
155: Juice jacking, YouTube hacking, password slacking


A bank has some of the worst password advice ever, travellers are told to be wary when USB charging their smartphones and laptops, and a gamer has his YouTube account hacked.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Geoff White.

Visit https://www.smashingsecurity.com/155 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GEOFF WHITE. And having recently, by the way, been to South Africa where the sockets are just crazy.


CAROLE THERIAULT. I've never been.


GEOFF WHITE. It's almost like a sort of socket on steroids. So like, how can we make this really inconvenient and massive and bit like, is that a socket in your pocket? We're gonna need a big socket in South Africa.


UNKNOWN. Smashing Security, episode 155. Juice jacking, YouTube hacking, password slacking, with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 155. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole.


CAROLE THERIAULT. Hello, Groom. What?


GRAHAM CLULEY. Anyway, and we're joined this week by Geoff White. Hello, Geoff.


GEOFF WHITE. Hi, how you doing?


CAROLE THERIAULT. Fantastic. Thank you for coming on the show.


GEOFF WHITE. It's always a pleasure.


GRAHAM CLULEY. Geoff, what have you been up to? What's going on?


CAROLE THERIAULT. What's going on with your book?


GEOFF WHITE. Oh, the book. Yes, the book is in progress, I think it's fair to say. So it's going to come out, we think, late spring next year, and it's gonna be called crime.com.

So we are now at the stage of cover design. Ooh!


GRAHAM CLULEY. So what are you gonna do, go on fiverr.com and ask someone to do it, or what's the deal?


CAROLE THERIAULT. I sort of— I'm a budding artist actually, Geoff, so—


GEOFF WHITE. Oh yeah, hey, yeah, yeah, okay. I was thinking—


CAROLE THERIAULT. Pretty good with the old watercolour.


GRAHAM CLULEY. Microsoft Paint.


GEOFF WHITE. I was thinking my face, just my face, in extreme close-up with just the eyes, the nose, and the mouth, and nothing else. No title, no name, just the face. On the front in really excoriating detail on the front.


CAROLE THERIAULT. Do you know, I don't mean any offence in saying this, but that is something that Donald Trump would do.


GEOFF WHITE. I know, I know. I'm thinking capitalise on that. Yeah, yeah.

No, I don't know. All I could— I'm so bad at design, I'm so bad at all the visual stuff.


GEOFF WHITE. All I could think was, "I like the ones that are just a white cover with some black text on it." And the publisher looked at me as if to say, "What?" So do they actually ask you?


GRAHAM CLULEY. Do they ask your opinion?


GEOFF WHITE. Yeah, you get, you know, if you reject too many of their offers or their ideas, obviously they're just like, no. But you can sort of say, no, I don't like that, I do like this, or we should, you know, okay, you get inputs.

They don't just, they don't, yeah, yeah.


CAROLE THERIAULT. But yeah, because if Geoff throws his toys out of the pram, what happens then?


GEOFF WHITE. Exactly, you've got to please the talent, as it were. But yeah, so no, it's very exciting.

So cover being designed, and then obviously you've got to do all the proofreading and all that kind of thing. So yes, it's in process.


CAROLE THERIAULT. And you've got to wait like, what, 4 or 5 months before it hits the shelves?


GEOFF WHITE. About that, yes. Yeah.


GRAHAM CLULEY. And when eventually it does come out, I'm sure we'll talk to you before then, but will there be like a book tour or anything like that?


CAROLE THERIAULT. Yeah, do I get a signed copy? Would you— Is that the question I'm asking? I wanna know.


GEOFF WHITE. To both of those things, yes. To the latter question, yes, but it won't be free, your signed copy.


GRAHAM CLULEY. It will be—


CAROLE THERIAULT. No, no, I'll pay for it. Absolutely.


GEOFF WHITE. I just get— I keep getting people saying, "Oh, can I have a free copy?" And I sort of think, well, I do have to sell some, you know? Like, I can't bankrupt myself by giving away free copies.


CAROLE THERIAULT. Don't worry, I believe in supporting the arts.


GEOFF WHITE. Good, good. Okay. And in return, I shall buy one of your, one of your watercolours.


GRAHAM CLULEY. What's on the show this week, Carole?


CAROLE THERIAULT. Thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, on today's show, Graham tells us about a bank's unique approach to passwords. Geoff gives us the lowdown on public USB charging services. And I'm sharing the woes of a hacked YouTuber.

All this and loads more coming up on this episode of Smashing Security. And Graham, I have a neat idea for what we should do for our Patreon supporters, and I'm gonna share it at the end of the show. So don't duck out early, folks. Stay tuned.


GRAHAM CLULEY. Now, chums, we all know that passwords are pretty important, right?


CAROLE THERIAULT. No, I've never heard that.


GRAHAM CLULEY. You never heard that? Do you have any passwords, Carole?


CAROLE THERIAULT. Nope.


GRAHAM CLULEY. No, don't bother. Just the Enter key.


CAROLE THERIAULT. I just put CAT for everything.


GRAHAM CLULEY. Cat, right, for everything. Okay. Well, I think most of us know it's important to have secure passwords and to educate our friends, family, dear listeners out there about safe password practices. We're always going on about it, aren't we? And I think it'd be nice to think that companies are doing their bit too, to raise general password standards.


CAROLE THERIAULT. Well, it's within their interest to do so, I'm guessing, right? Because then they have less hacked accounts, less irate customers, etc., etc.


GRAHAM CLULEY. So just companies are recommending people enable two-factor authentication, you know, that message then spreads onto other accounts as well. And you begin to think, oh, maybe this is a good idea to enable it elsewhere. And one sector where you'd really expect firms to be on the ball is in the banking sector. So you'd expect financial firms to be really red hot on password security, right? They're not gonna be sloppy. So I want to take a look at one particular bank that was highlighted on Twitter last week.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. For its rather unique approach to password security.


CAROLE THERIAULT. I'm so intrigued, Graham. I have no idea where this could be going. I really didn't look at your story beforehand. I did no, you know. Oh, okay. Yep. So I'm brand fresh new to it.


GRAHAM CLULEY. Well, this isn't a bank you might've heard of. It's not really a household name. It's called Finaco. And although they're not a household name, they offer online banking and brokerage and investment services to more than 1.3 million customers across Europe. So it's not totally tiddly.


GEOFF WHITE. Okay.


GRAHAM CLULEY. And I think actually it's mostly sort of businesses who may be their customers as well. Most of them, it seems, are based in Italy.


CAROLE THERIAULT. Fineccio.


GRAHAM CLULEY. Oh, do you think that's it? Maybe that's it. Fineccio. Okay, we're calling it Fineccio.


CAROLE THERIAULT. I like that. Fineccio.


GRAHAM CLULEY. They want their customers to be super secure when they create their accounts. And so they actually give some advice when people create an account on their website. And what they say, and this has been translated obviously from the original Italian, depending on how the website is. It says, verify the security of your passwords. Type the password on Google, and if it returns less than 10 results, it means it's a good password.


CAROLE THERIAULT. Shut the front door. They do not say that.


GRAHAM CLULEY. They do. They say that this is a way of making sure your passwords are as secure as possible.


CAROLE THERIAULT. So if my password was ABC123, for example. I would type that into Google and go, oh, there's so many results. That's a bad one.


GRAHAM CLULEY. Well, ABC, it's as good as 123 wouldn't be accepted by them because that has more than 8 characters. Their website stipulates that you can only have up to 8 characters in your password.


CAROLE THERIAULT. Brilliant.


GEOFF WHITE. There's gotta be— I mean, do you think there's a technical reason for that? What they've got is an entire office full of Psion organisers, Psion 2, you know, the little ones they used to have in Marks & Spencer's. That can only store, you know, 8K or something.


GRAHAM CLULEY. It's like, "Don't overload our buffers." Well, I think the thing is they're probably not hashing the passwords, 'cause if they were hashing the password, if they were just storing checksums of the password, then it wouldn't matter how long your password was, would it? So they're probably actually storing the password, and we've only got 8-character bytes to store it in, in the database. And so we can't have anyone who asks for more than 8 characters.


CAROLE THERIAULT. This is bank people. 1.3 million people save their money with them.


GRAHAM CLULEY. Well, it's not just the 8-character thing, but also this. You should Google your password. Yes! And not use if it appears 10 times or more. I mean, there's a view that maybe they're doing this because then you can use your browser history as a password manager. So if you need to look up old passwords, you can just look up your previous searches, or indeed anyone else who uses the same computer as you can go through your browser history as well and spot them there. Now they go on, they suggest a couple of passwords, you know, just to give you an idea of what would make a good password.


CAROLE THERIAULT. Okay, okay, cool.


GRAHAM CLULEY. And they give two suggestions. Both of them obviously not more than 8 characters long.


GEOFF WHITE. Right.


GRAHAM CLULEY. But again, these are the same suggestions which they give everybody and they're not randomly generated. So the idea is if you're too lazy to use Google or too busy, you don't have time to enter your password onto website, here are 2 passwords you can use.


CAROLE THERIAULT. Oh, that's lovely. It's a bit like those routers and they always have the password in the bottom and no one ever changes it unless you work in industry.


GRAHAM CLULEY. Right, you know, there's a whole load of IoT devices which use default passwords and obviously that sort of... And so you would think that maybe any criminal would think, "Oh, having spotted these two passwords, I'm now gonna add that to my password cracking database because maybe there will be some people out there who will do it." Now, maybe you've been scared by all this and you think, "Well, I really need to change my password at Fineco after spotting all these alerts about their dangerous practices." Right?


CAROLE THERIAULT. I have a much better 8-character password to put in.


GRAHAM CLULEY. Well, here is the fly in the ointment. Which is that you have to pay Fineco if you want to change your password. Fuck off!


GEOFF WHITE. You are kidding me!


GRAHAM CLULEY. Now, now, I should stipulate this is only if you want a new password sent to you via the post. I think, which possibly—


CAROLE THERIAULT. Who would want that?


GRAHAM CLULEY. Possibly you're paying for the privilege of decreasing your security. But they're going to charge you €0.95.


CAROLE THERIAULT. So it's about a dollar.


GRAHAM CLULEY. Well, I don't know, the postage varies, Carole, so... If you're, for instance, changing your password in the UK, I think it's over £2 which they're going to charge you to change the password there.


GEOFF WHITE. But what happens for that money, Graham, is a series of Italian postmen arrive at your door, and each one lifts up their top, and tattooed on their chest is the first letter, is the letter of each, and they arrive in turn, and you have to make a note.


CAROLE THERIAULT. Don't get the order wrong, Geoff!


GEOFF WHITE. And then at the end of it, after eight postmen have been, you have your new password, at which point they have to get tattoo removal. That's why it costs so much money.


GRAHAM CLULEY. It would cost a lot. It would cost a lot.


CAROLE THERIAULT. Okay, so my— okay, this is my gut. My gut speaking here. I think they sound like cowboys. I am shocked that a bank—


GRAHAM CLULEY. Like a spaghetti western, you mean? Yes!


CAROLE THERIAULT. No, but do you know what I mean? It sounds just a bit like they have done no research on how passwords work. And yet they're supposed to be a bank, you know.


GRAHAM CLULEY. I don't know if they have a competent IT security department or not, or whether they're simply ignored by the powers that be and told this isn't a priority. But it sounds like they've got a whole bunch of things which are kind of askew with how they're protecting their customers, which doesn't really—


CAROLE THERIAULT. It is surprising though that there's no legislation in place that would stop them from being so weird with passwords, don't you think? I don't know, GDPR?


GEOFF WHITE. But I don't know if that doesn't set a sort of minimum password safety, does it? I just— I don't know.


CAROLE THERIAULT. I think also— what information is kept in plaintext alongside your password?


GRAHAM CLULEY. Mm, good point. So I wonder if there's some sort of translation issue here, because I think, isn't it the NIST standard which says your password should never be less than eight characters?


GEOFF WHITE. Ah.


GRAHAM CLULEY. Ideally up to 64 or something like that. And maybe they mixed up minimum and maximum.


CAROLE THERIAULT. Did you not research that before you decided to present this story?


GRAHAM CLULEY. What research? What, you mean actually go onto a search engine and type in things about passwords? That could be rather dangerous, Carole. You can see all the trouble that they've got themselves. Anyway, the bank has been royally pilloried, and you can only pillory royalty at the moment, online for this attitude. And they say, we understand the criticism and we decided we're not going to suggest it to our clients anymore. Eventually, but I don't know if this maximum character limit is going to be lifted.


CAROLE THERIAULT. Maybe it was just a very overexcited CISO who came up with this idea and no one else in the room had the knowledge to say that's stupid. So they all nodded, right? And went, great, let's try. And actually it turned out to be not so smart.


GRAHAM CLULEY. Maybe. Yeah, but I don't go to my Auntie Hilda for password advice, Carole, right? I don't listen to her when she says, oh, I've got a great idea on how to choose a strong password.


CAROLE THERIAULT. I said CISO, CISO should know how to do it.


GRAHAM CLULEY. Well, yes, and he should know that you don't go and Google it, right? You don't put it into your browser. Maybe the marketing team added that on afterwards.


CAROLE THERIAULT. To make the page nicer.


GEOFF WHITE. Just playing devil's advocate here for a second. Is there a reason why Googling a password isn't a good way of working out whether a password is too common or not? Is there a— have I missed an obvious downside to that?


CAROLE THERIAULT. Well, it records it in your log.


GRAHAM CLULEY. Yeah, the first thing is it's going to store it in your browser history. The second thing is you have just given your password to Google.

Although it's extremely unlikely it would then fall into someone else's hands. But I think generally, our recommendation would be entering your passwords on the web anywhere other than the website where you're intending to enter it is a bad idea.

It's a bit like these websites which say, we will test your passwords, please enter your passwords here. And I'm sure some of them are legitimate and they will give you some sort of idea as to how common those passwords are.

But it's just a dangerous precedent because you're kind of saying to people, oh, it's all right to enter your passwords.


GEOFF WHITE. Yeah, yeah. The ones where you enter your password and it says, we'll tell you how secure your password— I've always had issues with that. This is a bit different though.


CAROLE THERIAULT. We should tell people this is a bit different from when a reputable password manager, for example, suggests a random password, wouldn't you say?


GRAHAM CLULEY. Oh yeah, well, that's what you should do, right? That's the answer is get yourself a password manager, get it to generate a strong password.

Hopefully your websites will take a password which is longer than 8 characters and make sure it's complicated and unique. I mean, I don't think humans should think up their own passwords and that's what their advice should have been, which should have been get yourself a password manager and get it to—


CAROLE THERIAULT. Yeah, and don't bank with a bank that has a limit of 8 characters.


GRAHAM CLULEY. Right. Yeah.


CAROLE THERIAULT. Yeah.


GEOFF WHITE. Yeah, Carole. Yeah. Yeah.


GRAHAM CLULEY. Good advice, Carole.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So Geoff, what good advice have you got for us in your story this week?


GEOFF WHITE. The good advice would be, don't plug your phone into a random airport USB charger thing to charge your phone, is the good advice.


CAROLE THERIAULT. Well, you can't get to them because they're always packed with people. There's lines of people who want to use them.


GEOFF WHITE. Usually teens. I've noticed there's a lot of teens in Ugg boots.


CAROLE THERIAULT. Ugg boots in England are a bit funny for me. It's the wettest country in the world, and their ankles are slopped inward, aren't they?

So, their ankles are all crazily positioned, and they're wearing these wet, soggy, stinky things. Yeah.


GEOFF WHITE. It's teens in Ugg boots snap-facing each other on Google Insta or whatever it is they do these days.


CAROLE THERIAULT. Oh, Dad.


GEOFF WHITE. But no, revenge is now mine. Revenge is mine.

Because it could be that those kids are— and others who use USB charging points are the victims of the phenomenon of juice jacking. Juice jackin'.


CAROLE THERIAULT. Juice jackin'.


GEOFF WHITE. Juice jackin'. Which is the name for when your USB connection is hijacked in some way by malicious software.

So you plug your phone in to charge it, and inadvertently when you plug your phone in to charge it, that then gives the malicious software in the charging point access to your phone because your phone's obviously unlocked at the point when you're doing this and there's a data connection as well as a power connection between your phone and the charging point. And that's juice jacking.

So you think you're getting free power, but actually they're siphoning off data and/or hacking into your phone.


CAROLE THERIAULT. So this is a little bit like when we were talking about bank cards being skimmed at ATMs.


GEOFF WHITE. Hmm.


GRAHAM CLULEY. Hmm.


GEOFF WHITE. It is a little bit like that. Yeah. What's interesting about this, though, is the banks and ATMs, you know who the owner is. It's a bank.

You know that they're held to quite high security standards, a bank, and the police got involved and all that kind of thing. So they, in a way, the banks struggled to get on top of the, you know, ATM hijacking, carding thing for a while. But it was clear who should be in charge of that.

With these charging points at airports, I don't know whether it's entirely clear who runs them all. It's the airport's responsibility. Sometimes it's a private company.

There are these little safes where you can have a key. You unlock the little box with a key, you stick your phone into there and then lock it again.

And there's a company who provide those. The thing is, you just don't know really who's responsible.

You can go to the venue where you charge your phone up, but if it's an airport, they might say, well, you know, yeah, Company X, we give that thing to. Now this— I had heard about juice jacking before.

Yeah, I'd come across this. It's not a new phenomenon, but it is now being warned about.

So the LA District Attorney's Office has now warned against USB charger scams and is telling people, look, if you want to charge your phone, bring a normal power socket thing that you plug in. We have a 3-pin socket. Bring one of those.


CAROLE THERIAULT. Don't rely on just a USB socket, right, to plug into the key here, isn't it? It's like a USB socket is not the same as an electrical two or three-pronged plug into your wall.


GEOFF WHITE. And I find this a bit depressing, 'cause I had held out this wonderful hope for the future where, you know, 'cause USB's universal obviously all around the world. So suddenly we're in a position where instead of having to remember which charger goes where, and having recently, by the way, been to South Africa where the sockets are just crazy.


CAROLE THERIAULT. I've never been.


GEOFF WHITE. It's almost like a sort of socket on steroids. They're like, how can we make this really inconvenient and massive?

And it's almost like, South Africa's got an overblown sense of how powerful its own socket is.


CAROLE THERIAULT. Is that a socket in your pocket?


GEOFF WHITE. I know, it's like, we're gonna need a big socket in South Africa. I thought finally with USBs we can ditch all this power conversion bollocks.

And now I'm confronted with the fact that actually I'm opening up a security hole if I rely on that particular future.


GRAHAM CLULEY. Annoying. Well, anyways, it's no longer just the regular USB-A anymore, is it?

It's now USB-C, which is the tiny little one. And it's like, bloody— Innovation or— Now, like you, Geoff, I've heard about this years ago.

I think maybe about 5 or 6 years ago at some of the security conferences, people were demonstrating this kind of thing.


CAROLE THERIAULT. Oh, you're so ahead of the curve, Clew.


GRAHAM CLULEY. Well, no, I'm not saying that, but I do remember, I think it was in iOS 7, 'cause I think I wrote about this back then. They put something in where your iPhone will pop up an alert saying, "Do you trust this computer?"

And that's one of the differences is if it warns you that it's a computer you're attaching to, even if you don't realize you're attaching to a computer, then you can choose to say, no, I'm not going to do this, as opposed to it being a power thing. So that's one thing to look at.

And I think there's something similar on Android as well, whereas a similar sort of pop-up if you've managed to get yourself an update to Android, so you can protect yourself. And this is also something which could happen on aeroplanes as well, not just at airports and in hotels or at shopping centers.


GEOFF WHITE. Yeah, yeah, yeah.


GRAHAM CLULEY. Because there they often provide that kind of facility too, don't they?


CAROLE THERIAULT. And you might be actually plugging into the network. And trains, yeah, you have to.


GEOFF WHITE. I mean, it does strike me that you have to— I mean, in order for this to work, you have to get the malware into the actual, you know, the computer, the device behind the socket. So, you know, for the people who provide these points, there's obviously an issue for them about securing it to the point where I can't plug in a USB device and somehow get through to the technology that sits behind the panel, if you like, because that's what you've got to compromise in order to make it so that when people plug their phones in to charge them, you can then hack them.

You've got to have done something first to compromise the computer behind it. So, you know, I don't want to alarm people unnecessarily, but as I say, when US authorities are warning about it, I do think it's kind of reached a point where maybe thinking about that might be a good idea. I think I did. So I was going to say, I did chat somebody a while ago who was talking about a USB condom. Apparently these are available. You can basically slip, you know, so it basically says no data connection, just a power connection, please. You know, I love you, but not that much kind of thing, you know.


CAROLE THERIAULT. You guys hang out in the same circles.


GRAHAM CLULEY. I agree about not alarming people. I actually got a text this morning from my accountant. He said, Graham, I've seen this message on who knows where, something online where she'd read it. And she said, you know, I want to warn all my customers about this. Can you confirm whether this is an issue or not? And I sort of said to her, well, I think technically it's an issue, but I'm not sure whether this juice jacking thing has actually been happening maliciously in the wild, whether it's actually been happening in the real world. And I sort of think, well, we need to be aware of these things, but I would sort of say to most people, I'd say, I don't think this is widespread.


CAROLE THERIAULT. Yeah, it's a bit those USB cables that basically had malware inside them. So if you borrowed one, you know, the chances of that happening, it's not impossible, but the chances of that happening to average Joe in the street or average listener is pretty small.


GRAHAM CLULEY. Yeah, you talked about that in a previous episode, I think, didn't you? And there've also been these USB sticks which can fry your device as well by sending an alarm.


CAROLE THERIAULT. I thought you were going to say fry your brain.


GEOFF WHITE. Whoa.


GRAHAM CLULEY. But, you know, I think, you know, it's not necessarily that common to do it. And I think the biggest risk actually of this sort of thing happening might be if you go to a security conference. And if you're at a security conference and there's some device for charging up your phones. So if you're at a black hat style of—


CAROLE THERIAULT. Or a hotel.


GRAHAM CLULEY. Yeah, I'm just thinking where there'd be lots of hacker types who might find it amusing to do, then that might actually be the biggest risk of all. But because of course they still would have to, well, I suppose root the phone or jailbreak the phone in order to exploit some kind of vulnerability to get past it all. Because it's not you would unlock the device knowingly when you plug it in, would you?


GEOFF WHITE. And when you plug it in, there is a little prompt usually comes up on the phone screen, isn't there? Do you want to establish a data connection with the thing that you just connected to. So you'd have to get around that as well.


GRAHAM CLULEY. And so that's the point.


CAROLE THERIAULT. Mr. and Lady Ugg Boot would say yes, because they want to play their game, right?


GEOFF WHITE. They want to snap through to ClickFace. To Google Insta. Or Snapbook, you know, that's where they want to be. So yes, yeah.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. I'm going to tell you a story about a hacked YouTube channel. Not my channel, but Marco Style's YouTube channel. Now, this type of hack is not necessarily new, and actually many YouTubers are really wary of this happening. So I thought this might be good to go through because he shared a lot of information about what happened, and we can see if there's any takeaways there.


GRAHAM CLULEY. So there's a guy called Marco Style who has a YouTube channel. He's got hacked.


CAROLE THERIAULT. And for a few years now, Marco Style has been building up his channel, right?


GEOFF WHITE. Like, for those unfamiliar with him, with his—


GRAHAM CLULEY. Me neither, me neither.


CAROLE THERIAULT. His— no, no, me either. He's not, he's not in my echo chamber at all, right? But he does have a YouTube channel that he doesn't treat as a hobby. And literally, this guy has hundreds and hundreds and hundreds of videos on his channel.


GRAHAM CLULEY. Okay, all right.


CAROLE THERIAULT. And his thing is gaming and commenting on his gaming.


GRAHAM CLULEY. Oh, how original.


CAROLE THERIAULT. Is that something your son would— is this his dream career?


GRAHAM CLULEY. My son actually has— he's been working all weekend on his YouTube channel.


CAROLE THERIAULT. Oh, has he?


GRAHAM CLULEY. Yes, he told— he told me the other day, he said, "Dad, Dad, I really think we need to put some serious effort into my YouTube channel because apparently you can make millions."


CAROLE THERIAULT. He's like you. He only says "we" when there's work involved.


GEOFF WHITE. I'm a star.


CAROLE THERIAULT. "We need to work on my channel."


GEOFF WHITE. "What can we do with my channel?"


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yeah.


GEOFF WHITE. I'm intrigued by this. What's, what's, what's he got? What's, you know, what's—


GRAHAM CLULEY. Well, he idolizes a few YouTube gamers and he is basically emulating them. So he's got his Nintendo Switch and he's plugged it into the computer and he's—


CAROLE THERIAULT. Do you realize this is gold for a dad, right? This is gold. When he turns 14, I will—


GRAHAM CLULEY. No, I will take over the channel. He'll probably be going out with them and I'll be maintaining the channel. Keep on churning out the videos.


CAROLE THERIAULT. So this guy, Marco Style, just to get us back on track, right? He dedicated countless hundreds of hours playing and commenting on games like Division and Destiny, but he seems rather good at it. I mean, he does have 350,000 subscribers, right?


GRAHAM CLULEY. Not bad.


CAROLE THERIAULT. I guess what we're saying is he's an average YouTube guy, but he's probably ahead of average because he has 350,000 subscribers. He's doing this as a kind of business and trying to make money out of it. Now, a few weeks ago on November 2nd, he announced on Twitter that he lost control of the entire channel, and Marco Style had shared his story both on YouTube and on Twitter and with reporter Paul Tassi of Forbes. So it seems control of his site went whoop with a click of the mouse.

Now this is what Paul Tassi wrote, quote: "Mark watched everything he'd built burn starting with on November 22nd when he replied to an email looking to advertise on his channel, right? It seems like a real company and a standard offer for a channel of his size, but when he clicked a link for the product, an installer buried itself on his computer."


GRAHAM CLULEY. So somehow some malware got— he got taken to a website and it installed some malware. Yeah, right.


CAROLE THERIAULT. Okay, now he immediately knew what was happening, so he cut power to his PC, did a fresh Windows install, and changed all his login info. But it was already too late.

The hacker had gotten into his computer, got his Google account, and bypassed two-factor authentication and extracted his YouTube account from his Gmail. So that's phase 1.


GRAHAM CLULEY. Hmm.


GEOFF WHITE. Ouch.


CAROLE THERIAULT. Okay. Now what do you do? What do you do at this stage?

So imagine this is you, right? This is happening to you guys, your channel. This is where you make your moolah, where you make your dosh.


GRAHAM CLULEY. So this guy's changed my password. I can't access my YouTube anymore. Is that right?


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Because he's, and that's what's made you an attractive target is having 350,000 subscribers.


GEOFF WHITE. Yeah. And at this point, has he lost control of his whole Google account or just the YouTube bit? Have they hived off the YouTube bit?


GRAHAM CLULEY. It's probably the same thing. I think it's the same password for everything.

Hmm.


GEOFF WHITE. Hmm.


GRAHAM CLULEY. So, well, horrible, isn't it? I imagine you would try and reach out to Google. Good luck doing that.


CAROLE THERIAULT. That's exactly correct. So that's what I would do too, right? You could try and contact YouTube team.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Right. And this is what Marco Style does. And according to Forbes, he contacts YouTube who reply promptly acknowledging the issue.

Now you can see from his Twitter channel how it unfolded on the first day from Marco Style's perspective. He wakes up the next day on November 3rd, and already his Twitter is all in Russian. They also grabbed his Twitch account.


GRAHAM CLULEY. Oh, also his Twitter and his Twitch, he's using the same password, right? Okay.


CAROLE THERIAULT. And if you look at the bottom of that screenshot I sent you, do you see the very bottom one? He says, it's pretty funny that I made a video laughing at scam emails a couple of weeks ago and then proceed to actually fall for a scam email. Well played, internet.

So I was, what's this, right? So I go and find this video he made about scam emails, and I had a listen, and around minute 8, you can hear him talking about responding to scam messages, basically wasting the scammer's time and being a bit smug, which I thought, oh, bet you regret that a bit now. But anyway, I don't think that's anything to do or anything related with this attack or anything, but just interesting how, you know, he got kind of, you know, he felt he was quite intelligent about these things from YouTube.

24 hours in, he got an email saying they acknowledged the issue. So days are going by, tick, tick, tick, tick, tick, tick, and now we're 5 days in and YouTube has still not blocked the hacker's access or emailed Marco to let him know what was happening. And now, do you want to guess what the hacker is doing with his channel?


GRAHAM CLULEY. Oh, they're putting up pictures of Vladimir Putin? These are Russians, right?


GEOFF WHITE. We think they have to— presumably on just again on the YouTube channel, the money he gets from YouTube channel goes to his account. So they must have changed the payment details on his YouTube account, so they're then getting the money from the YouTube videos, I guess.


CAROLE THERIAULT. Yes. Okay, and I'm glad you're saying that because there's a bit here that I was not fully clear on, and I was hoping— and I know that's hilarious, I do a story that I didn't do my research on, Graham, so, you know, very smug— but you can help me out on that. Both of you can help. Okay, so I'll get that in one second.

So basically, the hackers did not waste time. They got busy right away. So they sold Marco Style's channel on a Russian website for hacked YouTube channels. So that's apparently a thing according to the Forbes article. I'd never heard about it.


GRAHAM CLULEY. Yeah, because my son would love 350,000 subscribers.


CAROLE THERIAULT. Right, well, you could buy it for him for Christmas.


GEOFF WHITE. Do we know how much it went for?


CAROLE THERIAULT. No, I don't. I don't. See, I need you on my side. You're a professional investigative journalist.


GRAHAM CLULEY. Yeah, you could promote your book on something like this.


GEOFF WHITE. You could actually.


CAROLE THERIAULT. All his videos that he had on there, the hundreds and hundreds of videos, completely taken down. And his profile was changed to read Brad Garlinghouse.


GRAHAM CLULEY. Brad Garlinghouse.


CAROLE THERIAULT. Who's Brad Garlinghouse? Is that a made-up name? No, it turns out to be the CEO of Ripple, a fintech or financial technology company, and it's the owner of XRP, fourth most valuable cryptocurrency at the time I grabbed that little statement.


GRAHAM CLULEY. So I'm assuming it wasn't the real Brad Garlinghouse who hacked the account.


CAROLE THERIAULT. So this is where I needed help, right?


GEOFF WHITE. So somehow—


GRAHAM CLULEY. Hang on, what is going on in your neighborhood, Geoff?


GEOFF WHITE. I don't know, this is an unmarked police car. Two unmarked police cars just gone through. Hang on, is there a third one? Nope, there you go.


CAROLE THERIAULT. Look, Geoff and I, Graham, live in exciting neighborhoods, okay? We have stuff going on. We are where it happens. We take our jobs seriously.

So the people that bought the site from the person who hacked the site started running a live stream on Marco Style's YouTube channel, right? And this live stream was designed to scam viewers out of money. And by the time the stream was over, the hackers stole about $15,000 from viewers' Ripple wallets.


GRAHAM CLULEY. Oh, so that's why they claim to be this guy who was running the cryptocurrency.


CAROLE THERIAULT. So he's some big rich dude with some cryptocurrency.


GRAHAM CLULEY. So it's a bit like pretending to be Elon Musk or, you know, which we've seen a lot of in the past of people doing that. And then they, right, I've got you. Oh my goodness.


GEOFF WHITE. Was there a guy on the live feed dressed as Brad Garlinghouse, whatever his name is, like, "Hello, I'm the man who runs Ripple. Here's your instructions." It's bizarre, isn't it?


CAROLE THERIAULT. And it's not the only one. So the journalist at Forbes went and did some digging, and he found quite a number of websites that had the name Brad Garlinghouse associated with them. And maybe they had been all duped as well. Wow.


GRAHAM CLULEY. Uh-huh.


CAROLE THERIAULT. So, I mean, you can get it from Marco Style's point of view, right? He's thinking, "I've spent years building this following of 350,000. They trust me. I trust them. I give them what they want. And suddenly now my videos are gone. I'm spewing cryptocurrency spam and they're going to think I'm spamming them."


GRAHAM CLULEY. I'm spewing—


CAROLE THERIAULT. I'm— yes, not good for your reputation at all. And meanwhile, he's trying to get a hold of YouTube and get nothing from them. Now, a hacked YouTube account, it seems, needs to be dumped or sold extremely quickly because YouTube does end up giving them back to the rightful owners, providing the rightful owners can prove that— go through the whole rigmarole of proving that their site was taken off them.

So you need to sell them really quick before they become effectively worthless, right? What would you guys do then, right? So this is happening, you can see your channel being completely spewing garbage, YouTube's not responding to you.


GRAHAM CLULEY. If you did have access to other social networks, then that's the place probably to put up a message saying, yes, my YouTube's been hacked, trust me here instead.


CAROLE THERIAULT. Yes, all the fans, right? That's what we will do to you listeners if this happens to us and YouTube's ignoring. So that's what he does.

He encourages all his fans to report the videos, the video problem on his channel, and trying to get the channel deleted because he's actually more interested in getting it deleted and doesn't want— He says he doesn't want his, you know, his followers to get scammed. They'll follow him back to another channel, you know, because he's panicking now. It's 5 days.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So effectively, this entire text file seems to be hackers use phishing emails to lure victims or an ad, right, to a fake Google login page, snarfle up their account credentials, break into the Google accounts, reassign popular channels, like reassign the channel to whatever you're trying to spew, but they also have to change the channel's vanity URL or name. And one of the big questions here in this story was, how did Brad Garlinghouse's profile, clearly a fake identity, yeah, of a clearly hacked YouTube channel, actually manage to earn a verification badge from YouTube?

Something that Marco has been trying to— has been attempting to do for ages and has never actually got it.


GRAHAM CLULEY. So he's never got the little tick ever.


CAROLE THERIAULT. Nope.


GRAHAM CLULEY. But the scammer did?


GEOFF WHITE. Yes.


CAROLE THERIAULT. So I look up what YouTube— because I do my homework, Graham— I look up what YouTube verification badge really means. And according to YouTube, when you see a verification tick next to a YouTube channel's name, it means the channel has been verified by YouTube.

And it says, if a channel has been verified, it's the official channel of a creator, artist, company, or public figure on YouTube. Verified channels help distinguish official channels from other channels with similar names on YouTube.


CAROLE THERIAULT. So, hmm, this all went down and started off on November 2nd. Yeah, it took until November 13th for Marco Style to get control of his channel again and get his videos restored, 11 days after the hack started.


GEOFF WHITE. Whoa.


CAROLE THERIAULT. See, you were feeling stressed before this call, Graham. Can you imagine the conniption fits you'd be having?

Well, and he's got 350,000, you know, followers. Now, granted, I don't think these scams would go after smaller channels, so I think that if you are a certain size, you're probably a bigger, more juicy target. We all get that. But 350,000, you think, you know, you kind of think the size should help hurry it along.


GRAHAM CLULEY. And he says he had two-step verification in place.


CAROLE THERIAULT. Yeah.


GEOFF WHITE. Yeah.


GRAHAM CLULEY. I mean, two-factor authentication isn't 100% security. There are ways of getting around it. But normally most hackers don't go to all of that effort to do it.


CAROLE THERIAULT. Yeah.


GEOFF WHITE. It's interesting as well, because I mean, for YouTube, what YouTube have done by this sort of verified accounts thing is they've injected themselves into the sort of trust system here and said, "Look, we are verified." And if they're not doing a good job of that and if people are losing out as a result, then that's a real big issue for them. I mean, I thought YouTube's process for that was quite rigorous, but then I haven't done the research you've done, Carole. So it's just unbelievable. Like, wow.


CAROLE THERIAULT. I think the reason I covered this particular one, because again, this is not a new way for YouTube channels to get snarfed up by hackers, but I think what made this one interesting is Marco did a comeback video explaining everything that happened to him. He also spoke to a few people in the media about it, and you got to see his Twitter feed as it was happening and then him commenting on later, which I guess that's what he does for a job, so he's pretty good.


GRAHAM CLULEY. So have his subscribers gone up since this?


CAROLE THERIAULT. I don't know if his subscribers went up dramatically. We can go check his channel. He really was grateful for people standing by him, and I think that kind of says something for all internet people. Graham, if you're nice online, people will look after you. Just saying, FYI.


GRAHAM CLULEY. Well, I'm nice online. I'm nice in real life as well, Carole.


GEOFF WHITE. But there's good news out of this. He's got his channel back. Has he still got his 350,000 followers or whatever?


CAROLE THERIAULT. Yes, I'm just looking now. He's got 361,000, so perhaps he made an extra 10,000 through all this, which, you know, maybe it's a win-win. 10 days offline though.


GRAHAM CLULEY. Maybe he's the one doing the scam. Maybe he hacked himself.


CAROLE THERIAULT. Okay, okay, back in your box.


GRAHAM CLULEY. Made a big stink about it, got publicity on Forbes. Maybe my son needs to do something like that. He's only got 14 subscribers.


GEOFF WHITE. Sponsors!


CAROLE THERIAULT. Okay, hand on heart time. How many of you can say that your password hygiene is squeaky clean? If you're feeling it could use a tune-up, maybe check out LastPass Enterprise. With central admin oversight, controlled shared access, automated user management, you help every employee become part of your security solution. Find out more at lastpass.com/smashing. Plus, I would like to extend a personal invitation to an upcoming LastPass event on Wednesday, November 27th, in the wonderful city of Manchester. Occasional Smashing Security guest host Jessica Barker and yours truly are going to be talking about all things security related. We would love to see you there. Check out the registration page on lastpass.com/smashing. On with the show.


GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GEOFF WHITE. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or a Snapchat whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, mine is not security related necessarily. I don't watch a huge amount of television. I have to say I'm more of a podcasty news website kind of guy. But last night the wife and I sat down on the sofa and we thought, let's have a binge on a box set. And we said, oh, we said, we saw season 3 of The Crown has come out. Have you seen The Crown at all? Carole, Geoff, have you seen The Crown?


GEOFF WHITE. You mean The Crown or The Queen?


GRAHAM CLULEY. Oh, you see, I don't know what I'm talking about. The Crown, of course it's The Crown.


GEOFF WHITE. All about the details, investigative journalism, isn't it?


CAROLE THERIAULT. You see?


GRAHAM CLULEY. Yes, anyway, yes, yes, The Crown.


GEOFF WHITE. It stars The Queen, I think. I think she's in it.


GRAHAM CLULEY. It does, that's hence my confusion. And she wears— yes, and the Queen wears a crown and it's called The Crown. Anyway, but now we have it in season 3. We've got a new queen in the form of Olivia Colman, and Matt Smith has regenerated as the Duke of Edinburgh into Toby Menzies. So they've changed the cast.


CAROLE THERIAULT. Oh, you love Matt Smith.


GRAHAM CLULEY. I do, but he's not in season 3. He's in the first 2 series, and you should go—


CAROLE THERIAULT. You watched all this?


GRAHAM CLULEY. Yes, of course I watched.


CAROLE THERIAULT. You watched 3 series last night?


GRAHAM CLULEY. No, no, no. We've watched 2 series previously, but the 3rd series has just come out. Now, it's a really good show. I really like it. It's all set in the past, you know, Carole. It's all based upon things which have happened in history.

And you've got famous people and I'm there saying, that's Barbara Cartland. That's someone doing a very bad Harold Wilson impression. And so I'm loving spotting people and pointing them out.

We were watching this last night and we were quite enjoying it and we got to episode 3 and episode 3 started and it gave the title of the episode, which was Aberfan. And I looked over at my wife and I said, uh-oh, this isn't gonna be good. Well, my wife wasn't brought up in the UK, as you know.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And so she doesn't know about the Aberfan disaster and maybe some of our listeners other places in the world.


CAROLE THERIAULT. I don't know about it.


GRAHAM CLULEY. So in 1966, there was in South Wales, there was basically an avalanche of coal waste that swept down, buried a primary school in the town of Aberfan, and tragically more than 100 kids died.


GEOFF WHITE. Gosh.


GRAHAM CLULEY. It just completely destroyed, and this particular episode was all about that disaster and the Queen's response to it. And I have to say, harrowing as it was to watch, it was extremely impressive, as the whole series has been, with the period detail and all the rest of it, but also, of course, because of the subject matter, incredibly moving as well.

And I just thought, this is fantastic, and I can overlook the fact that that's not a very good Harold Wilson impression because the rest of the episode was really superb. And so I thought, well, I'm going to make that my pick of the week.

A little bit glum, but a little bit of history. But also I really recommend The Crown, if not the Queen, because the name of the show is The Crown and it's on Netflix and it features the Queen.


GEOFF WHITE. I'm intrigued a bit by The Crown because when it first came on, me and my partner watched it and I was saying, well, this— the stuff in here that's quite spicy about the Queen, you know, in her early days and how the relationship was. And I thought, well, they can't know all of this.

There's got to be a certain amount of artistic license about this. But these people are not only still alive, they're still very powerful and influential. And as the series becomes more up to date, these issues are going to get more and more difficult, potentially more and more libelous. And frankly, given what we've seen over the past week with members of the royal family—


GRAHAM CLULEY. Yes, but maybe in a future episode we'll see them at a Pizza Express celebrating Beatrice's birthday party. Dear, oh dear. Geoff, what's your pick of the week?


GEOFF WHITE. Well, it's my pick of the week is sort of inspired by actually another Netflix— not to plug Netflix here, but another Netflix series, the great Tidying Up with Marie Kondo, where interior tidying expert Marie Kondo, which apparently is a job— somebody tells you put all of your things away, tidy up. That used to be just called, you know, my parents when I was a kid.

But now apparently somebody who tells you to put your things away is now a job that somebody has. So tidying up expert Marie Kondo. I did watch a bit of this out of the corner of my eye as I was reading the paper, and I just, I had, I was inspired. I was inspired. And I want to talk to you about the joy of Marie Kondo-ing your electrical computer cable cupboard, because I don't go in there.


GRAHAM CLULEY. I'm frightened of it.


GEOFF WHITE. I imagine it's more of a cave than a cupboard in your case, Graham. More an entire floor that— I imagine most people listening to this podcast probably have a drawer at the very least, if not a cupboard, possibly a whole room. And what I realized was I'd basically kind of bootstrapped myself into an infinity of cables.

Because I have to have this cable with this thing because that doesn't fit with that, but this laptop only takes that socket, so I'll get a converter and then I'll back convert that. And I've lost the power source to this, but I can use that power source by linking it to this. And it was basically, I'd created this main chain, daisy chain of hell.

And I laid all— at one time I laid all the cables out and I was like, this is just insane. And I thought, no, sod it, I'm getting rid of stuff. I got rid of all of the old stuff. I bought a new laptop because I thought I need a new laptop, will solve a lot of these problems.

And as soon as I did it, I got rid of so much stuff. And just this afternoon, an hour ago, a guy came around whose youth club was broken into over in Hackney. They needed some spare stuff. And I said, look, I've got all this spare stuff.


CAROLE THERIAULT. He's like, great, I was just gonna make fun of you and then you had to go say that.


GEOFF WHITE. I know.


CAROLE THERIAULT. I was just gonna say, so you Marie Kondo'd, you got Marie Kondo'd and you bought a laptop. That's basically what happened. You bought a new laptop, but then you went and helped the world.


GEOFF WHITE. So no, so I managed to give all the stuff away to people who needed it, and I managed to clear out an infinity account. And it feels— I cannot tell you how much more wonderful it feels not to have so many bloody cables hanging out.


CAROLE THERIAULT. Okay, but I have a problem with Marie Kondo. So just this weekend, so I have a lot of hobbies right? And hobbies demand a lot of stuff associated with my different hobbies.

But there's going to be a rather large number of people in my house pretty soon, and I was thinking, hmm, I better get rid of all this stuff. So I've put the stuff away, but now it's really irritating.


GEOFF WHITE. It's not there when you need it.


CAROLE THERIAULT. Exactly. Every time I want to do something specific, I'm like, oh, where did I put my guitar pick? God. You know, or—


GEOFF WHITE. Yeah, I did that at one point. I put all my little gadgets and stuff in little boxes. I was like, I'm going to put all the USB things in there, I'm going to put all of the keys in there, and then realized I have boxes inside boxes, and it all looks very neat but was completely inaccessible.


CAROLE THERIAULT. Exactly.


GEOFF WHITE. I do get that.


GRAHAM CLULEY. Carole, could you not suspend it from the ceiling? What if we used more—


CAROLE THERIAULT. My husband is very, very large.


GRAHAM CLULEY. Okay, I was just thinking if you were to sort of have a pulley system and pull up boxes.


CAROLE THERIAULT. I don't live in a fucking castle, Graham.


GRAHAM CLULEY. Do you not?


GEOFF WHITE. Suspend your husband from the ceiling, cut out the middle. Just thinking outside.


CAROLE THERIAULT. I'm thinking Tom Cruise style.


GEOFF WHITE. Like, you can winch him down when you need him and then winch him back up.


CAROLE THERIAULT. Yeah, like a— yeah, exactly. Oh, that's dreamy.


GEOFF WHITE. One of those things you hang towels over, like pots and pans in a kitchen.


CAROLE THERIAULT. Exactly, exactly.


GEOFF WHITE. Batterie de cuisine or whatever.


GRAHAM CLULEY. I think you'll find Carole's husband is someone you hang towels over. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, you guys are going to tell me who the star of my pick of the week is.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Okay. Clue number 1. She's from the US and held the title of most nominations of any female recording artist in history up to 2014 when Beyoncé snagged the title away from her.


GRAHAM CLULEY. Diana Ross.


CAROLE THERIAULT. She won 8 Grammy Awards, nominated 47 times. Wrote the song made famous by Whitney Houston, I Will Always Love You. And no, I won't sing that.


GEOFF WHITE. I am gonna go Dolly Parton.


GRAHAM CLULEY. Oh, good one. It's definitely Dolly Parton. It's Dolly Parton.


CAROLE THERIAULT. And yes, and once she entered a lookalike contest where she went up against drag queens who impersonated her. And she entered in secret and no one questioned her. They just thought she was a drag queen like everyone else. And she lost the contest where the goal was to look like herself.


GRAHAM CLULEY. We've all had that happen to us. Let's be honest.


CAROLE THERIAULT. Now, Dolly Parton. Now, the reason I'm talking about Dolly Parton is Jad Abumrad has put out a new miniseries. You don't know Jad?


GRAHAM CLULEY. Who's Jad Abumrad? This sounds like the other guy, Gabe Borgenborg.


CAROLE THERIAULT. Graham, Jad Abumrad is the host of the wonderful, amazing podcast called Radiolab. And it's been going for about 15 years. And he's a musical genius, and he puts stories together well, and it's super well produced, and he's just a star.

This new podcast, it's a miniseries called Dolly Parton's America, and it's basically an interview-style podcast with the Queen of Country herself, Lady Dolly. And I love Dolly, and I've loved her ever since I worked in Canada at Canada's donut heaven, actually, Tim Hortons. Because my favorite customer when I worked there, a man named Ed—


GRAHAM CLULEY. was Dolly Parton?


CAROLE THERIAULT. No, he was a lovely man named Ed, and he loved her, and he introduced me to her and lent me his CDs of her, and I fell in love with her. So, and then Ed died, so I always remember Ed when I think— I know, I know.

Now, this podcast is all about Dolly Parton, and it's led by Jad. And Jad also grew up in Tennessee. He's actually, he was an immigrant to Tennessee, and he did not have a very happy growing up experience.

And Dolly also grew up in Tennessee, and they kind of juxtapose their experiences, and it's quite, I don't know, intimate but also candid and lovely. So check it out. She talks about growing up, her music career, her big break.

She talks even about her boobs. She talks about how she spent her whole career sticking them in people's faces, so why wouldn't they comment on them? And then he asked her if she was a feminist.

So anyway, she is very old school cool. That's what I say, and she gets my vote. So check out Dolly Parton's America, and I'll put a link in the show notes and on the website.

That sounds great. It is really good. It's about, I don't know, I think about 9 episodes, so it's beefy as well. There's lots of content.


GRAHAM CLULEY. Mm-hmm.


GEOFF WHITE. Okay, fantastic.


GRAHAM CLULEY. Cool. Well, that just about wraps it up this week. Thank you very much. And Geoff, where should people follow you online or find out more about you?


GEOFF WHITE. My most active thing is Twitter always, which is Geoff White 247. Geoff with a G, white like the color, and the numbers 2, 4, and 7.


CAROLE THERIAULT. My most active internet account is Graham's Twitter. So if you need to get in touch with me, just call Graham.


GRAHAM CLULEY. And you can follow the show on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And we also regularly have conversations about the show up on Reddit as well. So join our subreddit.


CAROLE THERIAULT. And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you the show for free. And thank you, beautiful people, for listening to us, sharing our show with newbies, and supporting us on Patreon. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye.


CAROLE THERIAULT. Now, do you want to hear my idea? Actually, Geoff, I wouldn't mind your thoughts on this.


GEOFF WHITE. Oh, go on.


GRAHAM CLULEY. What's this?


CAROLE THERIAULT. So we have Patreon supporters and we want to do something extra special for them, and we were trying to think what can we do before the end of the year. And I was wondering whether it would be interesting for people if I interviewed you, Graham, with questions they're dying to hear. So it's almost like an ask me anything, and you can do it back.


GRAHAM CLULEY. I'm about to say it sounds a bit like Emily Maitlis with Prince Andrew now. I don't want a sort of no-holds-barred.


CAROLE THERIAULT. No-holds-barred, but you get 3 pass cards.


GRAHAM CLULEY. Okay.


GEOFF WHITE. Oh, okay.


CAROLE THERIAULT. And that's it. So if you guys think it sounds cool, let us know on Twitter or email us or, you know, get in touch the usual way, and we'll pull it together.


GRAHAM CLULEY. All right.


GEOFF WHITE. Okay, sounds fun. Yeah, listen to that.


CAROLE THERIAULT. What would you ask? What would I ask?


GRAHAM CLULEY. He doesn't want to know anything about me. What is there to know about me?


GEOFF WHITE. You'd want to ask something personal, wouldn't it? So I guess, okay, here'd be my question. What's your password? Okay, no, I know that already. You know, when you go on holiday and you've unpacked your bags and everything, and you're on your nice sunny holiday or something, or whatever holiday it is you like, your sort of Gore-Tex-clad walking adventure.


GRAHAM CLULEY. That's it, that's me, yep.


GEOFF WHITE. You know, your first night of the holiday when you've unpacked and you're sitting there and you've had a sit-down, what's the drink that you have? What's your sort of treat drink or the first drink of a holiday? That's what I'd ask you.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Shall I tell him?


CAROLE THERIAULT. Because I know the real answer.


GEOFF WHITE. Well, probably a—


CAROLE THERIAULT. Oh, right.

-- TRANSCRIPT ENDS --