This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
I always remember Oliver Reed explaining how to be scary in a movie. You very, very quietly say, if you do that ever again, I will kill you.
Yvonne Eskenzi
I think that's actually what I did. It was in the school canteen.
Carole Theriault
Okay, whoa, I didn't know I was on the fucking show with two psychopaths.
Unknown
Smashing Security, episode 219. Cheerleaders, dating apps, and crisis PR with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 219. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week, Carole, we are joined by someone who's brand new to the show, but not new to the world of cybersecurity by any means. Someone who's been working in the background mysteriously, pulling the strings, manipulating. Yvonne Eskenzi, hello, Yvonne.
Yvonne Eskenzi
Hi.
Graham Cluley
So, Yvonne, explain what you do and where you sit in the cybersecurity business.
Yvonne Eskenzi
Okay, so just over 25 years ago, there was a new little baby show called Infosecurity, and I used to do PR for running big exhibitions. I used to work at News International, and then I decided to go on my own and was asked to run this little show. I had no idea what the hell I was doing, especially when it came to IT security. Basically, I started to do all the PR for Infosecurity and ended up specializing in cybersecurity. Well, then it was called information security. Fast forward 25 years, we've helped, I think, probably every single cybersecurity company there is to do an IPO or be acquired. And we've got about 30 clients at the moment, and we beaver away, you know, that's what we do.
Carole Theriault
You do, yes. Well, you've been in the industry forever. We've known each other forever, and anyway, you're everywhere.
Graham Cluley
Yeah.
Carole Theriault
Okay. Let's thank this week's sponsors: 1Password, CrowdSec, and SailPoint. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Oh, are you a cheerleader? I bet you are. Yvonne, what about you?
Graham Cluley
Oh, I'm going to take
Yvonne Eskenzi
Oh, we're going to talk about crisis comms because it's very much in the news at the moment, isn't it? With SolarWinds and all the stuff that keeps happening, cybersecurity crisis.
Graham Cluley
you into the crazy world of cheerleaders.
Carole Theriault
Yeah, totally. And I am going to delve into the world of online dating because it's had a little bit of a ripple of action. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, I might know the answer to this already, but just to be absolutely clear, have any of the three of us ever been a member of a female cheerleading squad? I haven't. I'm going to put my cards on the table and say I absolutely haven't been. You haven't been, Carole? Yvonne?
Yvonne Eskenzi
Oh, would I not just love to have done that? Been so much fun.
Carole Theriault
Really?
Yvonne Eskenzi
Yeah, with those great big pom-pom things. Absolutely love to. But we don't — you don't do things like that, do you, in the UK? It's very much American, isn't it?
Graham Cluley
I think it is mostly American, but I think it's becoming a little bit more popular over here as well. I think you could start doing it if you wanted to. I mean, that might be something.
Carole Theriault
Why would you want to cheer someone on? Why not want to be the person that's being cheered? Why not be the athlete?
Graham Cluley
Oh yes, good point. There's a Netflix documentary series called Cheer. Have you seen that?
Carole Theriault
Mm-mm.
Graham Cluley
Don't mix it up with Cheers. I'm not talking about Norman, Cliff, and Ted Danson. Cheer is a documentary all about these extraordinarily athletic people involved in the brutal, high-pressured world of cheerleading. And I look, I watch it. I'll be honest with you. I look at it and I think—
Yvonne Eskenzi
Really?
Graham Cluley
That looks like a piece of cake. It looks like a piece of cake to me.
Yvonne Eskenzi
I just think that's really pervy.
Graham Cluley
It's not just women in cheer. There are men in it as well. I mean, these are athletes. They're doing really impressive things. They're throwing themselves around and bouncing off things. And, you know, these people are hard as nails.
Carole Theriault
Yeah. And it's kind of like gymnastics, really. I mean, there's a lot of muscle action going on, isn't there?
Graham Cluley
Yeah. Yeah, and it is pretty impressive stuff. And so they're really tough, as are their coaches. And of course, the parents behind them as well, 'cause it's a fiercely competitive world. And sometimes, dare I say, a little bit crazy, a little bit psychotic.
Carole Theriault
I remember some story about cheerleaders where it's quite tough rules.
Graham Cluley
Yeah.
Carole Theriault
See, I'm remembering Dallas Cowboys for some reason, but there was this exposé where this woman was like, we weren't allowed to chew gum, we had to wear our hair a certain way, we weren't allowed to touch our face. Ever in public, can't weigh more than this amount of weight, huge amounts of rules for your entire life.
Graham Cluley
There are lots of rules. Right. You're talking about people who are cheering on the Dallas Cowboys. But if you're just a member of a regular cheerleading squad, you are expected to behave in a certain way and not do certain things.
Yvonne Eskenzi
Well, you don't get chubby cheerleaders, do you?
Graham Cluley
Well, I think you don't be so fattist. I think you could do. There's no reason why you couldn't.
Yvonne Eskenzi
Graham, in the little program that you've been watching, have you seen chubby cheerleaders?
Carole Theriault
I think if you watched Chris Farley come down on— what was his name— Dave Letterman Show. Chris Farley did an entrance coming on the show, and I swear to God, I don't think— we're gonna put a link in the show notes for anyone who wants to see it if you haven't seen it, because he was quite gymnastic. Yeah, he changed my view on what people can do. There's two things there, right?
Graham Cluley
Was that the night he had a heart attack as well? I'm not sure, but it was quite— Anyway, in the world of cheerleading, as I say, it is a little bit crazy, because of course, you all want to be the person who's sort of thrown up in the air five stories and tumble 28 times and all the rest of it. You have to be a bit nuts to do that. Tempers can flare, rivalries can grow, and sometimes, really unpleasant things can happen.
Carole Theriault
Having no friends.
Graham Cluley
Now, what happened last year is that some of the teenage girls on a cheerleading squad in Pennsylvania called the Victory Vipers, they began to receive unpleasant texts and voicemails. And some of these messages told them, "You haven't got any friends. You should go and kill yourself." Which isn't very nice, is it? Not something a young woman wants to hear.
Graham Cluley
Yeah.
Carole Theriault
That's one thing. But jumping to killing yourself in the same line is a bit like, whoa.
Graham Cluley
It gets worse. Because not only were there texts and messages like that, they were also sent photographs and videos purporting to be the girls themselves caught drinking, smoking, vaping, and generally being in the nuddy.
Carole Theriault
Being in the nude?
Graham Cluley
Yes.
Yvonne Eskenzi
Certainly not eating Dunkin' Donuts, eh?
Carole Theriault
Stuffing their face down at the local—
Yvonne Eskenzi
That's normal fun.
Graham Cluley
That might be against the rules as well. I don't know, I don't have the precise rules. But the thing was that they were being sent these photographs, and of course they were mortified because they're thinking, I might get thrown off the team.
Carole Theriault
Someone's a PI, so someone's following them and taking shots of them, or there's some conspiracy going on.
Graham Cluley
There's some sort of subterfuge. But the thing was, these girls were looking at these photos and they're thinking, well, hang on a minute, I haven't been vaping in the nude. I haven't been drinking and smoking. That does appear to be my face, but—
Carole Theriault
Oh. Here entereth the security angelith.
Yvonne Eskenzi
I was wondering when that was gonna happen.
Graham Cluley
So generally, they were receiving messages, and they're making claims about things which they shouldn't be expected to be doing. The images were sent to these girls and to the girls' families as well.
Carole Theriault
Oh my God.
Graham Cluley
Alongside comments about their lewd behaviour. That they were dating boys.
Carole Theriault
Oh my God! Is that not allowed either?
Graham Cluley
One mum received a text claiming that her daughter was drinking at the Shore. I don't know what that means. What does that mean, at the Shore? Is that a club? I don't know.
Carole Theriault
By the beach, maybe?
Graham Cluley
Oh, maybe, maybe. Smokes pot and uses as a screen name, Attention Whore 69. It's a bit tacky, isn't it, to be—
Carole Theriault
Well, she must have paid for that.
Graham Cluley
I mean, that's pretty exclusive in the— No, but you wouldn't want to be accused of that necessarily. Would you, of any of those things? Or for your mum to receive a message that about you as a teenager.
Yvonne Eskenzi
I don't know, drinking at the shore sounds quite nice.
Carole Theriault
Okay, you're a mom, Yvonne. Okay, so if you got these texts, you— what would you just ask your daughter and go, what is this? With pictures?
Yvonne Eskenzi
I would say, darling, what were you doing drinking at the shore?
Carole Theriault
Yeah, what is the shore, darling?
Yvonne Eskenzi
Explain to me.
Graham Cluley
I've met Yvonne's daughter. I wouldn't be surprised if she was drinking at the shore.
Yvonne Eskenzi
I'm drinking at the shore, and she was smoking her pot. And she was doing the Attention Whore 69. I suppose I would say to her, darling, that's okay to drink at the shore, certainly if you have to smoke pot, but actually the Attention Whore 69, no, not so sure. That's a great screen name.
Graham Cluley
Yeah, that's your PR advice as a professional from the world of public relations. You think that would be bad for the—
Carole Theriault
Okay, but what if she says, it's not me, Mom, I haven't done any of that stuff. I haven't been to the shore, I haven't been smoking pot, and that is definitely not my screen name.
Graham Cluley
Absolutely.
Yvonne Eskenzi
I'd say there was a crisis comms situation there.
Carole Theriault
Yeah.
Graham Cluley
Well, these teenage girls, some of them of course had been hiding the abuse from their parents. It's only when their parents got the messages as well that they said, "Oh yeah, this has been happening. I've been getting these for months and months." And you can imagine enough pressure on teenagers anyway, but getting those sort of things. So, it's been claimed that these pictures had been photoshopped, and the videos might actually be deepfakes to give the appearance of these cheerleading girls doing all of these things.
Carole Theriault
See, it's so interesting, right? Because there's so many different facets of parents, right? There would be parents that would freak out at the first sight of it. There would be parents that would kind of just go and chat with their kid and kind of go, hey, what's this? Talk to me. And there would be some that would just be like, something suspicious here. Like, you know, you can just see all the different reactions happening.
Graham Cluley
Yeah, yeah.
Carole Theriault
But also the kids thinking that the parents will kill them.
Graham Cluley
Yeah, right, of course.
Yvonne Eskenzi
But do remember, these are cheerleading parents, so they're going to be the ones that freak out.
Carole Theriault
Yeah. Yeah.
Graham Cluley
Well—
Carole Theriault
So it's all a lie. They were all photoshopped.
Graham Cluley
Well, this is the thing, that in reality, it appears that some of these pictures, for instance, have been screen grabs from the teenagers' social media where they might have had bathing suits on and the bathing suits have been digitally removed. And in other cases, the photographs may have been taken and then used in a deepfaking app in order to create these videos as well.
Carole Theriault
Okay, so who's the digital illustrator in the group?
Graham Cluley
Right.
Carole Theriault
Well— Right?
Graham Cluley
So, the police were obviously called. And the problem is that whoever was sending these texts and even these voicemails was using multiple different phone numbers. The investigators found that they were being sent using an iPhone app called TextFree. And TextFree cloaks your real number and identity and lets you choose whatever phone number, I guess, you want from a list.
Carole Theriault
Okay, so can I guess what happens next?
Yvonne Eskenzi
Is this like a whodunit?
Graham Cluley
Well, yes. And Hercule Poirot here is gonna twiddle his moustache in a minute and tell you.
Carole Theriault
My moustachette. So the cops— Sorry, yeah, I've lost where I'm at now. Because you made me laugh.
Yvonne Eskenzi
Sorry.
Graham Cluley
Oh, sorry. Won't happen again.
Yvonne Eskenzi
Whodunit? Whodunit? Who was it?
Graham Cluley
So the cops went to the TextFree service, and they were able to track the IP address to a home in Bucks County, Pennsylvania. It was the home of one Raffaela Spone.
Yvonne Eskenzi
Raffaela. Look, I can see Raffaela.
Carole Theriault
Oh my god!
Yvonne Eskenzi
You can see Raffaela now, can't you?
Graham Cluley
She's not a teenage girl. She's not a cheerleader. She is the mother of a cheerleader.
Carole Theriault
Are you kidding me?
Graham Cluley
No, a mother of a teenage girl on the Victory Vipers cheerleading team.
Carole Theriault
I was assuming it was going to be a guy. Isn't that weird?
Graham Cluley
No.
Yvonne Eskenzi
Yeah, I thought it was going to be some 16-year-old spotty teenage boy.
Carole Theriault
Yeah, who didn't get his way. Yeah, who just was trying to piss off everybody. Wow, so it was a mom.
Graham Cluley
According to reports, Raffaela Spone's daughter, she fell out with some of her fellow cheerleaders after another parent, another mum or dad, said, look, you're not to hang out with that girl anymore because she's bad news. Maybe she's been drinking at the shore or something. At the shore, yep. You know, something like that.
Yvonne Eskenzi
Smoking pot.
Graham Cluley
And the claim is that what this did to Raffaela Spone is it unleashed the Gorgon element of her, right? She erupted, rah! The kraken awoke. Because nothing knows the fury of a parent whose child has been badmouthed, right?
Yvonne Eskenzi
Yes. I know, I could tell you a thing or two about that.
Graham Cluley
Yeah, I bet you could, because it's just a primal instinct, isn't it?
Yvonne Eskenzi
Oh, it is, yeah.
Graham Cluley
How dare you do that to my kid?
Yvonne Eskenzi
I once did that. I once did that to a 6-year-old.
Graham Cluley
Well, you deepfaked a 6-year-old kid.
Yvonne Eskenzi
No, no, no. She was being horrible to my 4-year-old and I went up to her and I went, "You'll never do that again, ever." And I looked back and I thought, "God, she was only 6. That was really mean of me."
Graham Cluley
I always remember Oliver Reed explaining how to be scary in a movie. What you do is you don't shout at someone, you just go up to them and you very, very quietly say, "If you do that ever again, I will kill you."
Yvonne Eskenzi
I think that's actually what I did. I think that's actually what I did. It was in the school canteen.
Carole Theriault
I didn't know I was on the fucking show with two psychopaths.
Graham Cluley
Anyway, the police have seized Raffaela's phone, cell phones, her laptops, an Xbox, a modem, digital TVs.
Carole Theriault
Okay, just to be clear, the mum's pissed off, so she decides to just badmouth all the other kids and threaten them.
Graham Cluley
Allegedly. Allegedly.
Carole Theriault
Allegedly. Reportedly. Reportedly.
Graham Cluley
Yes, to try and get them thrown off. This is the claim that they're—
Carole Theriault
This is so that her daughter could get in.
Graham Cluley
Exactly. They will be thrown off. It'll be revenge. They will no longer be on the cheerleading team.
Carole Theriault
It's, you know, it's leveling the playing field for her daughter. That's what she's doing, literally. Interesting.
Graham Cluley
Allegedly. Well, Spone's own attorney says that she's denying everything.
Carole Theriault
Prove it, she says.
Graham Cluley
Well, and it says that she's received death threats because obviously people are very upset about this. She's had to go to herself, and her life has been turned upside down. There's no suggestion that the daughter knew about what was going on.
Carole Theriault
Well, what if she's being set up? That's not—
Graham Cluley
Oh, you love a conspiracy theory, don't you? You love a little twist.
Carole Theriault
Why is there a conspiracy theory?
Graham Cluley
Well, no, you just added an extra little twist in it, haven't you? It's just quite impossible.
Yvonne Eskenzi
But then to have your own attorney— what sort of people have their own attorneys?
Carole Theriault
Well, I guess, I guess you get one if your daughter's in a cheerleading squad, honey.
Graham Cluley
If you'll drag me into the cop shop, then you're a cool one. Now, you know, the thing is, though, that this deepfake technology is getting quite extraordinary. Have you encountered deep Tom Cruise on TikTok?
Carole Theriault
No.
Yvonne Eskenzi
I wouldn't mind.
Graham Cluley
Well, link's in the show notes. In fact, what I'll do is I'll play right now a video of Tom Cruise pretending to be a snapping turtle coming out of his shell. Click on that link right now.
Carole Theriault
Are you falling for that? You think that is actually something that exists on the planet? That deepfake?
Graham Cluley
What do you mean, do I think that exists on the planet?
Carole Theriault
Well, you're just saying they're so astounding that they're gonna fool people. I don't believe that Tom Cruise is actually a snapping turtle now.
Graham Cluley
No, but— no, he's— okay. He's not actually pretending to be a turtle, Carole. Have you watched the video?
Carole Theriault
No, I don't have the link.
Graham Cluley
It's in the bloody Google Doc.
Yvonne Eskenzi
It's in the Google Doc.
Carole Theriault
Okay, okay, TikTok impression time. This is a 5-second impression of a snapping turtle coming out of its shell.
Yvonne Eskenzi
He's still quite handsome, isn't he? So what this is, this is all pretend. It's not really what he's doing himself. Someone else is doing it for him.
Carole Theriault
Did it mess up my hair?
Graham Cluley
This, the guy you're looking at here, and the guy who runs this account is an actor called Miles Fisher, who is a fantastic Tom Cruise impersonator. Yes, but he doesn't look exactly like Tom Cruise. But what they've done, he does a great voice. He does all his quirks, all his Tom Cruise craziness, but they've deepfaked his face over.
Yvonne Eskenzi
That is phenomenal.
Carole Theriault
You know what, I kind of feel like I can tell it's deepfaked.
Graham Cluley
Really? Do you think?
Yvonne Eskenzi
Yeah, I think it's brilliant.
Graham Cluley
Absolutely. I think it's astonishing.
Carole Theriault
Well, look, I am—
Yvonne Eskenzi
I would fall for that totally, 100%. I'd fallen for that deepfake.
Graham Cluley
I find it— I think there's something— Imagine him saying, "Hi, Yvonne." I think there's something odd about it. But I think also there's something odd whenever you see a video of Tom Cruise. So it's not an unusual unsettling feeling which you're having. But it seems to me so plausible.
Carole Theriault
Why don't you try and be Tom Cruise? Do a Tom Cruise deepfake.
Graham Cluley
Well, I'm a little bit taller and possibly a little bit chubbier.
Yvonne Eskenzi
Well, you don't know though. When did you last see Tom Cruise? It could be chubby. He could be chubby now, couldn't he? Which means he could be a cheerleader.
Graham Cluley
Maybe he is CGI'd when he appears in the movies to get rid of his saddlebags.
Carole Theriault
Muffin top.
Yvonne Eskenzi
His muffin top. Tom Cruise with saddlebags. I that.
Graham Cluley
Yvonne, what have you got to talk to us about this week?
Yvonne Eskenzi
Okay, so we have had an awful lot of awful breaches, haven't we? We're just inundated with them at the moment. SolarWinds, you name it, they're everywhere. And I was actually thinking this the other day, that I actually think at some point I'm going to have to sit down with all my clients and say, listen guys, this is going to be you sooner or later because everyone is going to be breached at some point. And lots of people are not prepared. And it costs a hell of a lot of money if you are actually breached. I mean, I was having a look at some of the figures. Google, they were fined $50 million. H&M, $35 million. You know, where the hell did they get that sort of money from? BA, $22 million. So crisis comms. So this is something that we all should be doing. And especially as 88% of our companies are all going to be breached. So I thought it'd be quite fun rather than just to talk about what you're supposed to do, because of course you're supposed to do an awful lot of things to make sure that you don't get caught with your pants down. And the most important thing is actually to plan and to keep your head on and keep calm, all that sort of stuff, I thought we could do a bit of roleplay. Do you fancy that?
Graham Cluley
Oh yeah, I always love a bit of roleplay. It's been a long time and I've been under lockdown a while, so let's do some of that.
Yvonne Eskenzi
So we'll do some deep breathing.
Carole Theriault
Go into character.
Yvonne Eskenzi
We'll do some lovely deep breathing. Okay, so here we go. A breach occurs and you're in the IT security department of a major retailer called Mars and Bender. You've just got a call from two investigative journalists, one called Graham Cluley and the other Carole Theriault, and they've been tipped off that you've suffered a breach. You've not got any idea what they're talking about, so what's the first thing you do as you have them on the end of the phone? They tell you you've just been breached. Do you— can I give you this one? A, B, C, D?
Graham Cluley
Yeah. Okay, give us options. Yeah, yeah.
Yvonne Eskenzi
Okay, here's the options. So A, do you reply, well, no, we've not been breached, and deny it as you've not seen anything? B, do you decline to comment and say no comment? C, do you hear them out and tell them you'll come back to them once you've looked into the alleged incident? D, other.
Graham Cluley
Definitely other. I would say, oh no, not again. We had all this last week and we managed to somehow keep it out of the papers. "Thank you so much. Can you give me your details so I can get my lawyers to write to you to gag you from saying any more?" I think that would be a very successful approach.
Yvonne Eskenzi
That's one option.
Graham Cluley
That's one option. Yes, that's an option, yes.
Carole Theriault
No, I think another option would be you could call the Daily Journalist, "God, can I tell you what happened off the record?" Oh my God, that would be so awful.
Yvonne Eskenzi
So, for all of your listeners, you never say— don't ever say anything, it's off the record, because that's just amazing.
Graham Cluley
Yes.
Carole Theriault
Yes, I back him 100% on that. Never say that. Okay, so I think the right answer here, I think the right answer is C. Am I right?
Yvonne Eskenzi
Good girl, good girl.
Graham Cluley
What was C again? What was C again?
Yvonne Eskenzi
Hear them out.
Carole Theriault
Yeah, hear them out. Who, what, where, why, how them. Okay. Get all the info you can, say nothing, and say you'll get back to them. Yeah, something about the shadow around
Graham Cluley
And then say, that's really interesting. You know what? I'm gonna get back to you as soon as I can. Let me find out.
Carole Theriault
But let me talk to you about this new product we did this week. the edge of the face, it's
Yvonne Eskenzi
Okay, you both get A stars for that. You're very good at doing this. Okay, so what happens now? You put the phone down, you go, what the hell are you going to do now?
Carole Theriault
just— there's something wrong.
Yvonne Eskenzi
Okay. So what do you do? B, do you initiate your fabulous incident response plan that you've been practicing for the past 10 years? And this is your time to shine, right? And here we go. A, do you run into the toilet, be sick and pretend nothing's happening and then go off sick, go home, don't just don't tell anybody? Because you have been doing this day in, day out, right? C, oh my God, you have no plan in place, but you keep calm and you pull together an emergency team that includes all your functional management team, your legal counsel, your IT forensics, your CEO, your CISO, your finance, your comms, your HR. And actually you also get some legal advice and you pull in your PR team, Eskenzi PR.
Graham Cluley
Plug.
Carole Theriault
Is there a D or is that other?
Yvonne Eskenzi
D is quite an important one. It's issue immediately an internal statement for all your staff, letting them know what's happened with clear instructions of what to do. To do and not to do?
Carole Theriault
Oh, that's good. Interesting.
Graham Cluley
I know what the answer is.
Carole Theriault
Can I? Okay, that's good. But I'm gonna— I'm just— hold up, hold on.
Graham Cluley
You guess first and then I'm going.
Carole Theriault
No, I'm not guessing. I'm not guessing. I'm just saying something. I'm thinking it'd be great to get everybody together, right, and have a chit-chat and all agree on what to do. But having lived that nightmare in a large company, really, you have that situation where everyone disagrees. So you've got 12 people all there going, I think we should do this, I think we should do that, I think we should do this. So I think if we have a smaller team, I think PR is super important in there. IT is super important. CEO is super important. Head of security, right? But other than that, I would be need to know, need to know. Anyway, Graham, over to you. You have the answer.
Graham Cluley
My initial reaction is I would think about who I will make the sacrificial lamb. Who is going to fall on that sword for this?
Carole Theriault
Oh my God, it's gonna be that poor old bloody CISO again, isn't it?
Graham Cluley
However, if I wanted to win a point, I might be tempted to say a bit of a combination of B, C, and D, because I think you should have a plan, but sometimes a plan can be a bit dusty and Yeah, yeah.
Carole Theriault
An emergency call list.
Graham Cluley
I'd certainly want to bring a little team together, I think, to discuss it and bring some outside expertise too, and try and get a handle on it. maybe not have been all thought through. So, you may want to call some people together. I would certainly, from the PR point of view, which of course one of the areas you're coming from, Yvonne, I would want to control what kind of message comes out of the company and make sure that regular staff aren't tempted to speak to the press and give conflicting statements.
Yvonne Eskenzi
Well, I think that's actually key. So you're right, it's all of the above really, apart from being sick in the toilet, which is probably all of the above as well, and pretend nothing's happening and then go off sick. I think you probably want to do that too. You know what? I'm not—
Carole Theriault
Yeah, because I'm not in IT, but if it was all on your neck and you're thinking, holy fuck, everyone's going to blame me for this. And I think I would be, you know—
Yvonne Eskenzi
Well, actually, I wanted to survey, and I asked a load of security people if there's— if they've actually discovered a breach and have they actually rubbed it underneath the carpet and just not said anything to anybody. And a huge proportion of them had said they had done that, because I think that's— that's the natural instinct to do, isn't it?
Graham Cluley
I think another natural instinct is to put out a press release which explains it was a highly sophisticated attack. Advanced persistent threat. Yeah, so we couldn't possibly have been expected to beat it. And by the way, my name is Dido Harding. And blame it, and blame it on the intern. I thought that was such a really nasty thing to do.
Carole Theriault
Yes, yes, I know.
Yvonne Eskenzi
So now you've been breached. Now, now you've been breached. Okay, what's the score? Who's winning at the moment? I think you actually, well, I think you just did that one beautifully, Graham.
Graham Cluley
Normal afternoon. Thank you very much.
Yvonne Eskenzi
Thank you.
Carole Theriault
He needs to be in the lead. It's okay.
Yvonne Eskenzi
No, it doesn't need to be in the lead.
Graham Cluley
We just had this issue last week with another quiz.
Carole Theriault
He needs it with his ego.
Graham Cluley
Yeah.
Yvonne Eskenzi
Okay, so now, so now you know what the breach is. You've identified what's actually happening. It's with a third-party supplier. So now what do you do? Okay, A, do you avoid all journalists and all their calls? Do you B, email the journalist saying no comment? C) Do you tell them it's not your problem, it's a third party, and they should go and talk to the third party? Do you go back to Mr. Cuddly and Ms. Tickle Me and be as honest and as open as you can with as much clear information as you can give them? You need to explain the steps you're taking and tell them how you're moving forward with informing your customers and other stakeholders. You have a consistent message and all that jamboree.
Graham Cluley
I've got the feeling you're leading us in a particular direction here.
Yvonne Eskenzi
Do you feel that, Graham?
Carole Theriault
Because I was feeling that a little bit, a little bit, a little bit.
Yvonne Eskenzi
Do you prepare, which is what you just now said actually, Graham, do you prepare an ongoing statement that you issue to all stakeholders across all communication channels? Lots and lots of companies have this already prepared, don't they? They cut, paste, cut, paste, ready for it.
Carole Theriault
Yeah, I can answer this one, Graham, because I think I'll talk— I'll speak for both of us actually. I'm not confident on this answer, but I think the way when we've had these situations, we used to have a statement because it's all crazy when you're in the eye of the storm.
Graham Cluley
Yeah.
Carole Theriault
And I know it's you should stay calm, you cool, but it is incredible the amount of investor, business partner, customer pressure that is put on a company in that situation. And having a statement ready that you can just fire out and go, sorry, we need time. We will be publishing this information, but we need time to make sure it's all right. And we're not racing to get all the info out because you can get it so wrong. Yeah, people on It changes sometimes, you know, hour to hour. the list don't work there anymore, for example.
Yvonne Eskenzi
You're good. You're very, very good.
Carole Theriault
Thanks.
Yvonne Eskenzi
That's 15 years.
Carole Theriault
I have 15 years doing that stuff.
Yvonne Eskenzi
That's it. It is about being quick and it is about being prepared and it is, I think, very much about being honest and being in control and don't let other people force you or shape the narrative. And I also think the most important thing is owning up and taking responsibility.
Graham Cluley
Absolutely.
Yvonne Eskenzi
Yeah, hold your hands up and just kind of go, you know what, this has actually happened, we're looking into it, we're going to take responsibility, we're owning it, I think that's what people respect you for.
Graham Cluley
And even if it is a third party—
Carole Theriault
Graham, why don't you try it out? Try it out.
Graham Cluley
Just say, "I fucked up." Just say, "I fucked up." No, because I know you'll cut it out of the recording and you'll use it against me in future. But you're absolutely right, Yvonne, because I mean, it's just one of the rules on how to say sorry, isn't it? And even if it is a third party who's goofed up rather than you, your customer still wants to hear you say, this is not good enough, and we are disappointed, and we feel like we've let you down, and we're going to do what we can to put this right.
Carole Theriault
And seriously, it makes no business sense throwing your supply chain under the bus because they may have gotten fucked. Before you find out if they deservedly got fucked, you know, may as well do the— do you know what I mean? If you're supply— you can't just go, oh, go see the supplier that we've been paying because it's all them, not us, not us.
Yvonne Eskenzi
And what's really strange is if you're honest and you can be upfront about it, things work out at the end. Your share price may bounce back. You take a bit of a hit, or a couple of days later, things always seem to bounce back. And yes, it's yesterday's chips or newspaper, whatever you call it, the newspaper that's inside the chips. What are they called? Yesterday's fish and chips paper.
Carole Theriault
Yeah.
Graham Cluley
I think you're back to the Dunkin' Donuts again, aren't you?
Yvonne Eskenzi
I know, I'm going to die.
Carole Theriault
She's hungry. That's the problem.
Yvonne Eskenzi
I just started to diet, and everything comes down. Now it's clear.
Graham Cluley
Carole, what have you got for us this week?
Carole Theriault
All right, all right, you guys can kick back now. Close your eyes, and I want you to imagine you are a free and single, à la partner-free, adult.
Graham Cluley
Oh, wonderful.
Carole Theriault
And I also want you to imagine that you're terribly, terribly hungry for love. Okay, okay, so it's 2021. What do you do?
Yvonne Eskenzi
I know I do, obviously, instantly. I'll just immediately go and start to cruise around on all the dating sites. Fantastic.
Carole Theriault
Exactly. You hit the online dating scene.
Graham Cluley
It has all the excitement of meeting people and flirtation without the unpleasant yuckiness of actually having to meet them face to face. It's perfect, isn't it? What an ideal relationship.
Carole Theriault
And you slap up a profile and you wait for a computer algorithm or two to align you with some people. And maybe after 1,000 or so swipes, it's bonjour, bonjour time. Super hot, beautiful, beautiful person. You check the profile. Graham, you see Doctor Who lover, check. Peanut butter hater, check.
Graham Cluley
Right?
Carole Theriault
Knows who the Beatles are, check. Right? Yvonne, Tom Cruise lookalike, check. Check. Shore cruiser, pot smoker.
Graham Cluley
Check.
Yvonne Eskenzi
Dunkin' Donut lover.
Carole Theriault
So you find this perfect match, right?
Yvonne Eskenzi
Check, check, check, check, check.
Carole Theriault
And then you see an option at the bottom of the profile, a button that says click here to upgrade to find out if this person has had any involvement with violent crime.
Graham Cluley
With violent crime.
Carole Theriault
Do you upgrade?
Yvonne Eskenzi
That's great.
Graham Cluley
Well, it's handy if you're looking for someone to rob a bank with or something, I suppose.
Carole Theriault
Violent crime, crime, sexual harassment crime, or—
Graham Cluley
I don't think most people are looking for a date that though, Carole. Aren't they looking for someone who isn't involved?
Carole Theriault
So you get to vet your match to make sure, check their history at a swipe of a button to see if they have anything on record. Anywhere.
Graham Cluley
Also, this isn't—this isn't that people have filled in their dating profile and said, oh yes, I've been done for assault.
Carole Theriault
No, it's a new service. Okay, so, so the idea is, would you press the button? So Yvonne, you were, yeah, right away I'd click it. I would too, totally, right? I'd be, I'm new to the dating scene, I don't want to be in a sticky, shitty situation.
Yvonne Eskenzi
No, does it tell you whether they've actually been smoking pot by the shore?
Carole Theriault
No. Let me give you the background and then you guys can question me at go-go and see what I know. So this is Match Group. Match Group own Tinder, Match, Meetic, OKCupid, Hinge, Pairs, Plenty of Fish, a ton of dating sites.
Graham Cluley
That's amazing.
Carole Theriault
It is incredible. And they're all competitors.
Graham Cluley
The Procter & Gamble of dating.
Carole Theriault
Unbelievable.
Graham Cluley
Yeah.
Carole Theriault
Now, Match Group has made a significant contribution to a company called Garbo. And Garbo is a background check platform.
Graham Cluley
Hang on, wasn't Greta Garbo famous for saying she wanted to be alone? Yeah, well, seems a bit strange for a company involved in dating to name their company. Wait, it's so interesting, right? So, okay, so Garbo collects public records and reports of violence or abuse, okay? Okay.
Carole Theriault
And the point of Garbo is to help you proactively prevent violence by providing people transparency and info about whoever they connect with on dating sites. Okay, so let me just— I'm gonna pivot quickly. So 3 things are highlighted on Garbo's website. Okay, so 3 things that they highlight. First, no last names required. In most cases, all you need to search is just a first name and a phone number. Okay. 2, we are aggregating dozens of data sources to provide the most comprehensive view into someone's history, including arrests, convictions, orders of protections, and more fabulous. And third, we accept your evidence. So if you want to submit some stuff and submit convictions and arrest information, they'll look at it and add it to their database if they feel it's right. Questions, thoughts at this stage?
Yvonne Eskenzi
I actually think it's brilliant. And because I think that's the biggest fear, is it not, that as a woman you have no idea of the guy that you're talking to, that he could be some mass rapist or some weirdo. And actually, from all my friends and my kids and stuff that have dated, they've always thought it'd be a good idea. I think it's still a good idea that you rate your exes as well, like a review, and you kind of go, you need to look out for this guy because he's got the following problems. That'd be really good.
Carole Theriault
That's interesting, actually. I'm going to think about that, the whole rating, the rating of us. Yeah, it's interesting.
Yvonne Eskenzi
It'd be good, wouldn't it? Because you're not going to talk about how horrible you are or your kind of, you know, your failings or your shortcomings. But all your exes would immediately, brilliantly summarize it fantastically for you, wouldn't they?
Graham Cluley
So, yeah, yeah.
Carole Theriault
So Yvonne's clicking upgrading. Graham?
Graham Cluley
It's perhaps less of an incentive for me because, to be honest, well, I'm a man, and I think I'm less worried probably about encountering someone who's violent via online dating. It's really— well, I mean, I don't think I've encountered anyone violent during my dating life. I have encountered people who didn't know who the Beatles were, and I had to dump them when I realized I wasn't going to be able to talk to them about the Beatles.
Carole Theriault
You're saying basically, I'm not going to have this problem, so I don't care.
Graham Cluley
Well, no, it's not that I don't care. I think my other concern would be if the information is reliable and how that's— what you're going to do if sort of poisoned data gets into the database. How would you have that extracted from there? From your record would be a concern. So I totally get the fear there must be amongst some people and the anxiety about meeting someone who's going to be inappropriate or may cause problems in the future, but I would also worry about toxic data.
Yvonne Eskenzi
But it is the biggest concern of a woman, certainly, when they're actually dating. That's definitely the biggest concern. So that's just really, really such a wonderful idea.
Carole Theriault
Okay, well, so I have a few things I wanted to discuss. So these are things I thought about too. So one, they talk about arrests being listed, right? So say someone is arrested for something violent, like, I don't know, whatever, something awful, but they're never prosecuted. So when you're arrested, it's different from in the court.
Graham Cluley
Of course.
Carole Theriault
You get arrested and then the police then hand it over to prosecution. They decide, oh, we're doing nothing with this, or we are doing something, we're going after them, we're not going after them, whatever. But there's still an arrest report. Some people get arrested and shouldn't be, right? It could be contested or unwarranted or— I mean, at a time when we don't even trust police forces in USA, where this is where it's going to be trialed, is in the States, not here in the UK. But that worries me a bit because if it was all people that had been convicted of a crime—
Graham Cluley
So who's going to store this data? Is it going to be stored reliably as well?
Carole Theriault
Couldn't find much information on the actual specifics of how they're running this. So there's a lot of press articles about, hey, this is cool. No one's kind of questioning— I'm questioning it a little bit. The other thing is, so Match Group is going to be charging for this. This is going to be a service fee on top of the Tinder fee, it's an add-on.
Yvonne Eskenzi
Who pays? So who pays, the women or the men?
Carole Theriault
You pay to go see, to have access to the reports on the person you're dating. So I think the gender is irrelevant, right? Someone may want to do this on, right? They may want to go, I'm— oh, I'm looking at Yvonne, she's kind of cool, but I just want to know if she's got a violent background. How do I go check that? Pay and go and do it. So I was thinking at first they shouldn't have to make you pay, but then I thought, if you don't make people pay, every single teenager, employer, teacher, employee, student will use it on anyone they know at any given time, all the time.
Yvonne Eskenzi
Yeah, you've got a good point there. Absolutely.
Carole Theriault
So then they have to charge maybe to stop the abuse of it. Maybe.
Graham Cluley
How is the data tied to an individual? How is that link made? That's what I don't— so when you create a dating profile, imagine I was— imagine I've done a few dodgy things in the past.
Carole Theriault
Okay.
Graham Cluley
I should have been arrested a little bit in the, you know, some nastiness I might have done in the past.
Yvonne Eskenzi
Not Mr. Cluley.
Graham Cluley
But there I am, right? I've created a dating profile. Do I have to give them my National Insurance number, my Social Security number, or— Well, this is the other thing that bugs me about this.
Carole Theriault
They say often all you need is a first name, not even a last name, and a phone number.
Graham Cluley
That doesn't sound right.
Carole Theriault
And when I saw that, I was like, that's not a SIN number. That's not your social insurance number. That's not your identifiable number.
Yvonne Eskenzi
It's—
Graham Cluley
No, people's phone numbers can change. Other people can get hold of your phone number.
Carole Theriault
I was thinking the poor SIM swappers, right?
Graham Cluley
There's them. I don't know. I don't know. I mean, I—
Carole Theriault
There's more. I know it's complicated. I'm not saying there's an answer here.
Graham Cluley
Do you think we should just brand people?
Yvonne Eskenzi
Well, you could look into— they could look into their
Carole Theriault
So say you've gone to prison, Graham, or say you were convicted of a crime, right? And you went and did your stuff, and you did all your prison stuff, and you did all your time on the chain gang. Yep, you're reformed, you're back into society, and you're trying to reintegrate and say, look, I'm now a new person.
Yvonne Eskenzi
eyes the old-fashioned way.
Carole Theriault
And guess what? No one dates you.
Yvonne Eskenzi
You don't care. Don't care.
Carole Theriault
Yeah, so Yvonne's like, I don't care, you're not dating me.
Yvonne Eskenzi
You've been in prison. I'm not dating anyone that's been in blinking prison, and I'm not dating anyone that's been violent either.
Graham Cluley
Maybe I was convicted of a crime I did not commit. I was David Banner, the Incredible Hulk.
Carole Theriault
Or what if you weren't convicted though? What if you were just arrested for a crime you didn't commit?
Yvonne Eskenzi
Write that in the blurb. So when you talk about yourself, you'd actually kind of go, oh, I was actually not— I actually didn't really do it, but I'd been in prison for something I never did. Talk to me about it.
Graham Cluley
There are some women who deliberately contact serial killers in prison and things, don't they? And they get into relationships with them. This may actually be an attraction to some people.
Yvonne Eskenzi
Yeah, and they marry them, yeah.
Carole Theriault
Yeah, yeah. Why is Match Group leaving it up to the user? Oh right, why isn't Match Group saying, look, you know what, we've decided we're going to run background checks on everyone that appeals, that comes in and does our, you know, wants to be part of our service, and if you don't meet specific requirements which we decide privately, you can't join?
Yvonne Eskenzi
I think it's a money
Graham Cluley
I think it's a load of old nonsense. I think that, I think they're just waving this under people's noses, saying, isn't this going to be good?
Yvonne Eskenzi
spinner, or it's legal, they're
Graham Cluley
Isn't this going to be good in the day? The truth is that if you've got a— if you find out that your particular dating site does this, all you're going to do is get a different phone number and call yourself Nigel rather than Harry.
Yvonne Eskenzi
discriminating against people. It is a unique selling point, actually. So it's actually kind of, would you go to that website just because they offer that information? And I actually think it's a really good idea. I like it a lot, and I would probably say to my girls, do pay that extra money.
Carole Theriault
Yeah, yeah. You know, remember Clearview AI, right? So Clearview AI, you would just throw a picture of any person in it and out would spew every single picture on Instagram, Facebook, LinkedIn, all the social sites, all the Google blah blah blah blah blah. And we were all wow, that's a bit crazy. That curated amount of information about someone is a bit dangerous.
Yvonne Eskenzi
I don't know, it's a difficult one, isn't it?
Carole Theriault
I've really wrestled with this one. I'm all ears, listeners. Help guide me. Tell me what you think. Tell me how you think we should— how this should go. But I think it's going to change the face of what we are expected to know about other people.
Graham Cluley
Maybe we should just— maybe we just shouldn't do online dating. Maybe we should just tie a knot in it, right? And hang on.
Carole Theriault
Tie a knot in what?
Graham Cluley
Well, all right, I was talking for myself. But we should hang on until after lockdown. Ah, that's what Lionel Richie— that's what my mum used to And just meet ladies the old-fashioned way, at a pottery course or something that. Something lovely.
Yvonne Eskenzi
Oh, it's like me. They're not— they're in my pottery. I do a pottery class actually, and they're all over.
Graham Cluley
tell me. If you're ever unsure how to treat a woman,
Yvonne Eskenzi
It's so fabulous, I can't even tell you. But they're all very, very old, and their hands are getting very crippled. You know, but there is something very lovely about playing with pottery and doing the pottery.
Graham Cluley
just think, what would Lionel Richie do?
Yvonne Eskenzi
You're not going to get picked up in a pottery class, Graham.
Graham Cluley
No, you don't think there'd be a— you could be my Demi Moore and I could— no, we couldn't.
Yvonne Eskenzi
In your dreams.
Carole Theriault
Okay, let's go to break. You know you can't do business without technology, and you also know you can't securely access technology without identity security. Enter SailPoint. Identity security for the cloud enterprise. It enables access and protects businesses with automated, managed, and governed access in real time with AI-enhanced visibility and controls. SailPoint lets companies run with speed, security, and scale in a cloud-critical, threat-intensive world. Plus, it tracks usage and enforces policies for all users, apps, and data. Continuously. Want to learn more? I bet you do. Check out smashingsecurity.com/salepoint. That's smashingsecurity.com/salepoint. And thanks to SailPoint for supporting the show.
Graham Cluley
This week's podcast is also sponsored by 1Password's Random But Memorable podcast. Random But Memorable is a podcast filled with lighthearted security advice and banter with hosts Matt, Anna, and Michael. I've been on the show myself, so I can confirm it's great fun. Tune in to Random But Memorable to hear about the latest security horror stories. They've produced over 50 episodes covering data breaches, password hacking, surveillance, and more. Check out Random But Memorable in your favorite podcast app, and thanks to 1Password for their support.
Carole Theriault
Hey, Clue Clue, did you hear my CrowdSec special interview that I did? Yes, yes. Yeah, I've heard it. Okay. I don't know if— I don't know if I believe you.
Graham Cluley
Oh, okay. CrowdSec, they're building a community where you, SecOps and DevOps can join forces around the world and actually make a difference against all the new attacks which are coming out. Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more. Okay. Tell me how they analyze visitors' behaviors. Okay. Yeah, they analyze your visitors' behavior. They deal with the malicious traffic and, oh yes, they automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.
Carole Theriault
Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this. So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net/smashing.
Graham Cluley
And Smashing Security listeners, there's a special offer just for you. Go and join the CrowdSec user community and you could win free tickets to the next RSA conference. Just go to crowdsec.net/smashing. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Yvonne Eskenzi
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Now, if I was on an online dating site, which I am not, but if I were, then I might be thinking all the— oh, crumbs, you know, I'm getting notifications all the time.
Carole Theriault
I'm so popular in that imaginary world. I feel like the Fonz.
Graham Cluley
Oh my goodness. Yeah, I just can't keep track of it all. All the time it's going ping, ping, ping, and it's oh, there she is, there's Sheila, there's Fredrika, you know, I don't know, is it just a name? You know, there's a Bertha, they're all contacting me, right? But I might have a special one. There might be someone special. I think, oh, she's a little bit fruitier than the others. Maybe I'm a little bit more interested in her, in Camilla or whoever, than the others. In which case I might want to assign her a different noise. And my pick of the week this week is all to do with notification tones because I've been getting, I'll be honest with you. I've been a little bit bored under lockdown.
Carole Theriault
Oh, I thought you were going to give me credit for giving you this Pick of the Week at that point when you said you were going to be honest, but okay.
Graham Cluley
And so I said to my friend Carole earlier today, I said to her, I said, maybe, maybe there's somewhere we can go and find some different notification sounds so that we can get away from the humdrum standard ones, which comes smartphone. And there is a website called notificationsounds.com. Which will give you a long list of bings, bongs, and burbles, all Creative Commons, and they're cute. And it's a cute little site. You can download them on your phone or your Android or your whatever. And each has its own little cute little write-up. And so I've been spending the day changing my notification sounds for different people. So if Carole texts me, for instance, she'll give me a— I had the no tone I choose. And then for other people, I might choose a little bling, a little bling of joy or a little— Anyway, notificationsounds.com. I know it's not revolutionary.
Carole Theriault
Note to all the friends of Graham Cluley, make sure to text him when he's in the room just to find out what your noise is.
Graham Cluley
And that is my pick of the week.
Yvonne Eskenzi
Funny.
Graham Cluley
Yvonne, what's your pick of the week?
Yvonne Eskenzi
My pick of the week is a fabulous one. My daughter Jasmine has been raving about her favorite app called Blinkist. For Mother's Day, she got me Blinkist. It's a phenomenal, phenomenal, phenomenal app. It's really cool. It's basically every single bestselling book wrapped up into 15 minutes. You read all the highlights of that particular book in a 15-minute—
Graham Cluley
15 minutes?
Yvonne Eskenzi
15 minutes. 15 minutes. So, literally, the book is summarized in sort of what they call 6 or 7 blinks, and they summarize it. You read it, and in 15 minutes, it has to be in 15 minutes, and then, if you haven't got even time to read it in 15 minutes, you can listen to it, a little shortcast, and I'm loving it. I'm listening to it before I go to bed, and when I wake up, and I go for a walk, and I've learned so much because I'm trying to learn a lot about creativity and productivity for an app that I'm building, actually, so it's quite fun.
Carole Theriault
Wow, okay. So when you first said that, when you said books, I was thinking literature, and I was thinking what? So it's a kind of Cliff Notes of maybe Shakespeare or something, but it's not. When I'm looking at all the collections, it's more kind of society and culture, nature and environment, psychology, all the— so it's more kind of fact-based information, and you get it in smaller nuggets in here. So you can kind of—
Yvonne Eskenzi
Exactly, cool.
Carole Theriault
Exactly.
Yvonne Eskenzi
It's fabulous. And all those self-help books and everything like that, that basically are saying the thing throughout the whole chapter, you know, throughout the whole book anyway. It just summarises all the sort of salient points, and it's really clever.
Graham Cluley
Is an app like this completely safe? If I were, for instance, to read a book, I don't know, DIY Dentistry or DIY Brain Surgery or something like that, would I want the 15-minute summary, or should I really be encouraged to read the full book?
Yvonne Eskenzi
But you can read the full book. So what's happened with me is there's some I've actually listened to, and I thought, I want to buy that. I want to buy that. It's really fantastic.
Graham Cluley
Oh, I see.
Carole Theriault
It's kind of like a sample.
Graham Cluley
Exactly.
Carole Theriault
Cool. Okay, so that is Blinkist.
Yvonne Eskenzi
Yes. Fabulous.
Carole Theriault
An app. And there's also a website as well, blinkist.com. I'm looking at it now.
Yvonne Eskenzi
Yeah, that's good. It's good. I really, really— because I know you said this to me and I thought, oh, have I just bought myself a cheese grater? But no, I haven't. I thought this would be better.
Carole Theriault
It's funny you say cheese grater. Okay, Graham, walk me in. I've got a great one.
Graham Cluley
Crow, what's your pick of the week?
Carole Theriault
Okay, I'm setting the scene for this one, okay? Sunday afternoon and we're having, we're recovering at home from a little fracas that happened, okay? So fracas in my house are rare, pretty poignant when it happens. So everyone's a little bristly still in the house. And I decide to olive branch myself out to the situation, offer to cook a big roast dinner, right? Roast veggies, roast potatoes, pistachio sauce, which is the most delicious sauce in the fricking universe. Anywho. Almost ready, right? Smells amazing. And I take the pan out of the oven and check it. And I say to the Wookie husband, I said, "Don't touch the frying pan, okay? Just came out of a 400-degree oven." And then I pick up the frying pan with my bare right hand. So we're talking 18 points of contact on my right hand along the frying pan handle.
Yvonne Eskenzi
Oh no. Oh golly.
Carole Theriault
So my pick of the week—
Graham Cluley
Is a replacement hand.
Yvonne Eskenzi
Aesthetic.
Carole Theriault
I cook a lot and I do get into little kitchen accidents fairly regularly. So immediately, you know, do what everyone does, plunge your hand in freezing water and really for a long time, 10 minutes, much longer than you think, as long as you can handle it. But I have two other tips. One is get yourself some burn gel.
Yvonne Eskenzi
Yes.
Carole Theriault
I used Acriflex.
Graham Cluley
Yes.
Carole Theriault
It is godsend. My hand right now, I would not even, I think, been able to do this podcast. Fast, and I would certainly not be able to edit or use a computer after what happened. But because of— and I used probably half a bottle of the stuff or half of the tube, but my hand is incredible shape considering.
Yvonne Eskenzi
Yeah, we've got Hold on, hold on, Carole, are you sure about that? I'm sure that was an old wives' tale, that one. that. We use it.
Carole Theriault
No, I'm not saying smear it on. I'm saying use it as a cold brick, because I was in searing pain for at least 7 hours after it happened, and clinging on to that frozen butter was my life-saving element. Yeah, Acriflex, everyone buy it and throw it in your drawer because you will be
Graham Cluley
Do you mean the butter while it's still wrapped up?
Carole Theriault
Yeah, the butter's wrapped up, it's in the freezer, right? It's just a cold block, it's just an ice block, but it's not water, and it doesn't stick to your hand. It doesn't freeze at the same temperature as water, so it's not uncomfortable. so thankful. And the other thing is a DIY tip, is get some butter from It just has beautiful coldness of— and then as soon as it starts to melt, throw it back in the freezer. I have two now in there. the— put some butter in the freezer for exactly this situation.
Yvonne Eskenzi
The old wives' tale used to be put a smear butter on it. Did you know that? Smear butter all over?
Carole Theriault
Well, you know, I can understand that because that night I did smear it completely with stuff to make sure it didn't blister too badly, and that totally helped as well. So I imagine that's just a moisturizing cream, you know. I imagine that's the idea of it anyway. My hand's in good shape, but get yourself burn gel stuff.
Yvonne Eskenzi
And that's such good advice. I think that's brilliant. My niece did that about a month ago. She burnt herself exactly like you. She was doing her cooking and she burned herself so badly, and then she actually jumped back but didn't realize that she broke her foot because the burn was so bad. So she— and the pain— so I actually do really sympathize with you. The pain was so bad that she didn't realize she'd actually broken her foot. It was about 4 days later she couldn't understand why she couldn't walk, and she's a doctor.
Carole Theriault
Oh my God, that's awful. That must have been so painful. She didn't even know her foot was broken. Okay, well, the takeaway here, guys, is don't burn yourselves. But if you do, burn gel. Acriflex. Have it in the house. Lifesaver. And that is my pick of the week.
Graham Cluley
Fantastic. Well, on that terribly sensible note, all it requires is for me to remind you to seek medical advice and don't hold Smashing Security's responsibility. I'm responsible if anything bad happens. But that just about wraps it up for this week. Yvonne, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way of doing that?
Yvonne Eskenzi
They can go on LinkedIn or they can go on Twitter. They can always email me at .
Graham Cluley
Fantastic. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G. And we're also on Reddit on the Smashing Security subreddit. And don't forget, make sure you never miss another episode. Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Google Podcasts.
Carole Theriault
And huge thank you to this week's episode sponsors, 1Password, CrowdSec, and SailPoint, and to our wonderful Patreon community. Thanks to all of them, this show is free for all. And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 218 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time. Cheerio. Bye-bye.
Carole Theriault
Later, skaters. See, I'm just trying to cling to youth there. It's me.
Graham Cluley
What do you mean? I don't understand. What do you mean, later, skaters? What do you mean?
Carole Theriault
I'll see them next week. It's like I'm in a skate park.
Graham Cluley
All right.
Carole Theriault
OK. And I'm like, later, later, dudes.
Graham Cluley
What generation are you, Carole? Are you Generation X, Y, Z. Which one are you?
Carole Theriault
I'm very multifaceted.
Graham Cluley
Generation X, Y, Z. What, which one are you?
Carole Theriault
Certainly not the marmy one.
Graham Cluley
No.
Carole Theriault
Okay, I'm stopping recording.
EPISODE DESCRIPTION:
How are cheerleaders being creeped out by deepfakes? What might Tinder tell potential dates about your murky past? And how should companies respond to the press when a security breach occurs?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Yvonne Eskenzi.