This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
I was thinking he'd put the phone down on the table and then dangle her head over the phone whilst using your fingers, your index finger and ring finger, maybe to yank up the eyelids. You know?
Graham Cluley
How do you dangle someone's head?
Carole Theriault
Well, you know what I mean? You'd hold it from above and just kind of hold it above the phone.
Mark Stockley
But the head's attached to a body. I'm just gonna dangle the head. It looks so easy.
Carole Theriault
That's true. That might wake her up.
Unknown
Smashing Security. Smashing Security Episode 256: Virgin Media Just Won't Take No for an Answer. NFT Apes and Bad Optics with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 256. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And we're joined on this last podcast of the year by Mark Stockley. Hello. Yay!
Carole Theriault
Mark, thanks for joining us for the last 2021 podcast of Smashing Security.
Mark Stockley
It's a pleasure. And can I say how much nicer it is to join you from inside my house, whereas last Christmas you made me go and sit in my greenhouse in the dark where I was getting bonked on the head by cabbage suspended from the ceiling by a piece of string.
Graham Cluley
What a year it's been. That should really have warned us, shouldn't it, as to what was going to come over the following 12 months. Now there's this thing in the news, isn't there? Log4Shell, Log4j. There's this vulnerability thing. Everyone else is talking about it. I don't know if we should talk about it on the podcast or not. Carole, have you heard of this?
Carole Theriault
I've heard of it. I'm kind of on holiday at the moment, so I'm trying very hard not to pay attention to security.
Graham Cluley
Other people aren't having a holiday at all because they're scurrying around trying to fix this vulnerability, which is in millions and millions of devices and pieces of software and internet-connected things. What's your take, Mark?
Mark Stockley
Well, this has been very much my life. So luckily I'm not one of those people that has to go and actually fix this stuff, but I do have to understand this stuff and write about it. And this is the universe of cybersecurity at the moment. This is the one and only thing that's happening. And if you want to know how it works and all that kind of stuff, I mean, everybody in the world who cares about this stuff has written an article about it and they all basically say the same thing. And it's all just what you can read on the Apache website. What I would like to do is just give a shout out to the people that maintain this piece of software. So basically, what's happened is there's a problem in a piece of software. And that piece of software is maintained by a very, very small group of volunteers. They maintain this piece of software for free in their spare time. I can't remember if there's 3 of them or 6 of them. But what happened was the entire world decided they were going to use this piece of software in their bits of software because that's how software works. You use libraries and things. You reuse code. This is a bit of software that helps you with logging in Java, and there are lots and lots of things written in Java. Generally, when you write a computer program, you want to do lots and lots of logging because that helps with security, and that helps with just understanding what's going on and troubleshooting and all that kind of thing. Through no fault of the maintainers, everybody went, "Oh, free stuff. Fantastic. Yes, we'll use your free stuff." But people have actually been quite mean. I think it's completely unfair. It's like they did this for free and then you saved some money and, you know, okay, now you have to pay a cost. I'm very sorry.
Carole Theriault
Yeah, but still, if you give something for free, that's an interesting ethical question.
Mark Stockley
In their rush to hit the delete button. But you know how it goes. You know, basically people went, "Oh, we'll use that. That's great." Their finger slipped.
Graham Cluley
Okay, well, as everyone else in the world is talking about this thing, we thought we don't want to talk about it. We're sick of it.
Carole Theriault
Good thing that Mark was so succinct.
Mark Stockley
Glad I didn't come on here to talk about it.
Graham Cluley
I mean, it's just totally something which you can just consume into the budget, isn't it?
Carole Theriault
To thank this week's sponsors, 1Password and Uptycs. It's their support that helps us give you this show for free.
Carole Theriault
Now coming up in today's show, Graham, what do you got?
Graham Cluley
Oh, I'm going to talk about companies who bombard you with marketing emails. The budget of your marketing efforts.
Carole Theriault
Hmm. Mark, what about you?
Mark Stockley
I'm going to be talking about a mediocre picture of an ape.
Carole Theriault
Okay. And I'm heading to southern China and looking into some facial recognition shenanigans. Mark. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, have any of you ever bought a service or a product and found yourself—
Mark Stockley
Never.
Graham Cluley
—receiving emails and marketing communications from the company afterwards?
Mark Stockley
I think the yacht club is just a name. It's not really— I mean, they're not really apes, OK? They're just pictures of apes. And they're not really bored, because they're pictures.
Carole Theriault
I think that's why I went off email, actually.
Mark Stockley
Have you met banks? And pictures can't get bored. And it's not a yacht club. And also, the things that you get, the benefits that you get when you sign up, don't exist yet. But they will exist soon.
Mark Stockley
But we don't know what they are. But we do know what one of them is. So one of the benefits that doesn't exist— well, the only one that doesn't exist that we know what it is, is the bathroom. It's called the bathroom.
Graham Cluley
No?
Mark Stockley
And the bathroom— is a sort of MS Paint for everyone who is a part of the Yacht Club. And you can add 1 pixel to the bathroom every 15 minutes, or at least you will be able to when it exists, because it doesn't exist yet.
Graham Cluley
Neither of you?
Mark Stockley
This happens to me quite a lot. Have you ever bought a service and not been sent email? That's just permission to just be your best friend, isn't it? It does seem to be like that, doesn't it? And that's the kind of relationship which happens. Now, I want to talk to you about a company.
Carole Theriault
So they have 2 million customers and they each got an email?
Graham Cluley
Well, they may have more than 2 million customers, but there are 2 million customers they sent a message to. And the message said, we want to let you know that we won't be raising your price this year. This means the price you pay for your current package right now will stay the same in 2020. Okay.
Mark Stockley
So somebody at Virgin Media thought that this was some form of celebration. "We just wanted to let you know that we're not arbitrarily increasing the price this year." It's a bit "it'd be awful if something happened to that nice dog of yours," wouldn't it?
Carole Theriault
You guys are gonna play the protagonists here in this story.
Graham Cluley
Well, what kind of grumps are you guys? Isn't that a lovely message to receive?
Carole Theriault
Mark, maybe you can take the lead since Graham always takes the lead.
Graham Cluley
Being told we're not going to put your price up?
Carole Theriault
I want you to imagine that you are in your late 20s.
Mark Stockley
No, we've put your price down. That would be a lovely message. 'Virgin Media is free this month.' That would be a lovely message.
Carole Theriault
Yeah, I'm with Mark on that one.
Graham Cluley
To be fair, it's not as crazy as buying an NFT of a Bored Ape and joining some kind of yacht club in order to scrawl a penis on the wall, is it? Yeah. Okay. So 1.3 million customers who had opted in to marketing communications from Virgin Media received that message and then presumably, Mark, hit the delete button and thought, 'You really didn't need to tell me that.' Carry on with your day. I'd rather have known about a price cut. It's not the maddest thing I've heard in the last 20 minutes.
Carole Theriault
Right. To be fair, though, 90% of emails fall in that category of 'I really didn't need to know that.' But thanks.
Graham Cluley
Yeah, there's a lot of it about. There's a lot of it about. Now, that was 1.3 million of the 2 million people who received the email. So a further 209,000 customers who had specifically opted out of marketing communications from Virgin Media also received it. Do you think there's a problem with that?
Mark Stockley
Do you think that's all right? What's 209,000 people between friends?
Carole Theriault
I don't know if it is. I wonder if the gray area is that it's not necessarily marketing information, it is sales information. Yeah, I think it's arguable, isn't it?
Graham Cluley
Because you could, I mean, although obviously there's a marketing benefit in so much as, aren't we nice guys for not increasing the price? High five us. It's also slightly informational, I suppose. Okay, okay. So we've nearly gone through all the 2 million recipients because there were an additional 451,000, almost half a million customers, who had also specifically opted out of marketing communications from Virgin Media. And they were told about the price freeze, but they had an additional bit tacked on to the end of the email. Mm-hmm. And what they were told was, we'd like to stay in touch about all of the great Virgin Media stuff we have on offer for you. Marketing stuff. Yep. You've currently said no to receiving marketing messages from us. Which means that we are not able to keep you up to date with our latest TV, broadband, phone, mobile news, competitions, products, and bundle offers via online email, post, SMS, and phone. Apart from this one. You can change your preferences by simply registering or signing in to virginmedia.com/opt-in. Click My Profile, then My Preferences. So it's now changed a bit, hasn't it? Because it seems the bulk of the email is no longer about there's a price freeze. It's now, you know that thing you opted out of? You can still opt in if you want. You can still get messages from us.
Carole Theriault
I think it's quite a clever workaround if, you know, they're under pressure to get some business going. Maybe the numbers are low. And so they go, oh, I know I've got a really good workaround. Let's spam people that deliberately asked not to ever be contacted by it.
Carole Theriault
We are also sponsored by Uptycs. Uptycs is a cloud-native security analytics platform built to protect the modern attack surface. Uptycs zeroes in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem. Plus, Uptycs normalizes telemetry across macOS, Linux, Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections. In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform. Visit smashingsecurity.com/uptycs. That's U-P-T-Y-C-S to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.
Graham Cluley
Yes. Yeah. We know full well that you've opted out of marketing emails, but maybe you want to change your mind. Maybe you want to opt back in. So how would you have responded if you'd got one of those, if you were one of those 451,000 people?
Carole Theriault
I wouldn't have read it.
Graham Cluley
You'd have deleted it? Oh, I see. Maybe the problem is my eyes instead. So I stumbled across this webpage on emojipedia.org. Yes, there is a Wikipedia for emojis. And it is all about what every heart emoji really means. And I thought, oh, this is quite useful because it's one of the most common emojis that people send to each other, either a broken heart or a real heart.
Carole Theriault
I wouldn't have seen it. I wouldn't have seen it.
Graham Cluley
And apparently there are different meanings and there's been an awful lot of research done into the popularity and usage of different emojis, which I thought was quite interesting. Brown hearts, not popular. I'm totally using that from now on. Well, you don't see a lot of emails actually, don't you? Exactly. Yes.
Mark Stockley
Well, you can find me on Twitter @MarkStockley, and also you can find me on OpenSea, and you can find NFTs that I've listed there under the name Mark Stockley.
Graham Cluley
That's a thought which seems to— sometimes quite important emails. That's why we're partners.
Carole Theriault
You help me with this.
Graham Cluley
Yeah. So it's at this point that one single itsy bitsy opted-out customer read this email and thought, I'm a bit pissed off with this. And he complained to the Information Commissioner's Office, who are the data watchdog in the UK, arguing that the email had posed as a routine communication about prices, but was actually an attempt to get everybody to opt back in to marketing communications. Yeah. I don't know why I'm defending Virgin.
Carole Theriault
I kind of that they didn't tick the box without them, you know, saying opt out if you want, because that's following the law, I suppose. Yes, well, they're breaking the law by emailing them a marketing communication is what you're saying.
Graham Cluley
Yeah. I mean, if people have opted out, was that stepping over the line to say, you know, maybe you're missing out? So the ICO, they quizzed Virgin Media about this. And Virgin Media said, yes, yes, we acknowledge those 451,000 recipients had opted out of being spammed. But according to Virgin Media, that had been over a year ago and they might have changed their mind. So they said that they'd had customer feedback from time to time that people changed their mind about wanting to receive marketing emails. And so it was quite right of them just to double-check and say there's still an option to opt back in if you want. Okay.
Carole Theriault
And the ICO went, oh, okay, I totally get it.
Graham Cluley
Okay, thanks. Well, no, ICO wasn't that impressed. So they said this was no justification. In fact, the other thing that Virgin Media said to try and justify their point of view was they said, well, 6,500 people did choose to opt back in after receiving this mailshot. So it worked. They said it worked. They said to the ICO, doing this works if you keep on bugging people and say, "Oh, are you sure? You don't want to come back in?"
Mark Stockley
Oh, you sure you don't want to come back in? So in reality, 6,000 people don't know what they clicked.
Graham Cluley
Yeah. They just fell against the keyboard and randomly— So, the ICO did not accept this as a good reason to keep on sending people marketing emails. They said the fact that Virgin Media had the potential for financial gain from its breach of the regulations by signing up more clients through the direct marketing is an aggravating factor, not a defence. And they have fined Virgin Media the enormous sum of £50,000. Take that, Virgin Media.
Carole Theriault
Yeah, they're gonna feel that.
Graham Cluley
Where it hurts. Well, they're not going to feel a £50,000 fine, actually, because they're going to pay it before January 9th, which will reduce it to £40,000. In other words—
Mark Stockley
It's just like parking tickets. It is.
Graham Cluley
In other words, it is the equivalent of 8 pence per opted-out recipient, which I think is quite a good deal for Virgin Media, really, isn't it?
Carole Theriault
Yeah. Is ICO going to send that out to each of the recipients, the little cheque for 8p?
Graham Cluley
Oh, no, no, no, no, no. Any money you pay to the ICO in fines goes back to Her Majesty's Treasury ultimately.
Mark Stockley
I'm a bit stuck on this January discount. So this is basically the UK government performing a bit of accountancy sleight of hand. They're trying to get this money on the books this tax year, aren't they?
Graham Cluley
Well, they've also said if you don't appeal, that's the other rule. If you pay up in time and do not appeal, which obviously would incur some costs.
Carole Theriault
So another, "It'd be awful if something happened to that lovely dog of yours." Yeah, but yeah, a saving of 10K for Virgin Media is basically, I don't know, a square of toilet paper, really. Well, it's—
Mark Stockley
You just think, "Oh, well, if we want to get more people on our newsletter list, these people are just going to cost 8 pence per month each." Without naming any names, all 3 of us on this call, I know someone who has spent similar amounts of money to that on marketing campaigns that received absolutely zero clicks.
Graham Cluley
Yeah. Yep. Whereas they got 6,500 people to sign back up. So it's actually pretty good. It's a pretty good deal, isn't it? So shouldn't the fine have actually maybe been 10 times more or 100 times more or even more? Should it? I mean, there have been people in the past who've taken the spammers to court and got £300 per email. So maybe the ICO should be charging way more than this kind of thing if it wants to actually have a proper deterrent.
Mark Stockley
Maybe they should make Virgin Media send everybody an email saying, hey, guess what? Great news. We're not keeping your prices the same this year. We're actually going to cut the price to all of our users by 8p.
Graham Cluley
So, yeah, so be careful, obviously, when you choose whether you want to opt into marketing email promotions and the like.
Mark Stockley
Be careful because the people you're opting in with might just ignore you and send you emails anyway.
Graham Cluley
So be careful. And they may decide that after a year, well, a lot of people change their minds, and so we'll give them an option to change it afterwards. The other thing is that sometimes on these forms, the wording is really confusing, isn't it? When you click on these things as to whether you are actually opting out or opting in, you sort of get a "do not click here to not unsubscribe from future marketing emails," pre-ticked. And you've got this knot, this Gordian knot you're trying to unravel of logic and triple or quadruple negatives to try and determine. And then there are web pages you go to which say, "Okay, well, if you want to opt out, confirm your email address and your name and your company name and your size of company." So, whoa, whoa, whoa, I'm giving you even more information in order to get off this bloody list.
Carole Theriault
Oh, isn't it nice you have a holiday coming up, Graham?
Graham Cluley
I so need a holiday.
Mark Stockley
Did you know they've just changed the law in the US so that they can no longer run that scheme where you sign up for something online, but you have to phone them to unsubscribe? And it was really popular with newspapers. I signed up for The Wall Street Journal once because I wanted to read an article. And then I spent days on the phone trying to call someone to get unsubscribed. When you're in that sort of process, you know exactly what thinking is going on there. They've sat down and they've gone, "How can we make this as difficult as possible? No chance that people are going to voluntarily remain subscribers, so we must trick them into continuing to use our quality product."
Graham Cluley
It's a bit like having to go to the council office, go down into the basement where the light bulb is broken, and there in a broken lavatory behind a sign which says, "Beware of the leopard."
Mark Stockley
In a filing cabinet. Yes.
Graham Cluley
Right. What have you got for us this week?
Mark Stockley
My story today is about somebody who accidentally sold a picture of a cartoon ape on the internet for $3,000. Well, that doesn't sound like an accident.
Graham Cluley
That sounds like a success to sell a picture of a monkey for so much money.
Mark Stockley
Well, you might think that. But this is an NFT story. So it wasn't an accident that they sold it, as you very astutely picked up. It was an accident in the sense that they meant to sell it at a different price. In fact, it was a massive accident because they got the price wrong by a factor of 100. The seller was somebody who goes by the handle MaxNaut, and he made what he called a fat-fingered mistake. And he typed in the price. So he was on the NFT marketplace, it was called OpenSea — it's the biggest NFT marketplace, it's where you go to go and buy NFTs — and he was on there and he was typing in the price, and he got the price wrong by a factor of 100. And because we live in the lunatic upside-down world of non-fungible tokens, I'm not saying the price should have been a very generous $3. It should actually have been a ridiculous $300,000.
Carole Theriault
What? How should it have been?
Graham Cluley
For a bitmap file?
Mark Stockley
For a bitmap? Well, are we going there, Graham? It's not for the bitmap file, is it? It's for the token on the blockchain that references the bitmap file.
Graham Cluley
So MaxNaut typed the wrong number of zeros.
Carole Theriault
Yes. He basically — yeah, he probably forgot there was probably pence in there, or cents, and he didn't see the little squiggles below.
Mark Stockley
Well, this is Ether, so it would've been 0.000000 something, something, something. That's the trouble when you're dealing with cryptocurrencies, because they're so massively inflated. Obviously, when they were invented, the people who invented them thought, well, you know, obviously one of these is going to be a reasonable quantity. That now one of them is worth $1 trillion, so people trade in 0.000000 fractions. So it's quite easy to type in too many or too few zeros. And normally, you think about listing on Amazon or something like that, this wouldn't be a problem, right? You type in the wrong number. And MaxNaut realized his mistake pretty much immediately. But because we live in the lunatic upside-down world of NFTs, immediately is actually way too slow. Because someone grabbed it. Well, someone, something had grabbed it. So as soon as it was listed, it was purchased, and it was relisted at $250,000.
Graham Cluley
But hang on, hang on, hang on. Does this matter? Surely he can just produce another bitmap with an extra squiggle on it.
Mark Stockley
Well, no, of course not. He can only make 10,000.
Carole Theriault
So Graham, feel bad for him.
Mark Stockley
We live in the world of artificial scarcity. And what he was selling was a picture of an ape, but not just any picture of an ape. This is a picture of an ape with benefits. So this is—
Carole Theriault
Sorry, people have apes with benefits? That's new.
Mark Stockley
Let me get to the benefits.
Carole Theriault
You've met my husband, right?
Graham Cluley
You have an ape with benefits, do you, Carole? A Wookiee with benefits.
Mark Stockley
So this ape in particular is part of the Bored Ape Yacht Club. And the Bored Ape Yacht Club is a collection of 10,000 pictures of apes, which are of a standard that would not disgrace a middle-ranking art college. And they're sort of digitally assembled. So by the look of it, there's a bunch of ape components, and then a computer program has mixed and matched those to make 10,000 unique apes. And then they're all being sold. And they're all sold for 0.08 Ether each. And it's terribly democratic because they're all sold for exactly the same price. And there's no premium tier or anything like that. But of course, they get sold, and then they instantly get relisted for whatever the market demands. And what the market demands at the moment is about $250,000. Anyway, you're not just buying a picture. Because quite often with NFTs, you're not even buying the picture. I mean, you're just buying the fact that there's— basically, you're buying a receipt.
Carole Theriault
You're buying a URL.
Graham Cluley
You're just giving someone money. You're just giving someone money is what you're actually doing. You're not doing anything else.
Mark Stockley
Down in the basement, in the locked filing cabinet behind the toilet door, there is a list of who owns what ape picture. And what you're buying is you're buying your name on that list. Okay? And that list says, you know, Graham or Carole Theriault owns ape picture 3,700, whatever.
Graham Cluley
Who is buying this? Famous people! With no sense. Post Malone. Host unknown? What?
Mark Stockley
Post Malone is a famous person.
Graham Cluley
Right. Never heard of him.
Mark Stockley
He's one of the famous people that has bought Ape Yacht Club mediocre ape pictures. Anyway, I must get onto these benefits because what happens is the NFT is not just a picture of an ape, which you would not put up in your home. It is also a login to the Bored Ape Yacht Club. The Bored Ape Yacht Club, it allows you exclusive entry to a range of features that don't exist yet.
Graham Cluley
Is this a real yacht club? So if you bought enough of these apes, you would be able to more quickly scroll some kind of message.
Mark Stockley
You would be able to draw in more of the penis.
Graham Cluley
Yeah, which inevitably is what someone's going to draw. Yes.
Mark Stockley
This is— these are all going to be owned by men in their 20s who are collaborating on a drawing on a bathroom wall in cyberspace. It's going to be a penis. Anyway, you too can join this club for the bargain sum of $250,000. No, thank you.
Carole Theriault
He didn't lose any money, right? Because he, presumably the seller, MaxNaut or whatever, bought it from whoever posted it, 0.7 Ethereum or something, and then he basically sold it for the same amount of money, it seems, by accident. So he's lost nothing.
Mark Stockley
Well, in— he was— CNET spoke to him and he seemed very phlegmatic. I think this is very much, you know, we live in the crazy world of cryptocurrencies where billions of dollars go missing because you let someone have your billions of dollars to look after. And that happens about every 2 weeks. So I think if you get into this stuff and you're serious, you probably just mentally write off a bunch of money already. Like, if he's going to make $300,000 on the next one, he's not going to worry about losing a mere $297,000 on this one.
Carole Theriault
It's just a swimming pool I do not want to dip my toe into. Oh. Just— Yeah, I'm skirting that.
Mark Stockley
Well, let me just swim out into the deep end slightly with you. Because I want to tell you about my favorite part of the story. OK. OK, because that isn't my favorite part of it. My favorite part of the story is— so I told you the transaction happened instantly, right? Yeah, yeah. OK, now have you ever bought anything with cryptocurrency? No. Right, instantaneous transactions are quite difficult to pull off. Like, you can buy things with bitcoin, then you can wait hours. Or days even, which is why it's a terrible idea for currency. Because you want to buy something, right? But another terrible reason why— so if you want to get it instantly, you have to pay a transaction fee. You're basically paying to grease the wheels and speed things up. How much do you think that this robot that bought this robot-generated monkey picture paid to make that transaction happen instantly?
Carole Theriault
Take a guess. Oh, so of course it's a market. And the faster you want it—
Graham Cluley
£20.
Mark Stockley
Graham's saying £20.
Carole Theriault
I don't know, 10 grand. I have no idea.
Mark Stockley
I'll give you a benchmark. I bought a house a few years ago, which cost about the same as a crap monkey picture. And I paid a £30 fee to transfer the money to pay for the house. And I thought that was pretty Victorian. This computer program that bought this monkey picture paid $34,000 in transaction fees. But it's still quids in. I mean, the math is correct. But you know— Yeah, the math works. I looked this up. And basically, the future of the world is a currency where it either takes days for the currency to go through, or you have to pay a mere $34,000 to make it happen instantly instead of using your debit card, which can do a faster payment now, which is instant, doesn't cost you anything. I looked up the numbers. And also, obviously, cryptocurrency is trashing the planet because they consume so much electricity. You can do 140,000 Visa transactions for the same amount of energy as it takes to do a single Ethereum transaction. 140,000.
Carole Theriault
Banks could fight back, you know. Banks could say, hey, you know what? Every account that we have under our roof, you know, every day we're gonna give someone a random amount of money in one account. No, I know. I just think if they're losing people to crypto, maybe it's the excitement. You're just gonna land with a bunch of money from us as a present. They have to gamify banking.
Graham Cluley
I just can't cope with the world.
Mark Stockley
Well, I've got you guys a little Christmas present.
Carole Theriault
Is it a frickin' monkey?
Mark Stockley
I hope so. Yes, I spent $300,000 and I bought you a monkey.
Carole Theriault
Not even a real monkey. Just a URL of a monkey. It's not a monkey.
Mark Stockley
I'm just gonna paste something into the chat window. Okay. So you have to look in the chat, 'cause I'd read out the URL, but you'll see when you see it in the chat window, you'll see why I didn't read it out. Okay. Oh, it's a picture. Oh, look, is this our own NFT?
Carole Theriault
I find this extremely frightening. Why couldn't you have connected us the other way by our ears?
Mark Stockley
Do you remember? Because it's really important with NFTs is that there's a bit of a story. Okay? So do you remember a while ago, you invited me on the podcast, and we spoke about Twitter. And there was a kind of minor scandal where if you uploaded a picture to Twitter, and there was a white face and a Black face, it seemed to always show the white face. And to celebrate this for you guys, I created a Twitter account called Graham or Carole. And I uploaded pictures of you two to see which one Twitter would pick. And the avatar for that Twitter account is now an NFT. Okay, so this is not just some random picture. This is a picture which is linked to Smashing Security, which has got some history. And if it sounds like I'm selling this, it's because I'm selling this.
Graham Cluley
Link's in the show notes.
Mark Stockley
This is for sale on OpenSea. If you want to bid—
Carole Theriault
Don't dash all at once, folks.
Mark Stockley
If you want to bid on Graham Cluley on OpenSea. The starting bid is 0.15 Ether. Oh my God. Okay, and the reason it's 0.15 Ether is because it's not cheap to get these things on OpenSea.
Graham Cluley
Oh, really?
Mark Stockley
Yeah. So if anybody listening to the podcast feels like bidding on this NFT, you could scrape back some money, recoup some of my losses on this. It's a nice gift. Anyway, I'll read out the description for people who are interested, because I think we've probably hooked in a few people by now, because you've got a lot of listeners, right? Billions, yeah. So this is— it's a one-of-a-kind coming together of one of the most distinctive and humorous voices in cybersecurity and Graham Cluley.
Graham Cluley
Carole, what have you got for us this week?
Carole Theriault
Okay, it's a long, long time ago. Yeah. Yep. And you live in a place you probably have never visited in your life— Nanning, southern China. Yeah. You are waiting for your girlfriend to show up. That's something you've certainly done.
Mark Stockley
So I live in China, I'm in my 20s, and I've got a girlfriend. Yep. So very, very close to my current existence.
Carole Theriault
And your girlfriend got in touch earlier, and she was feeling a little under the weather. And you, the boyfriend, the nice chap that you are, offer to cook her dinner, look after her, sort out her little cold meds to help her sleep, all the stuff. And you fuss over her and get her all cozied up in bed. And soon, no surprise, she falls asleep. You sit beside her, look down at her, and you think— do you think I hope you feel better soon? Or I hope she likes— you know, I hope that got me some points looking after her.
Mark Stockley
I'm a man in my 20s. That's not what I was thinking.
Carole Theriault
Well, were you thinking that, oh, maybe I'll just get her Huawei phone and grab her little index finger and open up her phone. What?
Mark Stockley
Yes. Yes. No, I mean, yes, yes. This is me, isn't it? Yes, absolutely. That's what I was thinking. Yeah.
Carole Theriault
According to, well, a few papers, maybe he hid some of the cold meds in the food that he cooked so as to make sure she was fully sleeping at this time.
Mark Stockley
Fully sleeping? I slipped some drugs into her food to make sure she was fully sleeping? My lord.
Carole Theriault
And the reason, Mark, that you want to do this is it turns out you are broke and you need some wonga, pronto.
Mark Stockley
Okay? Has she got an NFT on this phone?
Carole Theriault
No, see, that would be— I'm sure he's looked for it. Because you've got a secret addiction, see? You're gambling. And the people that you owe money to are starting to get really serious about it. So you're thinking, "Hey, I've unlocked her phone." I know she uses Alipay, right? Okay, which is a money transfer app. I'm just gonna head over there and open that baby up. But there's a snag because she set up facial recognition to open the account.
Graham Cluley
I have to say, Mark sounds like a terrible boyfriend.
Carole Theriault
So does that mean he's screwed at this point?
Mark Stockley
Well, is her face still there?
Carole Theriault
Her face is there. Okay. But her eyes are shut, and, you know, he seems to have trouble getting the picture to work. Right.
Mark Stockley
So he needs to draw some eyes on her eyelids. That is smart. That might work, actually. I was just thinking if he's a 20-year-old man, he would probably draw it on and then just completely forget about it and not clean up afterwards, because it takes a while for you to develop those sorts of habits. So she'd wake up with eyes on her eyelids.
Carole Theriault
I was thinking he'd put the phone down on the table and then dangle her head over the phone whilst using your fingers, your index finger and ring finger, maybe to yank up the eyelids. You know?
Graham Cluley
How do you dangle someone's head?
Carole Theriault
Well, you know what I mean? Like, he'd hold it from above and just kind of hold it above the phone.
Mark Stockley
Yeah, but the head's attached to a body. You're just gonna dangle the head. Oh, it looks so easy.
Carole Theriault
That's true. That might wake her up.
Graham Cluley
Graham, do you have any ideas? Oh god. Could you not Photoshop some different eyes onto her face? Maybe her face is enough. And if you— Or take another photograph of her and cut and paste her eyes onto her. No, I mean, I don't mean actually with paper and glue and things. I mean, not actually with an image. That was Mark's idea.
Carole Theriault
Right. Oh. Glue some eyes on her eyelids.
Mark Stockley
But Graham's very clear that's a ridiculous idea.
Carole Theriault
Well, I don't know how he managed to do it, but he did. And he managed to transfer over 150,000 won, or about £18,000, $25,000. Of course, clever guy, he managed to change her password as well. And all this happened, of course, while Girlfriend is in slumber.
Mark Stockley
Hang on, isn't changing her password a bit of a clue?
Graham Cluley
You mean she might notice that?
Mark Stockley
Yeah! Up till now, all very, very secret, secret, you know? Drawing eyes on—
Carole Theriault
Yeah, she might notice $25,000 gone.
Mark Stockley
That's a good point. That's good. Yeah.
Carole Theriault
So, she wakes up, yawns, right? "Hi, honey. Nuzzle, nuzzle." And it doesn't take her long to realize that her account's been decimated. Huge money transfers, can't get into her account. And he's like, "Oh, no. I can't believe this happened." So he was the perfect boyfriend once again, acting completely innocently. She ends up calling the authorities, files a police report.
Mark Stockley
So when she's like, "Why are there eyes drawn on my eyelids?" But she wouldn't know.
Graham Cluley
She wouldn't know, would she? Because they'd only be visible when her eyes are shut. It's a brilliant place to hide something from somebody, is on their eyelids.
Carole Theriault
Yeah. Until she winks in a mirror, he's fine.
Mark Stockley
Or has a friend of any description.
Graham Cluley
Oh, yes. Okay, fair enough.
Mark Stockley
First Zoom call of the day.
Carole Theriault
And this guy, so he's only identified with his surname Huang. But according to the South China Morning Post, he was accused of doing all this, and he ended up getting arrested in April. And he was found guilty of theft by using secret methods to steal someone else's property, which is a pretty interesting—
Graham Cluley
So it's a crime to use secret methods rather than known methods, is it?
Carole Theriault
Yeah. Maybe this is a translation issue because obviously this happened in China. And there's a number of different articles on this, which I have in the show notes. But yeah, interesting. And the judge sent him to 3.5 years in prison and slapped him with a 20,000 won fine, or £2,500.
Carole Theriault
What, stealing from your sleeping girlfriend? Drugged-up girlfriend? Yeah. My big question though for you guys is this. If he asks her out again, does she say yes?
Mark Stockley
It won't be on Sticky Pickles. Oh, it'd make a great Sticky—
Graham Cluley
When's Sticky Pickles coming back? This would be a great story for them. So what's the next great security threat at work? How about burnout? The first annual 1Password State of Access Study illuminates the grave dangers unwittingly posed by checked-out, apathetic employees, including security professionals. Work-related exhaustion isn't a new phenomenon, but it's been amplified by COVID-19. And when it's left unaddressed, burnout can put companies at risk because it influences employees' habits and decision-making. Burnt-out employees are 3 times more likely to say security rules and policies aren't worth the hassle. And nearly half of burnt-out security professionals say it's unrealistic for companies to be aware of and manage all apps and devices that employees use. This free report establishes a clear connection between employee burnout and exposure to cyber threats, as ready-to-resign and otherwise disengaged employees let down their guards and circumvent their company's rules and protocols. So go and read the report for yourself and find out what you can do about it at your company. Go visit 1password.com/resources. That's 1password.com/resources. And thanks to 1Password for supporting the show. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week.
Mark Stockley
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. For a while now, I've noticed I've had a bit of a problem with technology. And my problem has been emojis. I can't handle emojis. I don't really understand.
Mark Stockley
Those emojis take up a lot of bandwidth.
Graham Cluley
They do take up a lot of bandwidth. But worse than that, they're very small and they're hard to tell apart. So someone will send me an emoji of something and I have to take a screenshot of my own camera and then enlarge it in order to find out that it's an emoji of a filing cabinet or a leopard or whatever.
Mark Stockley
How do I say this nicely? The problem is not the emojis.
Carole Theriault
I think all Smashing Security listeners should start using brown hearts. Need to embrace the brown heart.
Graham Cluley
Well, purple hearts, quite popular. And I thought purple heart, I thought that must be something to do with the Vietnam War. But no, no, no. Apparently it is the go-to emoji for fans of Bangtan Sonyeondan, if you're familiar with them, better known as K-pop band BTS. Yes, yes, exactly. So, if someone's in purple hearts, it means that they're into their K-pop. But there's lots of other interesting stuff if you go into this article, all about the different meanings of hearts and how they are used. For instance, there are those ones where you get someone's smiley face where the hearts are over their eyes. It looks like a Jammie Dodger biscuit, for instance. And the relative popularity of some of these and how they are used at different times and in coordination with other emojis as well. I found it quite interesting that such a study had been done because this is really a new— this is how the youth are communicating, Carole.
Carole Theriault
Right. I'm glad that you're here to help me with that.
Graham Cluley
If we are going to have any chance of understanding digital apes as NFTs, we have to start somewhere, and maybe we start with emojis.
Mark Stockley
This is the nerdiest cry for help I have ever heard.
Carole Theriault
I'm now gifting you a brown heart.
Graham Cluley
Mark, what's your pick of the week?
Mark Stockley
Well, my pick of the week is a unique, desirable, one-of-a-kind artwork. Which you can find on NFT marketplace OpenSea. It is— it has tremendous cultural and sentimental value. Which, and I think anybody that sees it will agree that visually, it is definitely better than a random, automatically generated picture of a Cartoon Ape. I'm talking, of course, about the next big thing, which I think we all know is going to be Graham or Carole, which is an NFT which I saw today is available on OpenSea, which you can currently pick up for the bargain price of about— it's about $560.
Graham Cluley
Well, I'm looking now. Yeah, give us the latest price.
Mark Stockley
Latest price. It's $566.19 now. This is an auction, and it only lasts for 7 days.
Graham Cluley
What is it now, Mark? What is it now? Can you give us an update now?
Mark Stockley
It's still— I'm refreshing. I'm refreshing. This is a fast-moving situation. The price is now $566.19. Wow. Now, it's cryptocurrency. There was probably an enormous spike between— I know it looks like they're the same, but it probably crashed and then went to $40,000. But it's still $566.19. But if this is the cheapest it's ever going to be, okay, this is an auction, prices only go up, prices only go up. And these are NFTs, so I mean, prices go up by with zeros on the end, okay? So take it from me, you want to be on the ground floor. Yep, Patreon supporters, you hear this first, okay? This is a genuine opportunity. To make something from that, you know, because I know you don't get much from these guys, you know. Ouch. This is your chance.
Graham Cluley
Graham, are you there? Yes, I couldn't hear a word of it. Ha ha ha. Carole, what's your pick of the week?
Carole Theriault
Okay, well, the holidays are here, or almost here, and some people love the holidays, and some people need something engrossing, something tense, maybe perhaps dark, to take their minds off their immediate holiday traumas. So this Pick of the Week is for you. It is a TV series called Mare of Easttown. Have either of you seen it?
Graham Cluley
I've heard of it.
Mark Stockley
Well, it rings a bell. It's very good.
Carole Theriault
It's on HBO. And basically, the premise is a tightly wound-up hothead detective named Mare, and this is played by Kate Winslet, and she plays the lead detective on a local murder. And of course, meanwhile, her own life is unraveling, and she's guzzling back the beers and vaping ferociously and cutting anyone dead who gets in her way.
Mark Stockley
Strong female cop, excellent at solving crimes, personal life is unraveling at the same time. That's a unique plot device that we've never heard before.
Carole Theriault
Well, I've seen 5 shows right now, and I would say it's fresh. I have no idea where this is going. I really feel like it's, "Ooh."
Graham Cluley
What's different about it, Carole? What's different?
Carole Theriault
Well, Kate Winslet's amazing. She's good in it. She's really good in it. And her accent's great. She's just an amazing actress. Also, they're killing off people that play quite big celeb roles that you think obviously will be there till the end of the series. They die very early. I won't name any names.
Mark Stockley
Do you know that's my favorite thing? I love it too.
Graham Cluley
What's your favorite thing? When you have a movie and there's some big star, but they die in the first third of the movie unexpectedly. That sort of thing.
Mark Stockley
When I was at college, 'cause I went to art college, I read lots and lots of comics, loads of comics, 'cause that's kind of what we were studying. And I thought, "I better know something about this." And they just never ever kill off characters. So there's no consequences. You know, these comics, Batman's been running for 90 years or something. And occasionally gets a bloody nose. And so it's really refreshing when you watch a TV series where they invest a bunch of energy into a character and then they're, that character's dead, because it actually creates genuine tension.
Carole Theriault
I totally agree. So if this sounds up your street, people, it's called Mare of Easttown. It's from HBO. I think they're in season 2 now, or maybe it's already completed. So that gives you quite a few intense, engrossing viewing hours of something dark, smart to cheer you up during the holiday season. Enjoy.
Graham Cluley
Is it Mare of Easttown as in town mayor, or is it Mare as in horse of Easttown?
Carole Theriault
Her name is Mare, probably Marion or something like that. And she's known around town as Mare. M-A-R-E is how they spell it.
Graham Cluley
All right. It's not a very flattering name to give a woman, is it? Mare? It's calling her Horseface or something. Well, that just about wraps it up for this week, Mark. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that? And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't have to have a G. And we're also on Reddit in the Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app because you'll want to do that because we're going to take a break for a few weeks, but we will be back in the new year. So if you don't want to miss out, make sure you are subscribed in the likes of Apple Podcasts, Spotify, and Google Podcasts.
Carole Theriault
And huge, huge shout out to this episode's sponsors, 1Password and Uptycs. And of course to our wonderful Patreon community. It's thanks to them all this show is free. And as always, for episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 255 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio. Bye-bye. Happy holiday.
Carole Theriault
Happy new year.
EPISODE DESCRIPTION:
After a brief discussion of the Log4Shell vulnerability panic, we chat about how Virgin Media has got itself into hot water, a fat-fingered fumble at the Bored Ape Yacht Club, and how to hack around your sleeping girlfriend's facial recognition.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined by Mark Stockley for our last episode of the year!