This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Dave Bittner
Now, what drew their attention to this initially was one of the vendors of one of these alarm systems put up on their website that the security of their system was unhackable.
Carole Theriault
Ah, see, red flag to a bull.
Graham Cluley
That's also like, which instills confidence, isn't it? When you see a claim like that.
Dave Bittner
Yeah, that is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers—
Carole Theriault
Roll up your sleeves, lick your lips.
Dave Bittner
That is like red meat.
Graham Cluley
Yeah, oh really?
Dave Bittner
Watch this, hold my beer.
Unknown
Smashing Security, episode 122: The Big Fat Con at Office Depot, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 122. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
Hello, Carole. Strange way of pronouncing my name. What a peculiar person you are. And we are joined this week by a returning guest, one of our fan favorites, Dave Bittner from the CyberWire and Hacking Humans podcast. Hello, Dave.
Dave Bittner
Hello, hello. Nice to be back.
Carole Theriault
Fellow podcaster on the CyberWire and Hacking Humans.
Dave Bittner
Yeah, that's right.
Carole Theriault
I work with them as well because both of you do Hacking Humans.
Graham Cluley
So you both appear on that.
Dave Bittner
We do. Well, Carole does CyberWire as well. She's all over the place.
Graham Cluley
Oh, she is all over the place.
Carole Theriault
I can't get rid of her.
Dave Bittner
Yeah.
Graham Cluley
So Carole, what have we got coming up on the show this week?
Carole Theriault
Well, you, Graham, looks like you're going to get your IT ware serviced at Office Depot. Dave gives us the dirty down low on third-party car alarms. And I dive into a privacy dilemma specifically for apartment and condo dwellers.
Graham Cluley
Hmm.
Carole Theriault
All this and so much more coming up on Smashing Security. Hello, Graham.
Graham Cluley
I like how you script your hmm.
Carole Theriault
I know I did. I put it right in there.
Graham Cluley
Hmm. Now, chaps, chaps, we are all a little bit nerdy, at least, aren't we? I mean, we're into computers, we're savvy around the keyboard, we feel comfortable.
Carole Theriault
Not that nerdy.
Graham Cluley
But compared to the average person, compared to your Auntie Marge or she who works down the— She's not average.
Carole Theriault
Well, she's pretty awesome.
Graham Cluley
Is she? Oh, okay. But compared to the typical person, we probably know a little bit more. But there are so many people these days who are using computers and are dumbfounded when something goes wrong with them and they need some help. And if they don't have a nerd on call—
Carole Theriault
Or the nerd doesn't pick up.
Graham Cluley
Right. Yeah, yeah, totally. Tell me about it. Exactly. Oh, I recognize that mouth.
Dave Bittner
In my family, I say, I pick up the phone and I say, hello, Dave's Free Lifetime Unlimited Tech Support. Dave speaking. How may I help you?
Graham Cluley
Well, imagine you weren't related to Dave. What would you do? Chances are you might pop down to the local shopping mall and see whether there is a techie shop which is offering you a free PC health check.
Carole Theriault
Do they even exist anymore?
Graham Cluley
I don't think they do. They do exist, but it's weird, isn't it, that Currys sell computers? I always feel that's— I just think that's like trade descriptions. How can they advertise? They don't actually sell curries. But they do computers. It seems so wrong. But maybe in the United States you would go to a store like Office Depot or Office Max.
Carole Theriault
Oh yeah, I know Office Depot.
Graham Cluley
Right, where they have free PC health checks. And if you went there to get a free PC health check, or as they sometimes call it, a professional tune-up, and these are things which have been advertised on radio commercials and print and online. And normally they say, look, this is normally worth $19.99 or even as much as $60, but we're going to offer this to you for free if you come to Office Depot.
Carole Theriault
Right.
Carole Theriault
Ah, so the idea is bring in your computer, we'll do a quick scan on it, make sure it's, you know, make sure the basics are covered, and maybe you'll buy, you know, some printer paper.
Graham Cluley
Maybe you will, maybe you will, but you know, it's a friendly, generous thing to do.
Carole Theriault
Loss leader.
Graham Cluley
Yeah, you know, and obviously sometimes there'll be a problem with the computer as well, which, you know, they might be able to sell you some antivirus software or something.
Carole Theriault
Oh, totally. Yeah, good point.
Graham Cluley
So if you go in, you come across one of their experts and they will say, you know, when was the last time you had a professional tune-up done on your PC? I don't know what that means. No, well, that's the same with me. I've never had my PC professionally tuned up.
Carole Theriault
It's not a car.
Graham Cluley
So the answer is instantly you're just thinking, oh crumbs, you know, I haven't, you know, no, I've never done it. They can go, sharp intake of breath between the teeth.
Dave Bittner
You've never had your USB ports rotated?
Graham Cluley
Ooh. And so they run this program on your computer which will try and make your PC run faster or check for viruses, things like that. And the program they run, this PC Health Check program they run, first thing it does is it displays a message. It says, does your computer have any of the problems listed below? And it gives you 4 options. So it will either say frequent pop-ups or other problems preventing you from browsing the internet, or has it become much slower or too slow to use. There'll be a member of staff who's walking you through it, and so he's asking you questions. You may well be looking at the screen at the same time, but he or she is choosing—
Carole Theriault
Doing the tune-up.
Graham Cluley
Yeah, well, an expert, exactly. It's a professional tune-up. You wouldn't be doing this on your own.
Carole Theriault
Oh, a Currys or something where they sell computers, that kind of thing.
Graham Cluley
And it then says, you know, have you been warned of a virus infection or asked to pay for virus removal, or does your PC frequently crash? As if a Windows computer would frequently crash.
Carole Theriault
Never seen that ever in my life.
Graham Cluley
So you go through this process and maybe you answer some of those questions. Well, yes, that does something. My computer does crash sometimes, or it does seem a little bit slow. Well, the workers at Office Depot and OfficeMax— they're all part of the same company these days— they were selling this service, or rather they're giving this service away for free, but it was actually something which did bring in a decent amount of cash because at the end of the process, if there was a problem with the computer, they could sell you some kind of repair service. And PC Health Check was responsible for a substantial share of the store's tech service revenues. And in fact, staff were being encouraged all the time, if anyone comes through the door, really try and get them to bring their computer in so that we can take a look at it, work out what the problem is. Don't wait for them to come in with the computer saying they've got a problem, you know, encourage them, say, oh, you know, maybe you should get that checked out, let's make an appointment for you. Now, this PC health check software was created by a company called Support.com.
Carole Theriault
Sounds very legitimate and nice.
Graham Cluley
Yeah, they bought an expensive domain name there, probably, right? And Support.com, they have a website where the Office Depot staff can download the latest version of PC Health Check, and it would keep a record of when the software was downloaded and used by staff, and it would send those records to the management of Office Depot, allowing them to monitor and compare different stores' performance. You know, how many health checks are going on, right?
Carole Theriault
So, you know, is Dave, who works at this Office Depot, doing enough of these tune-ups compared to everybody else.
Graham Cluley
Exactly.
Carole Theriault
Right. So it's like employee monitoring kind of thing.
Graham Cluley
Right. And many of the staff were being incentivized with weekly goals as to how many PC health checks are you doing?
Carole Theriault
You too, employee of the week.
Graham Cluley
To be honest, this is all good, right? Because this is all helping people deal with problem PCs and maybe finding malware. You know, what could possibly go wrong with this? You know, it's fantastic news. What a great altruistic thing that Office Depot is doing. But, uh-huh, the PC Health Check software, when it did its quick malware scan, turns out it wasn't actually looking for any malware.
Carole Theriault
Okay.
Graham Cluley
It was actually producing a report describing the computer's security status as poor, and it would say it found malware symptoms or infections regardless of which checkboxes had been ticked. So if you remember at the beginning, I said there are 4 checkboxes at the beginning that say, does it sometimes slow down or does it sometimes crash? If any of those boxes were ticked, it would say you've got a problem and you've got a security problem, and you would be advised to get some costly diagnostic, repair and protection service, up to $180.
Carole Theriault
Hold on a second. Okay, so I go into Office Depot with my computer and I say, hey, something, check this out, you want to tune up, you're begging to look at it, here you go. They asked me one of those four questions. If I said no to all of them, nothing would happen, I guess. They'd say, oh, you're all fine. But if I said yes to any of them, it would just build a negative report on my machine saying it's infected.
Graham Cluley
It would show a little progress bar, as though it's scanning something.
Carole Theriault
As though it's scanning.
Graham Cluley
As though it was scanning something, and it would look at various things like the disk integrity, but including the security, and it would come up with the conclusion that your security was poor. And there was malware or malware symptoms on the computer.
Carole Theriault
Come with me. Let me bring you to the cybersecurity range available at Office Depot.
Graham Cluley
Understandably, in this day and age, people would be scared by that.
Dave Bittner
It's also kind of like asking a barber if you need a haircut.
Carole Theriault
Yeah.
Dave Bittner
Right?
Carole Theriault
Yeah. Yeah, exactly.
Graham Cluley
Right. Yeah, and so you'd end up paying maybe up to $180 and you'd get your copy of McAfee and you'd get 12 months' virus removal from Sophos. Feeling relieved. Yes, you'd be so grateful, thank the Lord.
Carole Theriault
Thank you for begging me to come in. You were so right.
Dave Bittner
You would be. I suppose you could make the argument that you would be leaving in a better position than when you came in, because now you might have some actual real antivirus running, whereas before you didn't.
Graham Cluley
You could say that. I mean, obviously you could also use some free antivirus or an antivirus of your choice, but it might be — I mean, $180 is a lot more than most people pay for antivirus software, isn't it? I guess that's because you've benefited from a professional tune-up, a professional check, which happened there.
Carole Theriault
You always trust that, those three little letters, pro.
Graham Cluley
So I dug into this and it turns out that from 2009 until June 2011, the Health Check software said your system could be infected with malware. For the next four years or so, it started to say it had found malware infections on your system, regardless of there being nothing there. And then from October 2015, it said it identified potential malware symptoms. So basically over time, PC Health Check became more aggressive with some of its reports. And so it became a little bit scarier for some periods of time. But here's the thing. The companies knew about this.
Carole Theriault
What? Office Depot?
Graham Cluley
Office Depot. Office Depot had known about this since 2012. In May 2013, OfficeMax even warned its stores that they shouldn't run the software, shouldn't run the PC Health Check after PCs had been serviced, because if they did that, the warning message would come up. So if you brought in your computer to get fixed and they fixed it, they actually told their staff, don't run the check again because it'll still say there's a problem on the computer.
Carole Theriault
So it was all smoke and mirrors, the whole thing.
Graham Cluley
Yes, Support.com even contacted the sales management team at Office Depot to remind them. By the way, this is the way the software works. It's unbelievable.
Carole Theriault
It's really gross. So Office Depot, have you — they have them?
Dave Bittner
We do. Yeah, there's one right down the street from where I stand right now.
Graham Cluley
Right.
Carole Theriault
Go shake your fist.
Dave Bittner
I will drive by and I will shake my fist angrily at them. Say, you rascals.
Graham Cluley
You won't be the only one who's annoyed because the staff working at the stores, they weren't oblivious to what was going wrong either. You know, some of them obviously were genuinely technical, rather than the typical person you meet in such stores. And some tried to blow the whistle. Some claimed it was deceptive practice. Some even left their jobs over this. Meanwhile, the ones who kept quiet were getting all these bonuses because they were bringing in the cash.
Carole Theriault
Oh, this is so disgusting. Oh.
Graham Cluley
Now eventually, in November 2016, one of these guys working at Office Depot went to the CBS TV show This Morning and said he blew the whistle, right? And they went undercover, they took computers into the stores to see what would happen. They even bought brand new computers from one Office Depot, drove around to the next Office Depot with that new computer, and were told, "Oh, oh, I love it, this is dodgy, poor security on this one." And I've actually got a clip right here where you can see some of that report: "Office Depot technicians repeatedly told us our computers were infected and that they could fix them for a hefty fee."
Dave Bittner
Actually, it looks like it's $180, right?
Carole Theriault
Okay, so this is what I need to get rid of that malware.
Graham Cluley
"The only problem? All the PCs were brand new and fresh out of the box. We even purchased one of the new computers" (there you go, guys) "at Office Depot. But when we brought it to technicians at a different store, malware symptoms were found in the machine. Office Depot employee Shane Barnett says his bosses ignored his repeated warnings and were more concerned about sales and quotas."
Dave Bittner
"I refused to do it. They're like, you have to hit these numbers. I'm like, I'm not going to make things up so you can hit your numbers. I'm not going to do it."
Graham Cluley
So really astonishing practice.
Dave Bittner
Well, and this is the sort of thing I think we've seen with auto repair shops before, where I've seen this exact same thing where your consumer advocate on your local TV station will— they'll take a brand new car just taken off the lot, and they'll take it over to a repair shop, and they'll get a little old lady to drive the car, or someone who looks like they might be an easy mark for these repair scammers. And they'll say, "Oh gosh, you know, you got a problem with your pressure release valve on your widget wadget."
Graham Cluley
And my dipstick had to be recalibrated once.
Dave Bittner
Yeah, how interesting that computers are the new frontier for this, right? I guess not that new.
Graham Cluley
I think that's a great comparison, though, because I mean, I know I'm absolutely clueless about cars. And, you know, I wouldn't have a clue if someone said to me, "Oh, something's wrong." You know, I'm just gonna have to give you the money.
Carole Theriault
Yeah.
Graham Cluley
And I guess it's the same for most people when it comes to computers. These are highly technical things which do require sometimes some maintenance, but that's out of the bounds of the typical user, isn't it?
Dave Bittner
Right. If you don't have someone you can run things by, well, you're going to be susceptible to these things.
Graham Cluley
Well, Support.com, who wrote the PC Health Check software, and Office Depot and Office Max, they made millions, tens of millions of dollars in revenue from this PC Health Check program. And until it got onto the TV screens, it'd been going on for something like 7 years, this scam. This week they have agreed to pay— there's been an FTC settlement, $25 million Office Depot is going to pay, and Support.com has agreed to pay $10 million for what they've done. They're not admitting any guilt.
Carole Theriault
Dave will moon them when he drives by next time.
Dave Bittner
Well, I do that already. I mean, that's standard operating procedure.
Carole Theriault
While driving? That's pretty hard.
Dave Bittner
I'm a man with many skills, Carole.
Graham Cluley
Dave, what's— Hitch up your trousers and tell us. Oh, thank you very much. What's your story for us this week?
Dave Bittner
Good thing we're not on YouTube. My story comes from a company called Pen Test Partners. They provide third-party testing and they provide verification of security. So these folks at Pen Test Partners, they took a look at third-party car alarm systems. So we hear stories about people with these fancy key fobs that can be cloned and someone could run off with your car.
Carole Theriault
Well, drive off.
Dave Bittner
Right, yes, thank you for that.
Carole Theriault
If you're carrying it, then wow.
Graham Cluley
That's right, that's right.
Dave Bittner
So people will install third-party alarm systems to try to make their car more safe. And what Pen Test Partners found was that some of these systems could actually make your vehicle less secure. Now what drew their attention to this initially was one of the vendors of one of these alarm systems put up on their website that the security of their system was unhackable.
Carole Theriault
Ah, see, red flag to a bull.
Graham Cluley
Yeah, that's also something which instills confidence, isn't it? When you see a claim like that.
Dave Bittner
That is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers—
Carole Theriault
Roll up your sleeves, lick your lips. Yeah.
Dave Bittner
That is red meat.
Graham Cluley
Yeah. Oh, really?
Dave Bittner
Watch this. Hold my beer. So what they did was they went and they purchased several of these systems and they fitted them to cars that were owned by some of the people who work there. And as everything does these days, these systems have an app, right? Everything has an app.
Graham Cluley
Oh yeah, you gotta have an app.
Dave Bittner
You gotta have an app. And that's where the trouble was. So the apps, turns out, had what's called an IDOR vulnerability. Graham, does that mean anything to you?
Graham Cluley
It's an insecure direct object reference. Yes. Are you impressed?
Carole Theriault
No.
Dave Bittner
I am very impressed. Carole, are you impressed?
Graham Cluley
No. It's not a peephole in a hotel room door. It's an eye door. No. Yes. But what it is, is it's a thing. So it's where you're passing a parameter, which may be the user ID, maybe as a number. And simply changing the number allows you to access someone else's account or information. So it's a very sloppy way of protecting accounts.
Carole Theriault
Yeah.
Graham Cluley
Yeah.
Dave Bittner
Right. Right. So the app had this vulnerability and basically what this meant was that the bad guys could get into someone's account. They could change that person's password. They could lock out the original user and have control of the alarm system's functionality. And speaking of functionality, you could use the app to first of all, search by vehicle type. So you could say, "I would really like to have a Land Rover." Okay. So you could look up and see Land Rovers.
Carole Theriault
So I see, let's say I see 50, I guess.
Dave Bittner
Yep.
Carole Theriault
Okay, then.
Dave Bittner
Yep, and you find one that's close to you on the map.
Carole Theriault
Oh, you have a GPS coordinate?
Dave Bittner
It tracks GPS real time.
Carole Theriault
Oh, gosh.
Dave Bittner
So you go, you find this vehicle, and you take over the account for it.
Graham Cluley
Yeah.
Dave Bittner
And once you have control of the account, you can set off the alarm. You can trigger the immobilizer. You can unlock the car doors. On some of these cars, you can kill the engine while the car is in motion.
Graham Cluley
Oh, that's not a problem.
Carole Theriault
Kill the engine?
Dave Bittner
What?
Graham Cluley
Why would you want that functionality anyway? Why have they built that in?
Dave Bittner
That is in there in case someone steals the car, that while the bad guy is driving the car away, you can shut the car down.
Carole Theriault
And he's pressing on the gas.
Graham Cluley
But I think that maybe that could be abused by someone.
Dave Bittner
No, no. Now, it gets better. And by better, I mean worse. Some of these systems have a built-in microphone to allow for SOS-type calls. And guess what the bad guys can do with a microphone?
Carole Theriault
Oh my God, can they eavesdrop?
Dave Bittner
They can!
Graham Cluley
No way! They can!
Dave Bittner
They can snoop on the passengers in the car through the mic. On some cars it also gives them access to the CAN bus. Are you guys familiar with that, with what that is?
Graham Cluley
No.
Dave Bittner
So the CAN bus is on modern cars, it is the internal network that the car uses for all the different systems to communicate with each other. You have, for example, some cars these days have automated cruise control. So the cruise control can communicate with the brakes, with the accelerator, with different sensors on the car, and they all tell each other, this is what's going on. Turns out that that system is unencrypted, and messages can be sent around in the clear on the CAN bus. So guess what happens when you give the alarm system access to the CAN bus? You have control over things like the brakes.
Graham Cluley
Oh, it's a good job these alarms are unhackable, isn't it? Yeah.
Carole Theriault
Thank God.
Dave Bittner
That would be a problem if they were.
Graham Cluley
Thankfully, the marketing team have assured us that it's unhackable. You know, we think it would be better if we said unhackable rather than hackable. You know, the nerds are like, well, I don't think you can really say that. Yeah, just leave it to us. Thank you. We're building the website. Yeah.
Dave Bittner
Pipe down, nerd boys.
Carole Theriault
There's such irony in this too, isn't there? Like they're saying, we're going to keep your car more secure by actually putting your life at risk.
Graham Cluley
Yes. You've spent money getting this other lock, the other alarm system and the app and all the rest of it, thinking I'm going to secure my car better and it's made it worse.
Carole Theriault
Graham, you know what, when he was talking about CAN buses or whatever, I was just thinking you should ask Dave next time you have a car problem. He seems to know a lot more than we do.
Graham Cluley
Do you often have a bit of oil on your hands? You a bit— are you a bit like Cooter in The Dukes of Hazzard?
Dave Bittner
Oh yeah, that's me, all right. Good, good.
Graham Cluley
Yeah.
Dave Bittner
That's right.
Dave Bittner
So, fortunately there is a happy ending to this story. Pen Test Partners did reach out to the companies involved, and to their credit, all the companies fixed these things within a matter of days. The vulnerabilities were easy to find, easy to fix, and they turned it around quickly and pushed out updates. As with everything, there could be people out there who have not yet updated their systems, and they estimated that there could have been about 3 million people who were vulnerable based on the number of installations. But yeah, really an interesting story. I actually interviewed one of the guys who did the research here, so if you're interested in hearing more about it, one of our CyberWire Research Saturday shows, you can go look it up. I guess we'll have a link in the notes as well. He tells the story, and it's a doozy. It's quite a story. Yeah, yeah.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
So I think the three of us all own houses, or at least we're in the agonizing process of handing over incredibly large chunks of money of our paychecks to pay for these said houses. And homeownership is really the American dream, isn't it? I mean, who wouldn't want to spend weekends trying to evict a zillion wasps from their attic or unclog a stinky drain? Or repave the driveway. I mean, so fun, guys.
Graham Cluley
So that's useful.
Dave Bittner
Living the dream. Living the dream.
Carole Theriault
And it's a pretty different lifestyle to those that live in condos or apartments because you don't need to worry about maintenance so much. I mean, I guess you pay for it, right? You pay a fee and then it gets all taken care of. And that means you can actually go to the park and do something fun instead of all these crazy jobs. And there seems to be a growing trend towards renting, and the reason is pretty simple: many people can't afford to buy where they work. Take the tech sector. They're a well-paid bunch comparatively, right, compared to other industries. And San Francisco is a big tech hub. Can you guess how many potatoes the average home in San Francisco costs?
Graham Cluley
So they buy things with potatoes now in San Francisco?
Carole Theriault
Yes. Read the news, Graham. Read the news.
Dave Bittner
Inflation's really bad.
Carole Theriault
So, yeah, $1.6 million is the average house price in San Francisco.
Dave Bittner
Wow.
Graham Cluley
Yeah.
Carole Theriault
And the average detached home in London, Cluley?
Graham Cluley
I have no idea.
Carole Theriault
Almost a million quid. 900 quid.
Graham Cluley
Really?
Carole Theriault
Yeah. So about a million dollars.
Graham Cluley
Insane.
Carole Theriault
So how many people in tech can afford those prices? Right. And if the techies can't afford it, you got to consider all the backbone of society, right? Teachers, cabbies, artists, cops, podcasters. We don't stand a chance. So all this to say, more and more of us are renting. But it seems that there's an unusual situation that renters might be facing that private house owners do not.
Graham Cluley
Is it where to keep all the potatoes? Is that the challenge?
Dave Bittner
Your potato larder.
Carole Theriault
Exactly. Yeah, you don't have a basement. Actually, it's an ethical dilemma and I thought we could noodle on it. So in the news this week was the Atlantic Plaza Towers. Now this is a 700-unit rent-stabilized apartment complex in Brooklyn. And they recently sent out letters to tenants saying they would soon be introducing facial recognition.
Graham Cluley
Oh, marvelous. They had a flyer from the management and it said, "Your daily access experience will be frictionless, meaning you touch nothing and show only your face. From now on, the doorway will just recognize you."
Carole Theriault
And a functioning camera system. So the question is, why is management forcing tenants to submit photographs for its new facial recognition system? Not all tenants are super pleased with this. Some of them are quite peed off, and they're talking to the housing rights attorneys and logging complaints. And I don't know, I wanted to know what you guys think. Do you think it's different having facial recognition versus CCTV? Because CCTV is kind of an invasion of privacy. So it's not a privacy thing so much. But facial recognition—
Graham Cluley
CCTV is introduced typically to improve security, isn't it? That's the argument is we will, if something bad happens, we'll have a record of it and we'll be able to follow up on it because we'll have some sort of video content which will be able to give to the cops. Right.
Carole Theriault
If the cops came over and said, "We'd like to see the CCTV footage from this time to this time," you can then look at it. But they are the ones who are coming to do the work. It's not basically taking a picture of every single person saying, "Dave Bittner at 9:02 has walked into the building."
Dave Bittner
And it's also not making your access to the building contingent on the ability to recognize you. With CCTV, I can wear a hat and sunglasses and a fake beard, and not that I do that every day, but I could, and still go about my business. With this, I couldn't get in the building without it actually recognizing who I am. Exactly. And there's another really interesting thing. So this New York Times journalist, Ginia Bellafante, wrote on this story a few days ago. And she says, "It is not an accident these systems would arrive in otherwise low-tech disadvantaged communities like Atlantic Plaza Towers."
Carole Theriault
And I thought, well, maybe these people are less likely to complain than say the hoi polloi living on Fifth Avenue. Right? It's going to be hard to find a replacement place to live. And then there's this other weird problem that comes up. Facial recognition may not be that reliable. Some studies that have been done by Stanford MIT find that gender and skin type bias is alive and kicking. So an examination of facial analysis software showed an error rate of 0.8 for light-skinned men. But 34% for dark-skinned women. So if 10 dark-skinned women walked in front of it, it would get it 3 to 4 wrong.
Graham Cluley
Yeah.
Carole Theriault
So, golly, if that— does that mean that if the facial recognition system doesn't recognize you because you happen to be a darker-skinned lady living in a rent-controlled apartment, can you not get access to the building?
Graham Cluley
So are they purely going to use facial recognition? There's no sort of backup system? There's no, well, if it won't let you in, you can use this fob, or you can ring the bell to get the security guard.
Dave Bittner
That's what I would imagine would happen, is the security guard is there also, just in— They'd have to be. Because what happens if you're outside the building and someone is out there chasing you or trying to do something bad to you, and you can't get in because it doesn't recognize your face? Well, now the apartment complex is in big trouble.
Carole Theriault
Yeah, exactly. Yeah, if Monique from apartment 920 can't get in her apartment, because the facial recognition system just says, "Oh, you're not her." I mean, what happens if, you know, something happened to your face, like you fell over, Graham, right?
Graham Cluley
What if? Yes, yes. Or what if I grabbed Dave Bittner in a headlock, had him under my arm, and yanked his head up to the camera to let me in?
Dave Bittner
Keep going.
Graham Cluley
Is that your dream? Huh?
Dave Bittner
I'm sorry.
Graham Cluley
I said it out loud. Yeah.
Dave Bittner
All right.
Carole Theriault
Another similar project, not without its own controversy, is called Project Greenlight. This is in Detroit.
Graham Cluley
Smashing Security.
Carole Theriault
This is a system of monitored interconnected security cameras outside businesses. It's been going for about three years. It's kind of a pilot to see if all this interconnectivity will help reduce crime. It started with only eight businesses, but now 400 businesses in the area are involved. I read somewhere, but don't quote the number, but I seem to remember somewhere it said that crime has gone down 11%. They're claiming because of this system. Now, it gets interesting because the Detroit Housing Commission and police are ironing out an agreement that will bring 26 real-time— that's what they call them instead of facial recognition— real-time cameras to Sheridan Place 1 and 2. These are two high-rise towers on Jefferson Avenue that cater to elderly and near-elderly community. And one of the problems is it needs a mobile phone. And not everybody, especially those that are older, have access to smartphones. Once again, it's security— security seems to be pitted against privacy.
Dave Bittner
I think there's an important component of this, which is for the three of us here talking, you know, three middle-aged white people, it'd be easy for us to overlook that there's a racial component to this, particularly here in the US, where in these rent-stabilized apartments a high percentage of these folks are going to be people of color, and they are rightfully sensitive to being kept track of by the police. Surveilled.
Carole Theriault
Yeah.
Dave Bittner
Surveilled by the police, by ICE. So I think there's a compelling case to be made that whether or not, regardless of the legality of this, that they have a justifiable sensitivity to this sort of surveillance.
Graham Cluley
Just to be devil's advocate for a second on that point though. If they had a fob or some other electronic means for gaining access to the building, that could be recorded as well. So that would just as easily say, oh, Brian Smith just entered the building at 7:03 PM or whatever, in the same way that facial recognition would. But for some reason, facial recognition gives us the jeepers a little bit more, doesn't it?
Carole Theriault
It does.
Dave Bittner
But also, if my cousin Lenny wants to get in the building, yeah, I can loan him my fob.
Graham Cluley
Yeah. Yes.
Dave Bittner
And I can't do that with facial recognition.
Carole Theriault
The fob is not compiling a list of my biometrics.
Graham Cluley
And don't forget John Travolta and Nicolas Cage when they swapped faces.
Dave Bittner
Well, there's that.
Graham Cluley
That got very confusing, didn't it?
Dave Bittner
That's not at all an edge case. No, that could happen.
Carole Theriault
I don't know. I think unless people make a stink about this, I think it's going to be the accepted norm sooner than later. And I think it's really unfair that people that live in apartments or in condos, I don't think it's even actually just for renters. I think anywhere where you have a shared space, this is now something that can be asked of you if you want to live in that building. It can be demanded of you as part of your contract.
Graham Cluley
And furthermore, facial recognition systems, you know, there seem to still be headlines about them being fooled or tricked or into thinking they're seeing someone and they're actually seeing someone else instead. You know, there's ways to get around them. And I can't imagine that they're going to have a terribly expensive, top-quality system in this particular property.
Dave Bittner
And when they say they're not going to share any of this information with anyone, well, my response would be, prove it.
Carole Theriault
We're unhackable, right? No one's gonna get to our very, very secure, unhackable servers.
Graham Cluley
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence.
Carole Theriault
Quote: "Most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts." Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
Graham Cluley
And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security-related necessarily.
Carole Theriault
Better not be, boys.
Graham Cluley
And my pick of the week this week comes from the Scottish Highlands. Aye, it's a Breard Brook McTaggart tonight and a Bonnie Hoots McGonigle, because I'm going to tell you about a 71-year-old woman called Jo Cameron, and she apparently, according to media reports, is one of only two people in the world known to have a rare genetic mutation. No, not a mutation that makes her Scottish, a mutation that means she feels no pain at all.
Carole Theriault
Oh, yes, there's only one of two in the world.
Graham Cluley
So she— so it is claimed by no less an illustrious organ than the BBC News website. So I'm going to believe them.
Carole Theriault
Yeah, I listened to a show on BBC, actually, all about— there's a big pain research center in Oxford, actually, that does this kind of stuff, and there was someone in there that didn't feel any pain. Maybe he was the other person.
Graham Cluley
There's a pain research center in Oxford? What do they get up to?
Carole Theriault
Yeah, at one of the universities. So they basically shock you and do different levels of pain. Some of it can be quite intense, and then it's to help to see, understand if this— how a shockwave that I could take would make you pass out. Yeah, right?
Graham Cluley
So is it electric or is it— Yeah, electric. They drop something on your foot or what? What do they do?
Carole Theriault
Yeah, they have a sledgehammer. They have a sledgehammer and they sledgehammer your hand and then they see how you react.
Graham Cluley
Is this legal to inflict this kind of pain?
Dave Bittner
Well, you got to read the EULA. It's in there.
Graham Cluley
It's the sort of thing you expect business executives to pay good money for. But you're saying this is some research project.
Carole Theriault
Anyway, I was stealing your story.
Graham Cluley
Go back to your story. All right, no, I'm fascinated. Anyway, Jo Cameron, apparently she only realizes her skin is burning when she's doing the ironing, when she smells the singed flesh. Wow.
Carole Theriault
It's like Heroes, the woman in Heroes, the girl in Heroes.
Graham Cluley
The cheerleader, save the cheerleader, save the world. It also means that she never feels anxious or afraid. So there's some good aspects to it potentially.
Dave Bittner
Oh, wow.
Graham Cluley
She only figured out she was different when she was about 65 because she was having some operations for osteoarthritis and the doctor kept asking her, are you in any pain? They kept on sending her to hospital because she would walk and she'd claim her hip would come out. And the hospital would say, well, does it hurt? And she'd say no. So they said, well, come back when it hurts. And her hip would keep popping out. And eventually they thought, we've got to get rid of this woman. We'll X-ray her. And they thought, oh, you've actually got quite serious problems. But the no pain gene has meant that she wasn't aware of them. So it's quite an interesting little story about actually how important pain can be.
Dave Bittner
I read this story this week too, and I think it's fascinating. And the other little details that caught my eye, one was that she doesn't scar the way most people do.
Graham Cluley
Really?
Dave Bittner
And also, because of her lack of anxiety, she spent some of her professional career working with folks who have developmental disabilities, who could be violent or unpredictable, and it just didn't bother her. She was fine where other people would be upset or would feel anxious about this, she could just roll with it and just be fine.
Graham Cluley
Well, I don't know what she did for a living, but it seems to me that maybe she should have been hired by someone like the SAS or Delta Force to go into dangerous places and sort out the baddies. Because she would have been like Schwarzenegger, wouldn't she?
Dave Bittner
Yeah.
Graham Cluley
Dave, what's your pick of the week?
Dave Bittner
Well, I have a fascination with abandoned things.
Carole Theriault
And I was thinking dirty socks, tissues.
Dave Bittner
But no, no, no, no, no, no, no. Like how you're driving along in the country and you see a house that has fallen into disrepair. And I wonder how could that happen? How could something as substantial as a house, something with as much value as a house, how a beautiful farmhouse? How does it fall into disrepair? And not long ago, I was watching a video on YouTube I'd wandered across where someone was exploring an abandoned house, and one thing led to another, and the next thing I knew, I was watching videos with people who were exploring abandoned gold mines in the American West. Now, I didn't know this was a thing, but I found myself fascinated with this and hooked on these videos. And I've included a link to one of my favorite gold explorers, and his channel is called TVR Exploring. And he goes through— they find these old abandoned gold mines, and these can be 100 years old, and some of them are quite dodgy. They're— these are risky places to be. And they go back hundreds of thousands of feet into these mountains, and there's pits, and sometimes they'll find old abandoned ore carts and boxes full of dynamite and things like that. Yeah, I was watching one of them and I was trying to figure out why do I like these so much? Why is this so much fun for me? Why is this thrilling? And the guy who does these, he came to— he was in one of these mines and he's going down this long, long tunnel and he gets to a split in the tunnel. There's a fork in the road, right? There's a tunnel going off to the left. There's a tunnel going off to the right. And he says, well, which way should I go? And then it struck me. Graham, do you remember the first game you ever played on a computer?
Graham Cluley
Very first one.
Dave Bittner
Like an 8-bit computer, you know?
Graham Cluley
Yeah, they were— they were like text games because they weren't video— like text adventure games.
Dave Bittner
Like Zork. Right, exactly.
Graham Cluley
Yeah, yeah, yeah, twisty windy passages.
Dave Bittner
Well, the first game that I remember playing on a TRS-80 Model 1 was called Lost Dutchman's Gold. And it was— you would go and explore in an old abandoned mine and you were looking for the Lost Dutchman's Gold. And so I found myself thinking when we're at this fork in the road in this video and the guy, which way should we go? And I found myself thinking, go east, go east, get lantern. I'm playing along.
Graham Cluley
It's like, oh my, watch out for the grue.
Dave Bittner
There's a monster just around the corner. So spelunking. That's what you're doing.
Carole Theriault
Yes.
Dave Bittner
Now.
Graham Cluley
Yes.
Dave Bittner
Turns out you can play Lost Dutchman's Gold online. And I have a link for it here. The original text adventure game. It is available. It's a UK site, BBC Micro.
Carole Theriault
I'm starting now. I'm playing right now.
Graham Cluley
Oh, it's in a little emulator in your browser and it's like it's emulating a BBC computer. This is fantastic.
Carole Theriault
Yes. I hope you don't end up a ghost like me.
Graham Cluley
Yes.
Carole Theriault
Press space. Do what? There's saddlebags.
Dave Bittner
Yeah. Imagine 10-year-old version of me being completely drawn in by this. And I was hooked from that point on. So the combination of videos exploring old mines and the Lost Dutchman's Gold text adventure game combined to make my pick of the week.
Graham Cluley
This is totally cool, Dave. I'm playing it right now. And the language is like, rather than say, I can't do that, it says, I can't tell what you want. It's really in character. It's fantastic. So, Carole, what's your pick of the week?
Carole Theriault
So some of you might have enjoyed the Dirty John podcast. I may have actually had it as a pick of the week in the past. So it's produced a few years back by Wondery. And it's not porny. It's a fascinating look at crazy human behavior.
Graham Cluley
What's the premise of the show? I haven't heard Dirty John.
Carole Theriault
Dirty John? Well, Dirty John is about this guy called John Meehan. He's a pretty good-looking medical professional who seems to really have a way with the ladies. Or does he just really know how to pick his targets? You need to decide. So I think that Wondery was able to sell its rights to Netflix because Netflix last year put together an 8-part drama on Dirty John. Wasn't my favorite thing. But a few weeks ago, they put out a Dirty John documentary. It's called Dirty John: The Dirty Truth. And this is face-to-camera interviews with all the people closest to John Meehan and what role they played in it and how they were impacted by his behavior.
Dave Bittner
So is this guy a pickup artist?
Carole Theriault
I kind of don't want to give it away.
Dave Bittner
Oh, okay.
Graham Cluley
I kind of—
Carole Theriault
Because it's kind of shocking. You remember Staircase, Graham? We watched that. It's much shorter. It's only an hour and a half or so. So it's on par with that. I was watching with my husband. We'd stop it and just go, what the f—
Graham Cluley
And can we just watch the documentary if we haven't heard the— yeah, yeah, yeah, totally.
Carole Theriault
Oh, okay. Totally.
Graham Cluley
You want to watch the drama, do it first, then listen to the entry.
Carole Theriault
Don't do it the other way around.
Graham Cluley
Drama, shama, llama.
Carole Theriault
Yeah, yeah. So yeah, so my pick of the week is all things Dirty John related. Go to Netflix or go to Wondery to hit up the podcast. And I actually will— in the show notes, I'm also going to put an article from Bazaar that actually details out the timeline, because once you've read it and listened to it or watched it, you're gonna go, what?
Dave Bittner
How?
Carole Theriault
And then when they have it all outlined, you're like, aha. So I hope I have piqued your interest.
Graham Cluley
You have intrigued me, Carole.
Carole Theriault
Yeah, I think you'll like it, Mr. Cluley. I think you'll like it.
Graham Cluley
Okay, I may well check it out in the next couple of days. Thank you very much. And that just about wraps it up for this week. Dave, thank you for coming on the show this week. If people want to find out more about you and what you get up to, what's the best way to do that?
Dave Bittner
You can go to thecyberwire.com to find out everything there. I am @DaveBittner on Twitter.
Graham Cluley
Superb. And we are on Twitter as well. We're at @SmashInSecurity, no G. Twitter wouldn't allow us to have a G. And we have an active discussion group up on Reddit. You can get to our subreddit very easily by going to smashingsecurity.com/reddit.
Carole Theriault
Bittner on Twitter. And hat tip to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And thank you, lovely listeners. Where would we be without you? If you like what you hear and you want to help us grow, tell your friends about the show or leave us a nice review. It all really, really helps.
Graham Cluley
And you can check out smashingsecurity.com for past episodes and for details how to get in touch with us. Until next week, cheerio, bye-bye.
Carole Theriault
Bye. Right, take the sec— take sector. Take the tech sector. It's hard to say. Take the tech sector.
EPISODE DESCRIPTION:
Office Depot and OfficeMax are fined millions for tricking customers into thinking their computers were infected with malware, car alarms can make your vehicle less secure, and facial recognition in apartment blocks comes under the microscope.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.