WannaCry's "accidental hero" pleads guilty to malware charges, Samsung and Nokia have fingerprint fumbles, the NCSC publishes a list of 100,000 dreadful passwords, and Apple finds itself at the centre of an identity mix-up.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.
Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: John Hawes.
Sponsored By:
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Go to smashingsecurity.com/metacompliance. Promo Code: SMASHING
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps. But LastPass isn't just for enterprises, it's an equally great solution for business teams, families and single users. Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- "Gents! Stop airdropping your pics!" — Smashing Security episode 038, where we discussed the arrest of Marcus Hutchins.
- Marcus Hutchins plea agreement — PDF
- Statement from Marcus Hutchins (aka MalwareTech)
- "Stick to the good side." — Marcus Hutchins on Twitter.
- The Samsung Galaxy S10's ultrasonic fingerprint scanner is hacked — Graham Cluley.
- Video of Nokia 9's fingerprint sensor failure — Decoded Pixel on Twitter.
- Nokia 9 buggy update lets anyone bypass fingerprint scanner with a pack of gum — ZDNet.
- Most hacked passwords revealed as UK cyber survey exposes gaps in online security — NCSC.
- Facebook hoovered up 1.5 million users' email contacts without permission... "unintentionally" — Graham Cluley.
- Facebook: we logged 100x more Instagram plaintext passwords than we thought — Naked Security.
- Second Payment Services Directive (PSD2): 8 things businesses needs to know — Information Age.
- Teen sues Apple over accusations of Apple Store thefts — 9to5Mac
- Student Sues Apple for $1 Billion, Blames Face-Recognition Tech for False Arrest — Insurance Journal.
- Thunderbirds - 50th Anniversary Specials — Century 21 films
- Thunderbirds 1965 - Documentary — YouTube.
- Clash Royale: Enter the Arena.
- Oxfordshire Artweeks.
- Details of Carole and John's exhibition — Oxfordshire Artweeks.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Both John Hawes and I club together and are presenting our stuff at a venue.
GRAHAM CLULEY. Oh my goodness.
JOHN HAWES. It's very exciting.
CAROLE THERIAULT. I know. And John is doing—
GRAHAM CLULEY. It's not nude modeling, is he?
CAROLE THERIAULT. He is. He's doing nude modeling.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Let me send you a link, Graham.
UNKNOWN. No, no, no, no, please don't. No, no, no. Please, no, no, please. Smashing Security, Episode 125: Pick of the Thief, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 125. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello. How was Easter? Did you fatten up on chocolate?
GRAHAM CLULEY. No, no, no. I've, I'm not, I'm not someone who eats chocolate anymore. Oh. Or sweets.
JOHN HAWES. Yes.
GRAHAM CLULEY. Oh. It's, it's day 2 in the Cluley household. There's no chocolate being eaten.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Wow. Okay.
GRAHAM CLULEY. Yeah. I'm doing pretty incredibly well.
JOHN HAWES. Well done.
GRAHAM CLULEY. Thank you very much. And further cause for celebration is that we are joined by a special guest, Mr. John Hawes from AMTSO. Hello. Hello.
CAROLE THERIAULT. Hi, John.
GRAHAM CLULEY. Good to have you back, John.
JOHN HAWES. Good to be here.
GRAHAM CLULEY. Now, has anything crazy been happening over the Easter break in the world of computer security? Quite a lot as it happens, and some of it we're gonna be talking about today.
CAROLE THERIAULT. Thank God, otherwise we wouldn't have much to talk about today.
GRAHAM CLULEY. Well, one of the things which happened, Carole, have you heard of Marcus Hutchins?
CAROLE THERIAULT. What, Michael Hutchins from InXS?
GRAHAM CLULEY. That's right, yes. Also known as MalwareTech.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. Yes, different one.
JOHN HAWES. That's a different person.
GRAHAM CLULEY. He is the chap, the accidental hero, who defeated WannaCry, if you remember that from a year ago.
CAROLE THERIAULT. Well, hero, quote unquote.
GRAHAM CLULEY. In his own words, accidental hero, because he registered a domain name which crippled WannaCry and stopped it from causing even more problems for the likes of the National Health Service. He, of course, was arrested in the United States.
CAROLE THERIAULT. That's right.
GRAHAM CLULEY. As he attempted to fly back to the UK from the Black Hat conference. And in August 2017, as we discussed way back on episode 38, he pleaded not guilty to charges related to writing and potentially selling malware called Kronos.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Now, he got a lot of support from the tech community, some of whom donated money to his defense fund. And plot twist, he has now done a plea deal and admitted that he did create, and in partnership with someone else called Vinny K, sell malware between 2012 and 2016.
CAROLE THERIAULT. That doesn't necessarily mean that he is 100% guilty, though. Knowing the little that I know about the American system, 98% of cases are pled out, and often you're facing such huge incarceration or such long sentences that it's not worth trying to fight for your innocence.
JOHN HAWES. Like 170 years and things.
CAROLE THERIAULT. Yeah, versus doing two.
GRAHAM CLULEY. He did have something like about, I think it was like 10 or 12 charges against him, and he's only pleaded guilty to two of them.
CAROLE THERIAULT. Exactly. And he'd probably be facing doing those consecutively, right? That would be a risk.
GRAHAM CLULEY. I don't know if it would've been, but anyway, he has made a public statement where he says he regrets what he did and accepts full responsibility for his mistakes. He says it was in his years prior to his career in security. It's interesting seeing how people have responded. Some people have said, "You're a bad man, Mr. Grinch. You know, you've done bad. You could never be good." Other people think very much, "Oh, he should be forgiven for what he did in his youth," although he wasn't that young. He was still doing these kind of things when he was about 21, 22.
CAROLE THERIAULT. So he's owning up to it. He's saying publicly, mea culpa, dudes.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. Okay, that's a different story.
GRAHAM CLULEY. And he's also said that there is a misconception that to be a security expert, you must dabble in the dark side. He says it's not true. You can learn everything you need to know legally. Stick to the good side. Quite sort of wise words. We will link to the court documents. We can read more about the case if you're interested in the show notes. My guess is he's going to end up with some time in jail. He's already been stuck out in the States for a long time, but I'd imagine maybe he'll get like 6 months to 12 months or something in jail before he eventually comes back.
JOHN HAWES. He might get off with time served.
GRAHAM CLULEY. Yeah, look at it kind of cynically. Potentially this could also make him, couldn't it? Because it makes him all the more notorious. He became an internet celebrity through the WannaCry thing, then his arrest, and now through this as well. May end up on the speaking circuit, who knows? Anyway, one of the hot stories going on in the world of computing right now. What else we got coming up on this episode of Smashing Security, Carole?
CAROLE THERIAULT. Well, on this episode, Graham, you are talking about a rather unusual way to bypass fingerprint security. John's delving into the truth about how we use passwords, the good and the bad. And I'm looking at how some young guy is planning to get payback from an identity theft snafu. All this and so much more coming up on Smashing Security. Smashing Security.
GRAHAM CLULEY. So chaps, I don't know if you're aware, but there have been some changes in the way recently smartphones have been handling fingerprint scanning. In the original days, I mean, I think probably most famously we had Touch ID, didn't we, on the old Apple iPhones? It was part of the case, as it were. It was part of— on the bevel, wasn't it? There was a big round circle which you pressed to scan your fingerprint. Well, more modern smartphones like the Samsung Galaxy now actually have an in-screen fingerprint scanner. So last month—
CAROLE THERIAULT. What, the entire screen can take your fingerprint?
GRAHAM CLULEY. No, no.
CAROLE THERIAULT. Or just in one location?
GRAHAM CLULEY. There'll just be a part of the screen. So it's not a physical button. You just touch the actual visible screen where it's displaying a fingerprint icon, and that will scan your fingerprint. You see, it's really clever technology, right? If it works. Now, last month, the Samsung Galaxy S10 came out, and one of its big features was its next-generation vault-like security with its ultrasonic fingerprint scanner fused directly onto its front screen, which it said could even work when your hand was wet.
CAROLE THERIAULT. Ultrasonic.
GRAHAM CLULEY. Ultrasonic, because a scanner which is working through the screen, my understanding is it has to work in a different way because obviously you're touching glass rather than something on the edge. I don't really know how this works, Carole, I should be honest. Let me refer to the blurb from Samsung themselves. They say, using ultrasonic pulses, we detect the 3D ridges and valleys of your fingerprint, so only you can access your phone. It's secure and convenient, they say.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Sounds great, doesn't it? Mm.
CAROLE THERIAULT. Okay. I feel I can understand what maybe the bypass is, but I'm going to wait. I'll wait and I'll tell you if I was right or wrong.
GRAHAM CLULEY. Okay. Well, so what happened was a couple of weeks ago, so just a couple of weeks after this phone came out, an Imgur user called Darkshark, he posted a video demonstrating how he was able to unlock the Samsung Galaxy S10 with a 3D copy of his fingerprint. And he was able to make this at home. He captured a photograph of a print he had left on a wine glass, and he then sort of printed it onto the finger of some gloves. And he was able to give these rubber gloves to people and they could open his phone. And the outcome of all this was he said, well, look, there's nothing really stopping me stealing your fingerprints without you ever knowing, then printing gloves of your fingerprints, and I can go about and commit crimes and break into your phone. Okay. And some people said, well, hey, whoa, whoa, whoa. They said, well, where are you gonna get our fingerprints from?
CAROLE THERIAULT. Do you want a drink? Surely? You could just, not very hard, okay.
GRAHAM CLULEY. Well, there's that way, but also you could just steal your phone because your phone, everybody's phone is gonna be covered in their fingerprints, isn't it? Unless you're wearing gloves, Carole.
CAROLE THERIAULT. Is he walking around with one of those posh little CSI brushes to find the fingerprint?
GRAHAM CLULEY. No, no, no, no, listen. If he just steals your phone, he takes it back to his lair inside the volcano where he then gets the photograph of your fingerprint and creates his gloves, right? So phones are being lost all the time and they're covered in fingerprints. They're covered in the very thing that you use to unlock it.
CAROLE THERIAULT. I got you. So phones are actually considered maybe less of a commodity now that they're so hard to break into. And he has found a way to make them viable again because he can break in.
GRAHAM CLULEY. Certainly in the case of this one, yeah. And it turned out to be ridiculously easy. He said that he could do it in about 3 minutes with his 3D printer.
JOHN HAWES. It makes stealing phones worthwhile again, basically.
CAROLE THERIAULT. Yeah, right, right.
GRAHAM CLULEY. Yeah.
JOHN HAWES. Wasn't there a similar thing with the— I think it was the iPhone first added their fingerprint reader that people were doing it with gummy bears.
GRAHAM CLULEY. Maybe, I don't know. I think maybe the Chaos Club in Germany, I think maybe they had managed to do this with some smartphones as well. It's just that the ease and speed with which he was able to do this, and it didn't require a lot of technical know-how from the sound of things, required a decent 3D printer to create these things. Now, I thought that would be hard to beat. I thought, well, that sounds pretty impressive. Here we've got new technology which has been vaunted as more secure than past fingerprint technology, turned out to be not very good at all. And Samsung hopefully are going to release an update. And then the Nokia 9 PureView Android smartphone came out. An update was pushed out to this in the last couple of weeks, which purportedly improved its in-screen again. So it's inside the screen fingerprint scanner.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And a number of users discovered there was a problem with this, including a British user interface developer from Birmingham who calls himself—
CAROLE THERIAULT. Birmingham.
GRAHAM CLULEY. He calls himself Decoded Pixel on Twitter.
CAROLE THERIAULT. And, um, that's pretty good, actually.
GRAHAM CLULEY. Thank you very much. Um, and he found, and he made a little video, that the Nokia 9 smartphone can be unlocked by anyone. Oh, doesn't matter if you have even fingers or not. In fact, Decoded Pixel discovered that it could be unlocked by someone wearing leather gloves or even something as banal as a packet of chewing gum.
CAROLE THERIAULT. Well, leather gloves sounds easier than chewing gum.
GRAHAM CLULEY. Well, you might just have a packet of chewing gum in your pocket. You may not be wearing it. It's a hot day, Carole. You may not be wearing leather gloves.
CAROLE THERIAULT. Do you mean chewing gum?
GRAHAM CLULEY. No, no, no.
CAROLE THERIAULT. Or do you mean like the packet?
GRAHAM CLULEY. Just the packet.
JOHN HAWES. It is vaguely finger-shaped, I guess, a packet.
GRAHAM CLULEY. Maybe. You could probably mould it into that sort of shape if it isn't, I suppose. So he's made this video and you can go and check it out online and we'll link to it in the show notes again, where there's a locked phone. And he demonstrates, first of all, himself unlocking it with his thumb. And then he takes a packet of chewing gum, plonks it on the screen, and it recognizes that as his finger. And then he tries it with a coin, and he even got someone else's finger involved in the video, a stunt finger, which unlocked it as well. And lots of other users of the Nokia 9 are discovering this as well. So the actual smartphone fingerprint scanner, which was supposedly updated, appears to be weaker.
JOHN HAWES. Just completely pointless.
GRAHAM CLULEY. It's not been upgraded at all. It looks like it's completely feeble. I think there's potentially an awful lot of emphasis being put on maintaining security and privacy of your smart devices by fingerprint scanners, but you might be wise not to rely on them, at least not to rely on them only to secure your devices. Maybe a good old PIN would be better.
CAROLE THERIAULT. It wasn't clear. Is the Nokia 9 supposed to be super secure? Do they say that it's a secure phone?
GRAHAM CLULEY. Well, I'm sure they don't say it's an insecure phone, but—
JOHN HAWES. Just having fingerprint scanning kind of implies that it's doing it for security purposes, not just for a laugh.
GRAHAM CLULEY. You would expect if they're asking for fingerprint authentication, it would actually authenticate the fingerprint or make some token gesture of it. Whereas if you're wearing a pair of marigolds and that will unlock it, you know, that's— Or a packet of Wrigley Spearmint gum will open it.
CAROLE THERIAULT. Have they come out and said, have they come out and said, oops, sorry, sorry, sorry, we're on this. It was a bug.
GRAHAM CLULEY. Well, we are recording this on Tuesday and it's been a long Easter weekend. Yes, we'll see. We will see whether they come out with another update. But interestingly, this update, supposedly one of the improvements was supposed to be to the fingerprint sensor because some users have actually said they had problems with earlier versions of the Nokia 9 as well. And maybe it's actually even got worse with this latest update. So if you have a Nokia 9, be very careful. Could it be—
JOHN HAWES. So you said he demonstrated by showing it working with his thumb. Could it be that he just left a fingerprint on the screen and the reader was scanning that fingerprint rather than whatever was on top of it?
CAROLE THERIAULT. Maybe.
JOHN HAWES. Maybe he had particularly greasy fingers.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. He'd eaten a big bag of crisps. Then slapped his thumb on it.
JOHN HAWES. Yeah.
CAROLE THERIAULT. The fingerprint is then moulded onto that place, and then anything he puts on just smooches that grease into the screen. I love it.
GRAHAM CLULEY. I love it. John, what's your story for us this week?
JOHN HAWES. So I wanted to talk a little bit about authentication as well. Not so much about the fingerprints and things, but more passwords. I know that's something that all security people tend to talk about pretty much all the time, but it's something that always seems to come up. So the last few weeks we've had a whole bunch of password snafus. Facebook was storing possibly hundreds of millions of passwords in plain text, I think, from Instagram users.
CAROLE THERIAULT. And you couldn't make it up.
JOHN HAWES. Kind of said, oh yes, we, oops, we forgot we were doing that. We'll delete them. And then like a week later said, oh, well, actually there's another few hundred million we forgot to mention as well. Yes.
GRAHAM CLULEY. Which rather like the Mueller report, they snuck out just before the Easter break, didn't they?
JOHN HAWES. So, so gross.
GRAHAM CLULEY. What was the Instagram revelation as well? I think a lot of the tech press maybe missed it.
JOHN HAWES. It's another Facebook story. I think it was last week, maybe the week before, where they were asking people for password to their email service, claiming it was required to verify their login or something. Yes. And then they went into 1.5 million people's email accounts and scraped all their contacts and fed them into the great Facebook mall.
GRAHAM CLULEY. Incredible, isn't it? Again, you know, I feel like we shouldn't even call it scraped. We just say they stole them. You know, they just took them without permission. They just grabbed people's address books and took them and who knows what they were planning to do with them. But if they hadn't been caught out by the press and maybe they'd have never fessed up to this.
JOHN HAWES. Shame.
GRAHAM CLULEY. Shame.
JOHN HAWES. I think in that case, they'd said they used to do it regularly and they had a little message saying, if you give us your password, we'll scrape your contacts. And then at some point they took off the message but kept on doing the scraping or something. Yeah, it was a horrible mess basically. Facebook has not been doing very well on the security front lately. Yeah, but you know, both those cases, those are both, both pretty bad things from both sides though. I mean, storing passwords in plain text, that's a bad thing to do from the provider side. But from the user side, you know, if someone says to you, can I have a password for your email account? And that person is not your email provider, you shouldn't be giving it to them. You shouldn't give anybody a password for something that is not their service.
GRAHAM CLULEY. Well, that's the thing. We're teaching people all the time, you know, to be very careful who they give their passwords to, make sure you give them to the right people. So if it doesn't matter that it's Facebook asking for your Yahoo password, you should be equally skeptical about that. And Facebook even doing that sort of normalizes the behavior, doesn't it?
JOHN HAWES. So then the other thing that came out, I think over the Easter weekend for some reason, the National Cyber Security Centre here in the UK released a most hacked password list.
GRAHAM CLULEY. Is this a list of the passwords that have been most hacked from them?
JOHN HAWES. No, this is, so this is, they've taken it, I think it's from the Have I Been Pwned database.
CAROLE THERIAULT. Oh, our friend Troy Hunt.
JOHN HAWES. Yes. This is a pretty standard story in security circles. I mean, dozens of organizations release lists like this every few months and they make very easy fodder for quick blog posts and articles and very, very easy to do. I'm sure all of us have written several dozen of these pieces and they've done it quite nicely. You know, they've kind of flicked through it and gone, oh, look, here are the most popular superhero passwords and the most popular football team passwords. Just to kind of really broaden their reach out into various different kinds of publications to pick up the story for them.
CAROLE THERIAULT. Okay, and what's the number one? Is it password?
JOHN HAWES. 123456, obviously.
CAROLE THERIAULT. Oh, that's the number one? 123456.
JOHN HAWES. 23 million people were using that one apparently. Well, they don't really say exactly how. I think they said they looked at the top 100,000 breaches or something. I can't remember anyway.
GRAHAM CLULEY. Well, I think they've released a list of the 100,000 most commonly used passwords, which you can download from their website.
JOHN HAWES. Yeah, so their push is basically to say, here, take this list, and if you're a website admin, make sure you're using this as a blacklist and don't let people use these passwords.
CAROLE THERIAULT. Cool. I like that idea.
JOHN HAWES. Well, yeah, it's all right as an idea, but I mean, really? And we were just saying password managers, you should have a unique password. If your password is something that has ever been used anywhere else, then you shouldn't be using it.
CAROLE THERIAULT. I know, but think about it from an admin's point of view, right? He's sitting there or she's sitting there managing potentially thousands of different accounts, right? And good way to just block stupid answers are that maybe requirements of length or complexity might be really popular. So you could just say, uh-uh, not that one.
GRAHAM CLULEY. And you can also link into the Pwned Password API, something Troy Hunt runs. So you could link your service in with that. So when a user creates a password, it will say, actually, this is a password that has been previously breached and this many times and encourages more random use of passwords. And of course, is encouraging password management as well. I find a certain irony here that the NCSC, who of course are part of GCHQ, an intelligence agency which hacks into people's accounts and acquires information from foreign governments, they are actually sharing with the world what appears to be a list of the most commonly used passwords. That in itself sort of makes an endorsement for this list, doesn't it? Because if you wanted to hack into accounts, maybe this list would be quite a good place to start if you wanted to work your way, you know, spraying passwords into a system. This is the GCHQ-approved list.
JOHN HAWES. They do acknowledge that at some point somewhere in one of their posts on this, they do say, oh, this is all public information anyway. We're not publishing anything that isn't already out there.
CAROLE THERIAULT. Exactly. And I mean, how else do you get people to kind of look out for it within their network?
GRAHAM CLULEY. And the bad guys have many, many millions more than this 100,000 list anyway.
JOHN HAWES. I mean, of course they do.
GRAHAM CLULEY. They've got access to vast amounts of data.
JOHN HAWES. Anyway, so basically, that's another one. Don't, don't use ridiculously simple passwords and don't allow people to use ridiculously simple passwords. But really, I mean, the solution to all of these is, is two-factor authentication. I mean, that's pretty much—
GRAHAM CLULEY. Not fingerprint scanners.
JOHN HAWES. Yes. Well, maybe not ideally fingerprint scanners.
GRAHAM CLULEY. Not on the Samsung or the Nokia.
JOHN HAWES. If you had, if you had reliable 2FA in place, none of these would be a problem anymore because, you know, you can really, you can just make your password public. Like, and as long as your two-factor authentication is secure, then you're fine. Using fingerprint readers, even face readers on phones these days are becoming pretty mainstream. So more and more people are kind of getting on board with what two-factor authentication is. They're understanding it better. And I think that is something that's really going to ramp up in the next 6 months or so because of PSD2, the European Union Payment Services Directive.
CAROLE THERIAULT. Okay.
JOHN HAWES. Do you know about that?
CAROLE THERIAULT. No.
JOHN HAWES. It's basically, it's a new set of rules for banks and things that is, it's actually already been implemented, but it has to be— the final deadline for adopting all of its rules is, I think, middle of September this year.
CAROLE THERIAULT. Okay.
JOHN HAWES. And one of those rules is that banks must use, I think they call it strong authentication, basically 2FA for transactions. So like when you go into a physical shop, you have your card, you have a chip in the card, that's something you have, and then you have the PIN as something you know. So it's kind of two factors, but they're also looking at putting an extra factor on there. And there was a big rash of stories around Christmas time that some of the UK banks had already started implementing this and there were people who were, you know, turning up in the shop and trying to use their card and being told, oh, we need a special code off your phone and their phone was dead and it was a nightmare and they couldn't buy their Christmas presents and their children were crying and—
GRAHAM CLULEY. Ah!
JOHN HAWES. Yeah. So, and basically that kind of stuff is going to be picking up quite a lot through this year because by the middle of September, all banks across Europe are going to have to implement some kind of better, stronger authentication for payments, especially mainly on the internet. But it looks like it's also going to be happening in person as well.
CAROLE THERIAULT. As long as they don't start asking for urine samples.
JOHN HAWES. Well, this is the thing. What are they going to do? I mean, exactly.
GRAHAM CLULEY. But if you have your child there screaming, maybe the child could also, you know, donate a little bit of, you know, pretty soon it's going to be a DNA swab.
JOHN HAWES. The one that I've been— so I wrote a few articles about this some last year or so, and I keep getting contacted by people saying, oh, nice article about this. Do you know anything about this type of 2FA, people trying to basically persuade me to write about their 2FA, but a lot of them are talking about contextual data. So that's getting the something you are component of a two-factor system just based on, you know, something you are being the sort of person that goes to the corner shop at 2 AM and buys 50 quids worth of booze.
GRAHAM CLULEY. I've nailed you, Carole. I've got you.
JOHN HAWES. Which, you know, from a usability point of view, it's pretty, it's pretty easy. You don't have to worry about it. It basically just means the bank is monitoring everything you do and building a profile of you so it can say, oh, he's not the sort of person that would buy a TV online at 4 AM and have it shipped to Nigeria.
CAROLE THERIAULT. Yeah, but it does suck when everything gets frozen when you find yourself on holiday in the Bahamas.
JOHN HAWES. Exactly. Yes. And it also means that the banks have to gather huge amounts of data on all of their customers at all times. Which is a bit of a minefield in itself.
GRAHAM CLULEY. Well, there's a lot of loyalty cards and things which have been doing that for years, haven't they?
JOHN HAWES. Exactly. Yes. Yes. Well, maybe that's the thing. Yes. Maybe the supermarkets will start using their loyalty card data to guess whether their customers are really the person they claim to be based on what they're buying.
GRAHAM CLULEY. John, you've covered a lot of topics here, a lot of different aspects here.
CAROLE THERIAULT. In depth.
JOHN HAWES. Yes, it was a little bit of a scattergun approach.
CAROLE THERIAULT. No, no, it's interesting.
GRAHAM CLULEY. No, it's very good. Very good.
CAROLE THERIAULT. Anyway, password managers, it seems.
JOHN HAWES. Yes.
CAROLE THERIAULT. Yet again.
JOHN HAWES. Password managers and authenticator apps.
CAROLE THERIAULT. Yeah.
JOHN HAWES. Right.
GRAHAM CLULEY. Good. And yeah, stop using dumb passwords.
JOHN HAWES. And don't eat crisps when you're using your phone.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. So my dad had years of drama because someone with his exact name, well, the same middle initial, his exact birthday, who lived in a neighboring town, somehow got his personal information misentered into some important database. And the misentry impacted like mobile phone usage purchases, traveling, credit scores, tax payments, health records, everything. Both guys suffered, right? And it was a total pain to sort out. The two guys ended up getting in touch, and both were contacting the various bodies to get, you know, the problem rectified.
GRAHAM CLULEY. So this, this really happened? It wasn't that your father didn't have a secret second family or something on the other side of town? Okay, so this— okay, all right, okay, interesting.
CAROLE THERIAULT. And even with both parties working, uh, to end the mix-up, it took years, right? So I can only imagine how annoying it would be if your identity was stolen and used for nefarious purposes without someone wanting to help you fix the whole snafu. I mean, how the heck do you regain your identity? And how do you seek retribution for the sheer pain and the assness of it all? I thought you'd like that one. Now, I have a story all about this, okay? And I want you to hear me out and put yourself in the protagonist's shoes because I want you to tell me what you would do if this were to happen to you. Okay?
JOHN HAWES. Yep, ready.
CAROLE THERIAULT. All right, so you're, you're about 17, 18, a young adult, right? And you're living in New York.
GRAHAM CLULEY. New York.
CAROLE THERIAULT. Uh, you probably, you probably have a really strong New York accent.
GRAHAM CLULEY. Hey, okay.
CAROLE THERIAULT. Oh yeah, East Shore, Max.
GRAHAM CLULEY. Hey, okay.
CAROLE THERIAULT. And, and maybe, uh, you're out one night, maybe you're having spaghetti and tomato sauce or something, and then you head home and, uh, you maybe listen to some ASMR podcast to lull you to sleep and you're snoozing away and suddenly bang, bang, bang, bang on the door, right? It's 4 AM. WTF is going on? You look outside, you see cops and they're there with an arrest warrant for you. Okay. And you are panicking. You asked to see the arrest warrant. And while all the information is correct, your name, address, the mugshot is not you. It doesn't remotely look like you.
GRAHAM CLULEY. That's not me. That's Mr. Terrio.
CAROLE THERIAULT. And even the cops see that it doesn't look like you.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Right?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Now, do you think the cops just back off with sincere apologies or—
GRAHAM CLULEY. Of course not. It could be a disguise. It could be a disguise, couldn't it?
CAROLE THERIAULT. No, you get hauled in. And that's what happened to Hussein Bah. This is the actual New York 18-year-old who was bolted awake by the sound of cops pounding at his door to arrest him, and they hauled him in anyways. Now, it turns out Bah was a person of interest in an Apple Store theft that happened in Manhattan, and sadly, Bah was no stranger to these accusations. Now, the following is with much thanks to insurancejournal.com because they laid it out really well.
JOHN HAWES. I'm a big fan, one of my favorite insurance websites, yes.
CAROLE THERIAULT. In doing this story, I was looking around and a lot of people were quoting the same sources, but—
GRAHAM CLULEY. I'm very impressed, Carole. I'm very impressed.
CAROLE THERIAULT. Now, Mr. Bah claims that about a year ago he lost his learner's driver's license, which had his name, address, date of birth, sex, height, and eye color.
JOHN HAWES. Yeah.
CAROLE THERIAULT. The document specifies on it that it cannot be used for identification purposes. Okay, so remember that. And also, it does not have a photo.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. Okay. So he lost this interim permit, didn't report it to the police. He knew he was going to get an actual permit shortly, didn't care.
GRAHAM CLULEY. Right. Yeah.
CAROLE THERIAULT. Later on, he receives a summons for $1,200 for an Apple Store theft at a Boston Back Bay store. Apparently, the theft included multiple Apple Pencils. Now, when I say pencils—
GRAHAM CLULEY. Is that what, like, when I steal the biros from Argos?
CAROLE THERIAULT. They retail at $99 each, so I hope not.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. Okay. They're like pencils you use on your Apple Mini or something.
JOHN HAWES. Stylus.
GRAHAM CLULEY. Oh, I'd say for drawing on the—
CAROLE THERIAULT. And they're quite small, so probably easier to steal, right?
GRAHAM CLULEY. And it's all very free and easy in the Apple Store. You kind of come in, you mess around with the hardware.
CAROLE THERIAULT. Yeah, shove a ton of pencils down your pants and then—
GRAHAM CLULEY. Exactly. Exactly. Yes. Yeah.
CAROLE THERIAULT. Now, the problem was Mr. Bah had never been to Boston until this court appearance, this court summons, which meant he'd come. Now, Apple has a security firm that it hires called Security Industry Specialists. Now, they help protect Apple stores from theft. And they sent a rep to these proceedings in Boston, and the rep said he witnessed a suspect steal Apple Pencils on a security video. Okay, so when Bah's attorney said, hey, let me see this video, the guy said, uh, sorry, it doesn't exist anymore. Huh, weird.
GRAHAM CLULEY. Okay, whether using VHS tapes or something, so I think Apple would have not a problem with storage, you know.
CAROLE THERIAULT. Okay, the whole thing basically ended well because Bah was able to prove that he'd not been in Boston on the day of the theft and goes back home to New York only to receive a handful of other notifications about other stores and other Apple thefts. One in New York City, one in Delaware, one in New Jersey. And then months later, at 4 AM in the morning, we have the New York City Police rapping on his door with an arrest warrant for robberies at the Manhattan store. And this is where the arrest warrant has the right information but the wrong mugshot.
GRAHAM CLULEY. I would be a little bit peeved by this point, I think. I'd be a little bit annoyed.
CAROLE THERIAULT. Okay, that's great. And John, are you feeling a little bit like this? Because this is a bit of a hassle, right? You've been, you know, going around the country trying to clear your name.
JOHN HAWES. It's more the 4 AM thing that I'd be annoyed.
GRAHAM CLULEY. I have checked out John's mugshot on the Smashing Security website, and he does bear an uncanny similarity with someone. I'm not quite sure who. But yeah, there is— Yes, so what happened next, Carole?
CAROLE THERIAULT. So mystery number one, whose pic is on the police warrant? Because it's not Mr. Bah's, and what's going on?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. After a bit of detective-ing, they realize it's probably a pic of the thief. And the thief used Bah's learner driver license, you know, during a purchase or one of his heists. So apparently Apple security technology identifies suspects of theft using facial recognition technology. The detectives suspect that the person who had committed the crimes presented Bah's interim permit as identification during one of his multiple offenses. They were— they assumed that that face was tied to that information. So it was Apple's facial recognition software that basically tied it all together.
JOHN HAWES. Um, why, why was he giving identification to do a crime?
CAROLE THERIAULT. So he may have gone in and done a crime as well, you know, I, I'm buying one Apple Pencil, right, and I've got 12 down my pants.
GRAHAM CLULEY. Yeah, it was a pic of the thief. Pick of the thief.
CAROLE THERIAULT. So, um, Bah's attorney was able to explain the situation to the DA and then get everything sorted out, right? So the whole thing went away because they were able actually to get their hands on the surveillance footage, the one that the Apple security firm said didn't exist.
JOHN HAWES. Oh, there was a backup, right?
CAROLE THERIAULT. Okay, so it's all a big complexy complexy thing, right? And a bit of a nightmare. Now, Bah has issued a lawsuit, right, suing Apple. He's had a bit of a bad time, hasn't he?
GRAHAM CLULEY. Yes, yes, right, right. Yes.
CAROLE THERIAULT. And the lawsuit's accusing Apple of using facial recognition technology in store. Okay, so Bloomberg writes that Bah claimed his name may have mistakenly been connected to the thief's face in Apple's facial recognition system, which he says the company uses in stores, you know, to track people suspected of theft.
JOHN HAWES. And presumably everyone else too, right?
CAROLE THERIAULT. Once Apple, though, had tied Bah's name to the wrong face, Bah had no way to correct the error.
JOHN HAWES. Lazy. Just lazy.
GRAHAM CLULEY. What a mess.
CAROLE THERIAULT. So, okay, so here we go. So here we go. So Mr. Bah has had about a year of crap as far as I worked out, thanks to losing his learner's permit.
GRAHAM CLULEY. Yes.
JOHN HAWES. Yes.
CAROLE THERIAULT. And I get that Apple should not have accepted learner's permit as, you know, as ID. That was a mistake. And Apple misidentified him, you know, as a thief. And he suffered court summons and all this stuff. Woke up at 4:00 AM, right? The worst thing ever, John.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And, you know, it's taken a year to clear his name. And, you know, it's, you know, he said it led to severe stress and hardship. So how much is Bah going to sue for? What would be an appropriate amount for that amount of BS?
JOHN HAWES. The whole of Apple.
GRAHAM CLULEY. Let me, let me just remind myself. He's based in America, isn't he?
CAROLE THERIAULT. Yeah, he's based in the States.
JOHN HAWES. New York.
GRAHAM CLULEY. And he's suing. I'm imagining it will be quite a large amount of money.
CAROLE THERIAULT. Yeah. Why don't you give me what you think it might be and what you think it should be?
GRAHAM CLULEY. I'm going to say—
CAROLE THERIAULT. Like, you think I was putting you in the position, right? This has happened to you. This has happened.
GRAHAM CLULEY. I think he might be suing for $10 million. Okay. And I think I think he should really probably be happy with— he'd be very happy with $100,000.
CAROLE THERIAULT. A new iPhone? Okay.
JOHN HAWES. I don't get up at 4 AM for less than $100 million.
GRAHAM CLULEY. You and Linda Evangelista.
JOHN HAWES. Yeah.
CAROLE THERIAULT. Okay, well, you're both wrong. Okay. He is suing for $1 billion.
GRAHAM CLULEY. A billion?
CAROLE THERIAULT. A billion. Okay, so I've worked it out because I'm good at maths, as we all know, right? As we know, and it works out to roughly $270,000 a day for his hardship.
GRAHAM CLULEY. How many Apple Pencils can he buy for $1 billion?
CAROLE THERIAULT. I mean, how is this remotely justifiable? I see. And I don't understand why the courts wouldn't just throw it out immediately, just like, you're having a laugh.
GRAHAM CLULEY. Well, it's just a negotiation, isn't it, Carole? It's just a haggle. That's what it is. They— you know, it bugs me.
JOHN HAWES. Does it?
CAROLE THERIAULT. Yeah.
JOHN HAWES. Does that really work though? If Apple's saying here's $10K and he's saying no, I want a billion and they go, okay, we'll go halfway between. Pretty sure they don't.
CAROLE THERIAULT. Look, it is, that's what they're going to argue for. They're going to argue for a percentage of the request. Well, if it's not going to be the billion, we need a percentage. Even 1% is pretty shit high. You know? Anyway, I just think it's insane. But an interesting idea on the idea of actually trying to sue based on facial recognition falsely tying you to another person and then confusing that information and making your life hell for a while as you try and clean that all up.
GRAHAM CLULEY. Well, an overreliance in a way of computers and technology, isn't it? Whereas a human could have said, well, hang on a moment, that's clearly—
CAROLE THERIAULT. Well, thank God we're all heading towards the dark ages rather than relying more and more on computers every year, Graham.
JOHN HAWES. Wait till we get the RoboCops.
GRAHAM CLULEY. I thought we'd get through without mentioning Brexit, but there you are. We've done it again.
CAROLE THERIAULT. Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance. Quote, most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts.
GRAHAM CLULEY. Unquote.
CAROLE THERIAULT. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page, and most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the thief. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. It should not be.
GRAHAM CLULEY. Now, my pick of the week this week is not security related. Instead, it harks back to a wonderful era of television known as the 1960s, and specifically the work of Gerry Anderson, who made such fantastic shows as Stingray and Captain Scarlet and the Mysterons. Now, you may think that those shows are just part of yesteryear. If it— for anyone who's listening, has never seen a Gerry Anderson show, the thing is, they were all done with marionettes. And so there was puppets. And the most famous show of all is one called Thunderbirds.
CAROLE THERIAULT. Aha, that's where I know.
GRAHAM CLULEY. Which was a tremendous TV program and still beloved by kids today. And international rescues, you know, there'll be some disaster or something will be falling down or people drowning and they'd come in and they'd come and save them with their fantastic gadgets. A couple of years ago, a guy called Stephen Larivière, who was obviously a bit of a fan of Thunderbirds, he raised over £200,000 in a Kickstarter campaign to remake some classic Thunderbirds episodes. Because back in the 1960s, they made 3 episodes just for vinyl records, just for LPs. So just audio. And he said, why don't we take those recordings and film those episodes. We've got the original voices, Brains and Lady Penelope and Scott Tracy and so forth, and remake them using superb marionation techniques. And they did it.
JOHN HAWES. But with that, does he have the original puppets too?
GRAHAM CLULEY. He has some of the original puppets. And this was all done in coordination with the Gerry Anderson estate and his son, Jamie Anderson, as well. And it looks tremendous. Wonderful. 5, 4, 3, 2, 1.
CAROLE THERIAULT. Thunderbirds are go! Graham, can I say something? I think this is your best pick of the week ever.
GRAHAM CLULEY. Really?
CAROLE THERIAULT. Yep. Very, very cool.
GRAHAM CLULEY. Oh, wow. Cool. This is quite something. Well, I've put a couple of links in the show notes where you can check out some trailers and a short documentary, a half-hour documentary, all about the making. It is wonderful. And I think it's awesome. And that is why Thunderbirds 50th Anniversary, Thunderbirds 1965, is my pick of the week.
JOHN HAWES. Brilliant. Are they going to do any Captain Scarlet?
GRAHAM CLULEY. They haven't done any Captain Scarlet. Captain Scarlet actually was my favorite more than Thunderbirds. So I have to say there was something very dark and mysterious about Captain Scarlet and the Mysterons. What they did do is they made their own short clip. There is a TV show called Endeavour, which is about the early days of Inspector Morse. Inspector Morse is a young man in the '60s, and I believe there was an episode set on a studio where they were making one of these puppet shows. And they actually remade a classic— they made up their own classic Supermarionation episode to appear in this episode of Endeavour. Again, you can see some clips of that over on the Century 21 Films website.
JOHN HAWES. They dropped some murder clues into that?
GRAHAM CLULEY. Well, I don't know. I haven't seen it, John, but it's quite possibly— who knows? Maybe someone was strung up by the strings or something. Anyway, lovely, lovely, lovely. And I think it'd be a hard one to beat. So John, what's your pick of the week?
JOHN HAWES. Some time ago, I think it was probably the first time I was on the show, my pick of the week was a game called Clash of Clans.
GRAHAM CLULEY. Yes. Yeah.
JOHN HAWES. I still play a little bit, but there's a kind of sister game from the same company. It's called Clash Royale. It's quite a different kind of game, although it kind of has some of the same characters in it. And it's a very simple kind of tower defense thing. You're paired up with a random person and you have to attack their towers and try and stop them attacking your towers. You have a range of characters you can choose from and you pick your card deck and you have to hope that yours matches up against theirs so you can fight them evenly and stuff like that. It's very simple and very fun. It takes about 3 minutes to play a game. But my favorite thing about it, it has this little in-game kind of chat system or heckling or something. And there's just little buttons along the bottom of the screen and you don't really, there's not really a lot of choices. You can basically say, I think, good luck, well played, good game. Thanks, wow, oops. And then there's a few little kind of emoticons, things like thumbs up, angry, club, crying, laughing. They've added a bunch more of the little pictures recently, but they're a bit gimmicky. I try and stick with the old school ones. But it's amazing how in-depth the conversation you can have with whatever random child in China you happen to be playing against. With just this little tiny selection of words and images, you can have a proper little chat going on. It's really quite fun. And I find anybody that basically, there's a lot of people that just use angry face all the time. Don't like them. They're clearly douches. And there's also the laughing face. Very, very few occasions where you can use that appropriately. So it's actually a very, very small set of things that you can legitimately use to have a polite conversation with. And you can get a real sense of the sort of person you're talking to.
GRAHAM CLULEY. If you were a criminal or a drug dealer or something like that, John, do you think you could use this communication system to communicate your secret messages? Is this a replacement for something like Signal? Would the intelligence services be able to intercept what you're communicating with your angry face and your thumbs up? Someone in China?
JOHN HAWES. I don't know. You might have to kind of prearrange a few particular signals. I don't know if you could say, you know, we're hitting the Barclays Bank at 9 AM tomorrow morning. That would be difficult.
CAROLE THERIAULT. The specifics would be hard.
JOHN HAWES. Yeah, it's more of a feeling kind of thing. You just get a sense of personality. Yeah, Graham.
GRAHAM CLULEY. Right.
JOHN HAWES. Well, sorry. But there's also, I mean, it does have a, there's like a, you can have a team, your clan, and you can, there's an actual chat thing that you can have with them. I don't do that bit.
GRAHAM CLULEY. No. Sounds like more fun what you're doing, I think, to be honest. So that's Clash Royale, comes strongly recommended from you. Thumbs up, right?
JOHN HAWES. Thumbs up.
GRAHAM CLULEY. Wow.
JOHN HAWES. Thanks. Good game.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, all three of us are based in Oxford. And two of us on this podcast today are taking part in an upcoming Oxfordshire art festival.
GRAHAM CLULEY. Oh, really?
CAROLE THERIAULT. So I'm giving that a shout out. Yeah. And it's not you, Graham.
GRAHAM CLULEY. No, it's not.
CAROLE THERIAULT. So Oxfordshire Art Week starts in May next month, and it's where artists or designers exhibit their work across Oxfordshire. So there's 500 locations across the county, and there's like group exhibitions and individual artists. Some of them are in their own home, right? And like 100,000 people come and this every year, and it's free, and you can see what all kinds of different artists are up to. And this year, both John Hawes and I, along with a few others, have clubbed together and are presenting our stuff at a venue.
JOHN HAWES. Oh my goodness, it's very exciting.
CAROLE THERIAULT. I know. And John is doing—
GRAHAM CLULEY. It's not nude modeling, is he?
CAROLE THERIAULT. He is. He's doing nude modeling.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Let me send you a link, Graham.
GRAHAM CLULEY. No, no, no, no, please don't. No, no, please.
CAROLE THERIAULT. Yeah, I'm sending you a link right now. Don't worry, don't worry.
GRAHAM CLULEY. Okay, let's check this out.
JOHN HAWES. Okay.
CAROLE THERIAULT. Okay, here's John's nude modeling career.
GRAHAM CLULEY. I'm not sure I should want to— Oh!
CAROLE THERIAULT. Oh! It's not John.
JOHN HAWES. It's not me that's nude.
GRAHAM CLULEY. But it is a nude model.
JOHN HAWES. It's the models that are nude.
CAROLE THERIAULT. Yeah, so John makes models, small models. They're amazing.
JOHN HAWES. I prefer the term sculptures.
CAROLE THERIAULT. Sculptress. I'm sorry. You see, I'm doing cartoons. So of course, I, you know, lower the tone on this whole artist thing. And we also have an artist called Calista, and she's doing these amazing ink sketches on self-help wisdom. So kind of distilling all that. And we've got another guy called Ollie who does like some rude lighting with like lampshades made out of cuttings from like harlequin romances, and I think he's using Fifty Shades of Grey. Oh fuck, I think I just got the joke because he's making lampshades shades of grey.
GRAHAM CLULEY. Oh yeah, there it is.
JOHN HAWES. Yeah, see what he's done there?
CAROLE THERIAULT. That's funny. Do you think that's what he was doing? If you like the idea of nosing at people's art, you might meet Graham because Graham's certainly going to come and visit during Art Week.
GRAHAM CLULEY. I'm not going to miss this now. No, I'm coming to this.
CAROLE THERIAULT. So you can go to artweeks.org as the website, so A-R-T-W-E-E-K-S. Smashingsecurity.org.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And you can come visit us. We are listed on the map, entry 127 to 129 in East Oxford.
GRAHAM CLULEY. Oh, crikey.
CAROLE THERIAULT. And love to meet some smashers face to face.
GRAHAM CLULEY. Wow. Well, Carole, this has really upped the artistic stakes for this episode. And John, I'm looking forward to checking out your little naked sculpture as well. What a delight that'll be to see you in the clay.
CAROLE THERIAULT. He's the real artist.
JOHN HAWES. He is.
GRAHAM CLULEY. Yeah. Well, that just about wraps it up for this week. Um, thank you very much, John, for joining us this week.
JOHN HAWES. Thanks for having me.
GRAHAM CLULEY. Folks at home, you can follow us on Twitter at Smashinsecurity, no G. Twitter allows us to have a G, and you can join the discussion on Reddit. We've got an active community up there. Quickest way to find us is at smashingsecurity.com/reddit.
CAROLE THERIAULT. And shout out to this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. And huge thanks to you guys. We'd be lonely souls without you. Thank you for listening and helping us grow.
GRAHAM CLULEY. And check out smashingsecurity.com for past episodes and to follow us there. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Later.
JOHN HAWES. Bye-bye.
GRAHAM CLULEY. So, art weeks.
CAROLE THERIAULT. Art weeks.
JOHN HAWES. Mm-hmm.
GRAHAM CLULEY. In this world, of unwanted commodity. Crow takes the ordinary to fabricate the desirable. What does that mean?
CAROLE THERIAULT. Keep reading.
GRAHAM CLULEY. Just kidding. Beautiful, useful stuff. Also small naked people.
CAROLE THERIAULT. And you're snoozing away and suddenly bang, bang, bang, bang on the door, right? It's 4 AM.
GRAHAM CLULEY. Oh, the dog's barking.
CAROLE THERIAULT. Do you want to go take care of that?
JOHN HAWES. Yes.
GRAHAM CLULEY. Hang on.
-- TRANSCRIPT ENDS --