A $150 million mansion is hijacked online, Brits will soon have to scan their passport to watch internet porn, and are organisations right to pay up when hit by ransomware?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology broadcaster David McClelland.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: David McClelland.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- Mimecast: Grab your FREE Cybersecurity Awareness Training Kit from Mimecast, and share it throughout your company. Give your employees the information they need to make the best cybersecurity decisions.
- Get your free kit at smashingsecurity.com/mimecast
Links:
- What Is a Zillow Zestimate? — YouTube.
- Zillow sued over hacked listing of $150 million California mansion — Chicago Tribune.
- The Headington Shark, Oxford.
- UK Digital Economy Act 2017 — Legislation.gov.uk.
- AgeID | Your Access to the World of Age-Restricted Websites.
- CleanBrowsing DNS — Free DNS Parental Control, DNS Filter and Web filter.
- Ray Charles - Georgia On My Mind — YouTube.
- Rural Jackson County, Georgia, recovering from ransomware attack — StateScoop.
- Georgia county pays a whopping $400,000 to get rid of a ransomware infection — ZDNet.
- Confidential report: Atlanta's cyber attack could hit $17 million — Atlanta Journal-Constitution.
- EmojiTetra (@EmojiTetra) on Twitter.
- Emoji Snake Game (@EmojiSnakeGame) on Twitter.
- The Butterfly Effect — Podcast with Jon Ronson.
- So You've Been Publicly Shamed — Amazon.com.
- How old do I look?
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
ROBOT. The end of March marks the date from which UK internet users will have to verify their age before they can visit pornography websites. This is definitely not Brexit-related, but you could say that certain freedom of movement is being restricted as a result of this. Smashing Security, Episode 119. Phishing, darknet, malware, hijacked homes, porn passports, and ransomware regret with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 119. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, crew.
CAROLE THERIAULT. Hello, Mr. Cluley. This is late in the evening for us. We don't normally record this late.
GRAHAM CLULEY. Yes, it's Smashing Security late night.
CAROLE THERIAULT. It's because we have someone who's very busy on the show.
GRAHAM CLULEY. If you want to ring in with your—
CAROLE THERIAULT. Personal problems.
GRAHAM CLULEY. Yes, sexual relationship problems, marital—
DAVID MCCLELLAND. Stop it, it's my dream.
GRAHAM CLULEY. We have with us this week technology guru and broadcaster, David McClelland. Hello, David.
DAVID MCCLELLAND. Hello, hello, hello everyone. How you doing?
GRAHAM CLULEY. We're great. So what have you been up to?
DAVID MCCLELLAND. Where have you been?
GRAHAM CLULEY. You've been gallivanting around, things like that.
DAVID MCCLELLAND. Yes, you always seem to catch me just after I've returned from somewhere. And I guess most recently I've been in Barcelona for MWC or Mobile World Congress.
CAROLE THERIAULT. Great city.
DAVID MCCLELLAND. As everyone calls it. Oh, Barcelona is my favorite city outside of the UK. Yeah, I think so.
CAROLE THERIAULT. Outside of the UK city?
DAVID MCCLELLAND. Yeah. It's my favourite second city beside London.
GRAHAM CLULEY. Better than Slough?
DAVID MCCLELLAND. Oh, better than Slough, yeah. But I think I've been to Barcelona more times than I've been to Birmingham, and I don't say that lightly. Bolton? Bolton. Bolton. I've never been to Bolton or Blackburn or Barnsley. I have been to Blackpool, and I definitely prefer Barcelona to Blackpool. But yeah, it's the— I go there every year, several times a year, but it's the big annual mobile phone show, isn't it? And there's about 100,000-odd people all there geeking out over 5G and AI and blockchain and folding phones this year was a big one.
GRAHAM CLULEY. Oh, did you see a folding phone?
DAVID MCCLELLAND. I saw a folding phone behind a glass case, 'cause they're still that far away from being in people's hands.
CAROLE THERIAULT. You know what? I never understood why they got rid of them. They were the best. I mean, I know there's a hinge, but come on.
GRAHAM CLULEY. No, but these are ones with folding screens, Carole. Not like Captain Kirk.
CAROLE THERIAULT. Oh, you mean not like a Snap phone?
DAVID MCCLELLAND. No, they aren't the communicator. This is actual screen technology that folds in the middle, for what reason I don't really know, apart from the fact that mobile phone companies want to try and sell us something new and get us to part with £2,000 for a new device rather than £1,000.
GRAHAM CLULEY. That's the thing, isn't it? Because I'm finding that with my phone at the moment, I'm just thinking, well, what is the possible reason that I would want to upgrade this phone?
CAROLE THERIAULT. It's—
GRAHAM CLULEY. I don't really care about it.
CAROLE THERIAULT. Some water could fall on it and fritz the entire phone and short-circuit it.
DAVID MCCLELLAND. These days they're waterproof, splashproof phones, aren't they? I mean, I don't know how old yours is, Carole. Maybe it is time that you did upgrade.
CAROLE THERIAULT. My Apple 6S. It wasn't last week.
DAVID MCCLELLAND. Oh, wow.
CAROLE THERIAULT. Yeah. An expensive mistake.
GRAHAM CLULEY. Carole's been having a pretty soggy time of it. So, Carole, other than that, what have we got coming up on the show this week?
CAROLE THERIAULT. Well, Graham, you have a viewing at a California mansion listed on Zillow. Dirty Dave delves into the murky world of UK porn. And yours truly will be asking the big question: to pay or not to pay? All this coming up on this episode of Smashing Security.
GRAHAM CLULEY. So, chaps, I want to talk about Zillow. Now, we're all British, I believe, and so we quite possibly—
CAROLE THERIAULT. I was chosen. I just want you to know that.
GRAHAM CLULEY. Yeah. Okay.
CAROLE THERIAULT. I wasn't just born here.
GRAHAM CLULEY. None of us know what Zillow is. Is that right?
DAVID MCCLELLAND. No, never heard of it before.
GRAHAM CLULEY. Well, apparently it's a big deal. Have you heard of it?
CAROLE THERIAULT. Isn't it a house buying, you know, whatever, like, like, Rightmove, like Rightmove in the UK?
GRAHAM CLULEY. That's right. So what this is, is a website where you can look up hundreds of millions of different US homes, whether they're on sale or not, and it will tell you information about them. So it will tell you what it believes its price is, or how many bedrooms, or how many bathrooms, or it'll show you the property on Google Street View and all kinds of information.
CAROLE THERIAULT. Historically, interestingly, the UK equivalent is Zoopla. Also starts with a Z.
GRAHAM CLULEY. It does, yes.
DAVID MCCLELLAND. I was just thinking of them.
CAROLE THERIAULT. You and I are very smart.
GRAHAM CLULEY. Well, I wanted to look up an American home on it. So I typed in the address of one of our occasional American guests. Now they don't know that I did this. So I'm not going to name them. And I'm not going to give out their address. And hopefully I won't give away their gender or, you know, any sort of identifying birthmarks or anything like that. But if you click on the link, which I've shared with you, you will see the home right now.
DAVID MCCLELLAND. Oh, that's quite nice.
GRAHAM CLULEY. That does. I thought it looked quite nice as well, actually. I thought, well, they've done all right for themselves. Now, I've never been into this person's house, but now I know when it was built, how many bedrooms and bathrooms it has, all kinds of other information. I can see a picture of it from the street.
CAROLE THERIAULT. It's bloody expensive, isn't it?
DAVID MCCLELLAND. It is.
GRAHAM CLULEY. It was quite expensive, wasn't it? And I very much doubt that they added all of that detail themselves to Zillow. Maybe it was a previous homeowner. But the interesting thing about Zillow is it keeps information and it publishes information about your homes, whether you're selling your house or not, and whether you want to be on Zillow or not.
CAROLE THERIAULT. They call these things Zestimates. That's fucking—
GRAHAM CLULEY. That's right. So Zillow has a thing called Zestimates. And what the Zestimate is really there for is if you're thinking of buying a property or if you're curious about your own property and what it might be worth, you go to the Zillow website, it will give you its Zestimate, and the Zestimate... There is actually a disclaimer. It does say Zestimates are not professional appraisals, right? They don't walk around your house. It's just a computer algorithm based upon recent sale prices for similar properties in the area. And they may look at any information you've added, like, oh, you know, we did up the kitchen two years ago, or, you know—
CAROLE THERIAULT. Got a new boiler.
GRAHAM CLULEY. Right. Or, you know, we did out the basement, or we added an extension, or whatever it is, right? But it doesn't know that stuff unless you tell it. So it won't know that you've installed a new kitchen. It won't know that you ripped up the stinky carpet pit in the downstairs loo and replaced it with some tiles. It won't know that you've got a fibreglass shark poking out of your roof, which—
CAROLE THERIAULT. Ah, the shark.
GRAHAM CLULEY. The shark. David, if you haven't checked out Oxford properly, there is a house with a fibreshark— fibreshark? A fibreglass shark poking out of its roof from a guy called Bill Heine.
CAROLE THERIAULT. He's a local celeb.
GRAHAM CLULEY. Quite incredible.
DAVID MCCLELLAND. Yeah, this is quite a famous bit of art. It's been sticking out of that same roof for quite a few years now, isn't it?
GRAHAM CLULEY. Maybe 30 years, something like that. So you can update the information in your Zillow profile if you claim ownership of the entry and add the information, right? Otherwise it won't know anything. So the practical effect of Zillow is that many buyers give those Zestimates, even though Zillow say, look, this isn't really something you can base anything on. They give it as much weight as a professional valuation and they use these Zestimates as a means of leveraging when they're trying to knock down the price on the properties that they want to buy. So someone is selling something for, I don't know, $600,000. But if Zillow says, oh, we estimate it's $550,000, you go in low and you say, well, why are you asking $600,000? You should be $500,000 or $550,000. In short, buyers love Zillow, but sellers aren't so keen.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And in the past, sellers have tried to sue Zillow. There was one group who were suing Zillow, and they were trying to sell properties for $1.5 million, but Zillow was saying, well, they were only worth a meager $1 million.
CAROLE THERIAULT. Who are all these people throwing around, bandying around millions of dollars?
GRAHAM CLULEY. They're Americans, Carole. They've got loads of money.
CAROLE THERIAULT. $1 million, $1.5 million, same diff.
GRAHAM CLULEY. Okay. But, and Zillow, when asked to fix the Zestimate— I'm going to have to keep on saying Zestimate, aren't I?— they refused to do so. And they, but they also won't remove your property from the website. And so people get exactly to use the technical term. So Zillow, of course, being an American company, how does it defend this? First Amendment.
DAVID MCCLELLAND. Freedom of speech.
GRAHAM CLULEY. Yes. So they say we're protected. We're allowed to say this is what we believe your house is worth. And they have the little disclaimer on the page as well.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So it's caused a bit of fuss. Mind you, I suspect sellers aren't complaining when Zillow lists properties with a higher Zestimate than they really deserve, right? If they added a million on.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Now, here's the latest. Someone has claimed ownership of a Zillow listing that wasn't actually theirs. There is a $150 million—
CAROLE THERIAULT. Chump change.
GRAHAM CLULEY. Palatial. It's just like your pad, Carole.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Palatial.
CAROLE THERIAULT. Helicopter. Helipad.
GRAHAM CLULEY. You joke. You joke about the helipad.
CAROLE THERIAULT. Okay, okay, okay.
GRAHAM CLULEY. Go on. It's overlooking the Pacific Ocean in Bel Air.
CAROLE THERIAULT. Boring.
GRAHAM CLULEY. Home of Wiki Wiki Wow Wow, Will Smith, right?
DAVID MCCLELLAND. About 40 years ago, yes.
CAROLE THERIAULT. Hey, hey, hey.
GRAHAM CLULEY. It's got 12 bedrooms. It has 21 bathrooms.
DAVID MCCLELLAND. Hang on a minute, hang on. 21 bath— How does that even work? There's 8 bedrooms, that's 2 baths.
CAROLE THERIAULT. So if every bedroom is a double, everyone can shit at the same time.
GRAHAM CLULEY. Oh, charm. You are charming, aren't you?
CAROLE THERIAULT. Almost everyone.
GRAHAM CLULEY. 38,000 square feet of interior space.
DAVID MCCLELLAND. I don't even know how big that is. I mean, was that an aircraft hangar or what?
GRAHAM CLULEY. It probably is, isn't it?
CAROLE THERIAULT. Parliament buildings? Something like that?
GRAHAM CLULEY. 17,000 square feet of whatever are entertainment decks.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. 3 kitchens, which I think is a bit paltry, to be honest. 5 bars, a fitness spa, a 4-lane bowling alley, a basketball court, a tennis court, a wine cellar.
CAROLE THERIAULT. Stupid, stupid.
GRAHAM CLULEY. And an 85-foot glass tile infinity pool.
CAROLE THERIAULT. Oh, now you're talking.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. I like a pool. Bonjour, bonjour.
GRAHAM CLULEY. Anyway, last month, a hacker gained control of this Uber Mansion's listing page on Zillow and updated its information. Now, if I had accessed that, I think I would have been tempted to change it in a different way, I think. You know, you would have made out that it was next to some sort of nuclear processing plant or a sewage pit. Oh, you know, like a—
CAROLE THERIAULT. Like a hacker would.
GRAHAM CLULEY. Yes, exactly. And if you're going to hack it, that's the sort of thing that most people, I suspect, would do is just out of pure jealousy. They would deface it in that way. But what this particular person did is they used a fake mobile phone number and a Chinese IP address. They were able to waltz past Zillow's security questions in order to convince the site that they were the genuine owner. Now, remember, nobody puts their property up on Zillow, right? The property is already there and you can claim it, which means that Zillow doesn't really know very much about you other than what's a public record and they've been able to grab from a database. So if you're able to confirm and answer their security questions, you may be able to claim any old property up there. Mm-hmm. But what this particular hacker did was they then posted a history of recent bogus sales of the property for up to $60 million less, ouch, than the genuine owner is asking, because they're asking for $150 million right now.
CAROLE THERIAULT. So they're asking for $90 million as opposed to $150 million.
DAVID MCCLELLAND. Right.
GRAHAM CLULEY. And they had a number of sales in close succession, like over a few days of like, oh, it's been sold again for this price and it's up and down. But it's, it's basically a lot less than what is really being asked. And you have to wonder, why would someone want to do that?
DAVID MCCLELLAND. Yeah.
CAROLE THERIAULT. Because they want to process the deal. So it's maybe the... what's it called?
DAVID MCCLELLAND. The broker?
CAROLE THERIAULT. The realtor broker.
GRAHAM CLULEY. Maybe. Or maybe it's someone who wants to buy the property but wants to buy it for less. And suddenly you have a good price down.
CAROLE THERIAULT. I'm hooked. Tell me you have an answer to this.
GRAHAM CLULEY. No, I don't. But we don't know who did it. But they even announced on the page that there was going to be an open house on February 8th, and anyone can come along and go and view the property. And frankly, if I'd seen that, I think I would have been tempted. My wife definitely would have been tempted. She definitely would have wanted to check out those 21 bathrooms and 5 bars.
CAROLE THERIAULT. How many bogs can you look at?
DAVID MCCLELLAND. Seriously?
GRAHAM CLULEY. No, but a house, $150 million house, Carole, you are going to want to check that out, aren't you? Come on, it'd be a nice day out.
CAROLE THERIAULT. Have you ever been to a big office? Right? You could just walk around all the stalls and go, oh look, I've seen 100 toilets. That's exciting.
GRAHAM CLULEY. I do remember once when we worked at a particular security company, Carole.
CAROLE THERIAULT. I know exactly what you're going to say.
GRAHAM CLULEY. When we did a survey of the quality of the lavatory paper in different—
CAROLE THERIAULT. To see if the head honchos had a 3-ply versus the 1-ply donated to the first floor workers. I won't reveal the results. I would be giving away too much.
GRAHAM CLULEY. Anyway, it is alleged that Zillow was asked by the real seller's lawyers to pull down the bogus information, but it took them over a week and they still hadn't done anything. And Zillow said, oh, you know, we go to great lengths.
CAROLE THERIAULT. First Amendment, First Amendment, First Amendment.
GRAHAM CLULEY. We only put— we really try and publish only correct and accurate data, but something went wrong. And the way in which they work, they say, is unfortunately, if someone's able to provide responses to the verification questions, they're able to claim the home, at least its entry on the website. And they don't manually check.
CAROLE THERIAULT. That's fucking insane.
GRAHAM CLULEY. But also they ask you the same questions over and over again. So if you try 4 or 5 times, Carole, you're going to know what the questions are, and so you can be prepared with the answers. If you really want to do this, you can do it.
CAROLE THERIAULT. Yeah, no, no, I just think the model's insane because Zillow's basically holding homeowners hostage by providing misleading, at times, information, which is actually affecting the market. And they're saying, oh, First Amendment, we don't have any responsibility for actually assuring that this information is right because it's a Zestimate.
GRAHAM CLULEY. Imagine you were a big property magnate in America, for instance. You had a number of properties. Maybe you had one in Mar-a-Lago down in Florida. Maybe you had some in New York. And you wanted to inflate their prices, you know, in order to convince Forbes that you should be on some top-ranking list of the biggest earners. You know, you might well just think, oh, I'll just go onto Zillow.
CAROLE THERIAULT. I would flip my beautiful golden locks from one side to the next and add a zero.
GRAHAM CLULEY. So this is our message for people who might find their homes on Zillow. Unfortunately, you can't ask them to remove your house's entry. We can ask them, they're just not necessarily going to do anything about it. The only thing it seems you can really do if you're worried about this is visit the site regularly to check your entry and hopefully claim it for yourself so that someone else doesn't mess around with it.
CAROLE THERIAULT. That's the worst advice, because then you're saying, okay, so then you're tied to that listing of your house and it's your job to make sure the information is correct on it.
GRAHAM CLULEY. Okay, Carole, what's your advice? Is your advice to launch a denial of service attack against Zillow so no one can get up there? Is that your plan? Or go and firebomb their offices?
CAROLE THERIAULT. Pass.
GRAHAM CLULEY. Oh, all right. Well, this current mega mansion, $150 million. They are asking for $60 million, 6-0 million, in damages against Zillow. So we will have to wait and see whether they manage to get any of that money out of them. Anyway, $60 million. Not bad, eh? I guess it's that much because... well, America, isn't it?
CAROLE THERIAULT. Chump change. Trump change.
GRAHAM CLULEY. Boom boom.
CAROLE THERIAULT. Firebombing their offices.
GRAHAM CLULEY. David, what's your story for us this week?
DAVID MCCLELLAND. Well, well, well. So, you know, when you guys got in touch with me last week to ask me onto the show this week, and you did say that Smashing Security had been, well, languishing in the gutter over the last few episodes, and you were hoping I could help it to rise above once again.
GRAHAM CLULEY. It was all Maria's fault. No, it wasn't. It was your fault, actually, Carole, wasn't it? What? With your pick of the week, with the rude words.
DAVID MCCLELLAND. Anyway, I'm flattered that you ask me, and I do love a good challenge, but not this week. So, as we all know, there is a ticking time bomb afflicting the UK that looks set to come to a mighty climax at the end of the month. I'm not talking about Brexit. After countless mass debates and government ministers—
GRAHAM CLULEY. Oh my goodness. What?
CAROLE THERIAULT. You're gorgeous. Carry on.
DAVID MCCLELLAND. As I was saying, after countless mass debates and government ministers endlessly shuffling backwards and forwards, the end of— What? The end of March marks the date from which UK internet users will have to verify their age before they can visit pornography websites.
GRAHAM CLULEY. What?
CAROLE THERIAULT. So is it banned for seniors now?
DAVID MCCLELLAND. No, no, no. You have to be 18 or above. Oh, right. So you're okay, Carole. You're okay.
GRAHAM CLULEY. She's more than okay. She was okay a long time ago.
CAROLE THERIAULT. Just wait till you see my pick of the week.
DAVID MCCLELLAND. Oh, okay, okay. So yeah, this is definitely not Brexit-related, but you could say that certain freedom of movement is being restricted as a result of this. So before it's too late, for those of you who do have a penchant more for dirty websites, I urge you to head right now to www.legislation.gov.uk and in particular to the Digital Economy Act 2017 Chapter 30 Part 3, where the government deals with lots of issues arising from online pornography. In particular, aside from lots of talk of statutory instruments (they sound pretty brutal if you ask me), the legislation introduces the concept of an age verification regulator.
GRAHAM CLULEY. Now— I'm definitely getting the horn over this, I tell you that.
DAVID MCCLELLAND. I'm glad to hear it. So whether you think this whole thing is a good idea or not about restricting access to online pornography for under-18s, whether you think that's a good thing or not, and there are arguments on both sides, there is a sticking point, and that is how on earth technically can this age verification be enforced across all of the different websites, all the different social media and dedicated sites that might serve up pornographic content, deliberately or otherwise, to under-18s? Now, the government minister in charge at the time was Matt Hancock. Perhaps he was a bit premature, should we say, by giving the world 9 months to try and figure it out. And he literally chucked it out there, didn't he, and said, hey, you guys have got 9 months until April 2018. You go away, you go and do that, it'll be fine, everything's fine. Anyway, anyway, needless to say, that didn't work. A few deadlines have kept on getting pushed back until now, it seems. And April, maybe around about Easter, seems to be about the time when the government is saying they're going to flick the switch on this.
GRAHAM CLULEY. So they're going to slip this in. They're planning to slip this in under the carpet.
CAROLE THERIAULT. Oh, Cluley, don't even compete.
GRAHAM CLULEY. No, I'm not trying to. But I mean, what I'm saying is that all of Britain is obsessed at the moment with Brexit. The current omni-shambles which is happening around that. So that's in all the headlines, whereas this story, which is going to affect a lot of people and would be of interest to them, it's not really getting very much coverage, is it?
CAROLE THERIAULT. Who's going to complain? Who's going to complain other than the places that provide porn or the kids that want access that they're underage?
GRAHAM CLULEY. Well, people will complain if they are concerned that their personal information may at some point be breached in the future, and it may come out that they've been accessing these sites.
DAVID MCCLELLAND. And that is the point here. It's about the consequences of this particular enforcement. So this week, one of the biggest players in online pornography, MindGeek, which owns the likes of YouPorn and Pornhub and many besides, apparently, it has developed a system called AgeID. And so what'll happen is, Graham, is that when you visit one of MindGeek's sites, you'll be directed to a, I guess, a non-pornographic AgeID website, where you will be asked to enter in an email address and password as your username and password to confirm your age by using a credit card, a passport, or a driving license. That in turn will then enable you to log into any sites that support AgeID. Did you get that, Graham? Are you clear on those instructions?
GRAHAM CLULEY. So that— so these sites, these AgeID sites, are going to ask me for credit card to prove that I'm old enough, or a pass— yes, they want I need to give them my credit card information or scan in my passport.
CAROLE THERIAULT. Nothing important, or your driver's license. No biggie. No biggie.
DAVID MCCLELLAND. So look, it doesn't take a lot of imagination to realize that this is potentially loaded with trouble. First of all, you know, it's going to encourage teens to visit perhaps less reputable sites, not those MindGeek sites, places where maybe, you know, these aren't being enforced, to download VPN software, for example, that, you know, I hear people do to bypass geographic IP address checks. And as we all know, not all VPN software is above board and looks after your data responsibly. And yes, of course, it will open the door, I can guarantee it, to phishing scams as fraudsters look to set up fake verification sites to capture credit card, passport details. They'll set up fake porn sites. Of course, this data's got to be stored somewhere. So that makes then, you know, it a big target for, um, for potential fraudsters and scammers wanting to hack into that database.
CAROLE THERIAULT. Yeah. Now listen, you both are parents. Is this something that worries you, that your kids might access porn before 18? Is like, who's really worried about that as a, as an issue?
GRAHAM CLULEY. My son is of an age where he wouldn't encounter this kind of stuff at the moment because he just wouldn't go browsing around. But, um, I certainly know older children who have accidentally accessed this kind of stuff and been quite shaken by it and not found it very pleasant.
DAVID MCCLELLAND. Absolutely.
CAROLE THERIAULT. So it's the landing on it, like by accident, and it's a shock. That makes sense. Yeah.
DAVID MCCLELLAND. And I think that that's one of the parts of this legislation in a way, because on the one hand, some people go, you know, very deliberately to seek out pornography online. And I'm not saying there's anything wrong with that at all. Many people say that's very, very healthy indeed. But it's when it's stumbled upon accidentally. And goodness knows there are quite a few websites that have got perfectly innocent-looking URLs when you type them in deliberately accidentally, whatever, then you are presented without any filter whatsoever with extreme hardcore, potentially shocking content. And that is the stuff that should absolutely have some clamps put down on it to protect innocent young eyes.
CAROLE THERIAULT. I was teaching an English class and showing them how to use the web. This is way back, and we used to use a search engine called Hotbot. So I'll let you know what happened. You can— in front of everyone.
GRAHAM CLULEY. Yeah. So my son has a Chromebook because he uses those at school and I've actually set it up to use something called the CleanBrowsing DNS. It's fairly easy to set it up. You just put it into the computer or on your router and that automatically blocks certain types of websites from being visited, whatever application might be using it. So you don't have to run any actual software on the computer, but just by changing the DNS records, it also puts things like Google into safe search mode and I think it does the same on YouTube as well, which can block some nastiness.
DAVID MCCLELLAND. And that sounds like a really, really good idea. And like you say, you could set that up either at your router side so it only uses that SafeSearch DNS or on a device-by-device basis perhaps as well. I would like the sound of that, Graham. Good call.
CAROLE THERIAULT. You're so smart, Graham.
DAVID MCCLELLAND. Yeah, you're so smart. You're so smart.
GRAHAM CLULEY. So, I mean, this is all going to be kicking off in April. We really think this is going to...
DAVID MCCLELLAND. Well, yes. So as late as autumn last year, the government was saying that they would hope to have it in place by Easter, which is quite late on in April this year. We don't know exactly when it's going to be dropping, but whenever it is, if I'm honest, I'm not sure this one's going to have a happy ending.
CAROLE THERIAULT. And societally—
GRAHAM CLULEY. Oh, goodness.
CAROLE THERIAULT. And we're going to have a lot of pent-up men who don't want to actually take part and give away their age information or driver's licence or passports running around the streets. Yeah.
GRAHAM CLULEY. Well, quite frankly, anyone who's going to unsavoury websites anyway should be using—
CAROLE THERIAULT. Porn isn't unsavoury.
GRAHAM CLULEY. Well, no, but they're—
DAVID MCCLELLAND. It's just adult.
GRAHAM CLULEY. All right, all right. But you know, if you may not want, for instance, your ISP knowing that you're going to these sort of sites. So presumably you're using a VPN anyway.
CAROLE THERIAULT. Yeah, so the VPN guy can know. Yeah.
GRAHAM CLULEY. The VPN guys are gonna start advertising. Well, no, some of the VPNs—
CAROLE THERIAULT. Some of them don't know, I know.
GRAHAM CLULEY. You know, the VPN guys are going to start advertising this as yet another reason why you want to use VPNs, aren't they?
DAVID MCCLELLAND. Yeah.
GRAHAM CLULEY. Maybe some good will come of it.
DAVID MCCLELLAND. Maybe there will be some good. For those sites that don't enforce this age restriction, there's some pretty hefty fines in place. You know, first of all, get blocked by all ISPs, but up to a quarter of a million pounds, which, you know, for many of these sites is going to be a big chunk of money for them.
GRAHAM CLULEY. And this, of course, will affect sites all around the world. You don't have to be a UK-based site. Based porn site.
DAVID MCCLELLAND. Exactly.
GRAHAM CLULEY. Wherever you are, if you are delivering content. So I wonder whether some sites may simply decide we don't want to get into this age ID thing. Let's just forget about the UK anyway, because they're not really intersex and we'll just concentrate on the Belgians. Carole, what's your story for us this week?
CAROLE THERIAULT. Come with me to Jackson County, Georgia.
GRAHAM CLULEY. Georgia.
CAROLE THERIAULT. Georgia. Jackson County is a quiet rural area in the southern US state with a population of about 64,000. They boast an impressive public library as one of its top tourist attractions. I'll show you. It's quite impressive.
DAVID MCCLELLAND. Take a look.
CAROLE THERIAULT. It's impressive.
GRAHAM CLULEY. I remember once I went on a trip to Zagreb and I thought, what am I going to do when I'm here? And I looked up on TripAdvisor, the top attractions. Number 1 was the cemetery.
CAROLE THERIAULT. Do you remember when we went to Geneva and on the top 10 was the world's longest bench?
GRAHAM CLULEY. Oh yes, yes, I remember the bench.
CAROLE THERIAULT. Yeah, we went and saw that. So Wednesday last week, bleary officials in Jackson County announced that they'd been hit by a ransomware attack. And it had managed to bring the entire fleet of computer systems to its knees. Now, the ransomware had hit on the 1st of March, 6 days earlier, and then they announced to the press. So you can imagine the hell the Jackson County IT team faced during those 5 or 6 days. Daily meetings, caffeine-laden systems, grumpy bosses, and they were probably blamed for not protecting against the attack. Now apparently the entire county's government email was fritzed. The only thing that was left standing was the 911 emergency system and its website, right? So you get the picture, they were waist deep in ransomware doo-doo. The sheriff in town, Janice Mangum, which drives me nuts because I bet she wishes she could change her name to Magnum, so close. Anyway, Janice Magnum said everything we have is down. We're doing our bookings the way we used to do it before computers. We're operating by paper in terms of reports, arrest bookings. We've continued to function, it's just more difficult. So Jackson officials don't sound super freaked out, but I bet this is a brave face for the press, right? It must have been a nightmare scenario inside. Now, they didn't confirm how hackers breached the network, all right, but some are speculating that it's the Ryuk ransomware. Um, this is a known but apparently undecryptable strain of ransomware that tags along with other botnets to creep into systems.
DAVID MCCLELLAND. Right.
GRAHAM CLULEY. So, only the bad guys can decrypt your data. You've gotta pay them to get your data back, right?
CAROLE THERIAULT. Exactly. Right. So, let me set the scene here. So, you're this small rural community in Jackson County. You've spent a week desperately trying to retrieve your files and data. You've had to announce to the press. And, you know, what do you do? Do you carry on or do you pay up?
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. Do you wanna make a call?
GRAHAM CLULEY. No backups. No backups.
CAROLE THERIAULT. There's not a lot of mention in the press about that. They don't seem to wanna be coming really clean, but I'm guessing that's probably an issue, right? Because they ended up shelling out $400,000 to get their files back. So I did some maths, and it works out to about $6, $6.25 per Jackson County resident. Okay, now put that in your back pocket because it's going to be important later, right?
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. So Jackson County official Kevin Poe said, we had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our systems rebuilt? Because I can count your 400,000 smackaroos down, but they have their data back, right? And most of us in cybersecurity would say, never pay, never pay, never pay, just say no.
GRAHAM CLULEY. I've got various thoughts about this. I think sometime, I mean, obviously in an ideal world, you would have a backup and you'd be able to recover and you'd be able to do it in a timely fashion and get your systems up and running. But I also think that businesses need to be a little bit pragmatic. And if they haven't got a backup, if there's nothing to restore, then maybe it is easier to pay. But I hate, hate the idea of paying.
CAROLE THERIAULT. Mel Gibson never paid in ransomware. He never said, he never gave in. He never gave in.
GRAHAM CLULEY. But I hate it. First of all, because the bad guys end up, you know, cashing out. They're doing great from it. But also it sends as a message to everybody, this is an organization that's prepared to pay. And who knows if they fixed whatever problem it was through which the ransomware came in in the first place, they may get hit next time and asked for $800,000.
DAVID MCCLELLAND. Yeah, and it's that long-term thinking, I think, that's very easy to dismiss when you are a public servant, you have all of your computers scrambled in front of you. And yeah, like you say, it's gonna cost more money to reestablish those systems to get things back up and running again, or you can write a check straight away, I can understand why they did pay. I hate the idea of it, but yeah, I can see that.
CAROLE THERIAULT. I'm very surprised actually by both your reactions because this was gonna be my big moment here. Okay. So you guys can just pretend to run with me.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Not yet. I'll tell you when. I'll say deep gasp now.
GRAHAM CLULEY. Okay. Okay.
DAVID MCCLELLAND. We practiced that. It's good.
CAROLE THERIAULT. You might remember the SamSam ransomware and in March it actually ended up taking down Atlanta's computer network. This is Jackson County's neighboring capital city. SamSam managed to knock out almost all of Atlanta's services. They couldn't issue warrants, process inmates, you know, court fee payments, accept online bill payments. It was all a bit of a mess. And to unlock the city systems and data, the hackers were demanding $51,000 in bitcoin— quite a lot less than what Jackson County was facing, right?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And do you know what Atlanta did? They refused to pay.
DAVID MCCLELLAND. Right.
CAROLE THERIAULT. So my question in doing the story was, what did that cost the residents? So I did a little digging and initial recovery costs seem to be pegged at just shy of $3 million. So how many people live in Atlanta? I look that up, half a million. So it works out to $6 per person. And if you remember, Jackson County's was $6.25 per person. So right now, it's pretty aligned. It doesn't seem to be any difference in terms of doing the right thing or doing the wrong thing. So you're kind of thinking everyone should do the right thing.
GRAHAM CLULEY. So did— how did Atlanta recover if they didn't pay? Did they have backups, or did they have people to reenter the data, or what occurred?
CAROLE THERIAULT. Well, Atlanta just announced last week that the cost estimate has changed a teeny tiny smidge. It's up from $3 million to—
DAVID MCCLELLAND. I'm getting ready—
CAROLE THERIAULT. an estimated $17 million.
GRAHAM CLULEY. Georgia!
CAROLE THERIAULT. Georgia! So the cost to residents is now 6 times as much as Jackson County, the rural town that paid the baddies to go away. Now Atlanta is coming clean in saying that it's revamping its systems to be more secure, and that is reflected in this $17 million price tag. But yeah, who wins, right? The upshot seems to be that it costs a shitload of money to do the right thing. And I'll tell you one thing, the thing I learned in all this is if you're an IT sec guy out there listening to this, IT sec guy or girl, head to Georgia because they got the money smashing security, they need you.
GRAHAM CLULEY. The other thing, I think we spoke about this maybe about a year ago or something in another podcast. There are some companies which say, we will help you recover from a ransomware infection. Give us your files. And they charge the organization an amount of money and they use some of it to pay the hackers. No. And they keep the profit. Of course they do.
CAROLE THERIAULT. Of course they do.
GRAHAM CLULEY. Which may look better PR-wise, I don't know, for the organizations who've been hit than simply paying the bad guys. It's basically protect your systems is what you're saying, Carole. Don't let this happen in the first place. Make sure you've got backups.
CAROLE THERIAULT. Exactly. Well, you know what? It's not just having backups, is it? It's having accessible. I can reload right away backups. I'm testing them monthly and I know it works. So, if anyone just grabs my systems, I know I might lose half a day's work for the company, whatever, but I'm not in that horrible scenario of going, "Oh no, I have backups, but..." And ironically, because we did a piece recently on cyber insurance, didn't we? Atlanta was saying, "And part of the $17 million is we now have cybercrime insurance." Yeah, it does make my blood boil.
DAVID MCCLELLAND. And before I did media-y stuff and talked about tech, I used to do tech, and I used to do, I used to do disaster recovery, business resilience, business continuity. And a backup isn't a backup until you've restored from it, and you need to make sure you understand your recovery time objectives and all, all that good stuff, how much data you're prepared to lose. And it seems to me that particularly in public services, that stuff just doesn't happen the way that it should.
CAROLE THERIAULT. So it's a bit of a quandary. So watch out out there. It's an interesting little story. How much does it cost the residents? Quite a fun game.
GRAHAM CLULEY. When the sugar hits the fan, it's all about how quickly you can get back up and running again.
DAVID MCCLELLAND. Isn't it right, Carole?
CAROLE THERIAULT. Oh, cutesy cutesy.
GRAHAM CLULEY. You found that with your iPhone, didn't you? When you dropped it down the loo or whatever happened.
CAROLE THERIAULT. If only I dropped it down the loo. It had like two sprinkles of water. I swear to God. That's the only thing I can think that happened. And it really crits, like scarily, like magenta, you know, lightning rods across the screen. But apparently I have insurance, so let's see what happens.
GRAHAM CLULEY. Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win. Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, and phishing, and much, much more. Grab it for yourself at smashingsecurity.com/mimecast. And thanks to Mimecast for supporting the show.
CAROLE THERIAULT. Quote, most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
DAVID MCCLELLAND. Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. Now, a couple of episodes ago, the lovely Maria recommended Tetris 99 on the news.
DAVID MCCLELLAND. Oh, she did?
CAROLE THERIAULT. Have you been playing it? Have you been playing it?
GRAHAM CLULEY. I played it a little bit. I haven't played it as much as I would like. I don't tend to get— Well, I just don't tend to get very much access to the Nintendo Switch because I'm sharing my house with a 7-year-old, correct?
CAROLE THERIAULT. Does your 7-year-old not go to bed?
GRAHAM CLULEY. Well, you know, I'm doing other things.
CAROLE THERIAULT. Are you one of those parents that has it in his room?
GRAHAM CLULEY. No, no, no, no, no. But it's— no, certainly not. No, no, no. Anyway, I don't need Tetris 99 anymore because I have discovered on Twitter an account called Emoji Tetra.
CAROLE THERIAULT. Okay, I'm checking it out.
DAVID MCCLELLAND. Clicking through.
CAROLE THERIAULT. Clicking through.
GRAHAM CLULEY. So Emoji Tetra is a Twitter bot written by a chap called Joe Sondow, and it uses Twitter polls so that the Twitter community can decide whether the falling block coming down the game of Tetris moves left, right, or twists, or drops. Now, and that's basically it. It is a way of playing multiplayer Tetris rather slowly, and it's all computerised and bot-ised, and I just thought, well, that's very cute.
CAROLE THERIAULT. I'm not— okay, I'm not sure I get it. I mean, I understand it's a game. I don't understand how it works. I'm looking at a GIF of it. I need to—
GRAHAM CLULEY. Okay, so you're looking at a GIF of the current situation, and what you are seeing is an L-shaped piece, which in the fullness of time will descend down the screen, right? And it would fill a little bit of gap there, and you would fill up all those hearts. You see the greens and the purples. You'd get a line there, but there would be a gap underneath. Now you could choose, Carole, to vote to rotate that?
DAVID MCCLELLAND. That's what I'm going with. I'm going to click on rotate.
GRAHAM CLULEY. I think that is the correct thing to do. So at the moment, 91% of people have chosen to rotate that piece. That is probably the most sensible thing to do. Now, you might then have to move it left, I'm suspecting, but we have to wait for the next one to come through. Looks like they happen every few minutes. And then we could drop it down and we would get two lines.
CAROLE THERIAULT. This information is going to be fascinatingly glorious for the gambling community to I don't understand how you guys, how the world chooses left, right, rotate, or down.
GRAHAM CLULEY. Well, I'm just saying you don't need a Nintendo Switch and multiplayer online support.
CAROLE THERIAULT. You just need Twitter because Twitter's amazing. Twitter's the best thing ever. Twitter, Twitter, Twitter, Twitter, Twitter.
GRAHAM CLULEY. You might be excited about Emoji Tetra. And then I discovered there's also the Emoji Snake game. So if you have—
CAROLE THERIAULT. I love Snake.
DAVID MCCLELLAND. I love it. Graham, that's not fair.
CAROLE THERIAULT. I like Twitter, but Snake. Snake.
GRAHAM CLULEY. So there's a snake going around. And you can decide whether to turn it left or right. And it's a group choice, right? It's every left or right, up, down. And yeah, how much fun is that?
DAVID MCCLELLAND. And this is the same guy again, is that John Sundover?
GRAHAM CLULEY. It's the same guy who's doing it. And I just thought, well, that's lovely.
CAROLE THERIAULT. Yeah. That's ingenuity.
GRAHAM CLULEY. How nice to see a positive, wonderful bot on Twitter rather than the normal Russian bots.
CAROLE THERIAULT. Well, you don't know that. How nice to see a wonderfully looking bot that seems to be doing no harm.
GRAHAM CLULEY. It's not spreading bile though, is it, Carole? It's not being unpleasant to people, trying to change their political views or anything that'll reinforce—
CAROLE THERIAULT. How do you know? Things are very hidden today.
GRAHAM CLULEY. Because it's a game of Snake and Tetris. That's why, Carole. Are you suggesting because it's Tetris, there's some Russian influence.
DAVID MCCLELLAND. What I should say is that the same guy, I've just done a bit of digging around on him. The same guy actually does a few of these bot accounts, and it seems as though one of the more popular ones, certainly more popular than Emoji Tetra and the Emoji Snake one, is Emoji Aquarium.
GRAHAM CLULEY. Yeah, I've checked that out. Yes, that's—
DAVID MCCLELLAND. it's got almost 20,000 followers on there.
GRAHAM CLULEY. David, what's your pick of the week?
DAVID MCCLELLAND. Well, we haven't talked about porn for a few minutes, so let's change that.
GRAHAM CLULEY. It normally takes me a few minutes to recover until I'm in the mood for it again, to be honest. But okay, right, so let's go for it.
DAVID MCCLELLAND. But this one, again, we're talking serious stuff here. So my pick of the week this week is a podcast— well, it's a couple of things, I suppose— by British author and documentarian Jon Ronson. Now, I first came across Jon's work, uh, via his book 'You've Been Publicly Shamed,' which is a brilliant read if you haven't come across it.
CAROLE THERIAULT. I've read it. It's wonderful. I found it— I love that stuff. Yeah.
DAVID MCCLELLAND. Yeah. So for those of you who haven't come across it, it is how social media, Twitter in particular, has essentially reinvigorated the centuries-old ritual of public shaming. So once upon a time—
CAROLE THERIAULT. shocking, actually. Yeah.
DAVID MCCLELLAND. When you were young, Graham, perhaps we used to lock petty criminals in the stocks in the town hall square and, you know, throw fruit at them. After a little bit of hiatus where society tried to convince itself that it was civilised, nowadays we're basically doing the same thing again, but this time on social media instead. So what Jon does in So You've Been Publicly Shamed is tell a number of toe-curling stories in the book through interviews with the victims, I guess, of how the mob descends and punishes those pretty ruthlessly who it deems worthy. The book's great, I've read it a couple of times. He reads the audiobook on Audible very well as well. But that's just the preamble, because speaking of Audible, Jon Ronson's recent projects have been serialized in podcast form, podcast documentaries, and one of them is called The Butterfly Effect, which for the avoidance of doubt is my pick of the week. So The Butterfly Effect, he explores how the web changed the porn industry and the ripple-on effect of that. So this isn't juvenile or seedy in the way that, you know, sometimes we talk about it on here. It's refreshingly—
GRAHAM CLULEY. Yes.
DAVID MCCLELLAND. Matter of fact. How dare you? All right, guilty as charged.
GRAHAM CLULEY. Shame him.
DAVID MCCLELLAND. Tomatoes out of tins before you throw them at me, please. So what it begins by doing is it starts by looking at the advent of freely available pornography on the web. So sites like Pornhub and those other MindGeek sites. And then it looks at the ripple effect, the so-called butterfly effect, that the availability of this free on-demand porn has had on society, on the adult entertainment business, a big business around that obviously, and of course on adolescents as well, on, on children who stumble across this material. Jon has a really sharp understanding of internet culture, and I really enjoy his analysis of how it impacts on so many facets of our lives, sometimes subtle, sometimes profound ways. So the podcast Butterfly Effect, The Last Days of August, which is a spin-off of that, and You've Been Publicly Shamed, they're all my pick of the week.
GRAHAM CLULEY. Ah, so awesome.
CAROLE THERIAULT. I have listened to The Butterfly Effect, which I really loved. I've read most of his books. I have read Publicly Shamed. I also read Psychopath Test. And Graham and I, with our partners, we bought tickets to see Jon Ronson in Oxford doing a reading of The Psychopath Test, or something, with special guest psychopaths, as I remember.
GRAHAM CLULEY. Oh no, they were victims of psychopaths, they weren't actually the psychopaths. Or were they? I can't remember now.
CAROLE THERIAULT. All I can say is I think he's great on audio. Audiobook. He's— his audiobooks are incredible because I really like his voice. I know not everyone loves it. I really love it. I find his, his cadence just really lovely. But, uh, yeah, there you go.
DAVID MCCLELLAND. He's, uh, he's done a TED Talk on So You've Been Publicly Shamed, and also he's on tour again in this country. He's based in the United States now, but he's on tour again talking about Butterfly Effect, Last Days of August, in May this year. So interesting feedback, I'm thinking of going to go and see him do this tour.
CAROLE THERIAULT. Do, do, and let us know what you think. Okay. Yeah.
GRAHAM CLULEY. We thought he was shit.
DAVID MCCLELLAND. But I love him. Oh, that's interesting, isn't it? It's interesting.
GRAHAM CLULEY. We were so looking forward to it, and maybe it just wasn't working for him that night, but it was just—
CAROLE THERIAULT. Hashtag being nice.
GRAHAM CLULEY. Yeah. Yeah. Well, you're not going to have me saying it was shit, are you? She's editing this up. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay, so I live in Oxford, and we have a few smarty pants Oxford professor friends. La di da, I know, I know, I know. No, you're not one of them. I don't even think you even went to uni. Okay, so one of them, get this, is a professor of quantum computing, right? And he came over here for dinner on Saturday night. Now, I can only assume that he sees us as a normal adult sees an 8-year-old. Like, honestly, like that we get the most basic concept but lacking any real depth of thought or anything. Because this might be the reason why he introduced us to howold.net, a Microsoft attempt to get in on the facial recognition party. No, I'm kidding. Am I?
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. So basically, the premise is simple. Upload a pic and let the algorithm do its work. And it gauges how old you are. So of course I loaded pics of both of you. I started with you, Clue. I started with you.
GRAHAM CLULEY. You uploaded my photograph to Microsoft.
CAROLE THERIAULT. Go back to episode 106, uh, you did the same to me. Okay, so I started with you, Cluley.
GRAHAM CLULEY. Okay, I've already got your excuses ready.
CAROLE THERIAULT. And I was— I was— I chose the picture that you looked the oldest in. I went along your site on grahamcluley.com. I looked for the picture that was the oldest, and guess what happened?
GRAHAM CLULEY. What happened?
CAROLE THERIAULT. They thought you were 37.
GRAHAM CLULEY. Thank you very much. It's because I don't have any wrinkles because I'm so fat.
CAROLE THERIAULT. So then I went on to, I went on to, uh, start page image search, right? Found a little pic of our friend David here. And, uh, David, I don't know how old you are, but I think you're, I think you're younger than what it thought. It said 44.
DAVID MCCLELLAND. Oh yeah, okay, interesting. Interesting. Yeah, I am younger than that, for the avoidance of doubt.
CAROLE THERIAULT. I thought for sure you were. Yeah. So I was thinking, okay, so of course then, you know, I thought maybe I should load myself up because hashtag be nice.
GRAHAM CLULEY. That's what we're waiting for.
CAROLE THERIAULT. And it wouldn't be fair if I didn't slap up my own mug. So I grabbed one from my local machine called Crawl.
GRAHAM CLULEY. Was it like an airbrushed photo? Was it one you had done at a studio?
CAROLE THERIAULT. No, no, no. I literally just— I just literally went to— I searched for my name, found No one slapped it up, okay? And I'm sorry, guys. I promise, hand on heart. And I'm really sorry because I came out rather well in this, okay?
GRAHAM CLULEY. Oh, forgive you.
CAROLE THERIAULT. Okay, are you ready?
GRAHAM CLULEY. What's it going to be?
CAROLE THERIAULT. Check it out.
DAVID MCCLELLAND. Oh my word.
GRAHAM CLULEY. And so it's saying 73.
DAVID MCCLELLAND. To be fair, to be fair. Be fair, Carole.
CAROLE THERIAULT. I know. Okay, so then I thought about it, right? 73 is a great age. My mom rocked 73. And besides, I think everyone plays the age game totally wrong. Isn't it much smarter to tell everyone that you're like a decade, or hell, decades older than you actually are, so they can marvel at your youthful appearance and physical abilities? So yeah, I'm 73. Hottest one in the room. Boom.
DAVID MCCLELLAND. I think this all says far more about Microsoft's really piss-poor AI than it does about any of our photos or ages.
CAROLE THERIAULT. Okay, honest, I freaked out, right? Of course, when it said 73, I totally freaked out. I freaked out and I madly searched for another picture, found this one, slapped it up, and it actually gave my correct age. 'Cause I did this, it gave it exactly.
GRAHAM CLULEY. Oh, but you're doing the kind of Princess Diana eyes there, aren't you?
CAROLE THERIAULT. They're the only two I have on my desktop, so they're the ones that I used. But it's— there's a 30-year age gap between the two. So, well done, Microsoft.
DAVID MCCLELLAND. High five.
CAROLE THERIAULT. Don't you love how they say— don't they say on it somewhere, like, I think they say, like, don't be mad if we got it wrong. Yeah, sorry if we didn't get it quite right. It says underneath the pictures.
DAVID MCCLELLAND. We are still improving this feature.
GRAHAM CLULEY. So do they actually ask you to enter what your real name is?
CAROLE THERIAULT. No, no, no. And I would never have done that. I obviously gave them yours. So I emailed them especially. But yeah, I kept David and mine private because we're not, we're not, yeah.
GRAHAM CLULEY. Because we're a student podcast. Good. Well, that just about wraps it up for this week. David, I'm sure lots of our listeners would love to follow you online and follow you on your travels. What's the best way for folks to do that?
DAVID MCCLELLAND. Well, on that there Twitter, I am @DavidMcClelland, all one word, two C's, three L's. Cross your fingers and hope for the best.
CAROLE THERIAULT. He's never said that before, ever, guys.
GRAHAM CLULEY. You can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can continue the discussion on Reddit. We've got a Reddit subreddit now, imaginatively titled Smashing Security. So just go looking for that and you can chat about things you've heard about on the podcast or tell us what we got wrong.
CAROLE THERIAULT. So huge warm hugs to our Smashing Security sponsors. LastPass and Mimecast. Their support helps us give you this show for free. And fist bumps to all our glorious listeners. Yes, you! If you like what you hear and want to help us grow, then do that leave a review thing. It really, really helps.
GRAHAM CLULEY. Until next week, cheerio, bye-bye, bye-bye. I forgot to say goodbye. Oh my goodness.
DAVID MCCLELLAND. I was waiting for you. Ladies first.
CAROLE THERIAULT. I know, I know, I know. That's very polite. And I just forgot. I'm still reeling from the 73.
DAVID MCCLELLAND. I really enjoyed his analysis in The Butterfly Effect in the last days of April as well. Sorry. Another podcast. Oh, I'm sorry. What is that noise?
GRAHAM CLULEY. I was trying to mute my microphone. It's my dog. My dog is underneath me and he's scratching rather loudly at the carpet.
CAROLE THERIAULT. So, okay, okay.
GRAHAM CLULEY. I was just trying to mute the microphone so it wouldn't put you off.
CAROLE THERIAULT. We just heard quack, quack, quack, quack. Okay, sorry, I didn't mean to interrupt you.
GRAHAM CLULEY. Carry on.
DAVID MCCLELLAND. I did wonder what was going on there. We'll just remove his audio. So yeah, John has
-- TRANSCRIPT ENDS --