This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
And this data dump contained over 280,000 text messages which were sent and received by one of Paul Manafort's daughters.
Graham Cluley
So, hang on, one of his daughters sent and received 280,000?
Carole Theriault
Yes!
David Emm
Is she a bot?
Unknown
Smashing Security, Episode 95: British Airways Hack. Mac apps steal browser history, and one person has 285,000 texts leaked with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 95. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
And we are joined this week by— well, he's sort of a new guest and he's not a new guest because we tried to get him on a couple of weeks ago, didn't we?
Carole Theriault
Yes, we had some sound issues, if I remember correctly.
Graham Cluley
So David Emm from the Global Research and Analysis team at Kaspersky Lab. What on earth were you doing in that wind tunnel? Why couldn't we hear you properly?
David Emm
Well, you know, the things I do for work. No, we had a hardware problem, Graham, and problem with any of the microphones I tried. Hopefully this is much clearer.
Carole Theriault
Now I want to ask about David's name. So I've never heard the name Emm before. It's spelled E-M-M, right?
David Emm
It is.
Carole Theriault
And is that well known? Is that something that you run across often, or—
David Emm
It's a pretty unusual name. I mean, there's a cluster of Emms around the Salisbury region, which is where my dad was from, and one or two dotted in other places of the country.
Carole Theriault
But were you guys hiding from cops, you know, so I can just see the cops asking, what's your name? Uh, David Emm.
David Emm
Yeah, yeah, yeah. Well, I don't— not as far as I know.
Carole Theriault
Oh, we don't know of a checkered past.
David Emm
As far as I know.
Graham Cluley
Well, I would imagine if M was going to hang out anywhere, it might be not that far away from Terry O.
Carole Theriault
Jesus. MetaCompliance, the security e-learning experts. Make learning best practice engaging and fun through stories, realistic scenarios. The MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance. MetaCompliance.
Graham Cluley
Okay, well, there's been some bad news potentially for fans of the Mac App Store, the default place where Mac users tend to download their programs after they've been vetted by Apple.
Carole Theriault
Talking about their problems.
Graham Cluley
Well, there are problems, Carole, because lots of people imagine that apps which are downloaded from the Mac App Store are safe because they've been tested.
Carole Theriault
Oh, because you have told them that repeatedly over the years, saying to people, you should definitely go to the App Store because things are vetted and it's more likely that they're safe.
Graham Cluley
Well, it's true that at least someone has looked at the programs, whereas if you get them from any Tom, Dick, or Harry website, there's no guarantee that anybody's had a third-party look at them. But it doesn't mean that the Mac App Store is entirely safe. And in the last week or so, there have been a number of apps which have been booted out from the Mac App Store after being found scooping up users' private data, such as their browsing history, in the background. Naughty, naughty, naughty.
Carole Theriault
You need to have a lot of access to do that.
Graham Cluley
Well, you would think so, wouldn't you? And some of the Mac App Store's highest-grossing paid utilities, ones at the top of the charts, are making some pretty grand promises. So these aren't obscure apps which are doing this. There are apps which say, oh, we'll keep your Mac safe, we'll get rid of annoying pop-up ads, we'll discover and remove threats on your Mac.
Carole Theriault
Pretending to be security firms or security apps that actually they're there snaffling up?
Graham Cluley
Well, just hold your horses.
Carole Theriault
Oh, is this a popcorn moment?
Graham Cluley
Because—
Carole Theriault
Okay, I'm ready.
Graham Cluley
Okay, they're bragging about how great they are at keeping your Mac secure, but what they're less keen to brag about is the fact that they are also snaffling up this data, such as your browser history, and uploading it to their server. Now, a couple of researchers, a guy called Privacy First—
Carole Theriault
A guy called Privacy First?
Graham Cluley
Yeah, I imagine—
Carole Theriault
Names are getting wacky.
Graham Cluley
It's a bit like Reality Winner, isn't it? Anyway, some guy who's calling himself Privacy First on social networks. He spotted the problem initially, but he found it hard to get Apple to take any action about these apps.
Carole Theriault
Okay.
Graham Cluley
He then worked with another Mac security researcher, someone who we've spoken about before, I believe, Patrick Wardle. He and Privacy First— how am I going to talk about him?
Carole Theriault
Mr. First?
David Emm
PF.
Carole Theriault
Called PF.
Graham Cluley
He and PF wrote up their findings. Whereupon others uncovered more data-slurping Mac apps, and Apple ended up booting out apps such as Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder out of the App Store.
Carole Theriault
How did they get there in the first place?
Graham Cluley
Well, they were put there by the developers, of course.
Carole Theriault
No, but how did they get through the testing, the vetting?
Graham Cluley
Well, somehow or another, the vetting wasn't sufficient. Whether it was the case that the apps actually knew that they were being vetted by Apple and didn't perform this browser-snaffling functionality or not, I don't know. But what was most interesting to me is who was the developer of these data grabbers?
Carole Theriault
Do we know them?
Graham Cluley
Let me stroke my beard here, right? As if I could grow a beard.
Carole Theriault
That'll take 10,000 years.
Graham Cluley
David, have you ever had a beard or a mustache or anything like that which you've twiddled?
David Emm
Oh, a mustache a lot of years ago.
Graham Cluley
Did you?
David Emm
Just very briefly.
Carole Theriault
I bet you looked very handsome, David.
David Emm
I got rid of it pretty quickly.
Graham Cluley
Very sensible in my experience.
Carole Theriault
I like a mustache. I do.
Graham Cluley
You've married a very hairy man, to be honest. He doesn't find it difficult to shave.
Carole Theriault
Magnum P.I. was unavailable.
Graham Cluley
So who was the developer? None other than security vendor— David's panicking a bit now that it might be Kaspersky. It's not Kaspersky, it's Trend Micro.
Carole Theriault
Shut the front door.
Graham Cluley
Yeah. No, no, no, no. Okay. What? What?
Carole Theriault
I don't believe it.
Graham Cluley
It was, it was Trend Micro. Trend Micro, who of course write a number of security products, both for corporations and consumers. They put some code—
Carole Theriault
They're a big anti-malware player, like top 5 in the world.
Graham Cluley
Oh, totally. Totally. Trend Micro put some code into their consumer products, which they say was designed to help the software determine if users had recently encountered online threats. And yet that code was also incorporated into products which were not security-related.
Carole Theriault
Hmm.
Graham Cluley
Now, people didn't really like the idea that Trend Micro might be snaffling up people's browser history. Hmm, surprising that. Trend Micro went into panic mode and issued a statement. They said, look, this was a one-time data collection done for security purposes to analyze the browser history, work out if someone had recently encountered adware or other threats, and thus to improve the product and service. So you could argue that in short, what they were trying to do was they were improving the user security by compromising their security.
Carole Theriault
Okay. Did, I'm guessing, did their agreements say that they were doing this? Their terms and stuff?
Graham Cluley
Well, this was the thing. They were at pains to point out that not only was the data collection occurring once per installation, and wasn't actually including the full browser history, but also the users had agreed to this because they had approved the software license on installation. And there, buried away in the small print, was this little bit which said, look, we're going to take some of your data to analyze this. Which raises an interesting question, doesn't it? Because it's often the spyware and the adware and nastiness like that which takes advantage of people not properly reading the EULA, right?
Carole Theriault
I'm depressed now.
David Emm
People don't read EULAs, you mean?
Graham Cluley
I know, it's a shock, isn't it, David? Yeah, apparently not. Are you in the habit of reading a EULA?
David Emm
Yeah, yeah, generally, but there are exceptions, of course, because as all of us know, sometimes those things are not just half a page long. Sometimes they're just a bit longer. Well, I think it gets even worse because even in situations where this is down to a manageable size, and I'm thinking here about the permissions that apps ask for, people don't even read those either.
Graham Cluley
That's right. I mean, when you install, for instance, an app on your Android device, it will say, you know, are you happy with it accessing the microphone and your location, even though it's an app to produce a flashlight, for instance, and people just go, "Yeah, yeah, yeah, just give me the app," don't they?
David Emm
Exactly.
Carole Theriault
Well, it's not like a lot of this stuff is done super clearly a lot of the time, right?
Graham Cluley
No, but—
Carole Theriault
I think there's a lot of trickery involved in trying to get access to as much data as they can. This is not all companies, but a lot of apps do that.
Graham Cluley
Yeah, I mean, some apps will actually exploit vulnerabilities or weaknesses to waltz past this permission screen. I know with a new version of macOS 10, which is coming out soonish, they'll warn you more about what the actual apps are trying to do. But fundamentally, I think relying upon your users to read the license agreement, well, legally that might get you out of hot water because you have kind of told them. But in all honesty, you haven't really told them, have you?
David Emm
I think also comes back to your earlier point about something in the official app store, that there's a sort of inbuilt feeling because people like us tell them, look, stay on the beaten track. You're more likely to be safe if you download from a reliable source like that. And that people lower their guard because of that. And also, you know, we've got to face the fact that although we work in this industry and therefore we're attuned to this stuff, other people aren't. They're looking for this or that or the other functionality, and they're not necessarily savvy about whether XYZ functionality is needed for what they're doing.
Carole Theriault
Totally. And, you know, lots of people don't even know how to read legal mumbo jumbo, and it's not always easy. You know, I often read and have to read it out loud really slowly, and who's going to take the time to do that?
Graham Cluley
And furthermore, we're talking about Macs here, right? And I think there's still this perception amongst many users that you've helped build— what, what, I've helped build what?
Carole Theriault
You have often said if you want better security, choose a Mac.
Graham Cluley
No, I haven't. What I've said— no, that's completely inaccurate. I'm gonna pick you up on that one. No, what I've said is if you want fewer attacks, fewer arrows being thrown at you, get a Mac, because there is much more malware.
Carole Theriault
It's kind of the same thing.
Graham Cluley
No, no, no, it's not at all. There's much more malware and spyware for PC, so I do believe if you're running a PC, you're perhaps more likely to get infected by things and something nasty happen to you. But that doesn't mean that you can forego protection and sensible practices on your Mac as well. I wasn't suggesting that. I just, look, Apple has a reputation for being safer. That's true.
Carole Theriault
This is a screw-up. And I think the screw-up actually is more than just having a bad app in the App Store. It's that companies that we are supposed to trust and want to build a relationship with and use their services, you know, maybe they're giving themselves a bit too much license and a bit too much access to stuff.
Graham Cluley
I heard—I read something online, therefore it must be true—that the number of—if you were to read all the EULAs of the software you run during the course of a year, it would take around about 80 days.
Carole Theriault
Well, it does, it feels creepy. I said that last week, but it still feels creepy.
Graham Cluley
To read all of them. Is that possible? It does. And I think it's not good for the security industry as a whole. I mean, it's a statistic from the internet, so I think it probably is believable. Cybercrime is a bigger problem than ever before, but we don't need incidents like this corroding users' trust in security firms, do we? We want people to— we want people to install security software.
Carole Theriault
We want people to have a bit of freaking honor.
David Emm
Well, I'm guessing, I'm guessing, to be fair, that this is probably more to do with a dropped ball than it is with sort of malice aforethought. Hopefully that's the case. Yes, hopefully that is the case. So I'm guessing these are now kicked out of the App Store.
Graham Cluley
Trend has issued an apology. We'll link to it in the show notes. They've done a few other things as well. They've deleted the functionality from the apps. They've also deleted their logs of the data which they collected. Good. And they've also removed the feature from the non-security apps, which shouldn't have had that feature in them in the first place. And I think that's the other story here, which other software manufacturers can learn a lesson from. It's not only that you need to get positive, explicit consent from your users as to what you're going to do and what private data you might be extracting from them, so they actually consciously acknowledge that that's going to happen. But you also shouldn't be fattening up your products with unnecessary code. If you've got a shared code library, which appears to be what was happening in this case, and it's incorporated into programs which aren't planning to use or don't need that functionality, rip that code out. Don't leave it there, because it increases the threat surface, the chances of there being a bug or some unexpected functionality, which was the case in, for instance, the Unarchiver. Why would that need to check your browser?
Carole Theriault
You know what, I don't know.
Graham Cluley
It doesn't need to.
Carole Theriault
Because why not, right? Big data is big money. And I agree with your point, don't get me wrong, I totally agree with your point. But I think a lot of this stuff is being inflated because systems are faster, they can handle bigger programs, and they can just slap it in because why not? Because they can get more data.
Graham Cluley
Well, I certainly hope in this case that they were purely collecting the data for some sort of security reason. I haven't seen anything to suggest they were using it to monetize it in some fashion, or do advertising, or sell it on to somebody else.
Carole Theriault
So basically you're saying everybody screws up once in a while.
Graham Cluley
Everybody screws up once in a while, Carole.
Carole Theriault
Okay.
Graham Cluley
As I believe we all know. Is that right?
Carole Theriault
I don't know. I don't remember the last time I've screwed up.
Graham Cluley
Well, you certainly remind me of the times when I screw up quite often. David, do you ever make any screw-ups?
Carole Theriault
Oh goodness, not.
Graham Cluley
David, what's your story for us this week?
David Emm
Well, I've been following this story to do with the British Airways hack of data.
Graham Cluley
Oh yes.
David Emm
380,000 people's data that's out there in play.
Carole Theriault
The sophisticated hack.
David Emm
Well, yeah, we'll see how sophisticated in the end, no doubt. What certainly seems to be the case at the moment anyway is that rather than somebody digging into BA's backend systems and hacking into that, they were actually collecting it in real time from the forms that were being filled in. So this was done, it seems anyway, through a script on the website.
Graham Cluley
And this was a web page where people were making the payments for their upcoming flights. Exactly.
David Emm
And that seems to be the data that's gone. You know, that's what BA is saying. It's credit card numbers, including, you know, the magic CVV number, the 3 numbers on the back of the card. Names, email addresses I've read. No doubt we'll get clarification on this at some point, but at any rate, this is not a case, as we've seen in the past, of people hacking a backend system and guess what, you know, people's usernames and passwords and so on are not being secured properly. This is a question of somebody doing it at the point at which it's being input. You know, not only when you carry out security audits have you got to look at the sort of traditional aspects of that, including web servers and making sure you're up to date and your password policies are good and all of that. But also you've got to make sure that any scripts that you've got running are also okay. And of course, it's often the case that companies are running third-party processes. A third-party process is being used to— for payment or to deliver ads.
Graham Cluley
Yes.
David Emm
And where it's a third-party script, then you've got another issue because it's not yours. And therefore, you know, it becomes harder to verify the integrity. And so in that case, you've got to make sure that you are limiting the scope of what it can do.
Graham Cluley
And I remember this being a problem earlier this year. Do you remember tens of thousands of government websites and all sorts of things all got seemingly hacked simultaneously? And it's because they were all using this accessibility plugin designed for people who were, I think maybe were visually impaired or something like that. And that plugin got hacked. And suddenly all these websites which were pulling down the JavaScript from that site were themselves hacked en masse. So I guess one of the clues by which we know this is the way in which this occurred with the British Airways hack is they not only got the payment card regular details like your number and your expiry date, but they also got that magic 3-digit CVV number on the back, which isn't normally stored by businesses, is it? Exactly. They don't store it, but it is input on the webpage. So if that webpage has been compromised with a malicious script, there's the opportunity for the criminal to grab it.
Carole Theriault
Yeah.
Graham Cluley
So this is a pretty big hack and one of the biggest and most high-profile hacks which has occurred since GDPR came into effect.
David Emm
Exactly. It will be interesting to see, you know, what the outcome of that is. And I know certainly, Graham, you talked about one of the issues to do with legal challenges to this and legal firms trying to round people up about getting compensation. Now clearly the ICO has something to say about this, and you know, they're pointing the finger at BA and there's culpability there. That's even worse.
Graham Cluley
So there is a US law firm which has just set up a UK branch called SPG Law. They actually set up the day after the BA breach was announced, and they instantly released a press release saying that they were launching a £500 million class action suit over the British Airways hack. What that actually means is that they are saying that they believe victims can claim up to £1,250 each. So multiply that by 380,000 and you get your £500 million. Now, I think they were being rather opportunistic, and obviously they got their name in the press and all the rest of it, because I'm not sure we necessarily want law firms instantly jumping into these things and offering to help people get compensation. I think that may not always work to the advantage actually of the consumer.
David Emm
Where there's a blame, there's a claim. Yeah, but you know what I mean?
Carole Theriault
Do you know what? I would be super, super peed off if I were one of these. As soon as I heard of this hack, I was like, oh my God, did I book a flight? Did I book a flight? Because I use BA a lot. And I was so relieved that I wasn't, you know.
David Emm
And although BA is saying that they won't see anybody out of pocket with this, that's great. But actually, the thing is that how do you link the two together? So if in 6 months or a year's time somebody gets hit with some kind of fraudulent activity, how as the victim of that do you tie it back into this? Because at the end of the day, your details could have ended up in play from other kind of attacks other than the BA one.
Graham Cluley
Yes.
Carole Theriault
So the answer there is that you've got to change your details right now. Really?
David Emm
Yeah, absolutely.
Graham Cluley
A lot of the banks actually have already cancelled people's cards if they believe they were compromised by this incident. So they are reissuing cards. And it's good to see the banks do that. I feel a bit sorry for the banks as well. You know, the banks have taken this on the chin. Oh no, it's BA's incompetence here, right? Why should the banks have to?
Carole Theriault
Geez. Yeah.
David Emm
I was going to say, I think also, you know, while all of us, especially in our industry, put our hands to our face when this happens, actually BA came out, proactively chased this down, said, look, this has happened. Here's who's affected. We're contacting people. How often have we seen the case where actually maybe months later or even years later, we're hearing about a breach that happened way after anybody had any chance to do anything about it.
Graham Cluley
Well, this is GDPR in action, isn't it, David? They are— they've got a scare on. They know they have to notify people quickly. They know that potentially they could lose— is it 4% of their gross worldwide turnover?
Carole Theriault
Yeah, 4% of the annual turnover.
David Emm
Or €20 million, whichever is the higher.
Graham Cluley
Right. So it's a clouty fine, isn't it, potentially?
Carole Theriault
Well, that's a lot less than the money they'll have to pay out if everyone demands compensation.
Graham Cluley
Ah, I think a lot of these class action suits never come to anything very much. But we will have to see, I suppose. But BA, I suspect, are no longer everybody's favourite airline, are they? Do you remember that? They used to say that in their ads.
David Emm
I do remember that.
Graham Cluley
And also they said, "We'll take more care of you."
Carole Theriault
"Fly the flag." We'll take more care of you. Fly the flag. Do you know what? I like BA.
Graham Cluley
You like BA?
Carole Theriault
I may not use their website as easily anymore, but I don't mind a BA flight.
Graham Cluley
You just don't want them bumping the drinks trolley into you next time you're on the plane, do you? You're a bit worried now.
Carole Theriault
Bumping the drinks trolley. I'm trying to—
Graham Cluley
Does that refer to something? Everything's an innuendo, isn't it? David earlier was talking about intruding on people's back end, and now BA drinks trolleys. Carole, get your mind out of the gutter.
David Emm
Proud of the aisle.
Carole Theriault
So my story all hinges around Paul Manafort and his family. Now, for those of you outside the US political news orbit, tell me how you frickin' do that. Okay, no, so Paul Manafort was Trump's former campaign manager who was raided by the FBI, charged, and found guilty of 8 charges of fraud. And he's, I think he's sitting in jail waiting for his sentence. I think it's a maximum sentence of 80 years.
Graham Cluley
Yeah, and he's got a second trial coming up as well.
Carole Theriault
Yeah, yeah, basically he is not living the American dream at the moment, right? Nor his family, because this story is all about what's happened to his daughter. All right, I'm going to give you a bit of a quick backstory, and then I want your help in figuring out whether the wrongs outweigh the rights or vice versa. So about a year and a half ago, this big data dump was flitting around on the dark web, and this data dump allegedly contained over 280,000 text messages which were sent and received by one of Paul Manafort's daughters.
Graham Cluley
So hang on, one of his daughters sent and received 280,000?
Carole Theriault
I know, I worked that out. Yes, I worked this out. Okay, so if this cache was about 5 years old, okay, this is each person sending and getting 120-odd texts a day.
David Emm
Is she a bot?
Carole Theriault
It's just insane. I was shocked as well. But yeah, so basically all of this daughter's text messages and the ones that she's received and sent, right, were basically collated into this big dump and it was kind of going around the dark web, right? And rumor had it that the reason this had happened was the daughter's phone was hacked, right? So at the time, some news agencies kind of tweezered out a few politically Manafort or Paul Manafort-related messages from this big glut. These are messages that seem to have some context around the political arena and some of his shady dealings with Russian-friendly forces. And it was argued that this was newsworthy and therefore warranted public attention. Of course, also some people might call less reputable media, like the National Enquirer, also dished out stories. One where Papa Manafort apparently allegedly had an affair. National Enquirer cited the hacked messages to kind of validate the story.
Graham Cluley
If only some mutual friend of Paul Manafort and the National Enquirer had managed to influence them.
Carole Theriault
Orange. Yes, a very tanned individual.
Graham Cluley
Had managed to convince them not to publish that story. Yes.
Carole Theriault
Yeah. Now, okay, so fast forward to a few months ago, 20th of July, a freedom of information activist known as Emma Best decided to make the full data set of personal text correspondence searchable and available to anyone who wanted. And it was announced via Twitter. It was written on Twitter, today I am releasing a searchable transcript of over 285,000 Manafort text messages that WikiLeaks would not publish. You can find the what, why, and where at. It gives a link.
Graham Cluley
Data which WikiLeaks wouldn't publish. Oh, maybe because of the Russian—
Carole Theriault
Well, maybe of the political, you know, it's perhaps not—
Graham Cluley
It wasn't their flavor.
Carole Theriault
It's not their penchant of political party, it seems, based on past experience.
Graham Cluley
If it had been Chelsea Clinton, then maybe they'd have done it, but yeah, okay.
Carole Theriault
Okay, so now zoom to a few days ago. This all happened about a month ago, and the reason this is back in the news is largely due to the Streisand effect, Manafort's daughter's lawyer sent a letter to Twitter demanding they remove this Emma Best tweet. And in turn, Twitter just this week sent the activist a letter saying, would you voluntarily remove the tweet? And she told Motherboard, no intention of doing that.
Graham Cluley
Right.
Carole Theriault
Okay, so here are the nuts and bolts of this. Okay, so the data set is a reported 7,000 pages of unredacted text messages. Between Manafort's daughter and friends, colleagues, family, etc., etc., etc. It's going to contain private stuff, confidential stuff, personal stuff. You know, if this happened to me, messages that, you know, you'd be affected, Graham.
Graham Cluley
Well, I think it's abominable because that— yes, exactly, it'll be her friends and family and all sorts of innocent people.
Carole Theriault
It just mushrooms out, doesn't it?
Graham Cluley
Even— I mean, I don't know if she's innocent of anything or guilty of anything at all, but it just— you know, what gave Emma Best, in quotes, what gave her the right to publish this thing and make it so easily accessible?
Carole Theriault
Exactly. So it's quite a contentious problem, right? Because to be a responsible freedom of information activist, must you provide all information, no matter how personal, to a victim circle? Like, can you not redact over, you know, maybe redacting gets you in trouble as well because people are saying, well, it's redacted, so who knows what's redacted?
Graham Cluley
Yes.
Carole Theriault
Now, interestingly, on the Emma Best website, the activist lists out seven reasons why the unredacted text messages were published. And I thought I'd share a few of those with you. So one is the data has already been exposed and the damage done. Well, no one has provided it in a searchable, unredacted format. So it's very convenient now.
Graham Cluley
Yes. A crime has already been committed, so I decided I'd commit it as well. Where's the harm in that?
Carole Theriault
Yeah, another point was tabloids and trolls have already mined the transcripts and exploited them, you know, so basically the damage has all long been done and mitigated. And this is one point I found interesting. It says those involved know that the messages were hacked and that their phone numbers and email addresses, in case of some iMessage, have been exposed. They've had over a year to change their numbers and take steps to block harassment. Therefore, any harm in this regard is minimal.
Graham Cluley
This is another of Emma Best's arguments why she's released the data. And it's— I've got no sympathy with this at all, I have to say.
Carole Theriault
Yeah.
Graham Cluley
All right. Well, doesn't convince me.
Carole Theriault
I know. So, and do you think Twitter is complicit in this in some way? Do you think Twitter is responsible for the content that they allow users to post? I mean, they've been warned. They've been told, look, this is upsetting people. This is hacked text that the woman didn't hand over that are being mined by third parties against the victim's wishes.
Graham Cluley
They're not the first people I would think of. I think if I had any complaint about this, then I might try and work out who Emma Best's web host was, for instance. Or I may go to Google and try and get links to that particular web page removed, you know, saying, look, this is damaging my privacy.
Carole Theriault
This is where Emma Best is promoting the site, right? This is where the traffic is coming from. Anyway, interesting. So not only does Twitter not let us have a G in Smashing Security—
Graham Cluley
How dare they—
Carole Theriault
It won't remove the link to a cache of hacked SMS messages.
Graham Cluley
But there's lots of bad stuff that goes on Twitter, Carole. Is this really the worst thing that happens on Twitter other than obviously the lack of a G?
Carole Theriault
Well, you know, I don't know. Ask Manafort's daughter, see how she's enjoying it. I mean, apparently she's just actually appealed to get her name changed. I don't blame her.
Graham Cluley
I think this may not be the only reason why she's changing her surname.
David Emm
Or if you widen the circle, you know, I mean, there may be people who are not even remotely involved but are referenced in this stuff.
Carole Theriault
Absolutely. It's like you texted me, David, saying, God, Graham's a pain in the butt, right? And then that was posted somewhere.
Graham Cluley
I don't think I'd ever send a message. Hey, Carole.
Carole Theriault
Did you listen to my little bit about MetaCompliance and their e-learning?
Graham Cluley
Oh yeah, I heard that earlier in the show. Yeah, did you? Yeah.
Carole Theriault
Okay, well, have you signed up yet?
Graham Cluley
Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?
Carole Theriault
Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to SmashingSecurity.com, you should know that website, /meta-compliance and enter the code smashing with a G.
Graham Cluley
SmashingSecurity.com/meta-compliance, enter the code smashing. Terrific.
Carole Theriault
With a G. Cool.
Graham Cluley
Hello and welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. David, David, you have to say Pick of the Week.
David Emm
Okay. Pick of the Week.
Graham Cluley
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like, doesn't have to be security related necessarily.
Carole Theriault
Shouldn't be.
Graham Cluley
And my pick of the week this week is something actually useful. It's not a TV show or a podcast or anything like that. No, I'm going to give you something which is really rather handy and may actually put some bucks or some pound notes in your back pocket. It is a website called airhelp.com — air as in aeroplane.
Carole Theriault
Airhelp.com.
Graham Cluley
Airhelp.com. And that gives you a clue because I was booked on a flight that was cancelled. There I was at Birmingham Airport trying to get to Edinburgh and the flight was cancelled, and I had to wait around at Birmingham Airport with you, Carole.
Carole Theriault
Yes, I remember.
Graham Cluley
For about three or four hours, and it was most unpleasant, or at least inconvenient. And then I heard about this website called Airhelp, and it said, look, if you've had a cancelled flight or a delayed flight, you might be able to get compensation. There I was, I was thinking, I wonder if I could get compensation for that. And all I had to do was enter my name and a confirmation number of the flight I was on, and it chugged and churned away, and about a month later it came back and it put £170 in my bank account — kaboom!
Carole Theriault
Did it?
Graham Cluley
Yes! Airhelp had taken about 25% as a commission, which was why I got £170 rather than, I don't know, £200 or something. But I figured that was a small price to pay for not having to do anything. It's a very handy website, so if you are on a delayed flight you might want to try airhelp.com — you can even import your flight history, should you feel safe about doing that.
Carole Theriault
I'm just looking at the privacy statement right now.
Graham Cluley
Don't try and make this security-related necessarily, Carole. This is a Pick of the Week.
Carole Theriault
I'm just going to say quickly, you know, because you're asking people to put in a lot of data here on this site. I didn't—
Graham Cluley
I hardly entered any information. I just had my booking reference number, my name, obviously my contact details, and the flight number, and it went chug chug chug, and I chose some radio buttons saying it was delayed.
David Emm
Was it a BA flight?
Graham Cluley
Oh, I could maybe demand some higher compensation if it had been a BA flight. No, it wasn't actually, but yes, you can import flights you've made in the last three years if you want it to chug away and look at all of them.
Carole Theriault
All I'm saying is the privacy data doesn't look too bad at quick look.
Graham Cluley
Okay, all right, there, it's got the Carole seal of approval.
Carole Theriault
Good pick of the week.
Graham Cluley
David, what's your pick of the week this week?
David Emm
Okay, well, my pick of the week is and isn't related to security. Something— an article in Forbes caught my eye, and it was really to do with employing autistic people, and specifically to do with stopping cyber attacks, because some of the characteristics and skills that autistic people— many autistic people have could be very useful. It doesn't just apply to cybersecurity, however. Seeing patterns, persistence, logical thinking, all of these things really— attention to detail is another one— are facets of autism. And actually, we're missing a trick if as a society we don't actually milk this, if we don't use these skills. Clearly, this is very topical in cybersecurity because we're facing a cyber skills shortage.
Carole Theriault
Yeah, right, right.
David Emm
It's estimated that about 13% only of autistic people get employed.
Graham Cluley
Really?
David Emm
And, you know, 1 in 100 people around about are autistic or on the spectrum somewhere. So given that, you know, these are really valuable skills, we could be missing out. You know, there's a danger, I think, as awareness about autism has grown, that people tend to think, well, everyone on the spectrum is like Rain Man, you know, or they can recite pi to 27,000 decimal places, which certainly one guy can who's autistic, but that's not—
Graham Cluley
27,000?
David Emm
Yeah.
Carole Theriault
Who checks?
David Emm
I believe a guy called Daniel Tammet did that, and it took place, I think, in the Bodleian Library in Oxford. And I think that's just the record for Europe. I don't think that's a world record.
Graham Cluley
I have to be honest, if that was going on at the Bodleian Library in Oxford, I'm not sure I'd buy a ticket to watch it.
Carole Theriault
Oh, I don't know, I think I would.
Graham Cluley
27,000 rolls. I wouldn't know.
Carole Theriault
I would have it written down on a piece of paper and I'd knock it off as he went.
Graham Cluley
What do you think? 72193641.
Carole Theriault
You'd need a toilet roll, Carole.
David Emm
That's what they did. That's what they did. I think they just had mountains of computer printout paper with these on.
Carole Theriault
I love it.
David Emm
So, you know, I think we, you know, there's a danger of pigeonholing people, but nevertheless, you know, these skills do exist. I mean, I can recall, I've got a son who's autistic, and I can recall when he was about 8. A bit of background. I mean, when Disney Pixar put out, I think it was Finding Nemo, it had a short film called Knick-Knack. And it was about knickknacks on a dressing table and how the guy in the snow globe wanted to join them for a party. But in Toy Story 2, it made a sort of cameo appearance. Woody, one of the main characters in Toy Story, gets kidnapped in that particular movie, and the rest of the toys know that it was the guy that advertises the toys who wears the chicken suit who'd kidnapped him. So they decide they'll flick through all the channels very, very quickly to find the advert with the chicken man in. And they're going through at a rate of knots looking for this. Anyway, we'd watch this and my son said to me, oh, that's a knick-knack. And I said, what do you mean it's knick-knack? And the next time we watched it, I stopped it and freeze-framed it. And sure enough, one clip, one static clip from one of the channels on those of this particular short film. How he saw it, I don't know, but you know, he's got that level of attention to detail. And so, you know, these are skills which not just in cybersecurity but elsewhere are very valuable.
Carole Theriault
So if anyone wants to hire David's son, I'm sure GCHQ are listening.
Graham Cluley
Yeah, is this— is that why you're on? Is this basically an advert? Is this a job advert?
David Emm
No, no, but you know, feel free to give me a call.
Graham Cluley
That's excellent. Well, we'll put a link to that story into the show notes so other people can read all about that. Carole, what's your pick of the week?
Carole Theriault
Mine is rather silly this week. It's a Twitter feed. I thought as I'd kicked Twitter in the shins in my first story, might as well give it a little, get it back up there. So go to Cold War Steve on Twitter. This is a crazy photo montage world of McFadden's Cold War. It's kind of dark and it's snigger-worthy as well.
Graham Cluley
Steve McFadden, he's the guy from EastEnders, which is a British soap opera. Exactly. He's an egghead, Sontaran kind of person.
Carole Theriault
Right.
David Emm
Yes.
Carole Theriault
So basically this is a Twitter feed primarily aimed at Brits or Anglophiles. So there's photo montages that are mashed up with some of our best known, if least liked, political leaders or footballers or soap stars. And of course, Noel Edmonds, who shows up everywhere. So you'll see Boris Johnson, Theresa May, even Ant and Dec make an appearance. David Cameron's tasseled loafers make an appearance. It's just, it's really quite fun. I've been looking, I saw it in an article in The Guardian, I don't know, a month ago or so.
Graham Cluley
I'm looking at it right now. So these are, yes, so these are photo montages, lots of British celebrities typically, although I'm seeing some Americans as well, in bizarre situations.
Carole Theriault
And it's basically Where's Waldo, effectively, but with our British beastars. And what's really cute is this guy apparently knocks these out on his bus commute, which, you know, I've done a bit of, you know, quick editing this, you know.
Graham Cluley
Microsoft Paint. Yeah.
Carole Theriault
I'm not this smooth without a bus. I don't even know how he manages that, but who cares? It's a great time-wasting website. I love it. So check out McFadden's Cold War on Twitter and enjoy.
Graham Cluley
All right. Well, thank you. Thank you, Carole Theriault. That's slightly strange, but amusing.
Carole Theriault
You see August 23rd. It's very good.
Graham Cluley
August 23rd. You're going to read out some of your favorite dates, are you?
Carole Theriault
David Cameron's in the foreground. Yeah, I can see Noel Edmonds is there as always.
Graham Cluley
Noel Edmonds. We're going to have to put in a link to something about Noel Edmonds so people who live in other countries know all about Noel. On that slightly bizarre note, I think we just about wrap it up for this week. David, if people want to find out more about you or follow you online, what's the best way to do that?
David Emm
Well, they can go to securelist.com, which is where Kaspersky Lab puts all of its analysis on there. They can follow me on Twitter @memm.
Graham Cluley
And that's M-E-M-M. Yeah, that's right.
Carole Theriault
Emm, yes it is.
Graham Cluley
And you can follow us on Twitter as well, @SmashingSecurity. Security. No G. Twitter won't allow us to have a G. And we've got an online store where we don't make a single buck. We're giving away things for free. And if you follow us on our— what?
Carole Theriault
No, well, no, they're not totally free.
Graham Cluley
Oh no, you're right.
Carole Theriault
Don't make a buck.
Graham Cluley
We don't make any money.
Carole Theriault
He's overselling, guys. Sorry, I got excited there.
Graham Cluley
But, but, Carole, if people follow us on Twitter, occasionally we tweet special voucher codes where people can save 20% off their mugs and t-shirts.
Carole Theriault
Yeah, but it still costs something.
Graham Cluley
It still costs something.
Carole Theriault
Yes. All right, you've caught me out. Go to smashingsecurity.com/store for that. I know we got 5 new reviews last week. They were amazing.
Graham Cluley
We read them all. We read them all. We do. And we have a little private conversation, me and Carole, especially if you mention one of us or the other. And, you know, to say, you know, Graham is my favourite, something like that.
Carole Theriault
Yeah, Graham needs it more than I do, guys.
Graham Cluley
Until next time, cheerio, bye-bye, adieu!
Carole Theriault
I'm sorry, I've double entendre again. Yes, you are. I'd say I rose above it. Yeah. Was that okay?
EPISODE DESCRIPTION:
Malicious script is being blamed for the British Airways hack, Trend Micro's apps are booted out of the Mac App Store for snaffling private data, and Paul Manafort's daughter wants Twitter to remove a link.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Emm of Kaspersky Lab.