This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
And as the auditor asked, who actually has access to this room? And I said, well, it's only me and the external IT support people and the guys who use it for storing video equipment, and the boss and the other director. And the man who fixes the photocopier. There was a bit of that, and the air conditioning guys. And because we work on a farm, I think that the farmer likes to store some of the winter feed in there. Cattle feed. Smashing Security, Episode 135. Zombie Grannies and Unintended Leaks with Carole Theriault and Graham Cluley.
Graham Cluley
Hello. Hello and welcome to Smashing Security, episode 135. My name is Graham Cluley.
Carole Theriault
I've been waiting for this episode. I'm Carole Theriault.
Graham Cluley
Why have you been waiting for this episode?
Carole Theriault
I like the 135. I don't know, it sounds really like we're over 100. We're over 125. We're serious now, professional. We've made it.
Graham Cluley
Well, we know that we've made it because we've got a special guest, someone who's been a long term listener, but a first time caller to the show. It's Oli Skertchly. Hello, Oli.
Oli Skertchly
Hello, Graham. Hello, Carole.
Carole Theriault
So Oli is a friend of mine. We've been friends, I don't know, a year or so. And when we hang out, we actually talk about things like GDPR. And we really do. We talk about stupid devices and gizmos and stuff. So we thought he'd be an excellent voice of reason in a world gone mad on all things cyber.
Oli Skertchly
Thank you very much, Carole. Oh, I do happen also to have a career in IT as well.
Carole Theriault
Oh yeah, yeah, there's that too.
Graham Cluley
Oh, yadda yadda yadda.
Carole Theriault
Show off.
Graham Cluley
Everyone works in IT, Oli. Stop thinking you're so big and amazing because you do that. Jeez. Carole, what's coming up on the show this week?
Carole Theriault
Well, big thumbs up to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. On today's show, Graham contemplates old age and zombies and malware. Oli questions the smartness of some everyday IoT devices. And I'm gonna see if I can convince Mr. Cluley, Oli, and some of you listeners out there to change your social ways for a few days. All this and truckloads more coming up on this episode of Smashing Security.
Graham Cluley
Now, chaps, chaps, old people—
Carole Theriault
Like you.
Graham Cluley
Look, get used to it. Old people are pretty scary, aren't they? Don't you find them scary?
Oli Skertchly
You are scary.
Graham Cluley
Well, I think old people are scary. The truth is, of course, that age is creeping up on all of us. It's lurking in the background, hidden in the corner of your eye. Every day, drip, drip, drip, you're getting closer.
Carole Theriault
Nah, nah, nah, nah. I'm never getting old.
Graham Cluley
What? Aren't you? Nah. Well, I believe it's hiding out there where you never want to look. It's the ultimate horror story. Each and every one of us is metamorphosing into a cardigan-wearing version of ourselves.
Carole Theriault
Big word, Graham.
Graham Cluley
Wearing Crocs.
Oli Skertchly
You should see the picture in Carole's attic.
Graham Cluley
Now I've been thinking about this recently because I had, I don't think I mentioned it on the show, I had a big birthday and—
Carole Theriault
Was it 60? Big 60?
Graham Cluley
I'm not going into details, but I've realised I have less years ahead of me than I do behind me. And the evidence is all there, right? I've got a landline in my house, which only old people have. I like nothing more than to take a bit of a nap. I don't think that's really—
Oli Skertchly
The main—
Graham Cluley
No, but mid-show, mid-show even, Oli. You know, junk email segment. I'm off.
Oli Skertchly
So I can tell.
Carole Theriault
Oh, it's true. You better not today.
Graham Cluley
Now, thank goodness I don't have a Facebook account because if I did, that would really confirm that I was officially old. But I don't know if you've noticed, but there are an awful lot more old people out there than there used to be, which has led me to the conclusion that they're not dying off anymore. Right? In fact, maybe they are the living dead.
Oli Skertchly
Oh God.
Carole Theriault
Okay, I'm really trying to see where you're going with this.
Graham Cluley
Well, I'm not the only person who finds old people scary, it seems, because many folks have played a—
Carole Theriault
What are you scared of, a wrinkle?
Graham Cluley
Well—
Carole Theriault
Gray hair?
Graham Cluley
What is it?
Carole Theriault
A slow walk?
Graham Cluley
They could choke me with a Werther's Original.
Carole Theriault
A Werther's Original.
Graham Cluley
Many folks have played a spooky 3D video game called Granny. Oh, okay. Now, you wake up in Granny.
Carole Theriault
In Granny.
Graham Cluley
Oh, we've all done that. Well, no, no, you wake up in the Granny game in a bed you don't remember, in a room you don't recognise.
Carole Theriault
Okay.
Graham Cluley
Sound familiar?
Carole Theriault
Yes, very. Reminds me of my 20s.
Graham Cluley
And in this game, a crazy old granny carrying a bloodied baseball bat has locked you up in an old decrepit house. Okay, pretty spooky stuff. This is a 3D game which you can get for your computers and for your mobile device as well. Fun, fun, fun, eh?
Carole Theriault
Sounds fun so far.
Graham Cluley
Now this is a legitimate game, but the security experts at Wandera, mobile security company, they've discovered that someone has published an app in the official Google Play Android store called Scary Granny Zombie Mod: The Horror Game 2019. And this appears to be a modification or some sort of tinkering with the official Granny app.
Carole Theriault
So this isn't the legit app. This is a—
Graham Cluley
I think you can fairly safely say it is not the legitimate version of Granny. It's been downloaded 50,000 times.
Carole Theriault
This illegitimate one.
Graham Cluley
That's right.
Carole Theriault
Right.
Graham Cluley
And of course the app is malicious, otherwise I wouldn't be talking about it. That's the twist in the tale. It's a completely legitimate app. Oli, what's your story for us this week?
Oli Skertchly
A twist to normality.
Graham Cluley
I like to keep people on their toes.
Carole Theriault
Great show. Great show.
Graham Cluley
No, no, no, no, no. It's a malicious app. It's a malicious app. But I thought it'd be interesting to describe how it is malicious. Maybe that would be helpful to people as well. So it does perform some dirty tricks upon installation.
Carole Theriault
So this is I'm looking for zombie granny game on my phone and I see this. And rather than downloading the legit one, I get duped into downloading this bad one.
Graham Cluley
Right.
Carole Theriault
Right. Okay. So this is what happens when the bad one's on your phone. Okay, go.
Graham Cluley
And so on installation, the game asks you to pay for the game or to do the free trial.
Carole Theriault
Right.
Graham Cluley
Now, most people on the first run are probably not gonna pay for the game, are they? They're gonna choose the free trial.
Carole Theriault
99.9% probably. Right.
Graham Cluley
And that's the point where the game actually takes you to a payment page for about $22, which is pretty fucking expensive.
Carole Theriault
So when you select free, it opens up PayPal?
Graham Cluley
Free trial, yes.
Carole Theriault
Okay.
Graham Cluley
Just in the hope that you're going to click through. Okay.
Carole Theriault
So that's a pretty big indicator that this is not all well.
Graham Cluley
That's one of the indicators.
Oli Skertchly
£18 for a mobile game. Is that standard these days?
Graham Cluley
It's called reassuringly expensive.
Carole Theriault
Bit like Apple products.
Graham Cluley
There's so many games where you choose download for 99 cents and turn out to be rubbish. But this one is $22 or something like that.
Oli Skertchly
What could possibly go wrong? You know, exactly.
Graham Cluley
Exactly. It's going to be fun. Now, when you run the free option of $22. When you run the app, it isn't instantly obvious that it's malicious.
Carole Theriault
Okay.
Graham Cluley
Because it bides its time rather like an old person can take rather a long time in the shopping queue as they get their checkbook out.
Carole Theriault
Or getting to their point.
Graham Cluley
Exactly. Just like, get on with it, right? Just like they can do that. Similarly, the app takes quite a long time as well because at first it runs perfectly normally, right? It just runs, but it starts doing naughty things after a couple of days.
Carole Theriault
Now, that means, of course, by the time most people would be bored because they haven't done anything.
Graham Cluley
Well, no, no, no, no, no, no, no, no, no. It doesn't pause. It doesn't just say loading for two days or something like that. It doesn't have a pause screen.
Oli Skertchly
Does it run the legit game?
Graham Cluley
It is running a version of the game, yes.
Carole Theriault
Okay.
Graham Cluley
And according to the researchers, it's actually a whole load of fun. So for the first two days, you are having a blast.
Carole Theriault
Right? This is 18 quid well spent.
Graham Cluley
So you see, you're having a great old time. But it keeps its malicious activity couple of days. Now that means, of course, any security researcher who's taken a look at it probably isn't going to notice anything too suspicious. And indeed, Google's own vetting system, which allowed it into the App Store, may not notice about the other dodgy stuff it does.
Carole Theriault
You know what? The researcher was probably blinking when the PayPal page came up. Maybe, right?
Graham Cluley
I'm not sure if you're able to skip that. I imagine you're able to skip that. It's just like they're just taking a chance that maybe some people will choose to pay for it.
Oli Skertchly
Is this an excuse for security researchers now to be playing every mobile game for at least two days before they issue their report?
Graham Cluley
In my experience, that is largely what they do anyway, is you go into a lab and they're just all sort of playing some sort of MMORPG or—
Oli Skertchly
It's called research.
Graham Cluley
Exactly.
Carole Theriault
That's completely untrue, folks.
Graham Cluley
Now, not only does it wait a couple of days, but if you happen to be that very small number of people who are running the latest version of Android, good luck with that because most people find it very difficult to get their hands on the latest version of Android on their outdated devices, then it doesn't do any dodgy behavior at all. So again, if the researchers are using the latest version of Android, or if the testers have got an image of Android, which is completely up to date, then it's not going to display anything dodgy. But if what most people are running, which is older versions of Android, then they might see something suspicious.
Oli Skertchly
Oh, that's very clever.
Carole Theriault
So basically it was downloaded 50,000 times, but that does not necessarily mean that 50,000 people were infected.
Graham Cluley
Well, they might have been infected, but it may not be showing any actual consequences of the infection.
Carole Theriault
So no payload, you're infected, but okay. So let's get onto the payload.
Graham Cluley
Let's get onto some of the things which it does. So it's biding its time, as we say, but what does it actually do when it does trigger? Well, it displays a fake notification, sometimes inside the game and other times when you're just simply using your mobile phone, telling you to update Google security services. So it says, okay, you need to update Google Play and the services in order to carry on using your device. You say, oh yes, that's fine, click update because you've been taught security updates are important. And that takes you to a fake login page, a Google login page, which is going to ask you to reconfirm your username and password, of course.
Carole Theriault
Yep. And that would feel probably pretty legit to most people.
Graham Cluley
It would. Yeah, right. Because you're going to install a security update, you know, why wouldn't you be asked this? Now I've included in our notes there, which you can check out, a screenshot of that login page.
Carole Theriault
There's a quick giveaway there.
Graham Cluley
I wonder if you noticed the— it's highly convincing apart from one tiny little detail. Do you notice what that is?
Carole Theriault
Yeah, quite. Quite early on in looking at the picture, I spotted it.
Oli Skertchly
Is it a new form of authentication?
Graham Cluley
Yeah. La la la la la la. Exactly. Rather than asking you to sign in, it asks you to sing in. So there's some voice biometrics here where you have to go, you know, sing your favorite song. Bird, bird, bird.
Oli Skertchly
Bird is a word.
Carole Theriault
I think we're onto something. Songs as voice biometrics. TM Graham Cluley.
Oli Skertchly
Power ballads.
Graham Cluley
Yeah. Oh God. I'm all about power ballads. Oh my goodness. That would be— Alone. Cher, Bonnie Tyler.
Oli Skertchly
Jennifer Rush for me, please.
Graham Cluley
Thankfully, Carole, we're not going to get into any copyright trouble with the way you just sang that. I think. So yes, it says singing rather than typing. Now, obviously the bad guys could fix that fairly easily, that little typo.
Carole Theriault
Right.
Graham Cluley
Some people might spot it and not enter that. But once it's grabbed your password, it will use that to steal your recovery emails, your birthday, your verification codes, cookies, and tokens, which could give hackers access to third-party apps and all kinds of other stuff as well.
Carole Theriault
That typo makes me doubt whether all the hoovering up of personal details would actually work seamlessly.
Graham Cluley
Well, that's in this version, and now we've publicized this in the podcast, of course, the bad guys are probably going to fix that typo, aren't they?
Oli Skertchly
I do hope so, because it's just so embarrassing.
Graham Cluley
It is pretty shocking.
Oli Skertchly
I feel sorry for them.
Graham Cluley
So they're grabbing passwords and they're also, of course, popping up all kinds of other ads while you're using your phone. But perhaps the sneakiest trick of all is the one which we alluded to earlier on, which is that the game actually works. And apparently it plays quite well. It's quite fun, according to Wandera, to run around the decrepit old house trying to find weapons to batter zombie grannies with.
Oli Skertchly
You're trying to imply, Graham, that it's almost worth it.
Carole Theriault
Yeah, I know, it's a really weird angle.
Oli Skertchly
I mean, you sacrifice a bit of your money and passwords and things.
Carole Theriault
What's wrong with you? Is this you being old? You just want all the kids to download malware? 'Cause you're threatened?
Graham Cluley
No, I'm just saying it's a sneaky trick that the thing actually darn well works.
Carole Theriault
So they obviously stole the code, right? The game code.
Graham Cluley
That's my guess, is that they stole the code and they adapted it and they added a few bits of nasty stuff. Now, Wandera have offered some tips on how to spot suspicious apps, which I thought might be worth reiterating for folks at home. One is look out for bad reviews and inconsistencies and poor user experience. You have to be careful though, because some of these malicious developers are devious and they submit false reviews to make an app look more popular than it really is. Another clue which can tip you off that something might be up to no good is overzealous advertising. By that, I don't just mean that it has an ad in the corner of the screen or something, but that they're popping up all the time. Indeed, with some of these apps, including this one, the ads will be appearing even when you're not running the app. Even when you restart your phone, you start to get ads popping up, maybe while you're using Facebook or other things as well, which actually only begin after installing the Zombie Granny app.
Carole Theriault
But probably not right away, maybe two or three days later.
Graham Cluley
And look out for app permissions which are excessive, right? We've talked about this before.
Carole Theriault
You mean the T&Cs, that kind of thing?
Graham Cluley
Well, when you actually install an app on Android, it will give you a long list of all the permissions which it's asking for and things which it's asking to do. And as we've said on previous occasions, always be suspicious of those. If it seems to be asking for too much, it's why does it need to know this? Why does it need to have this particular privilege?
Oli Skertchly
Access to my camera and my contacts and all my other apps, that kind of thing.
Carole Theriault
And it's really cool that they make that really obvious now upon installation, right? Because then you can look and go, whoa, why do you want access to all this stuff?
Graham Cluley
Right. If you've got a relatively up-to-date version of Android, then it will give you warnings about that. And even if they're not up to something deliberately malicious with the app, if for instance they're accessing your address book and maybe uploading it to a server, maybe for some sort of social sharing facility. That's something I would also suggest being cautious of because you don't know how secure those servers are and what else they might be planning to do with that data. So you need to treat those sort of things with great care.
Oli Skertchly
Well, of course we won't have read the T&Cs or the privacy policy.
Graham Cluley
Oh, good God, no.
Carole Theriault
Yeah. It seems I'm the only person in the world that does that.
Graham Cluley
And also social engineering. So if it's using manipulative practices, taking you to the pay page after you've requested a free trial, then that should be something which begins to ring alarm bells in your head as to how this thing's been designed and whether it's truly professional or not. Now, the good news is the Zombie Granny has been eradicated now from the Google Play Store, but who knows what still lurks there? My suspicion is there are many, many— Old people. Yeah, many, many old people who frankly need to be—
Carole Theriault
Scare the shit out of you, it seems. Don't look in a mirror, man. Get some— you want to hide all that. Don't look in the pond. Might fall in.
Graham Cluley
Well, thank you. Oli, what story have you got for us this week?
Oli Skertchly
Just imagine it's night. It could possibly be the daytime. I haven't quite decided. It's an optional thing. It's a choose your own adventure. You're close to home. You're running. Unlikely.
Carole Theriault
Graham running?
Oli Skertchly
You're scared.
Carole Theriault
I'm picturing it right now.
Oli Skertchly
Well, let's just say you're being chased. So you're moving. Well, let's say you're being chased by some zombie granny with a baseball bat.
Graham Cluley
Right. Yes.
Oli Skertchly
So you're probably moving about the same shuffling speed. Carole, you're Canadian, you're being chased by a bear.
Carole Theriault
Right, right.
Oli Skertchly
That kind of thing. Anyway, you finally reach your front door.
Graham Cluley
Yes.
Oli Skertchly
Your front door is locked.
Carole Theriault
Oh!
Oli Skertchly
Absolute terror. You've got to get your key out of your pocket or your bag. You're fumbling around. You're pulling out your keys, your key ring. Your key ring's got 12 keys on it. It's got the key to your desk.
Carole Theriault
You're emptying the whole bag upside down onto the sidewalk.
Oli Skertchly
Exactly. Oh my God. There's gonks on it. There's trolls. There's all— oh my God. There's the key to the bike lock that you haven't— you've lost 3 years ago. Eventually you manage to find your door key. You're scrabbling around near the lock 'cause you can't quite get it in.
Carole Theriault
You're dead is what you're saying.
Oli Skertchly
Well, just before that terrible moment, you think to yourself, if only there was a simpler way to actually get in my own home so I could be safe, so I could not be beaten to death or hacked to pieces or—
Graham Cluley
It is a genuine concern. This is something which worries many people. Yeah. Is how they're going to escape zombies. I love the zombie theme we're having today. Yeah, and get into the house safely.
Oli Skertchly
Quite exactly. You know, I know where you live, Graham. So, you know, this kind of thing is probably a nightmare for you and your family.
Graham Cluley
I think you're at the dodgier end of town than me, so I think it's more likely you're going to encounter them.
Carole Theriault
Okay.
Oli Skertchly
All right, Graham, let's just say you're almost home, but you're absolutely busting for a wee, and the last thing you want to do is fumbling around in your pocket. And really what you want to have is—
Carole Theriault
What would the neighbours think if you whipped it outside in the front garden?
Graham Cluley
I don't want to use the letterbox.
Oli Skertchly
I've done that before. So you want to be able to get into your house quickly and also preferably have some kind of pair of self-removing trousers or something like that. They don't exist just yet, but what does exist is the smart lock. Possibly today's most convenient and wonderful internet of thing.
Graham Cluley
Hmm, really?
Carole Theriault
Okay, tell us about it.
Oli Skertchly
Well, can I just say, better than a fridge.
Carole Theriault
So, okay, but how would it work? How does that make my life easier at the door?
Oli Skertchly
Well, with today's modern smart lock, you approach your door and you either type in a quick PIN. Yeah. Or you press your finger against it so it can read your fingerprint, or even it can sense your approach by connecting through Bluetooth to your phone. So the door literally flies open as you're—
Graham Cluley
Do people really do that?
Oli Skertchly
So I'm led to believe.
Graham Cluley
So basically don't lose your phone. Right.
Oli Skertchly
Okay.
Carole Theriault
My mum's car, not a smart car or anything, but you know, she can have the key fob in her pocket and she doesn't have to ever take it out. Right?
Oli Skertchly
Exactly. I'm sure we will get to this later.
Carole Theriault
Okay. Okay. Okay.
Oli Skertchly
But let's just say one lock you could buy is the U-tec Ultraloq UL3.
Carole Theriault
Sounds impressive. That sounds serious.
Oli Skertchly
Oh my God. It's a very impressive thing. If you go to its Amazon page, you will discover it was developed as part of an Indiegogo startup.
Carole Theriault
Oh right, like a crowdfunder.
Oli Skertchly
Crowdfunder. That's the kind of thing. And there's a little section, it says, about the startup. It says, give 3 words to describe the startup. It says, real keyless smart lock. You think that's— I think that's 4 words.
Graham Cluley
That's 4 words, yes.
Oli Skertchly
So, you know, they're off to a good start, but instead of, let's say, making smart and lock one word, no, they've made real and keyless one word.
Graham Cluley
What? What? So—
Oli Skertchly
It's realkeyless.
Carole Theriault
Realkeyless.
Oli Skertchly
Realkeyless.
Graham Cluley
Ridiculous. Ridiculous, yes. Okay, so we've got this crowdfunded smart lock. All right, so it's the answer to all of your dreams. Fantastic.
Oli Skertchly
Now, I've picked out this particular lock because it's recently had a thorough going over by Pentest Partners, who are a UK-based penetration testing company, and the lock has been found to have quite a severe set of vulnerabilities. No! I know, can you believe it? There are 4 main flaws.
Carole Theriault
Okay.
Oli Skertchly
Firstly, the actual physical lock is easy to pick using a thin piece of metal that you can slide into the paperclip, the bits of casing, that kind of thing.
Graham Cluley
Like a key?
Carole Theriault
Funny, Graham.
Graham Cluley
Funny.
Carole Theriault
You still got it. You might be older, but you still got it.
Graham Cluley
Okay. So it's easy to pick, right? Okay. That's something.
Oli Skertchly
You can apparently also trivially unlock it over Bluetooth. Obviously trivially in a, if you're familiar with Bluetooth low emission encryption sense of the word trivial.
Graham Cluley
Mm-hmm.
Oli Skertchly
Using the API that the mobile app uses, basically from anywhere on the internet, you can reset the lock PIN, locking the user out or allowing you to unlock their door.
Graham Cluley
Oh, so someone could potentially lock anybody else's door and lock them out using the API.
Carole Theriault
Yeah, because you could change their PIN and then they can't get in if it requires a PIN to enter.
Oli Skertchly
But also, using the mobile app API, which as it turned out had no server-side authentication at all, you can recover personal information data from any user's account, often enough to actually locate the building where the lock is.
Carole Theriault
You know, oh, for fuck's sake. I'm just so sick of devices that don't have baked-in security. This is just abysmal.
Graham Cluley
In fact, it's Reliculous. Reliculous. That's what it is. Reliculous. Was that in The Princess Bride? No, it was inconceivable.
Oli Skertchly
Okay.
Graham Cluley
Reliculous. Yeah. Okay.
Oli Skertchly
Now, the good people of PTP let the lockmakers know about the API vulnerability.
Carole Theriault
Right.
Oli Skertchly
And the Bluetooth vulnerability. And to their credit, the lockmakers have now fixed— Oh, that's good. Well, they fixed the API vulnerability, but not the Bluetooth one. But also, they're not the only lock to have come up short on quality or expectations recently.
Carole Theriault
And so you're just saying, yeah, take a piss in the garden, Graham, is what you're saying.
Graham Cluley
I don't think— I don't know if that was the focus of what Oli's talking about, Carole, is my urinary habits.
Carole Theriault
No, but he set the story up very well, suggesting that you may have a toilet requirement, an urgent toilet requirement.
Oli Skertchly
Why?
Graham Cluley
Why would it be me?
Oli Skertchly
I am talking about myself just as much as Graham, just to defend him here.
Graham Cluley
Thank you.
Oli Skertchly
You know, it's, you know, we're all men of a certain age. Well, not all of us.
Carole Theriault
I'm certainly not.
Oli Skertchly
Everything starts to get a bit, you know, looser as we grow old.
Carole Theriault
But you're saying do not get one of these locks to help you get into the house faster.
Oli Skertchly
No, what I'm saying is you have to ask yourself when you're thinking about a smart lock, what is the problem that I'm actually trying to solve? Because simply getting over the horrible inconvenience of using a key doesn't really apply to most people.
Graham Cluley
Well, here you go being negative about smart locks, but I think there are some good reasons to have smart locks actually.
Carole Theriault
Name one.
Graham Cluley
I'll tell you one. If you are in an office scenario, I don't know if you've ever set up smart locks inside your office, Oli, as soon as you're sort of in charge of security and things like that. But the problem is that you give keys to everybody, right? Everyone's got a key so they can get in and out. What happens when someone leaves the organization? They've still got the key. Do you have to go round and change all the locks physically, or can you use a smart lock and just reset the PIN to something else? Wouldn't that be handy?
Oli Skertchly
That is an absolutely superb point. And may I say, I have bought myself a smart lock recently for work.
Graham Cluley
Is this because you've got a weak bladder or some other reason?
Oli Skertchly
It's for my— it's for the server room where—
Graham Cluley
That's not really where I would recommend to do it.
Carole Theriault
Definitely not in the fans.
Oli Skertchly
I have a bucket in there. So it turns out that when you sign a data processing agreement with clients and it says on it, we reserve the rights to audit your premises for IT security and GDPR, then they actually mean it. And one of our clients did send the auditors in.
Graham Cluley
Oh, you poor sod. How horrible for you.
Oli Skertchly
It was a valuable learning experience for all of us.
Carole Theriault
What was the big takeaway for you when that happened? You must have been shitting yourself.
Graham Cluley
Well, we've already covered that, I think.
Oli Skertchly
It's a good thing I had the bucket.
Carole Theriault
This is getting scary.
Oli Skertchly
The big takeaway was don't worry too much about it. Everybody, you know, fucks up on something, but if you think you're doing all right, you're probably okay. You know, since GDPR, where we've all had to go in a bit of a panic about the data that we process, I think most people these days, hopefully, are a bit more at least aware of the kinds of things that they need to polish up on before somebody did send some auditors round.
Graham Cluley
So did you have a smart lock in place on your server room before the GDPR audit?
Oli Skertchly
No, we did not.
Graham Cluley
Right.
Oli Skertchly
And as the auditor asked, who actually has access to this room? And I said, well, it's only me and the external IT support people and the guys who use it for storing video equipment.
Carole Theriault
Right.
Oli Skertchly
And the boss and the other director. And the man who fixes the photocopier. There was a bit of that. And the air conditioning guys. And because we work on a farm, I think that the farmer likes to store some of the winter feed in there.
Graham Cluley
A couple of sheep.
Carole Theriault
Yeah, exactly.
Oli Skertchly
There's a very small chicken door for the chickens to go in and out. So, so he said, well, maybe just in case somebody does go into the server room and help themselves to all the floppy disks and punch cards and all of the fancy IT tech that you've got in there.
Carole Theriault
Yeah.
Oli Skertchly
Maybe you should get yourself one of these smart locks.
Carole Theriault
Right.
Oli Skertchly
And so I've done that.
Graham Cluley
But are you pleased? Do you feel now that you're more secure as a result or not?
Oli Skertchly
I feel empowered because now finally I am the one who can see who's going in and out. And of course now I can restrict it to as few people as possible. But it did take a certain amount of research to—
Carole Theriault
Not get a dud lock.
Oli Skertchly
To not find something that was completely shit and was gonna fly open every time a fly buzzed past it.
Carole Theriault
Yeah, so there's an argument for inside businesses then, I guess.
Oli Skertchly
Well, there are many other reasons, I'm sure, in many other secure locations, but I know that certain people are buying these locks to have on their guest homes, their holiday lets, their Airbnbs, so they don't need to be there to meet the guests or tell them that the key's under the mat or something like that. But when something does go wrong, then suddenly you've got people standing out in the cold and that's not a 5-star review.
Graham Cluley
And I think that just happened recently, didn't it, with one of these cloud-based locks where lots of people were locked out.
Carole Theriault
It was a Google service that went down, didn't it?
Graham Cluley
Was it?
Carole Theriault
Yeah, I think it was the Nest services. Yeah, Nest services went down and people couldn't get in or out. But it is serious. So I'm in Canada, right? And it's been crazy weather here. And we had a serious storm in Ottawa the day before Canada Day. Serious storm. The power went out for an hour. And so the next day, I was driving with the cabbie. And I was talking about the storm. And he said, well, look, my day job is at an old age home. And when the power went out, all the doors unlocked. So there's patients that are really sick. They were wandering around in the dark halls everywhere.
Graham Cluley
Oh my god.
Carole Theriault
Oh my god, yes, it's all Tyson. And because there was not very much staff on because it's a big holiday weekend. So it was a real nightmare. So it only took an hour, but they were really freaking out.
Graham Cluley
Yeah, he'd have to herd them all up, wouldn't he? With baseball bats.
Oli Skertchly
So it was a holiday weekend and all the staff went home and just locked the old people in.
Graham Cluley
That's what it sounds like now.
Oli Skertchly
And then the doors all unlocked themselves and they were rampaging with their baseball bats.
Carole Theriault
Yeah, I'm changing my mind, Graham. I think I understand why you're afraid now. Oh, good God.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
Okay, so this morning, a beautiful morning this morning, I get a text message from my Croatian friend named Andy. Okay, no words, just a link. And I've shared the link with you guys so that you can take a click and describe it. Okay.
Graham Cluley
So I'm looking at a rather cute cat who appears to be playing the flute.
Oli Skertchly
Is that a six-legged cat?
Graham Cluley
What's that then? A cartoon flute.
Carole Theriault
So, you know, when your cat just stares at you because it wants something, but it doesn't obviously move, they've kind of put little cute little hands, little— it's just a cute little meme, right? And this is what social media basically means to me. It's a few random fun memes that gives you a moment of something, a little giggle. And I never post, as most of you know, and I never read anything unless someone emails me or sends me a text message with a link, and then I'll go in. But it seems I'm unusual, because Graham, you are what I would call an avid user of Twitter.
Graham Cluley
I quite like Twitter, yeah. I enjoy Twitter.
Carole Theriault
Yeah. And Oli, are you on social media, or do you—
Graham Cluley
Oh, a pause. No.
Carole Theriault
Oh.
Oli Skertchly
I missed the Facebook boat, and I'm delighted about it. And I haven't quite managed to tweet, though I have several Twitter accounts. And I have an Instagram account, and I have a few followers, but I've never posted anything.
Graham Cluley
Are you not on anything else? You're not on Pornhub or anything like that?
Oli Skertchly
Well, I don't consider that social media myself.
Graham Cluley
Okay, right, all right.
Carole Theriault
For the handful of listeners that treat social media as I do, with disdain, there are thousands and thousands of you out there who are much more like Graham here. Not looks, obviously, or age, but you're probably more likely to be actively managing one or more social media accounts, such as Twitter, Facebook, LinkedIn, Insta, and all that. And so this story is for you guys, you dirty social media whores.
Graham Cluley
That's a bit of a jump, wasn't it? Now you're calling us whores.
Oli Skertchly
I agree, Carole. They're all whores.
Carole Theriault
No, no, but this centers around a call to action to strike against social media. And this social media strike, a declaration of digital independence they've called it, is scheduled to kick off on Thursday this week, July 4th, Independence Day.
Graham Cluley
Happy Independence Day. Although presumably a lot of people won't actually be using social media as much on July 4th if they're American, or maybe they will be telling distant family members happy Independence Day, whatever it is.
Carole Theriault
I don't know. Lots of people would take pictures of their burger and put them online. We're having so much fun over here, but it's more fun here than where you are.
Graham Cluley
Yeah.
Carole Theriault
So I wanted to share the social media strike's main gist and see whether this movement can count on you, Mr. Cluley and Skertchly. Is that right? Skertchly. Your name's harder than mine.
Oli Skertchly
Pronounce it however you like.
Graham Cluley
Please know what the name of our guest is. Give him that respect at least. He's your friend.
Oli Skertchly
It's clearly made.
Carole Theriault
So I want to see if you guys are going to support this or not.
Oli Skertchly
Not.
Carole Theriault
Okay, so let's first talk email. Each of us owns the content of our email. So if, for example, you use Gmail and you decide Gmail was no longer for you and you wanted to move to another service, you, the user and owner of the content, could collect all your messages and shove it into a new email service.
Oli Skertchly
Thank you, GDPR.
Carole Theriault
Well, I don't even think it was that. I think you could always do that. You could move from, say, Gmail to Proton, and that'd be fine. That would work. Now, the same goes for websites and blogs and podcasts and text messages. You could choose to export that content and use another service provider. But this is not the case when it comes to some of the social media players. Seems like giants like Twitter and Facebook have a firm grip on their users' short and curlies effectively. Not only do they provide the actual platform, but they also have a stronghold on your, or fistful of your content.
Oli Skertchly
Nice.
Carole Theriault
So for example, Graham, all your tweets, you couldn't just go, I've had enough of Twitter, I'm just going to take my content and move it to a new platform, to a new service provider. You would have—
Graham Cluley
I wouldn't really want to move old tweets there, would I? I mean, would they really think about Facebook?
Carole Theriault
Some people have recorded their whole kids' lives on it, or their marriages and all that stuff. You know, maybe they don't have the original pictures anymore because they lost—
Graham Cluley
But you can download your archive, can't you? You can download your old ones. It's just you haven't necessarily got anywhere where you can upload them to again easily.
Oli Skertchly
Easily.
Graham Cluley
Yeah, right.
Carole Theriault
Okay, effectively, I guess the issue is whether or not it's important to you to have your old tweets, are you the owner of said content and are you in control of that content? I mean, come on, you have all those Piers Morgan, you know, your Piers Morgan pissing contests and all that. You wouldn't want to lose that.
Graham Cluley
I've never had an actual pissing contest with Piers Morgan. In fact, I've never had a pissing contest with anyone as far as I know, other than Oli earlier on in this podcast.
Oli Skertchly
It was great.
Carole Theriault
Right, so the question that the strikers are asking all of us is, shouldn't social media providers provide a neutral, fully interoperable service which would allow you to import and export your content at will? So the idea is to decentralize social data, and for this to happen, that means the social media giants and all the services must agree on a common universal set of standards and protocols. And that's the issue. They built them all in silos originally, not working together and not making a universal set of standards that they all agreed upon. In principle, do you think it would be useful if they used a common universal set of standards? So if we could get people like Twitter and Facebook to agree—
Oli Skertchly
I think it sounds like something that the lawyers really wouldn't be very keen on.
Graham Cluley
Oh, I'm sure.
Carole Theriault
And this is why there's this whole strike. Let me just go back a second. This whole strike idea came from someone quite interesting. This is Larry Sanger. That name ring a bell, Graham?
Graham Cluley
To you? No.
Carole Theriault
So he's one of the contributors and maybe arguably a founder of the Wikipedia project.
Graham Cluley
Oh, okay. I know Jimmy Wales. Yes.
Carole Theriault
Okay.
Graham Cluley
So he's one of his buddies, right?
Carole Theriault
Well, not anymore. We'll get to that in a second. So now he's the CIO of Everpedia, which is very similar to Wikipedia, but it boasts that it has a blockchain and crypto elements. Everpedia, interestingly, also seems to have some social media elements. So this might be the personal driver behind this campaign. Maybe Everpedia is experiencing some growth issues because of Facebook's Twitter stronghold and they want more interoperability in order to grow their platform. Anyway, just an interesting on his blog. So if you go to Larry— I always call him Sanger, so don't stop me. Sanger, I know, right? Not—
Graham Cluley
That'd be much better.
Carole Theriault
So what they're asking is that you not post anything on social media on Thursday, July 4th, Independence Day, and the day after, the 5th, unless it's in direct support of this social media strike, right? So that means declare that we're on strike using the hashtag Social media strike, blah blah blah. You can point to the copy of the Declaration of Digital Independence. Yes, that's right, there is a Declaration of Digital Independence that they pulled together, which has all the principles of decentralized social networks. I put a link in the show notes. I've read it, sounds pretty cool to me.
Graham Cluley
I just think this is a bit weird, isn't it? I mean, if you're not happy with the way Facebook and Twitter work, then quit Facebook and Twitter and go to a service which you do like the way it works. And there are an increasing number of sort of federated social networking services, which give you more control over your data and allow you to move it from place to place rather than it being with one company.
Carole Theriault
I don't think you're thinking about this as— so let's say, for example, you have a lot of followers, say on Twitter.
Oli Skertchly
Right.
Carole Theriault
And let's say you start getting really pissed off with the way Twitter is handling certain things. And you think, you know what, I've had enough. The same way that happened with Facebook.
Graham Cluley
Yeah.
Carole Theriault
I don't think you would walk away. If you had the option to actually transfer those followers and some or whatever of the content to another supplier, easy peasy, I think you would choose that over just dumping it all. And we've had those arguments before when we've had to do that in the work world.
Graham Cluley
Well, I think most of these services now give you an ability to download the data. I don't see what the incentive is for them, or the business case there is for them, to allow people to sort of populate or to work alongside the likes of Facebook or other services more closely so that this data can be easily exchanged.
Carole Theriault
Do you think blogs and websites should work like this? Do you think if you have, for example, a WordPress blog, you should not be able to, you know, choose a different supplier and make, you know, and port over your content?
Graham Cluley
Well, I can do. I can do.
Carole Theriault
Of course you can.
Graham Cluley
Because I can download my data. Yes, but what—
Carole Theriault
It's the universal protocol.
Graham Cluley
Well, but why have you decided that Facebook and Twitter and Instagram are doing the same thing? They're not doing the same thing. They're doing different things. And they have— or YouTube— they're focused around different elements, whereas a blog is a blog. It's something which has an article and a headline and links in it. You know, it's— they're more comparable to take the data from place to place.
Oli Skertchly
I guess we're coming to the idea that you can't unilaterally move off Facebook. So people tend to be stuck on Facebook because that's where everybody else is. And you could say, well, I'm going to take away all my content and I'm going to take away this, do this, and I'm going to publish all my Facebook content on a WordPress site. And that's how I'm going to give all my updates. But then you're not taking part in that community. And the same with Twitter, the same with all of these other things. You're part of that siloed community. So unless they bring those communities together in some special way, you're forced to stay within that single community because going away then means that somebody, for example, you Graham, if you moved on to Mastodon, the idea of taking all of your loyal followers over to that as well whilst they're still on Twitter because they want to follow other people, it's just not going to happen. It's not realistic.
Carole Theriault
I get that we've accepted that that's how it works. The idea of this whole strike is to put that into question. Like, do you think they should pay attention and figure out a way to work better together so that we can have better ownership and better interoperability so that we can port or delete or whatever with our data? And I think it sounds like a great idea. Now, how they're going about it though, the idea of the strike is that no one posts anything, although I was guessing you can sit there and read the feed of it saying we're on strike. That's the only thing they want you to post. And the idea would be, wouldn't it be amazing if on Facebook and Twitter all you could read were, hey, support this, support this strike. There's a lot of press on it, though. So it's going to be interesting to see whether this guy, Larry Sanger, is able to pull it off.
Graham Cluley
Larry?
Carole Theriault
Larry Sanger.
Graham Cluley
Larry.
Oli Skertchly
It's okay when people get your name wrong, especially if they're really difficult, complicated ones.
Carole Theriault
On the site, so this is on Larry's site. There's some controversial bits also, because he sort of says, strikers will start calling out scabs for posting when they should be striking.
Graham Cluley
Scabs?
Carole Theriault
So effectively, if Graham, on July 4th, you decide, well, I don't care, and you put out, hey, we've just put out our new episode.
Graham Cluley
Yeah, that's exactly what I'm going to do on Thursday morning. I'm going to be tweeting that people can listen to this ruddy podcast.
Carole Theriault
That's what I'm going to do. And if you get trolled by some of these people that feel that you should be on strike, how are you going to handle that? He's also suggesting they create a strike bot, which I find not very nice.
Graham Cluley
Oh, what, to automatically abuse people who happen to be—
Carole Theriault
Yes. Well, I just think these are horrible people.
Oli Skertchly
Well, I do quite like the idea that the social media sites will reach a level of maturity where they've made so much money that they just think, well, hey, why not just give more people more power and ownership over their data in the way that Tim Berners-Lee wants us all to have? And let's all work together and let's move forward into a beautiful future, singing and smiling together and walking into the rainbow. I think it's the stockholders and the lawyers who will probably have more to say about this than anything else.
Carole Theriault
The thing is, I agree with the principles of it as well. So I've read them, I like them, I think it makes sense. The issue I have is actually with this guy Larry himself. He has on his own website— okay, so everywhere in the press right now, you know, he's basically banking his fame on his years at Wikipedia, right? So lots of the titles you'll see in the press are ex-Wikipedia founder and this kind of stuff. And of course, most of us— or I don't know, maybe I'm talking out of my, you know what— but most of us kind of assume Jimmy Wales, as you said, Graham, is the Wikipedia main founder. He's certainly been the most high-profile person, hasn't he?
Graham Cluley
I see. Right.
Carole Theriault
I'm going to say, this is on Larry's website. Just listen to this quote. I was far more active than he was in the first 14 months of the project. And my influence in the community in terms of organizational work, general policy, blah, blah, blah, blah, was far greater than his. Larry Sanders again. Larry Sanger. I point to my memoir. I'd also point out that Jimmy Wales has written no similar memoir, because he really did not do very much in the community to write about. So there's a lot of bitterness there.
Oli Skertchly
Yeah, I wasn't really sure about that.
Graham Cluley
You don't say.
Carole Theriault
Yeah. What's annoying about this for me is you have to like both. You have to like the policies and you have to like the person who is trying to get the argument going. And my research in this made me think, I don't like the idea of yelling at people that don't want to take part.
Oli Skertchly
I think encouraging people to be trolls just because they don't agree with you.
Graham Cluley
I think there's a lot of people who don't like the founder of Facebook. They don't like the founder of Twitter sometimes, but sometimes they find these services useful. If you feel really strongly that you don't want to be part of them, there are alternatives out there where you have more control over your data and your data isn't being held by one corporation. It's called the Fediverse.
Oli Skertchly
See, this is the kind of thing that sort of starts to put me off social media. I may have to stop.
Graham Cluley
Go and check it out. Yes, of course it can be a pain building up a community again or getting your pals to join you. But I think you probably are better off starting that sooner rather than later, rather than hoping that the existing social media giants do what you want them to do, because I don't think they're going to do it.
Oli Skertchly
But I also think that no matter how much we talk about it and stroke our beards and say what we think is going to be right— I'm not stroking my— I don't have a beard. What about you? Okay. Neither do I.
Carole Theriault
Don't quit your day job.
Oli Skertchly
Carole could grow a beard quicker than I can.
Carole Theriault
Hey, Graham.
Oli Skertchly
Yes.
Carole Theriault
There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employee keys. Check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing. We also are sponsored by MetaCompliance.
Graham Cluley
Now, MetaCompliance reduce cybersecurity risk by providing a platform for training. Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
Carole Theriault
And best thing, it's not boring.
Graham Cluley
No, not boring at all. You learn everything: GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
Carole Theriault
And on with the show.
Graham Cluley
And welcome back, and you join us, our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Oli Skertchly
Oh, Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
And my Pick of the Week this week is not security-related. I wonder if you can cast yourself back in time 50 years to July 1969.
Carole Theriault
I didn't exist then. What was it like, Graham?
Graham Cluley
Well, it was a momentous time, Carole, because Apollo—
Carole Theriault
Beep!
Graham Cluley
Because Apollo 11 was landing on the moon, of course. The incredible Apollo—
Carole Theriault
Do you remember that?
Graham Cluley
I don't know. No, no, no. I do remember some of the Apollo missions, but not Apollo 11. I was a little bit too young for that. But Apollo 11, of course, took place around about 50 years ago, sometime in July, wasn't it, when they landed? And I have found a tremendous website called ApolloInRealTime.org, and I checked this out the other day, and it is an interactive presentation of the first mission to land on the moon as it actually happened. And there's a timeline where you can go through the entire mission. Some days, of course. And you can hear the radio chatter, you can see pictures scroll by, you can see video footage, you can scrub along very quickly to the relevant part of the mission that you want to watch. Maybe you want to watch the launch or the landing or the first steps on the moon or when President Nixon rings them up. You see a transcript of all the chatter which is going on between Tranquility Base and—
Carole Theriault
Say no more! I think everyone's sold already. It's super cool.
Oli Skertchly
15,000 searchable utterances.
Graham Cluley
Yeah, you go. Wow. And it's quite fascinating. There is, I believe, a documentary which has just come out on CNN. I haven't seen it yet, but I believe it's going to be coming to our cinema screens very soon here in the UK as well. All about Apollo 11, which has taken reconstructed footage of—
Oli Skertchly
So they've reconstructed the mission?
Graham Cluley
Yeah, well, no, they haven't done it for real.
Carole Theriault
That would be a feat.
Graham Cluley
Anyway, I love this kind of stuff, and I had a great old time checking it out. An incredible historic document at apolloinrealtime.org. Go and check it out.
Carole Theriault
I'm very busy, dear, or we'll make it for dinner.
Graham Cluley
You know, I kind of like this sort of thing. And it is a very well-put-together website. It's astonishing.
Carole Theriault
Cool. Okay, I'll go and check that out. Great. Good pick of the week, Luke.
Graham Cluley
Thank you very much. Oli, what's your Pick of the Week?
Oli Skertchly
My pick of the week is a series on Netflix, a gentle tale of the intertwined relationships between four families, a hint of spooky goings-on, a dash of adventure, and quite a hefty helping of child kidnap and murder.
Graham Cluley
Lovely.
Oli Skertchly
I'm not, of course, talking about the new series of Stranger Things, but series 2 of Dark.
Carole Theriault
Oh, of course you are. I've watched some of this.
Graham Cluley
I know this. This is a drama, is it?
Oli Skertchly
Drama, documentary or something? It's a, yeah, drama. Not a comedy, not a documentary. It's from Germany.
Carole Theriault
So it's dubbed really well. So it's not just, we, oh, I've watched it dubbed.
Graham Cluley
It's dubbed.
Oli Skertchly
Well, you say that it's dubbed. And a friend of mine at work said, oh, I liked it, but it was a bit dubbed. And I thought, well, not after I'd pressed the subtitles button and went to the subtitles and had German audio. So I think you've got a— there's a choice. There's a choice of audiovisual.
Carole Theriault
I love the dubness though.
Graham Cluley
I didn't know they still dubbed things. I just assumed they always—
Carole Theriault
Oh no, Graham, there's this really new cool game we play in our house, right? So you turn on, you watch a dubbed film, right? So you're listening to whoever's translated, but you also turn on what's it called, the text? Yes, it's called the subtitles. And it's different translators that do both of them. And there's a really cool meta experience because sometimes one of the translators is in a shitty mood, so you're much more sweary than the other one. And sometimes they're much more authoritative, and you can spot all these crazy inconsistencies. And it makes watching things that might be vaguely more for your partner than for you much more fun to watch.
Graham Cluley
I see. I was about to say, why don't you just stop watching this rubbish. Yeah, that's what you're having to do. But okay, it's because you're sharing the viewing experience. Fair enough.
Carole Theriault
Exactly.
Graham Cluley
Brilliant.
Oli Skertchly
Well, you've just told me how to make all TV more exciting. But getting back to Dark, the reason I absolutely love this series, and I think it may be because it's German, whenever they open up one of these mysteries or questions, they do gradually start to answer the mysteries and questions later. It doesn't turn into another Lost or program where you just end up with a whole bunch of—
Graham Cluley
And you're frustrated because you realize at some point they're never ever going to explain this to yourself.
Oli Skertchly
And then eventually—
Carole Theriault
And you're damn you, I've given you hours of my life.
Oli Skertchly
Exactly. But with this one, you kind of know that they are going to get around to that. I mean, obviously they've, at the end of the first series, they've closed enough of the questions, but not too many to leave it open for series 2. And I've just started watching season 2 and I've realized that I need to probably watch the second half of series 1 again to try and work out what's going on. But I'm enjoying every second of it.
Carole Theriault
It's complicated.
Oli Skertchly
Oh yeah. But it's worth it. It's worth every second because you know you're actually going to get your money's worth out of it.
Graham Cluley
Oh, and that's called Dark.
Oli Skertchly
That's called Dark, and that's on Netflix.
Graham Cluley
Marvelous.
Carole Theriault
I recommend it too. Thumbs up for me as well.
Graham Cluley
Hmm.
Carole Theriault
Especially with subtitles and so dub and sub.
Oli Skertchly
Yeah. Yep. Definitely.
Carole Theriault
Enjoy. You're welcome.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
Okay. It's a bit of a weird pick of the week.
Graham Cluley
Oh, what a surprise. Totally.
Carole Theriault
I don't think we've ever done anything like this before.
Oli Skertchly
Okay.
Carole Theriault
It's been really hot around here, right? And I know in the UK there's been a bit of a heat wave, and Europe, the States—anyway, right? So everyone's probably suffering the same annoying thing that I have, unless of course you have air conditioning, and that is hot pillow syndrome.
Oli Skertchly
Oh my God, oh my God.
Carole Theriault
Do you know when you're lying in bed and you're like, okay, oh, it's hot, I'm gonna flip my pillow over, and you get the cool side, and that's really nice? But if you do it too often, or if it's really hot out, you do it and it's hot on both sides. And that is the worst. Even if you make your pillow into a quadrant and you have four designated areas that you try not to overlap to make sure you always have a cool bit coming. I seriously do this.
Oli Skertchly
Oh yeah, totally with you on this. You don't know what I'm talking about.
Graham Cluley
I've got no idea what you guys are talking about. I've never experienced this.
Carole Theriault
Really?
Oli Skertchly
You don't get hot pillow, hot head?
Graham Cluley
I don't move my pillow. Why would I move my pillow? My pillow is fine.
Carole Theriault
Okay, well, anyone who's tweeting on the day that they shouldn't be tweeting, let us know if you're of the cold or non-cold.
Oli Skertchly
This is the one exception.
Graham Cluley
I leave the window open to keep it—
Carole Theriault
No, no, it's the pillow. It's not about the air, it's about your pillow, the hot side. I sleep on my ear, maybe that's why I sleep on my side. Anyway, okay, I was complaining about this and started Googling, seeing how many other people complain. There's a lot of people that complain about this, right? And people started recommending this thing called the Chillow. Now, totally love the name, right? You gotta love the name. It's great, great name.
Oli Skertchly
Yeah.
Carole Theriault
And the idea is that there's this cool gel pad something inside, right? And people were swearing by it on this certain feed I was reading. Okay, so during my search of the Chillow, I end up of course on amazon.com, right, to check out some reviews. And they have 1,000+ reviews but 3 out of 5 stars, right? 26% gave it a 1-star rating.
Graham Cluley
Oh dear.
Carole Theriault
So I was a little—I was, oh. So here are a few of my favorites, right? So we followed the instructions and the Chillow was cool at first. However, it got hotter and more uncomfortable through the night. By the end of the night, I was perspiring even more than I had before. The Chillow was like putting a piece of plastic over the pillow and turning the heat up to 100 degrees.
Graham Cluley
I don't recommend doing that.
Carole Theriault
Apparently the Chillow has—you have to fill it with water and apparently the cap isn't secure and loads of people were talking about leakage inside their bed.
Graham Cluley
I have used that excuse from time to time. It's the Chillow, darling.
Carole Theriault
And the product—another one was the product was dismal at best. I was expecting better quality. I followed the instructions to the letter and ended up leaking and getting warm and staying warm when it was used by either me or my husband. Total waste of money.
Oli Skertchly
It leaks warm water all over my crotch.
Carole Theriault
So okay, so that was going to be my pick of the week.
Graham Cluley
Until you realised it was rubbish.
Carole Theriault
I didn't want to buy it. So now my pick of the week is listeners, can you—those of you that are human and have the hot ear, hot pillow syndrome problem—if you have a cool pillow method, I need to know it. Okay, so what?
Oli Skertchly
You a cool pillow?
Graham Cluley
So basically we're going to get— Thank you very much. We're going to get bombarded by Chillow pillow people now.
Carole Theriault
Well, maybe they can send me if it's— I'm not even going to use it if it's leaking.
Graham Cluley
Next week's episode starts at 5.
Carole Theriault
Are these bad reviews? Are these fake reviews?
Graham Cluley
Who knows? Could be by a rival, couldn't they?
Carole Theriault
Oli will be interested in the results, right?
Oli Skertchly
Well, who's the rival though? I want to know about the rival. Maybe the rival's brilliant. Maybe the rival—
Carole Theriault
There's quite a few. There's quite a few. I've put a link in the show notes of apparently, I know, here's 10 cool pillows, but I don't trust any of them now. The world's too complicated. I just want a cooler sleeping pillow. So any advice from a dear listener, I will take. Thank you very much. That's my pick of the week. It's not security related.
Graham Cluley
No, it certainly isn't. It's the kind of thing that maybe if you'd been on social media, you could have posted about and got some answers from all of your followers.
Carole Theriault
Maybe, maybe you will, because maybe you can do that for me.
Graham Cluley
Well, thank you very much for that Pick of the Week. And thank you as well, Oli, for joining us on the show.
Oli Skertchly
Most welcome.
Graham Cluley
If people wanted to find out more about you, Oli, what would be the best way for people to do that? Is there any method whatsoever?
Oli Skertchly
Well, firstly, more Phil Lemm. And secondly, maybe on July 4th and 5th, as a little bit of a protest to Larry Sanger, I will actually post some things on my Instagram account, which is Oli Light Industries. That's Oli spelled O-L-I, because I make lamps in my spare time. And maybe people want to look at a nice picture of a lamp.
Graham Cluley
Yeah, my young son, he bought a lamp from you, didn't he? Yeah.
Oli Skertchly
Yes, yes. How's he enjoying that?
Graham Cluley
Well, it hasn't actually been delivered yet, Oli.
Oli Skertchly
Oh, has it not? Oh, really? I hated to use the podcast to mention that, but I gave it to Carole. I gave it to Carole and she said she would deliver to you.
Graham Cluley
He's—
Carole Theriault
Oh, oh, oh, may I interrupt and thank this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers.
Graham Cluley
And you can follow us on Twitter at SmashinSecurity, no G. Twitter doesn't allow us to have a G.
Oli Skertchly
Yep.
Carole Theriault
And fist bumps to all of you listeners out there. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Graham Cluley
Until next time, cheerio, bye-bye, bye-bye. Yes, no, every day my son is waiting by the letterbox saying, "I wonder if, I wonder if the light will come." He comes home from school, "Is it here, Dad?" I say, "No, Oli hasn't sent it yet. It's not here yet, I'm afraid." So—
EPISODE DESCRIPTION:
We take a bloodied baseball bat to Android malware, and debate the merits of a social media strike, as one of the team bites the bullet and buys a smart lock for the office.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Oli Skertchly.