2,000 phones. A lot of people are quoting about 1,200. So that's a percentage increase of— Graham, quick, quick, can you do it?
Graham Cluley
Sorry, from what to what?
Carole Theriault
From 2,000 to 7,800.
Graham Cluley
That's like—
Carole Theriault
You're looking it up?
Graham Cluley
No, I'm not looking it up. It's like 300%.
Carole Theriault
Yeah, almost 250%. Very well done.
Graham Cluley
Very much.
Carole Theriault
This bogus, grossly inflated number of 7,800 phones that supposedly had sufficient encryption capabilities to block the FBI from accessing the content was used by the FBI to underline the seriousness and importance of addressing the going dark problem. So in other words, they used that huge big number to say, this is a big problem, guys, we really need to figure out a way to get into these phones. Let me quote the Washington Post here. Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls going dark, the spread of encryption software that can block investigators' access to digital data, even with a court order. Now, the question I have reading the story was, did the FBI inflate this number knowingly? So did they mislead the public with intent? And the FBI are saying, no, no, no, no, no, no, this was just the result of a programming error.
Graham Cluley
What?
Carole Theriault
So I decided to go looking into the programming error. Right now, currently, the FBI maintain that they became aware of this miscount about one month ago from today, and they still don't have an accurate number. And the bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. A test of the methodology conducted in April 2016 failed to detect the flaw, according to the people familiar with the work. I happen to have a database architect and backend guru— not that kind of backend, Graham. Jesus, see, as soon as I said, I was worried you're gonna say something rude, and I'm you can't because it's my brother.
Maria Varmazis
I was thinking it, but I just wasn't going to say it. I wasn't going to say it.
Carole Theriault
Yeah, well, you see, I trust you, Maria. I trust you. Okay, so I called up my brother Mark. I wanted to see what he thought of this FBI answer and see if he would confirm my gut feelings, because I understand spreadsheets a bit, but I'm no expert in all this stuff. Why are you guys giggling?
Maria Varmazis
He's thinking it now. He's trying not to laugh.
Carole Theriault
Is this because of the term backend guru? I'll wait you out. You guys go ahead. I'm sorry, brother, if you're listening. I'm sorry. I just do a podcast with children.
Graham Cluley
A baby can be delighted to be referred to in that fashion.
Maria Varmazis
Anyway, yeah, okay.
Graham Cluley
Right. Okay. Carry on, Carole Theriault.
Carole Theriault
So I wanted to know what he thought of this FBI answer of, oh, bit of a fluke with the databases stuff. And I want to know if he confirmed my gut feelings. So let me paraphrase our chat. So sure, every entry in a spreadsheet can be counted uniquely. So for example, this database has 200 entries, therefore 200 rows. Another database has 300 entries, therefore 300 rows, ipso facto 500 entries.
Graham Cluley
Yep.
Carole Theriault
But obviously every phone has unique identifiers such as the phone number, right? And also the International Mobile Equipment Identity known as IMEI. And these uniquely identify every single device. So in other words, even the most basic user of a spreadsheet or database would know to filter on unique identifiers to isolate each device, not do a total of column count, effectively a row count. Am I making sense? Are you guys following this?
Graham Cluley
No, I understand. Yes. So you've got a database and you're saying this is the number of phones which they believe to be encrypted, and are these phones in the database? Have they got assigned to them a unique identifier as well so that you don't count them more than once?
Carole Theriault
Exactly. So my question here is, if the— is the FBI actually using as its excuse that the person who managed the data, the person they've hired to manage these databases, does not understand the basic functionality of how databases work? Did no senior official check the data over before they went public announcing 7,800 phones having gone dark?
Graham Cluley
So I think these are totally valid questions to ask. Let me put forward a different theory though, just to be devil's advocate for a second.
Carole Theriault
Shoot.
Graham Cluley
Which is maybe the reason why this database of phones which were encrypted does not have that unique identifier may actually be for privacy reasons. It may be that they thought, crikey, we shouldn't store this information. This is purely that we're trying to collect statistics of how many encrypted phones we see. We shouldn't also contain the information as to which phones they are, because potentially if that ever leaked out or if that was ever given to the wrong agency, that could be a privacy issue in itself.
Maria Varmazis
I cannot imagine the FBI gives a fig about anybody's privacy. That doesn't read. I mean, well, if we're saying the unique identifier is the phone number, but that's not unique. You can swap a phone with it, keep the phone number to different phones.
Carole Theriault
Oh, granted, but the IMEI number you cannot.
Graham Cluley
Yeah.
Carole Theriault
No, but I'm just thinking anyone who counts, I mean, I have worked with databases very rarely, but you know, if you've got 10,000 entries in something, surely you do a filter on the main kind of identifier and say, is there more than one here?
Graham Cluley
You are a bit of an Excel guru, aren't you, Carole? You are pretty tasty with your pivot tables.
Maria Varmazis
I also say you and pivot tables.
Carole Theriault
I know the term pivot tables. I've been shown. There's no way in hell I can do them.
Maria Varmazis
It's all backend stuff. You know, it's hard to understand.
Carole Theriault
I don't know anything about backend stuff. So basically, we need to wait for this story to unfold. And I hope that investigative journalists, as well as the EFF, get to the bottom of the snafu because I'm finding it a little bit tenuous what I'm hearing at the moment. And the sad thing in all this is I can just see, you know, Team Trumpalot doing a collective fist pump as the FBI suffers another chink in its armor, right? It's a real war between them.
Graham Cluley
Sorry, I'm just getting all those images. We've got Trumpalot, we've got a collective fist pump, and we've got a chink in armor.
Carole Theriault
Yeah.
Graham Cluley
Thumbs up. Yes.
Maria Varmazis
And then the backend stuff.
Carole Theriault
Meanwhile, Time Magazine is out there saying Apple wants to make a totally unhackable phone. That even Apple or the authorities cannot break into. So all I can say is watch the space, lovely listeners. Forget my co-hosts who are insane.
Graham Cluley
To summarize, the FBI said there's 7,800 phones within this time period which we couldn't look at because they were encrypted. Something needs to be done about encryption and all these things. Turns out it was in reality maybe a third of that or so.
Maria Varmazis
Overstating the problem dramatically. Yes.
Graham Cluley
It's no wonder that those gray-haired senators and all the rest of it think that maybe there's a much bigger problem than there really is.
Maria Varmazis
Is it worth sacrificing all of our privacy for the sake of 1,000 phones? That seems to be—
Carole Theriault
Exactly, exactly. And I like that Apple is trying to address this. I mean, the argument that the FBI and all authorities will make was, we need to know all this information to keep you safe. But I find this whole argument of safety wearing very thin.
Maria Varmazis
I just don't 100% trust that Apple would make a phone actually completely unhackable. I think there still might be some stuff going on that we might not—
Graham Cluley
There's no such thing as 100% security, is there?
Carole Theriault
Can I ask you a question, Maria? Do you think that Apple or Android phones are safer?
Maria Varmazis
Well, that depends, but I would go with Apple. Mainly because most Android phones are never updated. And I know that if I had an Android phone on the carriers that I have here, they're so many versions behind, they're completely vulnerable to all sorts of things.
Carole Theriault
Exactly.
Maria Varmazis
Yeah.
Carole Theriault
So at the moment, I feel that Apple is a better choice of handset if you're up for privacy. Yes, it costs the price of a firstborn these days, but you know, if your privacy is very important to you, I think that's probably the way to go.
Maria Varmazis
Yeah, I just— it's saying an unhackable phone. That's quite a lofty promise.
Carole Theriault
I mean, I don't have any illusions of that right now, but to be fair, that's why I said Time magazine says, but Apple may have come out saying we want a phone to be less easily hacked. And that has been contorted into a clickjacky title.
Maria Varmazis
Fair enough. Fair enough. Yep.
Carole Theriault
That's a pretty flat end. We need a better end here.
Maria Varmazis
Okay.
Carole Theriault
Flat end. Do you want me to go back to the back end stuff? There you go.
Maria Varmazis
Listen, that was hard. That was very difficult for me.
Graham Cluley
Very— but can I say, very professionally done, Carole.
Carole Theriault
I try. This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size, but LastPass isn't just for enterprises. It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass.
Graham Cluley
And welcome back. Can you join us at our favorite time of the show, the part of the show which we like to call Pick of the Week?
Maria Varmazis
Pick of the—
Carole Theriault
Pick of the Week!
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like. Doesn't have to be security related necessarily.
Carole Theriault
Definitely not this week.
Graham Cluley
And my Pick of the Week, well, I'm going to do something a little bit bold. I'm going to recommend a TV show that I've not completely watched yet. In fact, I've only—
Carole Theriault
When you say bold, you mean stupid.
Graham Cluley
Yes. Okay. Because they've only broadcast one episode so far, but I did enjoy it and I think the rest of it will probably be quite good. They are showing on BBC One right now. So if you're able to access BBC iPlayer, I won't ask questions as to how you're able to access BBC iPlayer, but if you are able to—
Carole Theriault
Because you're in the UK only, that's why. Or maybe it's been shown on BBC America, perhaps. Who knows? Maybe as well. I don't know, but there is a TV show called A Very English Scandal. I don't know this story.
Maria Varmazis
That is a very English scandal.
Graham Cluley
It is "A Very English Scandal." Well, it gets a little bit more confusing than that because Jeremy Thorpe was having a homosexual affair in the 1960s with a young man called Norman Scott. And at the time homosexuality was banned. You could get in all sorts of trouble if you were engaged in it. And obviously it was not the kind of thing which was seen to be very good for public figures and the popularity of the party. So it's quite interesting, and the story of what happens next— I remember being 10 or 11, I remember this being in the news about the court case against Jeremy Thorpe and some of the other fellows who were involved in this particular case. So it was very interesting to me, but I never really knew the whole story because I was too young, and obviously there were elements of it which were sort of not suitable for my ears perhaps. But now you can see it dramatized. Jeremy Thorpe is played by none other than the national treasure, Hugh Grant.
Carole Theriault
That's very apt, isn't it?
Graham Cluley
Well, Hugh Grant, of course, is a— well, no, he's a— I think he's a great actor, actually, although he's always doing this sort of foppish, "Oh God, oh bloody hell," you know.
Carole Theriault
Do you identify with him?
Graham Cluley
Do you feel connected to him? If only, if only.
Maria Varmazis
When your biography comes out, he's playing you, is what I'm saying. I'm hearing.
Graham Cluley
So he's playing Jeremy Thorpe.
Carole Theriault
He knows about scandals as well, so he could really method act on this one, couldn't he?
Graham Cluley
So Ben Whishaw, who I think plays Q in the most recent James Bond movies, he is playing Thorpe's lover, Norman Scott, who's a rather disturbed figure as well. Now, the fun bit of this is that you may have seen previous Pick of the Week, Paddington 2, at the cinema recently. And where that links in with this is Hugh Grant plays the villain in Paddington 2, whose name is Phoenix Buchanan, and Ben Whishaw plays the voice of Paddington. So when you're watching "A Very English Scandal" where they're getting up to all their rumpy pumpy together, you can actually imagine that this is Paddington 3 and that Hugh is something of a pervert.
Carole Theriault
I was just going to call you a pervert. I decided you definitely must be a pervert because who would come up with this crazy connection.
Graham Cluley
Everyone is. Everyone's thinking of it. If you've seen—
Carole Theriault
Really? Everyone? The whole world?
Graham Cluley
Just a couple of months ago, it was a huge movie here in the UK, Paddington 2. It's very good, by the way.
Carole Theriault
Fo shizzle my nizzle. No, no, it's not about the movie. It's about the fact that you've tied the actors of Paddington 2 into—
Graham Cluley
It's the same people starring in it.
Maria Varmazis
Yes, yeah, but you're saying when you're watching this children's movie, think of the villain and the hero having sex because that's what you're saying. And that's not weird at all.
Carole Theriault
Is that one?
Graham Cluley
Anyway, the drama "A Very English Scandal" has been very entertaining so far.
Carole Theriault
How many episodes are there?
Graham Cluley
I believe there's three episodes. It's been directed by Stephen Frears, who did "Dangerous Liaisons," you may remember, and some other super things as well. And so that is why "A Very English Scandal" is my pick of the week. Okay, wow.
Carole Theriault
Thank you very much. It's very raunchy.
Maria Varmazis
I have to say, rumpy pumpy is one of my favorite English phrases. That's definitely a great one.
Graham Cluley
Hanky panky.
Carole Theriault
That's another good one.
Graham Cluley
Wishy-washy. I'm not sure that's English, Carole. Fo shizzle my nizzle. It sounds a little bit— yes, a bit Snoop.
Carole Theriault
It's still English language.
Maria Varmazis
Sure.
Graham Cluley
I don't think it is. Anyway, okay, so let's move on to Maria's pick of the week.
Maria Varmazis
So my pick of the week is an app. And I don't know if either of you have heard of this app. It's called Moment. And basically it's an app to try and help you use your phone less. So it kind of seems a little counterproductive, but okay. I think I've mentioned before on other, maybe on the last Splinter episode we did that I've been trying to wean myself off of my smartphone and off of social apps in general. Just, yay. Yeah. Because I use my phone a lot. I've been pretty much addicted to it.
Carole Theriault
Yeah. We talked
Maria Varmazis
Yeah, we did. Yeah, we did.
Carole Theriault
about that in
Maria Varmazis
So this app Moment, it basically keeps track of how often I'm using my app, what apps I'm using, how often I pick up my phone during the day, and which ends up being a lot, and how many minutes, if not hours, I tend to log daily on my phone. And I'm curious if either of you have any guesses on what my average daily use is on my phone.
Carole Theriault
the Facebook Splinter, didn't we? Okay. Okay.
Graham Cluley
So time, you mean?
Maria Varmazis
How many minutes plus do I use my phone per day on average?
Carole Theriault
I would say around 400 minutes.
Graham Cluley
I was gonna say 4 hours. Oh wow, I'm not that bad. Oh, that's good.
Carole Theriault
In a 24-hour period, you wouldn't use it 4 hours?
Maria Varmazis
4 hours, no, no, not at all. I'm down to about 2 hours and 45 minutes on average.
Carole Theriault
Oh, well, we weren't that far off.
Maria Varmazis
Well, 4 hours to me is, I don't know, but I think that the app has reported that people on average are a little over 3 hours, at least for people who use this app. Self-selecting folks who are trying to use their phone less are around 3 hours a day. I mean, that, I mean, to me, even though it's 2 hours and 45 minutes, that still sounds like a ton of time. And I think if you had asked me just a few weeks ago before I started using this app, I would never have guessed that high. I would've said, oh, 20 minutes or something. I don't know. I'm completely off. So let's just work that out. So you're using it 180 minutes, 3 hours a day, or 2.5 hours a day, you said? 2 hours and 45 minutes. Yeah. Okay. Do you wanna guess how many times I pick up my phone per day?
Carole Theriault
Times 7 times 52. So you're averaging 63,700 minutes a year at your current rate. Yeah. Between 7 and 15% of my waking day I'm on my phone is what the percentage is telling me.
Graham Cluley
73 times.
Carole Theriault
So that, and just so you know, that works out about 44 days a year you're on your phone.
Maria Varmazis
My God.
Carole Theriault
If my math is correct, which don't trust because wait to hear my pick of the week.
Maria Varmazis
So it's quite an eye-opener. And again, I know this is something I need to do less of. I would wager a lot of people are using their phone a lot more than they realize because I can hear people tsk-tsking me right now going, man, she's on the phone.
Carole Theriault
No, I'm not.
Maria Varmazis
I bet you anything. I think you'll find out you're on more than you.
Graham Cluley
All right, well, I think it's scary, isn't it? And I think apps like this— I mean, I don't know this particular app, but the idea of this is quite a good one because I think we do all need to become much more aware of how much we are using these devices and how much we're looking at them. So does it actually know how often you pick it up as well? It's not just when you are interacting with it.
Carole Theriault
I wonder if they're selling this information to Google 'cause they'd love that.
Maria Varmazis
So this is the thing I wanted to mention because this is a security podcast. So the app monitors a lot about your phone usage. So not surprisingly, it asks for an absolute ton of permissions. So you do need to be aware of that if that kind of thing makes you feel squirrely, which I would completely understand. To the app's credit, they have a very in-depth explanation for each and every single one of the permissions it asks for and why it asks for those permissions and how it helps the app actually track what it needs to track for the purposes that you're downloading it for. So that is a lot more than most apps ever bother to do. So they're pretty transparent about why they need this stuff. And they even have video explainers about why we need each of these permissions.
Carole Theriault
So it sounds like they're doing GDPR correctly.
Graham Cluley
Wow.
Maria Varmazis
So it's not bad, yeah.
Carole Theriault
Cool.
Graham Cluley
Do you know, Maria, if it takes that information and uploads it into the mythical cloud, or whether it's doing the processing locally on your phone to give you those reports?
Maria Varmazis
So they actually do have a very robust privacy FAQ, and they have that information here. It says, all your location information is stored on your device and only on your device. So that's your location information. Your device and app use information is sent securely to us. Your location and GPS data is never sent anywhere, including Moment servers. And they tell you what they collect and what they don't. And they say that the information is transferred securely and also anonymously. So it's there for you to find whether or not you want to trust that completely.
Carole Theriault
I think that sounds good, Maria. And it's helping you. You feel it's helping you. Have you brought your numbers down, your usage down?
Maria Varmazis
I have. I mean, they actually have coaching, little things within the app that tell you, if your goal is to use your phone less, either in big chunks of time or pick up your phone less, it'll actually notify you throughout the day. So if I'm on my phone continuously for 15 minutes, it'll actually say, hey, you've been using your phone for 15 straight minutes, put the phone down.
Carole Theriault
Maria, Jesus, get off the phone.
Maria Varmazis
Yeah.
Graham Cluley
They don't have the phone permissions to give you a little electric shock, which would be the equivalent to Carole's rubber band. Oh shit, you know, I was holding this thing.
Maria Varmazis
Like licking a battery, right? They haven't done that yet.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
You know what, Graham? You don't get to say that all the time because every time you say pick of the week, the music has to go with your—
Graham Cluley
Doesn't have to.
Carole Theriault
No, I agree.
Graham Cluley
Pick of the week.
Carole Theriault
My pick of the week. Well, first, before I start, I am mildly dyslexic, and especially when it comes to numbers, which is why I was making that comment earlier when I was doing a bit of quick math with your—
Maria Varmazis
It's dyscalculia, right? Isn't that right? Yeah, that's right.
Carole Theriault
And I mix up Ds and Bs, so the worst words are words like bed. I'll often write Deb instead, which—
Graham Cluley
I'm a bit dyslexic, or at least when it comes to spelling your name. I have a real problem with that.
Carole Theriault
That's not dyslexia. Don't make fun of my illness or my condition.
Graham Cluley
So apologies.
Carole Theriault
Now, thing is, I do love math. It's beautiful. Or maths, that's what you guys call it, isn't it?
Graham Cluley
Maths.
Carole Theriault
I hate that. Have you heard that, Maria?
Maria Varmazis
Oh yeah, it's just math.
Carole Theriault
Yeah, yeah. I don't know, I don't say biologies.
Maria Varmazis
Well, it's mathematics, right?
Graham Cluley
So yeah, mathematics. What's your problem?
Maria Varmazis
Seriously, I just told you.
Carole Theriault
Now, unlike the FBI, I always like to double-check even the simple calculations to make sure I get them right. My lovely, or well, used to be lovely co-host Graham introduced me ages ago to percentagecalculator.net. This is a great site if you need to quickly figure out percentage increases or decreases. You just go to the site, plug in your numbers, boom, and you're out and you've got the numbers, which is how I got my 250% increase on the FBI numbers.
Maria Varmazis
You've been using it on the sly during the podcast. I see. Yeah, baby.
Carole Theriault
Now I suggest check it out and bookmark it and feel free once you check it out and realize how great it is by voting for us in the Smashing Security Best Technology Podcast in the EU in our upcoming Blogger Awards. Or you can give us 5 stars in the Apple Podcast reviews. That would work as well. 'Cause it's that good of a pick of the week.
Graham Cluley
Did you slip in a subliminal message telling people to go to smashingsecurity.com/vote in order to vote in the awards?
Carole Theriault
No, that wasn't subliminal at all. It was pretty direct actually.
Maria Varmazis
That was blatant.
Carole Theriault
Maria, actually, good question. Have you voted for us?
Maria Varmazis
I have, early and often.
Carole Theriault
No, but I saw that you said so on Twitter. I'm just double checking.
Maria Varmazis
I have indeed. Yes. And I wrote, hey, they should have that Maria guest on a ton because she's the best part of the show.
Carole Theriault
And look where you are now. You see what can happen?
Graham Cluley
It actually happens.
Maria Varmazis
I put that out into the universe and it came back to me.
Graham Cluley
Oh, I don't think we can promise that for everyone who votes that they'll then come on. Maybe we should.
Maria Varmazis
Maybe everyone who votes gets to be a guest on the show.
Carole Theriault
Yeah. Why don't we tell everyone what we decide to do with that after we win the award?
Maria Varmazis
We'll come to your house and record the podcast in your living room.
Carole Theriault
Yay! Graham's house is the best.
Graham Cluley
I think it's time to wrap this up.
Carole Theriault
On that bombshell.
Graham Cluley
Yes. Thank you, everybody. If you want to follow us online, you can join us on Twitter @SmashingSecurity. There's no G. Twitter wouldn't allow us to have a G. You can download stickers and mugs and t-shirts and cushions and things.
Carole Theriault
All the things you want.
Graham Cluley
Everything you want. You can buy those at smashingsecurity.com/store. And Maria, thank you for joining us. Where should people find you online if they want to find out what you're up to next?
Maria Varmazis
Oh, Twitter's the best place to find me. So it's @mvarmazis, M-V-A-R-M-A-Z-I-S. I'm sorry, my last name's a pain to spell, but mine is too.
Graham Cluley
All of our names are difficult. Don't think you're special with your surname.
Maria Varmazis
With the V and the Z. Oh yeah, I don't know. I've got a lot of consonants.
Graham Cluley
No one can spell Cluley either.
Maria Varmazis
Yeah, they haven't got a clue how to spell it.
Carole Theriault
That's true. I rarely spell your name correctly.
Graham Cluley
No, yours, yeah.
Carole Theriault
Even though I've known you 20 years.
Graham Cluley
Thank you for tuning in. If you like the show, as Carole says, rate us on Apple Podcasts. It really does help new people discover the show. Until next time, cheerio, bye-bye.
Carole Theriault
Bye, see ya. Exhale. What's wrong, Graham?
Graham Cluley
Yes?
Carole Theriault
Are you okay?
Graham Cluley
I'm excited. I— that felt— no, I don't know if I am.
Maria Varmazis
You didn't think that was a good one?
Graham Cluley
I don't. I felt I was all over the place. I don't know why.
Carole Theriault
No, no, no. Hush, hush, hush.
Graham Cluley
But I loved the back end guru stuff. And I loved hearing Maria try and stifle giggles for the next 5 minutes after that section.
Maria Varmazis
Well, because she said he does back end stuff and I'm like, that's not better.
Graham Cluley
That's way worse. It's like, Carole, this is your 4th attempt and you've just made it worse. Super worse.
Carole Theriault
I so did not do that on purpose. Oh my God, it was completely just
EPISODE DESCRIPTION:
A website which demands money if you want your police mugshot removed, could "sharenting" lead to a rise in fraud and identity theft, and how could the FBI have overcounted encrypted phones so badly?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.