This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Troy Hunt
You can't say that to the man with half a billion passwords.
Carole Theriault
Sorry, dude.
Unknown
You know, it's like he's got this great big butterfly collection and telling him butterflies suck. Smashing Security, Episode 64: So Just a Teeny Tiny Security Issue Then, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, Episode 64.
Graham Cluley
My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Troy Hunt
And we're joined today by the doyenne of data breach disclosure and general internet superhero from down under, it's Troy Hunt. Hello, Troy.
Graham Cluley
Well, that was really good until the last bit. Well done.
Carole Theriault
I don't know if you've heard the last few episodes, but he's been doing a lot of really, really bad Australian accents. I can't even believe you're on the show after hearing those.
Graham Cluley
Yeah, well, anyway.
Troy Hunt
Are there any particular Australian phrases which you think would improve our accents? Anything we could try out? Because we want to increase our audience down there.
Graham Cluley
No, I think you should just go back to sending bad people from your end of the world over to our end of the world. You know, that worked out very well. Thank you very much for that. Have you seen where you sent the worst people?
Troy Hunt
What was wrong with you people? I know, it was insane, wasn't it? We gathered together all our bogans, our dags, our dropkicks. We sent them to us and we sent them to Australia of all places. We should have gone to Australia and left them in— Yeah, when I say we, I am Canadian. So you're sort of—
Carole Theriault
You're on your own on this one.
Troy Hunt
We'll be right back after this break. Thanks to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management. Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.metacompliance.com. That's www.metacompliance.com.
Carole Theriault
Rapid7 is sponsoring Smashing Security. Rapid7's Insight IDR has been named a Visionary in Gartner's latest SIEM Magic Quadrant. It is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting rapid7.com/insightidr.
Troy Hunt
And welcome back. And as always, what we've been doing is looking back over some of the security stories, things which piqued our interest in the world of computer security and online privacy and computers going wrong. And there are various ones which we thought we would bring to your attention. Let's start by talking about phishing. You know, the traditional way that phishing works is that the bad guys trick you into clicking on a link to take you to a website which may appear to be your online bank. The fact is, it looks like a legitimate login page, doesn't it, for your bank, your social media account, but really it's on a different domain. If you could check out the actual domain it really is on, you'd realize, oh, it's not on Lloyds Bank, you know, it's on sort of IIoyds Bank instead. Or, you know, they might have used a trick like that, or they may have used some HTML shenanigans in the email to make you think you were clicking on one thing, but you end up on another. Yeah. And so that's fundamentally, I think, how phishing works, right? But what if the phishers were able to actually create a subdomain of your real site? So if you ran a company called example.com, www.example.com, what if they were able to create a subdomain which was login.example.com or accountlogin.example.com or something like that, which that would seem pretty convincing, wouldn't it, if it really was part of example.com. And it would imply and infer that the bad guys had managed to breach your organization in order to create that subdomain.
Carole Theriault
Okay.
Troy Hunt
On Monday, I was approached by a pal, a fellow podcaster, who participates in the Intego Mac Security Podcast and also a number of other podcasts, Kirk McElhearn. And he's a longstanding Apple Mac journalist. So he knows his onions. And he also runs a blog called Kirkville.com, and Kirk had received this weird email from Google's Webmaster Console telling him that Google had found hacked content on his site. And I mean, Troy, I mean, I think people like you and me who run our own blogs, that would be a nightmare scenario, wouldn't it?
Graham Cluley
Yeah, it's not a good look, but you know, I was just thinking when I was reading this, it's very similar to phishers exploiting the I guess, the neutral or positive reputation of an existing website to host content there. You know, the number of WordPress blogs out there that have got a phishing page somewhere on the site, and it is leveraging the fact that, you know, here you have a domain that's existed for a while, it doesn't have a negative reputation, and they leverage that. And I guess it's the same thing here, grabbing a subdomain. And I think that's what, you know, Google often will pick out. It will find a blog or something where the bad guys have managed to inject spam selling Viagra or something onto your pages, maybe exploiting a vulnerability in WordPress or something that in order to get their messages out there.
Carole Theriault
What?
Troy Hunt
So, yeah. So in other words, an unauthorized party was able to create subdomains for someone else's website.
Carole Theriault
Now, okay, so Namecheap had shitty security.
Troy Hunt
Well, we don't know where the— they haven't actually shared very much information as to how on earth this was possible to happen.
Carole Theriault
Okay.
Troy Hunt
But it sounds like his account wasn't actually compromised, but it was possible to create subdomains for other people's accounts. Now, in Kirk's case, it probably isn't that catastrophic, right, because it's just a blog. But imagine if he had been some online site which people logged into. This could have been used for phishing instead, and that could have caused all manner of problems and highly convincing login pages could have been created. So Kirk wrote about this on his site saying this has happened, and he wanted really to warn other people, you know, if you get a message from Google Webmaster Console, if you've been warned you've got hacked information on your domain, then this is something to watch out for. So I tweeted out a link to Kirk's story, right? Namecheap, not very happy. They tweeted a reply to me saying, look, look, we definitely don't want word to spread about this, and we want to keep these—
Unknown
You are kidding.
Carole Theriault
No.
Troy Hunt
And we want to keep—
Graham Cluley
This always works out just fine. They tweeted back when—
Troy Hunt
Shh, shh, hey, hey, hey, keep it quiet. And they said, "We want to keep this under the radar." On Twitter? Yes.
Carole Theriault
This is a DM, this is a direct message.
Troy Hunt
No, no, it wasn't a direct message. This was just from their support team.
Graham Cluley
Hang on.
Carole Theriault
You're going to go look for it?
Graham Cluley
Let me tweet it to my follower army.
Carole Theriault
Yeah.
Troy Hunt
It's, I mean, their point of view was, look, if someone has managed to do this to one of our customers, we don't want it happening to other people's. But the thing was Kirk wasn't saying how it was done. Kirk doesn't know how it was done. I still don't know how the bad guys did it. All he was saying was, this has happened to me. Watch out, chaps. It might've happened to you. Be aware of it. Don't panic if you get one of those hacked messages from Google, which you need to sort out because it appears to be a Namecheap problem. So obviously that was really silly of them to do, but I think that's the story we come across so often, isn't it? Anyone can have a vulnerability. Anyone can have a screw-up and there can be bugs and daft things like this can happen or bad guys can exploit them, but it's how you handle them, how you respond to them.
Carole Theriault
Yeah, it's really bad if you handle it by, now they look awful. They look awful by trying to hide. Who can trust them?
Troy Hunt
Well, we are still waiting for them to send an email to their customers explaining what's going on. They say that they're doing a proper audit of the situation. We're recording this on Tuesday evening and they haven't contacted the customers yet. Maybe by the time this podcast comes out, they will have done. What they have said is on Twitter, they've said that the problem only affected, and I'm quoting, a teeny tiny group of users.
Carole Theriault
Oh, scientific.
Troy Hunt
Exactly.
Graham Cluley
And they weren't very impressed.
Carole Theriault
You're probably not familiar with that term, Graham, but it is very scientific.
Troy Hunt
It's teeny tiny. Yes.
Carole Theriault
Very, very scientific. Yes.
Troy Hunt
So I don't know if that means 1, 5, 100, 3%. I don't know how many users they have in total.
Carole Theriault
Well, Namecheap, I'm sure they've got millions.
Unknown
Well, with a name like that, yeah, why not?
Graham Cluley
Right.
Troy Hunt
Now, I chatted to Kirk about this to see what he felt about how this had been handled. I chatted to him earlier today and we can have a little listen to him now.
Graham Cluley
And my initial interest in publishing this, and when I asked you by email what you thought about it, you agreed, is essentially so if someone else is in the same position as I am and they Google this to know what's going on to find an answer. And as a journalist, I run a blog that I've been running for 20 years. This is the kind of material we write about when we encounter a problem like this and we figure it out.
Troy Hunt
There's always the assumption that, well, if I couldn't find something, that means someone will.
Graham Cluley
It'll take me 20 minutes to write it up and I'm helping other people. And of course, Namecheap didn't really like that.
Troy Hunt
I hope we're going to see a proper communication from them to their customers who might be affected and maybe we'll get to the bottom of just how many users were affected by this.
Graham Cluley
Yeah. As of now, I haven't received anything. I would assume that I would assume they'll be sending an email to all users that are affected, which should include me, even though I'm the one who brought it to their attention. But as of now, we are 30 hours later and I haven't heard anything other than their replies on Twitter.
Troy Hunt
What's your feeling about how Namecheap has handled this?
Graham Cluley
I have been thinking of moving my hosting for a while now because I've had performance problems with them in the past. I'm going to accelerate this move as soon as I can. Of course, as you know, moving a website takes a lot of time. It's not something you just do at the drop of a hat, but this is really, you know, the last straw with them.
Troy Hunt
So our advice for other companies in this situation, I don't think there's much helpful advice we can give to users running their own sites other than to keep an eye open for these kind of alerts. If Kirk didn't have Google Search Console set up for his site, he probably would never have known that this was going on.
Carole Theriault
True, true.
Troy Hunt
But, you know, companies have a lot to learn, I think, about how they respond to incidents and, you know, be transparent. But teeny tiny doesn't really work, does it?
Graham Cluley
I think they've actually deleted the tweet because I'm going back through your thread because I was curious now and I've found you replying to them. It's not me with the issue. I'm not a customer of yours. I was linking to McElhearn's blog.
Carole Theriault
When they realized it wasn't a DM.
Graham Cluley
And the parent tweet is gone. That's— that's— oh man.
Troy Hunt
Don't worry, I've got a screenshot. I'm sure you do too. Links in the show notes. So Troy, what have you got for us this week?
Graham Cluley
So this week I have been writing about minimum password lengths. And for a little bit of context, I put out last year this massive set of passwords called Pwned Passwords as part of Have I Been Pwned. And they're about 320 million passwords. They're all SHA-1 hashed because some of them do have a bit of PII and stuff in them. And the sort of the premise of it was you could take these and then when someone registers, logs in, changes password, you could hash that, compare it to the set, and say, hey, if your password is in this 320 million set, it has appeared somewhere in a data breach, probably not a good password, you want to do something else with it.
Troy Hunt
Okay, so you can check your password against the 320 million that you've collected effectively. Troy, I have to say, that's a pretty teeny tiny number of passwords.
Graham Cluley
Wow, it's interesting you say that.
Troy Hunt
Let's be scientific for a moment. Interesting.
Graham Cluley
Yeah, that's roughly 320 million. But, you know, the premise is, I guess, not so much to check your own password, but more if you are running a web application and you want to try and encourage your users to use good passwords, the theory is that you should be looking at previous breach corpuses to see if someone's using a password that's appeared publicly before. So I'm doing a V2, which incidentally is now over half a billion. I've just finally wrapped up the complete set. And as part of that exercise, I wanted to sort of look at, could I possibly try and reduce the size of this a little bit by trimming out the stuff that was beneath some sort of certain threshold? Because websites just shouldn't be allowing that length. And I thought, oh, look, I'll go through and do this little exercise. I'll just see what sort of minimum length the world's largest websites have.
Troy Hunt
Okay. Yeah.
Graham Cluley
Cool.
Carole Theriault
I like it.
Graham Cluley
Yeah, so I'll put the question to you. What is the correct minimum length? What do you guys reckon?
Troy Hunt
I don't know.
Carole Theriault
I know what I would say. I would say minimum, I would say 20 characters, but I suspect it would be more like 12.
Graham Cluley
You don't like customers, do you?
Troy Hunt
Yeah, I'm not running retail.
Carole Theriault
It's true.
Troy Hunt
I would think for a website, I mean, I think when I generate a password with my password manager, I mean, obviously try and go for as long as possible, but certainly I begin to get a bit twitchy if it's less than 12. I'd probably want it to be longer than that though.
Carole Theriault
But you wouldn't be surprised if you saw a site that had 8 of them, 8 characters?
Troy Hunt
No, but I'd begin to feel a little bit uncomfortable, probably.
Graham Cluley
So, you know, we need to be clear that there's a nuance here, and the nuance is that there's a difference between when you go to a website and you create a password for yourself and you decide what length it should be, versus when you are the creator of the website and you say, well, what is the minimum threshold we're going to allow. And to the earlier point about locking users, the challenge here is that the shorter we make it, the easier we make it. The shorter we make it, people will also fall down to that lowest available level of security, and that will pose other risks. So I often ask this question when I run workshops. I sort of go, okay, well, look, you know, what's the right number? And most people sort of guess it around the, you know, 8-12 kind of mark. And the interesting thing I found, I looked at 15 of the world's largest websites, is that by far the most common number is 6.
Troy Hunt
Wow.
Carole Theriault
Yeah.
Troy Hunt
Which is less characters than the word password. You would expect them—
Carole Theriault
Very good, Graham. Very good.
Troy Hunt
Thank you. Or indeed, let me in, you know.
Graham Cluley
So it was kind of curious actually, because we ended up finding that 9 of the 15 sites I looked at allowed 6. So Facebook, Reddit, Amazon, Twitter, Instagram, LinkedIn, Pornhub, eBay, and Imgur all allow 6. And then there are only 4 of them which had the next highest limit, which was 8. And we had Google, Yahoo, Microsoft, and Twitch all allowing 8. Now that was sort of the usual spread. The couple of outliers here is that Netflix only requires 4. And I can kind of get that in so far. Yeah, well, all right. So, well, this is an interesting sort of tangential discussion. So what I was going to say is I can kind of get it because you're often entering this on a TV remote. So from a usability perspective, there's that. The tangent there around— I think that the path we're about to go down there is it's only your TV, you know, and it's only movies and things.
Carole Theriault
But your credit card.
Graham Cluley
Ah, see, there's the change.
Carole Theriault
Yeah, that's the thing. Yeah.
Graham Cluley
And I actually just linked to someone, linked someone to this in a tweet. I linked back to that story from years ago about Matt Honan's epic hacking, the one where someone basically got the last 4 digits of his credit card from one service, then used that as identity verification into others. So, you know, my Netflix password, I'm pretty sure, I definitely know it's not 4 characters. It's not the usual sort of 30 or 40 I'd use with a password manager either.
Troy Hunt
I've made mine very simple, actually. My Netflix password is just the last 4 characters of my credit card. I thought that would be the simplest thing of all to use.
Graham Cluley
We laugh, but I've seen a lot of passwords and, you know, the times—
Carole Theriault
Actually, do you— could you tell us, out of all your 320 million passwords you've collected— half a billion, sorry— how many are under 6 characters, do you reckon?
Graham Cluley
8.7%.
Carole Theriault
Oh.
Graham Cluley
That's not as much as I thought.
Carole Theriault
Yeah, that's quite small.
Graham Cluley
Well, you know, the reason I know this is because this is where I was originally going. I was thinking, can I chop out anything under 6 characters? Because that will then bring the size of this whole thing down and it will be a little more manageable. But when I found that and it was such a small number, I was like, there's really not much point chopping that out. Now you've got to remember also that these passwords come from real data breaches, so the number under 6 characters is not so much a representation of "Oh, thank God people don't choose really, really bad passwords." It's going to be more to do with the fact that there are a lot of sites that have a minimum length of 6. So what I'm going to do when I publish these is I'm going to write this up and I'll do a little bit of analysis on the distribution of passwords by length as well. And it will just be interesting to see if there's a very heavy distribution towards 6 and 8 character long passwords because that's the minimum that so many sites require.
Carole Theriault
Yep, I like it.
Troy Hunt
When I read your blog post about this, one of the interesting things I found was that everyone is choosing an even number of characters as their minimum in their passwords. There's no one saying it has to be 5.
Graham Cluley
I know. So this is a funny thing. And I even had a couple of people reply going, "The number I choose is 9." And I'm like, "Okay, why?" "Because it feels right." It's like, oh, that's— this is the whole thing, right? This is not a scientific decision. And a lot of the point of the blog post as well is to sort of make the observation that passwords these days are becoming a lot more than just, do I have two strings, right? So do I have a username and a password? And are the ones in the system the same ones that are provided by the user who comes to log in? So they're evolving beyond that. And we're really getting to a point now where there are many other mitigating controls with authentication. You know, that could be everything from resilience to brute force attacks to confidence levels in user agents and IP addresses to all sorts of other things. Hopefully monitoring my own password set and making sure the password's not in there. So it's getting much, much more sophisticated and we're moving away from these really simple, basic mathematical criteria, you know, X number of characters long, uppercase, lowercase, you know, all this kind of rubbish. So fortunately, that is now starting to go away and we're getting a bit smarter about them.
Carole Theriault
They still suck though.
Troy Hunt
You can't say that to the man with half a billion passwords.
Carole Theriault
Sorry, dude.
Troy Hunt
You know, it's like he's got this great big butterfly collection and telling him butterflies suck.
Carole Theriault
No, it's not the same. I love that you're doing what you do. I hate the fact that we have to use passwords to get access to anything, but I don't have a better solution.
Graham Cluley
So no, well, then that's the thing, right? So they still suck and nothing is about to change. And every single time someone pops up and says, "Oh, we've got a thing which is going to fix the problem with passwords and we will never need them again." I've, in fact, I wrote something just yesterday on a column I write about precisely this. Every time someone pops up and says they've got a thing, it never happens. And it never happens because passwords are something that's so simple that everybody understands them. And that's why they live.
Troy Hunt
We're going to be living them for some time to come, aren't we?
Carole Theriault
Living the dream.
Troy Hunt
Passwords. Carole, what have you got for us this week?
Carole Theriault
So I'm breaking the rules because I'm allowed.
Troy Hunt
Surprise.
Carole Theriault
And it's not security related at all, but it's important technology stuff and I think we should all be thinking about it. So that's what I'm talking about.
Troy Hunt
It's kind of like a pick of the week, which you have somehow promoted to the main section of the show.
Carole Theriault
My pick of the week is not security related either.
Troy Hunt
Oh, well, I'm glad you joined us on Smashing Security this week.
Carole Theriault
Graham, let me start with a question to both of you. So if I gave you both 4 hours of uninterrupted, unfettered personal time, what would you do with it? Don't be rude because we've had a complaint about—
Troy Hunt
We did have a complaint, yes.
Graham Cluley
But it wasn't on the show I was on, was it?
Carole Theriault
No. So don't say boobies or anything like that. So 4 hours.
Graham Cluley
I know what I'm not doing now.
Troy Hunt
4 hours.
Carole Theriault
You play chess, Graham.
Troy Hunt
I'd probably play chess or watch a chess video or I'd do some sort of Doctor Who marathon. I'll find some classic Doctor Who episodes from 1978 to watch.
Graham Cluley
I'd actually do something interesting. I think I'd go to the beach, I'd go out on the water, you know.
Carole Theriault
Okay, I'm hanging with Troy. I'm hanging with Troy. So the thing is, is after sleep and work and basic life maintenance, by which I mean eating, bathing, you know, making sure your kids are awake and going to where they need to go, you apparently have as an adult about 4 to 6 hours of personal time. And this is where, you know, you do your hobbies, you have a hot date, you have family time and all that cool stuff. So apparently this 4 or 6 hours that we have, we are spending about 90% of it on our screens.
Troy Hunt
Oh, that's tragic, isn't it?
Carole Theriault
It is kind of tragic considering that, well, certainly me and most of the people around me spend maybe 100% of their working life in front of a screen.
Troy Hunt
Yeah.
Carole Theriault
I'm not surprised by this, but it does make me feel a bit icky because I know I spend way too much time in front of screens. But I somehow excuse it because I think most other people are doing the same thing, so it must be okay.
Troy Hunt
And also at the moment, Carole, you are crippled in bed with your spinal injury.
Carole Theriault
I know, yes.
Troy Hunt
You know, as your husband put your monitor pretty much in front of you, there's not much else you can do, is there?
Carole Theriault
I know, it's tragic. I'm getting better. I'm getting there slowly, slowly. Now, why has this happened? So there's been a dramatic increase. So in 2015, only 2 years, 3 years ago, it was about 75%. So it's gone up quite a lot in the last few years. And one of the reasons is to do with FOMO, or the fear of missing out. But some people are saying that algorithms that are designed and implemented by the big internet giants are actually fueling addictive behaviors in us that very much counter our well-being. So for example, social psychologist Adam Alter maintains that we are literally addicted to modern technology products. And there was this excellent piece published in The Guardian this weekend about how YouTube's algorithm distorts truth. And it talks about how YouTube cherry-picks controversial or sensationalist up next for your autoplay to keep you glued to the screen.
Troy Hunt
Crumbs.
Carole Theriault
So there's this group of Silicon Valley insiders. Now interestingly, these are all ex-Facebookers, ex-Googlers, who basically now have seen the error of their ways, and they have called— their organization is called the Center for Humane Technology, or humane-tech.com. The group is dedicated to raising awareness about the negative effects of social media and technology on society. And it's spearheaded by Tristan Harris. Now, he spent years working at Google as a design ethicist, but has started campaigning against the dangers of these big websites like Facebook and Google. Anyway, so the group this week have announced a partnership with nonprofit media watchdog Common Sense Media to basically talk about tech addiction. And this isn't small potatoes. They got $7 million from Common Sense Media. And they got $50 million in free media and airtime from Comcast and DirecTV. So I'm suspecting a lot of our American friends are going to see these ads.
Troy Hunt
So, oh, hang on a moment. So there are media outlets like Comcast and DirecTV who are funding a campaign to prevent people from looking at screens.
Carole Theriault
Mind you, well, maybe their TV, they're missing the viewers.
Troy Hunt
Well, I see. Exactly. That's what I'm thinking. Because the big competition to TV stations these days is Facebook, YouTube, your smartphone, etc., etc., isn't it? I do think there really is a case that people are getting addicted to these things.
Carole Theriault
Question really is, right, it's about design ethics. Are the big kids on the block doing what we want them to do, or have we all become slaves to their offerings for reasons we can't even understand? Humane Tech say Facebook, Twitter, Instagram, and Google are all caught in a zero-sum race for our finite attention. And they need that to make money. Things like Snapchat. I don't use Snapchat, but Snapchat has this feature called Snapstreaks. And basically it shows users how many days in a row they've sent a Snapchat picture to their friends. Right? So if you miss a day, if you miss it in 24 hours, you lose your streak.
Troy Hunt
Oh, I see.
Carole Theriault
So if you're in between, right? And your parents force you to go on vacation and you have no airtime, apparently very stressful because you lose your number that you've been working on for so long.
Troy Hunt
There must be people on Fiverr or something like that who you could hire to carry on posting onto your Snapchat.
Carole Theriault
I saw an article where kids are actually sharing their Snapchat passwords with 5 or 6 of their friends so they can keep it going while they're away, which, you know, I do have a security angle.
Troy Hunt
These people are going to keep Troy Hunt busy for a long, long time, aren't they, if they're doing this with their passwords.
Graham Cluley
I was actually literally busy just checking my Twitter. So what was all this about? That's outrageous. So this is— you're being a perfect example, Graham. So, you know, I find the best fix to all of this is physical exercise because that's sort of the one time where it's actually really hard to look at your phone. And if you can do something that tunes you out for a couple of hours, so yeah, I'll play tennis or I'll get on the water or do something like that. And I sort of have a couple of hours where you can't look at it. And of course you come back afterwards, right? And there's a flood of whatever's happened while you've been gone. But yeah, I think that more than anything, that is the way to tune out. And that's good for you in all sorts of other ways too.
Carole Theriault
Absolutely. 'Cause ultimately it's all about money, right? How much time you spend on the site, snarfling up the content and watching ads, lines the internet giants' pockets. So it's basically about taking back control and making sure you use it properly. And it's also for your kids, right? I mean, Graham, you've got a kid and you've mentioned before that he's online a lot.
Troy Hunt
Oh yeah, he's, he really loves YouTube and things like that. Absolutely. And actually, I remember an old video that Troy put out on his YouTube channel where he was introducing his son, I think, to a site called code.org, which is basically teaches kids how to program and write little games and things. And it's fantastic. And so what I've tried to do is I've taken my child's interest in technology and things like that and said, look, if you're going to be stuck in front of a screen because it's a rainy day and you want that, let's at least—
Carole Theriault
Or you're addicted.
Troy Hunt
Well, or whatever, but let's at least get you programming. And he got such a thrill out of doing that.
Carole Theriault
Is he still doing it?
Troy Hunt
We haven't done it for a little while. Well, he's back at school at the moment, so he's just exhausted in the evenings, but half term's coming up and I'm sure we'll be doing it again.
Carole Theriault
Oh, cool. So how do we take back control? Just a few little things. And I know these aren't popular, but everyone who says they do them say it's great and it's worthwhile. I'm trying them. So this is turning off notifications. So anything that interrupts your thoughts or current activity. So in other words, go visit your WhatsApp feed and your Twitter feed when you're ready to do so rather than getting the feed, getting the notifications. Create specific no-screen time for the family, be it Tuesday night or whatever. But really, you were saying, go out and get some exercise. But you see, I go out for walks a lot and I, well, when I could walk, but I do it with headphones, right? I'm always listening to podcasts. So I kind of think I may have to unplug completely for a bit of the time. Set alarms. People say no screens rule in the bedroom. I've heard people have that rule. And turn off autoplay. I think that's a big one. Turning off autoplay can pull you out because you'll notice a lot of these apps, they hide the clock as well because I use my phone obviously as my watch, right? And they'll hide the clock. So sometimes I'll be on a feed, something reading, I read and I think, I wonder what time it is. And because it's not top of the phone, I'll actually go, I'll look later and carry on snarfling up the feed.
Troy Hunt
By autoplay, Carole, do you mean things like Netflix?
Carole Theriault
Yes. Or YouTube. So YouTube, you have a little toggle, right? Kind of, you know, you play a movie and then it'll you know, whatever, a little video, and then it'll just decide for you. And who's deciding that? So that's the other problem. They're deciding that based on the feeds, the things you've already watched. But what if you're watching something for research that I may not necessarily be interested in personally? I don't need them in my feed.
Troy Hunt
I think you make some excellent points here. I think—
Carole Theriault
Thank you very much, Graham Cluley.
Troy Hunt
I know. Oh gosh, I hope you're not going to capture that audio and use it against me. But I think that there is a real addiction problem with this technology, and we are teaching our kids to be addicted as well. And I think in many ways smartphones are the new cigarettes and people do get very twitchy if they haven't checked their feeds for a while or they haven't checked out Facebook on who's posting what. And we do need to try and be much more disciplined and grown up about this. And I think, I mean, I'm putting my hands up as well. Yeah, I say check out humane-tech.com. They've got some good information on their site. All right. Thanks very much.
Carole Theriault
This episode of Smashing Security is sponsored in part by Rapid7. Trusted by over 6,700 organizations globally, Rapid7 security solutions harness the critical information essential to protect an organization's best interest. Rapid7's InsightIDR has been named a Visionary in Gartner's latest SIEM Magic Quadrant. InsightIDR unifies SIEM, UBA, and EDR and is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting rapid7.com/insightidr. That's rapid7.com/insightidr.
Troy Hunt
And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture. You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING. That's metacompliance.com. And don't forget the code Smashing Security. On with the show. And welcome back. You join us at our favorite part of the show, which we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Pick of the Week.
Troy Hunt
Thanks, Graham.
Graham Cluley
Oh, geez. So Pick of the Week is that part of the show where everyone chooses something they like. It could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever you like. Doesn't have to be security related necessarily.
Carole Theriault
Graham, it's so weird that that is your pick of the week because only last night I was listening to the latest Sam Harris podcast, which was called AI Racing Towards the Brink. And it was a conversation with Eliezer Yudkowsky, who's a decision theorist, computer scientist, who is all about AI. And he was talking about AlphaGo and exactly this topic. So it's worth listening if you're into it, go listen to that podcast. It's quite interesting. And he's an interesting guy.
Troy Hunt
It was interesting. I mean, I personally would have preferred a little bit more depth in the documentary, I think, because I kept on thinking, You know, there are some scary things about this which aren't touched upon at all. It's more the, "Oh, isn't this a tremendous achievement?" And clearly it is a tremendous achievement from a programming point of view. Wow. You know, that they've managed to do this, but I think there's deeper stories to tell here.
Carole Theriault
Good. I'm glad you're finally getting a bit afraid about AI. I've only been barking about it for a year.
Troy Hunt
What, you think I haven't been afraid?
Carole Theriault
No, you're "Oh, sounds future stuff, Carole." Carole, go back to 1990. He's a son-in-law.
Troy Hunt
'91, I was terrified of Furbies.
Graham Cluley
That's a different issue.
Troy Hunt
Troy, what's your pick of the week?
Graham Cluley
Because I was too busy tweeting and I didn't really think about it in advance—
Carole Theriault
So cool.
Graham Cluley
I realized that it's a special privilege to be able to sit here and have connectivity that actually works across my entire house. And I wanted to talk about what I redid with my network a little while ago. I ripped out all the old crap, which was this sort of consumer-grade, the kind of box you get from your ISP kind of router deal, ripped it all out. And I went and bought a bunch of Ubiquiti stuff and put that in through the whole house. And my house glows at night now. Put it this way, I've got so many wireless access points and now what happens is I can go into this one central administration interface. I can see all the different devices around the house. I can see all the clients that attach to them, where they move around. I can remotely administer them. So I set up my parents and I set up my brother and I remote update stuff via the cloud, which is actually really cool because it actually updates. And one of the things I know— I'm getting really choked up. Everyone, I got really excited about these stupid things that, you know, in retrospect, they're stupid things. You know, I got excited about the fact that here I have firmware and software which actually updates.
Troy Hunt
Networks, you know.
Carole Theriault
Yes, well, I think that's a very good one.
Troy Hunt
I'm just amazed you have 7 access points.
Carole Theriault
This is a little bit bigger in Australia than they are in England.
Troy Hunt
That's what I was about to say. This is a huge difference between the UK and Australia, isn't it? They've got all that room.
Graham Cluley
But this is a nice thing, and you know, I can see them all here, so I can read through it and I can see I've got the front room, the garage, the living room, the lounge, the master bedroom, the study, the barbecue and the jet ski, and everything is on here. Yeah, yeah, no, Google it. Seriously, there's a blog post about it.
Troy Hunt
It's a real thing.
Carole Theriault
See, you're addicted, Troy. You're addicted.
Troy Hunt
Troy's actually recording this right now from the jet ski. That's something you have to remember. The quality is amazing.
Graham Cluley
Yeah, very good noise removal techniques on this microphone. But yeah, look, I mean, I have to do things like webinars. I do training remotely now as well. Having said this, none of this solves the problem that my outbound internet connection maxes out at less than 2 megabits a second up. So that still is a problem that even Ubiquiti can't fix.
Troy Hunt
Is that the problem of Australia basically being on the end of a yogurt pot and a piece of string?
Graham Cluley
Yeah, it's a little bit like that.
Troy Hunt
I remember in our days at Sophos, Carole, when we used to make videos and the upload speed from Sophos HQ was so bad I used to drive home to upload them from my home.
Carole Theriault
Yep. We would send you home.
Troy Hunt
Yeah. Horrendous. And who knows how much they were spending on their internet connectivity, but it was appalling, wasn't it?
Graham Cluley
Well, I'm finding I have to go outside and sit in the sun and enjoy the weather whilst this happens, which is terrible.
Carole Theriault
Oh, stop showing off. It's winter here.
Troy Hunt
It's always winter here.
Carole Theriault
Me and my fricking jet ski bombing around with my Wi-Fi connection.
Troy Hunt
Carole, cheer us up. We don't want to hear about his happiness any longer. Tell us what your pick of the week is.
Carole Theriault
My pick of the week. So we know Valentine's Day is fast approaching. And I had a big swanky foodie day at a Michelin-starred restaurant day planned out with my hubby. And because of— I had to scrap it all because of my little back snafu. So what to do, right?
Troy Hunt
You could have given your table to me, by the way. So I could have gone to your Michelin-starred restaurant.
Carole Theriault
Yeah, it's not cheap stuff here, Graham.
Troy Hunt
No, I'm just saying.
Carole Theriault
Yeah, well, anyway, look here, do this instead. Get your apron on, kids, because we're going to make a crepe cake because it's easy and it really is impressive, right? Literally, you just make a ton of crepes, stack them up, and between them put layers of delicious stuff. That's it, really. And it's good. Everyone loves it. Kids love it. Everyone loves it. I have a crepe recipe inside the show notes. It's a good one. And here's some favorite fillings. I'm doing this. I'm doing this. You ready?
Troy Hunt
So we've had Carole's Agony Corner and now we're having Carole's Recipe Corner.
Carole Theriault
It's Valentine's Day. I'm stuck at home feeling sorry for myself. I'm hoping my other half's going to make me a crepe cake. This is how I'm getting the message to him.
Troy Hunt
I hope he listens to the show.
Carole Theriault
Well, we're going to find out, aren't we?
Troy Hunt
Oh yeah, good test.
Carole Theriault
So no one tell him directly, please. So yeah, there you go. So check it out.
Troy Hunt
Well, thank you for that.
Carole Theriault
Great pick of the week.
Troy Hunt
Crepe pick of the week. Absolute crepe from Carole there.
Carole Theriault
Mine's the most delicious of the bunch.
Troy Hunt
Well done. And thank you to Troy as well for joining us. If you haven't already checked out Troy's blog at TroyHunt.com or his fantastic Have I Been Pwned project, which you should definitely sign up for so you get a notification if you're included in some of these ghastly data breaches, then please do so. And Troy, where's the best place for people to follow you? I guess it's on Twitter, isn't it? That seems to be where you are. You're there right now, aren't you? @TroyHunt. And if you're going on Twitter, you can also check us out. We're at Smashing Security without a G. Twitter didn't let us have a G. And maybe if you like the show, you might want to rate us on Apple Podcasts. It helps new listeners discover the show, which keeps us happy, and it entertains Carole Theriault as well if you leave a review, because at the moment she's stuck in her bed, unable to move. And the only thrill she gets is refreshing iTunes.
Carole Theriault
Graham, you do, you're very good because you do send them every time there's a new one, you send it to me and I really love reading them. So, more, long may it continue.
Troy Hunt
Well, let's hope your back fixes itself soon. Until next time, cheerio, bye-bye.
Carole Theriault
Later.
Graham Cluley
Thanks guys, bye-bye.
EPISODE DESCRIPTION:
A Namecheap vulnerability allows strangers to make subdomains for your website, Troy Hunt examines password length, and ex-Google and Facebook employees are fighting to protect kids from social media addiction.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest HaveIBeenPwned's Troy Hunt.