
237: NuNa, NuNu, NaNa


Spy software known as Pegasus has been used to carry out surveillance on the smartphones of journalists, activists, and political leaders. Can a "Freedom Phone" be trusted? And a ransomware-hit law firm demonstrates how not to keep its customers informed.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Visit https://www.smashingsecurity.com/237 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Thom Langford.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. Customers may return the Freedom Phone unopened within 30 days of purchase. Now, I can understand that if it's a pair of underpants which you bought, that they wouldn't accept it back, but it seems a little bit unfair.


THOM LANGFORD. How do you know if you don't like it if you've not used it?


GRAHAM CLULEY. Before you've opened the box.


THOM LANGFORD. Oh, I know.


CAROLE THERIAULT. It's like your toilet paper, right, Graham? You can't return that.


GRAHAM CLULEY. Well, not once I've used it, no.


CAROLE THERIAULT. Well, once you've opened the package, presumably either. You can't just show up and say, sorry, I only used one of the 250 rolls.


THOM LANGFORD. I didn't need all of them.


GRAHAM CLULEY. I needed quite a lot. I couldn't get all of them this time.


THOM LANGFORD. It was quite a long year.


UNKNOWN. Smashing Security, episode 237, Nuna, Nunu, Nana, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 237. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week we're joined by returning guest, it's Thom Langford. Hello, Thom.


THOM LANGFORD. Hello, hello, hello. Good morning, good afternoon, good evening.


CAROLE THERIAULT. You lifesaver.


THOM LANGFORD. Apparently so. Apparently I'm somewhere on one of your lists of people to call in case of emergency.


CAROLE THERIAULT. Right. We had another guest scheduled today, didn't we, Graham, who had to dash off and do real work.


THOM LANGFORD. Dead to you now, obviously. Absolutely dead to you.


CAROLE THERIAULT. Yeah, well, we got you on speed dial, don't we, Thom?


THOM LANGFORD. Apparently so.


CAROLE THERIAULT. You're welcome.


THOM LANGFORD. Yeah, I mean, getting woken up at 3 AM by Carole's kind of going, Thom, Thom, Thom.


CAROLE THERIAULT. Okay, there's some wee jokes there.


THOM LANGFORD. I mean, it sets you up for the day, what can I say?


CAROLE THERIAULT. Thanks to this week's sponsors: 1Password, Offensive Security, and KnowBe4. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I am going to be getting somewhat classical with you. Back to the classics.


CAROLE THERIAULT. Okay, and what about you, Thom?


THOM LANGFORD. Uh, I'm celebrating my freedom.


CAROLE THERIAULT. Celebrating your freedom. Okay, and I am heading to professional services to figure out who has the most pertinent and private information. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I don't know about you, but I love a Greek myth. That's not a—


THOM LANGFORD. do you?


GRAHAM CLULEY. It's not a young woman from Athens with a speech impediment. That's what Greek myths— I, I love all that. Didn't you love all that when you were a kid?


CAROLE THERIAULT. Well, I still do. I'm just surprised we've never talked about this.


THOM LANGFORD. Stephen Fry does a huge amount of Audible books on this stuff, doesn't he? Yeah, really good at them.


CAROLE THERIAULT. Mythos, isn't it?


THOM LANGFORD. Mythos. Yeah, that's it. They're really good.


GRAHAM CLULEY. Yeah, well, you've heard of Medusa, haven't you? Remember Medusa?


THOM LANGFORD. Yes.


GRAHAM CLULEY. Oh, she was a scary gorgon, wasn't she?


CAROLE THERIAULT. I wore that as a Halloween costume once.


THOM LANGFORD. I did.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Did you have all the snakes in your hair?


CAROLE THERIAULT. Yeah, I filled them all like little socks, like nylons, and I filled them with cotton wool. And they were just with wire and like, you know, what do you call them? Wire hangers.


GRAHAM CLULEY. Oh, really?


CAROLE THERIAULT. Yeah, it looked great. I might do that again, actually. That's a good outfit.


THOM LANGFORD. I did that with one sock once, but I didn't wear it as a hat.


GRAHAM CLULEY. Oh, please.


CAROLE THERIAULT. Oh, you need help down there, do you?


THOM LANGFORD. Of course.


GRAHAM CLULEY. Carole, going back to you. Did you turn people to stone? Did you turn them rock hard?


CAROLE THERIAULT. No, I'm not even going there.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Ask Thom.


GRAHAM CLULEY. And you've probably also heard of Poseidon, right? Do you remember Poseidon? I remember that. Bank holidays, BBC.


CAROLE THERIAULT. I don't remember which one he did. Is that the one?


THOM LANGFORD. Clash of the Titans and—


GRAHAM CLULEY. No, no, no, I'm talking about Poseidon Adventure.


THOM LANGFORD. Oh, oh, right, right, right.


CAROLE THERIAULT. Sorry, we just moved from Greek mythology, okay.


THOM LANGFORD. Crappy B-movie Hollywood films.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. It wasn't crappy, it was brilliant. The liner capsizes in the Atlantic on New Year's Eve. Gene Hackman and Ernest Borgnine and Shelley Winters clambering up a Christmas tree trying to escape their watery grave. Yes, yes, it was also the Greek god of the sea. Well, I don't know if you know enough about Greek myths, but I discovered that one day, possibly via a dating app, Medusa and Poseidon, they got together. Did you know that?


THOM LANGFORD. How did that work?


GRAHAM CLULEY. Well, I think Poseidon put a bag over Medusa's head to prevent himself, right, you know, right, having that particular problem. But from their unholy union was born an immortal winged horse called Pegasus. Pegasus, a bit strange, isn't it, to have it off with a snake woman and out comes a horse?


THOM LANGFORD. So between a fish man and a snake woman, a winged horse comes.


GRAHAM CLULEY. That's right. And worse than that, worse than that, if you remember your story of Medusa and how she was killed by Perseus, who beheaded her, Pegasus the horse actually sort of popped out of her pregnant body after she was beheaded. A bit grisly.


CAROLE THERIAULT. Do you think this was the first instance of disinformation in the written world?


GRAHAM CLULEY. Well, you don't believe this.


THOM LANGFORD. I think actually it's the first story of bro culture and a bunch of dickhead males, because Medusa, she gets the snakes for hair and turns anybody who looks at her into stone. And she thinks, you know what, in order to not sort of upset anybody, I'm going to go live in this cave. And yet every day some fella wants to go in there, you know, take a look, etc. And then she's surrounded by, you know, stone men.


CAROLE THERIAULT. Yeah, well, of course. But good thing for her, she can see 360, right?


THOM LANGFORD. Because the snakes were just minding her own business, for goodness sake.


GRAHAM CLULEY. Well, what has got my goat right now this episode is that the, is the wonderful story of Pegasus. It's been taken away from us because it's not just classic myth now, Pegasus. It's also the name associated with some rather nasty spyware. Because Pegasus is the name given to some smartphone spyware developed by an Israeli company called NSO Group. Have you heard of NSO Group?


CAROLE THERIAULT. I am very glad you're talking about this, Cluley, because I've seen this in the press, and I haven't followed the who, what, where, when, how. So I know nothing of the story.


GRAHAM CLULEY. Oh, right.


CAROLE THERIAULT. So you can educate me, like as if— Tell me like I'm 5.


GRAHAM CLULEY. Well, they've called their spyware Pegasus, after the classical mythical winged horse, because apparently it can be sent flying through the air to infect phones.


CAROLE THERIAULT. Did they explain this?


GRAHAM CLULEY. That's—


CAROLE THERIAULT. Or is this you?


GRAHAM CLULEY. No, I think this is how it got its name. Yes.


THOM LANGFORD. Does it make clip-clop whinny sounds as it infects your phone?


CAROLE THERIAULT. Listeners, this is when Graham assumes. I could tell in his voice. Okay, carry on. You're doing great.


GRAHAM CLULEY. Well, Pegasus, the spyware, has been back in the news this week. It's actually been known about since 2016, when a human rights activist called Ahmed Mansoor received a couple of suspicious SMS messages on his iPhone. And being the sort of type who has been regularly surveilled and suspected of being up to no good by the regime over there, he was smart enough to pass on these links to Citizen Lab, the security researchers there, and they looked into it and they discovered some sophisticated malware lurking at the other end. And it was claimed at the time that he might be the most spied upon person in the world.


CAROLE THERIAULT. God, can you imagine having that?


THOM LANGFORD. God.


GRAHAM CLULEY. Well, that discovery back in 2016, that prompted Apple to push out some urgent security updates to everyone's iPhone, because they were worried that other people might be susceptible to this, may click on links and have their phones compromised. But of course, that was back then, right? And in the years since, there's been a lot of allegations about the activities of NSO Group and information about how the Pegasus spyware has developed over time. For instance, a couple of years ago, Facebook claimed that Pegasus was being used to intercept WhatsApp communications between activists, journalists, politicians in India, all of the, you know, all the real top people, podcasters probably as well, you know, all the really—


CAROLE THERIAULT. I don't know if we'd be that interesting, honestly. We record everything we say, so I don't know.


THOM LANGFORD. That's right.


GRAHAM CLULEY. Anyway, there were accusations that the Indian government may have been behind the attack because of the nature of the journalists and activists and politicians who were being targeted. And NSO Group, what they say when you go to them with an allegation, they say, oh, look, look, they do a little shrug. They're not French, but—


THOM LANGFORD. No, I was gonna say, yeah.


GRAHAM CLULEY. But you know, they do that in a kind of Israeli way. They say, look, our products are only used against criminals and terrorists, so they shouldn't be used in any other way, and we sell it with that stipulation that no one's going to use it in any other way. And yet, over in Mexico, drug cartels, actual criminals, were using the spyware to spy on journalists. So there are journalists in Mexico who were uncovering criminal activity in Mexico.


CAROLE THERIAULT. Yeah.


THOM LANGFORD. So do you think that they might have, I don't know, ignored the end-user license agreement?


GRAHAM CLULEY. Well—


CAROLE THERIAULT. Probably didn't read it.


GRAHAM CLULEY. Does anybody?


CAROLE THERIAULT. Yes, some people do.


GRAHAM CLULEY. It's a bit— Even if they did read it, they could just say, no, no, I accept these terms. It's a bit like when you fly to America and they say, are you a Nazi war criminal? And they ask you all these questions, you say, no, no, of course not, of course not, except for that one fancy dress party at university. I think that's Prince Harry. Yes, I don't think—


THOM LANGFORD. well, allegedly he's moved on.


GRAHAM CLULEY. He doesn't like that photograph to come out.


THOM LANGFORD. No, no, exactly.


CAROLE THERIAULT. He's got a tell-all book coming out apparently, I read.


GRAHAM CLULEY. Yes, yes, that's terribly, um, exciting.


CAROLE THERIAULT. Anyway, carry on, Graham. I'm really more interested in your story.


GRAHAM CLULEY. Yes. Now, do you remember, uh, Jamal Khashoggi, the journalist?


THOM LANGFORD. Yeah. Oh yes, yeah.


GRAHAM CLULEY. Oh my goodness, the most horrendous story. He was chopped into little pieces at the Saudi consulate in Istanbul. He went there to get his visa stamped or something like that. Now, it's said that the Saudi authorities used the Pegasus spyware to track and spy upon him. So it already had a bit of a bad name, Pegasus.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So what's happened this week, I hear you ask?


CAROLE THERIAULT. Mm-hmm. That's why we're here.


GRAHAM CLULEY. I thought you'd actually say it. That's all.


THOM LANGFORD. What has happened this week?


GRAHAM CLULEY. Thank you, Thom, for playing. Well, I'll tell you, Thom, what's happened. There has been a leak of 50,000 phone numbers. Now, normally you'd think, so what?


CAROLE THERIAULT. 50,000? No, that's not what we do every week. We make a big deal about these things.


THOM LANGFORD. Well, 50,000 actually is not that many records anymore, is it?


CAROLE THERIAULT. No, I mean, very sad. Every record matters. Every record matters.


GRAHAM CLULEY. This 50,000 phone numbers claims to be a database of people of interest. Of NSO Group's customers. So people who want to buy Pegasus, right, go to NSO Group, say, we'd like to buy this software. Here's the phone numbers that we would like to use this software against. And now—


THOM LANGFORD. They have to disclose those upfront?


GRAHAM CLULEY. And—


CAROLE THERIAULT. Well, I guess you've got to tell them who they're going to target.


THOM LANGFORD. So is it a service or is it a piece of software?


GRAHAM CLULEY. There might— I think there is a service component. I'm not actually a customer.


THOM LANGFORD. Interesting.


GRAHAM CLULEY. Of NSO Group. So I haven't got that far, but I think there has to be some kind of exchange of information which goes on.


THOM LANGFORD. But if they'd like to send some free vouchers, you know, good for 10 uses, 10 phone numbers.


GRAHAM CLULEY. So this list has come out, and what journalists around the world have been doing, they've been looking into investigating this for a while, and it's just gone public. They've been looking into whose numbers these are, because we believe they're people of interest to people running the Pegasus spyware. And what they found was not only were many of these numbers not appearing to have any links whatsoever to terrorism and crime, which goes against the NSO rule, but also it appears that these are the phone numbers of people who have had their phones hacked. So they analyzed a number of the iPhones, and a good deal of the ones— they haven't obviously gone through all 50,000, but they've managed to get hold of some of them, and they found that they have been hit by Pegasus spyware, which kind of links it all together.


CAROLE THERIAULT. Okay, so what you're saying is there was a database that has been leaked that contains phone numbers, and it turns out that on, you know, initial research, the phone numbers are basically indicating that this device has been infected.


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. With Pegasus, right.


GRAHAM CLULEY. And they've been infected by this malware, which allows people to spy upon your messages, see where you are, and this is zero-click malware. So this is an in-the-wild exploit which is being used right now to target the iPhones of activists, journalists, politicians around the world. It means a hacker could remotely compromise your iPhone without you realizing, or you even having to click on a link.


THOM LANGFORD. Yeah, let me just clarify here. You did say that Apple did release a patch for this.


GRAHAM CLULEY. That was back in 2016, but Pegasus has been continually developed ever since. So there's now an Android version of Pegasus. It's not just for iPhone. New functionality has been added as well. Back in 2016, you had to click on a link. Now you don't have to click on a link, and it's been updated to deal with the latest versions of iOS, for instance, because Apple over the years has hardened the security. In fact, they were just bragging recently about how they've hardened the security of iMessage to prevent these kinds of exploits from working. And journalists have been going through this database and they found the numbers. For instance, most of the numbers are coming from Mexico, Morocco, the UAE. One of the numbers belonged to a freelance Mexican reporter called Cecilio Pineda Berto. And back in March 2017, Pineda, he was looking at his pickup truck and he's thinking, that's a bit dirty, I need to get that cleaned. So he drove off and went to the local car wash, and he got into a hammock to have a little snooze round the back of the car wash while it was getting washed by the people. Somehow, gunmen knew where he was, and they murdered him in his hammock.


CAROLE THERIAULT. He couldn't even see them coming because of the hammock sides.


GRAHAM CLULEY. Well, also, he was snoozing.


THOM LANGFORD. That and his eyes being closed, yeah. Yeah. I mean, they could have followed him, in fairness.


GRAHAM CLULEY. It is possible. We don't know for sure that it was Pegasus, and his phone apparently disappeared from the scene of the murder. So it's never been examined, but his phone number was in this list. And there've been other incidents as well where nasty things have happened to people.


THOM LANGFORD. Hmm. So the other thing I've got to comment about this is, are we really that surprised that tools that can be used for good are being hijacked and used for bad?


CAROLE THERIAULT. Yes. The entire premise of this show is based on that.


THOM LANGFORD. Oh, I thought it was based on something very different, but—


GRAHAM CLULEY. It's like a grand piano. A grand piano can be a thing of great beauty, unless—


THOM LANGFORD. Or I could play it.


GRAHAM CLULEY. Or it's dropped on your head.


THOM LANGFORD. Yes, exactly.


GRAHAM CLULEY. And then it's a murder weapon. I haven't seen that episode of Columbo yet. I'm looking forward to it.


CAROLE THERIAULT. If it's out of key, it's also basically a— Yes.


THOM LANGFORD. It's not a murder proposition. And it's just really, really unpleasant.


CAROLE THERIAULT. So do you— okay, if I say— I'm gonna say a statement, and I wanna know if you agree or disagree, okay?


GRAHAM CLULEY. Right, yes.


CAROLE THERIAULT. NSO Group are digital gunslingers. Agree, disagree?


THOM LANGFORD. No, they are marshals who have probably—


CAROLE THERIAULT. Self-appointed marshals.


THOM LANGFORD. Self-appointed marshals, but who have possibly, allegedly, any lawyers please interject, taken a few backhanders to sell their services elsewhere.


GRAHAM CLULEY. Maybe.


THOM LANGFORD. Maybe, maybe not. I mean, it's pure supposition, not accusation.


CAROLE THERIAULT. But they're saying, they're effectively saying, a bit like Facebook, nothing to do with us, gov, we're just selling the tool. Like, it's the guys who are using it in a way that's illegal.


GRAHAM CLULEY. And they claim that they're very careful about who they sell it to.


THOM LANGFORD. Yeah, just like, you know, gun manufacturers in the US.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. There goes 30% of our audience.


CAROLE THERIAULT. You wish.


GRAHAM CLULEY. Now, one important thing to point out, a lot of the media attention about this has been around the iPhone because there clearly is at the moment, there is a vulnerability on everybody's iPhone, which means your iPhone could be hacked without you having to do anything and people could spy on your messages, track you, etc., etc., right? There's loads of attention on that.


CAROLE THERIAULT. Turn it off, people, turn it off.


THOM LANGFORD. Well, isn't the attention on the iPhone because frankly, it's the more secure choice generally? And so if they put their effort into breaking up the iPhone security, or at least subverting it even for a short period of time, the payoffs will be greater because people who do care about that security will be using an iPhone over a vanilla Android.


GRAHAM CLULEY. I tend to agree with you. iOS is more locked down. The other point which the researchers have made is that the security advances which Apple have built into the operating system actually leaves more forensic clues to determine that it has been hacked. So with Android, it's easier to clean up after yourself and not make it appear that it's been hacked. So it's actually harder to tell. Now, should you be worried as an iPhone user about this? Well, probably not. You're probably not targeted unless you're—


CAROLE THERIAULT. You're probably not important enough. That's what you're trying to say to our listeners.


GRAHAM CLULEY. Exactly. And neither are we, mostly.


THOM LANGFORD. It costs money to put this thing on your iPhone, right? It's not— and probably not pennies.


GRAHAM CLULEY. But if you want to look, Amnesty International has released a tool which can help you check if your iPhone has been hacked. But it's not very easy to use. It's very much command line. It's kludgy and clunky, and you've got to be a bit of a nerd, and you've probably got to go quite far.


CAROLE THERIAULT. Are you offering services to our listeners?


GRAHAM CLULEY. No, I'm not. No. Bring your iPhones round to me. Form an orderly queue, socially distanced, please.


THOM LANGFORD. Get your £10 notes out.


GRAHAM CLULEY. And I'll have a look at them for you. Thom, what's your story for us this week?


THOM LANGFORD. Well, it's somewhat related because we all know what it's like to have our free speech curtailed, right? We all know that these trigger-happy tech companies will ban you for the slightest thing. I mean, Donald Trump is now suing Twitter and Facebook and others, etc. He knows all too well, you know, that they'll just happily censor everybody. And we all know what it's like when our favorite apps, you know, like Parler or whatever, are just removed from app stores because something about, you know, free speech and blah, blah, blah.


GRAHAM CLULEY. You're a big user of Parler, are you? And Gab? And are those some of your favorite? What are your favorite apps? What are the ones you most commonly use, Thom? Which would cause you most trouble if they disappeared?


THOM LANGFORD. Do you know what? I'm looking at it now. Well, there's my Lego Star Wars one. That's probably going to be a bit of a trouble. Trouble. Or the one that allows me to unlock my car. That's going to be a bit of a problem. And probably Twitter.


GRAHAM CLULEY. You've got an app to unlock your car?


THOM LANGFORD. Yeah. Haven't you?


GRAHAM CLULEY. Well, no, I have a key to unlock my car. Why do you need an app to unlock your car?


CAROLE THERIAULT. You probably don't have a key, Graham. You have a button.


GRAHAM CLULEY. Well, same thing.


CAROLE THERIAULT. A key fob.


THOM LANGFORD. Oh, so a button. So your key sends an electronic signal over the air to your car.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yes, but I'm close to it when it happens.


THOM LANGFORD. So am I. Why would I want to unlock it when I'm in the town, you know, over the road from you?


CAROLE THERIAULT. Can it start your car?


THOM LANGFORD. If you've got—


GRAHAM CLULEY. sorry, this is something of a digression, but if you've got an app, presumably the app, does it use the internet?


THOM LANGFORD. It can do, if you wish, yes.


GRAHAM CLULEY. I see.


THOM LANGFORD. Absolutely. Yeah.


GRAHAM CLULEY. Interesting.


CAROLE THERIAULT. Not really. Carry on.


THOM LANGFORD. Carry on. Okay. Right. Okay. Anyway. Anyway. So there was just another little segue just to bring these diverging stories together. There was a chap who you may recall called Erik Finman, the self-proclaimed youngest bitcoin millionaire, a young American chap. He, well, became a millionaire at 18 after investing in bitcoin.


CAROLE THERIAULT. As you do.


THOM LANGFORD. Yeah. Blah, blah, blah. Anyway, so he felt somewhat aggrieved at all of this censorship and cancellation culture that was going around. And he tweeted just the other day, today I'm announcing the Freedom Phone. Fuck yeah. This is the first major pushback on the Big Tech, capital B, capital T, companies that attacked us for just thinking different.


CAROLE THERIAULT. He timed it with Freedom Day in the UK as well.


THOM LANGFORD. Exactly.


CAROLE THERIAULT. Not a PR numpty.


THOM LANGFORD. It's almost like you know what you're doing, Carole. Complete with its own uncensorable app store and privacy features, all uppercase. We're finally taking back control. And then a little link to freedomphone.com. So please, you know, given the visual medium of this audio-only podcast, please do go to freedomphone.com.


GRAHAM CLULEY. Oh, it's like there's an American stars and stripes flying a lot.


CAROLE THERIAULT. Flapping, flapping in the wind.


GRAHAM CLULEY. Freedom Phone, completely uncensored. Buy it now. $499.99.


THOM LANGFORD. Exactly.


CAROLE THERIAULT. It looks remarkably like an iPhone in that picture.


THOM LANGFORD. Well, it's a very smart looking phone, but keep scrolling down.


CAROLE THERIAULT. Keep scrolling down.


THOM LANGFORD. All the way down. So ban free uncensorable App Store, preloaded apps. I think Parler is one of them. A free speech first operating system called Freedom OS and your privacy guard. Say hello to trust. Now, would you like more information on this? You know, specs, what is Trust? What does it do? What's FreedomOS based on, etc.?


CAROLE THERIAULT. That's it.


THOM LANGFORD. That's it.


CAROLE THERIAULT. Yeah, I'm looking. There's all the buttons say buy it now, buy it now.


THOM LANGFORD. There's nothing. Oh, there's nothing there. No other features.


GRAHAM CLULEY. They're just buy links.


THOM LANGFORD. Yeah, they're just buy links. And so if you go back to Eric and I'm not going to start quoting him again, but he basically says we've worked with the freedom-loving people of Hong Kong. And we've completely re-engineered the phone and used the most secure components and yeah, and all that sort of thing. So when I saw this, my first thought was, get your money out. No, I said, this is from The Onion, right? You know, The Onion satirical pages, because surely people aren't taking this seriously. Well, apparently not. It really is true.


GRAHAM CLULEY. So it really exists.


THOM LANGFORD. It really is. It's available. Number of comments. Those things are uncensorable equals pirated apps. Malware infested. Sounds perfect for criminals. So the NSA and the FBI have backdoors already. There was someone called Hacker Fantastic on Twitter, did a series of breakdowns, and it turns out that it looks like it's a $100 Android white box phone.


GRAHAM CLULEY. I'm trying to read this guy's tweets. It appears he's blocked me. I don't think Hacker Fantastic likes me.


THOM LANGFORD. Oh, oh, Hacker. Oh, he's blocked you.


GRAHAM CLULEY. I am blocked by him on Twitter. I think it's possible. Is he not the partner of Jennifer Arcuri? Former dancer and close personal friend of Boris Johnson.


THOM LANGFORD. Yes.


GRAHAM CLULEY. I wonder if— 'Cause she hasn't blocked me, but her partner appears to have done. Okay, anyway, all right.


THOM LANGFORD. Did you give us some money?


GRAHAM CLULEY. But I can't.


THOM LANGFORD. Well, use your sock puppet account, Graham.


CAROLE THERIAULT. I found an FAQ, so that's interesting.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Did you? At the bottom, in the footer, where they— There's an FAQ there. Now, there's also a privacy statement.


THOM LANGFORD. First one, what is your refund policy? Yeah, love it. I think they are expecting a few refunds. So yeah, this person, Hacker Fantastic, he's basically backward engineered, in inverted commas, from the photos and ascertained that it's using a certain chipset by a white box manufacturer, and thinks it's this chipset because the reference models that use this chipset always have things like the SIM slot in this location, the camera in this location, the fingerprint sensor on the back in the center at the top, etc., etc. And if you use a different set of chips, if you rip them all out and use different ones, as this Erik has intimated, then actually you have to change the structure of the board and everything moves around a bit. So it's extremely unlikely that any changes have been made, although obviously he reserves opinion.


CAROLE THERIAULT. Yeah.


THOM LANGFORD. Until there is some kind of confirmation of what this product is. But it seems to me like the world's biggest scam that a lot of people are actually going to buy into. You know, so an upsell on a $100 phone with what is ostensibly—


CAROLE THERIAULT. It's 5 times the amount, right?


THOM LANGFORD. It's 5 times the price.


CAROLE THERIAULT. Yeah.


THOM LANGFORD. And there's nothing illegal about that, but which will have a custom OS, which is possibly the same as what was in there before, but just reskinned maybe with an American flag and some aircraft flying majestically above it.


GRAHAM CLULEY. Oh, that is a lovely image, isn't it?


THOM LANGFORD. It is. I mean, they're very nice.


GRAHAM CLULEY. Yeah.


THOM LANGFORD. You know, and the branding as it stands is not bad. But do you know what? Certain people will flock to this phone thinking that they're, you know, owning the libs with it, and they're the ones that, you know, it's going to be more like pwning.


CAROLE THERIAULT. Well, we don't know if they're up to anything naughty or not at this stage, right?


THOM LANGFORD. No, no, not naughty per se, but I think they'll be using what is ostensibly an insecure platform.


GRAHAM CLULEY. I'm just reading the fairly minimal FAQ which Carole put out on their site. It's got this bit about, you know, what's the return policy if you don't like it?


THOM LANGFORD. Yeah.


GRAHAM CLULEY. Customers may return the Freedom Phone unopened within 30 days of purchase. If it's opened—


CAROLE THERIAULT. And you checked it out and it doesn't work.


GRAHAM CLULEY. Yeah, yeah. If you've actually opened the box and thought, well, this is a pile of shit. Now, I can understand that if it's a pair of underpants which you've worn. That they wouldn't accept it back. But it seems a little bit unfair.


THOM LANGFORD. How do you know if you don't like it if you've not used it?


GRAHAM CLULEY. Well, you've opened the box.


THOM LANGFORD. Oh, I know.


CAROLE THERIAULT. It's like your toilet paper, right, Graham? You can't return that.


GRAHAM CLULEY. Well, not once I've used it, no.


CAROLE THERIAULT. Well, once you've opened the package, presumably either. You can't just show up and say, sorry, I only used one of the 250 rolls.


THOM LANGFORD. I didn't need all of them.


GRAHAM CLULEY. I needed quite a lot, but not quite all of them this time.


THOM LANGFORD. It was quite a long year. You know, it looks like a duck, quacks like a duck, swims like a duck, tastes like a duck. You know.


GRAHAM CLULEY. Sorry, I thought you said it looked like a phone.


THOM LANGFORD. I thought you said—


GRAHAM CLULEY. What?


THOM LANGFORD. It's probably a duck phone. Yeah. Or a phone duck or something. I don't know.


GRAHAM CLULEY. Carole, what have you got for us?


CAROLE THERIAULT. Okay, we're gonna have to use our brains for my story.


GRAHAM CLULEY. Okay?


CAROLE THERIAULT. Oh, brains. Prove that you actually have some here.


GRAHAM CLULEY. It's hot today, Carole. I don't know if I can do this.


CAROLE THERIAULT. I know it is hot. Trust me. I know.


GRAHAM CLULEY. My brain is like a balloon full of lukewarm porridge.


THOM LANGFORD. Porridge. Yeah.


CAROLE THERIAULT. I'm in a sealed room right now with a huge window. I understand.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So first off, tell me what you think. What services or professions do you think have the most, I don't know, private info about you? Like if they got hacked, you would just kind of go white as a sheet.


GRAHAM CLULEY. STD clinic.


CAROLE THERIAULT. Oh, good. Yeah. Doctors. Yeah. STD clinics.


GRAHAM CLULEY. Dominatrix. If I was on a— if I—


THOM LANGFORD. Yeah.


GRAHAM CLULEY. If I had an account with a dominatrix.


THOM LANGFORD. Really? Would that really upset you if people found out about that? Do you not think that people—


GRAHAM CLULEY. Well, Thom, first of all, there's nothing to find out. Can I just stress that?


THOM LANGFORD. No.


CAROLE THERIAULT. Well, you doth protest too much.


THOM LANGFORD. You mean that number you gave me is not valid? Is that what you're saying?


CAROLE THERIAULT. What about your therapist?


GRAHAM CLULEY. Oh yeah, yeah, yeah, right. Yeah, there was a, there was a Finnish psychotherapy clinic which, which was hacked and all that information ended up in the hands of bad guys. That was really terrible.


CAROLE THERIAULT. Accountants and tax dudes, that would suck, but because it's basically on money fronts, I suppose, right?


THOM LANGFORD. It just shows how little you give to charity, right?


GRAHAM CLULEY. Plastic surgery on your nuna.


CAROLE THERIAULT. Oh yeah, on your nuna.


GRAHAM CLULEY. Is that what people are doing these days?


THOM LANGFORD. On your— oh, is nu-na female?


GRAHAM CLULEY. Okay, on my nu-nu. Is it a nu-nu for a man and a nu-na for a woman?


THOM LANGFORD. No, it's a foo-foo for a woman, isn't it?


CAROLE THERIAULT. No, God.


GRAHAM CLULEY. I'm keeping up with kids today.


THOM LANGFORD. I know.


CAROLE THERIAULT. I don't think Thom's a kid. I wouldn't take his advice on this. All these people, like therapists, accountants, lawyers, priests, STD clinics, dominatrixes, they have information about you that you want to keep private, or you want to share in a limited fashion, or the way you choose to. Who wouldn't want your nana to know about your dominatrix proclivities?


GRAHAM CLULEY. My nana? What? Hang on, I know what a nuna is. What's my nana?


THOM LANGFORD. It's, it's your moneymaker, Graham. It's what you sit on.


CAROLE THERIAULT. And like a lot of these, other than the dominatrix in this story that has shown up, like lawyers, therapists, accountants can lose their jobs, right? If they don't represent you properly. So as this show is vaguely security-based, let's pretend one of you or both of you are the head honchos of a ransomware crew, okay?


THOM LANGFORD. Mm-hmm.


GRAHAM CLULEY. Oh, bad guys?


CAROLE THERIAULT. Yeah, you're the bad guys.


GRAHAM CLULEY. Thom is bald, so that already makes him slightly evil in my eyes.


THOM LANGFORD. Let me grab a local alley cat to stroke on my lap while we do this.


CAROLE THERIAULT. And what profession would you try and hit first of the ones we talked about? Like, what profession? Like, ransomware is all about the money. Healthcare?


THOM LANGFORD. Absolutely.


GRAHAM CLULEY. Smashing Security is now giving advice on who ransomware gangs should target next. That's what you're doing.


CAROLE THERIAULT. I'm not giving advice. I'm just saying what you would do.


GRAHAM CLULEY. No, you're suggesting we come up with some suggestions for them.


THOM LANGFORD. We're like the NSO here in the sense that, you know, we merely provide the information. What people do with it is entirely up to them. So yeah, I'd hit healthcare because they have lots of sensitive information. Take lots of people's money but never spend it on security.


CAROLE THERIAULT. But it doesn't really win the hearts and minds of the folks that hear about it afterwards, right?


THOM LANGFORD. Hearts and minds of who?


CAROLE THERIAULT. Well, like, for example, if a bunch of richy rich people at a swanky law firm, if a law firm gets hit, you might not feel as bad as if it's a bunch of cancer patients that can no longer get their meds because the machines have been screwed.


THOM LANGFORD. I'm a criminal.


CAROLE THERIAULT. I think there's optics is what I'm— I think I think there is optics from the bad guy's point of view as well.


GRAHAM CLULEY. Do you?


THOM LANGFORD. Do you really think so? I'm a criminal, I'm bad whatever I do.


CAROLE THERIAULT. Yeah, I think they do. I think some do.


GRAHAM CLULEY. I'm bad, I'm bad, I'm really, really bad.


CAROLE THERIAULT. I would argue that lawyers are the ticket. Like, lawyers are a good ticket here because—


THOM LANGFORD. Are you representing, you know, a ransomware gang or something from a PR perspective here, Carole?


CAROLE THERIAULT. No, because I'm really freaking moral. Lawyers 'cause they know the prestigious ones, they swoon over their rich clientele, trot them out whenever possible to lure in new clients. So you know who's on their books, not maybe everyone, but you know a few. And people seem to open up to lawyers and give them a service fee every month, if you're using one regularly. And lawyers care a lot about reputation and trust. So I'm wondering if they would be more likely to pay the ransom to have everything shut up, like don't dox us on the darkweb.


GRAHAM CLULEY. Well, maybe, maybe, yeah.


THOM LANGFORD. It's a very good point as well, because actually also the lawyers' clients will also be flush with cash potentially. And you can also hit them too.


CAROLE THERIAULT. That's the information you want. I mean, I'm guessing that's what you want to either nab or lock up. So let's say, boys, that your law firm, you guys are, you know, swinging around with lots of cash, and your law firm that you trust with all your financial business and even some personal goings-on gets hit by ransomware.


GRAHAM CLULEY. Oh, hang on, we're good guys now.


THOM LANGFORD. Are we still criminals yet?


GRAHAM CLULEY. Yeah, because we were the ransomware gang.


CAROLE THERIAULT. Now I know, I know, we're swapping sides, right? So now—


THOM LANGFORD. Oh, right, right, pivot, pivot, pivot, pivot.


CAROLE THERIAULT. Okay, and, uh, so what would be the things you'd want to know? Like, if you find out your law firm's been, you know, hi, sorry, we've been—


GRAHAM CLULEY. Have they got my data? Have they got our emails? Anything we've said to you, is that now in the hands of criminals? What the hell's happened?


CAROLE THERIAULT. Yeah, what, what do they take? What do they take? Yeah, okay, they take— okay, that's a good question. Anything else?


THOM LANGFORD. What version of operating system are you using on your systems, because that'll tell me pretty much how much data they've got. Because if you were using Windows XP, then—


GRAHAM CLULEY. You mean which service pack do you have?


CAROLE THERIAULT. Why would you care about that?


THOM LANGFORD. Because if they're using—


CAROLE THERIAULT. I don't think they tell you.


GRAHAM CLULEY. You don't care.


THOM LANGFORD. Let me finish. It might be your show and all, but blimey, I'm the guest.


CAROLE THERIAULT. VIP guest.


THOM LANGFORD. So if they're using Windows XP, right, then I've got a case for gross negligence against my lawyers. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. So you go to another set of lawyers who might then lose their—


THOM LANGFORD. Might take— exactly.


CAROLE THERIAULT. Would you care about like how they got in?


GRAHAM CLULEY. Um, I don't know if I would. No, I don't know if I— not if I— no, I don't know.


CAROLE THERIAULT. Would you care about what they're going to do about it if, if, if you're unhappy with what information, if it has an impact on you?


THOM LANGFORD. Yes, of course, absolutely.


GRAHAM CLULEY. Okay, yes, I definitely would. I definitely would want to know that, and I would want to know that they knew how they'd got been and that they were going to stop it.


THOM LANGFORD. And how long they'd been in there for.


CAROLE THERIAULT. Right. Yeah. Yeah. I love when they really kind of come clean, right? Say that on this date, this happened. We noticed at this time, we then did this, we didn't. I love that. So this week we learned that a so-called prominent and I assume very expensive law firm was hit by ransomware earlier in the year. And in the show notes, I've put in their statement that's on their website and I've highlighted some key areas. But I want to know if you think what's good about this and what's bad. Like, I'm thinking people are listening to the show and this is going to happen to people where they're going to have to inform people, yeah, you know what, we've been hit by ransomware. What's leaving a bad taste in your mouth here, if anything?


GRAHAM CLULEY. Oh, I'll tell you the first thing which annoys me. So I'm reading this right now. I imagine we're going to put a link to this in the show notes.


CAROLE THERIAULT. Yeah, we will, definitely.


GRAHAM CLULEY. Yeah, I'm reading this, right? It looks like it's been written by a lawyer.


THOM LANGFORD. It's so boring.


GRAHAM CLULEY. It says Campbell blah blah blah blah blah is providing notice of a recent data privacy incident.


CAROLE THERIAULT. I think that's very interesting though, that title. So the title, let me just read it out correctly so people can know. So Campbell, Conroy, and O'Neill provides notice of data privacy incident. So that is a kind of key word because you're going to look for ransomware hack, ransomware attack, you know, or victims, and there's nothing in there. So I found that quite interesting.


THOM LANGFORD. They've got anti-SEO people working on it.


GRAHAM CLULEY. The following notice includes information about the event, steps taken since discovering the event, and resources available to help individuals protect against potential misuse of their information should they feel it is appropriate. I'm already bored.


CAROLE THERIAULT. No keywords. No keywords.


GRAHAM CLULEY. Yeah.


THOM LANGFORD. That is fascinating.


GRAHAM CLULEY. It's quite dull. It's quite dull.


CAROLE THERIAULT. So they say it all happened on the 27th, right? So that's a long time ago, like 5 months.


GRAHAM CLULEY. 27th of what?


CAROLE THERIAULT. Of, uh, 27th of February. Sorry, 27th of February 2021.


THOM LANGFORD. Wow.


CAROLE THERIAULT. So that's a long time they took to kind of—


THOM LANGFORD. That's about right, you know, upwards of 9 months in, in most cases.


GRAHAM CLULEY. Oh, so it wasn't that they were hacked then, that's when they became aware of it?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. So for months they've known about this.


THOM LANGFORD. And they've only just said?


CAROLE THERIAULT. Mm-hmm. And they say at the end, Campbell's providing notice because investigation thus far determined— okay, so now 5 months on— determined that certain information relating to individuals, i.e., you guys, the clients, was accessed by the unauthorized actor. So you want to know what information they stole, Graham?


GRAHAM CLULEY. Yes, exactly.


CAROLE THERIAULT. Please, please list out and tell me if you'd be worried.


GRAHAM CLULEY. So what information was involved? So we want to know what data has come out. Okay. We cannot confirm if the unauthorized actor accessed or viewed any specific information relating to individuals. However, we determined that the information present in the system included certain individuals' names, dates of birth, driver's license numbers, state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials, i.e., usernames and passwords.


THOM LANGFORD. Passwords?


CAROLE THERIAULT. So basically, people use lawyers as a kind of online vault for passwords, right? Because they can go and access these accounts as well. Like, that is worse than what you give any other profession, I think. Like, you'll give your therapist some of that info, but not all of it.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. Like, everything is in there.


THOM LANGFORD. So what they said was, we're not sure what was taken. 'But here's a list of data that we hold on you just in case.' Yep.


CAROLE THERIAULT. And we can't confirm or deny that they've seen this, taken it, or will do anything with it.


THOM LANGFORD. Jesus Christ. And it took them 5 months to work— they could have announced that the day after. Right. And it would have still been true.


CAROLE THERIAULT. But don't worry, the next paragraph, 'What we are doing,' and then we get that famous sentence that we love. 'Cambridge Analytica is committed to and takes very seriously its responsibility to protect all data entrusted to us.' So ongoing commitment, we're going to up our game, watch the space.


GRAHAM CLULEY. It's all a bit waffly. It's not really very much in the way of detail here, is it?


THOM LANGFORD. Yes! But also, if they take it all so seriously, why were passwords there? I know.


CAROLE THERIAULT. Like, were they encrypted?


THOM LANGFORD. Probably not.


CAROLE THERIAULT. Were they hashed?


THOM LANGFORD. Probably not. Well, if they were encrypted, it wouldn't have been lost. If you see what I mean, you know? If they were just hashes or whatever, then—


GRAHAM CLULEY. Yeah, hashes, yeah.


THOM LANGFORD. Yeah, that's, that's fine.


CAROLE THERIAULT. But now you've been paying your lawyers, right? You've been paying these guys. Let's say they've been paying them $5,000 a month, right? And they've been, uh, you know, your dutiful lawyers with all your passwords and your passport information and your SIN number and all your stuff. What, uh, do you do like at this point, right? So you're reading this and you're thinking, well, what do you give me? What's the kickback? Because this kind of sucks for me in a big way, right?


GRAHAM CLULEY. Yeah. How are you going to help me?


THOM LANGFORD. Oh, I know, I know, I know what they're going to give them. They're going to give them a year's free credit check with a credit check agency.


CAROLE THERIAULT. Yes, two years. Two years. They went out, yeah, 24 months of complimentary access to credit monitoring, fraud consultation, identity theft restoration services. So, but it— but they put it on you, right? Like, they'll pay for it, but you're— it's your responsibility to manage all this and to activate it. Like, it's not, you know, it's not by default. And they'll only give it to people that, that they say, we can guarantee your information was at risk, but they don't know that.


GRAHAM CLULEY. Okay, so not all of, not all of their clients are going to get it. Anyone who they believe are affected, even though they don't know what, who was affected or what data was lost.


CAROLE THERIAULT. Exactly. So they give you the telephone number and the times to call when they will answer, and then they'll say the call center will verify whether you're eligible for services between 4 and 4:05 every third Thursday. And then they say, they don't stop there. They also say, hey, this is how you can help monitor your accounts. So there's a load of stuff you can do, uh, get one free credit report annually to check. If you've used that already, oh well, too bad. And you can get a fraud alert. So all these things that don't impact your credit score, but can— well, just by security versus usability, it locks up your account. So you can't— people can't do checks without you confirming, yes, that one's okay, you can go do a check.


GRAHAM CLULEY. You can also do a thing called a credit freeze, can't you?


CAROLE THERIAULT. Yeah, yeah.


GRAHAM CLULEY. And I, I see that they're suggesting that to people. All you have to do is contact, uh, the organization with your full name, Social Security number, date of birth, um, lots of other—


CAROLE THERIAULT. photograph of your driving license, addresses for the past 5 years, proof of current address. Yeah, it's so—


THOM LANGFORD. Please just email this to .


CAROLE THERIAULT. So it's kind of interesting, I don't know. And I was thinking I wouldn't be happy with this, right?


THOM LANGFORD. Can I just ask, they've said what happened, they've said that they take it seriously, they've then said, here's what you are going to do about it. Have they said what they are going to do?


CAROLE THERIAULT. They are, as part of their ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures.


GRAHAM CLULEY. Well, I'll tell you what they're going to do. They're going to lose some customers.


THOM LANGFORD. Yeah.


GRAHAM CLULEY. Who are going to go to another law firm.


CAROLE THERIAULT. That is what I wanted to know. That was my next question. Would you just walk at that point? Or would you think, oh, my data's already out, who cares? At least, you know.


THOM LANGFORD. I would want to have a meeting, a face-to-face meeting, maybe with others as well, you know, other, you know, customer clients, but a face-to-face meeting with their head honcho who can look us in the eye and talk about all the things that they did wrong and now what they're doing right about it. And if that didn't satisfy me, then I would definitely walk.


GRAHAM CLULEY. You basically want a public lynching, don't you, Thom?


THOM LANGFORD. I mean, you know, pitchforks are optional, obviously.


CAROLE THERIAULT. But surely the clients are the real victims with no culpability whatsoever. So do you feel it's fair to say they have some culpability in it because they agreed to secure the information that we shared with them and they let the side down?


GRAHAM CLULEY. I'm not a lawyer, so I wouldn't be able to tell you if they're culpable or not. I'd need to engage some sort of law firm to give you advice on that.


THOM LANGFORD. Exactly.


CAROLE THERIAULT. But don't you feel— I would say the more carefully worded these kind of communiqués are done, the more it gives me like, I want to pay more attention to what you're not saying.


GRAHAM CLULEY. Yes, but you're never going to get any empathy or humanity from a lawyer, Carole Theriault, are you? What's the first rule of a revolution? Is that you line up all the lawyers to shoot them?


CAROLE THERIAULT. Don't you have lawyers in your family? You have lawyers in your close family, do you not?


THOM LANGFORD. I do.


GRAHAM CLULEY. That's why I know so much about them.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. That's why I know how they can be like— Wow.


CAROLE THERIAULT. Smashing Security sponsors Offensive Security, our industry leaders in providing training for your organization. The training is designed by the same minds behind Kali Linux and OSCP. Oh, now you're paying attention. So Offensive Security offer a number of different programs. There's the OffSec Flex program, which allows you to train on your own schedule. There's the OffSec Academy, offering industry-leading OSCP certification through dedicated one-to-one mentoring and virtual training. Or if you want to develop your team's pentesting skills in highly realistic simulated networks, Offensive Security experts have got your back. See, it comes down to this: the skills gap is increasing, meaning it's more important than ever to train your staff effectively and efficiently. Learn more about Offensive Security at smashingsecurity.com/offsec. That's smashingsecurity.com/offsec.


GRAHAM CLULEY. Create a culture of security with 1Password. Around 80% of business data breaches are due to weak or reused passwords. Well, using 1Password can close the gaps in your company's security and help your employees stay secure wherever they are. With the right tools and the right mindset. You can create a culture where your employees feel empowered to share responsibility for security risk management. 1Password makes the secure thing to do the easiest thing to do by letting your employees stay secure without slowing them down. 1Password makes it easy for employees to play their part in personal security and, by extension, the security of your company and customers. Learn more and try 1Password free for 14 days at 1Password.com.


CAROLE THERIAULT. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are unable to make smart security decisions. And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4.


GRAHAM CLULEY. Smashingsecurity.com/freetest. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


THOM LANGFORD. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


THOM LANGFORD. Better not be.


GRAHAM CLULEY. Sound like in harmony there. Wow. Amazing. My pick of the week this week is not security related. Instead, it is a love story.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Yes, it is a love story.


CAROLE THERIAULT. You went soft on us.


THOM LANGFORD. Are you talking about Columbo again?


GRAHAM CLULEY. It's no, no, it's not about Mrs. Columbo or anything like that. It is a love story about Randy Santel and Katina DeJarnett, how they met and fell in love.


CAROLE THERIAULT. Are we supposed to know who they are?


GRAHAM CLULEY. Let me read to you the opening paragraph of the article, which will put it in some context.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Randy Santel didn't really develop feelings for Katina DeJarnett until he saw her scoff down king crab legs, salmon pizza, shrimp calamari, seafood tacos, a Cobb sandwich, halibut, fries, onion rings, and chowder in 1 hour, 36 minutes, and 40 seconds.


CAROLE THERIAULT. Is this eating competitions?


GRAHAM CLULEY. They are both professional full-time eaters who became friends on the circuit and then found love.


THOM LANGFORD. Oh.


GRAHAM CLULEY. I don't know if you've ever thought about professional eating, Thom, and becoming a professional eater.


CAROLE THERIAULT. Obviously, you've been thinking about it nonstop while you've been on your fitness craze. This explains everything.


GRAHAM CLULEY. Well, it's a heartwarming story on why which I read, and I thought that's rather lovely. And it tells the story of how they make money eating and the amounts which they eat. And they have millions of YouTube subscribers and Facebook fans and have somehow managed to monetise this. And people love to see these sort of things. Anyway, they found each other and fell in love. And so I read that story, and I will put the link in the show notes, and you can read more of this.


CAROLE THERIAULT. Yeah, I don't know how I feel about eating competitions. I don't— I'm not comfortable with them, and I don't know why.


THOM LANGFORD. Yeah, it's not the '50s anymore.


CAROLE THERIAULT. Yeah, I don't judge the people that like it.


GRAHAM CLULEY. You sound pretty judgy to me.


CAROLE THERIAULT. Okay, I'm not trying to sound judgy. I just think—


THOM LANGFORD. I'm with you, Carole, on this, I have to say.


CAROLE THERIAULT. Yeah, I wouldn't want to go to an eating competition and watch. I might have some morbid fascination, but then it would be more— I wouldn't feel— I wouldn't like that either, right?


GRAHAM CLULEY. What about love? Isn't it good? Love's great.


THOM LANGFORD. Love, love.


GRAHAM CLULEY. You can find love in all kinds of places.


THOM LANGFORD. Yeah, maybe they could have found love in a park. You know, rather than sat in front of half a ton of food that they eat within an hour and a half. That produces vast amounts of waste.


CAROLE THERIAULT. Do you think, yeah, do you think they're ever sick? Do they have a sick bag close by at all times? Just, you know.


GRAHAM CLULEY. Tina says she's never actually thrown up as a result, but I think Randy sometimes has.


THOM LANGFORD. He visits the vomitorium afterwards.


GRAHAM CLULEY. Yeah. Anyway, I think, you know, it's good that they found love and I found friends.


CAROLE THERIAULT. This is evidence that Graham has a heart. Is that what you're saying?


GRAHAM CLULEY. That's what I'm saying. I'm just producing evidence today that I have a heart after the abuse I've had recently for some of my picks of the week. I'm just trying to give you something a little bit different. So that is my pick of the week. Thom, what's your pick of the week?


THOM LANGFORD. Well, I'm going to produce evidence that I'm actually a bit of, still a bit of a nerdy child at heart. So one of the many lockdown hobbies that I've taken up is I find myself as an adult with enough— not enough disposable income, but enough disposable income to buy all the Lego kits that I never got as a kid.


CAROLE THERIAULT. He was saying under his breath, Lego, Lego, Lego.


THOM LANGFORD. So yes, yeah. And I now have, you know, Saturn V and the lunar lander and the space shuttle and all that. So all of big stuff, right? And a few of the Star Wars heads and stuff, you know, helmets collection. And I just finished over the weekend a typewriter that actually makes, you know, you can actually type things. It makes clicky clacky noises.


GRAHAM CLULEY. Oh, really?


CAROLE THERIAULT. I like typewriters a lot.


THOM LANGFORD. Yeah. Yeah. Oh, well, you'll love this. I'll send you some photos.


GRAHAM CLULEY. Oh, you and Tom Hanks?


CAROLE THERIAULT. Send me a pic. Send me a pic. Well, me and Tom Hanks.


THOM LANGFORD. But my pick of the week is not LEGO directly. It's actually an app called Brickit. Brick IT. And you can, if you're in front of a computer right now, go to brickit.app. Uh, it will give you even less information than the Freedom Phone because it is quite literally an app. But what the app does, and this, this is the really cool tech part, is you lay out the Lego that you have, all the pieces that you have on the ground, spread them out a bit, hold your phone up, press the scan button, it scans all the Lego you have, identifies what each piece is, what color it is, and then suggests things that you can build with said Lego. Oh, even to the point where it will point out where the particular piece that you need is in the pile.


CAROLE THERIAULT. Okay, that's Graham.


GRAHAM CLULEY. Okay, yeah, Thom's one. Thom's one. Stop the show.


THOM LANGFORD. This is a first version. It's only on iPhone, not on Android, probably a security thing. But at the moment, you can only build stuff, build sort of non-LEGO ideas for want of a better term. But I believe that they will be in the future. You could lay out the stuff for, I don't know, your motorized AT-AT walker, and then it will find everything for you and then give you the instructions for how to make that in the future. That's possibly coming down the line. But right now it will categorize. I believe it will also, you know, start to create a list of what you've got and all that sort of stuff. And just, just actually watching it do its thing is worth the download alone. It's free currently, although I think many people would end up paying for it, you know, for, you know, advanced features, maybe such as being able to rebuild your original LEGO kits and stuff. But yeah, absolutely brilliant. It works.


CAROLE THERIAULT. Is it pretty new? It doesn't seem to have a ton of ratings at the moment. I'm just looking at it.


THOM LANGFORD. It is literally the last couple of weeks, I think.


GRAHAM CLULEY. It looks brilliant, Thom. My concern is that the evil lawyers at LEGO are going to shut this down.


THOM LANGFORD. Well, maybe they might, or maybe they will see it as a partnership that will allow them to help to unleash further creativity, because that's where, that's where they go.


CAROLE THERIAULT. Yeah, just because they didn't think of it, maybe, maybe they'll buy it. That would be the smart thing to do.


THOM LANGFORD. Exactly. Yeah, or invest in it. Exactly. Yeah, you know, because it will, it will reinvigorate interest in old Lego, you know, and reinvigorate the brand. So I'm hoping this will be a good news story, not a, you know, a harbinger of you know, it all going wrong.


CAROLE THERIAULT. So, okay, keep it, keep your eye on the story and then you come back and let us know.


THOM LANGFORD. Because yeah, absolutely.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. That is, I mean, I obviously haven't tried it, but it looks like an amazing app. How cool.


CAROLE THERIAULT. I once bought my nephew, like you can buy, I think it was on eBay. You can buy like kilos of Lego, right? That people sterilize, they say. And you buy these huge bags of it.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Um, and I gave him— I bought a ton of bags and gave it to him. So yeah, but God knows what's inside that. It's just like different pieces. So this would be kind of perfect, wouldn't it?


THOM LANGFORD. Yeah, that's exactly it. It really helps you do, do, uh, that sort of thing. Now I don't have enough because I, you know, my collection is literally just the stuff I've bought in the last 9 months basically.


CAROLE THERIAULT. And they're all made. You don't take them apart, do you?


THOM LANGFORD. And they're all made. So I've literally got the 6 pieces that are left at the end of every pack, you know, in a box, and it says, can't make anything out of this. But, but, um, we've got some, you know, in the loft somewhere, so I'm probably going to dig it out and, you know, pull out, pull up a handful out and see what it comes up with. Yeah, it just looks really cool. Looks really cool.


CAROLE THERIAULT. Yeah, it's a great pick of the week.


GRAHAM CLULEY. No one's going to read my competitive eating love story now. No, everyone's going to be looking at Brickit, and I don't blame them. Oh, what have you got? What's your pick of the week, girl?


CAROLE THERIAULT. Um, an animated series. Now I've chosen this because my buddy Thom here likes a cartoon as much as I do. We've talked on the show before about Rick and Morty, Final Space, Bob's Burgers, Invincible. Yes, Invincible. And a new one for you, Central Park. I don't know if you know it, Thom. Yeah, it's available on Apple TV and available for purchase as well. Do you like it?


THOM LANGFORD. Yes, I'm, I'm not a huge fan of musicals, but it's growing on me, I have to say, because it's by the same people who did Bob's Burgers, right?


CAROLE THERIAULT. Yes, that's right. So basically the story is like it's an animated musical series that tells the story of a family who live in the middle of Central Park, and they're the park caretakers. Um, and their whole, I guess, the premise of the show is they have to protect the park, um, from people that are trying to, you know, commercialize it, for example. And what's really kind of cool about it is it's the first time I've ever seen something set in New York City that wasn't focused on buildings or loud, crazy streets, right? You're kind of in the peaceful Central Park the whole time. And there's this wonderful foil on the show, Clue, that you would love. There's this grumpy old heiress called Bitsy Brandenham. And she's just gorgeous. She's conspiring to demolish Central Park and turn it into condominiums and shopping malls. But she's perfect because she's played by none other than Stanley Tucci, right, who is just a hair behind Jeff Goldblum and just ahead of that, uh, what's his name, the hairless UK Conservative politician, short guy, William Hague. William Hague, who I love as well, right on the hot scale. So Stanley Tucci's hot.


THOM LANGFORD. I thought you were going to say something like Baby Voldemort or something like that.


CAROLE THERIAULT. No, I just have this thing for William Hague.


THOM LANGFORD. I can't explain. Oh really? Oh yeah.


CAROLE THERIAULT. Better than Bitsy is her assistant. She's like, I don't know, the maid, the shit eater, the caretaker. She's played by Daveed Diggs, and she hates her job but wants to be written into the rich employer's will. So she puts up with all the crap. But the real star of the show are the tunes, I think. Like, the songs are pretty on point. Like, I was looking at them going, God, the rhymes are so good. The beats, melodies, everything. And then, so I went looking to see who is doing this. And there's like a huge list of contributors, right? Cyndi Lauper, Fiona Apple, Kate Anderson. There's like tons and tons of them. So, and it's, I would say, probably for 10-year-olds, maybe a bit, maybe 12 and upwards. Check it out.


THOM LANGFORD. Central is 50.


CAROLE THERIAULT. Oh, at least 99.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. So, uh, check it out. It's called Central Park. I'm seeing it on Apple TV at the moment, but I think you can also buy the series in places, potentially, or probably from Apple. So check it out. It's very good.


THOM LANGFORD. I'm going to get back into it. You should.


CAROLE THERIAULT. Second series, I think, is even better.


GRAHAM CLULEY. Very, very cool. Sounds great. Well, that just about wraps it up for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


THOM LANGFORD. I'm on Twitter @ThomLangford. That's Thom with an H. Thom Langford and ThomLangford.com. And that's about it really. So yes, please join me, join me in my quest to get a blue checkmark just like Graham.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And we're also up on the Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And thanks to this episode's sponsors, KnowBe4, Offensive Security and 1Password, and to our wonderful Patreon community. It's thanks to them this show is free for all. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 236 episodes, check out smashingsecurity.com.


THOM LANGFORD. Until next time, cheerio, bye-bye, bye, ciao!


GRAHAM CLULEY. You know, you know what's not weak, bro? Thom's riposte to Javad on the latest Host Unknown podcast.


THOM LANGFORD. Oh yes.


GRAHAM CLULEY. There was a bit of argy-bargy.


THOM LANGFORD. There was.


CAROLE THERIAULT. I haven't heard it.


THOM LANGFORD. Tell me.


GRAHAM CLULEY. Let's just say tempers got a bit raised. Emotion. It got emotional.


THOM LANGFORD. Jav decided to up the ante, and actually it did, although he did piss me off, and I did say that, but frankly, it made for a good podcast.


GRAHAM CLULEY. It was great. Yeah, great. Because you both had your opinions very strong. I actually agreed with you, Thom. Yeah, I have to say.


THOM LANGFORD. Yeah. And they pointed that out when they read your blog post. Oh yeah. It doesn't surprise us to see Graham's on the side of the old white man Thom or something like that.


CAROLE THERIAULT. I'm going to go listen now. You see, you got my interest.


THOM LANGFORD. Yeah. We've had a couple of comments about how it's good to have, you know, a podcast where not everybody agrees with each other.


GRAHAM CLULEY. Oh yeah.


THOM LANGFORD. Yeah. So I agree, Graham.


CAROLE THERIAULT. I agree, Thom.


GRAHAM CLULEY. I don't agree.


CAROLE THERIAULT. I think it's a good podcast.


GRAHAM CLULEY. No, it's a terrible idea.


CAROLE THERIAULT. I agree. Terrible.


THOM LANGFORD. The thing was, if I'd known he was going to do it, I think it would have been more fun, but it just came out of nowhere. And then I said, is he serious about it? Is he honest?


GRAHAM CLULEY. He was very serious.


THOM LANGFORD. Yeah. But he said afterwards that he decided he needed to stop as the spittle started to drop from his lips.


GRAHAM CLULEY. And you had to mediate, Karl.


THOM LANGFORD. Yeah, he did.


CAROLE THERIAULT. And he would be a good mediator.


GRAHAM CLULEY. Come on, boys, it's not worth it. It's not worth it, lads.


THOM LANGFORD. Leave him, Darren, he ain't worth it.


CAROLE THERIAULT. Hey everybody, Carole here. Now I've got to do this week's review selection really quickly because someone is using a chainsaw nearby. However, we got two very cute reviews. The first one comes from Wilsonium, who writes, "I have a bit of a reputation for getting out in the weeds, mostly unintentionally, but I never regret the journey. Carole, Graham, and friends take me out into the cybersecurity weeds every week, and I love it. Thanks for all the episodes full of warnings about which IoT wearables to avoid, apps to avoid or delete, and what happened to the eccentric players. Best of all is the rich history brought to the table with a colourful sense of humour shining a light onto some of the not so great tech out there. Thanks again for all the hard work and dedication put into each episode." Wow. That's positively swoon-worthy, Wilsonium. And we also got another delicious review. This one might have been from a baby or toddler who was playing with the phone. The review gives us 5 stars. The title is "XX" and the message is "SDD" and it's from EEJFGNJH. So thank you very much. And you guys stay safe out there and see you next week.

-- TRANSCRIPT ENDS --