
077: Why Paris Hilton doesn’t use iCloud, lottery hacking, and Facebook dating

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

In fact, a US judge controversially ordered her to unlock an iPhone with her fingerprint. Now, the rule is, if you ever get caught by the authorities, by the feds—

Carole Theriault

Cut your thumbs off.

Graham Cluley

Yeah, cut your thumbs off quick.

Dave Bittner

Yeah, preemptively, just in case. You can never be too careful.

Carole Theriault

Bite it off with your

Dave Bittner

Bite it off and swallow those thumbs.

Carole Theriault

And then hope the fingerprint disappears before—

Graham Cluley

Oh my goodness.

Dave Bittner

Hope you have strong stomach acid.

Unknown

Smashing Security, Episode 77: Why Paris Hilton Doesn't Use iCloud, Ransomware Hacking, and Facebook Dating with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 77.

Carole Theriault

teeth if you have to.

Unknown

My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

Hi, Carole, how are you doing?

Carole Theriault

I'm fine, thank you. It's a beautiful beautiful day here.

Graham Cluley

And it's made even more beautiful by our special guest this week. It is the delectable, the delightful, the CyberWire's Dave Bittner. Dave, must be morning where you are at the moment.

Dave Bittner

Good morning, good morning, we've talked the whole night through. Good morning, good morning to you and you and you and you.

Carole Theriault

He's competing with David McKellen.

Graham Cluley

That's what he is, isn't he?

Dave Bittner

Coming after you, McKellen. There's only one David on this show.

Graham Cluley

I hope it's not raining where you're singing at the moment.

Dave Bittner

It is not. It's actually a beautiful spring day. It's lovely outside. And I'm sitting in a windowless dark room speaking to you all.

Graham Cluley

That's the pleasure of being a podcaster, isn't it? They lock us away.

Dave Bittner

So as promised on Twitter, we said there'd be singing. So there you go. Mission accomplished.

Graham Cluley

Because I think like David McCullough, you're a bit of a fan of the old musical theater from the sound of things.

Dave Bittner

I am. In fact, last week when you all were talking about chess, I must admit I still have the entire Chess soundtrack memorized. And I was a little bit— I was disappointed with Carole that you were unfamiliar with this. Where— what rock did you grow up living under that you did not—

Carole Theriault

Not under the musical— not the musical theater rock, obviously.

Graham Cluley

The Canadian rock.

Dave Bittner

The Canadian rock, right. If it had been Rush, then you would know— you would have known everything.

Carole Theriault

Ask me anything about how you make maple syrup, then I can answer you. Avril Lavigne.

Graham Cluley

Oh, wonderful. Bryan Adams. That's right.

Dave Bittner

Celine Dion. You're welcome. I guess the national tour of Chess never made it that far north.

Carole Theriault

Well, it just wasn't on my radar.

Graham Cluley

Right.

Carole Theriault

And despite being friends with Graham for 20 years, I am still none the wiser on musical theater.

Dave Bittner

It was.

Graham Cluley

What are you saying about me in musical theater? I'm not that big on music. I'm not like the Two Davids. I'm not them.

Dave Bittner

It's gonna be our new vaudeville show. The Two Davids.

Graham Cluley

I'm not in their camp, as it were.

Dave Bittner

Oh, I see. Okay, before this gets ugly, we should go to the ads. Fair enough. Geez, guys, gotta pay the bills.

Carole Theriault

Fist down, fist down.

Graham Cluley

What does that mean?

Carole Theriault

This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization. LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications. But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users. Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.

Graham Cluley

And welcome back. Now, fellows, I wonder if you are familiar with the name of Pezabakachadzayan.

Dave Bittner

I'm sorry, what?

Graham Cluley

Pezabakachadzayan. Pezabakachadzayan.

Carole Theriault

Oh, that's nice.

Graham Cluley

You have to imagine— Easy for you to say. So, Pezabakachadzayan, I'm not actually completely sure of how to pronounce it. I've been on YouTube, I've looked up news reports. Everyone seems to be trying to avoid saying the name of this Armenian hacker.

Carole Theriault

Why don't we say Pejtsar then? Just say his first name. Pejtsar.

Graham Cluley

Pejtsar. Oh, I think, I think Pejtsar is actually a lady, Carole. A lady from Armenia. Armenia, of course, famous for Charles Aznavour. And also for Pejtsar Bakachadzayan. And you may remember her.

Carole Theriault

Okay.

Graham Cluley

Because two years ago in 2016, if you remember that glorious year of 2016, she was accused of identity theft. In fact, a US judge controversially ordered her to unlock an iPhone with her fingerprint. Okay, now the rule is, Carole and David, if you ever get caught by the authorities, by the feds, cut your thumbs off. Yeah, cut your thumbs off quick.

Dave Bittner

Yeah, preemptively, just in case. Yeah, just bite it off and swallow those thumbs.

Carole Theriault

Yeah, you have to swallow it. Of course you would, right? Yeah, and then hope that the fingerprint disappears before—

Graham Cluley

Oh my goodness.

Dave Bittner

Hope you have strong stomach acid. That's right.

Graham Cluley

Whose job would that be? Anyway, so the thing is that you can be compelled by the authorities and she was compelled. A judge said, yes, you know, you do have to put your fingertip on this Touch ID sensor thing on this iPhone, where she wouldn't have had to have handed over her PIN or passcode.

Carole Theriault

Oh, this is the Fifth Amendment thing, right? Where you can't compel someone to say anything that incriminates them.

Graham Cluley

That's right.

Carole Theriault

But you can force someone to put their fingerprint and reveal the same information.

Graham Cluley

Now, as it turns out, she was probably the first or second person who was ever compelled to push her finger on an iPhone by the authorities, but it turned out it wasn't very helpful. According to her attorney, George G. Mijigzian, they got her to use all 10—

Dave Bittner

I'm batting 1,000 today with these names.

Carole Theriault

I know, you'd think you'd do a bit of homework and recon first.

Graham Cluley

I tried, I really tried. They forced her to use all 10 fingers. I don't know if they tried her toes as well to unlock the phone, but it didn't unlock at all, right? And so they said to her, what, can you just tell us the password please? And she said, well, it's not my phone. She said it's not my— the suspicion is that it belonged to her boyfriend, who was some kind of Armenian gangster. Anyway, she was done for identity theft, and I think she was put away for a couple of years. Well, she's in the news again because Pitsa Bispghanbian has just been sentenced to 57 months in prison in connection with hacks against no less an admirable figure than that of socialite and DJ Paris Hilton. Paris is a DJ? Oh yeah, everyone's a DJ these days, Carole. It's amazing. You can put a microphone in front of anyone and they think they're somehow professionally qualified.

Dave Bittner

Well, I know I am.

Carole Theriault

So why Paris Hilton?

Graham Cluley

Well, the thing is that poor old Paris, a couple of years ago, someone, a hacker, broke in. They stole her emails, nude photos, and credit card details.

Carole Theriault

They were lying around her house?

Graham Cluley

No, no, no. They broke into her iCloud account.

Dave Bittner

Oh, okay.

Carole Theriault

Gotcha.

Graham Cluley

They caused approximately— I'm going to just list some of the things which happened because it is quite serious stuff.

Carole Theriault

Okay.

Graham Cluley

The hacker caused $130,000 worth of damages, allegedly. They impersonated Paris Hilton. They duped her phone company in order to hijack her mobile devices, and they got access to her WhatsApp conversations and photos and videos and texts. They contacted Paris Hilton. So having hacked Paris Hilton, they then contacted her, said, hey Paris, I don't know if you're aware, but there is some other woman who's hacked into your accounts and is trying to sell all your details to the media and your pictures and things.

Dave Bittner

So, okay, yeah,

Graham Cluley

Their name is probably Punsha Btungbung, which is completely different from Pitsa. But they also contacted Paris's personal assistant claiming to be Paris and saying, could you just wire $50,000 into this bank account?

Dave Bittner

someone who's totally not me.

Graham Cluley

And apparently sent some extremely rude messages, which Paris insists she's not in the habit of being that rude.

Carole Theriault

So basically they got access to her username and password and then—

Graham Cluley

There's more. There's more.

Carole Theriault

Okay. Sorry. I'm just trying to understand.

Graham Cluley

Yeah.

Dave Bittner

Okay.

Graham Cluley

Sorry.

Carole Theriault

Carry on.

Graham Cluley

They targeted Paris's parents. So Rick and Kathy Hilton, trying to get them to wire money through after failing to get it from the PA. They tried to gain access to Paris's house in a gated community, presumably having found out her address from her information online. They booked a penthouse suite at the Roosevelt Hotel in Los Angeles. That should have been the giveaway. Why wasn't she staying at Hilton? And tried to throw a New Year's party on her credit card, tens of thousands of dollars worth of champagne. So all in all, she can afford it. Quite serious, right?

Carole Theriault

Yeah.

Graham Cluley

Now Paris turned up for sentencing this week, and I have to say she looked very glamorous. There are videos of her online. She's dressed up to the nines.

Carole Theriault

Can we see? Can we see?

Graham Cluley

Yeah, we've got a little video there you can check out.

Carole Theriault

Hey Paris, how'd it go in there? Oh wow, look at the glasses. She has pearl-encrusted sunglasses on.

Graham Cluley

She is dressed up to the nines, but at sixes and sevens with Apple over the iCloud security. And her message to the world is don't trust the iCloud. She says she doesn't use it anymore.

Dave Bittner

Are you going to switch from iCloud, or are you going to still be using an iPhone?

Carole Theriault

I don't use iCloud at all. I haven't since this happened. I don't trust it. So she doesn't trust the iCloud. We don't happen to know what her password was.

Graham Cluley

We don't.

Carole Theriault

Okay.

Graham Cluley

Not on this occasion, because I've been following Paris Hilton for some time. Not in the sort of stalky identity theft kind of way.

Dave Bittner

Oh no.

Graham Cluley

But way back when in 2005, when I was a young whippersnapper, she had her T-Mobile Sidekick hacked. Do you remember the Sidekick? No. The Sidekick was a little PDA which people had before iPhones. It was the really cool trendy thing which all the celebs had for texting. You know, I'm going to text Nicole. Yeah. T-Mobile Sidekick was beloved by American celebs, and she made the mistake of, you know, those password reset questions where they ask, you know, what's your mother's maiden name or that. She— one of her questions was, what's the name of your favorite pet or whatever? And she chose the name of her pet Chihuahua, Tinkerbell. And it wasn't hard to find out the name of her Chihuahua because she carried it around with her everywhere.

Dave Bittner

It was an accessory.

Carole Theriault

Yeah, nothing to do with me, nothing to do with me.

Graham Cluley

She once lost it, offered a $5,000 reward.

Carole Theriault

That was a while ago though. We'd only been banging on about passwords for about a decade then.

Graham Cluley

Well, yeah, I think that was way back in 2005. All I'm saying is this isn't her first experience of being hacked. And of course she's been used as a lure many times. We've "click here to see the Paris Hilton sex video," but this was obviously pretty nasty. Now she's tweeted up a picture of herself looking suitably poised, saying, karma has no menu. You get served what you deserve. So she's obviously very pleased that Patsapat Jitipaiang has now been sentenced to 57 months in prison for this. And it was obviously a very distressing time, not just for Paris, but also for her family and others. Now, a lot of people think Paris Hilton is a bit of an airhead, but I actually think she's quite sharp because she's made a career for herself with— I don't know what her DJ talents are, but somehow she has made herself a fortune by basically just turning up to other people's parties, hasn't she?

Carole Theriault

No, that's your dream job, isn't it, Graham?

Dave Bittner

No, no, she's made herself a fortune by being an heiress. Yeah, well, well, she kind of started off with a little head start being the heiress to the Hilton fortune. I mean, let's not leave that part out.

Carole Theriault

Yeah, the diamond-encrusted spoon.

Graham Cluley

Yeah, I mean yes, I know, but she's obviously augmented this enormously, hasn't she, by endorsements and rocketed to fame with a stolen sex tape, as you do. Well, maybe you do, Dave. But you know, she's kept herself in the spotlight. She's realized that she has a certain celebrity cachet. I mean, you know, but she's—

Carole Theriault

I think you have a thing for her because I think you'd be a little outraged if it wasn't her. I think you've got a little—

Graham Cluley

Well, no, I— well, look, we don't know that she did anything dumb here, right? Here's the lesson from this, right? I think she's been a bit mean on iCloud because who knows what other cloud services this could have happened with. My big question would be, did she have two-factor authentication enabled on her iCloud? My suspicion is that like many, many people at the time, she did not. Now Apple's become more aggressive about pushing you to enable that kind of feature these days. And so hopefully more people have, but I suspect there are many who haven't. We'll include a link in the show notes telling people how exactly to do that. But I don't think anyone deserves this to happen to them, whether they're huge celebrities like the CyberWire's Dave Bittner.

Dave Bittner

Thanks for putting that bullseye on my back.

Graham Cluley

Smashing Security's Carole Theriault. All ends of the spectrum, right? I mean, it's— could have been Steve Gibson from Security Now, you know. There you go. Yeah. I don't know what he calls his chihuahua. David, what's your story for us this week?

Dave Bittner

This story captured my imagination. This reads like a true crime novel. This is from the New York Times. The author is Reid Forgrave. Imagine you're Rob Sands, a mild-mannered prosecutor with the Iowa Attorney General's Office. He's given a case involving an unclaimed winning lottery ticket that's worth $16.5 million.

Carole Theriault

Whoa!

Dave Bittner

And they're not even sure that a crime has been committed. They have the serial number of the winning ticket, and they have security camera footage from the gas station where the ticket was purchased. And that footage shows a middle-aged overweight man wearing a— wait for it— hoodie. And he purchases the winning ticket. Now, the lottery in their history had never had a ticket worth more than $1 million go unclaimed. So time passes and they keep reminding people who live near here that, hey, this ticket is out there. Of course, several people try to claim the ticket, say I lost it, or, you know.

Carole Theriault

So the lottery is saying there's no such thing as this ticket because we don't have any ticket, we don't owe any money, we don't owe $16 million.

Dave Bittner

No, no, no, the lottery is saying this ticket is out there, we know the serial number of this ticket, we have video of the person who purchased it.

Graham Cluley

Why on earth haven't they come and claimed it? Yeah, how does the lottery know?

Dave Bittner

Why haven't they come forward to claim their $16.5 million? Where is this middle-aged overweight man wearing a hoodie? Exactly.

Carole Theriault

Okay, with you.

Dave Bittner

So hours before the deadline for claiming the prize, lawyers show up at the lottery's offices and they're claiming the prize on behalf of a trust whose beneficiary is a corporation in Belize. Now, unsurprisingly, this raised the attention of the Iowa Attorney General's Office. They opened an investigation. So time passes and this investigation is going nowhere. Years pass.

Carole Theriault

Okay.

Dave Bittner

Now, they don't pay out the money.

Graham Cluley

Yeah.

Dave Bittner

But they decide they're going to release the security camera footage of the person buying the ticket, so they make that public. And that footage has audio of the customer interacting with the store clerk.

Graham Cluley

Okay. Do you want a sandwich? No, thanks.

Dave Bittner

Turns out several people recognize the voice of the person buying the ticket, and they identify the person as belonging to one Eddie Tipton, who was employed as— wait for it— information security director for the Multi-State Lottery Association.

Carole Theriault

Shut up!

Graham Cluley

You know, that is a spot of bad luck, isn't it? Because you just happen to work—

Dave Bittner

What are the odds?

Graham Cluley

You happen to be in charge of IT security at the lottery, and right, oh darn it, I haven't won $10, I've won $16.5 million. Yeah, people are going to be a little bit suspicious.

Dave Bittner

What am I going to do?

Graham Cluley

What I'll do is I'll set up some fake company in Belize and get some lawyers to represent me, see if they can get the winnings.

Carole Theriault

Okay, shush, shush, Graham, I want to hear what happens next.

Graham Cluley

All right, okay. So what he did—

Dave Bittner

So, all right, so how did he do it? So what he did was he was the person who wrote the code for the random number generators.

Carole Theriault

Oh my God.

Dave Bittner

And so what he did was— this is actually quite clever— he inserted code that on 3 days out of the year, instead of using a random seed for the random number generators, it would insert a known seed which would reduce the pool of potential winning numbers to just a few hundred possibilities instead of about 11 million possibilities. So not stupid, not stupid. A very lightweight code.

Carole Theriault

Yeah, didn't really increase the file size and deals with his own guilt in that there is still the possibility of getting winning or not winning, right? Well, lowers the pool.

Graham Cluley

If you buy a few hundred tickets, I expect there was—

Dave Bittner

There will still be winners, right? It's not like he'll be the only winner. There will still be winners, so it won't seem like there's anything out of the ordinary. He has to go buy a few hundred tickets with every possible combination and then profit.

Carole Theriault

But that in itself looks a bit suspicious. But anyway, carry on.

Dave Bittner

Well, but there's more to the story.

Carole Theriault

Oh, okay, okay, I love it.

Dave Bittner

So they go searching back to find the history of Mr. Tipton, and they find that this jackpot wasn't the first winning ticket associated with Mr. Tipton. His brother had won $568,000 a decade earlier.

Carole Theriault

Yeah.

Dave Bittner

And his best friend had won $783,000. Each of them totally coincidentally on one of the 3 lucky days that occurred every year.

Graham Cluley

Lucky days. Wow.

Dave Bittner

Now another part of this story is the investigators made use of social media accounts to help connect the dots and find some of the people who helped him with this. And there were people who were in on it, like his brother and his best friend, but there were also sort of unwitting accomplices who he— he had an ex-girlfriend who he said, listen, since I work for the lottery, I'm not allowed to win, but I happen to have this winning lottery ticket for $20,000, and if you will go cash it in for me, I'll give you a few thousand dollars.

Carole Theriault

Everybody, give you a few grand, we'll call it a day, right?

Dave Bittner

So in the end, he was sentenced to 25 years in prison. He's expressed remorse for what he did. He will likely— he'll likely be out in 7 or so. But clever gentleman got carried away. Crime does not pay.

Graham Cluley

It's— I have to say, what a great story.

Dave Bittner

It really is. And please go check out the story because there are— I've had to leave out a lot of the details for time and it reads like a true crime novel. It is a compelling, fun read.

Graham Cluley

Yeah. And what brilliant work by the authorities as well to actually identify what was going on. My feeling is that he must have thought, oh no, why have I won so much? Because the fact that it was $16.5 million rather than, for instance, $500,000 or something like that.

Carole Theriault

First world problem, eh? First world problem.

Graham Cluley

It actually made it worse, didn't it? And then they had to come in at the last minute to try and collect the cash.

Dave Bittner

That's what unraveled the whole thing.

Graham Cluley

But also there's a moral here about the insider threat. You know, who's going to watch the watchers? You've hired people to stop hackers coming in to maintain the security of your systems. But what if those infosec people themselves are actually a bit bent?

Carole Theriault

So what would have happened, do you think, if he had basically anonymously sent the winning lottery ticket to a charity? Or to a worthy nonprofit?

Dave Bittner

Well, one of the rules in the Iowa Lottery is that you have to identify yourself in order to win. So you cannot win anonymously. It's a law out there.

Carole Theriault

And that's a state— that's like a state-by-state thing.

Dave Bittner

I believe so. And here in the states, you have state-run lotteries, and then you have these multi-state lotteries, which are the big prizes. They usually call them Powerballs.

Carole Theriault

Not like pennies, like $16.5 million.

Dave Bittner

Well, but those are the ones that get up to those big prizes. So this one that he won for $16.5 million, that would have been in a multi-state prize.

Carole Theriault

Oh right, okay, I see.

Dave Bittner

Yeah, but that's what he was in charge of. And they were lucky that they had the old computers in storage that had his rogue code in it. They were able to pull them out of storage, have someone go audit the code, and that's when they found it.

Graham Cluley

If I remember correctly, 'cause I remember this case coming up, he actually disabled some of the security cameras which were watching the servers or something like that.

Dave Bittner

Oh, I don't know, I didn't see that detail in the story. You should just do a little bit of Googling, man.

Graham Cluley

No, no, no, I remember writing about this. A while back, and I think that's when he installed this bit of code or something. It's just a few suspicious minutes. But of course, being the IT security guy, he had access to those systems. It is a fascinating case, and, you know, it's a salutary warning to all of us. 7 years at least in the clink. Oh, you think I'm smart? What's wrong with you now, Carole?

Carole Theriault

Nothing, nothing. I think it's genius. I think there's movie rights here. I think someone should write this up. David?

Graham Cluley

He just has.

Carole Theriault

Yes, right. Just add a bit of color and then we'll sell it.

Dave Bittner

Well, you know, it's going to be a musical.

Graham Cluley

Money, money, money. Carole, what's your story for us this week?

Carole Theriault

Imagine you have this really connected buddy. Now we're talking really connected. You know, a pal that knows everybody and promises to introduce you to new and exciting people. People with whom you just might be interested in having a bit of romance with. Now there's a problem. This buddy of yours very recently seriously let you down. Guess how? By sharing all your personal secrets and the secrets of your closest friends with God knows who.

Graham Cluley

Hmm.

Carole Theriault

So now they're sitting there going, they got caught and they're saying, sorry, sorry, sorry, won't happen again. But what do you do? Do you trust them to help you find the love of your life, or do you laugh and walk away?

Graham Cluley

Right?

Carole Theriault

I think it depends on how desperate you are for love. I mean, loneliness is reported to be at an all-time high these days, so maybe people are just desperate.

Graham Cluley

You're not talking about me, Carole. Have I done something that's upset you? I'm wondering where this is going.

Dave Bittner

Do I need to step out of the room for a few minutes while you two work this out?

Graham Cluley

Are we really going to do this on the podcast?

Carole Theriault

Graham, it's about time. I just need an explanation. I want to understand why at the latest Facebook annual developer conference, Mark Zuckerberg announced that Facebook was moving into the online dating service. So today we are announcing a new set of features coming soon around dating.

Dave Bittner

This is going to be for building real long-term relationships.

Graham Cluley

All right, not just hookups.

Dave Bittner

If you want, you can make a dating profile, and we have designed this with privacy and safety in mind from the beginning.

Graham Cluley

You're only gonna be suggested people who are not your friends. Right?

Carole Theriault

And he's saying 200 million Facebook users are listed as single on the app, and the Facebook CEO says he wants to help.

Dave Bittner

Because if there's one thing we know about Mark Zuckerberg, it's that he's looking out for us. Others.

Graham Cluley

Yeah, exactly.

Carole Theriault

Now, he's trying very hard not to compete with Tinder. So he said quite clearly that this will be focused on love and not hookups. Recode quoted the Zuck saying, you know, when he was reflecting on his empire, he said, if we're focused on helping people build meaningful relationships, then this is perhaps the most meaningful of all.

Graham Cluley

What? If there's one person I wouldn't trust for dating advice, it would be Mark Zuckerberg. Yeah, he must be the most uncomfortable, awkward person imaginable. It's like, we all saw him in those videos giving testimony, you know, reach for glass.

Carole Theriault

And they're still neck-deep down the merde, you know, with this personal privacy scandal involving Cambridge Analytica. So why during that time, why aren't they kind of going, hey guys, look, we're adding all these new privacy widgets to make, you know, to gain your trust. And instead, they're just asking for more information from its users. So am I missing, am I missing a play here?

Dave Bittner

I think it's another example of how tone-deaf they seem to be when it comes to these sorts of things.

Carole Theriault

Yeah.

Graham Cluley

Well, and also how tone-deaf maybe the users are too. I mean, there's, I think we're still waiting to see whether there's been a noticeable impact upon Facebook's numbers by all these scandals, whether people are still as knitted into the social network as ever. And something like this may make them even more sticky.

Carole Theriault

Yeah, the expression they're saying at the moment, it's gonna be free to use and free of ads. And just think, it's probably a digital crack model being used again, you know, get them hooked and then slowly start introducing targeted ads. I mean, they're not a nonprofit, right? So they're not just doing this for the love of it, no matter what he says.

Graham Cluley

No.

Carole Theriault

So there's got to be money-making somewhere here.

Dave Bittner

I did see a story recently, someone would make the point that if you really wanted an accurate dating service, then Google would be the one to run it because they know everything about you. They know the real you based on everything you search for. So there's the you that you put in your dating profile, which is the idealized version of you, but Google knows what you search for in the middle of the night. And so—

Graham Cluley

They could grass you up. Well, you could say, oh, you think you're the only one he's chatting with? There's all these other people. Or did you know about his fetish?

Dave Bittner

Exactly. So they can find people who have the same dark secrets that you do and connect you.

Carole Theriault

Oh my God, do you really want your dark secrets being reflected back at you?

Graham Cluley

Musical theater.

Dave Bittner

As creepy as it is, if you want to find happiness, then I guess finding someone who shares the same interests that you do would probably be a good thing.

Carole Theriault

I wonder if Facebook— because you have to create a new account, so it's a separate dating profile. So somehow you access this new profile through your existing Facebook profile.

Graham Cluley

Right.

Carole Theriault

But potential dates will see your special dating profile instead of your standard Facebook profile. This is easy. I don't even understand how this all works. But essentially they're kind of separated. And I was wondering whether Facebook just wants to see how profiles compare. You know, the dating one being, I'm in perfect shape, I look fantastic. A bit like Trump's doctor said his health was. Right, versus the reality or what they say on their— with their friends and family.

Graham Cluley

It doesn't sound like people would find this at all confusing doing that. So would you be able to have a different date of birth or different age on the data? Because that's what everyone does, doesn't it?

Carole Theriault

And we don't know a lot about it because it's only coming out in a few months. So I'd say look out for it or perhaps steer clear of it in the next few months when it starts making its play.

Graham Cluley

One of my aunts— well, one of my wife's aunts recently passed away, sadly, and it turned out at her funeral that she'd been lying about her age the entire time, and she was 5 years older than everyone believed because she didn't want people to know. But I wonder whether— yeah, what sort of cross-pollination there'll be between the real profiles and the fake ones.

Carole Theriault

Yeah, but I just find it just staggeringly shocking that they're not still mea culpaing, because I think they ought to be. And instead, during the mea culpa, we're also launching this service where we can even get more of your stuff. And don't worry, it's gonna be safe, it's gonna be safe, gonna be safe. Don't worry, don't worry, don't worry, don't worry.

Graham Cluley

Well, Facebook does have a history of saying sorry, but it doesn't necessarily have a history of then fixing things.

Dave Bittner

Exactly.

Graham Cluley

Mm-hmm. There was an interesting article I saw where they were cataloging all of the apologies that Mark Zuckerberg has given over the years and we're gonna be better in the future. And it's like, wow, this was years ago. And yet the same problems keep on occurring again. And also dating sites, that's valuable information, potentially very sensitive information as well.

Carole Theriault

Exactly.

Graham Cluley

It's a good thing that there have never been any dating or hookup sites that have suffered badly at the hands of hackers like Ashley Madison or anything like that.

Carole Theriault

Exactly. Didn't we talk about one just a few weeks ago?

Graham Cluley

We're always talking about one.

Carole Theriault

It was Grindr, wasn't it? Grindr? It was Grindr, I think.

Graham Cluley

Yeah, yep, yep. So, Carole, are you signing up? Are you going for it?

Carole Theriault

Oh, definitely. Yeah, I plan to reactivate my Facebook account, get right on board.

Graham Cluley

Oh yeah, because we're not Facebookers anymore, are we?

Carole Theriault

No.

Graham Cluley

Are you missing Facebook at all?

Carole Theriault

Yeah, I've been crying so much. I was at— I was on the Devon coast this weekend. It was a glorious weekend, and, yeah, very beautiful. And I didn't miss— I had no coverage, thanks Three. And, you know, but it was quite freeing.

Dave Bittner

So yeah, maybe I'll just sign up as Graham Cluley since you're not on Facebook anymore and see what happens. See who—

Carole Theriault

See what happens.

Dave Bittner

Who wants to have a dream date with Graham Cluley?

Graham Cluley

I'm sure there's someone out there. Yeah, we'll find them.

Carole Theriault

I doubt it. Don't count your chickens just yet, honey. This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass.

Graham Cluley

Right, okay, that's wonderful. Thank you. And welcome back, and you join us at our favorite time of the show. It's the part of the show that we like to call Pick of the Week.

Dave Bittner

Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, an app, a website, a podcast. Whatever you like. It does not have to be security-related necessarily.

Carole Theriault

At all.

Graham Cluley

And my pick of the week is a website this week. Now, if you're the kind of person whose night can be completely and utterly ruined and you end up in a wobbly puddle of tears because a dog dies in a movie, something like that, then I've got the website for you. It's called www.doesthedogdie.com. And you can go to this website and it will tell you whether a dog dies in the movie or a cat.

Carole Theriault

Okay, I am a dog and cat lover and I think this is really a ridiculous Pick of the Week.

Graham Cluley

What do you mean ridiculous? No, it's quite handy.

Carole Theriault

Is it?

Graham Cluley

Do you remember Dexter the emotional support peacock? This is the kind of website those sort of people need.

Dave Bittner

Turner and Hooch.

Carole Theriault

So what, you're just not going to watch? You just close your eyes when something bad happens?

Dave Bittner

No, this is very useful. You're scrolling through the movies that you think you want to watch and you say, "Oh look, it's a delightful buddy cop movie with a dog. Well, before I'm going to commit myself to this emotionally, I'm going to go to 'Does the dog die?' and see if it's worth my time or not." I have a secret for you.

Carole Theriault

If it says drama, it dies. If it's comedy, it lives.

Graham Cluley

But some comedies aren't very good, Carole. Oh, that's true. And the dog might die. Or it might be a gross-out comedy where the dog dies.

Carole Theriault

You might be repeatedly— Over and over and over again.

Graham Cluley

Like Groundhog Day.

Dave Bittner

Or National Lampoon's Vacation.

Carole Theriault

That's a great movie.

Graham Cluley

Don't horrible things happen to the cat in Meet the Parents? Does he get electrified or go down the loo or something? Again, traumatic things.

Carole Theriault

Yes.

Graham Cluley

I'm sure doesthedogdie.com would cover that. And it's not just dogs and cats. It also checks for other triggers like, are there any clowns which appear in this movie? Or if shaky cam is used. Now they have catalogued 5,683 movies at the time of recording.

Carole Theriault

All right, so practically covered everything that's ever been done.

Graham Cluley

517 TV shows and a frankly rubbish 247 books. But I think this is—

Carole Theriault

They mention a clown on page 27, skip it. Do they tell you when to fast forward? Maybe you could just watch the movie but miss the 30 seconds.

Graham Cluley

You can— don't criticize the number of movies.

Carole Theriault

Is this crowdsourced? So we're watching it?

Graham Cluley

Yes, of course. There's not one lunatic who's going through movies looking for shaky cam and clowns.

Dave Bittner

No, because that never happens.

Graham Cluley

The cow gets paint on it.

Carole Theriault

It always starts with one, Graham. It always starts with one, and then there's a hanger-on that takes over.

Dave Bittner

Yeah, it's just like I was saying earlier about these are the— they know what you search for in the dark of night. This is the— this person found—

Carole Theriault

What do you search for, David? Because I'm getting interested now.

Dave Bittner

Musical theater history. You got a problem with that?

Carole Theriault

Because I searched like how to make a risotto.

Graham Cluley

A risotto? It's a risotto. Anyway, that's why doesthedogdie.com is my pick of the week. Thank you very much. Pick of the week.

Dave Bittner

Excellent.

Carole Theriault

Better be better than Graham's, just saying.

Dave Bittner

My pick of the week, which I would say is as good as Graham's excellent pick, is a game, and this game is called Kingdom Rush. It's not a new game, but it is a fun game. It's a game that I have been playing for several years now, a game that I enjoy playing with my young son who's 11 years old. We will sit on the couch together with an iPad and we will play this game together. We will team up and play this game.

Carole Theriault

Here I was imagining him running through the fields outside.

Dave Bittner

Yeah, well, he does that too—but then he comes home to me and we sit on the couch and we play together. This is a tower defense game, is the genre.

Carole Theriault

Oh, I like that.

Dave Bittner

But what I love about this is that it is witty, it is funny, they have a good sense of humor, and sprinkled throughout are all sorts of pop culture references, everything from the Sand People from Star Wars to Indiana Jones. So there's all sorts of fun little things along the way, little cute sound effects. It's a delightful game. And you can drop in and play for 20 minutes if you have some time to kill. You could blow an entire day playing this game, but it's hours and hours of fun. If tower defense games are your sort of thing, I highly recommend this.

Carole Theriault

What age would you say?

Dave Bittner

I'd say probably 10 and up, something like that. And there's not— okay, there's cartoon violence. There's orcs being killed and you know, you're launching arrows and spells and things like that.

Carole Theriault

But not for the faint of heart.

Dave Bittner

There's blood, but it's not gruesome or anything like that.

Carole Theriault

It's not red, it's blue, so it's fine.

Graham Cluley

Has it been categorized on doesthedogdie.com? I don't know if they do video games.

Dave Bittner

That's a good question. Do they do video games?

Graham Cluley

Ask Graham. I don't know.

Dave Bittner

Doestheorcdie.com. Graham, I think we're onto something here. So that's my pick of the week, Kingdom Rush. Check it out. But there are several sequels to this game, but it's hours and hours of great fun, so enjoy.

Graham Cluley

I'm impressed you managed to get out a daily CyberWire podcast if you're playing this. This sounds very addictive. Yeah. Yes, it is. Right, exactly.

Dave Bittner

Something happened today,

Carole Theriault

So this weekend was a long one. And we went off to celebrate my father-in-law's 70th birthday in Devonshire, which is close to Plymouth. Now, this is a drive that normally takes me about 3 hours, and it took 8. It was bumper-to-bumper traffic. So I was, you know, as wonderful as my husband is, I was very happy that I downloaded a pretty recent podcast thriller from Gimlet called Sandra. Now, the story's quite fun.

Dave Bittner

I don't know.

Carole Theriault

So you basically follow Helen, and she gets a job at a tech company called Orbital Dynamics. So think Amazon or Google, something like that. And the company is known for its great helpful AI called Sandra. So think Siri or Alexa. Now, while Sandra is revered by most as one of the best and most wonderful AIs, in reality, the whole service is powered by humans who are pretending to be a machine who is pretending to be human. How crazy is that?

Dave Bittner

Oh, orcs! Ow!

Carole Theriault

So there are 7 episodes, they're 30 minutes long, it's a bit ad-heavy, but the flow works, and you know, you weren't getting frustrated with it with a number of ads. There is one single problem: the end. It hangs. There's no conclusion, there's no hook. It's a dribble. So listeners beware. And that is frustrating, isn't it, when a story is kind of good? And especially, they call it a thriller themselves. I think that means there should be a conclusion. Of some sort.

Graham Cluley

Is there going to be another series of it or something?

Carole Theriault

I suspect there'll be another season, but they haven't confirmed that. But I just think even if you're planning two seasons, you can still have a mini end at the end of a cliffhanger or something. And they say they released all their episodes in late April, so there are 7 episodes. Maybe they're gonna release a bonus 8th one later on, but I just find it a bit irritating if that's the plan. Anyway, other than that, it's very good. I think it's worth listening. If you're on a long car drive, have a go. It's quite fun. And even Ethan Hawke's in it, you know. So he plays this power-hungry disaster of a boss, a bit like David Brent from The Office. So he's quite good at it. His voice gets all squeaky and stuff, same as it was when he was 20. There you go. So Sandra from Gimlet.

Graham Cluley

Carole, what's your pick of the week? Okay, well, I think we've all— can I say all of us, 100%, absolutely all of us have had wonderful picks of the week this week. So well done us. Especially yours. Well, that just about wraps up this show. David, if people want to follow you and the CyberWire online, what's the best way to do that?

Dave Bittner

Go to thecyberwire.com. You can find everything there.

Graham Cluley

Fantastic. And you can follow us on Twitter @SmashinSecurity, no G. Twitter won't allow us to have a G. And you can buy stickers and mugs and t-shirts and things at smashingsecurity.com/store. Thanks for tuning in. If you like the show, rate it on Apple Podcasts. Thanks to everyone who's done that.

Carole Theriault

We've had a few new ones, quite a few new ones last few weeks. So thanks so much.

Graham Cluley

Yeah, I saw your one, Carole, actually.

Carole Theriault

I did, didn't I do it at one of the end of the last episodes? I said I was the best.

Graham Cluley

Yes. She said Carole's the best. So that was a really great review. Thanks, Carole. Anyway, it does really help new listeners discover the show and you can listen to past episodes at smashingsecurity.com as well. Until next time, cheerio, bye-bye, adieu. Sorry, I did go on a bit, didn't I?

Carole Theriault

No, no, shush, shush, shush.

Dave Bittner

Shush, shush, shush.

Carole Theriault

Don't speak.

EPISODE DESCRIPTION:

The tricky-to-pronounce Paytsar Bkhchadzhyan is jailed for hacking Paris Hilton, we hear the story of the man who hacked the lottery and almost got away with $16.5 million, and Facebook thinks it is the perfect partner to find you a date.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by the CyberWire's Dave Bittner.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: Dave Bittner.
