Whatever happened to Crackas with Attitude, perfidious Albion College's approach to locking down Coronavirus, and the Bridgefy mesh messaging app falls down when it comes to security.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
Visit https://www.smashingsecurity.com/193 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Anna Brading.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- CIA boss has his personal email account hacked… and yes, it’s on AOL — Graham Cluley.
- Two years' detention for UK teenager who 'cyberterrorised' US officials — The Guardian.
- Kane Gamble sentencing remarks (PDF).
- What It’s Like for a Hacker to Get Back Online After a Two-Year Internet Ban — Motherboard.
- Fearing coronavirus, a Michigan college is tracking its students with a flawed app — TechCrunch.
- Bridgefy, the messenger promoted for mass protests, is a privacy disaster — Ars Technica.
- Bridgefy’s Commitment to Privacy and Security.
- Mesh Messaging in Large-scale protests: Breaking Bridgefy — Technical paper by Martin R Albrecht, Jorge Blasco, Lenka Marekova, and Rikke Bjerg Jensen of Royal Holloway, University of London.
- How to Watch The Avengers Movies in Order — Digital Trends.
- "Thor: Ragnarok" Official Trailer — YouTube.
- Sounds of the 90s with Fearne Cotton — BBC.
- Super Sapiens: a card game to help change the world — Etsy.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Hey dudes, it's Carole Theriault, and I'm here to give a shout out to our incredible Patreon supporters. These are just some of the people that help to make Smashing Security free for all, even those that can't afford it, which in my view makes you cooler than rock stars. This week, shout out goes to Geeky Grump I Am, Stephen Hodgson, Simon Inman, Carl Kronberg, Thom Ploger, Darren Kenny, Dan Billing, Gordon Everett, Eric, and perhaps my favorite username of all time, Chubby Ninja. If you want to join this community of amazing people, all you got to do is visit smashingsecurity.com/patreon and know that we would absolutely love to have you on board. Now let's get this show on the road.
ANNA BRADING. Imagine you two have kids of college age.
GRAHAM CLULEY. Okay, us two?
ANNA BRADING. Yeah, both of you. Not together. Oh, thank God.
ROBOT. Smashing Security, episode 193: Hacking the CIA, Bridgefy and College Lockdowns, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 193. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined by a blast from the past, someone we used to work with, Carole, and someone who's been on the show before. It's Anna Brading. Hello, Anna.
ANNA BRADING. Hello. Thank you for having me back.
CAROLE THERIAULT. Hi, Anna. Hi.
ANNA BRADING. Pleasure to be here. Is it? Is it?
CAROLE THERIAULT. Of course.
ANNA BRADING. Yes.
GRAHAM CLULEY. Now, Anna, some of our listeners will know you, not only from your previous appearance on Smashing Security, but also because you were the host of the Naked Security podcast.
ANNA BRADING. Yes.
GRAHAM CLULEY. There've been some developments, haven't there?
ANNA BRADING. Well, there have. It's on a long pause, I think is the official line, but I am no longer at Sophos, so it's unlikely I'll be appearing on that again. So yes, very sad.
GRAHAM CLULEY. A big shame. So that means you're available, basically, if anyone's been interested in hooking up with you in a work fashion.
ANNA BRADING. Well, maybe.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. She's from Reading, everything goes.
ANNA BRADING. Yes, in a work fashion, I am available if anyone wants to get in contact.
GRAHAM CLULEY. Reach out. We'll hand out your, what, your Twitter address or something like that later on, shall we?
ANNA BRADING. Yeah, or feel free to look me up on LinkedIn.
GRAHAM CLULEY. All right. Oh yeah.
ANNA BRADING. There's an extensive list of everything I've done on there professionally.
GRAHAM CLULEY. Yes. And hopefully nothing else. Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you the show for free. Now, coming up on today's show, Graham explains what crack-ass with attitude means. Anna deliberates some of the corona safeguarding tools found in schools. And I tell you about a pretty nasty mesh networking app screw-up. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, first of all, Carole, I think I need to correct you. In that introduction, I think you referred to crack-ass with attitude. What?
CAROLE THERIAULT. Is that what you told me to say?
GRAHAM CLULEY. Well, no, no, no. It's Crackas with Attitude. I don't think it's crack-ass.
CAROLE THERIAULT. Crack-ass.
GRAHAM CLULEY. I think crack-ass is something else instead.
CAROLE THERIAULT. It's something that you've had a lot of in your life, because your trousers are always hanging half— well, basically behind your knees.
ANNA BRADING. Oh, charming.
GRAHAM CLULEY. Now, whatever happened to Crackas with Attitude? Crackas with Attitude was an online hacking gang which was set up by a teenager, a chap just 15 years old, a Brit going by the name of Kane Gamble. A rather unlikely name, to be honest, for a Brit. But there you are. Kane Gamble was the chap who founded the organisation. And over a period of 8 months, until his arrest on the 9th of February, 2016, from his bedroom at his parents' home in Leicestershire, Gamble was gaining access. He was cracking into the online accounts of high-profile figures.
ANNA BRADING. Okay.
CAROLE THERIAULT. So what, you bet, like celebs and stuff like that?
GRAHAM CLULEY. Well, not so much celebrities. Not the sort of people that you'd see on MasterChef or Strictly Come Dancing. Although, who knows these days? Instead, we're talking about the personal email account of the then Director of the CIA, John Brennan, and the Director of National Intelligence, James Clapper, amongst others. So cracking into some pretty serious email accounts.
CAROLE THERIAULT. Well, serious if, depending on the defenses they had in place, if the password was Bob the Cat, it might be easier than if it was 25, you know.
ANNA BRADING. God, I need to change my password.
CAROLE THERIAULT. Random letter.
ANNA BRADING. Yes.
GRAHAM CLULEY. Well, Bob, don't worry, because I don't think the passwords were as easy as that. But actually, it didn't matter how carefully chosen the passwords were because of the methodology which Gamble used, which I will describe. Now, once he gained access to the CIA boss's personal email account, he found a host of sensitive government files that you kind of assume a government official shouldn't be sending to his personal email address. Now, you might be wondering, what type of personal email account John Brennan, the then director of the CIA, where would he have his email account, do you imagine?
CAROLE THERIAULT. His personal email account?
GRAHAM CLULEY. Yeah, his personal one, yeah. What sort of service would he be using?
ANNA BRADING. Something, surely something super secure. Hotmail?
GRAHAM CLULEY. Yeah. Yes, something like that. Well, you know, I'm not sure what's more embarrassing, being hacked as the director of the CIA or having an AOL email account. Because clearly, Mr. John Brennan had received one of those CDs through the post back in 1994 and thought, "I should get on this internet thing," and set himself up with an AOL account.
CAROLE THERIAULT. You know what? I think that's normal. I think there are so many people today that have old accounts they set up 20 years ago, and they're still running them because they don't know how to export them into a new app.
GRAHAM CLULEY. I think that's a common problem. Yeah, people, particularly the less tech-savvy maybe, don't know how to migrate an email account. But don't you think that when you're appointed the director of the CIA, that there might be some, I don't know, security-minded folks who might say, "Let's take a little look at your life and how we better protect you." Yeah, before 2018, I would have said, "Yes, of course there is." But, you know. Well, Kane Gamble, this teenage student, he broke into the CIA director's contacts list as well.
CAROLE THERIAULT. His personal contacts list.
GRAHAM CLULEY. Into the personal one, that's right. But it seems that was a fair amount of work going on there. His call logs and, quote, "extremely sensitive documents" on military and intelligence operations in places like Basingstoke and— no, no, no, in Iraq and Afghanistan.
CAROLE THERIAULT. OK, so do you not think this is happening everywhere? Because companies, particularly the government, would say you cannot have access to your work accounts from home. We have a tight-knit perimeter, and you can only do it within the building, and yada, yada, yada.
GRAHAM CLULEY. Well, not so much these days, Corinna.
CAROLE THERIAULT. Well, no, but this is pre-Rona.
GRAHAM CLULEY. This is pre-Rona. That's true. But I would like to think that— If someone was in a really important job like that, they might be able to give them some sort of secure device, a VPN to go through, which would put them in a secure tunnel to their communication phone. We were doing that way back then, right?
ANNA BRADING. Yeah.
GRAHAM CLULEY. That's how we did it.
CAROLE THERIAULT. Pain in the butt though.
ANNA BRADING. Well—
CAROLE THERIAULT. God.
GRAHAM CLULEY. You had to make cookies for the IT team, didn't you?
ANNA BRADING. Maybe it's just the path of least resistance. It's much easier to just send it to his AOL account.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. I think that's not uncommon. Now, this hacker, Kane Gamble, once he grabbed all this information, of course, he started to try and embarrass him. So he was posting some of it on Twitter.
CAROLE THERIAULT. He's trying to embarrass, like, the CIA agent?
GRAHAM CLULEY. That's right, CIA director, by posting it on Twitter, sharing it with WikiLeaks, generally causing mayhem. And the CIA tried to shut down the AOL account, right? They contacted AOL support. But what Gamble actually did was he posted on Twitter a screenshot of the AOL inbox with the different requests. So the CIA would send a request saying, can you shut down this account? AOL would reply saying, 'Are you sure? We're just checking that you want this AOL account shut down.' And then Gamble would probably reply, 'Oh no, no, no, that's a hacker pretending to be the CIA.' What an idiot though, doing it, yeah.
CAROLE THERIAULT. I don't know how I would get, say, for example, Gmail on the phone, right? I would assume it's quite complicated to do.
GRAHAM CLULEY. Oh, I think it is for the regular person, but probably if you're in law enforcement. So, so how did this hacker do it? Well, it wasn't really hacking in a way. What he was doing was social engineering. He impersonated his victims and he called up call centers claiming he couldn't get into his account. So he was conning them into divulging confidential information. And then he began to send emails from accounts. He was accessing more sensitive military information, and this information was getting leaked. And he and his gang were really in the habit of not just cracking into accounts, but then subjecting their victims and their families to online abuse, harassment, and of course, bragging about what they were doing on social media too.
ANNA BRADING. So he's a douche.
CAROLE THERIAULT. So he got access to something super valuable and then didn't know what to do, so just went after everybody and did some personal abuse, 'cause he's a kid.
GRAHAM CLULEY. Crackas with Attitude, they claim to have political motives, right? It was all about Palestine and Israel and things like this, is what they used to claim. But the amount of information, it's staggering. Let me tell you some of the things. What ended up happening was the hacker tricked Verizon, for instance, into revealing the CIA director's telephone number, his home address, his ISP account details, even his router's serial number. He managed to get hold of the Social Security number. He gained access to his Apple iCloud account and even his car insurance details, which is something I have trouble finding my car insurance details. Yeah. So, get a hacker to do it instead. I mean, that's— When you consider that's the director of the CIA who's having all that information collected about him, that's pretty worrying, isn't it?
CAROLE THERIAULT. But once you get access to the email, how many emails would have that kind of information in there?
ANNA BRADING. Yeah, exactly.
GRAHAM CLULEY. And it wasn't just John Brennan's accounts which he was targeting. He also targeted the CIA director's wife, Kathy. So he hijacked her Twitter account. He impersonated her to trick AOL into changing her password. You know, you set up security questions to protect your account, to prevent other people from resetting your password.
ANNA BRADING. Yeah.
GRAHAM CLULEY. And so, the answers to those security questions were 'hacked', 'hacker', and 'V for Vendetta', which possibly could have been a bit of a giveaway that something odd was going on, rather than Kathy setting that. And then he began to make numerous phone calls to the house. Even calling them while Mrs. Brennan was on the phone to AOL, telling them her account had been compromised. Oh my. So, like you said, a bit of a douche. Well, it gets even douchier.
ANNA BRADING. Okay.
GRAHAM CLULEY. Then he attacked and targeted the US head of Homeland Security at the time, Jeh Johnson.
CAROLE THERIAULT. So he's feeling like a frickin' hero right now. Oh, yes. He's thinking, I'm in my bedroom. No one knows who I am. They would never imagine it could be me. This is fantastic. Let's up the stakes.
GRAHAM CLULEY. And it's actually described in court documents how he was saying to one of his cohorts that he was basically quaking in his boots at what he thought was the biggest hack ever. He was listening to voicemails sent to the head of Homeland Security, sending texts from the head of Homeland Security's phone, posting information online. And then, and then, right? Let's take it up a further notch. He found out the head of Homeland Security had IoT devices in his house.
ANNA BRADING. Oh, good.
CAROLE THERIAULT. Tell everyone about this, 'cause I'm apparently the only person in the world without them.
ANNA BRADING. Carole, I don't really—
CAROLE THERIAULT. Good. Alexa, there's no Alexa in your house.
ANNA BRADING. I don't want to talk about her.
GRAHAM CLULEY. Don't mention the A-word.
ANNA BRADING. She was bought for me as a present. Well, she's in your house. I turn her off though.
CAROLE THERIAULT. Okay, smart.
ANNA BRADING. I only put her on for requests for Frozen music and stuff like that for my son.
GRAHAM CLULEY. Well, via the Homeland Security head's Comcast account, which of course had also been hacked, he sent a message to the family TV set, which popped up a message saying, "I own you." He posted images on the daughter's— There's a 15-year-old daughter in this household. Posted images on the account of that girl saying he'd like to bang her.
CAROLE THERIAULT. Oh my God. Okay, see, that's now super, super gross.
GRAHAM CLULEY. Well, he is 15 as well. That's the other thing. Yeah, but still.
ANNA BRADING. Yeah, but imagine being that girl.
CAROLE THERIAULT. I mean, you don't know who it is.
ANNA BRADING. And then yeah, you're receiving that. That's horrible. Scary.
GRAHAM CLULEY. There was an executive assistant director at the FBI, by the name of Amy Hess. She got targeted too. And he basically downloaded films onto her TiVo. V for Vendetta, After Porn Ends, and Hackers, of course. I don't know that one. And check, this is the worst thing of all, actually, of everything that he did. He changed her voicemail settings to Spanish.
ANNA BRADING. Oh no.
CAROLE THERIAULT. That's not that big a deal.
ANNA BRADING. How do you get back?
CAROLE THERIAULT. Yes, I could. You'd work it out. I could work it out. I know enough Spanish, I could do it.
ANNA BRADING. Oh, you're so good.
GRAHAM CLULEY. Estoy hasta, estamos hasta, right? Yeah, yeah, you're— yeah, like you said, you can get by, right?
CAROLE THERIAULT. Practically.
GRAHAM CLULEY. You see, Anna, I used to read the shampoo bottles, right?
CAROLE THERIAULT. Yes, yes, but before the phones, when you're having a wazz, right, you read the shampoo bottles and you get the French.
GRAHAM CLULEY. Yes, you're having a what?
CAROLE THERIAULT. And you get it in German.
CAROLE THERIAULT. Yes, we've talked about this before, Anna and I, the shampoo bottles. In the olden days, before you had a phone in the toilet with you, you had to read other things because it got boring.
GRAHAM CLULEY. Is this what you're going to tell your kid, Anna, when they say, oh, in my day we didn't have phones?
CAROLE THERIAULT. Yeah, you had to shit alone.
ANNA BRADING. No, but he already asks me when he's on the toilet to read him a book.
CAROLE THERIAULT. Oh, and you go, yes, my prince.
ANNA BRADING. I started reading it and I thought, no, we've gone too far now.
CAROLE THERIAULT. It's getting stinky.
GRAHAM CLULEY. Another victim even had threatening phone calls made to the salon where she got her hair done. So a lot of douchey— douche now seems like the wrong kind of word to use after this discussion.
CAROLE THERIAULT. Yeah, it does. It's full-on nasty and malicious.
ANNA BRADING. Yeah.
GRAHAM CLULEY. In summary, he's a bit of a shit. And his Crackas with Attitude were, as you would say, crack-ass.
CAROLE THERIAULT. Yeah, I think my word was way better.
ANNA BRADING. Yeah.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So the weak link here, of course, are call centers. These weren't elite-level hacking techniques being deployed. It was people impersonating other people and being convincing. And that's something which is difficult for all of us to really get a handle on. And we're so reliant on companies themselves having proper procedures in place to defend our accounts and not give in too easily.
CAROLE THERIAULT. It's really complicated because, you know, part of me would like to try and see how easy such a thing would be. But in fact, it's illegal to do so, right? Unless you get the okay from the company beforehand, it's illegal to impersonate someone else and try and get private information.
GRAHAM CLULEY. So would it be cool if one of us were to give the other permission to try and do this?
ANNA BRADING. Yeah, should we try it?
GRAHAM CLULEY. As an experiment.
ANNA BRADING. Who's going to be the easiest to crack?
GRAHAM CLULEY. Everyone stands back from the microphone, goes on mute. Now, the reason why I'm talking about this today, because obviously this happened you know, 4 or 5 years ago, is that there is a great article on the Motherboard website all about Kane Gamble, this 15-year-old who did this. He's no longer 15, and he has now been released from prison. And it talks about how he literally counted down the minutes until the 20th of April, 2020, waiting for it to be midnight, because at that point he was allowed to use the internet again, having been banned since his arrest way back in 2016. And imagine not using the internet for that long.
ANNA BRADING. You'd be reading shampoo bottles.
GRAHAM CLULEY. Well, exactly. Because what would you be able to do? You wouldn't be able to use the internet components of any smartphone. If you had a Nest thermostat, does that count if it's internet-connected?
CAROLE THERIAULT. I think I'd be fine.
ANNA BRADING. Oh my god, I wouldn't.
CAROLE THERIAULT. I mean, we'd have a problem with the podcast, right? We'd have to do that in person, so that would suck.
GRAHAM CLULEY. Totally. You could send in your contributions by letter, and we could use a sock puppet to talk to.
CAROLE THERIAULT. I'd get to focus on my art, right? Get to focus on scriptwriting.
ANNA BRADING. Baking?
GRAHAM CLULEY. Imagine not being able to take a sneaky look at Wikipedia if there's a pub quiz. Imagine—
CAROLE THERIAULT. I'd never have done that. Do you do that?
GRAHAM CLULEY. No, well, let's move on. But you know, anyway, no, of course not. I don't need to. But lots of people do.
ANNA BRADING. Of course. Yeah, yeah.
CAROLE THERIAULT. Sounds like you do.
GRAHAM CLULEY. Anyway, don't do it, kids, because even if you think you're having a laugh and a lark, like presumably they did, and they thought it was super cool—
CAROLE THERIAULT. Imagine 4 years without the internet, okay?
GRAHAM CLULEY. Just imagine that. Just presume— Well, I'm trying to say things which might actually influence kids. That would actually have quite a big impact on us.
CAROLE THERIAULT. There's a lot of kids listening to the show. So thanks, Daddy Cluley.
ANNA BRADING. What would be worse, prison or no internet? Do you get internet in prison? You do, don't you?
GRAHAM CLULEY. I think you can get it illegally, because someone will bring in a tiny little— one of those little Nokia phones. Don't they sneak them in a cavity?
CAROLE THERIAULT. Would you rather that, Graham? Would you rather be in prison with internet or in your house with no internet? You can't even answer.
ANNA BRADING. Oh my god.
GRAHAM CLULEY. I am under lockdown. Right, Anna, what have you got for us this week?
ANNA BRADING. So last week you guys were talking on the podcast about contact tracing apps.
CAROLE THERIAULT. Yes, with Rory Kevlin-Jones.
ANNA BRADING. Exactly. And so you were talking about how the NHS in the UK had started with this centralized app where it stored some user data centrally, but obviously people weren't happy with that. And then Google and Apple came along and were like, "Hey guys, we've got a decentralised way of doing it. This is much better for privacy." And now the NHS has a decentralised app, so does Germany, and US states are doing the same. Alabama and Virginia have both rolled out an app based on Google and Apple's Exposure Notification API.
GRAHAM CLULEY. And as Rory described last week, it's still rather up in the air as to whether any of these apps really work.
ANNA BRADING. Exactly.
GRAHAM CLULEY. Regardless of the methodology.
CAROLE THERIAULT. No, they function. They just— we don't know if they help.
GRAHAM CLULEY. If they're effective.
CAROLE THERIAULT. Yeah, yeah.
ANNA BRADING. We don't know how many people they've alerted, how many cases they prevented. So a college in the US has a better way of doing things. That's good.
GRAHAM CLULEY. Yeah.
ANNA BRADING. So obviously there's a lot of chat at the moment about how schools and colleges and universities are going to keep their students safe from COVID when they go back for next term. And a lot of students are coming back now after having 6 months away. They've been doing online learning, or maybe not much learning at all. And so the schools are coming up with plans about how to prevent the spread of COVID. And different schools are trying out different prevention measures. So in the UK, I know in England, they're not currently recommending that students wear masks, although there's a lot of chat about it at the moment. Yeah.
CAROLE THERIAULT. I find that shocking.
ANNA BRADING. Well, in Scotland, they're considering it. Things might have changed.
GRAHAM CLULEY. I got a letter from my school— not my school, my son's school today, saying parents have to wear masks on the way in. Teachers, it's optional. Whether they wear a mask or not, and the kids aren't going to be wearing masks.
ANNA BRADING. It is difficult.
CAROLE THERIAULT. How do you feel about that?
GRAHAM CLULEY. How do I feel about him going back to school, to be honest? It's a little bit, you know, but I'm also seeing the impact of him not going to school. You know, he wants to be around his mates. He doesn't want to be around us grown-ups all the time.
ANNA BRADING. Yeah. My son is at preschool and he's 3, so it's not even like they're maintaining any kind of social distance.
CAROLE THERIAULT. Of course, I imagine.
ANNA BRADING. Yeah. And if they fall over and they hurt themselves and they cry, the preschool teachers are still going to cuddle them and make sure they're okay. But obviously, as a result of that, there's a risk. There's more of a risk to him, and there's more of a risk to them.
CAROLE THERIAULT. Let me just put my garbage bag on. I'll be right there, sweetie.
ANNA BRADING. Exactly. Strap on my mask.
GRAHAM CLULEY. I wish I was going to preschool. I'd love to have a little cuddle.
CAROLE THERIAULT. What, you want to wear diapers again and have a little cuddle?
GRAHAM CLULEY. It'd just be nice to have a cuddle occasionally.
ANNA BRADING. Oh, Graham, how's it going with Mrs. Cluley, dude?
GRAHAM CLULEY. Well, it's all right, thank you very much.
CAROLE THERIAULT. Maybe you could ask her.
GRAHAM CLULEY. Well, yes, but it's not quite the same. You could dress up as a preschool child.
CAROLE THERIAULT. And she could wear a sort of prison uniform.
ANNA BRADING. He would look great.
CAROLE THERIAULT. Little overalls.
ANNA BRADING. Just something to consider.
CAROLE THERIAULT. Little turtleneck. Romper suit.
ANNA BRADING. Anyway, so Mr. D. Trump has said he's going to send out 125 million reusable masks to school districts, although I'm not clear whether they're actually being mandated to use them. I don't think they have yet. So Albion College has come up with this other way. And so when its students return from their break, they're going to be tested, which makes sense. They're also banned from leaving campus to limit the risk of anyone bringing COVID in once school has started. So 14 weeks they're on campus.
CAROLE THERIAULT. So they're locked in. They're locked on campus.
ANNA BRADING. Well, yeah, apart from not with a key, but with a phone.
CAROLE THERIAULT. I would hate that so much. I, when I went to uni, I spent 50% of my time off campus, right?
ANNA BRADING. Yeah, you need your free— It's your first taste of freedom.
GRAHAM CLULEY. Where are you meant to take your laundry? Don't students take it home to their mum to get cleaned every week or something like that?
ANNA BRADING. Well, they're gonna have to learn to do it themselves, Graham. That's the problem. Um, so they— what they're going to have to do is they have to install this app called Aura on their phones, which the college is saying should help deal with any outbreak on campus. But the snag is that it tracks the students' locations at all times, and there's no opt-out.
CAROLE THERIAULT. And that's mandatory? They have to have the app?
ANNA BRADING. They have to. So parents have launched a petition, obviously, to make the use of the app optional, but so far the school is remaining strong on it. It's saying, chill out, guys, the only time a student's location data will be accessed is if they test positive or if they leave campus without permission. So actually, they're not going to be locked in with a key, but if they leave campus, the app will ping the college and the student's ID card will be locked, and they have to go through various things, like they have to quarantine and they have to be tested. So it's, yeah, quite a strict measure.
CAROLE THERIAULT. I'm glad that parents are saying, hey, this is a bit weird. So I guess, but now it's too late for kids to register for another school. So you're kind of— yeah, you're kind of stuck.
GRAHAM CLULEY. But hang on, if Rory was here this week, like last week, right? His argument is there's a global bloody pandemic going on.
CAROLE THERIAULT. That wasn't his argument. He said that is an argument that he didn't necessarily agree with.
GRAHAM CLULEY. But he was presenting an argument, which was that maybe the privacy thing has been accentuated too much. And there's a bigger worry here, which is that maybe these students can't be trusted or indeed people generally can't be trusted to be sensible. And if you've got students going off here, there, and everywhere and having parties—
CAROLE THERIAULT. What rights do a college have to a student's free time and where they choose to go? These kids are not like 12-year-olds.
GRAHAM CLULEY. These are adults.
CAROLE THERIAULT. Some of them are over 18.
GRAHAM CLULEY. But colleges also have a responsibility to look after their students as well, right? And if there's a few of them who are going crazy and might be bringing something in, I'm just saying, you know, there is a counter-argument.
CAROLE THERIAULT. I don't think people who have the virus have gone crazy.
ANNA BRADING. I don't think—
CAROLE THERIAULT. I don't think that's how it works.
GRAHAM CLULEY. No, no, but you know what I mean. No, it's like the spring— it's the spring break crowd, right? They're going off to Florida and they're out there on the beach and going, oh yeah, man, and having their Jagerbombs.
CAROLE THERIAULT. So just because there's a few douches out there, does that mean everyone has to be punished and locked in like sardines for 14 weeks?
ANNA BRADING. That's the thing. Yeah, I mean, you can see they lock them all in, you know. If they've tested them all and, and no one's got it, then it's not going to get in. And I can see they're not— maybe they're worried about being sued or whatever. And they're saying you've all got fitness tracking tools on your phone. It's basically the same, except obviously these tools don't track you all the time if you set it correctly. It's only when you've chosen to have your run or your cycle or whatever. And you could remove them when you want, and it doesn't affect your education. And so, so, so—
GRAHAM CLULEY. Hang on a moment, hang on a moment, right? So I'm just imagining I'm a student at a university.
CAROLE THERIAULT. Stretch your brain.
ANNA BRADING. Well, actually, Graham, let's do some roleplay. Let's do some roleplay, Graham.
CAROLE THERIAULT. Yes.
ANNA BRADING. Graham, okay, so imagine you two have kids of college age, okay?
GRAHAM CLULEY. Us two?
ANNA BRADING. Yeah, both of you, not together.
CAROLE THERIAULT. Oh, thank God.
ANNA BRADING. Yes, good to say. Don't wanna think about that.
CAROLE THERIAULT. Oh God.
ANNA BRADING. Oh, I need to wipe my mind. Carole, you've got little Tommy Theriault. Okay, Carole Theriault. And Graham, Colin Cluley. They've grown up and they're ready to fly the nest. And they've chosen Albion. Right. So I'm going to be Colin, okay?
CAROLE THERIAULT. Yep.
ANNA BRADING. Daddy!
CAROLE THERIAULT. Your voice hasn't broken yet.
ANNA BRADING. Not yet, no. I mean, it's Graham, sorry. I am going to Albion College this month, but they're making me install an app that tracks me at all times. What shall I do?
GRAHAM CLULEY. I'm sort of tempted to say, why don't you get yourself a second smartphone and leave the one which is tracking you in your room when you want to go out to get your laundry done?
ANNA BRADING. Ooh, good idea, Dad. I mean, good idea, Daddy!
GRAHAM CLULEY. That seems to be the flaw in the plan here, right?
CAROLE THERIAULT. Yeah, that's interesting, isn't it? Yeah. Because are they mandated to carry their phones around at all time? Will they be punished if they don't have their phones?
GRAHAM CLULEY. Are they gonna be frisked? You can't be frisked. You have to keep distant. You can't frisk me.
CAROLE THERIAULT. You can frisk with those, you know, those garbage picker-uppers?
GRAHAM CLULEY. You know, the ones that don't let you bend over?
ANNA BRADING. How easy is that to use that to frisk someone? I'm not sure.
CAROLE THERIAULT. I don't think I'd remember that.
ANNA BRADING. Carole Theriault, like, this is Tommy.
CAROLE THERIAULT. Same question?
ANNA BRADING. Yeah, no, no, no, no, different question. Mummy, I've got a scholarship to go to Albion College in the United States of America, but if I get homesick, I won't be able to leave campus. And if I do, they'll be able to tell from my location data and lock down my student ID. What should I do?
CAROLE THERIAULT. Stay here, darling.
GRAHAM CLULEY. How come Tommy's got the posh jolly hockey sticks accent and mine's got this abomination?
ANNA BRADING. I think it's a question of education, Graham. Oh, okay. Do you want to know how it works? You want to know how the app works?
CAROLE THERIAULT. Okay, tell us.
ANNA BRADING. Alright, go on. So when a student's tested for COVID, the results are fed into the app. And if the results come back negative, the app displays a QR code, which then lets scanners around the campus know that the student's free of the virus. So presumably they're gonna have to scan themselves in. If the results are positive or the student hasn't been tested yet, the QR code will say denied, and they won't be able to go to— I guess they'll get stuck in their room.
GRAHAM CLULEY. Hang on, hang on. This is another flaw in the system, isn't it? Because if it's a QR— Borrow your friend's phone. Well, you can either do that or you do— I've seen people do this, which is when you have a cinema where they have the QR code, which has your ticket on it, you just take a screenshot of the QR code, don't you? That's what you show. So you show it from 3 days ago when you were clear.
ANNA BRADING. That's true. Maybe there's a— maybe they've got some kind of date or something. They must have thought of that. But they have found— so they have found vulnerabilities, of course.
CAROLE THERIAULT. Oh, wonderful. Okay, Graham, can I hijack your story for a second?
ANNA BRADING. Of course.
CAROLE THERIAULT. So Graham, say imagine you're going on a plane somewhere, right? You're a paying customer, like these students are paying customers of the school. And they're like, look, we want to make sure you're okay. We're going to test you before you fly anywhere. And we're going to monitor your entire trip everywhere you go and what you do. And this is the airline because they have a responsibility for your safety even while after they've dropped you off because they have to bring you back home. Would you be cool with that?
GRAHAM CLULEY. No. No, I don't like that idea.
CAROLE THERIAULT. Look, I have no problem if I had it. I think if I was found to be infected and someone said, look, we're going to slap a bracelet on you until you're clean. That's going to track your movements because basically you're going to be staying at home or at the hospital presumably while you're sick. But not everyone gets sick.
GRAHAM CLULEY. Yeah, we could still be spreading it.
CAROLE THERIAULT. Yeah, but you know, you— of course you'd still be spreading it. So that's the thing.
ANNA BRADING. So you'd be—
CAROLE THERIAULT. I guess what I'm saying is some people might be sick and still leave because they don't feel, and that's the issue, right?
GRAHAM CLULEY. Oh yeah, well, those people are one. Yeah, you shouldn't do that. If you've, if you've been tested positive, you've got to stay at home.
ANNA BRADING. But it's— yeah, but it's not just— it's not the people that have tested positive, is it? It's just every single student in this school. Yeah. 1,500 students.
GRAHAM CLULEY. Maybe we should just brand the students on their foreheads. Why don't we just put the QR code there? Then they can't copy it off someone else's—
ANNA BRADING. And also hard to change the QR code. Yes, more tricky.
CAROLE THERIAULT. Erasers don't work.
GRAHAM CLULEY. Crow, what's your story for us this week?
CAROLE THERIAULT. For another seriously fun topic, we're going to talk about protests. So there have been protests all around the world. This is where large groups of people are banding together to fight injustices. In Hong Kong, we were fighting with mainland China. Russian citizens were Vlad's questionable reelection. US MeToo and Black Lives Matter. India, Iran, Zimbabwe, and most recently Belarus. And all these protesters in these different places have faced a similar problem, and that is the problem of communication. When the services are jammed up with loads of traffic or worse, authorities effectively kill the internet, how do you stay in touch? Actually, I was, let me sidestep for a second. Here's an interesting stat on kill switches. So they're getting turned on more often. So there was a report suggesting that 122 major internet shutdowns occurred in 2019 in 21 different countries.
GRAHAM CLULEY. Oh, where they just turned off the internet?
CAROLE THERIAULT. Just turned off the internet to try and control the people. Yeah. And stymie communication. When you think about how reliant we are on it, eh, Graham?
GRAHAM CLULEY. Well, yeah. I bet lots of shampoo's being sold though, right?
CAROLE THERIAULT. You'll be in jail. You'll be fine. You'll have your own Wi-Fi in jail.
ANNA BRADING. Does the kill switch reach the jails? Is Graham all right?
CAROLE THERIAULT. So when protesters get into the situation, there is a neat way to try and stay in touch with people who are nearby, and that is mesh networks. So a mesh network, for those that don't know, is kind of different from traditional networks. In a mesh network, you have nodes that connect directly and dynamically rather than more traditional methods where there's a dependency on a single node to perform a task. So, you know, they say that it reduces maintenance, speeds up latency issues, yada, yada, yada. And it allows people to talk without having to use their data plans necessarily.
GRAHAM CLULEY. Yeah, it's very cool. I've always wanted to use one of these, and I've always wondered when the opportunity might be. So I've been at concerts, for instance, and I can't remember the name of it. There's one called Red something or Fire, I can't remember anyway. But there's, and I've sort of opened the app thinking, oh, there must be someone else at this concert who's got this as well. And it never finds anybody. So I'm obviously going to the wrong demographic or something other than some radical protest. But I think the technology is really clever, 'cause like you said, it doesn't require 3G or 4G or mobile connection or internet or anything like that.
CAROLE THERIAULT. And they use other comm tech, like, so they might use Bluetooth or a peer-to-peer Wi-Fi. But it does rely on people being near-ish. That means Graham and I, don't worry, we'll never have to do this 'cause we're never together, right?
GRAHAM CLULEY. We're socially distant.
CAROLE THERIAULT. Socially distant, responsibly socially distant. Now, there are a number of mesh networking-based apps out there that might help you with communication.
ANNA BRADING. Right?
CAROLE THERIAULT. You have Signal offline messenger. You have the Voyager app, V-O-J-E-R. And sadly, the brilliantly named Zombie Chat has been discontinued, but it was touted as a peer-to-peer post-apocalyptic communication tool for when zombies take over the planet.
GRAHAM CLULEY. I heard it was coming back from the dead.
CAROLE THERIAULT. Oh!
GRAHAM CLULEY. I hope it's resurrected.
CAROLE THERIAULT. But if you wanted to text your nearby mates without wasting your data plan, so Graham, like pre-Rona, that was a perfect situation where this would be great at a concert, right? You're trying to find your mates, trying to find your friends. Where are you? You know, oh, we're by the bleachers, or if you're at a sports event or at school.
GRAHAM CLULEY. Sometimes the mobile connection is all jammed up because everyone's using their phone. And so it would be good to be able to communicate some other method.
CAROLE THERIAULT. And if you're a journalist, for example, in a dangerous area, you need to keep in touch with your team, or if you're a protester, these apps can be a total lifesaver. So the one I want to talk about is called Bridgefy and its marketing pitch, which presumably we can thank the Twitter co-founder Biz Stone, who is a backer of Bridgefy and the marketing dude behind this app.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So Bridgefy is an official messaging app that lets you communicate with friends and family when you don't have access to the internet by simply turning on your Bluetooth antenna. Ideal for festivals, sporting stadiums, etc., etc. So it's pretty groovy, and they claim to have about 2 million downloads. So that's not huge, they're not a market leader, but they're certainly making a few waves and probably catching the attention of investors. Now, according to this article from Ars Technica, Bridgefy was initially set up to help those in rural areas with shitty connectivity to communicate. And, uh, that we've been reading a lot about, that we're actually— there's Wi-Fi buses going into these rural communities just to try and provide some, uh, online assistance for students to help them do their homework. So you can imagine this would be really cool to help people stay in touch, although 300 feet, right?
ANNA BRADING. You have to stay, you have to have small houses.
CAROLE THERIAULT. If you were in a tower block, you'd be perfect.
GRAHAM CLULEY. This is like a mobile cyber cafe, or it brings a hotspot into your area, does it?
CAROLE THERIAULT. Brings a hotspot into the area to allow kids to do, you know, if they don't have Wi-Fi at home. But with this past year's increase in large, scary protests all around the world, Bridgefy company representatives began telling journalists that the app's use of end-to-end encryption protected activists against governments and counter-protesters trying to intercept text or shut down communications. And earlier in the month, the CEO of Bridgefy continued to ride this wave, declaring that last year they'd become the protest app, right? He used those words. So on the Google Play Store until recently, it said, don't worry, your messages are safe and can't be read by those people in the middle. And the company encourages iOS users to have secure and private conversations using this app. So sounds amazing, right? They take security seriously and they allow you to communicate without having, you know, if everything gets jammed. But thank God some dudes decided to go do some digging and unveil some less digestible truths about this app. So this is a paper called "Mesh Messaging in Large-Scale Protests: Breaking Bridgefy." So the title says it all. So these are researchers from University of London and they performed what they call a security analysis on this app and SDK, the protestors' so-called best friend. And they found, let me quote them, "Our results show that Bridgefy permits its users to be tracked, offers no authenticity, no effective confidentiality protections, and lacks resilience against adversarially crafted messages." So they verified all these vulnerabilities by demonstrating a series of practical attacks on the app. And I've linked obviously to the papers, so you can go see that on the Smashing Security website.
And they say if protesters rely on Bridgefy, an adversary could track them, produce social graphs about them, read their messages, impersonate anyone to anyone, shut down an entire network with a single maliciously crafted message.
GRAHAM CLULEY. Oh, yoink.
ANNA BRADING. Wow.
CAROLE THERIAULT. So shitty, shitty security is what I'm saying. So as a result, researchers conclude that participants of protests should avoid relying on this app until the vulnerabilities are addressed. Now, so I dashed, as soon as I read that, I dashed over to the Bridgefy website, right? To see if there was anything on there. And I wouldn't mind if you guys went to that website, take a scan of their blog post. So this came out, look at the date that it came out.
GRAHAM CLULEY. Yes, just recent. Yes.
CAROLE THERIAULT. Very recent. Remember that the Twitter guy, the Twitter guy is the marketing brains behind this operation and a backer. So it makes for an interesting read, 'cause we're all pretty strong at crisis communications. We've had quite a bit of, you know, snafus in our careers that we've had to deal with, not of our faults, but that we had to get everyone else out of a pickle, right? Sticky pickles happen. So let's see what you make of this post. So one thing I like, if you look down, you'll see there's a bulleted list. So they say, these are things we are gonna fix, right? They say man-in-the-middle attacks done by modifying stored keys will no longer be possible. One-to-one messages sent over the mesh network will no longer contain sender and receiver IDs in plain text. And people use this for privacy. A third person will no longer be able to use the server's API to learn others' usernames. All payloads will be encrypted. So—
GRAHAM CLULEY. So it's all good news. That's what they're saying is good news. Great news. We're improving everything. There's even an exclamation mark near the top.
CAROLE THERIAULT. I know.
GRAHAM CLULEY. Isn't this great?
CAROLE THERIAULT. The tone bugs me because in a way they're doing what I'd like, they're doing what I want them to do. They're kind of coming clean saying we are up. We're going to fix this. And they do thank the researchers of London at the very bottom of the blog article, right? But this bugs me, the tone of this message. Over the past year, we've learned a very valuable lesson. Users decide how an app is best used, not us. So not our fault, guys. Our primary focus has been to provide users with a reliable way of communicating without the internet. And while we never expected to become the default protest app, well, A, $2 million. And two, you, you claimed it in many articles. Yeah. Yeah. So we're thankful that so many people have chosen Bridgefy as a communication tool to tackle blah blah blah. So I don't like it.
ANNA BRADING. Yeah. No.
CAROLE THERIAULT. And they don't apologize. I mean, I get it. Why play fast and loose with liability when it's your fault? But they may have put a lot of people in danger and they've basically presented themselves as a secure place without actually having tested the app or cared enough to test it if they're making those calls.
ANNA BRADING. Yeah.
GRAHAM CLULEY. I've just been reading some of the technical details as to what was wrong with the app, and there's some very elementary security goofs which they made. For instance, they've got an IDOR, the insecure direct object reference flaw. This is one of the most commonly encountered flaws in online applications, a way of basically just change a parameter and you can access someone else's details.
CAROLE THERIAULT. It's like elementary to security dev world. Yeah.
GRAHAM CLULEY. Well, it really is. Now I'm sure that the chap from Twitter isn't maybe involved in the coding or whatever, but surely he has some influence and experience of trying to harden.
CAROLE THERIAULT. Like, let's get a pen tester and see how it does.
GRAHAM CLULEY. Well, you know, I think people, anyone involved in producing messaging apps, I think really needs to hire some hackers to hack themselves rather than wait for the bad guys to try and do it.
CAROLE THERIAULT. But I think the bigger problem here is that we've done our jobs very well, Anna and Graham, right? We've made security and privacy an important thing in people's lives. We certainly helped with that fight over our little careers. So now people are using it as a kind of fashion statement or as a messaging purpose in order to get customers. And it may not be true at all. So we can't believe the marketing stuff. You have to say, well, how do you do this? Show me, prove to me that you do this.
ANNA BRADING. This. Yeah.
CAROLE THERIAULT. And that puts a lot of onus on the buyer.
ANNA BRADING. Yeah. And it's hard for the average user to understand enough. Yeah.
CAROLE THERIAULT. Now, these— this app is not yet ready. They say they're going to fix everything, and for those that are still diehard fans, um, that should be done in about 2 months, they say. September, late— mid to late September 2020, they say. I'm going to guess October, November, having worked in the world for a while.
GRAHAM CLULEY. So don't use it until then. It's interesting what you say, Carole, about this idea of how it's been used as a marketing tool. A marketing tool. You know, these concepts of security. I'm just reading this blog post which you've linked us to here about their commitment to privacy and security.
ANNA BRADING. Yes.
GRAHAM CLULEY. And they've got these bullets of all the things they fixed. And then they write, what does this mean in plain English? It means using Bridgefy will now be much, much safer. Well, my response to that is it means using Bridgefy has been up until recently, and possibly for the next couple of months, less safe than you imagined it was in the first place.
CAROLE THERIAULT. Yeah, a big fucking shit show, not at all what you advertised.
ANNA BRADING. Yeah.
CAROLE THERIAULT. That's what I think it is. Anyway, wish you luck, Bridgefy, but it annoys me that people can go out and say, "We are end-to-end encryption," and tell journalists this and try to get away with it. So I applaud the media outlets out there that are calling their attention to this, because this isn't cool.
GRAHAM CLULEY. And also, well done to the researchers who found the vulnerabilities, who haven't been paid, I imagine, and did it off their own back. And appear to have done a good job.
CAROLE THERIAULT. Yes. And anyone who's interested, please click on the show note link. Show notes link.
GRAHAM CLULEY. Which of those links should you click on?
CAROLE THERIAULT. Show notes. Hey, you IT security guys out there, I know that you have a tough job. If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass. They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out. There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like cool. Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
ANNA BRADING. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. It has been the school summer holidays where I live. And also under lockdown means there's not much to do. And one of the things that my son began to— he must have seen some YouTube video or something. He said, Dad, Dad!
ANNA BRADING. Oh, wow. Oh, that's your voice. What did Colin say?
GRAHAM CLULEY. He said, I want to see the Marvel Avengers movies. And I thought, well, I've never seen any of those. Aren't there like 80 gazillion of them? And my wife expressed an interest as well, wanting to watch them. So we got our— we got— we turned on Disney Plus for like a tenner or however much it costs a month. And we set off to watch them in order. So we found out— we found an online list of how to watch the Avengers movies in order, because there's all these different characters and it's very complicated.
CAROLE THERIAULT. Well, is there really a list across?
GRAHAM CLULEY. Yes, there's— oh, Carole, you've got no idea the complexity.
ANNA BRADING. My husband has been doing the same thing.
CAROLE THERIAULT. Do you watch this stuff, Anna?
ANNA BRADING. No. Anna doesn't watch anime, does she? I'm too busy reading books.
GRAHAM CLULEY. I found them incredibly tedious. I would typically last about 20 minutes before falling asleep or walking off.
ANNA BRADING. See?
GRAHAM CLULEY. Walking off to tinker with my website. I've got no interest in seeing robots fighting robots. It's like, bish bash, thump thump.
CAROLE THERIAULT. You're like, who gives a shit? It's like my dishwasher fighting my fridge.
GRAHAM CLULEY. It's, yeah, exactly, exactly. And when they've got masks on as well, there were a couple— the original Captain America movie, it's like, oh, they're humans. They're humans in the Second World War. Okay, I can understand this. I can deal with it. Then he puts on his spandex and I'm like, oh, really?
CAROLE THERIAULT. Like, who wins? Who cares? You don't care.
GRAHAM CLULEY. Yeah. So we've been through about, I don't know, 10 of these movies so far. And each time I bail out quite early on because I think I can't watch this.
ANNA BRADING. 10? Over a weekend?
GRAHAM CLULEY. No, I didn't say over a weekend. Over the summer holidays.
CAROLE THERIAULT. Oh, okay.
GRAHAM CLULEY. Although my son, he would watch 10 over a weekend, to be honest. Anyway, and then one came on, which is called Thor: Ragnarok, and it's different. And I went, oh my God, this one isn't shit like all the others, because this one has got a sense of humor. This one, it's like they've changed it. It's like, whoa, whoa, whoa, how come now it's not all posturing?
CAROLE THERIAULT. Tell us a joke. Tell us one of the jokes.
GRAHAM CLULEY. There's still— well, well.
ANNA BRADING. Go on then.
GRAHAM CLULEY. I'm not going to tell you a joke, but what I will do is I will link to the trailer in the show notes. And Carole, I will tell you who's in it. Some of the people— that's Chris Hemsworth, right? Tom Hiddleston, Cate Blanchett, Mark Ruffalo playing the Hulk, and Jeff Goldblum.
ANNA BRADING. Ah, Carole!
CAROLE THERIAULT. Bonjour, bonjour!
GRAHAM CLULEY. Now I've said Jeff Goldblum, you instantly kind of get the kind of a kind of kooky kind of humour.
CAROLE THERIAULT. It's the opposite of Tom Hanks.
GRAHAM CLULEY. Right, exactly, which is going on Let me just cross my legs. Anyway, it's so interesting to see this movie franchise, and I don't know what the later Avengers movies are going to be like. Maybe they return to form, I don't know, or have been rubbish. But the Thor: Ragnarok, I thought, simply because it's a little mirage— it's, or no, it's actually an oasis. It's an oasis in this desert of nothing.
CAROLE THERIAULT. Okay, I want to go watch it. Come on, hurry on.
GRAHAM CLULEY. Well, I'm not saying it's that brilliant, but compared to the others, if you've made your way through the others, then thank goodness for Thor: Ragnarok, because it did make me laugh.
ANNA BRADING. If I watch it, am I going to have to have watched all the other ones to know what's going on?
GRAHAM CLULEY. Well, I haven't watched any of the other ones, because I can't bear it. And it has— I'll be honest with you. It didn't completely keep my attention the whole time, right? But I could see it was so much better than the others. And it did amuse me and make me laugh occasionally, even though I didn't know who absolutely everyone was. But I thought this is good, and I was pleased to see them make this positive step. And that is why it deserves to be my pick of the week, Thor: Ragnarok.
CAROLE THERIAULT. Yeah. Holiday August, Eilidh.
ANNA BRADING. That's right.
GRAHAM CLULEY. Anna, what is your pick of the week?
ANNA BRADING. So, who remembers the '90s?
GRAHAM CLULEY. I do. Yep. I was around then.
ANNA BRADING. What were you two doing?
CAROLE THERIAULT. I was partying.
GRAHAM CLULEY. I think I was at primary school.
ANNA BRADING. Were you?
CAROLE THERIAULT. In the '90s.
ANNA BRADING. Yeah, sure.
CAROLE THERIAULT. You must have been really smart. Were you like 25 and studying?
GRAHAM CLULEY. I'd been held back. I'd been held back for about a decade and a half.
ANNA BRADING. Right, okay. So Graham was at primary school and Carole was partying.
CAROLE THERIAULT. Partying at uni, yep.
ANNA BRADING. Yep, okay. So, yeah, so in the '90s, I was at primary school, some of it, and secondary school for some of it. Show off. I'm very young. We spoke a lot about the information superhighway and the World Wide Web.
GRAHAM CLULEY. Yeah.
ANNA BRADING. We got our internet via the AOL discs.
CAROLE THERIAULT. Oh, there you go.
GRAHAM CLULEY. Praise be to Al Gore for inventing it. What would we have done without him?
ANNA BRADING. Yes, well done, Al Gore.
CAROLE THERIAULT. Al Gore?
ANNA BRADING. Yes.
GRAHAM CLULEY. The internet superhighway, he did.
CAROLE THERIAULT. Oh, right. Is that his keyword? That was his—
ANNA BRADING. That was his branding. So we also worried about the Y2K or Millennium Bug.
CAROLE THERIAULT. Oh yeah, yeah. I was working then. Yeah.
ANNA BRADING. Netflix and Spotify were in our fantasies only. And we were sort of getting our grips around mobile phones. What was your first mobile phone?
CAROLE THERIAULT. Nokia 3770, I think, something like that.
GRAHAM CLULEY. A Nokia, I think it was a 3310.
CAROLE THERIAULT. Oh, 3310 was the first one.
ANNA BRADING. No, 5110 was first. That's what I heard. And then 33 came after.
GRAHAM CLULEY. I think I had my first Nokia in about 1992. So I don't know what the model was.
CAROLE THERIAULT. You're young Nokia. I still have my handset upstairs.
ANNA BRADING. Do you?
CAROLE THERIAULT. Yeah, my first one. I didn't keep any others.
ANNA BRADING. Does Snake still work?
CAROLE THERIAULT. Oh, I did have Snake. That changed the bathroom behaviour, didn't it?
ANNA BRADING. Yes, no more shampoo bottles. And the battery lasted for a week.
CAROLE THERIAULT. It was brilliant. Yeah. And you can make phone calls.
ANNA BRADING. Oh, I'm sadly no podcast though. Exactly, exactly. And you know, I don't talk to many people on the phone, Carole. I'll make an exception for you. Uh, we played on Game Boys, SNES, PlayStations. Maybe I, I did, maybe you guys didn't. I actually got RSI from playing too many games of Super Mario World, um, and I had to give up playing computers because of my rage for computer games.
CAROLE THERIAULT. I didn't know that. Yeah.
ANNA BRADING. Oh yeah, I can't. Oh, it's too much.
GRAHAM CLULEY. Well, you turn into the Hulk or something. What happens?
ANNA BRADING. Oh, it just makes me really angry in all walks of life.
GRAHAM CLULEY. Oh, that's just—
CAROLE THERIAULT. What if you don't win a game? If you lose a game?
ANNA BRADING. Yes. Or just the intensity of it. I put everything into it.
GRAHAM CLULEY. I remember playing chess against you. That was—
ANNA BRADING. Yeah, well, I didn't— I mean, I was never gonna win that, was I? There was no COVID. No Trump. No Brexit.
CAROLE THERIAULT. Well, there was a Trump, but not in the office.
ANNA BRADING. Yeah, not a Trump making so much hassle. And there was the music, of course. So we had Britpop in the UK.
CAROLE THERIAULT. Oh yeah, Oasis, Pulp.
ANNA BRADING. Yeah.
GRAHAM CLULEY. It was shit in the '90s, wasn't it?
ANNA BRADING. You brought music.
CAROLE THERIAULT. Music was excellent in the '90s.
GRAHAM CLULEY. Yeah, no, it was awful.
ANNA BRADING. What? DJ Jazzy Jeff and the Fresh Prince? Celine Dion? Hanson.
CAROLE THERIAULT. There were some great '90s acts.
ANNA BRADING. There were boy bands. Oh, don't get me started on all the boy bands.
GRAHAM CLULEY. I bet you were an East 17 girl, aren't you, Anna?
ANNA BRADING. Of course I was an East 17 girl.
CAROLE THERIAULT. Well, I couldn't name one song.
ANNA BRADING. Oh, there was East 17 and there was Take That, Carole.
GRAHAM CLULEY. There was no way you were a Take That girl.
ANNA BRADING. Take That for the good girls, and East 17 were not. There was obviously Backstreet Boys, there was NSYNC. I was all sorts. Anyway, a personal highlight for me was Kris Kross, who were in America. I don't know, do you guys remember Kris Kross?
GRAHAM CLULEY. I have no idea what you're talking about.
CAROLE THERIAULT. Kris Kross, the K-K's, right?
ANNA BRADING. Yes, yes. And they were an American hip-hop duo who were both called Kris. Yeah. But who wore inexplicably wore their clothes backwards. I was actually sad to find out when I was Googling Kris Kross.
GRAHAM CLULEY. Have they got a new album out? Is this your pick of the week?
ANNA BRADING. I'm very sad to tell you that one of them actually died.
CAROLE THERIAULT. Oh dear.
GRAHAM CLULEY. I didn't know this.
ANNA BRADING. This. And so it was quite difficult for me.
GRAHAM CLULEY. Was he walking across the road backwards or something?
CAROLE THERIAULT. Was it something related to having his clothes on the wrong way round? The hood blew up over his face. Couldn't see where he was going, got hit over.
ANNA BRADING. I actually once tried dressing like Kris Kross for a day.
CAROLE THERIAULT. Backwards?
ANNA BRADING. Yes.
CAROLE THERIAULT. How did it go?
ANNA BRADING. It went really well. Middle-class white girl from the UK.
GRAHAM CLULEY. Come, come, you're not middle-class. You're an East 17 fan.
ANNA BRADING. That's true. Yeah, I had to let it out somewhere, didn't I? So my, anyway, my pick of the week is a podcast which is called Sounds of the '90s.
CAROLE THERIAULT. Oh, I've seen this being touted. Is it great?
ANNA BRADING. Annoyingly, it's just on BBC Sounds and not on any of the other podcast providers, which it does irritate me. And it's Fearne Cotton. So that's why I went, well, because I can't make up my mind whether I like her or not. But she relives the '90s through music, but also she's got guests on. So she had like Mel C and Geri from the Spice Girls. Oh. Tennis legend Tim Henman. And wait for this one, TV soap star Adam Rickett.
CAROLE THERIAULT. Do you know what? This is so smart of a podcast, isn't it?
ANNA BRADING. It's great.
CAROLE THERIAULT. They're all at home. They're like Z-list now.
ANNA BRADING. Yeah.
CAROLE THERIAULT. Right? They're free.
ANNA BRADING. But they talk about songs of the '90s, and obviously there's a huge playlist, but they also talk about TV, film, clothes, soaps. All of it. And because Fearne Cotton is a similar age to me, she's talking about things that are very— that sort of struck a chord with me. So it is a nice trip down memory lane for those of us who were around in the '90s. Graham might not remember because he was a bit young.
CAROLE THERIAULT. Or if people want to know what it was like, what we did when we didn't have phones. Yes. Yeah.
ANNA BRADING. Yeah. When you had to sort of make sure you were at your television for 5:10 for Home and Away and 5:35 for Neighbours.
GRAHAM CLULEY. We're sounding so old now, aren't we? Carole, what's your pick of the week?
CAROLE THERIAULT. I have a pretty good group of awesome friends. Like Anna, you're definitely in our tier zero zone, right? Yes. Graham, definitely solid two. Solid tier two. Cool.
ANNA BRADING. Still some work to be done there, Graham.
CAROLE THERIAULT. But I have a few other stellar friends, and one of them found herself in a bit of a situation. She has a daughter, a two-year-old brown multi- heritage daughter. This is her words. And she just couldn't find any educational fun games or toys that would allow her to kind of identify with, you know, so often you buy dolls for your kids and you buy someone that may look like them or that they can relate to, like, and she couldn't find any that matched her needs. So what does she do? What does my friend Alexa do? She gets a bunch of people from around the world together and creates a toy. And it's, well, a game. It's called Super Sapiens. And it's a deck of cards that focuses on inspiring women from around the world. And I've got a pack right here, and, um, it's like a 3-in-1 game. So you have like a snap game, a memory game, and a guess game. And it really— you can play with 3-year-olds to whatever age. I think on the card she says— oh yeah, she says from age 3 to 103. So there you go. And some of the women who are featured, you have Fatima al-Fihri. She was a Tunisian woman in the 1st century who founded the world's first university in Morocco. And Marianne Kahn, a Jewish resistance fighter who snuck Jewish children out of Nazi-occupied France. So all of them are kind of big topics. And Alexa really believes that these are things that we should try and introduce to our kids slowly in a kind of controlled way and in a way that's, you know, responsible so they can learn from you.
GRAHAM CLULEY. What do you do with the cards?
CAROLE THERIAULT. Well, like, you have a deck and you, for example, there'll be like 3 pictures of the same person. So if you're playing Snap, snap.
GRAHAM CLULEY. Oh, I see. Okay.
CAROLE THERIAULT. And each one has a picture or kind of illustration of the woman, and then there's like a brief description of them. But it just kind of lets those names kind of, you know, go through your head and kind of get into your mental image of what are great people. And oh wow, some of them are women. So it's kind of cool. Plus, 75% of the profits go to Black, Indigenous, and people of color-led organizations. So that's pretty cool too. If you like the sound of this, then you can check it out because she's just opened her Etsy shop and, um, I will put a link on the Smashing Security webpage.
ANNA BRADING. Very cool. It is very cool.
CAROLE THERIAULT. I was kind of amazed because I remember her having the idea early on. We were in the pub pre-Rona, and she just mentioned— she was saying about this, she goes, I think I'm just gonna do this.
ANNA BRADING. What do you think? What do you think?
CAROLE THERIAULT. And I was thinking, oh God, that's hard. Like, you have to build, you know, you have to make something physical, you've got to store it, you've got to get it to people, you got to make sure, you know, there's so much involved. I don't think I would do it. And she was like, oh, thanks for back. And then like 4 months later, there it is. So I think amazing.
ANNA BRADING. Yeah.
CAROLE THERIAULT. So check it out, Super Sapiens, and you can find it on the Etsy shop. And well done, Alexa.
GRAHAM CLULEY. That's very cool. So Carole, I've had an idea which you can pass on to Alexa. Maybe she's already had this herself.
CAROLE THERIAULT. She might be listening since we're—
GRAHAM CLULEY. Oh, okay, since we're plugging her product.
CAROLE THERIAULT. Talk to her directly. Talk to her directly.
GRAHAM CLULEY. Hi, Alexa. I've had an idea. What about if people could pay you a bit of extra money and you could have some customized cards? So then we could have a card with Carole Theriault, podcaster.
ANNA BRADING. Yeah.
GRAHAM CLULEY. Anna Dastashi, right? Or something like that. Or you could— so you could make a pack and give it to your friends. Or I don't know, it's just— I'm just thinking, wouldn't it be fun to be playing this game? And you're not in there, are you, Carole? No. You're not in the collection as far as you know.
CAROLE THERIAULT. I didn't make the cut.
GRAHAM CLULEY. Oh, I see.
CAROLE THERIAULT. Yeah. Okay. Somehow I didn't cure cancer or anything, so I didn't make it.
ANNA BRADING. Still time, Carole.
CAROLE THERIAULT. I've still got time. Exactly.
ANNA BRADING. I'm still young.
GRAHAM CLULEY. Get a move on.
ANNA BRADING. Yes.
CAROLE THERIAULT. Forever young.
ANNA BRADING. They could do, she could do a pack of cards that had the greatest IT people in history, eh, Graham?
CAROLE THERIAULT. Oh, that's where he was going. Ah, but there's only, he said greatest 11th, maybe we'd have to focus on the top 10.
ANNA BRADING. Yeah.
GRAHAM CLULEY. Well, on that controversial bombshell, we've just about wrapped it up for this week. Anna, I'm sure lots of our listeners would like to follow you online, get in touch, offer you a job.
ANNA BRADING. I'm @AnnaBrading on Twitter. And, uh, yeah, send me, uh, your requests for my work. I'm available for all your content needs. Not all of them, you dirty people.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And you can also join our subreddit, uh, go and look for Smashing Security up there. And don't forget, if you want to be sure never to miss another episode, please subscribe in your favorite podcast apps, such as Apple Podcasts, Spotify, or Pocket Casts, and you will be updated as soon as we push out a new episode.
CAROLE THERIAULT. And thank you to all of you for listening, supporting the show, and sharing our work with your people. Also, high five to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out Smashing Security for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
ANNA BRADING. Bye-bye. Bye!
GRAHAM CLULEY. Oh dear, well look, I've almost run out of things to read on my shampoo bottle, so I'm gonna have to either flush or hang up.
ANNA BRADING. I'm about to go and find mine. I've got a new shampoo, so it's quite exciting for me.
CAROLE THERIAULT. Ooh, Anna living the dream!
-- TRANSCRIPT ENDS --