This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Dave Bittner
This incident alone may cost Missouri taxpayers as much as $50 million. I'll do it for half that much.
Carole Theriault
Which buddies did you call, Mr. Governor Parsons, to look into this? They quoted that number.
Unknown
Smashing Security, episode 248, Press F12 to Hack with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 248. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And Carole, who have we got with us this week as our special guest?
Carole Theriault
An old favorite.
Dave Bittner
I'm not that old.
Carole Theriault
Dave Bittner from the CyberWire. Who's older between the two of you?
Dave Bittner
Ooh, that's a good question.
Graham Cluley
I was born
Dave Bittner
I was born in the summer of '69.
Graham Cluley
Oh, so close.
Carole Theriault
So we all know who the grandpa is. Grandpa is around here.
Dave Bittner
Yes, the advantage is yours.
Graham Cluley
before the summer of '69.
Carole Theriault
You'll be in diapers before me.
Dave Bittner
That's right, that's right. Maybe we can find a nice retirement home for both of us and we can take turns wiping each other's mouths as we drool on our food.
Graham Cluley
We'll be Jack Lemmon and Walter Matthau. Yes, yes, exactly.
Carole Theriault
I'll make sure to visit often.
Dave Bittner
That's good.
Carole Theriault
Let's thank this week's sponsor, 1Password. Its support helps us give you this show for free.
Graham Cluley
Now coming up on today's show... Well, I could be pressing Ctrl+U, or I could be hitting the F12 key.
Carole Theriault
Sounds geeky. Dave, what about you?
Dave Bittner
I'm gonna have a story about how your Ring camera might be costing you a lot more money than you had planned for.
Carole Theriault
And I am looking at the explosion of facial recognition. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, gentlemen and ladies, I bring you grave news from the plains of Missouri, where a website run by the Department of Education was reportedly hacked last week, and 100,000 Social Security numbers of school teachers, administrators, employees may have been exposed. Pretty bad stuff, I think you'll agree.
Carole Theriault
They're probably all going, yeah, yeah, yeah, we were part of the Equifax hit ages ago. Who cares?
Dave Bittner
A sophisticated actor, no doubt.
Graham Cluley
Yes, yes. Well, isn't it always? You know, despite taking security seriously, a highly sophisticated attacker can get in. No less a person than Mike Parson. Do you know who he is? He is the governor of Missouri.
Carole Theriault
Oh yeah, of course. No, I wouldn't know that.
Graham Cluley
He's big in Missouri, let me tell you. And he held a press conference on Thursday where he stood tall and proud. He adopted a very serious stance, quite a wide stance, and he denounced the actions of the hacker who, it was claimed, had used a multi-step process, who had decoded the HTML source code and then viewed the Social Security numbers of education workers. Now, you're probably wondering just how sophisticated was this attack? Who could have been responsible for this serious hack? The hacker in question is said to be an individual called Josh Renaud. Isn't Renaud French for fox? Is that right?
Carole Theriault
No, Renaud. Renaud.
Graham Cluley
Close enough. Close enough, I think you'll agree.
Dave Bittner
I think the French would have an opinion on that.
Carole Theriault
He's trying everything to goad me, I can tell. He's in goad mode.
Graham Cluley
Anyway, look, it's R-E-N-A-U-D. Is that fox?
Carole Theriault
No.
Graham Cluley
Right. Anyway, regardless, the wily hacker snaked his way in, and Governor Parson was not a happy man. You can watch the video of his press conference where he says, "The state does not take this matter lightly. This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians." That's a great word, isn't it?
Carole Theriault
Missourians. Missourians.
Graham Cluley
Sounds nice, from Star Trek.
Carole Theriault
I think it sounds great.
Graham Cluley
So what the heck is going on, you're thinking? What on earth could be up? Well, the day before the press conference, the St. Louis Post-Dispatch, which is a newspaper out there, they reported that they'd found a teeny weeny, tinsy winsy little flaw in the Department of Elementary and Secondary Education website, which had left the Social Security numbers of employees and teachers exposed. So it's just a tiny little flaw.
Carole Theriault
This is after the hacker has done its bit. Is that right?
Graham Cluley
So to recap, this security breach had happened on the Missouri education website, which had exposed Social Security numbers. The newspaper, the St. Louis Post-Dispatch, had reported on it and the flaw which they had found. And then there followed the press conference from Governor Mike Parson. Now, you're probably imagining that this was some kind of security hole which the hacker had been able to get through, you know, really sophisticated, highly sophisticated attacker using nation-state hacking techniques, quantum computing, computers, all kinds of really, really sort of expert stuff in order to get in.
Carole Theriault
Yeah, you said it was a multi-step process, so.
Graham Cluley
Yeah, yeah, yeah, exactly. In fact, in fact, all the hacker, in quotes, did was go to the webpage and click view source on a publicly accessible webpage.
Carole Theriault
Brilliant.
Graham Cluley
Now, if clicking view source is a little bit too techie for you, you can just press the F12 button in a browser. Or Command+U, and that will do it as well. The choice is yours. And when the reporter at the St. Louis Post-Dispatch did this, because this guy, Josh Renaud, the guy who has been named the hacker, was in fact a reporter at the newspaper. He had found this, he'd gone to the webpage, he'd begun to use it, hit View Source, and he'd seen other people's Social Security numbers. When he found that security hole that could be exploited with just one click, what did he do? He told the state government about it responsibly. He responsibly reported it to them.
Carole Theriault
Reported to Mr. Parson, presumably.
Graham Cluley
Right. Well, I don't—
Carole Theriault
Got wind of it pretty soon.
Graham Cluley
Well, yes. I don't think they rang him up. If they did, maybe that explains everything.
Dave Bittner
I'd be willing to bet he wasn't the first person they called, as will be clear as you continue to tell the tale.
Graham Cluley
And so the newspaper actually held off reporting about the goof until after the problem had been fixed. So that's quite responsible of them, right? They didn't expose anyone's Social Security number. They found a problem on the website. They told the department about the problem. They waited until the department fixed it, and then they published about it.
Carole Theriault
Yeah, responsible disclosure. Perfect.
Graham Cluley
Right. Well, someone who isn't happy is Governor Mike Parson, who vilified the reporter as a hacker at his press conference and said that they were going to be reported to prosecutors. And when you watch a video, I'll link to the video in the show notes as well. When you watch the video of the press conference, it is truly breathtaking.
Dave Bittner
But let me be clear, this administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.
Graham Cluley
It is unlawful to access encoded data and systems in order to examine other people's personal information.
Dave Bittner
And we are coordinating state resources to respond and utilize all legal methods available.
Graham Cluley
He considers it a completely criminal act that this person came in and clicked on view source. He says the state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so. He says that the St. Louis Post-Dispatch was attempting to embarrass the state and sell headlines for their news outlet. And then he says how much it's going to cost the taxpayer to get to the bottom of all of this.
Dave Bittner
This incident alone may cost Missouri taxpayers as much as $50 million. I'll do it for half that much.
Carole Theriault
Which buddies, which buddies did you call, Mr. Governor Parsons, to look into this? They quoted that number. So did anyone say to him, could you just define hacker?
Graham Cluley
Well, no, he defines hacker.
Dave Bittner
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.
Graham Cluley
He says, we will not rest until we understand the intentions of the individual and why they targeted teachers. It's, well, the intention was clearly to tell the state there was a problem with their website and to get it fixed.
Carole Theriault
Yeah, this is almost the true definition of misinformation, isn't it? It's you find a flaw, you do everything that you're supposed to do. This is not, this is 2021, people, right? And this happens and it sets us back. You know, I can just imagine people our other papers writing about this, his speech at the press conference saying, we're a little worried.
Graham Cluley
Oh yeah, the tech press certainly have been having a good old laugh about this. And if you go on to Twitter, you will find thousands of tweets of people replying to the governor going, I'm not so sure about this.
Dave Bittner
And the governor has doubled down too, even after getting all of this feedback from people who actually know what they're talking about. He is not backing off.
Graham Cluley
Well, I think this is a war, isn't it, basically on a newspaper which he sees as not being supportive of his administration. And so it's all part of this thing which is going on all around the world where we're all sort of split down the middle and it doesn't matter about the truth or facts. It more matters as to were you having a go at me or not? Were you making me look incompetent or stupid?
Dave Bittner
I'm curious, a little side issue here, Graham, but you sort of brought this up, and one of the things I saw on Twitter was people getting all bent out of shape over the use of the word hacker and what exactly it means. I'm curious for the two of you how you define a hacker and what it is and is not, and also what you think about— there are people who are really, in my view, a bit pedantic about its use.
Graham Cluley
Yeah, I'm quite pedantic about hacker as well. I think hacker is anybody who wears a baseball cap sideways and has baggy trousers. I think that is the definition.
Carole Theriault
I agree.
Graham Cluley
You agree with that, Carole?
Carole Theriault
100%.
Graham Cluley
Yeah.
Dave Bittner
All right. Well, moving on then.
Carole Theriault
Well, what do you think it means?
Dave Bittner
Well, I think one of the problems with the word is that it has contradictory meanings depending on the context. Its broadest use is sort of someone who is not good at something. A hacker is someone who's not good at playing golf, right? He's a hacker.
Graham Cluley
Oh, I see. Oh, right. Yes.
Dave Bittner
Right. But in computing, it means someone who is skilled, but it also has the definition of someone who is attempting access to systems, attempting to circumvent protections against systems, not always, but sometimes for bad purposes.
Graham Cluley
And that's what gets some people's knickers in a twist, isn't it? Because I quite often get feedback from people saying, "Would you not describe them as a hacker, please? Can you call them a cracker instead?" It just drives me up the wall.
Carole Theriault
I like the word, actually. I don't know, I feel for people that do it for a legitimate job, and they don't want to be — you know, they don't want the term to be always used to mean bad agents or bad actors. I like the term bad actor.
Graham Cluley
Oh, do you?
Carole Theriault
Yeah.
Graham Cluley
It just makes me think of Nicolas Cage.
Dave Bittner
But I wonder if it's kind of like the word theory, which is that the word theory means something different to scientists than it does to people in the general public, right? People in the general public, they'll say, oh, that's an interesting theory, but to a scientist, a theory actually is a much higher level of scrutiny.
Carole Theriault
Well, that's not flattering yourself.
Dave Bittner
And so I wonder if it's the same thing with hacker. To professionals, it means one thing, but to the general public, it has different connotations. And because of that, I think it's silly that people get all bent out of shape when it is a word with such often contradictory terms depending on its context. I think people just need to kind of let it go.
Graham Cluley
Yeah. And I think quite often the people who work in cybersecurity find it hard to let things like this go, don't they? You think?
Dave Bittner
You think, Graham? Is that something that cybersecurity professionals tend towards is not being able to let things go? I haven't seen that on Twitter at all.
Graham Cluley
Dave, what have you got for us this week?
Dave Bittner
Well, my story comes — it's been reported many places over in your neck of the woods. This particular story I'm linking to is from the Daily Mail.
Graham Cluley
Oh, was it not in any newspapers as well?
Dave Bittner
I thought I was walking into that one. I was actually going to say, before we continue, can you give us a little assessment of the reputation of the Daily Mail.
Carole Theriault
Yeah.
Dave Bittner
This has been covered in the BBC and other places, but the reason I'm using the Daily Mail is because their coverage of it has the most photographs, which is perfect for a podcast.
Graham Cluley
Yes.
Carole Theriault
Dave's going to be describing the pictures from an article. Okay, great.
Dave Bittner
Well, all right. So the other reason this caught my eye is that I believe this is in your neck of the woods. This is in Oxfordshire. That's where you all are?
Graham Cluley
No, we actually live in Oxfordshire. So that's the kind of —
Carole Theriault
Well, I say Oxfordshire.
Graham Cluley
Do you?
Dave Bittner
Yeah.
Graham Cluley
Anyway, it's happening in Thame, isn't it? Well, that's not very far from Oxford. Yeah, that's quite close to us.
Dave Bittner
All right. So this story is about a woman who may be in for £100,000 being paid by her neighbor after a judge ruled that the neighbor's Ring Smart doorbells were a privacy violation according to GDPR. And this gentleman installed 4 Ring doorbells all over his property. He claims that 2 of them were just dummy doorbells, but the judge didn't go for that. And so it seems like these 2 neighbors got in a bit of a disagreement. She was upset that his Ring doorbells, which of course record video and audio and can send them to your smart device or wherever — she was upset that his smart devices could see into her property.
Carole Theriault
Yeah.
Dave Bittner
See her back garden, her front walk, all that sort of stuff. He pushed back, and according to this article, fairly aggressively, and so she took it to court, and the judge has found in her favor, and because this is a GDPR violation, he could... Next month in November, there's going to be a ruling as to whether he may have to pay £100,000 for violating her privacy.
Carole Theriault
Should we do a wager right now on that?
Graham Cluley
Well, this isn't America, so I'm sure it won't be £100,000. It'll probably be about £32.50.
Carole Theriault
I think it's going to be take down your ring, right? Or rearrange your rings so they don't—
Graham Cluley
We're a little bit more sensible here normally.
Carole Theriault
But I mean, why doesn't he just buy a fence?
Dave Bittner
Well, so that's what I, some of the things I want to dig in on this story is if you install something like this in your house, and if you, the two of you look at some of the pictures here, these are, actually these aren't next door neighbors. There is a house in between their two homes, and these are attached houses. So here in the States, we would refer to them as duplexes. I'm not sure what you call them over there.
Graham Cluley
Semi-detached, we call these.
Carole Theriault
Semi-detached, yeah.
Dave Bittner
There you go, yep, yep, yep. Yeah, so there's actually a house in between their two homes, but close enough that you can certainly understand that one could see into the other house, but evidently one of the things that the judge took issue with was the fact that the Ring doorbells record audio, and that they can record audio from quite some distance, and so the judge thought this was a violation of this woman's privacy because the Ring doorbell a couple doors down could hear conversations that she was having on her front porch, for example. Do you think that's reasonable?
Graham Cluley
Well, I don't really like the idea of Ring doorbells taking video and recording audio. I do think they do snoop on people and, you know, they do infringe privacy. But why these people couldn't just have come to some sort of settlement between themselves rather than going to court just seems crazy to me. It seems rather bonkers.
Carole Theriault
Well, there are some neighbours out there when you might go over, they might just go, why don't you fuck off, right? And then what do you do then?
Graham Cluley
Well, I was about to say, I don't know where you live, Carole, but—
Carole Theriault
No, my neighbours are all lovely.
Graham Cluley
So what do you think, Carole? How would you feel if your neighbours installed one of these camera recording things?
Carole Theriault
I don't like it. I do have someone who lives down the road, so almost neighbour, and they have a sign on their front window saying, "Smile, you're on Candid Camera," or something, or, you know, "We have CCTV in operation," or something. And it's sticking— he has a camera facing the road. So the road is public property. I don't know if my neighbors near him are under that surveillance, but I wouldn't like it next door to me.
Dave Bittner
Yeah. A couple of my neighbors have Ring cameras, and I live in a townhome community, which is rows of houses that are connected. And so the way that the parking works in my community, if I park my car and then go to my house, I have to pass by several of these cameras on my way to and from. And that's given me pause from time to time to think, well, you know, my comings and goings are being recorded. I'm not sure how I feel about that. But in this case, it's interesting because it is a private community. It's not technically a public street, but it is a shared space.
Trevor Burrus
Dave, the way you talk about this community that you live on, it sounds— is this sort of sheltered accommodation for the elderly? It sounds like, is this where podcast hosts go in their sunset years?
Carole Theriault
It's utopia.
Dave Bittner
Yes, that's exactly what it is. It's a gated community, Graham, and it is only made up of retired—
Graham Cluley
How do I get in?
Carole Theriault
You need a Zimmer frame.
Graham Cluley
Right, right.
Dave Bittner
Start working on that green card, Graham. I know some people, maybe I can get you in. It's really wonderful. Yep, they cut up all your food for you. It's just— no, it's wonderful. It's a great place, great place to be. I wonder with this, you know, is this a matter of neighbors getting together? If I was installing something like this and if a neighbor came to me and said, "Hey, what's that camera there?" And I would say, "Well, let's work here, let me show you the interface, let's work together to make sure that this is masked off in such a way that you're comfortable with it." But that didn't happen here.
Graham Cluley
No, Dave, you've got the wrong idea. What you want to do is this, right? You want to team up with your neighbor and say, "I'm putting this camera here, all right? I want you to take me to court, right?"
Dave Bittner
Haven't really thought this all the way through, have you, Graham?
Graham Cluley
Yeah.
Carole Theriault
So why don't you just give me $50,000?
Graham Cluley
Yeah.
Dave Bittner
No, here's what you do, Graham. You anonymously send a camera to the third neighbor that neither of you like.
Graham Cluley
Right.
Dave Bittner
Right.
Graham Cluley
Now you've got it. That's the way to do it. Right.
Carole Theriault
Yes.
Graham Cluley
Yeah. Carole, what have you got for us this week?
Carole Theriault
Well, there's been a bit of an explosion of facial recognition software being used for all manner of things. And the pandemic is being cited as one of the main reasons for this intensity of facial recognition buy-in. But at what cost to the rest of us?
Graham Cluley
Well, I think the cost is that we're gonna have to take our masks off for the facial recognition to work, which is gonna be a bit of a nuisance, isn't it?
Carole Theriault
Well, I am going to waltz you guys through a few facial recognition trials and adoptions that are going on around the world just to get your thoughts on them, okay? And as D-dog is here, Dave Bittner, let's start in the US. So federal agencies have turned to facial recognition as a contactless, automated way of verifying the identity of people applying for unemployment or other public benefits. I was going to ask you, is there anywhere in your life where you have facial recognition as part of that you have to go through, maybe at a bank or—
Dave Bittner
No, just my iPhone. I use Face ID on my iPhone. That's it.
Graham Cluley
Yeah, I don't have facial ID on my iPhone or anything. I'm thinking it would happen at an airport.
Carole Theriault
Yep, totally.
Graham Cluley
But of course, I haven't been going through very many airports recently.
Dave Bittner
Yeah.
Carole Theriault
According to MIT Technology Review, 27 states are working with ID.me. This is a company that offers face recognition technology. And the driver here is to stop fraud.
Dave Bittner
Yeah.
Carole Theriault
US Department of Labor is providing millions in funding to states to implement fraud prevention measures, which has pumped more money into facial recognition. So in recent months, there have been reports across the country of incidents where unemployment systems are failing to recognize applicants' face scans, and individuals can find themselves in precarious financial situations because this is all having to do with unemployment. So imagine your company tanks, you lose your job, you've got kids to feed and a house, and you do your recon and you realize that your situation qualifies you to get unemployment. And if the system doesn't recognize you through its facial recognition software, you can find yourself shut out from the benefits.
Dave Bittner
Mm-hmm.
Carole Theriault
One of the issues here is it concerns about 5 to 10% of the population who seem to get somehow shafted by facial recognition. You know, maybe they've had plastic surgery or they've had an accident change their facial features or they're transitioning or they have facial hair, whatever.
Graham Cluley
If I was unemployed, I might want to change my face want to take up a hobby to fill the time, like growing a moustache or a beard.
Carole Theriault
Right. That'll take you a while. You're not going to be getting a job in the next 10 years, I think.
Graham Cluley
It would take me quite a long time. Yeah, it would be counterproductive, wouldn't it? I wouldn't be able to get my dole money.
Carole Theriault
But there's no recourse for these people. So that's what the big complaint is. It's like, okay, it locked me out, I totally need this and I can't get a way around the system. Like the system, the algorithm is running the show.
Dave Bittner
But also, facial recognition is notoriously bad at dealing with people of color.
Carole Theriault
Yep.
Dave Bittner
Time and time again, we see the studies say this, and that's—
Carole Theriault
Anyone who's not white, really.
Dave Bittner
Right.
Carole Theriault
Yeah.
Dave Bittner
Right, exactly. Because most of the big training sets are white people.
Carole Theriault
And we move now to the UK, where there's 9 schools in Scotland that have begun taking payments for school lunches by scanning the faces of their pupils. Okay, this is according to an article in the Financial Times, and more schools are expected to follow. Now, the idea behind it again is, you know, it's to save money, right, and cut costs, because the idea is that it will speed up lunchtime sales by scanning the faces of pupils at the tills. But why is this better than having a contact card?
Graham Cluley
Yes.
Carole Theriault
So they're also saying in this time of COVID we don't want to touch anything. Okay, I get all that. And they're using that to try and get this into lots of places. But what's wrong with a contact card?
Graham Cluley
Oh, you know what it is, Carole? You need to take yourself back to the playground. Especially imagine a Scottish playground where the kids are tough and red-haired.
Carole Theriault
Well, they go, "Give me your food card!" Well, exactly.
Graham Cluley
People would be bullied. Mind you, school dinners, normally you don't want more of the food, do you? But maybe in Scotland you want a fried Mars bar or something, and so you might go back for seconds with someone else's card. It is possible, it's possible.
Carole Theriault
A lot of them schools apparently were using fingerprint recognition. Maybe that's the reason to stop the bullies.
Graham Cluley
But then the pupils start cutting each other's fingers off, you know.
Dave Bittner
And when I was back in school, the lunch ladies— and back in the day, it was all lunch ladies, the female canteen workers, right? Exactly. Female lunch ladies. They knew all the kids. And so now I will just get on my soapbox briefly and just say that I believe school lunches should be free anyway. Just make it available for everybody. It's harder for kids to learn when they're hungry. So why make them pay for lunch at all? Just give them the food and be done with it. All right, getting off my soapbox.
Carole Theriault
Yeah, I high-five that as you come down. So David Swanson, so the managing director of CBR Cunninghams, these are the people that installed the software, said this was the fastest way of recognizing someone at the till. Okay, so listen to this. In a secondary school, he says, you have around about a 25-minute period to serve potentially 1,000 pupils. Fuck off. Are you telling me, are you telling me that schools with 1,000 students all have the same lunch break of 25 minutes?
Dave Bittner
No.
Carole Theriault
Like, show me a canteen that's handled that ever in their lives. It's a ridiculous statement. We need fast throughput at the point of sale. This is what he told the Financial Times. Now apparently it sped up the lunch queue significantly, cutting the time spent on each transaction to 5 seconds. Can you imagine? So you're sitting there and you see, you know, the lunch person, you're like, hi, and like, no time for that, go, go, go, go!
Dave Bittner
Move along.
Carole Theriault
I don't know, you could just stagger lunchtime, seems to me. That might be an easier way about this.
Graham Cluley
Hang on, 5 seconds per pupil?
Carole Theriault
Yeah.
Graham Cluley
And he's saying it is 1,000 pupils? Yeah.
Dave Bittner
Oh, oh, here comes the math.
Graham Cluley
Well, that's not going to happen in 25 minutes.
Dave Bittner
Interesting.
Graham Cluley
Is it? It doesn't make sense because this is the thing. When I'm at the airport and it does the facial recognition thing, it takes bloody ages, right? Doesn't it?
Dave Bittner
Yeah.
Graham Cluley
Make sure you're standing properly, open your eyes properly, you know, don't smile. Yeah.
Carole Theriault
And I have no real problem with doing it at airports or at places of, you know, high importance like that. But for lunch? For lunch. According to Silky Carlo, the director of Big Brother Watch—
Graham Cluley
Who?
Carole Theriault
Silky Carlo. Isn't that
Dave Bittner
Silky Carlo?
Graham Cluley
Silky Carlo.
Dave Bittner
It's gonna be my radio DJ name. Silky Carlo coming at you with the stacks of wax and the platters that matter.
Carole Theriault
Silky Carlo, the director of Big Brother Watch. This biometrics company has refused to disclose what information they are getting. Put some kind of chain a good name? from their ear to their And that is causing some red flags. Like, what are you collecting through letting people use their face as their meal ticket, literally? nostril to their eyebrow.
Dave Bittner
Seems to me you get one kid who decides that this is the day they're going to come out of their shell and decide to go goth, and they've gummed up the whole works.
Carole Theriault
Or grew a little face fuzz, right?
Graham Cluley
Right.
Dave Bittner
Shave their head. Who knows? Decided to go heavy on the eyeliner, and everybody's backed up now because—
Graham Cluley
Yeah. Yeah.
Carole Theriault
And then they don't get lunch.
Dave Bittner
Right. And everyone behind them is tapping their fingers waiting because they've gummed up the works.
Carole Theriault
And they're saying, look, hey, we got the okay from all the parents on this. And it just, yeah, would have loved more time to go look into this to see where the schools are and what parents said.
Graham Cluley
In summary.
Carole Theriault
In summary.
Graham Cluley
In summary. It's gonna take longer than ever to feed your kids, and it's gonna cost a fortune.
Carole Theriault
Yep. And it's gonna go wrong, and the data will get stolen. And then where you at?
Dave Bittner
Right. Immutable data.
Graham Cluley
Yeah. You don't want hungry Scottish kids.
Carole Theriault
You know what? I'm opting out of going outside, I think, in all this. That's what I'm gonna do. 'Cause that's the only thing. I can't even be at home if my neighbor has a Ring.
Dave Bittner
Mm-hmm.
Carole Theriault
I don't like it. I'm going to become a hermit.
Dave Bittner
How would we tell? Wow.
Graham Cluley
For the last 15 years, the great team at 1Password have been helping folks stay protected, private, and productive, whether they use 1Password or not. And now, with the launch of 1Password University, they've used their expertise to create fun, dynamic, and free learning resources for people of all skill levels. Learn how to make the most of your 1Password account's features. Find out how to build a culture of security in your workplace, or discover why reusing the same password across multiple accounts puts you at risk. Broaden your knowledge starting with the basic building blocks of security. Learn at your own pace and discover the tools and tactics that will help keep you safe on the internet. Whether you're a business leader looking to create a culture of security in the workplace, or you're a user trying to understand why you need a unique password for each account, 1Password University's free courses have got something for you. Go check them out right now. Try 1Password University for free at www.1password.university.
Dave Bittner
That's www.1password.university.
Graham Cluley
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security related. It was pointed in my direction by my friend Petra.
Dave Bittner
Ah.
Graham Cluley
Yes. While the rest of the world has been watching Squid Game and Succession, my friend Petra has been watching a TV show called Married at First Sight Australia. And she said, you might like it. She said, it is a cultural feast. She said. And so I checked it out. Now, specifically, I'm talking about Married at First Sight Australia, not the UK edition, not the US edition. Has to be the Australian one. And it has to be season 6, which is the best. Well, it's the only one I've seen.
Carole Theriault
Very specific.
Graham Cluley
Now, this was first broadcast in Australia 2 years ago, but it has just reached British shores via the All 4 streaming service. I think it was on E4 here.
Carole Theriault
The rest of you, I don't know how you're going to get a hold of it, but I think I saw, well, maybe it was a different name show, but this premise was the same and it was in Australia and it was on Netflix.
Graham Cluley
It may be. So the basic premise of Married at First Sight is that two people get married literally at first sight. They've never met before. They don't know anything about each other. They don't know what they look like. They don't know what their partner's name is. Nothing at all.
Dave Bittner
What could possibly go wrong?
Graham Cluley
Exactly. Relationship experts have matched them up as part of a scientific experiment. So they get married, and then the TV cameras follow them through those early weeks of marriage as they get to know each other.
Carole Theriault
Because that's totally natural to have cameras all over your face. We just have Ring doorbells everywhere.
Graham Cluley
Oh my word. I've seen the British version before, which is pretty tame in comparison with the Australian, especially season 6. Which is the one I'm recommending because although there were some lovely, there was one lovely couple who you just thought, oh, they really are in love. And you thought, this is so lovely and she's lovely and he's lovely. And they're obviously going to be with each other forever because it's just worked.
Carole Theriault
For real?
Graham Cluley
Yes. Yes. Yeah. There were some others who had a little bit more of a problem. And I was watching that with the popcorn, my jaw open as I plowed and binged through this TV show. As it was just twist after twist after twist.
Dave Bittner
Can you give us an example?
Graham Cluley
Let— oh, you see, I don't want to give too much away.
Carole Theriault
He can't remember.
Graham Cluley
Yeah, no, I can't remember. He slept through it. I don't want to give away too much of what happens later in the series, right? Because there are some major shifts.
Carole Theriault
So you follow the same couple throughout the series? It's 3 couples, is it?
Graham Cluley
Oh, no, it's not 3 couples. No, in the Australian version, they have probably about 8 couples. And the couples meet up at dinner parties and discuss how it's going. Oh my God.
Dave Bittner
Where the alcohol flows.
Carole Theriault
I love how there's scientists involved in this fucked up show.
Graham Cluley
And scientists are watching their interactions and determining how well they're getting on. And people are getting into arguments and partners are unimpressed by what their partner is saying about their relationship. And so there's Matthew the Virgin, who says he's gone on the show because he's 30 and hasn't had sex yet. And there's Lauren, who's definitely up for some. And he has to reveal that he's a virgin. No big deal. There's Mick the farmer who gets set up with Jess. Things I could tell you about Jess. Ines, who gets put together with Bronson the stripper. She's very unimpressed. I'll put in a little link to a video.
Carole Theriault
Yeah. So this is car crash TV with a little science layer to give it a little bit of—
Graham Cluley
You know what? In some ways it's really heartwarming because you think that is a lovely way to watch something. There was another bit. There were a couple, Mike and Heidi, who I found fascinating. They weren't the most car crash couple of all of them. But Heidi kept on pointing out things that were wrong with Mike. For instance, Mike went out late to bring back food for their dinner. And he ended up coming back with food for himself and not for Heidi. And he said to Heidi, "Sorry, your shop was shut, so I haven't brought you back any food, right?" A dick.
Carole Theriault
A douche. Yeah.
Graham Cluley
Heidi understandably brought this up with the relationship experts and said she thought it was rather inconsiderate. To my surprise, the relationship experts just told her, let it go. I mean, for goodness sake, aren't you being a bit nitpicky here? And I was watching the TV going, no, this guy is an arse doing this. And he does this.
Carole Theriault
I'm going to have to watch this tonight. Oh my God.
Graham Cluley
He does. There's a lot of episodes, Carole.
Carole Theriault
I'm going to watch season 6.
Graham Cluley
Okay. Well, okay. There's a lot.
Carole Theriault
How many episodes in season 6?
Graham Cluley
31.
Dave Bittner
Wow.
Graham Cluley
I fast forwarded through a lot of it because there were particular people I was really interested in. Ines, Jess, Mike and Heidi. They're very interesting. You want to watch those. Anyway, the show is called Married at First Sight Australia. You can find it on All 4 streaming in the UK. And I was surprisingly engrossed in it. So that's why I'm not watching Squid Game and Succession.
Carole Theriault
Would you say it's highbrow?
Graham Cluley
There are brows in it, which are sometimes high.
Dave Bittner
Your brows were high the whole time you were watching it and your jaw was low.
Graham Cluley
Look, it's my guilty little secret. And as guilty little secrets go, it's not that.
Carole Theriault
It's hardly a secret. You just announced it on the podcast.
Graham Cluley
Yeah, because I feel this— I'm
Dave Bittner
Yeah.
Graham Cluley
Links in the show notes if you want to see a clip of what— how Ines reacted to her husband the very first time that she saw him. sort of cleansing myself, you know. Dave, what is your pick of the week?
Dave Bittner
Well, let me ask the two of you, is late-night AM radio a thing over in the UK?
Graham Cluley
I'm— this is like a confessional.
Carole Theriault
No, not really.
Graham Cluley
Not AM, no, no.
Carole Theriault
I love that stuff though. I spent my childhood listening to that.
Dave Bittner
Okay, so you're familiar with it, Carole, from your Canadian upbringing. Perhaps you heard some of the Clear Channel stations making their way over the border from your friendly southern neighbors. Our neighbors here in the U.S.
Carole Theriault
Yes, while we were warming ourselves, you know, inside a bear carcass, yes.
Dave Bittner
Right, exactly, snuggling up with a moose, absolutely, right. Well, there is a very well-known late-night AM radio host named Art Bell, and he hosts a show called Coast to Coast AM, and this show is all about the paranormal and conspiracy theories and—
Carole Theriault
My mom's obsessed with it, loves it.
Dave Bittner
Is that right? Yeah, yeah. So there you go. If you want to learn about ghosts and aliens and Bigfoot and the Loch Ness Monster, and this is the show for you.
Carole Theriault
And she's not into all that stuff. I think she just likes his voice and she kind of snoozles. She sleeps kind of listening to it. Yeah.
Dave Bittner
Yeah, yeah. And it's been running for a long time and it's very popular. Well, my pick of the week this week is a podcast and it's called Dark Air with Terry Carnation. And it's actually starring Rainn Wilson, who is one of the stars of the US version of The Office.
Graham Cluley
Yes.
Dave Bittner
He plays Dwight Schrute in The Office. And he plays a version of Art Bell. And this is a dark comedy about his life and this radio show that he's on and some mysteries that happen in his own life. His wife disappears. And there's some intrigue that happens with that. It's a smartly written show. It's very dark humor, so if you like that sort of thing, and if you're someone who spent any time listening to these old AM radio shows, this pokes fun at all that in a very affectionate sort of way. So it's called Dark Air with Terry Carnation, and it is my pick of the week.
Carole Theriault
That's great.
Graham Cluley
Is Terry Carnation a friend of Silky Carlo, by any chance?
Dave Bittner
They're old college chums, sure. They had an old vaudeville show together back in the day.
Carole Theriault
Graham, check out Art Bell on Wikipedia. It's just the best picture ever.
Graham Cluley
Oh, okay, hang on. Let's look. Art Bell, Wikipedia.
Carole Theriault
It's a very unusual Wikipedia picture. Is it perfect?
Dave Bittner
It's perfect.
Carole Theriault
It's like he's got the Columbo cigar, but the black turtleneck of the Steve Jobs.
Graham Cluley
Into the paranormal.
Dave Bittner
I mean, if you called up central casting and said, "I need you to send over a late night radio host to talk about conspiracy theories from 1978," yeah, this is that guy. He has not visited his optometrist in three decades.
Graham Cluley
Funny. Carole, what's your pick of the week?
Carole Theriault
Great pick of the week. Mine is a miniseries, a tense British procedural drama called Vigil. It's created by Tom Edge, same producers as The Line of Duty, and launched on the BBC in August this year. And the whole thing is in Scotland. Much of the action takes place on a fictional ballistic missile submarine of the Royal Navy. And the tagline is, "The deeper you go, the darker it gets." When a sailor is found dead on a submarine, HMS Vigil, DCI Silva uncovers a conspiracy. It stars Suranne Jones, Rose Leslie, who I thought was great in this, Shaun Evans, Paterson Joseph. There's loads of people. The whole thing, though, is kind of ridiculous in my view. I imagine if I ever worked for the Navy or any military services and watched this show, I would just be appalled. The chain of command is just so loose. There's just so much crap going on.
Graham Cluley
You just think, "That's ridiculous." It's a bit like watching the governor of Missouri talk about a cyberattack—you just think this is nonsense.
Carole Theriault
Exactly. But it is fast-paced, and the game of the show is find the murderer—who's hiding amongst all the people in the submarine. Could it be the HR liaison? Could it be the XO? Six parts. It's much more reasonable than 31. Could it be the doctor? Could it be the sonar specialist? Could it be the captain?
Graham Cluley
Forty-five minutes
Dave Bittner
Hmm.
Carole Theriault
So you have a lot of that, but there's some excellent thrilling scenes. The opening scene is probably why it's here as my pick of the week, 'cause it's pretty wow.
Graham Cluley
Wow. It's a pretty strong opener. It's a James Bond-style opener. each or so? How many parts is it, Carole?
Carole Theriault
Probably.
Graham Cluley
Okay. So you can stream it on BBC iPlayer. It's probably available for sale. Right. Now we're sucking on diesel.
Carole Theriault
There's not much smiling in this one. There's not many jokes, right?
Graham Cluley
Because there was a lot of laughter in Line of Duty, wasn't there? Yeah, there was. He was there for the comedy effect. Hastings.
Carole Theriault
Anyway, I enjoyed it. I hope if some of you do, get in touch, let me know. Fantastic. Well, that just about wraps up the show for this week.
Dave Bittner
I am on Twitter @Bittner, that's B-I-T-T-N-E-R, and everything else is over at thecyberwire.com.
Graham Cluley
Marvelous. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't have to have a G. And we've also got a subreddit, just look for Smashing Security up there. And don't forget, if you want to be sure never to miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Carole Theriault
And of course, thank you to this episode's sponsor, 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. Episode show notes, sponsorship information, guest list, and the entire back catalog of more than 247 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio. Bye-bye.
Carole Theriault
Bye.
Graham Cluley
Bye-bye.
Carole Theriault
All righty.
Graham Cluley
Don't click F12.
Carole Theriault
Yeah, you don't want to become a bad actor.
Graham Cluley
Bad actor.
Dave Bittner
No, no. Violate the Computer Fraud and Abuse Act.
Carole Theriault
Hey everybody, Carole here. Well, you guys are pretty amazing. We received a smattering of 5-star reviews in response to last week's statement, and they're glorious. I want to thank 1212456 for saying, it's not only a great way to catch up on the news, but it's also pretty funny too. I look forward to listening every week. Also to Tiny Techie, who said Thursdays have become my favorite day of the week because I get to listen to Smashing Security during my morning commute. Huzzah! Nickna is happy, says it's always informative and entertaining and shall defend our honor. Belvedere Jack says, I've listened to this podcast for many years hoping I'd enjoy it and get something out of it. Fortunately, each time has exceeded my expectations. Shucks. And last but not least, JX Koi Graham Cluley, who says, "I love this podcast. Very informative. Keep it up. Great work." We're thrilled. And we're grateful. And we will keep it up. Not that way, Graham.
Graham Cluley
Geez. What are you gonna do with him? But we do wish you all a superb week.
EPISODE DESCRIPTION:
A journalist is threatened with prosecution after choosing to "View Source" on a public webpage, Amazon Ring owners might be in line for a hefty fine if their neighbours complain, and is the school lunch queue a good place for facial recognition?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.