This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Customers may return the Freedom Phone unopened within 30 days of purchase. Now, I can understand that if it's a pair of underpants which you bought, that they wouldn't accept it back, but it seems a little bit unfair.
Thom Langford
How do you know if you don't like it if you've not used it?
Graham Cluley
Before you've opened the box.
Thom Langford
Oh, I know.
Carole Theriault
It's like your toilet paper, right, Graham? You can't return that.
Graham Cluley
Well, not once I've used it, no.
Carole Theriault
Well, once you've opened the package, presumably either. You can't just show up and say, sorry, I only used one of the 250 rolls.
Thom Langford
I didn't need all of them.
Graham Cluley
I needed quite a lot. I couldn't get all of them this time.
Thom Langford
It was quite a long year.
Unknown
Smashing Security, episode 237, Nuna, Nunu, Nana, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 237. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week we're joined by returning guest, it's Thom Langford. Hello, Thom.
Thom Langford
Hello, hello, hello. Good morning, good afternoon, good evening.
Carole Theriault
You lifesaver.
Thom Langford
Apparently so. Apparently I'm somewhere on one of your lists of people to call in case of emergency.
Carole Theriault
Right. We had another guest scheduled today, didn't we, Graham, who had to dash off and do real work.
Thom Langford
Dead to you now, obviously. Absolutely dead to you.
Carole Theriault
Yeah, well, we got you on speed dial, don't we, Thom?
Thom Langford
Apparently so.
Carole Theriault
You're welcome.
Thom Langford
Yeah, I mean, getting woken up at 3 AM by Carole's going, Thom, Thom, Thom.
Carole Theriault
Okay, there's some wee jokes there.
Thom Langford
I mean, it sets you up for the day, what can I say?
Carole Theriault
Thanks to this week's sponsors: 1Password, Offensive Security, and KnowBe4. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Graham Cluley
I am going to be getting somewhat classical with you. Back to the classics.
Carole Theriault
Okay, and what about you, Thom?
Thom Langford
I'm celebrating my freedom.
Carole Theriault
Celebrating your freedom. Okay, and I am heading to professional services to figure out who has the most pertinent and private information. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, I don't know about you, but I love a Greek myth. That's not a—
Thom Langford
Do you?
Graham Cluley
It's not a young woman from Athens with a speech impediment. That's what Greek myths— I love all that. Didn't you love all that when you were a kid?
Carole Theriault
Well, I still do. I'm just surprised we've never talked about this.
Thom Langford
Stephen Fry does a huge amount of Audible books on this stuff, doesn't he? Yeah, really good at them.
Carole Theriault
Mythos, isn't it?
Thom Langford
Mythos. Yeah, that's it. They're really good.
Graham Cluley
Yeah, well, you've heard of Medusa, haven't you? Remember Medusa?
Thom Langford
Yes.
Graham Cluley
Oh, she was a scary gorgon, wasn't she?
Carole Theriault
I wore that as a Halloween costume once.
Thom Langford
I did.
Carole Theriault
Yeah.
Graham Cluley
Did you have all the snakes in your hair?
Carole Theriault
Yeah, I filled them all like little socks, like nylons, and I filled them with cotton wool. And they were just with wire and, you know, what do you call them? Wire hangers.
Graham Cluley
Oh, really?
Carole Theriault
Yeah, it looked great. I might do that again, actually. That's a good outfit.
Thom Langford
I did that with one sock once, but I didn't wear it as a hat.
Graham Cluley
Oh, please.
Carole Theriault
Oh, you need help down there, do you?
Thom Langford
Of course.
Graham Cluley
Carole, going back to you. Did you turn people to stone? Did you turn them rock hard?
Carole Theriault
No, I'm not even going there.
Graham Cluley
Right. And you've probably also heard of Poseidon, right? Do you remember Poseidon? I remember that. Bank holidays, BBC.
Carole Theriault
I don't remember which one he did. Is that the one?
Thom Langford
Clash of the Titans and—
Graham Cluley
No, no, no, I'm talking about Poseidon Adventure.
Thom Langford
Oh, oh, right, right, right.
Carole Theriault
Sorry, we just moved from Greek mythology, okay.
Thom Langford
Crappy B-movie Hollywood films.
Carole Theriault
Mm-hmm.
Graham Cluley
It wasn't crappy, it was brilliant. The liner capsizes in the Atlantic on New Year's Eve. Gene Hackman and Ernest Borgnine and Shelley Winters clambering up a Christmas tree trying to escape their watery grave. Yes, yes, it was also the Greek god of the sea. Well, I don't know if you know enough about Greek myths, but I discovered that one day, possibly via a dating app, Medusa and Poseidon, they got together. Did you know that?
Thom Langford
How did that work?
Graham Cluley
Well, I think Poseidon put a bag over Medusa's head to prevent himself, right, you know, right, having that particular problem. But from their unholy union was born an immortal winged horse called Pegasus. Pegasus, a bit strange, isn't it, to have it off with a snake woman and out comes a horse?
Thom Langford
So between a fish man and a snake woman, a winged horse comes.
Graham Cluley
That's right. And worse than that, if you remember your story of Medusa and how she was killed by Perseus who beheaded her, Pegasus the horse actually sort of popped out of her pregnant body after she was beheaded. A bit grisly.
Carole Theriault
Do you think this was the first instance of disinformation in the written world?
Graham Cluley
Well, you don't believe this.
Thom Langford
I think actually it's the first story of bro culture and a bunch of dickhead males, because Medusa, she gets the snakes for hair and turns anybody who looks at her into stone. And she thinks, you know what, in order to not sort of upset anybody, I'm going to go live in this cave. And yet every day some fella wants to go in there, you know, take a look, etc. And then she's surrounded by, you know, stone men.
Carole Theriault
Yeah, well, of course. But good thing for her, she can see 360, right?
Thom Langford
Because the snakes were just minding her own business, for goodness sake.
Graham Cluley
Well, what has got my goat right now this episode is that the wonderful story of Pegasus. It's been taken away from us because it's not just classic myth now, Pegasus. It's also the name associated with some rather nasty spyware. Because Pegasus is the name given to some smartphone spyware developed by an Israeli company called NSO Group. Have you heard of NSO Group?
Carole Theriault
I am very glad you're talking about this, Cluley, because I've seen this in the press, and I haven't followed the who, what, where, when, how. So I know nothing of the story. Ask Thom.
Graham Cluley
Oh, right.
Carole Theriault
So you can educate me. Tell me like I'm 5.
Graham Cluley
Well, they've called their spyware Pegasus, after the classical mythical winged horse, because apparently it can be sent flying through the air to infect phones.
Carole Theriault
Did they explain this?
Graham Cluley
That's—
Carole Theriault
Or is this you?
Graham Cluley
No, I think this is how it got its name. Yes.
Thom Langford
Does it make clip-clop whinny sounds as it infects your phone?
Carole Theriault
Listeners, this is when Graham assumes. I could tell in his voice. Okay, carry on. You're doing great.
Graham Cluley
Well, Pegasus, the spyware, has been back in the news this week. It's actually been known about since 2016 when a human rights activist called Ahmed Mansoor, he received a couple of suspicious SMS messages on his iPhone. And being the sort of type who has been regularly surveilled and suspected of being up to no good by the regime over there, he was smart enough to pass on these links to Citizen Lab, the security researchers there, and they looked into it and they discovered some sophisticated malware lurking at the other end. And it was claimed at the time that he might be the most spied upon person in the world.
Carole Theriault
God, can you imagine having that?
Thom Langford
God.
Graham Cluley
Well, that discovery back in 2016, that prompted Apple to push out some urgent security updates to everyone's iPhone because they were worried that other people might be susceptible to this, may click on links and have their phones compromised. But of course, that was back then, right? And in the years since, there's been a lot of allegations about the activities of NSO Group and information about how the Pegasus spyware has developed over time. For instance, a couple of years ago, Facebook claimed that Pegasus was being used to intercept WhatsApp communications between activists, journalists, politicians in India, all the real top people, podcasters probably as well, you know, all the really—
Carole Theriault
I don't know if we'd be that interesting, honestly. We record everything we say, so I don't know.
Thom Langford
That's right.
Graham Cluley
Anyway, there were accusations that the Indian government may have been behind the attack because of the nature of the journalists and activists and politicians who are being targeted. And NSO Group, what they say when you go to them with an allegation, they say, oh, look, look. They do a little shrug. They're not French, but—
Thom Langford
No, I was gonna say, yeah.
Graham Cluley
But you know, they do that in a kind of Israeli way. They say, look, our products are only used against criminals and terrorists, so they shouldn't be used in any other way, and we sell it with that stipulation that no one's going to use it in any other way. And yet, over in Mexico, drug cartels, actual criminals, were using the spyware to spy on journalists. So there are journalists in Mexico who were uncovering criminal activity in Mexico.
Carole Theriault
Yeah.
Thom Langford
So do you think that they might have, I don't know, ignored the end-user license agreement?
Graham Cluley
Well—
Carole Theriault
Probably didn't read it.
Graham Cluley
Does anybody?
Carole Theriault
Yes, some people do.
Graham Cluley
It's a bit— Even if they did read it, they could just say, no, no, I accept these terms. It's a bit like when you fly to America and they say, are you a Nazi war criminal? And they ask you all these questions, you say, no, no, of course not, of course not, except for that one fancy dress party at university. I think that's Prince Harry.
Thom Langford
Well, allegedly he's moved on.
Graham Cluley
He doesn't like that photograph to come out.
Thom Langford
No, no, exactly.
Carole Theriault
He's got a tell-all book coming out apparently, I read.
Graham Cluley
Yes, yes, that's terribly exciting.
Carole Theriault
Anyway, carry on, Graham. I'm really more interested in your story.
Graham Cluley
Yes. Now, do you remember Jamal Khashoggi, the journalist?
Thom Langford
Yeah. Oh yes, yeah.
Graham Cluley
Oh my goodness, the most horrendous story. He was chopped into little pieces at the Saudi consulate in Istanbul. He went there to get his visa stamped or something like that. Now, it's said that the Saudi authorities used the Pegasus spyware to track and spy upon him. So it already had a bit of a bad name, Pegasus.
Carole Theriault
Yeah.
Graham Cluley
So what's happened this week, I hear you ask?
Carole Theriault
Mm-hmm. That's why we're here.
Graham Cluley
I thought you'd actually say it. That's all.
Thom Langford
What has happened this week?
Graham Cluley
Thank you, Thom, for playing. Well, I'll tell you, Thom, what's happened. There has been a leak of 50,000 phone numbers. Now, normally you'd think, so what?
Carole Theriault
50,000? No, that's not what we do every week. We make a big deal about these things.
Thom Langford
Well, 50,000 actually is not that many records anymore, is it?
Carole Theriault
No, I mean, very sad. Every record matters. Every record matters.
Graham Cluley
This 50,000 phone numbers claims to be a database of people of interest. Of NSO Group's customers. So people who want to buy Pegasus, right, go to NSO Group, say, we'd like to buy this software. Here's the phone numbers that we would like to use this software against. And now—
Thom Langford
They have to disclose those upfront?
Graham Cluley
And—
Carole Theriault
Well, I guess you've got to tell them who they're going to target.
Thom Langford
So is it a service or is it a piece of software?
Graham Cluley
I think there is a service component. I'm not actually a customer.
Thom Langford
Interesting.
Graham Cluley
Of NSO Group. So I haven't got that far, but I think there has to be some kind of exchange of information which goes on.
Thom Langford
But if they'd send some free vouchers, you know, good for 10 uses, 10 phone numbers.
Graham Cluley
So this list has come out, and what journalists around the world have been doing, they've been looking into investigating this for a while, and it's just gone public. They've been looking into whose numbers are these, because we believe they're people of interest to people running the Pegasus spyware. And what they found was not only were many of these numbers not appearing to have any links whatsoever to terrorism and crime, which goes against the NSO rule, but also it appears that these are the phone numbers of people who have had their phones hacked. So they analyzed a number of the iPhones, and a good deal of the ones— they haven't obviously gone through all 50,000, but they've managed to get hold of some of them, and they found that they have been hit by Pegasus spyware, which kind of links it all together.
Carole Theriault
Okay, so what you're saying is there was a database that has been leaked that contains phone numbers, and it turns out that on initial research that the phone numbers are basically indicating that this device has been infected.
Graham Cluley
Exactly.
Carole Theriault
With Pegasus, right.
Graham Cluley
And they've been infected by this malware, which allows people to spy upon your messages, see where you are. And this is zero-click malware. So this is an in-the-wild exploit which is being used right now to target the iPhones of activists, journalists, politicians around the world. It means a hacker could remotely compromise your iPhone without you realizing or you even having to click on a link.
Thom Langford
Yeah, let me just clarify here. You did say that Apple did release a patch for this.
Graham Cluley
That was back in 2016, but Pegasus has been continually developed ever since. So there's now an Android version of Pegasus. It's not just for iPhone. New functionality has been added as well. Back in 2016, you had to click on a link. Now you don't have to click on a link, and it's been updated to deal with the latest versions of iOS, for instance, because Apple over the years has hardened the security. In fact, they were just bragging recently about how they've hardened the security of iMessages to prevent these kind of exploits from working. And journalists have been going through this database and they found the numbers. For instance, most of the numbers are coming from Mexico, Morocco, the UAE. One of the numbers belonged to a freelance Mexican reporter called Cecilio Pineda Birto. And back in March 2017, Pineda, he was looking at his pickup truck and he's thinking, that's a bit dirty, I need to get that cleaned. So he drove off, went to the local car wash, and he got into a hammock to have a little snooze round the back of the car wash while it was getting washed by the people. Somehow, gunmen knew where he was, and they murdered him in his hammock.
Carole Theriault
He couldn't even see them coming because the hammock sides.
Graham Cluley
Well, also, he was snoozing.
Thom Langford
That and his eyes being closed, yeah. Yeah, I mean, they could have followed him, in fairness.
Graham Cluley
It is possible. We don't know for sure that it was Pegasus, and his phone apparently disappeared from the scene of the murder. So it's never been examined, but his phone number was in this list. And there've been other incidents as well where nasty things have happened to people.
Thom Langford
Hmm. So the other thing I've got to comment about this is, are we really that surprised that tools that can be used for good are being hijacked and used for bad?
Carole Theriault
Yes. The entire premise of this show is based on that.
Thom Langford
Oh, I thought it was based on something very different, but—
Graham Cluley
It's like a grand piano. A grand piano can be a thing of great beauty, unless—
Thom Langford
Or I could play it.
Graham Cluley
Or it's dropped on your head.
Thom Langford
Yes, exactly.
Graham Cluley
And then it's a murder weapon. I haven't seen that episode of Columbo yet. I'm looking forward to it.
Carole Theriault
If it's out of key, it's also basically a— Yes.
Thom Langford
It's not a murder proposition. And it's just really, really unpleasant.
Carole Theriault
So do you— okay, if I say— I'm gonna say a statement, and I wanna know if you agree or disagree, okay?
Graham Cluley
Right, yes.
Carole Theriault
NSO Group are digital gunslingers. Agree, disagree?
Thom Langford
No, they are marshals who have probably—
Carole Theriault
Self-appointed marshals.
Thom Langford
Self-appointed marshals, but who have possibly, allegedly, any lawyers please interject, taken a few backhanders to sell their services elsewhere.
Graham Cluley
Maybe.
Thom Langford
Maybe, maybe not. I mean, it's pure supposition, not accusation.
Carole Theriault
But they're saying, they're effectively saying, a bit like Facebook, nothing to do with us, gov, we're just selling the tool. It's the guys who are using it in a way that's illegal.
Graham Cluley
And they claim that they're very careful about who they sell it to.
Thom Langford
Yeah, just like, you know, gun manufacturers in the US.
Carole Theriault
Yeah.
Graham Cluley
There goes 30% of our audience.
Carole Theriault
You wish.
Graham Cluley
Now, one important thing to point out, a lot of the media attention about this has been around the iPhone because there clearly is at the moment, there is a vulnerability on everybody's iPhone, which means your iPhone could be hacked without you having to do anything and people could spy on your messages, track you, etc., etc., right? There's loads of attention on that.
Carole Theriault
Turn it off, people, turn it off.
Thom Langford
Well, isn't the attention on the iPhone because frankly, it's the more secure choice generally? And so if they put their effort into breaking up the iPhone security, or at least subverting it even for a short period of time, the payoffs will be greater because people who do care about that security will be using an iPhone over a vanilla Android.
Graham Cluley
I tend to agree with you. iOS is more locked down. The other point which the researchers have made is that the security advances which Apple have built into the operating system actually leaves more forensic clues to determine that it has been hacked. So with Android, it's easier to clean up after yourself and not make it appear that it's been hacked. So it's actually harder to tell. Now, should you be worried as an iPhone user about this? Well, probably not. You're probably not targeted unless you're—
Carole Theriault
You're probably not important enough. That's what you're trying to say to our listeners.
Graham Cluley
Exactly. And neither are we, mostly.
Thom Langford
It costs money to put this thing on your iPhone, right? It's not— and probably not pennies.
Graham Cluley
But if you want to look, Amnesty International has released a tool which can help you check if your iPhone has been hacked. But it's not very easy to use. It's very much command line. It's kludgy and clunky, and you've got to be a bit of a nerd, and you've probably got to go quite far.
Carole Theriault
Are you offering services to our listeners?
Graham Cluley
No, I'm not. No. Bring your iPhones round to me. Form an orderly queue, socially distanced, please.
Thom Langford
Get your £10 notes out.
Graham Cluley
And I'll have a look at them for you. Thom, what's your story for us this week?
Thom Langford
Well, it's somewhat related because we all know what it's like to have our free speech curtailed, right? We all know that these trigger-happy tech companies will ban you for the slightest thing. I mean, Donald Trump is now suing Twitter and Facebook and others, etc. He knows all too well, you know, that they'll just happily censor everybody. And we all know what it's like when our favorite apps, you know, like Parler or whatever, are just removed from app stores because something about, you know, free speech and blah, blah, blah.
Graham Cluley
You're a big user of Parler, are you? And Gab? And are those some of your favorite? What are your favorite apps? What are the ones you most commonly use, Thom? Which would cause you most trouble if they disappeared?
Thom Langford
Do you know what? I'm looking at it now. Well, there's my Lego Star Wars one. That's probably going to be a bit of trouble. Or the one that allows me to unlock my car. That's going to be a bit of a problem. And probably Twitter.
Graham Cluley
You've got an app to unlock your car?
Thom Langford
Yeah. Haven't you?
Graham Cluley
Well, no, I have a key to unlock my car. Why do you need an app to unlock your car?
Carole Theriault
You probably don't have a key, Graham. You have a button.
Graham Cluley
Well, same thing.
Carole Theriault
A key fob.
Thom Langford
Oh, so a button. So your key sends an electronic signal over the air to your car.
Carole Theriault
Yeah.
Graham Cluley
Yes, but I'm close to it when it happens.
Thom Langford
So am I. Why would I want to unlock it when I'm in the town, you know, over the road from you?
Carole Theriault
Can it start your car?
Thom Langford
If you've got—
Graham Cluley
Sorry, this is something of a digression, but if you've got an app, presumably the app does it use the internet?
Thom Langford
It can do, if you wish, yes.
Graham Cluley
I see.
Thom Langford
Absolutely. Yeah.
Graham Cluley
Interesting.
Carole Theriault
Not really. Carry on.
Thom Langford
Carry on. Okay. Right. Okay. Anyway, so there was just another little segue just to bring these diverging stories together. There was a chap who you may recall called Erik Finman, the self-proclaimed youngest bitcoin millionaire, a young American chap. He became a millionaire at 18 after investing in bitcoin.
Carole Theriault
As you do.
Thom Langford
Yeah. Blah, blah, blah. Anyway, so he felt somewhat aggrieved at all of this censorship and cancellation culture that was going around. And he tweeted just the other day, today I'm announcing the Freedom Phone. Fuck yeah. This is the first major pushback on the Big Tech, capital B, capital T, companies that attacked us for just thinking different.
Carole Theriault
He timed it with Freedom Day in the UK as well.
Thom Langford
Exactly.
Carole Theriault
Not a PR numpty.
Thom Langford
It's almost like you know what you're doing, Carole. Complete with its own uncensorable app store and privacy features, all uppercase. We're finally taking back control. And then a little link to freedomphone.com. So please, you know, given the visual medium of this audio-only podcast, please do go to freedomphone.com.
Graham Cluley
Oh, it's like there's an American stars and stripes flying a lot.
Carole Theriault
Flapping, flapping in the wind.
Graham Cluley
Freedom Phone, completely uncensored. Buy it now. $499.99.
Thom Langford
Exactly.
Carole Theriault
It looks remarkably like an iPhone in that picture.
Thom Langford
Well, it's a very smart looking phone, but keep scrolling down.
Carole Theriault
Keep scrolling down.
Thom Langford
All the way down. So ban free uncensorable App Store, preloaded apps. I think Parler is one of them. A free speech first operating system called Freedom OS and your privacy guard. Say hello to trust. Now, would you like more information on this? You know, specs, what is Trust? What does it do? What's FreedomOS based on, etc.?
Carole Theriault
That's it.
Thom Langford
That's it.
Carole Theriault
Yeah, I'm looking. There's all the buttons say buy it now, buy it now.
Thom Langford
There's nothing. Oh, there's nothing there. No other features.
Graham Cluley
They're just buy links.
Thom Langford
Yeah, they're just buy links. And so if you go back to Eric and I'm not going to start quoting him again, but he basically says we've worked with the freedom-loving people of Hong Kong. And we've completely re-engineered the phone and used the most secure components and yeah, and all that sort of thing. So when I saw this, my first thought was, get your money out. No, I said, this is from The Onion, right? You know, The Onion satirical pages, because surely people aren't taking this seriously. Well, apparently not. It really is true.
Graham Cluley
So it really exists.
Thom Langford
It really is. It's available. Number of comments. Those things are uncensorable equals pirated apps. Malware infested. Sounds perfect for criminals. So the NSA and the FBI have backdoors already. There was someone called Hacker Fantastic on Twitter, did a series of breakdowns, and it turns out that it looks like it's a $100 Android white box phone. I'm trying to read this guy's tweets. It appears he's blocked me. Oh, oh, Hacker. Oh, he's blocked you.
Graham Cluley
I am blocked by him on Twitter. I think it's possible. Is he not the partner of Jennifer Arcuri? Former dancer and close personal friend of Boris Johnson.
Thom Langford
Yes.
Graham Cluley
I wonder if— 'Cause she hasn't blocked me, but her partner appears to have done. Okay, anyway, all right.
Thom Langford
Did you give us some money?
Graham Cluley
But I can't.
Thom Langford
Well, use your sock puppet account, Graham.
Carole Theriault
I found an FAQ, so that's interesting.
Graham Cluley
Oh, okay.
Carole Theriault
Did you? At the bottom, in the footer, where they— There's an FAQ there. Now, there's also a privacy statement. First one, what is your refund policy? Yeah, love it. I think they are expecting a few refunds. So yeah, this person, Hacker Fantastic, he's basically backward engineered in inverted commas from the photos and ascertained that it's using a certain chipset by a white box manufacturer and thinks it's this chipset because the reference models that use this chipset always have things like the SIM slot in this location, the camera, this location, the fingerprint sensor on the back in the center at the top. Yeah.
Thom Langford
Until there is some kind of confirmation of what this product is. But it seems to me like the world's biggest scam that a lot of people are actually going to buy into. You know, so an upsell on a $100 phone with what is ostensibly—
Carole Theriault
It's 5 times the amount, right?
Thom Langford
It's 5 times the price.
Carole Theriault
Yeah.
Thom Langford
And there's nothing illegal about that, but which will have a custom OS, which is possibly the same as what was in there before, but just reskinned maybe with an American flag and some aircraft flying majestically above it.
Graham Cluley
Oh, that is a lovely image, isn't it?
Thom Langford
It is. I mean, they're very nice.
Graham Cluley
Yeah.
Thom Langford
You know, and the branding as it stands is not bad. But do you know what? Certain people will flock to this phone thinking that they're, you know, owning the libs with it and they're the ones that, you know, it's going to be more like pwning.
Carole Theriault
Well, we don't know if they're up to anything naughty or not at this stage, right?
Thom Langford
No, no, not naughty per se, but I think they'll be using what is ostensibly an insecure platform.
Graham Cluley
I'm just reading the fairly minimal FAQ which Carole pointed out on their site. It's got this bit about, you know, what's the return policy if you don't like it?
Thom Langford
Yeah.
Graham Cluley
Customers may return the Freedom Phone unopened within 30 days of purchase. If it's opened—
Carole Theriault
And you checked it out and it doesn't work.
Graham Cluley
Yeah, yeah. If you've actually opened the box and thought, well, this is a pile of shit. Now, I can understand that if it's a pair of underpants which you've worn. That they wouldn't accept it back. But it seems a little bit unfair.
Thom Langford
How do you know if you don't like it if you've not used it?
Graham Cluley
Well, you've opened the box.
Thom Langford
Oh, I know.
Carole Theriault
It's your toilet paper, right, Graham? You can't return that.
Graham Cluley
Well, not once I've used it, no.
Carole Theriault
Well, once you've opened the package, presumably either. You can't just show up and say, sorry, I only used one of the 250 rolls.
Thom Langford
I didn't need all of them.
Graham Cluley
I needed quite a lot, but not quite all of them this time.
Thom Langford
It was quite a long year. You know, it looks a duck, quacks a duck, swims a duck, tastes a duck. You know.
Graham Cluley
Sorry, I thought you said it looked a phone.
Thom Langford
I thought you said—
Graham Cluley
What?
Thom Langford
It's probably a duck phone. Yeah. Or a phone duck or something. I don't know.
Graham Cluley
Carole, what have you got for us?
Carole Theriault
Okay, we're gonna have to use our brains for my story.
Graham Cluley
Okay?
Carole Theriault
Oh, brains. Prove that you actually have some here.
Graham Cluley
It's hot today, Carole. I don't know if I can do this.
Carole Theriault
I know it is hot. Trust me, I know.
Graham Cluley
My brain is like a balloon full of lukewarm porridge.
Thom Langford
Porridge. Yeah.
Carole Theriault
I'm in a sealed room right now with a huge window. I understand.
Graham Cluley
Okay.
Carole Theriault
So first off, tell me what you think. What services or professions do you think have the most private info about you? Like if they got hacked, you would just kind of go white as a sheet.
Graham Cluley
STD clinic.
Carole Theriault
Oh, good. Yeah. Doctors. Yeah. STD clinics.
Graham Cluley
Dominatrix. If I was on a— if I had an account with a dominatrix.
Thom Langford
Yeah.
Graham Cluley
Really? Would that really upset you if people found out about that?
Thom Langford
No.
Carole Theriault
Well, you doth protest too much.
Thom Langford
You mean that number you gave me is not valid? Is that what you're saying?
Carole Theriault
What about your therapist?
Graham Cluley
Oh yeah, yeah, yeah, right. Yeah, there was a Finnish psychotherapy clinic which was hacked and all that information ended up in the hands of bad guys. Do you not think that people— That was really terrible.
Carole Theriault
Accountants and tax dudes, that would suck, but because it's basically on money fronts, I suppose, right?
Thom Langford
It just shows how little you give to charity, right?
Graham Cluley
Plastic surgery on your nuna.
Carole Theriault
Oh yeah, on your nuna.
Graham Cluley
Is that what people are doing these days?
Thom Langford
On your— oh, is nu-na female?
Graham Cluley
Okay, on my nu-nu. Is it a nu-nu for a man and a nu-na for a woman?
Thom Langford
No, it's a foo-foo for a woman, isn't it?
Carole Theriault
No, God.
Graham Cluley
I'm keeping up with kids today.
Thom Langford
I know.
Carole Theriault
I don't think Thom's a kid. I wouldn't take his advice on this. All these people, like therapists, accountants, lawyers, priests, STD clinics, dominatrixes, they have information about you that you want to keep private, or you want to share in a limited fashion, or the way you choose to. Who wouldn't want your nana to know about your dominatrix proclivities?
Graham Cluley
My nana? What? Hang on, I know what a nuna is. What's my nana?
Thom Langford
It's your moneymaker, Graham. It's what you sit on.
Carole Theriault
And like a lot of these, other than the dominatrix in this story that has shown up, like lawyers, therapists, accountants can lose their jobs, right? If they don't represent you properly. So as this show is vaguely security-based, let's pretend one of you or both of you are the head honchos of a ransomware crew, okay?
Thom Langford
Mm-hmm.
Graham Cluley
Oh, bad guys?
Carole Theriault
Yeah, you're the bad guys.
Graham Cluley
Thom is bald, so that already makes him slightly evil in my eyes.
Thom Langford
Let me grab a local alley cat to stroke on my lap while we do this.
Carole Theriault
And what profession would you try and hit first of the ones we talked about? What profession? Ransomware is all about the money. Healthcare?
Thom Langford
Absolutely.
Graham Cluley
Smashing Security is now giving advice on who ransomware gangs should target next. That's what you're doing.
Carole Theriault
I'm not giving advice. I'm just saying what you would do.
Graham Cluley
No, you're suggesting we come up with some suggestions for them.
Thom Langford
We're like the NSO here in the sense that, you know, we merely provide the information. What people do with it is entirely up to them. So yeah, I'd hit healthcare because they have lots of sensitive information. Take lots of people's money but never spend it on security.
Carole Theriault
But it doesn't really win the hearts and minds of the folks that hear about it afterwards, right?
Thom Langford
Hearts and minds of who? I'm a criminal.
Carole Theriault
I think there's optics is what I'm — I think there is optics from the bad guy's point of view as well.
Graham Cluley
Do you?
Thom Langford
Do you really think so? I'm a criminal, I'm bad whatever I do.
Carole Theriault
Yeah, I think they do. I think some do.
Graham Cluley
I'm bad, I'm bad, I'm really, really bad.
Carole Theriault
I would argue that lawyers are the ticket. Lawyers are a good ticket here because —
Thom Langford
Are you representing, you know, a ransomware gang or something from a PR perspective here, Carole?
Carole Theriault
No, because I'm really freaking moral. Lawyers 'cause they know the prestigious ones, they swoon over their rich clientele, trot them out whenever possible to lure in new clients. So you know who's on their books, not maybe everyone, but you know a few. And people seem to open up to lawyers and give them a service fee every month, if you're using one regularly.
Thom Langford
Well, Thom, first of all,
Carole Theriault
And lawyers care a lot about reputation and trust. So I'm wondering if they would be more likely to pay the ransom to have everything shut up, don't dox us on the darkweb.
Thom Langford
there's nothing to find out.
Graham Cluley
Well, maybe, maybe, yeah.
Thom Langford
It's a very good point as well, because actually also the lawyers' clients will also be flush with cash potentially. And you can also hit them too. Can I just stress that?
Carole Theriault
That's the information you want. I mean, I'm guessing that's what you want to either nab or lock up. So let's say, boys, that your law firm, you guys are, you know, swinging around with lots of cash, and your law firm that you trust with all your financial business and even some personal goings-on gets hit by ransomware.
Graham Cluley
Oh, hang on, we're good guys now.
Thom Langford
Are we still criminals yet?
Graham Cluley
Yeah, because we were the ransomware gang.
Carole Theriault
Now I know, I know, we're swapping sides, right? So now —
Thom Langford
Oh, right, right, pivot, pivot, pivot, pivot.
Carole Theriault
Okay, so what would be the things you'd want to know? If you find out your law firm's been, you know, hi, sorry, we've been — I don't think they tell you. Okay.
Graham Cluley
Okay, yes, I definitely would. I definitely would want to know that, and I would want to know that they knew how they'd been got and that they were going to stop it.
Thom Langford
And how long they'd been in there for.
Carole Theriault
Right. Yeah, I love when they really kind of come clean, right? Say that on this date, this happened. We noticed at this time, we then did this, we didn't. I love that. So this week we learned that a so-called prominent and I assume very expensive law firm was hit by ransomware earlier in the year. And in the show notes, I've put in their statement that's on their website and I've highlighted some key areas. But I want to know if you think what's good about this and what's bad. People are listening to the show and this is going to happen to people where they're going to have to inform people, yeah, you know what, we've been hit by ransomware. What's leaving a bad taste in your mouth here, if anything?
Graham Cluley
Oh, I'll tell you the first thing which annoys me. So I'm reading this right now. I imagine we're going to put a link to this in the show notes.
Carole Theriault
Yeah, we will, definitely.
Graham Cluley
Yeah, I'm reading this, right? It looks like it's been written by a lawyer.
Thom Langford
It's so boring.
Graham Cluley
It says Campbell blah blah blah blah blah is providing notice of a recent data privacy incident.
Carole Theriault
I think that's very interesting though, that title. So the title, let me just read it out correctly so people can know. So Campbell, Conroy, and O'Neill provides notice of data privacy incident. So that is a kind of keyword, because you're going to look for ransomware hack, ransomware attack, you know, or victims, and there's nothing in there. So I found that quite interesting.
Thom Langford
They've got anti-SEO people working on it.
Carole Theriault
Well, for example, if a bunch of richy rich people at a swanky law firm, if a law firm gets hit, you might not feel as bad as if it's a bunch of cancer patients that can no longer get their meds because the machines have been screwed.
Graham Cluley
The following notice includes information about the event, steps taken since discovering the event, and resources available to help individuals protect against potential misuse of their information should they feel it is appropriate. I'm already bored.
Carole Theriault
No keywords. No keywords.
Graham Cluley
Yeah.
Thom Langford
That is fascinating.
Graham Cluley
It's quite dull.
Carole Theriault
So they say it all happened on the 27th, right? So that's a long time ago, 5 months.
Graham Cluley
27th of what?
Carole Theriault
27th of February. Sorry, 27th of February 2021.
Thom Langford
Wow.
Carole Theriault
So that's a long time they took to kind of—
Thom Langford
That's about right, you know, upwards of 9 months in most cases.
Graham Cluley
Oh, so it wasn't that they were hacked then, that's when they became aware of it?
Carole Theriault
Yes.
Graham Cluley
So for months they've known about this.
Thom Langford
And they've only just said?
Carole Theriault
Mm-hmm. And they say at the end, Campbell's providing notice because investigation thus far determined— okay, so now 5 months on— determined that certain information relating to individuals, i.e., you guys, the clients, was accessed by the unauthorized actor. So you want to know what information they stole, Graham?
Graham Cluley
Yes, exactly.
Carole Theriault
Please, please list out and tell me if you'd be worried.
Graham Cluley
So what information was involved? So we want to know what data has come out. Okay. We cannot confirm if the unauthorized actor accessed or viewed any specific information relating to individuals. However, we determined that the information present in the system included certain individuals' names, dates of birth, driver's license numbers, state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials, i.e., usernames and passwords.
Thom Langford
Passwords?
Carole Theriault
So basically, people use lawyers as a kind of online vault for passwords, right? Because they can go and access these accounts as well. Like, that is worse than what you give any other profession, I think. Like, you'll give your therapist some of that info, but not all of it.
Graham Cluley
Have they got my data? Have they got our emails? Anything we've said to you, is that now in the hands of criminals? What the hell's happened?
Thom Langford
Yeah.
Carole Theriault
Like, everything is in there. So what they said was, we're not sure what was taken. But here's a list of data that we hold on you just in case. Yeah, what do they take? What do they take? Yeah, okay, they take — okay, that's a good question. Anything else?
Thom Langford
What version operating system you're using on your systems, because that'll tell me pretty much how much data they've got. Because if you're using Windows XP, then —
Carole Theriault
And we can't confirm or deny that they've seen this, taken it, or will do anything with it. Jesus Christ. And it took them 5 months to work— they could have announced that the day after.
Graham Cluley
You mean which service pack do you have?
Carole Theriault
Why would you care about that? But don't worry, the next paragraph, 'What we are doing,' and then we get that famous sentence that we love.
Thom Langford
Because if 'Cambridge Analytica is committed to and takes very seriously its responsibility to protect all data entrusted to us.'
Graham Cluley
It's all a bit waffly. It's not really very much in the way of detail here, is it? You don't care.
Thom Langford
they're using — Yes! But also, if they take it all so seriously, why were passwords there? Let me finish. It might be your show and all, but blimey, I'm the guest.
Carole Theriault
Like, were they encrypted?
Thom Langford
Probably not.
Carole Theriault
Were they hashed? Probably not. Well, if they were encrypted, it wouldn't have been lost. VIP guest.
Thom Langford
So if they're using Windows XP,
Graham Cluley
Yeah, hashes, yeah.
Thom Langford
Yeah, that's fine.
Carole Theriault
But now you've been paying your lawyers, right? You've been paying these guys. Let's say they've been paying them $5,000 a month, right?
Thom Langford
right, then I've got a case
Graham Cluley
So you go to another set of lawyers who might then lose their—
Carole Theriault
And they've been your dutiful lawyers with all your passwords and your passport information and your SIN number and all your stuff. What do you do at this point, right? So you're reading this and you're thinking, well, what do you give me?
Thom Langford
Might take— exactly.
Carole Theriault
What's the kickback? Because this kind of sucks for me in a big way, right?
Thom Langford
for gross negligence against my lawyers.
Carole Theriault
Would you care about how they got in?
Graham Cluley
Yeah. How are you going to help me? I don't know if I would. No, I don't know if I— not if I— no, I don't know.
Thom Langford
Oh, I know, I know, I know what they're going to give them. They're going to give them a year's free credit check with a credit check agency.
Carole Theriault
Would you care about what they're going to do about it if you're unhappy with what information, if it has an impact on you? Yes, two years. Two years. They went out, yeah, 24 months of complimentary access to credit monitoring, fraud consultation, identity theft restoration services.
Thom Langford
Yes, of course, absolutely.
Carole Theriault
So, but they put it on you, right? Like, they'll pay for it, but it's your responsibility to manage all this and to activate it. Like, it's not by default. And they'll only give it to people that they say, we can guarantee your information was at risk, but they don't know that.
Graham Cluley
Okay, so not all of their clients are going to get it. Anyone who they believe are affected, even though they don't know who was affected or what data was lost.
Carole Theriault
Exactly. So they give you the telephone number and the times to call when they will answer, and then they'll say the call center will verify whether you're eligible for services between 4 and 4:05 every third Thursday. And then they say, they don't stop there. They also say, hey, this is how you can help monitor your accounts. So there's a load of stuff you can do, get one free credit report annually to check. If you've used that already, oh well, too bad. And you can get a fraud alert. So all these things that don't impact your credit score, but can— well, just by security versus usability, it locks up your account. So you can't— people can't do checks without you confirming, yes, that one's okay, you can go do a check.
Graham Cluley
You can also do a thing called a credit freeze, can't you?
Carole Theriault
Yeah, yeah.
Graham Cluley
And I see that they're suggesting that to people. All you have to do is contact the organization with your full name, Social Security number, date of birth, lots of other—
Carole Theriault
Photograph of your driving license, addresses for the past 5 years, proof of current address. Yeah, it's so—
Thom Langford
Please just email this to .
Carole Theriault
So it's kind of interesting, I don't know. And I was thinking I wouldn't be happy with this, right?
Thom Langford
Can I just ask, they've said what happened, they've said that they take it seriously, they've then said, here's what you are going to do about it. Have they said what they are going to do?
Carole Theriault
They are, as part of their ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures.
Graham Cluley
Well, I'll tell you what they're going to do. They're going to lose some customers.
Thom Langford
Yeah.
Graham Cluley
Who are going to go to another law firm.
Carole Theriault
That is what I wanted to know. That was my next question. Would you just walk at that point? Or would you think, oh, my data's already out, who cares? At least, you know.
Thom Langford
I would want to have a meeting, a face-to-face meeting, maybe with others as well, you know, other customer clients, but a face-to-face meeting with their head honcho who can look us in the eye and talk about all the things that they did wrong and now what they're doing right about it. And if that didn't satisfy me, then I would definitely walk.
Graham Cluley
You basically want a public lynching, don't you, Thom?
Thom Langford
I mean, you know, pitchforks are optional, obviously.
Carole Theriault
But surely the clients are the real victims with no culpability whatsoever. So do you feel it's fair to say they have some culpability in it because they agreed to secure the information that we shared with them and they let the side down?
Graham Cluley
I'm not a lawyer, so I wouldn't be able to tell you if they're culpable or not. I'd need to engage some sort of law firm to give you advice on that.
Thom Langford
Exactly.
Carole Theriault
But don't you feel— I would say the more carefully worded these kind of communiqués are done, the more it gives me, I want to pay more attention to what you're not saying.
Graham Cluley
Yes, but you're never going to get any empathy or humanity from a lawyer, Carole Theriault, are you? What's the first rule of a revolution? Is that you line up all the lawyers to shoot them?
Carole Theriault
Don't you have lawyers in your family? You have lawyers in your close family, do you not?
Thom Langford
I do.
Graham Cluley
That's why I know so much about them.
Carole Theriault
Wow.
Graham Cluley
That's why I know how they can be— Wow.
Carole Theriault
Smashing Security sponsors Offensive Security, our industry leaders in providing training for your organization. The training is designed by the same minds behind Kali Linux and OSCP. Oh, now you're paying attention. So Offensive Security offer a number of different programs. There's the OffSec Flex program, which allows you to train on your own schedule. There's the OffSec Academy, offering industry-leading OSCP certification through dedicated one-to-one mentoring and virtual training. Or if you want to develop your team's pentesting skills in highly realistic simulated networks, Offensive Security experts have got your back. See, it comes down to this: the skills gap is increasing, meaning it's more important than ever to train your staff effectively and efficiently. Learn more about Offensive Security at smashingsecurity.com/offsec. That's smashingsecurity.com/offsec.
Graham Cluley
Create a culture of security with 1Password. Around 80% of business data breaches are due to weak or reused passwords. Well, using 1Password can close the gaps in your company's security and help your employees stay secure wherever they are. With the right tools and the right mindset, you can create a culture where your employees feel empowered to share responsibility for security risk management. 1Password makes the secure thing to do the easiest thing to do by letting your employees stay secure without slowing them down. 1Password makes it easy for employees to play their part in personal security and, by extension, the security of your company and customers. Learn more and try 1Password free for 14 days at 1Password.com.
Carole Theriault
So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are able to make smart security decisions. And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4.
Graham Cluley
Smashingsecurity.com/freetest. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Thom Langford
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Thom Langford
Better not be.
Graham Cluley
Sound like in harmony there. Wow, amazing. My pick of the week this week is not security related. Instead, it is a love story.
Carole Theriault
What?
Graham Cluley
Yes, it is a love story.
Carole Theriault
You went soft on us.
Thom Langford
Are you talking about Columbo again?
Graham Cluley
No, no, it's not about Mrs. Columbo or anything like that. It is a love story about Randy Santel and Katina DeJarnett, how they met and fell in love.
Carole Theriault
Are we supposed to know who they are?
Graham Cluley
Let me read to you the opening paragraph of the article, which will put it in some context.
Carole Theriault
Okay.
Graham Cluley
Randy Santel didn't really develop feelings for Katina DeJarnett until he saw her scoff down king crab legs, salmon pizza, shrimp calamari, seafood tacos, a Cobb sandwich, halibut, fries, onion rings, and chowder in 1 hour, 36 minutes, and 40 seconds.
Carole Theriault
Is this eating competitions?
Graham Cluley
They are both professional full-time eaters who became friends on the circuit and then found love.
Thom Langford
Oh.
Graham Cluley
I don't know if you've ever thought about professional eating, Thom, and becoming a professional eater.
Carole Theriault
Obviously, you've been thinking about it nonstop while you've been on your fitness craze. This explains everything.
Graham Cluley
Well, it's a heartwarming story which I read, and I thought that's rather lovely. And it tells the story of how they make money eating and the amounts which they eat. And they have millions of YouTube subscribers and Facebook fans and have somehow managed to monetise this. And people love to see these sort of things. Anyway, they found each other and fell in love. And so I read that story, and I will put the link in the show notes, and you can read more of this.
Carole Theriault
Yeah, I don't know how I feel about eating competitions. I don't— I'm not comfortable with them, and I don't know why.
Thom Langford
Yeah, it's not the '50s anymore.
Carole Theriault
Yeah, I don't judge the people that like it.
Graham Cluley
You sound pretty judgy to me.
Carole Theriault
Okay, I'm not trying to sound judgy. I just think—
Thom Langford
I'm with you, Carole, on this, I have to say.
Carole Theriault
Yeah, I wouldn't want to go to an eating competition and watch. I might have some morbid fascination, but then it would be more— I wouldn't feel— I wouldn't like that either, right?
Graham Cluley
What about love? Isn't it good? Love's great.
Thom Langford
Love, love.
Graham Cluley
You can find love in all kinds of places.
Thom Langford
Yeah, maybe they could have found love in a park. You know, rather than sat in front of half a ton of food that they eat within an hour and a half. That produces vast amounts of waste.
Carole Theriault
Do you think, yeah, do you think they're ever sick? Do they have a sick bag close by at all times? Just, you know.
Graham Cluley
Tina says she's never actually thrown up as a result, but I think Randy sometimes has.
Thom Langford
He visits the vomitorium afterwards.
Graham Cluley
Yeah. Anyway, I think, you know, it's good that they found love and I found friends.
Carole Theriault
This is evidence that Graham has a heart. Is that what you're saying?
Graham Cluley
That's what I'm saying. I'm just producing evidence today that I have a heart after the abuse I've had recently for some of my picks of the week. I'm just trying to give you something a little bit different. So that is my pick of the week. Thom, what's your pick of the week?
Thom Langford
Well, I'm going to produce evidence that I'm actually a bit of, still a bit of a nerdy child at heart. So one of the many lockdown hobbies that I've taken up is I find myself as an adult with enough— not enough disposable income, but enough disposable income to buy all the Lego kits that I never got as a kid.
Carole Theriault
He was saying under his breath, Lego, Lego, Lego.
Thom Langford
So yes, yeah. And I now have, you know, Saturn V and the lunar lander and the space shuttle and all that. So all of the big stuff, right? And a few of the Star Wars heads and stuff, you know, helmets collection. And I just finished over the weekend a typewriter that actually makes, you know, you can actually type things. It makes clicky clacky noises.
Graham Cluley
Oh, really?
Carole Theriault
I like typewriters a lot.
Thom Langford
Yeah. Yeah. Oh, well, you'll love this. I'll send you some photos.
Graham Cluley
Oh, you and Tom Hanks?
Carole Theriault
Send me a pic. Send me a pic. Well, me and Tom Hanks.
Thom Langford
But my pick of the week is not LEGO directly. It's actually an app called Brickit. Brick IT. And you can, if you're in front of a computer right now, go to brickit.app. It will give you even less information than the Freedom Phone because it is quite literally an app. But what the app does, and this is the really cool tech part, is you lay out the Lego that you have, all the pieces that you have on the ground, spread them out a bit, hold your phone up, press the scan button, it scans all the Lego you have, identifies what each piece is, what color it is, and then suggests things that you can build with said Lego. Oh, even to the point where it will point out where the particular piece that you need is in the pile.
Carole Theriault
Okay, that's amazing.
Graham Cluley
Okay, yeah, Thom's won. Thom's won. Stop the show.
Thom Langford
This is a first version. It's only on iPhone, not on Android, probably a security thing. But at the moment, you can only build stuff, build sort of non-LEGO ideas for want of a better term. But I believe that they will be in the future. You could lay out the stuff for, I don't know, your motorized AT-AT walker, and then it will find everything for you and then give you the instructions for how to make that in the future. That's possibly coming down the line. But right now it will categorize. I believe it will also, you know, start to create a list of what you've got and all that sort of stuff. And just actually watching it do its thing is worth the download alone. It's free currently, although I think many people would end up paying for it, you know, for advanced features, maybe such as being able to rebuild your original LEGO kits and stuff. But yeah, absolutely brilliant. It works.
Carole Theriault
Is it pretty new? It doesn't seem to have a ton of ratings at the moment. I'm just looking at it.
Thom Langford
It is literally the last couple of weeks, I think.
Graham Cluley
It looks brilliant, Thom. My concern is that the evil lawyers at LEGO are going to shut this down.
Thom Langford
Well, maybe they might, or maybe they will see it as a partnership that will allow them to help to unleash further creativity, because that's where they go.
Carole Theriault
Yeah, just because they didn't think of it, maybe they'll buy it. That would be the smart thing to do.
Thom Langford
Exactly. Yeah, or invest in it. Exactly. Yeah, you know, because it will reinvigorate interest in old Lego, you know, and reinvigorate the brand. So I'm hoping this will be a good news story, not a harbinger of you know, it all going wrong.
Carole Theriault
So, okay, keep your eye on the story and then you come back and let us know.
Thom Langford
Yeah, absolutely.
Carole Theriault
Wow.
Graham Cluley
That is, I mean, I obviously haven't tried it, but it looks like an amazing app. How cool.
Carole Theriault
I once bought my nephew, you can buy, I think it was on eBay. You can buy kilos of Lego, right? That people sterilize, they say. And you buy these huge bags of it.
Graham Cluley
Yeah.
Carole Theriault
And I gave him— I bought a ton of bags and gave it to him. So yeah, but God knows what's inside that. It's just different pieces. So this would be kind of perfect, wouldn't it?
Thom Langford
Yeah, that's exactly it. It really helps you do that sort of thing. Now I don't have enough because my collection is literally just the stuff I've bought in the last 9 months basically.
Carole Theriault
And they're all made. You don't take them apart, do you?
Thom Langford
And they're all made. So I've literally got the 6 pieces that are left at the end of every pack, you know, in a box, and it says, can't make anything out of this. But we've got some, you know, in the loft somewhere, so I'm probably going to dig it out and, you know, pull out, pull up a handful out and see what it comes up with. Yeah, it just looks really cool.
Carole Theriault
Yeah, it's a great pick of the week.
Graham Cluley
No one's going to read my competitive eating love story now. No, everyone's going to be looking at Brickit, and I don't blame them. Oh, what have you got? What's your pick of the week, girl?
Carole Theriault
An animated series. Now I've chosen this because my buddy Thom here likes a cartoon as much as I do. We've talked on the show before about Rick and Morty, Final Space, Bob's Burgers, Invincible. Yes, Invincible. And a new one for you, Central Park. I don't know if you know it, Thom. Yeah, it's available on Apple TV and available for purchase as well. Do you like it?
Thom Langford
Yes, I'm not a huge fan of musicals, but it's growing on me, I have to say, because it's by the same people who did Bob's Burgers, right?
Carole Theriault
Yes, that's right. So basically the story is an animated musical series that tells the story of a family who live in the middle of Central Park, and they're the park caretakers. And their whole, I guess, the premise of the show is they have to protect the park from people that are trying to, you know, commercialize it, for example. And what's really kind of cool about it is it's the first time I've ever seen something set in New York City that wasn't focused on buildings or loud, crazy streets, right? You're kind of in the peaceful Central Park the whole time. And there's this wonderful foil on the show, Clue, that you would love. There's this grumpy old harridan called Bitsy Brandenham. And she's just gorgeous. She's conspiring to demolish Central Park and turn it into condominiums and shopping malls. But she's perfect because she's played by none other than Stanley Tucci, right, who is just a hair behind Jeff Goldblum and just ahead of that, what's his name, the hairless UK conservative politician, short guy, William Hague. William Hague, who I love as well, right on the hot scale. So Stanley Tucci's hot.
Thom Langford
I thought you were going to say something like Baby Voldemort or something like that.
Carole Theriault
No, I just have this thing for William Hague.
Thom Langford
I can't explain. Oh really? Oh yeah.
Carole Theriault
Better than Bitsy is her assistant. She's the maid, the shit eater, the caretaker. She's played by Daveed Diggs, and she hates her job but wants to be written into the rich employer's will. So she puts up with all the crap. But the real star of the show are the tunes, I think. The songs are pretty on point. I was looking at them going, God, the rhymes are so good. The beats, melodies, everything. And then, so I went looking to see who is doing this. And there's a huge list of contributors, right? Cyndi Lauper, Fiona Apple, Kate Anderson. There's tons and tons of them. So, and it's, I would say, probably for 10-year-olds, maybe a bit, maybe 12 and upwards. Check it out.
Thom Langford
Central is 50.
Carole Theriault
Oh, at least 99.
Thom Langford
Yeah. So, check it out. It's called Central Park. I'm going to get back into it. You should.
Carole Theriault
Second series, I think, is even better.
Graham Cluley
Very, very cool. Sounds great. Well, that just about wraps it up for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Thom Langford
I'm on Twitter @ThomLangford. That's Thom with an H. Thom Langford and ThomLangford.com. And that's about it really. So yes, please join me in my quest to get a blue checkmark just like Graham.
Graham Cluley
And you can follow us on Twitter @SmashInSecurity, no G, Twitter allows to have a G. And we're also up on a Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Carole Theriault
And thanks to this episode's sponsors, KnowBe4, Offensive Security and 1Password, and to our wonderful Patreon community. It's thanks to them this show is free for all. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 236 episodes, check out smashingsecurity.com.
Thom Langford
Until next time, cheerio, bye-bye, bye, ciao!
Graham Cluley
You know what's not weak, bro? Thom's riposte to Javvad on the latest Host Unknown podcast.
Thom Langford
Oh yes.
Graham Cluley
There was a bit of argy-bargy.
Thom Langford
There was.
Carole Theriault
I haven't heard it.
Thom Langford
Tell me.
Graham Cluley
Let's just say tempers got a bit raised. Emotion. It got emotional.
Thom Langford
Jav decided to up the ante and actually it did, although he did piss me off and I did say that, but frankly, it made for a good podcast.
Graham Cluley
It was great. Yeah, great. Because you both had your opinions very strong. I actually agreed with you, Thom. Yeah, I have to say.
Thom Langford
Yeah. And they pointed that out when they read your blog post. Oh yeah. It doesn't surprise us to see Graham's on the side of the old white man Thom or something like that.
Carole Theriault
I'm going to go listen now. You see, you got my interest.
Thom Langford
Yeah. We've had a couple of comments about how it's good to have a podcast where not everybody agrees with each other.
Graham Cluley
Oh yeah.
Thom Langford
Yeah. So I agree, Graham.
Carole Theriault
I agree, Thom.
Graham Cluley
I don't agree.
Carole Theriault
I think it's a good podcast.
Graham Cluley
No, it's a terrible idea.
Carole Theriault
I agree. Terrible.
Thom Langford
The thing was, if I'd known he was going to do it, I think it would have been more fun, but it just came out of nowhere. And then I said, is he serious about it? Is he honest?
Graham Cluley
He was very serious.
Thom Langford
Yeah. But he said afterwards that he decided he needed to stop as the spittle started to drop from his lips.
Graham Cluley
And you had to mediate, Karl.
Thom Langford
Yeah, he did.
Carole Theriault
And he would be a good mediator.
Graham Cluley
Come on, boys, it's not worth it. It's not worth it, lads.
Thom Langford
Leave him, Darren, he ain't worth it.
Carole Theriault
Hey everybody, Carole here. Now I've got to do this week's review selection really quickly because someone is using a chainsaw nearby. However, we got two very cute reviews. The first one comes from Wilsonium, who writes, "I have a bit of a reputation for getting out in the weeds, mostly unintentionally, but I never regret the journey. Carole, Graham, and friends take me out into the cybersecurity weeds every week, and I love it. Thanks for all the episodes full of warnings about which IoT wearables to avoid, apps to avoid or delete, and what happened to the eccentric players. Best of all is the rich history brought to the table with a colorful sense of humor shining a light onto some of the not so great tech out there. Thanks again for all the hard work and dedication put into each episode." Wow, that's positively swoon-worthy, Wilsonium. And we also got another delicious review. This one might have been from a baby or toddler who was playing with the phone. The review gives us 5 stars. The title is "XX" and the message is "SDD" and it's from EEJFGNJH. So thank you very much. And you guys stay safe out there and see you next week.
EPISODE DESCRIPTION:
Spy software known as Pegasus has been used to carry out surveillance on the smartphones of journalists, activists, and political leaders. Can a "Freedom Phone" be trusted? And a ransomware-hit law firm demonstrates how not to keep its customers informed.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.