This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
She claims that at age 9, she created very detailed drawings of a time machine. Now, you guys are both parents.
Thom Langford
So did I.
Carole Theriault
You guys are both parents, right? Does that indicate genius to you? Is that a sign?
Graham Cluley
No, just means you've drawn a police box or something.
Thom Langford
I mean, what is that? Yeah, exactly. Exactly, yeah.
Graham Cluley
What do you mean, very detailed drawings of a time machine?
Carole Theriault
I told my husband this and he looked at me completely nonplussed and said he and his brother made a full-size TARDIS console out of cereal boxes at age 9, so she could fuck off.
Unknown
Smashing Security, episode 243: Breaking News, Apple Zero Clicks, and Bad Blood with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 243. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And we're joined this week by a special guest. It is Thom Langford.
Carole Theriault
Is he that special?
Thom Langford
He is, apparently.
Carole Theriault
He thinks he is.
Thom Langford
He keeps coming back. It's you know—
Graham Cluley
Like gonorrhea.
Thom Langford
Yeah, well, when I was born, they broke the mould and unfortunately it keeps going back.
Carole Theriault
You know, it's a bit friends with benefits, right?
Graham Cluley
I hope not.
Thom Langford
What time should I pop over, folks? Yeah.
Carole Theriault
I'm just saying, you just call on Thom when you're a little bit bored and you're "oh God, I need another show." Again.
Thom Langford
Yeah, I always deliver, always deliver the goods.
Carole Theriault
We'll see.
Thom Langford
On time, on budget.
Carole Theriault
And let's thank this week's glorious sponsors, TiVo Networks and 1Password. It's their support that helps us give you this show for free. Coming up on today's show, Graham, what do you got?
Graham Cluley
I've got some industry news.
Thom Langford
I've got a story that you'll give zero clicks about.
Carole Theriault
And I'm going to natter about a high-tech startup that had a tech scandal.
Carole Theriault
All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Well, chums, it's that time of the show where we head over to our news sources over at the Supermarket PA Newswire, who've been very busy bringing us the latest and greatest supermarket news from around the world.
Carole Theriault
Industry news. All new Waitrose deliveries and in-store collections will be bagless, eliminating an estimated 40 million plastic bags per year.
Graham Cluley
Industry news. Tesco cherry lovers in for a treat after UK tropical weather creates huge crop flush. Industry news.
Thom Langford
Coffee just got a latte better. Sainsbury's makes it easier than ever to recycle aluminium— aluminium for our friends— coffee pods at home.
Graham Cluley
Industry news.
Carole Theriault
Walmart announces major partnership with Litecoin. What?
Graham Cluley
Industry news. And that was this week's Industry News.
Thom Langford
Tell you what, it's being in the room.
Graham Cluley
Now, some fascinating topics there brought to us by our US correspondent.
Thom Langford
Huge if true.
Graham Cluley
Huge if true. One of them which caught my eye was this news from Walmart. Walmart, of course, I think many Brits may not be that familiar with them, but certainly in the States, they're a bit big, aren't they? They're big in North America. Do you have them in Canada?
Carole Theriault
They're huge. They're huge. They own ASDA.
Thom Langford
I was going to say, aren't they?
Graham Cluley
Yeah.
Thom Langford
Yeah. Okay.
Graham Cluley
Well, they are by far the largest food retailer in the States, big grocery chain. And they issued a press release this week saying that they would accept the Litecoin cryptocurrency as payment at its retail stores from 1st of October. Huge cryptocurrency news.
Carole Theriault
I can't believe it.
Thom Langford
And also that well-known cryptocurrency Litecoin. I think even Dogecoin is more known than Litecoin.
Carole Theriault
Okay, Thom. Yeah, but which of their customers? Who are all the Litecoin users for whom they think this is useful?
Graham Cluley
Yeah, well, you know, everyone's going to be getting Litecoin now if Walmart are using it, and I would imagine lots of people are getting terribly excited.
Thom Langford
Oh, and I see where you might be going with this as a result.
Carole Theriault
what about you?
Graham Cluley
Well, this is why it is terrible, is because if it was true, this would be huge news, but it is not true. Shock.
Carole Theriault
Okay, so someone who's listened to the show for what, 4 minutes have we been live now, and decided they had to go for a poo and didn't want to take their phone with them or didn't have their Home Assistant in their bathroom will think this is true. Well, you buried the headline.
Graham Cluley
Huge but not true.
Thom Langford
So by Home Assistant, do you mean Butler?
Graham Cluley
It is fake news, everybody. This big news about this partnership between Walmart and Litecoin was announced on Globe Newswire. They are a news agency. They're not some new kid on the block. They've been around since the late 1990s. So it's a respected newswire like the PA Supermarket Newswire, like PR Newswire, like all those other newswires who are out there. And this news release, which appeared to come from Walmart, was picked up by the likes of Reuters, CNBC and others, and it was even tweeted out by Litecoin itself after they saw news about their digital currency reported by Reuters.
Thom Langford
So all of these established companies just re-released this information without any kind of fact-checking.
Graham Cluley
Including one of the organizations which was actually being referred to in the press release.
Thom Langford
So it was about them partnering with Walmart. Well, I mean, I can understand that. I mean, who knows with some of these crypto companies, right?
Carole Theriault
Well, look, at the time of recording, Graham, Apple's making some announcements, right? And what if an announcement came out, a tweet came out saying, hey, and the next iPhone is going to feature a Graham Cluley etching on the back of the phone. This is very exciting. Would you retweet it?
Thom Langford
Oh, it could match the one on the ceiling of my bed.
Carole Theriault
Whether you thought it was true or not, would you retweet it? We know the answer.
Graham Cluley
I'm slightly more disturbed by what Thom's just said. Well, no, of course I wouldn't, because I wouldn't believe it was true. No, I would not.
Carole Theriault
You would retweet it going, look at this, guys, smiley face, smiley face.
Thom Langford
It would match your blue tick on Twitter.
Graham Cluley
Now listen, listen, you chumps. Listen, you scallies. What do you think happens when news like this comes out about a cryptocurrency teaming up with the world's largest grocery chain?
Thom Langford
I guess they get a lot of visits and a lot of purchases of Litecoin, perhaps.
Graham Cluley
Exactly. People buy Litecoin thinking, well, that's got to be good news for Litecoin, that's going to increase adoption of that cryptocurrency, I'm going to move my investment into Litecoin.
Carole Theriault
I can get plastic pools and furniture and food for life, right, if that climbs up in value.
Thom Langford
Unethically sourced food. I'm happy to pay for that with cryptocurrency.
Graham Cluley
Well, we're all used to cryptocurrency prices being volatile. The value can rocket to the moon at lunchtime, tumble back to earth within a few hours, up and down, up and down, up and down.
Carole Theriault
So much like a roller coaster.
Graham Cluley
The price of Litecoin jumped from £125 per token to £170 in a very short period of time. Yeah, an increase— I don't know if either of you are any good at percentages— an increase of 40? Oh, close. I'm very impressed, Thom. 36%. 36%.
Carole Theriault
It's kind of meh.
Graham Cluley
Not a bad profit.
Carole Theriault
Yeah, but, you know, I don't know.
Thom Langford
Well, I mean, if you're responsible for that story and you time it right, you're making 36% free money.
Graham Cluley
Yeah, exactly.
Thom Langford
That's the point, isn't it? It's like the bank that made an announcement that they had been breached. Or a financial institution, their stock price fell dramatically. By the time the bank had realized that actually the announcement was not made by them, the attackers who did make the original announcement had bought their stock, then announced that they weren't breached and that it was an attack and they should ignore it. The stock went up and then they sold it.
Carole Theriault
Yeah, like a little pump and dump, but with a modern twist.
Thom Langford
They did that all before the bank itself or financial institution itself could actually respond themselves.
Graham Cluley
Well, that's really interesting, isn't it? Because of course we see all these ransomware gangs who announce their victims. They could potentially, because they run websites where they announce, you know, who's been caught and some of the media are closely following those. They could announce that a company has been hit by ransomware when it hasn't and make money on the stock market, couldn't they?
Thom Langford
Yeah.
Graham Cluley
Very sneaky. Well, CNBC were amongst the media that reported the news before verifying that it was true. It's only when they contacted Walmart's press office asking if anyone could come on and talk about the new partnership that they discovered it was nonsense, and Walmart confirmed that they had no relationship with Litecoin whatsoever.
Thom Langford
So what they did was they ran the story and then phoned Walmart?
Graham Cluley
Yeah.
Carole Theriault
Well, no, because they want to double down, right? They've written a story that had gotten lots of clicks. So they wanted to do a, you know, a little interview, and that's where it all fell apart, I bet.
Graham Cluley
And, you know, it appeared to be a press release put out through an official channel from Walmart, so most people will take that at face value. I mean, Litecoin believed it.
Thom Langford
Yes.
Carole Theriault
So, you know, I wonder how many algorithms actually purchased Litecoin based on that news. Yeah, not people.
Thom Langford
Yeah, that's absolutely a possibility because they would just see a shift in purchase, in buying trends, wouldn't they? Yeah, the algorithm, and then join in or decide not whatever to do.
Graham Cluley
Well, some people took to Twitter to say that they'd invested in Litecoin upon hearing the news, only to then see the price tumble down again, leaving them out of pocket. So they're not very happy. And like you said earlier, this is a pump and dump scam. Where the share price has been artificially inflated through fake news. It's the kind of scam that John McAfee was accused of perpetrating, where he was sort of promoting cryptocurrencies and it was said he was doing it for his own financial gain. But the question is, who— is it possible to determine who was responsible for this one? I don't think it was John McAfee for obvious reasons.
Carole Theriault
Whoever put out the freaking press release, right?
Thom Langford
Yeah, but through the company, the—
Graham Cluley
Through Globe Newswire.
Thom Langford
Yeah.
Carole Theriault
If I leave my car door unlocked and someone steals it, is it my fault?
Graham Cluley
Yeah, but I don't think necessarily, Carole, it was the case that the bad guys broke into Walmart's app.
Carole Theriault
I didn't say that either. But it definitely wasn't— I'm saying it wasn't Walmart that put out the press release. Right? And it may be some insecurity on their side or on a supplier side somewhere they were able to inject that message in and get it to be read as though it was Walmart's. And everyone just gobbled it up because that's always the way it has been until now, right?
Graham Cluley
They say that they are improving their security. They said a fraudulent user account was used to issue an illegitimate press release, and they say this has never happened before, and they are adding some additional authentication.
I think it just may have been anyone just created an account at Globe Newswire.
Carole Theriault
Oh, really?
Thom Langford
Well, you know, I kind of think this might work, but just in case, I'm not going to bet the house on it.
Carole Theriault
The world's burning in front of us here. Okay.
Graham Cluley
So there's one clue that Joe Tidy picked up on, on the BBC News report about this incident, which is that a press contact email address, which was included in the press release, pointed to a web domain which had only been registered a few weeks ago.
Carole Theriault
Okay.
Graham Cluley
And emails to that address bounced as undeliverable. But that's something clearly which Globe Newswire could have checked to see whether, you know, any email addresses and things that—
Thom Langford
You have services that do that for you. Yeah. And whether or not they've got Cyrillic characters in them and all that sort of stuff. There's plenty of companies. I mean, there's about 3 or 4 main ones, but plenty of companies that will do that, you know, automatically.
Graham Cluley
Homoglyphs, you can look out for those as well.
Thom Langford
Yeah.
Graham Cluley
All those sort of things. Please, Carole, don't snigger at the word. And anyway, so Globe Newswire clearly to my mind didn't have enough security in place. They weren't properly verifying that people were who they claimed to be. But also the media sort of let the site down as well, I think.
Thom Langford
But you say that about Globe Newswire. Has it been confirmed that it actually came from inside their own domain, or was it a copycat domain with an email or something coming from—
Carole Theriault
Yeah, Graham?
Graham Cluley
It was posted on Globe Newswire's own website, so it really did appear on their website, and Globe Newswire have printed a sort of 'please disregard the previous press release,' as have the others as well.
Thom Langford
say they take security seriously?
Graham Cluley
We'll put links to the show notes where you can see everyone sort of panicking and saying, 'We didn't mean that.' Reuters published a retraction as well, so everyone's now saying, 'Look, this definitely was fake,' but of course people have been left out of pocket. And somebody, I suspect, might have made an awful lot of cash, or at least Litecoin, out of it. And posted it out under Walmart's name, which suggests they don't have enough checks in place to verify that people are associated with the company. Now, one conspiracy theory would have it that Litecoin itself might be behind this, right? And Charlie Lee, who is the founder of Litecoin and its head honcho, he went on TV.
Carole Theriault
Well, 36% increase. Yeah.
Graham Cluley
Carole, that is a lot.
Thom Langford
Yeah.
Carole Theriault
Yeah.
Thom Langford
That's £3.60 on £10, that is.
Graham Cluley
He was being quizzed about it. He admitted that they completely screwed up by doing the retweet, obviously, which didn't really help matters, did it? But he says one of the reasons he's confident that it wasn't them is he says he currently only owns about 20 Litecoin tokens.
Carole Theriault
Yeah, exactly.
Graham Cluley
Very good, Thom. I'm impressed.
Thom Langford
Or £7.20 on your 20 Litecoin.
Graham Cluley
Maths GCSE. So he said, well, I wouldn't be making much out of it now. And so he didn't have much incentive for the fake news to come out. Now, if the founder of a cryptocurrency only has 20 tokens himself, not much of a vote of confidence, is it? Not really.
Carole Theriault
Thom, save your brain. You got to do your story next.
Thom Langford
Oh my God. So just before I joined this lovely podcast, I was watching the Apple announcements of the Apple event, Absolutely. Of course I was. I was watching it while cooking dinner. My dinner, while slightly burnt, was very delicious.
Carole Theriault
But as a result of watching it, of course, we want to know what you ate now.
Thom Langford
you know, of its new products. We want to know. It was lovely. It was a chicken and plum hoisin noodle stir-fry. It was lovely. Very good. Anyway, that's not my topic, believe it or not. So I was watching that, but my topic is about Apple because today my work laptop was rudely rebooted for me, almost literally in front of my eyes, because Apple had rushed to block a zero-click iPhone spyware. And when you dig into this, you see that actually this is a story that has been running for a while, actually. Now, zero-click spyware is where you quite literally don't do anything apart from receive a file in an email or a message or iMessage or something like that. And the mere presence of that file, and I think in this case it was a malicious PDF, actually allows your iPhone or your device to be snooped upon. Now, interestingly, this vulnerability was discovered and exploited by a company called NSO Group, which has been described as hackers for hire or hackers to the highest bidder. So effectively, I guess they're mercenaries in the hacking community. They were employed, and I don't know by who, but they were employed to snoop on a specific person in a different country. And they used this particular vulnerability. And then the people who had paid NSO Group then exploited it further and started to spy on journalists and all that sort of thing. In fact, I think you may have covered this a few weeks back.
Graham Cluley
We have talked about the NSO Group before. Yeah, they do all kinds of nasty things.
Thom Langford
Dodgy stuff. Yeah, that's right. And literally to the highest bidder, which is normally some, you know, as you said, nasty, nasty government. And this is another one. So because there is no protection against this, or very little protection, I should say, Apple released patches very, very quickly. And as I say, they were pushed down to probably a lot of corporates today with very little announcement and time. And, you know, certainly not a Patch Tuesday, but a Patch Now job.
Carole Theriault
Patch right effing now.
Thom Langford
Yeah, that's right. I think what gets me is where is the legality of groups like NSO in this sphere? Because the industry relies on security researchers without a shadow of a doubt for bug bounties and actually finding the vulnerabilities in the first place. And one could argue that NSO Group is simply security researchers who are monetizing their research for the highest bidder. But the problem, of course, is that it actually creates problems for most people, for everybody else in the world as a result, because all of these vulnerabilities get weaponized, they get found and put into use in the real world. I mean, the reality is, of course, unless you're famous, a prince or a diplomat or someone in a senior government position, you're very unlikely to be targeted with this. But it's still out there in the wild. And so it just concerns me that organizations like the NSO Group exist and profiteer from this and are actually, to be blunt, making the world a worse place as a result.
Graham Cluley
Thom, what's your story for us this week?
Carole Theriault
You nerd.
Graham Cluley
Yeah, we were speaking, I think, a couple of months ago about NSO Group with the Pegasus spy software, which they've been using to target smartphones of journalists, activists, political leaders.
Thom Langford
Yeah, yeah.
Graham Cluley
I mean, they claim that they only deal with legitimate governments and sort of trusted intelligence agencies, but—
Thom Langford
But that was debunked very quickly, wasn't it?
Graham Cluley
It does seem that these tools fall into the wrong hands regardless, doesn't it?
Thom Langford
Yeah. Didn't I see a whole bunch of tweets about some hardware that this NSO Group sell only to legitimate governments, etc., that, oh look, look what I found in a field. Here's a piece of hardware. Oh, it's from the NSO Group. How did I get hold of this? Obviously just making fun of the fact that they were able to get hold of this thing and they're not a government or an agency or whatever.
Carole Theriault
No, and they help to breed the paranoia that people have already with devices, right? Like we're kind of now so intertwined, it's like our heroin technology, right? I don't know if anyone on the planet can imagine living without a mobile phone or a computer or whatever.
Thom Langford
You know, it's security research is very, very useful and it's almost like when you go far enough around the spectrum, a security researcher just suddenly becomes somebody who almost legitimately breaks the law for their own profit, regardless of what the impact it has.
Graham Cluley
So what do you want to see done, Thom?
Carole Theriault
Ooh, yeah, Master Thom.
Thom Langford
I would like to see some clarity. I'd like to start a global discourse on actually where is the NSO, because I'm seeing lots of stuff on Twitter, for instance, fuck NSO Group and all that sort of stuff. But are we being outraged? You want to see a global discourse. What are you suggesting? Well, hopefully not my WhatsApp because I don't think I'd cope. But you know, links in the show notes.
Graham Cluley
But what happens if they start sending PDF files to each other?
Thom Langford
Well, exactly. I mean, there we are. It's just we're damned if we do and damned if we don't. But no, I think actually understanding the legality of where they sit on this and actually is this ire that is being directed at NSO—is it valid? Are NSO actually doing something perfectly legal and perfectly valid for our security industry? Or are we just grabbing the torches and pitchforks to go after the nearest bad person?
Graham Cluley
Well, if they're not reporting these vulnerabilities to Apple directly, then I would argue that they're not really helping most of us, are they?
Thom Langford
No, exactly. I'm not sure that they are, but some might say it's still research. It's just that they use it first.
Graham Cluley
So in that— so in the meantime, everyone needs to patch just like you've patched today and your laptop's been rebooting and—
Thom Langford
Absolutely rebooting. And that's across macOS and iOS.
Carole Theriault
Everything with a little apple with a bite taken out of it.
Thom Langford
Yeah, exactly. Your TV, your watch, your little network device, everything, just in case.
Graham Cluley
Carole, what have you got for us this week?
Carole Theriault
Well, I'm going to cheer us up.
Graham Cluley
Finally.
Carole Theriault
So Theranos, not Theranos, but Theranos, okay?
Graham Cluley
Sorry?
Carole Theriault
It's not Theranos. Theranos. So, I'm going to talk about that today because it's fascinating. And I'm going to try and weave in some cybersecurity, okay? Try to find a few angles that will make it tie tangentially to the show, but it's just too fascinating to not do. And it's all about tech. So, apparently the name is made up of two words, a coinage, if you will. Can you guess what they might be?
Thom Langford
Something and -itis.
Graham Cluley
Thermos phalloscopiuritis? Is that what it is? Is that how they collect the blood? I don't know.
Thom Langford
I have no idea.
Carole Theriault
Therapy and diagnosis.
Graham Cluley
That is rubbish.
Carole Theriault
Rubbish! Isn't it rubbish?
Thom Langford
Therapeutic diagnosis.
Carole Theriault
Before it was changed to Theranos, it was called Real-Time Cures. And I think one of the reasons they may have changed their name is because there was a typo that went out once. And can you guess what it read? Real-Time Curses.
Graham Cluley
I know. Alas, that's a bit like Susan Boyle's album.
Thom Langford
Yeah, that was brilliant.
Carole Theriault
Theranos, people, not Susan Boyle. Theranos exists no more.
Graham Cluley
Theranos. The blood people, the blood testing bit.
Carole Theriault
And since August 31st, right, just a few weeks ago, the founder, Elizabeth Holmes, has found herself in federal court fighting off 12 fraud charges. And if found guilty, facing 20 years in the clink and possibly a $2.7 million fine. So, not, you know, big, big stakes here. We're gonna go through this story very quickly, okay?
Carole Theriault
I'm just gonna give the highlights of the Elizabeth Holmes story, 'cause I've been totally drinking it like Kool-Aid.
Graham Cluley
Give us the how, what, where, when, whatever.
Carole Theriault
So, she's a straight-A kid, strong work ethic. She claims that at age 9, she created very detailed drawings of atomic bombs, time machine. Now, you guys are both parents. You guys are both parents, right? Does that indicate genius to you? Is that a sign?
Graham Cluley
No, just means you've drawn a police box or something. Yeah, what do you mean, very detailed drawings of a time machine?
Thom Langford
I mean, yeah, exactly, exactly.
Carole Theriault
I told my husband this and he looked at me completely nonplussed and said he and his brother made a full-size TARDIS console out of cereal boxes at age 9 so she could fuck off anyway.
Thom Langford
But she was touted as the next Steve Jobs at one point, I think, wasn't she?
Graham Cluley
I know.
Carole Theriault
On the idea that it could run blood tests using their own tech that required only a finger prick. Finger pinprick and a small amount of blood, a few drops. And Elizabeth said the test would be able to detect medical conditions like cancer or, you know, high cholesterol or even miscarriages, pregnancy, heart problems.
Graham Cluley
And they can do all this just from a single drop of blood rather than have to take multiple samples, right?
Carole Theriault
Because people are terrified of needles. Needles are complicated. You have to put them away safely. People can get hurt, all the stuff. But the thing was, Elizabeth needed some big bucks to pull off this medical marvel. She had to get her act together. She had to make herself memorable. And her approach, Thom, she put on the black turtleneck à la Steve Jobs. That's also French.
Thom Langford
Great.
Graham Cluley
Is the black turtleneck, is that a euphemism for something? What does black turtleneck mean?
Thom Langford
She wasn't trying to pretend to be Sterling Archer.
Carole Theriault
Apparently, she loves Steve Jobs. She even decorated her office à la Steve Jobs. She never took holidays à la Steve Jobs, and reportedly lowered her voice from its natural timbre to having more gravitas.
Graham Cluley
Like Margaret Thatcher.
Carole Theriault
Did she do that?
Thom Langford
Yeah.
Carole Theriault
Yes. She's driven.
Graham Cluley
Do you like me more now?
Carole Theriault
Do you trust me?
Graham Cluley
Thom, could you just let Carole finish her story before you interrupt?
Carole Theriault
Whatever she did, investors lapped it up to the tune of hundreds and hundreds of millions and millions and millions. And once one gave, the others followed, millionaire lemmings, right? Literally, just the same as your story, Graham. She even learns Mandarin. And she decides she wants to go into medicine, but she discovers that she's terrified of needles, which later influences her wanting to start this company, Theranos, right? And actually to yours, Thom, too. It's all about people just going, "Oh, if they did it, it must be true. I'll just follow." And Theranos's raison d'être— that's French, Graham.
Graham Cluley
It's all kind of technical gobbledygook medical stuff, but it sounds really clever and they've put money in, so we better put money in as well, 'cause otherwise we're gonna miss out.
Carole Theriault
All right. So Graham, I want you to imagine I've got this bazillionaire amazing idea and I've just given you the pitch and you have got basically, you know, you've got to send me over it. You're just, I want—
Graham Cluley
You've dreamt up an idea, I'm gonna do a podcast about pickles. I'm thinking, that sounds amazing.
Thom Langford
I've got a pickle and it's regularly sticky.
Graham Cluley
Oh, that is going to make an awful lot of money. I'm thinking, okay, right, exactly, exactly right.
Carole Theriault
Now I would say to you, you never get to know how I make this amazing show. Right? So she never revealed how the technology worked to anyone. Plus, she'd have final say over anything and everything that had to do with the company. But she still wanted people to part with hundreds of millions of pounds. I don't know, man.
Thom Langford
It scares me to death that people say, "Okay, no problem." More fool them, to be honest with you, because I think it's a very compelling business case, but— You can't do a huge amount of analysis on a pinprick of blood.
Graham Cluley
Yeah, but it's been a breakthrough. That's why it's amazing, Thom.
Thom Langford
Then tell us about the— as investors, and I've seen Silicon Valley. I know how investors work in the Three Comma Club and all that sort of thing. If the fact that they were not insisting that, okay, we need some more information, we need evidence of what you are doing here is actually going to work. You know, or at least if it's not working, that you actually, you know, you've cracked three-quarters of the problem.
Carole Theriault
Yeah, and she went completely the other way. She's, you want to come visit the company? You need to sign an NDA before you're allowed in the building, and a security guard's going to follow you everywhere, even the loo.
Thom Langford
That's fine, as long as they give me the information. If I'm gonna, you know, drop, you know, a metric fuck ton of money onto something like this, I understand that there is security at play here. It's understandable. And I also need other independently qualified people who will also sign NDAs and have people watching them go for a poo, actually validate what it is you're saying.
Carole Theriault
I wish there were more people like you, Thom, because meanwhile, she was making big kick-ass deals, right? Capital Blue Cross, Cleveland Clinic signed to offer Theranos tests to all their patients. Walgreens made a deal to open Theranos testing centers in their stores. They also formed a secret partnership with Safeway worth $350 million. And she, during all this, becomes the youngest female billionaire. On paper, anyway. But rumors are starting at this point. So this big brain, right? This big testing thing called Edison, the secret machines that test the teeny blood samples, right? Is temperamental, not ready for real-life workhorsing.
Graham Cluley
Okay, they're still ironing out some of the bugs.
Carole Theriault
Results were not trustworthy, but you can just imagine it having worked in the corporations before, right? Clearly, you know, we're meeting our deadline, we are not shifting the deadline, we are going live on this day, fix it or else. But someone tipped off the Wall Street Journal and reporter John Carreyrou, very hard name to say, Carreyrou, started digging. And he published his investigation into Theranos' struggle with the technology. He found out not only were they not able to give accurate results, that Theranos was actually running its samples through its competitors' blood testing machines.
Carole Theriault
That's right. Yeah, I remember. Hang on. So they got drops of blood, which they said, oh, we'll test these in our amazing machine. And so you had all these, basically sweat labs, people going through and trying to get everything done in time because they had a turnover time that was faster than anybody else. A nightmare. And she's, you know, she's still spinning the wheels and bringing in the money and doing— and she's a press queen. The press adore her. She's just—
Graham Cluley
Well, she's got a black turtle neck.
Carole Theriault
She's got a very deep voice. They love that.
Graham Cluley
Yeah.
Thom Langford
Sorry, Graham, I didn't mean to interrupt.
Carole Theriault
Anyway, so this Wall Street Journal article comes out. Holmes does not take it lying down. She goes on CNBC's Mad Money. And she says, "This is what happens when you work to change things. And first they think you're crazy, and then they fight you, and then all of a sudden you change the world." So she'd be fun at a dinner party.
Thom Langford
She wouldn't have time for such frivolities.
Carole Theriault
Yeah, exactly. She claims she only sleeps 4 hours a night.
Thom Langford
Does she get up an hour before she goes to bed?
Carole Theriault
Exactly. But things are heating up, right? Because of the rumors, the FDA have now been investigating, the Wall Street Journal's written their article, regulators from all kinds of government bodies that oversee laboratories are finding major inaccuracies in the testing at Theranos. And this is all over Walgreens and stuff.
Thom Langford
I've got two words to say to this: due diligence.
Carole Theriault
People were being told they had cancer when they didn't, right? People were told that they were miscarrying when they weren't, people were told they were pregnant when they weren't.
Graham Cluley
Right?
Carole Theriault
Just crazy stuff. Basically, in 2018, a federal grand jury charges Holmes, and this is where she is now. She's now newly married because of the pandemic, everything got delayed. She's newly married, she has a 1-month-old baby, and she's facing 12 fraud charges, and if guilty, faces 20 years in the clink.
Graham Cluley
So, is the argument whether she was deliberately doing this, or is her defense team gonna say that she was just incompetent?
Carole Theriault
Well, that's very fascinating. I think the argument's gonna be in so far as, "Well, I had a co-starter with me" who was 20 years older than me and I was kind of in love with, and he was very strong-minded and he ran everything. So I promised a little infosecurity here, right? So when the subpoena request went to Theranos saying, "Hey, can you give us the whole lab database data?" Because she always said, "It's in the data," right? "The data speaks for itself. You need to see the data. You need to see all the data in order to make an opinion." So they're like, "Okay, it's the data."
Graham Cluley
It's the data.
Carole Theriault
It's the data.
Thom Langford
It's the data.
Carole Theriault
Give us the data.
Graham Cluley
Exactly.
Thom Langford
Yeah, like that pillow guy and his proof of election fraud is all in the data.
Carole Theriault
Right. So a subpoena is sent to them, "Give us your fricking data from your lab so we can just see how crazy all this is." And 2 and a half months later, they do exactly that. They send over an encrypted database with a password. Great, right? Except the database required not one, but two distinct passwords to access the encrypted data, and only one was sent. So, by the time the guys realize this, they call Theranos and go, "Hey," but Theranos is now defunct, it's now been dismantled. They're like, "Hey, well, we took it all apart, we dismantled the database, and we ate the passwords, and so, how dare you? Because that would have totally vindicated us, right?"
Thom Langford
"All the data that you've now lost, feds." So, yeah, there's a case there for, well, one, for timely investigation of the evidence that he sent to you. But two, also, you know, the criminal use of, "Oh, sorry, I forgot." Have you heard the podcast all about this, Carole?
Graham Cluley
I listened to it. I think it's called The Dropout.
Carole Theriault
Yeah, there's The Dropout, there's also Bad Blood, right? That was the book written by the Wall Street Journal guy, and he's now just releasing a live one, which I've been following as the court case is unfolding slowly.
Graham Cluley
So is he live tweeting?
Carole Theriault
No, he's not live tweeting. He's just giving his kind of views as it's coming closer because he's discovered more things since he's written his book. So there's lots of information, it's just fascinating. And why are we fascinated? Because it's a female leader, is that why?
Graham Cluley
With a very deep voice.
Thom Langford
With a very deep voice.
Graham Cluley
Around 80% of business data breaches result from weak or reused passwords. Using 1Password in your company can close the gaps in your security, combat shadow IT, and help your workers stay both productive and secure wherever they are. With the right tools and the right mindset, you can create a culture with 1Password where your employees feel empowered to share responsibility for security risk management. Everyone needs to be on board, working together to stay protected. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for sponsoring the show.
Carole Theriault
Listeners, it is time to get serious about preventing and detecting credential abuse, privilege escalation, and entitlement exposures. My friends over at Attivo Networks have tackled this challenge, and I want to share how it works. The Attivo Identity Visibility Bundle finds exposed admin credentials from the endpoint, conducts over 200 continuous checks on Active Directory, and identifies risky entitlement and over-provisioning in cloud environments. The Attivo Identity Detection Bundle cloaks production credentials and AD objects to hide and deny access and deceives tools like Bloodhound, steering the attacker into decoys for threat intelligence gathering. If you want to learn more and kick credential attacks to the curb, go to attivonetworks.com. That's attivonetworks.com. And thanks to Attivo Networks for sponsoring the show.
Graham Cluley
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Thom Langford
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my Pick of the Week this week is not security-related. My Pick of the Week is something which I have been watching on streaming services. Specifically, I've been watching it on BritBox, but I imagine you can also rent and buy it on other streaming services. It is The Trip with Steve Coogan and Rob Brydon, where they travel across the country, initially the UK, then other European countries, eating food in nice restaurants. It's like a road movie.
Carole Theriault
Didn't this come out 2003 or something?
Graham Cluley
It came out some time ago, but they keep on doing new series of them. So they've gone to—
Carole Theriault
Oh really? I didn't even know that.
Graham Cluley
Yeah, they did it in the UK. I think they've done it in Italy. Maybe they've done it in Greece as well. And possibly other places. And it's most amusing. They're sort of playing versions of themselves. And a large part of it is them sort of bantering and doing rival impressions of Michael Caine.
Carole Theriault
Can I tell you, Graham?
Graham Cluley
Can I?
Thom Langford
Really? What's wrong with Rob Brydon?
Carole Theriault
I just find him— I agree that intellectually he's funny. You don't know this about me,
Thom Langford
Is he a bit too Welsh for you?
Carole Theriault
No.
Graham Cluley
Is he a bit too intellectual for you? I love—
Carole Theriault
for real. I can't stand Rob Brydon.
Thom Langford
Racist.
Carole Theriault
Am I?
Graham Cluley
You are racist. You're just anti-Welsh.
Thom Langford
Whoa.
Graham Cluley
We've got a lot of listeners in Wales, you know. Can I say for the record, I really think Rob Brydon is funny.
Carole Theriault
You don't like Piers Morgan. What does that say about you?
Graham Cluley
I think Rob Brydon is most entertaining and he does amazing impressions.
Thom Langford
Questions.
Graham Cluley
Must be of Ronnie Corbett.
Thom Langford
Yes, he does. Yeah, certainly. My God, it's like he's in the room.
Carole Theriault
So again, I really don't like him. He does that TV show, he does a series.
Graham Cluley
Would I Lie to You?
Thom Langford
Yes, that's brilliant.
Carole Theriault
I love The Panel. I don't— I just—
Graham Cluley
Bob Mortimer is amazing.
Carole Theriault
Yes, I agree.
Graham Cluley
And Rob Brydon holds it all together. He's very, very funny. Well, Carole, you know, maybe this isn't a pick of the week for you. But I like The Trip and I recommend it and go and check it out. My pick of the week.
Carole Theriault
Stay away, guys.
Graham Cluley
Thom, what's your pick of the week? And please don't suck the joy. Well, I won't suck the joy out of your pick of the week, unlike Carole.
Thom Langford
Well, my pick of the week, I think, is a good one. It's a serious one. Not security per se, but a small element of security in there. But it is an app you can download for your phone called TraffickCam. I downloaded this about a month ago when I realised that my travel schedule was about to start up again after 18 months.
Carole Theriault
Getting the old scooter out.
Thom Langford
Exactly. So, last week I was in Amsterdam and we stayed in a couple of different hotels. Now, what this app does is it prompts you to take photos of your hotel room, and you select an icon at the bottom of, say, the bed or the sink or the toilet or a desk or something, and you take a picture of it and you create this selection, and then you upload them to this TraffickCam app. Now, the purpose of this is to try and curtail, as well as try and ascertain the location of, the sexual trafficking and molesting of children, because much of it is done on the move in hotels, etc. You know, so all the details are in the background and various agencies, Interpol, Europol, etc., they try and— when they come across this material, they try and work out when and where, etc., it happens so they can try and ascertain who the victim is, who the perpetrator is, and all that sort of thing. It starts to build a big picture. So the idea of TraffickCam has been out for about four years apparently. I've only just come across it. It is that by crowdsourcing this, you know, it checks your location and says, okay, I'm in Hilton Amsterdam, which room are you in? Room whatever. And here's a picture of the bed in that room. Here's a picture of the light stand. Here's a picture of the sofa. Here's a picture of the sink, the toilet, the bath, etc. All that gets loaded up and can then be used by the analysts to, you know, pull together and hopefully give them more data in order to capture the perpetrators. You know, it may well warrant you doing your own research on this. There may be other apps out there.
Carole Theriault
You know what's annoying though is it says cuss alternatives, but it doesn't tell you— each cuss word has an alternative. A distinct requirement, right?
Thom Langford
And if there are, I'd love to hear about them. But this, from what I can make out from my own research, is completely legitimate, is providing information.
Carole Theriault
You say certain ones for certain things. And I kind of would like some guidance on when to use this, right?
Thom Langford
It's part of a larger organization. I'm trying to remember what the name is.
Carole Theriault
Because I can imagine saying shiitake mushroom in an entirely wrong context.
Thom Langford
I can't remember off the top of my head. It's E-I, I think.
Graham Cluley
Because in an image of some child sexual abuse, for instance, there may be something in the background like a light fitting which could potentially identify the location and then may even lead to the identification of the perpetrators or the victim.
Thom Langford
Yes, maybe even the location or even the time, because it may have been that those light fittings were replaced this year and were there last year. And so therefore you can sort of try and ascertain a rough period of time, etc., perhaps even, you know, look through videotapes. The kind of volume of data this can generate could be very, very useful.
Carole Theriault
Yeah, I think I would have to rely though on corporate trips to do that because I can't imagine going on my honeymoon or an anniversary and going, just hold on, honey, I'll bring you over the threshold in a minute. I just want to—
Thom Langford
Absolutely.
Carole Theriault
Yeah.
Graham Cluley
The Exchange Initiative. I'm on the website.
Thom Langford
Exchange Initiative. There you go.
Graham Cluley
Yeah, I'm on the website at the moment. And it's also been in coordination with George Washington University and Temple University.
Thom Langford
There's probably plenty of others out there, but this is the one I came across. But if there are others, let me know.
Graham Cluley
And that's TraffickCam. Traffick is with a C-K, and then Cam as in camera, right?
Thom Langford
That's right.
Graham Cluley
Well, that's very interesting.
Thom Langford
Yeah, not very funny, I'm afraid, but yeah, fascinating.
Graham Cluley
Well, we're used to that from you, Thom, to be honest. Carole, what's your pick of the week?
Carole Theriault
It's not a podcast this week, but a webpage. Okay, so it's in the show notes. You can go click on it. And this is a webpage with cuss alternatives. My niece suggested that maybe I had a propensity to be a little bit sweary.
Graham Cluley
Oh, so these are alternatives to swear words.
Carole Theriault
Yeah, so she was trying to give me some alternatives and I thought, oh, I'm sure someone's put together a website with alternatives that I can try and learn. So this page came up and I wanted to show it to you guys and ask what the heck some of these meant.
Thom Langford
Gee willikers, Carole, what is this?
Graham Cluley
Yuck you, Carole.
Carole Theriault
There's one says go lick a duck.
Graham Cluley
Oh, friend of the show.
Thom Langford
Well, poo on a stick is all I can say to that. And what about Caesar's goat? No, that's a euphemism.
Carole Theriault
There's one that says jerk water, which—
Thom Langford
I know. Or you're just behaving like a fart knocker, which as far as I'm concerned is a poo, surely.
Graham Cluley
Hang on, there's one here which just says Barbara Streisand. That seems rather unfair. Thom, stop being such a hobnocker, will you?
Thom Langford
What, have I got my camera on?
Carole Theriault
Anyway, that's my pick of the week, trying to learn how to cuss less with weird alternatives. This is not a great one, so if anyone has a better one, I'm all ears.
Graham Cluley
Because you need them, Carole, because basically, I mean, you have got a potty mouth, haven't you?
Carole Theriault
Yes, I just swear a bit, especially, you know, swear a bit.
Thom Langford
Fudgeberries, that's an understatement.
Carole Theriault
Good night. That's one too, apparently. Good night.
Graham Cluley
So, suffering succotash, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
Thom Langford
Oh, Twitter @ThomLangford. That's Thom with an H because Twitter would let me have the H. And on my website, ThomLangford.com.
Graham Cluley
Fabulous. And you can also follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G. Huge, huge thank you to this week's episode sponsors, Attivo Networks and 1Password, and to our wonderful Patreon community. It's thanks to all of these people that this show is free.
Graham Cluley
Until next time, cheerio. Bye-bye.
Thom Langford
Stay secure, friends.
Carole Theriault
Whoa, deep tone.
Thom Langford
Stay secure, my friends.
Graham Cluley
Stopping recording.
EPISODE DESCRIPTION:
A Walmart press release says it's jumping aboard the cryptocurrency bus - but is it true? Theranos's Elizabeth Holmes goes on trial, and have you updated your Apple gadgets to protect against the latest NSO Group spyware attack?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.