
023: Covfefe

May 31, 2017
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

IOvation is a company that creates authentication and fraud prevention solutions. It's letting Smashing Security listeners try out its brand new product LaunchKey for free. LaunchKey is a mobile multifactor solution that can be built into your mobile apps, websites, and online services, providing a simple, streamlined remote login function. Go to demos.launchkey.com and check it out for yourself. And thanks to IOvation for supporting the show.

Graham Cluley

Smashing Security, Episode 23: Covfefe with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 23 of Smashing Security, the 1st of June, 2017. And as always, I'm joined by my co-host and good buddy, Carole Theriault. Hello, Carole. How are you?

Carole Theriault

Covfefe Graham. Covfefe.

Carole Theriault

No, covfefe.

Graham Cluley

Oh, covfefe.

Carole Theriault

C-O-V-F-E-F-E.

Graham Cluley

Must be the Canadian accent. John, you haven't heard of covfefe? Covfefe?

John Hawes

Well, no, I keep seeing it in website sidebars pointing me to exciting stories about it, but I've never actually clicked on any of them because—

Graham Cluley

It's a pretty big deal. Because there's this man who's made a typo.

John Hawes

What is this covfefe?

Graham Cluley

At least we assume it's a typo. And the whole world has gone mad. He made a typo on Twitter. I'll give you— Let's give— Should we give John— We'll let John narrow it down, okay? He's orange.

John Hawes

I keep seeing it today.

Graham Cluley

He's on Twitter.

John Hawes

I think I've guessed already. What does it even mean?

Graham Cluley

Okay.

Carole Theriault

So he tweeted, "Despite the constant negative press, Covfefe." C-O-V-F-E-F-E. That's it. And everyone's been going crazy trying to guess what it is.

Graham Cluley

And then he went to bed. That's the thing. So America was on tenterhooks. What could this mean? What could this mean? So they all went crazy. Then Europe woke up before Donald woke up thinking, what is this? What's he talking about? I think it's And we're making fun and there's been memes.

Carole Theriault

And then it gets removed, John, with no mention.

Graham Cluley

covfefe, not covfefe, isn't it?

John Hawes

He didn't explain it?

Graham Cluley

No. Oh no, he has tweeted something since. Oh, he has? Oh, did he? Yes, he has. He's deleted the tweet, but he said, I'll have to do the voice. Who can figure out? Is that— no, hang on. That sounds like— That's one of Marge Simpson's sisters.

Carole Theriault

That sounds like one of Marge Simpson's sisters.

Graham Cluley

I'm doing— imagine me, I'm doing the hand signals. I'm doing that weird thing with hands.

John Hawes

You've got the hands for it.

Graham Cluley

Cheeky bastard. Bugger. He's saying, "Who can figure out the true meaning of covfefe? Enjoy."

Carole Theriault

Okay, right. So he's now pretending to own it rather than falling down drunk and going to bed.

John Hawes

Yes.

Carole Theriault

Which is a possibility of what may have happened.

Graham Cluley

Yeah. Anyway, so the world has gone crazy about covfefe, hasn't it? And you've adopted the word. What does it mean to you, Carole?

Carole Theriault

Hello, my good man. I think that's how I'm going to use it.

Graham Cluley

All right.

John Hawes

That's certainly different.

Carole Theriault

Yeah.

John Hawes

Yeah. That'll be very useful, won't it?

Carole Theriault

Well, I'll be able to say it a lot.

Graham Cluley

I don't know, what does Donald

John Hawes

Save a lot of time.

Graham Cluley

Trump sound like? It's a bit difficult now, isn't it? Guys, guys, guys, guys. I've just realized we haven't actually introduced our special guest.

Carole Theriault

Oh.

Graham Cluley

Hello. Who's that over there? Who are you?

John Hawes

It's me, John Hawes.

Graham Cluley

Oh, John Hawes from AMTSO, the Anti-Malware Testing Standards Organization.

John Hawes

Indeed. Thank you for dropping by again and being our special guest. We really appreciate it. Thanks for inviting me. You mean jelly?

Carole Theriault

Yeah, okay, okay, good point. Okay. I think we can all decide for ourselves. Yeah. I actually think I'm pretty perfect. Is your hoo-ha a bit flappy? Are your norks going in the wrong direction?

John Hawes

My beard needs a bit of a trim.

Graham Cluley

Does that count? Well, not really, John, because what I'm talking about is cosmetic surgery. And you're not going to fly to Lithuania just to have yourself trimmed in that fashion, are you? Have you got something that maybe you want enlarged or

John Hawes

Oh.

Graham Cluley

maybe smallened? Something tightened? Before and after pictures. Private photos. Yes. And bad guys have taken not only data about the clientele: 25,000 private photos of clients alongside their details, alongside their bits, which they've flown to Lithuania to get fixed on the cheap. And the hacking group is called the Tsar Team.

Carole Theriault

It's ransomware? It's ransomware now?

Graham Cluley

Well, it's not ransomware, but they are holding people to ransom, because what they've done is they've taken personal data. They've taken scans of passports and addresses and national insurance numbers. And at first they tried to blackmail the actual cosmetic surgery, whose name is, now you have to excuse my accent here because I'm, Grotio Chirurgiu. And?

Carole Theriault

And before pictures?

John Hawes

That's very useful. We'll all be Googling that right now.

Graham Cluley

So yeah, basically take a whole pile of letters from Scrabble, remove most of the vowels, throw them in the air. You've got the name of a Lithuanian cosmetic surgery clinic. Exactly. Well, they originally were approached by the hackers who said, "Look, we'd like 300 bitcoins, please."

Carole Theriault

Holy moly. Go to the show notes,

Graham Cluley

And they say, "Look, you can have your data back for half a million dollars." Well, surprise, surprise, this Lithuanian cosmetic surgery, which I won't try and pronounce again, refused to play ball.

Carole Theriault

people, if you want to read about it. That's quite expensive. It's a bit, you know, they might have gotten away with it if they had just, you know, said, yeah.

Graham Cluley

Fifty quid or something.

Carole Theriault

Or fifty thousand, I was thinking.

Graham Cluley

Right. Now the hackers have targeted the patients. Plan B. Yeah, demanding up to €2,000 for the return of the photos and all the other information.

Carole Theriault

How many people do you think get plastic surgery but don't tell other people? Do you think most or?

Graham Cluley

Well, I went to Gracijos Facebook page, and there are a fair number of people who are leaving reviews of how happy they are, including people from the UK and elsewhere, all across Europe, and maybe the world, who are traveling to Lithuania to get themselves nipped and tucked. And the clients are thought to include some celebrities. So you remember Peter Andre potentially

Carole Theriault

From the UK or the US?

Graham Cluley

had fake abs. I can't remember. Yeah, no, he's UK. And I think he was a bit like Peter Andre. I think maybe either—

Carole Theriault

Not really, okay. I'm not, yeah, okay. Okay, I know who he is. Yeah, no, he, yes. Yes.

John Hawes

Was it just one of those t-shirts?

Carole Theriault

No, I think— I think I— okay, I'm not swearing to this, but I think he did get an operation on his abs, or there were certainly reports that he had done that to get kind of a washboard stomach. Some people do that, don't they? And I'm completely natural, can I say. I've had spinal surgery.

John Hawes

I've had my wisdom teeth out.

Graham Cluley

Okay, so we're just natural beauties, right? This isn't something we've required. But some people obviously do get these sort of things done. But you don't necessarily, even if you're completely selfie-obsessed, you don't necessarily want private photographs of your wobbly bits, you know, taken before and after the surgery, falling into the hands of the public or the media. Yeah. I don't think they're that choosy,

Carole Theriault

Yeah.

John Hawes

Yeah, well, certainly you'd think someone as big as BA.

Graham Cluley

to be honest, John.

Carole Theriault

No, you definitely don't. Right.

John Hawes

Yeah. So apparently they have over 500 data cabinets spread across 6 halls in 2 different sites, according to the Register.

Graham Cluley

I think they'll sell it to

Carole Theriault

And I guess if they did, you could sue the clinic.

John Hawes

Grocio chirurgia. Yes, you could. And you think at that kind of scale of operation, you'd be very careful about your power.

Graham Cluley

anyone they can.

Carole Theriault

Yeah. And you'd have a lot of redundancy and everything. Okay, so maybe they don't know yet.

John Hawes

Full what? Databerse. Yes. Nobody seems to actually know exactly what's caused it. I mean, a lot of people— so about a year or so ago, BA outsourced a lot of their IT work to India, which caused a big stink at the time.

Graham Cluley

Databerse is the Lithuanian pronunciation of database. Is now being offered for 50 bitcoin, which is just a measly $112,000 on the darkweb.

John Hawes

And the union has been saying, oh, it's because of this outsourcing where they don't have the experienced people on site anymore. And that's why.

Carole Theriault

They are greedy, greedy, greedy, aren't they? So the unions are politicising it.

Graham Cluley

Yeah, but they've reduced their price a lot. Come on.

John Hawes

But it's not just the fact that it went down. It took quite a long time to come back up. So there was still, through most of Sunday, there were still lots of flights cancelled and lots of issues. Are they trying to sell

Graham Cluley

There were horrendous scenes, weren't there? I mean, there were literally thousands and thousands of people. I heard people reporting that it was taking them hours simply to leave the terminal.

John Hawes

that to customers or to

Carole Theriault

Yeah.

Graham Cluley

Because there was such a long queue of people getting out. People couldn't get hold of their luggage.

John Hawes

a potential other blackmailer? 'Cause that sounds like a lot of money for one person to hide the picture of their ugly armpits or whatever.

Graham Cluley

British Airways obviously was trying to handle the situation, and the CEO was making these videos. I saw one where he was wearing a high-visibility jacket. Although the photograph is obviously what's gonna get most people's attention, it's also social security numbers, addresses. And the clinic, who I'm not going to attempt to name again, they've been warning their customers, at least on the Russian-language version of their website, saying watch out for dodgy text messages.

John Hawes

Wow.

Graham Cluley

He was like, oh, I can reassure you, I know what to do.

John Hawes

I think any, most healthcare people do tend to have to store huge amounts of information.

Carole Theriault

Sleeves rolled up, sleeves rolled up. Yeah.

John Hawes

Yeah.

Graham Cluley

Here I am in the IT control centre. No one else is wearing a high-visibility jacket, but I am, so you can tell I know what I'm doing.

Carole Theriault

My dad was a doctor and we had files on all patients locked in our basement. Oh, but come on, what are you going to do? It's a nightmare situation.

Graham Cluley

Did he? Did he have photo albums and things? No, no, no, no. Well, it is a horrendous situation, but it's the kind of situation which you plan for in advance, right? So I'm speaking to you right now, and under my desk, I've got a UPS. So if the power cuts out, my computer won't turn off, right? So it keeps on running.

Carole Theriault

But you have to keep the files for a certain amount of time. And at the time, obviously, it wasn't on a system, right? So it was a lock and key jobby.

John Hawes

So if something goes wrong with someone's plastic surgery, you need to be able to look back and see what you did so you can see what might have gone wrong and fix it.

Graham Cluley

And if you're working in a large organization, you have backup power systems, you have data recovery plans, and you test these plans. So if disaster should happen, if systems go down, you can recover. You have systems working in parallel which you can switch over to. And it appears that for some reason or another, they were unable to do this.

Carole Theriault

And it's a set amount of time, and I think it changes based on jurisdictions.

Graham Cluley

Well, you know what? That makes sense, doesn't it? But what doesn't make sense is not properly securing the information. We don't know exactly how the bad guys got in, but was the information properly encrypted, for instance? Clearly not.

Carole Theriault

Exactly.

Graham Cluley

Now, where— And they probably don't know why yet. I mean, it is Saturday this happened, right?

Carole Theriault

And of course, the clinic will

Graham Cluley

I think by now they should know what has happened. They've been blaming this power supply issue or a power surge.

Carole Theriault

only need to meet Lithuanian law

Graham Cluley

Those are the sort of situations which you need to prepare for if you are running the kind of infrastructure and complicated system which British Airways is running. They should have been able to cope with this better, and it appears to have been an enormous cock-up.

Carole Theriault

and EU law as well.

Graham Cluley

So not that good. And frankly, someone's got to take the blame for this. You can't just say, oh, it's an act of God, or there was some really spiky electricity. But I think it's time for me to say, kofivī, which means let's move on.

John Hawes

Hark ye, gentlemen. I don't expect anyone will. I'm not actually sure we'll ever actually find out what happened, really, because there was a similar issue with Delta sometime, I think it was last summer.

Graham Cluley

No, no. My meaning is let's move on for now.

John Hawes

They had 2,000 flights cancelled, I think, and they lost $100 million in revenues. And I was trying to find what the cause for that was. I wanted to talk about this, the BA outage. And I found there's a statement from Delta saying it was a fire taking out both their main and backup systems. Someone else was saying it was a huge power outage that covered a whole area.

Carole Theriault

Oh, yeah.

John Hawes

Someone in the Register said it was a faulty UPS that they tried to fail over to another one and that caused the whole thing to go wrong. So that's 8 months on and we still don't really know what happened. So that's been pretty big news over the weekend. I think it was on Saturday morning. Something went wrong with BA's computer systems and they basically had to ground all their flights pretty much around the world. The whole of Heathrow Airport and Gatwick in London were shut down to BA traffic. There were over 1,000 flights were cancelled.

Graham Cluley

Oh my God. This is why you regularly test your disaster scenarios, right? You play out these sort of things. So if you have key devices, part of your infrastructure, which are located in the same place, you have to imagine, well, what happens if that place blows up?

John Hawes

The share price of the owner company is down $170 million. Compensation is likely to be over £150 million.

Graham Cluley

How are we going to cope? How are we going to switch over? It's okay to be disrupted for a few hours.

Carole Theriault

So a nightmare. Like a complete nightmare.

John Hawes

Pretty crazy.

Graham Cluley

You know, everyone accepts that might happen, but for it to carry on for days and days and for 100,000 people to be inconvenienced. But British Airways hasn't said that it was hacked or suffered any kind of cyber attack.

Carole Theriault

I know, but that's exactly it. It was inconvenienced, right? No one died during this.

John Hawes

Well, no. It's very difficult to find any information on what's actually caused it. And their CEO appeared on a few videos on Twitter coming up saying, oh, sorry about this. Don't worry, people. And he's variously claimed it was a power supply issue and a power surge. I don't know. It doesn't sound very reassuring.

Carole Theriault

And we're talking about planes that fly, you know, 30,000 feet up in the air. So, you know, I think there's, you know, the silver lining here is, isn't it great that no one got hurt throughout this? I'd like to think that

John Hawes

Well, someone didn't make it to the World Table Tennis Championships. Good point. Sorry.

Carole Theriault

they'd have technology in place

Graham Cluley

Yeah. Yeah.

Carole Theriault

Okay.

John Hawes

BA is a very big global firm. They shouldn't just have one shed full of machines. They should have stuff all over the place.

Carole Theriault

I am sure they do not have one shed of machines. I am sure this is not the case. ...to control power surges. I think what's happening is there is a boardroom with a lot of disagreement on what the story should be and how they should present themselves. And I'm sure there's a number of different lines that they could use, and they want to be consistent across the whole board. And that's taking some time. That's my guess here.

John Hawes

Yes.

Graham Cluley

Wow, you're so much nicer than me, Carole. You've got shares in British Airways.

Carole Theriault

Let loose, let loose, Graham.

Graham Cluley

No, I just think it's lousy. And I don't know whether the outsourcing has had anything to do with this and the fact that they didn't have as many IT experts working for British Airways as they did a couple of years ago who might have been able to help in this situation. I have no idea whether that has impacted this situation at all, but it's certainly a question worth asking. And I think the people who made that decision probably need to feel a little bit wary, you know, about what they claim the problem was and whether they were responsible or not. I don't know. It's a terrible situation, but what I want are other companies to learn from this scenario. So play out your disasters, see if you've got a proper recovery plan, and get back up and running as soon as you can, because it's not just about power, it's also about whether you've got backups and whether your data is properly synchronized. And if you can switch over to your secondary system easily should one go kaput.

Carole Theriault

They, of course, do. I... Anyway, I'm not sure. I think we need more information.

Graham Cluley

Anyway.

Carole Theriault

I hope that's released. What was your meaning to that again?

Graham Cluley

Let's move on. Onwards, onwards, onwards, onwards, fellows.

Carole Theriault

Okay, so I want to take us back to 2015. Now, back then, there was a deal between Facebook, Twitter and Google. These guys all pledged to Germany that they would remove criminal forms of hate speech within 24 hours on their social services. However, it seems that these efforts to meet this pledge hasn't really impressed Germany. And in March earlier this year, Germany said that Facebook and Twitter were still failing to remove content in this timely fashion. So what's the government to do, right?

Graham Cluley

Are the Germans going to just block Facebook and Twitter?

Carole Theriault

I think that would make— yeah, that would get their attention. So what they're proposing actually is a fine, right? They're basically saying, if you fail to do this, we are going to fine you. And there's new legislation known as the Network Enforcement Act, which is in its planning stages and now already has planning cabinet consent. So this is kind of rolling along, right? So this was proposed and moving forward. Now, these fines are not chump change, okay? We're talking €50 million. So that's like $56 million US dollars. If content with obvious criminal intent is not removed or blocked within 24 hours. So it's a lot of money, eh? 50 million.

Graham Cluley

Is this per incident? Do you know?

Carole Theriault

They don't say, no.

John Hawes

And is this— this is Germany?

Carole Theriault

This is Germany.

John Hawes

So does it have to be something about German people or by German people or just that German people are reading? So there's a lot of complexity here. I can, you know, these are all the questions I was asking as well. Yeah.

Carole Theriault

Now, so you can imagine Facebook are not happy about this, and they last weekend, they've issued a statement explaining why this draft law is not suitable. Now, one of the things that they're arguing is saying that this law will only serve to force social sites to remove legal and legitimate content in order to avoid the heavy fine risk, avoid the consequence of a heavy fine if they miss something. And they're also questioning whether it's actually compliant with German and EU law. But I think the question really that interested me is, should Facebook and Twitter be held accountable for the content that they profit from effectively, you know, they're presenting this information and they're making money from it. And people say no, lots of people say no, they're not the ones who are creating the content, so why should they be held accountable for it? But I mean, I'd argue that they're curating the information, right? They use complex algorithms to— and ad revenue to decide what you see and what you don't see. So I think they're kind of—

John Hawes

Well, they have to be responsible for it because who else is going to be? Yeah, it can't be the users because no one can force them to say particular things. It has to be the platform because they have the control.

Carole Theriault

I mean, I know a lot of people that use it as a news service, right? So should they be accountable as any news should be? Should they meet those same guidelines?

John Hawes

Fake news.

Carole Theriault

Yeah.

Graham Cluley

Oh, let's not start that one again.

Carole Theriault

Well, the whole thing is trying to stop fake news and hate speech, right? That's the big deal. And I think that's a good aim. But is this the right way to go about it?

John Hawes

It sounds like a weird way for just Germany to be doing it, because presumably if it does affect anything that's on Facebook that Germany can then sue Facebook about, then presumably every other country in the world can enact the same law. And Facebook could be sued by every country individually for one post.

Graham Cluley

Hey, so there's some good news at least. You know, I think if Facebook has been told about something which is illegal, I think Facebook does, then they should take action. I think Facebook generally does a pretty poor job of policing content, even when they're alerted to it being offensive or malicious, or, you know, it quite often does seem to turn a blind eye. And recently we saw a leak of the guidelines which are given to Facebook's moderators as to, you know, what is allowed to be kept up and what isn't, and that caused some outrage as well. So I think as they grow bigger and bigger and more powerful and become a more significant part of the internet, they do have a greater responsibility.

Carole Theriault

They practically own the web right now. And they were told back in, to your point, they agreed back in 2015 to deal with this, and they haven't done a good job about it. And now they're kind of kicking up a fuss because a government is saying, well, look, if you're not doing what you said you'd do two years ago, you know, you're going to have to pay up.

Graham Cluley

Every time these really contentious posts get shared, they get more views. Facebook is displaying adverts alongside them. And it is profiting from this constant conveyor belt of content which people are posting up, whether it's contentious or not.

John Hawes

And Germany can't unfriend people, presumably.

Graham Cluley

Well, actually, I think you'll find Germany is currently unfriending Britain and America. I've just written an interesting article in The Atlantic all about that. Thank you, Carole.

Carole Theriault

You're welcome, Graham.

Graham Cluley

You're welcome.

Carole Theriault

Carole sent that over to me.

Graham Cluley

Link's in the show notes. Yeah, it's a good piece. I don't know. I've got a slightly awkward relationship with Facebook anyway. I'm not sure that they're quite as cozy and cuddly as they might like us all to feel about things. I do feel that they often do turn a blind eye to some of the more unpleasant stuff there.

Carole Theriault

Yeah.

Graham Cluley

I'm not saying it's an easy problem for them to solve in terms of algorithms, and sometimes mistakes may be made and there may be genuine innocent posts which are removed. But what I do think is they have a lot of money. And they potentially could hire people to maybe police and administer and deal with complaints in a more competent fashion than they have been in the past.

Carole Theriault

I agree. I think they need to exercise much more social responsibility. They are responsible for managing this world, which many people use all the time to communicate and to learn stuff. And in order for it to be useful, it's got to be good, right? And it's got to be true and it's got to be trustworthy. And they're failing right now.

John Hawes

But if it has to be done by people rather than algorithms, are there enough people? Doesn't Facebook have more users than there's ever been people alive or something?

Graham Cluley

What I'm talking about is dealing with the complaints. So when someone has reported something as being controversial, then it should be, you know, obviously there's a certain amount that algorithms might be able to do, but also you can have a human element there. A quality element. And that seems to be where they're failing.

John Hawes

But if you have a billion users, you're going to be getting—

Carole Theriault

Well, do you have too many users? You can't handle them?

John Hawes

Then you have to hire more people. But eventually they're going to get to the point where everybody is either a Facebook user or is working in a Facebook complaint call center. And then where will we be?

Graham Cluley

John, we're already all working for Facebook. It's just that we're not getting paid. Remember that, right? So this is a step up for all of us if we end up on the abuse team. Now, I'm thinking, Carole, we should do our sponsor slot here. Before the new segment of the show. What do you think to that?

Carole Theriault

Graham, why do so many apps rely on passwords? It's such— puts such a burden on the users.

Graham Cluley

It is a pain, isn't it? And that's why there are companies like Iovation, which are creating authentication and fraud prevention solutions, Carole. And you can probably guess by now that they are sponsoring the show this episode.

Carole Theriault

Oh, that's lovely.

Graham Cluley

Isn't that fantastic? They are letting Smashing Security listeners try out their newest product, LaunchKey, for free.

Carole Theriault

Cool.

Graham Cluley

And what it is, is a mobile multifactor solution. You can build it into your mobile apps, your websites, your online services, and it provides a simple, streamlined remote login function. Nice, eh?

Carole Theriault

Yeah.

Graham Cluley

All you've got to do, go to demos.launchkey.com, check it out for yourself, and thanks to Iovation for supporting the show.

Carole Theriault

Onwards. Kofifi.

John Hawes

Kofifi.

Graham Cluley

Well, now we come to an exciting new chapter of the show, don't we, Carole?

Carole Theriault

Yes.

Graham Cluley

Why are we doing this?

Carole Theriault

Well, we've received a number of emails and tweets saying that people would like this to be a longer podcast. So we thought, well, what can we do? And maybe we can actually show our non-technology or non-geeky side or non-security side. So we could actually throw forward some picks that we— recommendations. Of things that have tickled us this week.

Graham Cluley

Yeah. All right. So it's time for Picks of the Week.

Carole Theriault

Picks of the Week.

Graham Cluley

Picks of the Week.

Carole Theriault

Okay. Who wants to go first? Okay, I'm going to nominate Graham. Why don't we keep the same order? You go ahead.

Graham Cluley

You want me to go first?

Carole Theriault

Yeah, you go first.

Graham Cluley

Okay.

Carole Theriault

I like going first.

Graham Cluley

I am going to— Now you're— Okay. Look, guys, you may not be aware of this. I'm a little bit of a fan of a popular beat combo called the Beatles.

Carole Theriault

Yeah, I've known you for 20 years. Yeah.

Graham Cluley

So obviously, and I think you would agree, you don't have to say anything. The Beatles are the greatest rock group that has ever existed. Good. Glad we agreed on that.

Carole Theriault

Here's a— Graham once actually stopped dating someone who apparently didn't know who the Beatles were. Isn't that true?

John Hawes

Was it a child?

Graham Cluley

No, I can't tell this story.

Carole Theriault

Okay, don't tell it. We'll just leave everyone in suspense.

Graham Cluley

We'll tell it another time. So as you may have heard, because there's lots of media hype at the moment, it is the 50th anniversary of the Beatles' 1967 album Sgt. Pepper's Lonely Hearts Club Band, which isn't, in my opinion, the greatest Beatles album.

Carole Theriault

Oh, it's a great album.

Graham Cluley

It's good.

John Hawes

It is good. It's got a good cover.

Graham Cluley

It's got a great cover and it's got the lyrics written in it and there's lots of clues suggesting that Paul McCartney might be dead. But it isn't, I think, their greatest work, but it is absolutely fabulous, right? It's an incredible piece of work. It came out in 1967, you know, it's tremendous. And what they've done is Giles Martin, who is the son of the late George Martin, who was the producer of the original album, has taken the master tapes and he's flung them up in the air and he's put them back to piece and he's used modern technology to remix the album. Because if you listen to— so I grew up with the stereo version of Sgt. Pepper's, right? And because of the number of tracks which they had at the time when they were recording the album, you get this rather strange experience because the Beatles didn't have the greatest technology even at the time, let alone by today's standards. But you get this situation when you're listening to the stereo version where, for instance, McCartney's voice will be in your left ear and the music will be in the right ear, right? And it's kind of a weird thing.

John Hawes

That's a bit strange.

Graham Cluley

And it is weird. And it does seem weird. And that's why a lot of Beatles fans actually prefer the mono recordings of the Beatles, at least of their early work, because they actually participated and were involved in the production of the mono versions. And when it came to the stereo version, they're like, oh, I'm just going to go home now. You know, because they didn't really care about that. Because, you know, who cared about the stereo mix? And so it's just left to some guy to quickly sort of paste together. But what Giles Martin has now done is he's taken these tapes and he's fixed them. And there's unbelievable clarity now in the recording.

Carole Theriault

And you can't— Too much clarity? Too much clarity?

Graham Cluley

You can't have too much clarity when it comes to the Beatles. It's fantastic. Because now you've got the voices centralized. It's much more powerful. The drums and the bass are stronger than ever before. McCartney's bass is incredible on this album. And it is in many ways a new experience. It's like you've taken an incredibly beautiful, you know, picture. Do you remember, Carole, there was that picture with— there was a painting which was in some Italian church.

Carole Theriault

I have a copy of it in one of our bathrooms.

Graham Cluley

And it got rather grubby over the years, right? And then this woman came along, decided she would restore it herself, and she was a little bit too keen on the restoration. And we'll link to the picture soon.

Carole Theriault

It's one of the most wonderful stories ever.

Graham Cluley

I love that story. Anyway, she goofed it up. Giles Martin has not done that. What he's done is he's produced this greater clarity. He's made, in my opinion, Sgt Pepper better than ever before and brought out new things. And on the bonus discs, you get all these outtakes and rehearsals, and you hear all the chitchat between McCartney and Lennon and Harrison and Starr.

Carole Theriault

Okay, you've sold it. It's fantastic.

Graham Cluley

Even if you aren't a fan of The Beatles or indeed Sgt Pepper, I'd really recommend it. And so that is my pick of the week, Sgt Pepper's Lonely Hearts Club Band 50th Anniversary 27 Remix. Thank you very much, Covfefe.

John Hawes

Is it available on streaming sites?

Graham Cluley

Wasn't that a big thing that The Beatles weren't for ages? Yeah, because The Beatles did a deal with iTunes, and I think The Beatles are on most of the streaming sites now. And I think even this brand new mix I think I read somewhere that it might be on Spotify or something like that. So if you want to check it out there, it's probably up there too. Awesome. It is awesome. Thank you for agreeing. John, what have you got for us as your pick of the week?

John Hawes

I thought I wanted to pick up Clash of Clans. I don't know if you know that.

Graham Cluley

It's a game.

John Hawes

It's an app for your phone or your iPad, unbranded tablets. It's a kind of classic tower defense game where you build a little village and you have to defend it against people attacking. So you build cannons and walls and then you go out and raid other people's villages and steal their money and spend it on more cannons and walls and that typical kind of game really.

Carole Theriault

Do you love this game?

John Hawes

I do love it. It's wonderful. And it has a nice community as well. So you join a team and you help each other out and you fight wars with other teams to get rewards. On the downside is it's one of these in-app purchase games. So it's basically, it's trying to make you get bored of waiting for things. The more you go on, you want to upgrade your cannon. Oh, it's going to cost you.

Carole Theriault

Can we ask how much you've paid them? How much have you paid them in the years?

John Hawes

I have not paid them any money at all. No, because some people play, I will feed you as much money as I can to speed up the waiting time. And other people, it's more of a challenge in itself to just say, I'll see how much I can do without actually spending any money.

Graham Cluley

Wow.

John Hawes

But yeah. So, and last week or maybe the week before they released— so they periodically release big updates with new weapons and new characters and new features. And last week they did a huge one with a kind of a secondary game inside the game, which has much less of the waiting time. It's a rebalanced version of the normal game, but it's all much quicker. So you don't have to sit and wait for half an hour between your raids or whatever.

Graham Cluley

Because I've just Googled this thing and I see that there are hacks available, not hacks as in computer security, but hacks to sort of get hold of free gems without spending cash or maybe to fiddle with the clock and things.

John Hawes

I see that there's various things you can do to get around the rules, but no, it's— But you don't do that sort of thing, John, right? You just happily wait for hours.

Carole Theriault

You get off on the fact that you don't give them any cash, don't you? You like that, don't you?

John Hawes

Sometimes I feel a bit guilty about it because I do quite like it and enjoy it. And then, you know, other things like, what's the big one? Candy Crush, which, you know, you hear about people giving it tens of thousands of pounds in a weekend because they went crazy.

Carole Theriault

How long ago was that? Was that like 2, 3 years ago? Candy Crush, like the craze?

John Hawes

It kind of boomed, didn't it? I'm sure it's still going on.

Graham Cluley

Of course it's going on. I think Candy Crush might be the most evil thing in the universe.

John Hawes

Yeah. So I mean, I played that a bit and I never gave them any money and I never felt bad about that. But somehow with a game that you actually quite like, you feel like, oh, maybe I should. I feel like I should donate to them.

Graham Cluley

We might be able to donate money to them rather than pay for, you know, John, you may not have given Candy Crush any money, but what you gave it was probably years of your life.

Carole Theriault

Yes.

Graham Cluley

Just spent going ka-chink, ka-chink, ka-chink, pressing here.

Carole Theriault

You've just advertised for them.

Graham Cluley

Oh, like they need any of that. No, I bet half of our listeners are playing Candy Crush right now. It's the most addictive. I've never dared play it, because I've seen it and I've heard it go ka-chink. You've never played it? No, certainly not. I'm terrified of it.

Carole Theriault

It's not heroin.

Graham Cluley

Are you sure?

Carole Theriault

Yeah, I've played it and I somehow got out of it without giving any money away and it not taking over my life.

John Hawes

So one other cool thing about Clash of Clans, I know a lot of games like this, I think that they have this kind of in-game chat system. So I am a member of a clan and most of the other people are in Tamil Nadu.

Graham Cluley

Have you made some friends, John? Well, you made some pals.

John Hawes

Most of them kind of come and go. They don't tend to stay around long, but they have this little chat window where you can say to people, please give me a giant or something like that. But I've always thought that these would be a great place for spies to meet up or something, you know, where it's going to be very, you know, you don't have to go and sit on a bench and say, oh, the ravens are flying low this weekend. You could just kind of drop into the little chat room on your game and, and because there's millions and millions of these groups out there, there's no possible way anyone could track or monitor it. And you're all over the world and you're all connected together through this slightly obscure system. If I was a spy, that's what I'd be doing.

Graham Cluley

I do remember actually, I think GCHQ or someone like that was, there was a story which was going out that they were trying to recruit youngsters, you know, teenagers and so forth to go into games like Second Life because there was this fear that terrorists might be communicating via them. And yeah, of course they might be, but equally they could be using Signal or FaceTime or, you know, whatever else as a method. I'm not sure you necessarily have to create yourself a little secret room inside a game to do these things as well.

Carole Theriault

I'm sure people do though.

Graham Cluley

I'm sure maybe some of them do, but it's—

John Hawes

I don't know.

Graham Cluley

I don't like— well, I see I'm feeling a bit guilty now because here I am sort of saying, well, I don't like all these addictive games and things like that, but I'm completely and utterly obsessed by chess.

Carole Theriault

Exactly. So that is— that's the same thing. The same thing. I'm sure people do.

Graham Cluley

Yeah.

John Hawes

Does your chess app have a chat window?

Graham Cluley

It does. Yes, they do. Oh, you say good game.

Carole Theriault

Yeah, well done.

John Hawes

Thank you, sir.

Carole Theriault

Thanks for kicking my ass again. I bet you say that a lot.

Graham Cluley

Carole, Covfefe, what have you got?

Carole Theriault

Okay, well, do you remember a few weeks ago, I don't actually know how long ago, maybe a month ago, we had a special guest called Michael Hucks from PC Pit Stop.

John Hawes

Yes.

Graham Cluley

And this is Sweet Sweet. Is that sweet as in candy?

Carole Theriault

Yeah, it's like sweet sweet. Yeah, like candy candy, but sweet sweet. So he regularly plays with a band called Sweet Sweet based in the States. And this band has been invited to go play Bonnaroo, which is on June 9th.

Graham Cluley

All right. Yes. And so it's very— yeah, so I'll send a link to the page, but they're a really cute band.

Carole Theriault

Now this is a big, big festival in Manchester, Tennessee. Like 80,000 people go there, right?

Graham Cluley

Well, look, I think this new segment of the show has proved that we're well-rounded individuals. I'm still living in the '60s and still addicted to the Beatles. John is playing—

Carole Theriault

So it's a big deal. And so they are currently trying to get there and they're trying to raise some money in order to be able to attend and rent some transportation to get down to the gig. So I am putting that as my pick of the week because they are a great band and I'll put a link in so you can listen to them and I'll put a link into their GoFundMe page. Is it Clash of Clans? Clash of Clans.

Graham Cluley

Clash of Clans. And Carole is listening to Sweet Sweet and helping them get to the Bonnaroo Festival. That's all fantastic. I hope you've enjoyed the show. Thank you, John, for joining us. Thank you, Carole, as always, for being a wonderful co-host. If you loved the show, why not let us know? And you can do that best and support the show by subscribing to us in your podcast app or leaving a review on iTunes or something like that. Just telling people, it really makes a big difference. And thanks for tuning in. If you like the show, tell your friends, let us know what you think, go to www.smashingsecurity.com and you'll find an email contact form and a link to our Twitter as well. And until next week, toodloo!

Carole Theriault

Bye everyone!

Graham Cluley

Bye-bye! Covfefe.

EPISODE DESCRIPTION:

Hackers are blackmailing cosmetic surgery patients, and threatening to release their naked photos. A British Airways IT snafu causes travel chaos for thousands. And Germany is threatening to throw hefty fines at Facebook if it can't police its content properly.

All this and "Covfefe" is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest John Hawes.


Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: John Hawes.
