This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
And you think, yep, this guy's all right. We're going to give him the thumbs up. Gets my seal of approval. And the company makes John an offer. Jack. Jack.
Maria Varmazis
His name is Jack.
Graham Cluley
I thought his name was John.
Carole Theriault
You said Jack twice.
Maria Varmazis
You said Jack. Oh, I've got to pretend to Jack everywhere now.
Graham Cluley
Well, I don't know which one's right. Oh. Oh, his name is John.
Maria Varmazis
Oh, so his name is John. Okay, John.
Graham Cluley
So this guy called Jack— John.
Maria Varmazis
I love it.
Unknown
Smashing Security, episode 260. New hire mystery, hacktivist ransomware, and digi-dating with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 260. My name's Graham Cluley. And I'm Carole Theriault. And Carole, we've got a special guest, our first of the year. Oh, finally. Who might it be? My favorite.
Maria Varmazis
Maria! Hi! Oh my gosh, I'm honored to be the first guest of the year and to bring you both back into guesting. Guest host. Exactly.
Graham Cluley
Host guesting. Yes. It was time, wasn't it? It was time.
Carole Theriault
I was— yes, it was definitely time. We were just very busy and now we have a bit more time and that makes it so much more worthwhile and more fun.
Graham Cluley
And I think also we were beginning to go a bit stir-crazy with just each other on the podcast. It was a bit our own personal lockdown with each other. Oh, it's we need other people.
Carole Theriault
Shake it up, shake it up.
Maria Varmazis
Yeah, and when people started reaching out on Twitter saying they need guests, that's when you know it's getting desperate.
Carole Theriault
Thanks, thanks for reminding us.
Maria Varmazis
Maria, get on the show. Okay, all right.
Carole Theriault
Let's thank this week's sponsors, 1Password and Uptycs. It's their support that helps us give you this show for free. Now coming up on today's show. Graham, what do you got?
Graham Cluley
I'm going to be discussing remote working problems.
Carole Theriault
Ooh, and Maria, what about you?
Maria Varmazis
Operation Scorching Heat.
Carole Theriault
And I'm heading to the online dating world. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, you work high up in IT security at a company.
Carole Theriault
In this make-believe world. Yes. Not in real life.
Graham Cluley
Nope. You're a big cheese. Alright. The IT VIP. You've reached the top and had to stop, and that's not bothering ye. Ye?
Carole Theriault
Yeet?
Graham Cluley
Alright. And sometimes as part of your job, you get called in as part of the interview process, don't you? When new hires are brought in, I should just vet them, make sure they're a good fit.
Carole Theriault
Sure. Yeah, yeah, yeah. I remember all that. Yeah.
Maria Varmazis
Isn't that a thing I delegate to somebody lower than me so I don't have to do that stuff?
Graham Cluley
Well, you might delegate the earlier stages of the interview to weed out the chaff. Yes. But eventually you get to the person you're going to be working alongside maybe for years and years. Right. So this chap called John, he gets interviewed. Obviously, it's a remote interview because this is 2022. And he goes through a couple of rounds of interviews. And the people before you, the ones who are doing the preliminary interviews, they decide he's the guy for the job.
Carole Theriault
God, he must have had a nice suit on, or at least a nice shirt and jacket. Yeah, yeah, yeah.
Graham Cluley
He dressed up, he ironed for the process. Yep. Shaved. Plucked his eyebrows, whatever it required. Nose hairs. Removed bits of apple from between his teeth. He knows the subject inside out. He seems confident. His resume looks good. He checks out. So, the company has effectively thrown out all the other candidates, and he comes through to the third and final panel, which includes you as a big cheese.
Carole Theriault
I'm now going to, as the IT VIP, I'm going to get to meet this.
Graham Cluley
Yeah, online, remotely, you're going to rubber stamp it probably, because it sounds like they're probably a good fit already. And so, you interview him online. You ask him some tricky questions. He handles it with aplomb. Aplomb. Aplomb. Well, well, well used aplomb. And you think, yep, this guy's all right. We're going to give him the thumbs up. Gets my seal of approval. And the company makes John an offer. So, all is good. John starts working remotely for the company.
Maria Varmazis
Yeah. All right.
Carole Theriault
So, he gets hired. He gets the job. High five. He's in. Rock and roll. Yeah. Okay.
Graham Cluley
He's in. He's in. Right. And so, he's attending conference calls. He's on Zoom meetings. He's on Teams. WhatsApps, all those sort of things. He has hard stops. All of those things going on.
Carole Theriault
Right.
Graham Cluley
And the only weird thing, I mean, everything is good apart from when you're on a Zoom call with John one time.
Carole Theriault
Mm-hmm.
Graham Cluley
You think you spot something odd about him.
Carole Theriault
Me, the VIP IT guy.
Graham Cluley
Yeah. You spot something confusing, and something's confusing you because John, that guy you interviewed a few weeks ago that you've now hired. Mm-hmm. Seems a bit different. He's got different hair. And now he's wearing glasses.
Maria Varmazis
Oh, that's okay, right? I mean, so he didn't get a haircut. He's wearing a wig and, you know.
Graham Cluley
Yeah, it could be. It could be. John's also talking a lot about working in the garage because his kids and wife are home. But in the interview, he'd mentioned that he was single and he was sitting in somewhere with loads of desks. Oh. Hmm. Bit odd, isn't it?
Maria Varmazis
Double life, maybe?
Graham Cluley
Well, it could be. Could be a bigamist. Who knows? It's been a bad time for bigamists, let's be honest, during lockdown. It's been very tricky to juggle the two families and two households. But, you know, I imagine some people manage it. John also can't answer a number of questions that they previously discussed in the interview. Things which he'd been able to handle, things which seemed pretty pivotal and important to the job that he's taken on. Doesn't seem to be able to handle them.
Carole Theriault
Okay, so John is— John's not John. That's what you're saying.
Maria Varmazis
John is Jack now. Yeah.
Graham Cluley
And John is being aloof and a little bit timid, whereas the John who was interviewed was confident, articulate. So what do you do as the head cheese of IT? Well, you know, what do you do at this point? If you've got the suspicions.
Maria Varmazis
And none of us have actually met him in person, right?
Graham Cluley
No one's met him in person. It's all happened remotely because that's the modern way in which things happen. Well, this was a question posted on the Ask a Manager website where a wife wrote in saying that her husband, who worked in IT at a mid-sized private company, had exactly this happening in the office right now. And he had his suspicions about a new colleague. And had become convinced that the person they'd hired was not the one who was now actually doing the job.
Carole Theriault
Gee. Can't you just say, you're not the person I interviewed? Well— You were not the person I gave the job to.
Graham Cluley
Well, you've got to be careful saying something like that, because what if they are? Right? Because HR and legal, who are the bane of all of our lives, the ones who ruin all the fun in the office.
Maria Varmazis
Right? So much for happy hour.
Graham Cluley
Yes. They're going to get involved.
Maria Varmazis
Now, well, I mean, is there anything illegal about saying, I don't know if you're the same person? Is there some sort of thing that says you can't say that? They might get unhappy saying that's mean, but it's not, right? No.
Graham Cluley
Well, what happens if you then take action against that person? What if the person says, well, you know, you weren't justified in what you were saying, or you're picking on me, or you just didn't like my nasal voice, or, you know, I don't know.
Carole Theriault
Was the interview recorded? Because then you could do a voice check.
Graham Cluley
Or you could take a screenshot. I mean, there's all kinds of things you could do to try and compare. So, the interesting thing is, according to this woman who wrote into the Ask a Manager website about her husband's predicament, someone else then, high up in the company, Holly, the boss of her husband, had suspicions as well. And Holly called up the husband on mobile phone. She said, "I don't want there to be a record of this," and said she had suspicions. But she didn't want to accuse him of anything in case they were way off. There were legal concerns.
Carole Theriault
So she was onto John as well, not being John. Right.
Graham Cluley
She thought, this is weird. Is there something weird going on here?
Carole Theriault
Because this guy knows sweet F-A about IT, let me tell you.
Graham Cluley
I mean, I remember working at companies where people were hired in senior positions, and I assumed that somehow some sort of hobo had walked off the street, you know, and been given this job with no knowledge whatsoever. Yes.
Carole Theriault
I've worked for many of those people.
Maria Varmazis
Well, is Jack or John or whatever his name is, is he actually getting the work done?
Graham Cluley
Well, no, he doesn't appear to be very competent. I mean, he's getting a bit of it done, but he's not really the star who they were expecting to hire. So there's concern.
Carole Theriault
Is he a stand-in for the actual John? Has John gone on holiday for a month or something and just said, look—
Graham Cluley
Oh, very good questions.
Carole Theriault
Okay. I'm just trying to figure it out. I'm trying to figure it out.
Graham Cluley
Because Holly and the husband of this woman who's written into the website are trying to figure it out as well. And Holly says, you know, I was on a Zoom call with him. And he didn't seem to know who I was. And I introduced myself. And that's despite me being present on all of the interviews. And he was, well, who are you? What do you do? You know, oh, you know, and it's— I heard a story, by the way, of someone who got hired for a job remotely or something. They went into the office and it was a couple of months later and they were in the kitchen area. And this guy comes up to them and they kind of vaguely recognise them. They're not sure who really they are because there's so many new people in the office. And he's sort of asked, you know, how you getting on? How you settling in? And he goes, oh God, job's a bit boring to be honest. You know, it's a— And it turns out it was one of the guys who interviewed him. Oh Lord. So you do have to be— Rookie move. You have to be quite careful. So Holly and this chap, they're trying to work out, you know, if he is an imposter, what might he be doing? And should IT put some monitoring software remotely on his PC to watch his behaviour and activity? Oh no.
Maria Varmazis
Oh, come on. No.
Graham Cluley
Well, legal told them they could. They said, it's our computer. We can install that. Okay, okay. Yes, you can. Malware. Because they'd shipped him a computer, you see. And he was using it, and he's accessing data. And that sort of— But they're a bit nervous of calling him out as a liar. So the eventual consensus, lots of toing and froing, lots of, oh yeah, and the eventual consensus is that HR should have an online meeting with this guy to discuss the concerns. And they said, what we'll do is we'll say it's about your performance and whether you've been overselling your abilities on your resume.
Carole Theriault
Fascinating how everyone's pussyfooting around, eh?
Graham Cluley
Gently tiptoe around it.
Maria Varmazis
Maybe put him on a performance, what are they called? Performance enhancing plan. What are they called? Something else.
Graham Cluley
So a call was arranged for that chat, but before they could ask him their very first question, just as he began to get the hint of how it was going to go, John said, "Thank you, but I'm quitting." And he hung up the call and has not replied to any messages since.
Carole Theriault
How long has gone by since he was hired to this point?
Graham Cluley
It's not entirely clear. It feels like it's been a couple of weeks.
Carole Theriault
So he's made some cash. Yeah.
Maria Varmazis
And he's definitely had access to all the things.
Carole Theriault
Yeah. So God knows what he was up to.
Maria Varmazis
Yeah. Yeah. Yeah. I mean, that should be easily discoverable by any competent IT team, one would hope. But, ooh, yeah.
Graham Cluley
So I did some reading about it, and apparently this fake interview thing is very real. So there's a variety of ways in which it can take place. So it might be, as appears to have happened in this case, someone different actually takes the interview. Right. Yeah. And you just don't remember. Maybe you're hiring so many people, and it's a bit like taking an exam or taking a driving test for somebody else. Yeah.
Maria Varmazis
Like you use your cousin's ID to get into the bar and you guys look kind of similar. You're, "yeah, I'm totally 18. I could totally go here." Yeah, yeah, yeah.
Graham Cluley
That's me. Some remote interviews, they tell you to take your earbuds out in case you're getting sort of answers linked to you. But even that wouldn't work, would it, if someone was in front of you with a whiteboard writing down the answers as you asked them over the call?
Carole Theriault
Come on, come on, come on, come on. If I had to hire somebody who actually was backed up by 4 different people, all of which had a part of the job covered, and they represented themselves as one entity to do the work for me, do I actually care? The problem here was he wasn't doing the work very well. If he was a stellar performer, would they have given a shit?
Graham Cluley
Well, you might have done because there's still some lying involved.
Carole Theriault
But they don't know who the first guy is either.
Graham Cluley
No, but there is some deceit, isn't there?
Maria Varmazis
It's not necessarily trustworthy. So what you're saying, Carole, is that basically it all falls apart because he wasn't doing a good job. But if he was, this guy could have just been a mole and just sat there and taken a whole bunch of confidential data and no one would've been the wiser. Oh, take notes whoever wants to do this. Just note, don't do it.
Graham Cluley
Or if you were following Carole's advice, you could be outsourcing it to someone, I don't know, in another part of the world and all of the company's data. Now I had a bit of a think about this and I thought, wouldn't it be a good scam, right? Because of all this remote working, there's no reason why I couldn't take on more than one remote working job. I could have a full 5-day-a-week job, but in multiple places. Maybe I could have 7 different jobs at the same time. I'm sure people are doing this right now.
Carole Theriault
Right?
Maria Varmazis
Oh, people are definitely doing this right now. Definitely.
Graham Cluley
And you just turn up to some Zoom calls and things. You participate very ineffectively, or sometimes you just say, oh, I couldn't get the internet to work. And wait to get made redundant. And you're gonna cash in, aren't you? Just work for 8 weeks a year and you've probably been paid enough for the entire year if you had enough companies like this. So right now I'm recording for the Cyberwire. Maria, what story have you got for us this week?
Maria Varmazis
So I'm gonna start with questions for the two of you. I'm gonna do a little free association. So when I say the word hacktivism, what do you think of?
Graham Cluley
Vegans. Sorry, was that— you just asked what was top of my head. That's just what came out.
Maria Varmazis
It doesn't have to be just a word, but let's— phrases when you think of what hacktivists do.
Carole Theriault
I would say a bit of anonymousness, right? Going after maybe political entities they don't agree with or people who've done bad things.
Graham Cluley
Defacing websites is the first thing I think of.
Maria Varmazis
Yes, defacing websites, stealing data, maybe exfiltrating it from a database. DDoSes? Yes, so we don't like you, we're gonna shut you down, right? So there's that. And then, okay, when I say ransomware, what do you think of?
Graham Cluley
So another little free association. Oh, just extortion and I think more sort of organized crime rather than hacktivists, personally. It's more about the money rather than the political stance.
Maria Varmazis
Yes. So I also think with ransomware, people kind of biding their time and waiting for the right moment to strike. That's a sort of a more recent-ish wrinkle with that one. So we've talked about hacktivism and ransomware. So what do you think would happen if you tried to put the two together? Hacktyware. Ransomism. What if I told you the answer is, actually, in all seriousness, this has happened recently in the last week, and it's called Operation Scorching Heat, and it was political hacktivism that used ransomware. Have you heard about this?
Carole Theriault
No, no, no, tell me everything.
Maria Varmazis
Okay, okay, so you may know that there is some tension going on in Ukraine between Ukraine and Russia. I'm sure you're aware. And this hacktivist ransomware attack was done by a group calling themselves the Belarusian Cyber Partisans. Belarus being a neighbor to Ukraine and Russia, kind of involved. I don't want to get into too much of it. I think we all know that there's a— it's very complicated, right? So the Belarusian Cyber Partisans are— please don't hack me, guys, if I get this wrong— aligned with the opposition. And they put out a notice on Twitter, and I'll read to you exactly what they wrote on Twitter because I think it's really fascinating. "At the command of the terrorist Lukashenko, who is the leader of Belarus, Belarusian Railway allows the occupying troops of Russia to enter our land. We encrypted some of Belarusian Railway's servers, databases, and workstations to disrupt its operations. Automation and security systems were not affected to avoid emergency situations, but we have encryption keys and we are ready to return Belarusian railroad systems to normal mode. Our conditions are release of 50 political prisoners who are in most need of medical assistance and preventing the presence of Russian troops on the territory of Belarus." Crikey.
Carole Theriault
Yeah, so they're holding all the people that depend on those rail systems for work, for everything, to getting A to B, kind of hostage as well because they can't travel, right?
Carole Theriault
Of the railway.
Maria Varmazis
Of railway systems, yep. To me, fascinatingly, screenshots that they took during the cyberattack showing directories within the Belarusian railway systems. And one tweet said this: "Screenshots taken during a #ScorchingHeat cyberattack on the Belarus railroad reveal that employees frequently used pirated software. Do you think it's connected to how they got hacked?" With a bunch of upside-down smileys afterwards. And the screenshots showed VMware Workstation Keymaker directories and directories called crack, so lots of warez type stuff going on. Yeah. So what a shit show. Oh no. Yeah. Yeah. So a lot of people in the press are saying that this is pretty much the first time we've ever seen political hacktivists using ransomware to achieve their goals, which sounds about right to me because I can't think of another situation where this has happened.
Carole Theriault
And the demand wasn't financial, correct?
Maria Varmazis
They're not trying to extort the railways. They're not trying to get money. They want political prisoners released, and they want Russian troops to get out of Belarus, basically. So in terms of who did this, who are the Cyber Partisans? They actually have a spokesperson, Yuliana Shemetovets. And she's not part of them, but she's their spokesperson, she says. So she says that the opposition activists once worked in Belarus's well-respected computer science community. That's pretty much all we know. And NATO is trying to stay away from this because, as you imagine, you don't really want to get involved. According to a NATO intelligence officer, they said, "I have no reason to doubt that they're an independent outfit, and they don't appear to have done anything more than a decent hacker might do." So was this a sophisticated hack? I don't really know if we can say that, but it seems like a lot of these targets are sort of ripe for being hacked. And there's some worry that this is going to escalate and start— there's going to be counterattacks and retaliation. So I guess put a pin in it, watch this space. But if we start seeing Russia getting attacked by hacktivists...
Maria Varmazis
Yes, and they're doing it to keep Russian troops from sort of amassing on the border with Belarus and Ukraine. It's still not super clear to me if it's been 100% effective, but I'm just going to assume that it was, because there was a lot of chatter in the press that they— people were asking for proof that they actually did manage to hack into these systems. And what was interesting to me, because I started reading about the story a few days ago when it broke, and it's been developing rapidly since then, and I'm sure by the time this podcast is out, there'll be more.
Graham Cluley
But this is definitely going to happen, isn't it? I mean, whether state-sponsored or not, you can expect defacements and attacks to occur from people's bedrooms.
Maria Varmazis
When the cyber partisans were asked for proof, they actually posted a thread on Twitter with screenshots sort of proving to the public that they actually had been able to access bank statements, file servers on the backend— Yeah, because these guys aren't associated, these cyber partisans are acting independently. They're not associated with any state. They say, I mean, they say they're not, you know, they're not being supported by another nation, they say. But you know, if somebody goes after, say, Russia, we know that Russia knows how to counterattack. So it would be a lot of escalation happening and that could get really nasty.
Graham Cluley
It does seem rather ambitious to ask for the release of 50 political prisoners. I mean, I'm not saying that's a right or wrong request, but millions of people though depend on the rail systems for supply chain, for work, for everything. But how long does it take to fix computer systems? You may have a backup or you may be able to restore. I mean, there have been railways which have been disrupted by ransomware attacks in the past and it may be disruption for a few days or whatever.
Carole Theriault
If it was disruption for a few days, then presumably, and they fix the vulnerability and they go, okay, everything back to normal, then it fizzles out, right?
Graham Cluley
I just think they're asking for quite a lot. I think you should start small, maybe asking for the quality of the sausage rolls on the railway or something to be improved or something like that.
Maria Varmazis
And Carole, there's actually, there's still some doubt as to whether or not they were able to stop any of the railways from operating. So it may emerge by the time this is put on the internet that they were actually able to shut things down, but right now it doesn't seem like they were. It just seems like they have access and they have the ability to—
Carole Theriault
Right? They're saying they're threatening to do it unless—
Maria Varmazis
I think so. Yeah, yeah. It's one of those things like, you know, I'm not there so I can't—
Graham Cluley
Listeners in Belarus, let us know. Yes, super.
Maria Varmazis
I'm fascinated by this, but it's also kind of scary because I'm imagining a lot of people are going, oh, that's a great idea, you know, I don't want the next president of the United States to get installed, so maybe we're gonna do something similar, you know. I imagine someone's taking notes. I am not doing that, please don't come after me.
Carole Theriault
So yeah, in your time away from us, did you forget this was a comedy show?
Maria Varmazis
I know. I was really nervous about talking about this on the show. I'm like, I'm going to get targeted. No, I'm not. I'm not that important. No, I just thought it was such a fascinating story because it's the next evolution. It seems almost logical that we've gotten to this place. And I'm going to be very interested to see where this goes.
Graham Cluley
Carole, you should know more than anybody that you don't have to be funny on this podcast.
Maria Varmazis
Oh, wow.
Graham Cluley
Carole, what have you got for us this week?
Carole Theriault
Well, Maria, my dear friend, and Graham, we are visiting the online dating world. Oh, must we? Well, you see, you were interested in cyber, political ransomware. I'm interested in the mega changes that have happened in the online dating world over the last few years because, you know, coronavirus changed stuff for everybody. You couldn't meet in person very often or easily, and you couldn't go out and do stuff. And it basically threw a huge curveball on how people use the sites. I mean, dating is kind of a social activity, and social distancing doesn't really align, right?
Maria Varmazis
That's the problem. It's kind of a social activity.
Carole Theriault
So no surprise online dating apps hit this all-time high during this time. Tinder recorded 3 billion swipes in a single day at the height of the pandemic. 3 billion swipes.
Maria Varmazis
Seems very bored.
Carole Theriault
Really bored. And OkCupid saw a 700% increase in dates. So there's these surveys. Bumble put out one saying there's been a strong shift in how we view online dating. So are you surprised if I were to say to you that 91% of Americans say they believe there's no stigma attached with online dating?
Graham Cluley
How many percent? 91. It's 9 out of 10.
Carole Theriault
Yeah, they say there's no stigma.
Maria Varmazis
Yeah, I would believe.
Graham Cluley
I think most of the stigma has disappeared these days, actually, because it's just so common.
Carole Theriault
And what about this one? 2 in 3 Americans believe it's possible to fall in love without meeting in real life.
Graham Cluley
It's a lot easier than when you do meet them.
Carole Theriault
Well, you don't have the smell factor. Well said. So because of the pandemic, virtual dates have become a big thing. I mean, I can see it's easier, cheaper. Virtual dates. You meet on Zoom or something and not in person. People are saying they wait a month virtual dating before they go for a real date.
Graham Cluley
So what, they're sitting on the Zoom call and they both have dinner at opposite ends and—
Carole Theriault
Yeah, play cards, do an online game, watch a movie together.
Graham Cluley
Okay. Right? Okay, yeah.
Carole Theriault
Come on, when you were in lockdown, you must have done those kind of things with people.
Graham Cluley
Yeah, okay.
Carole Theriault
The survey also showed that people seem to be more interested in serious relationships now as opposed to hookups, and they say that when they do meet in person, they ask if the person is vaccinated. Okay. So since last summer, Tinder offers users "Vaccinated" or "Vaxing Soon" interactive stickers for profiles.
Maria Varmazis
Yes. Yes, I heard about that. Yep. Right.
Carole Theriault
Main dating apps in the US, Tinder, Hinge, OkCupid, and Match partnered with the White House to raise vaccine awareness by offering features such as profile badges or boosts or super likes for anyone who revealed that they were vaccinated. And even the UK government teamed up with, I think, Snapchat to provide in-app bonuses for vaccinated profiles. But do you have to be—
Graham Cluley
Do you really have to be vaccinated to get one of these stickers, or can you just say yes on the app and get a sticker?
Carole Theriault
No. So that's, I think, something to put in your back pocket. I have a problem with that too. In France, for the moment, as of Monday, you have to have a vaccine passport. So if you want to go to a restaurant or go to the theater, you have to prove that you are fully vaxxed. Do you have that? Have you had that at all in Boston? Vaccine passports?
Maria Varmazis
Yes. A huge controversy.
Carole Theriault
Yes. Yeah. And we had them when I was in Canada everywhere. You couldn't go anywhere without it. And I quite, I was okay with it. Right. Anyway, so, okay, back to the story. Right. So, so it seems that if you advertise your vaccination status on these sites, you improve your chances of interacting with others. But at the same time, advice from security pundits like us would say, hey, you know, be careful about giving full identification. Don't use your full name. You know, don't say where you live. Don't say where you work. You know, use a real photo, but not, you know, a unique photo, not one that's tied to other profiles of you.
Maria Varmazis
Your LinkedIn. Yeah, your LinkedIn. Exactly. Right, other way around. Don't use your Tinder photo on LinkedIn. But yes, okay.
Graham Cluley
And not a recent photo if you've been under lockdown either, because you'll have— yeah, one before the pandemic.
Maria Varmazis
Yes, 2019 only.
Carole Theriault
Okay, so I'm asking this question. I'm asking this question. Do we have views on it being acceptable for dating sites to request that people indicate medical situations? Because I know, I get we're being asked for medical information, you know, we're being encouraged by our governments to share this medical info in order to encourage people to be vaccinated. I feel that's a fair statement to make, Professor, right? But is it a slippery slope for it becoming the norm to request that people advertise this type of information, medical stuff?
Graham Cluley
You presumably don't have to say if you don't want to. It's only a request, isn't it?
Carole Theriault
No, no, but you do get more dates if you do. Put out your status.
Graham Cluley
Yeah, but maybe you don't want dates with people who are so inclined in that fashion.
Carole Theriault
Yeah, but you're also, you know, spending time and/or money there trying to find dates. So I think— and you don't have to prove it, so I'm sure some people are lying.
Graham Cluley
If you're anti-vax, do you have a sticker saying 'I'm anti-vax'? Because I bet that really works well, finding other anti-vaxxers. I think a lot of people— you know. Yeah, self-selecting, right?
Maria Varmazis
Yeah, they just write 'I listen to Joe Rogan' and that's all we need to know.
Carole Theriault
No, no, okay, but put it this way, right? So we want to know whether someone's vaxxed or not vaxxed because we don't want to be at risk or all the stuff, right? We all, we all know this stuff. But what about asking stuff on someone, oh, you know, are you sane? We don't ask that of people. We don't expect them to put that in their profile.
Maria Varmazis
Sometimes you can just infer it from reading the profile.
Carole Theriault
Well, what if a profile was just, do you have all your limbs? Yes or no?
Graham Cluley
Well, that's a binary thing, isn't it? You know, yes or no, whether you have all of your limbs, but sanity, you don't know. That's a, that's a sliding scale.
Carole Theriault
All I'm saying is if I put that in my profile description, that's up to me, right? So if in my profile description, it's really important for me to communicate my vax status, I can say, hey, by the way, I'm totally vaxxed. But for them to have the option there, if it said, please enter your BMI, right? Some people would be, screw you, that's personal, private medical information.
Maria Varmazis
Well, a lot of people lie on dating sites. There's the whole joke about how every man on those dating sites is a certain height, and then when you meet them in person, you're like, you definitely are not the height you said you were. Same thing with the ladies often saying, I'm this weight, and then you meet them in person, you're like, you are definitely not that weight. So people lie. I agree, people lie.
Carole Theriault
But therein lies another paradox of people. If people are trying to move to more serious relationships with people, I worry that people are gonna be more open with their information because they're saying, "Hey, this is me, let's go," and might be wanting to share more and more information. And I'm not so much worried about between two people, but there's a company in the back that we have seen many security vulnerabilities with insights on the dating world, right? And they're collecting a ton of info here.
Maria Varmazis
Okay, so I thought you were asking the question more, is it bad socially to be putting this information up front? But you're saying, is it bad to be providing this information because that's just too much information in the hands of the companies, or is it both?
Carole Theriault
Yeah, because now it's not in a profile description, it's now as a tick box that you can choose. So by not answering that tick box, I am making a— it seems now a political choice. But by answering it, I'm also giving away medical information which I agree right now we're all sharing that information, but is that something that we want to creep into other bits of our medical information?
Graham Cluley
But you know, you do have a choice which dating site you join. I bet there are sites for people who aren't vaxxed. By the way, the whole idea of I'm not vaxxed, it just makes me think of Eastern Europeans saying that I am not vaxxed. Would you be interested in me? I am totally vaxxed for you. Sorry, I'm being filthy.
Maria Varmazis
Oh my God.
Carole Theriault
So there's loads of liars. So if you're in France right now, and you now have a vaccine passport, and you've been lying on your dating app saying, yeah, I'm totally vaxxed, man, to all the people, have fun going on dates, right? Because you'd be like, oh, let's go down and see this restaurant. I'd love to go.
Maria Varmazis
Yeah, no, maybe we can go to the park, right? Yeah, I mean, I'm thinking at it from the situation I'm in, in the States, where Boston, which is the city I'm near, does have vaccine passports, but none of the surrounding areas do. And also a lot of the places where we get vaccinated are actually through private companies. So that information is already in the hands of private companies. I got vaccinated through a Walgreens, for example, my first two shots were through a hospital and then my third, my booster shot was done through Walgreens. So that private company has that information already that I'm vaccinated and boosted and all that stuff. So for me, I'm just like, a lot of the information is already in the hands of private companies in my case. So that horse is out of the barn. Yeah, I don't know. It's an interesting question, though, Carole. I think it's— I'm glad you're asking it.
Carole Theriault
And it's kind of sucky that they might be using that for advertising purposes, too, right?
Maria Varmazis
Oh, yeah. I mean, people put this stuff— I know you're not on Facebook anymore. If you are, you would see that many people put that information on their profile photos, hey, I'm vaccinated. It becomes a way of people to self-select. I don't know. I mean, I—
Carole Theriault
It's just a slippery slope, but I see how we got here, right? Yeah, in an emergency situation, you're, "I know, let's all encourage everybody, let's do this."
Graham Cluley
It's not as though this were new, right? Okay, so it's happening with vaccination, but I bet before the pandemic it was happening with, "do you like the poetry of Emily Dickinson?" Or, you know, "do you like whatever it is."
Carole Theriault
But that's not private, personal medical information.
Graham Cluley
It is private, personal, not medical information. No. Do you like walks in the park? Do you like—
Maria Varmazis
BMI information for the most part, assuming people aren't lying, is already in there. A lot of people will disclose their height and weight, so that's already there. Age is already there. A lot of cases where somebody lives is already there. Yeah, I mean, if you have a visible disability, you can't hide that. If you were born missing a limb, that's already— a photo will reveal that about you. You know, I don't know, it's an interesting question. I mean, what does somebody do with knowledge that somebody's vaccinated?
Carole Theriault
I'm just waiting for Google to buy one of these dating sites and see what happens. There you go. There's my joy for the day.
Maria Varmazis
You said my story was depressing.
Graham Cluley
Secure your online payments and grow your business with Brex and 1Password. Growing businesses have enough on their plates, don't they? Well, let 1Password and Brex simplify finances and online security so you can focus on doing what you do best. Brex is the financial operating system that powers tens of thousands of businesses, and now that power is accessible through 1Password in the browser. With this new integration, Brex customers can autofill their Brex corporate and vendor card information while checking out anywhere on the web, right from 1Password in the browser, making online payments simple, secure, and frictionless. 1Password's integration with Brex is available right now to 1Password Teams and Business customers based in the United States. To find out more about 1Password and Brex, check out smashingsecurity.com/brex. That's B-R-E-X, smashingsecurity.com/brex.
Carole Theriault
We are also sponsored by Uptycs. Uptycs is a cloud-native security analytics platform built to protect the modern attack surface. Uptycs zeroes in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem. Plus, Uptycs normalizes telemetry across macOS, Linux, Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections. In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform. Visit smashingsecurity.com/uptycs, that's U-P-T-Y-C-S, to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.
Graham Cluley
And welcome back and enjoy us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Maria Varmazis
Pick of the...
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related.
Maria Varmazis
...Week. Pick of the Week.
Graham Cluley
It is something that's been around for some years. But I remembered it this morning and I thought that was a bit of fun. And so I've been playing it today. And if I were to tell you that at this very second, I am baking 75,143 cookies per second. What? Would you know what game I am playing?
Maria Varmazis
No. I have no idea.
Graham Cluley
I am playing Cookie Clicker.
Maria Varmazis
Cookie Clicker.
Graham Cluley
Cookie Clicker is a very addictive and utterly pointless game. Free and online. I'm playing it right now.
Maria Varmazis
That sounds an...
Carole Theriault
Oh my God, I'm playing it right now.
Graham Cluley
Okay, click on the cookie. I am.
Carole Theriault
I've got 38, 41.
Graham Cluley
Okay, so you're creating cookies. Now what you'll find is when you've got some cookies under your belt, you will then be able to buy things to help you click on that cookie.
Maria Varmazis
...insult. You cookie clicker.
Graham Cluley
You'll be able to buy little cursors which will click every 10 seconds onto the cookies.
Carole Theriault
And after a while and you're 18 and I'm bored.
Graham Cluley
I'm bored. After a while. After a while you'll be able to get grandmas who will do the cooking for you and factories and mines and kittens and even a portion of some how long spent doing this?
Carole Theriault
How do you not get an RSI from doing this?
Graham Cluley
Yeah, this is the thing. So I said, so I haven't been clicking throughout this recording, but I have recruited grandmothers and farms and all kinds of other things which are doing the clicking for me. You see, so I have so far in the last 3 hours or so, I've— let's see how many cookies I've actually— so many I've baked so far, 182 million cookies.
Carole Theriault
I would you more if I— if you actually baked real cookies. Ow. Well, maybe this will inspire me.
Graham Cluley
It's quite a funny and amusing JavaScript-based game. It's free. It's a bit of fun. And I find it rather addictive thinking, well, what's going to happen next? And you open achievements. I'm sure some people will enjoy this because I enjoyed it.
Carole Theriault
Yeah, I agree with Maria. RSI. No, it's not. I haven't been clicking. You, you ninny.
Graham Cluley
I haven't been clicking all this time. It's because I've got things which are clicking for me. I've paid money.
Maria Varmazis
I'm at about 200 cookies in my—
Graham Cluley
Have you bought anything on the right-hand side yet? A grandma. You've got a grandma. I've got two grandmas now. Okay, so now you will see that your cookies per second has increased.
Maria Varmazis
Oh, it's growing exponentially. So now we're talking math. Okay. Right.
Graham Cluley
Now you're a math geek. It's a math game.
Maria Varmazis
Okay, and the scientific notation. Okay.
Carole Theriault
I'm so glad Maria's here. This is— I would be so underwhelmed on my own here. Okay.
Graham Cluley
I really thought Maria would be into this.
Maria Varmazis
No, my husband loves games like this, though. And I'm always making fun of him for playing games like this.
Graham Cluley
Well, I hope he enjoys this. It's called Cookie Clicker. Link's in the show notes. I think it's somewhat entertaining. And that is why Cookie Clicker is my pick of the week.
Carole Theriault
Pick of the week, bottom of the barrel.
Graham Cluley
Yep. Unbelievable. See what yours is. You're gonna laugh. Maria, what's your— what's your cookie clicker? What's your pick of the week?
Maria Varmazis
What's my cookie clicker of the week?
Graham Cluley
What's your cookie of the week?
Maria Varmazis
Well, I have not been eating many cookies because I've actually been on a bit of a fitness kick since the beginning of the year. I love bicycling, it's my absolute favorite sport, and I'm very slow. I'm also very short, so I'm not great at it, but I love doing it, and I got myself an indoor bicycle, one of those trainers, not a Peloton. I got a different one, so I have a little tiny living room, and I have my bike in there, so I can sort of watch TV as I'm biking. And I've been looking for good things to watch while I'm on the bike because I'm in there a lot now. And I've been going through my Netflix, and a show that I've been watching recently that I really have been enjoying is Getting Curious with Jonathan Van Ness. Which is a video version of his very famous podcast. So this is— there's some fascinating guests on there, some really interesting conversations, and it's been very bingeable and very watchable while you're exercising or whatever. So what would be a typical show? Well, the first episode was about bugs, how cool are they, what do they do, and are they— how delicious can they be? Like, have you ever eaten a bug?
Graham Cluley
Knowingly eaten a bug? Because Jonathan Van Ness, I've seen him on Queer Eye. He's very hairy, isn't he? He's not that hairy, but I think he's sort of— not compared to your husband, but I mean, I would imagine— but he's actually quite well groomed despite the amount of hair, so I wouldn't think he has a lot of bugs on him.
Maria Varmazis
No, no. Yeah, but I think it was sort of, bugs gross me out, maybe I should learn about them to figure out what the big deal is about them. So the first episode was interesting also about people who eat bugs. I've eaten bugs knowingly, I've had crickets, they were delicious. But there was another episode about the history of hair and hair grooming around the world. Oh, that's why he's such a good hair groomer. Well, he's a— he was a hairstylist for ages and ages, so, as you know, you try. So I'm only about 3 or 4 episodes in, but every episode I've seen was really very interesting, and I'm looking forward to watching the rest of the season.
Graham Cluley
He's a bit full-on, Jonathan. I have watched some episodes of Queer Eye, and although sometimes there's an emotional story in it, and some of them are quite charming, it can be a little bit too much, can't it? Personally, I think. And he's possibly the best.
Maria Varmazis
He can be a little extra, sure. But I mean, that's part of the fun, I think.
Graham Cluley
That's part of the fun.
Carole Theriault
Graham, some people might think that you're a bit OTT, you know.
Graham Cluley
I don't think so. No, no, no, no, no, no comment. Carole, what's your pick of the week?
Carole Theriault
So interesting, Graham. My pick of the week is also food related. You came over for dinner recently and he made you this dish. Oh my goodness, chicken fatte, not like fatty, but fatte, F-A-T-T-E. It's good, right?
Graham Cluley
It was incredible. It was delicious. Yeah.
Carole Theriault
And it's a recipe from a restaurant I used to frequent in London in the before days called Moro. Now, Maria, the reason I chose this is because you're on. So let me send you the link.
Maria Varmazis
Yeah. Okay. I do love to cook.
Carole Theriault
So yeah, yeah, I know you love to cook and I think this is gonna be right up your street.
Maria Varmazis
Send me that recipe, I wanna check it out.
Carole Theriault
And I'm gonna send it for everybody, they can put it in the thing. So basically, it's kind of rice chickpea, allspice, cinnamony, there's crisp breads, there's yogurt, and it kind of looks complicated when you see the recipe, but it's not. It's so different and unusual, and you could totally do it veggie if you wanted. So anybody out there, we all have to eat, right? And sometimes we get really bored with the stuff we cook. We all have what, 7, 10 dishes that we do on repeat.
Maria Varmazis
Oh, really? Fantastic. This recipe says serves 8.
Graham Cluley
I have to say it's so delicious. I think it could serve 1.
Carole Theriault
It served 4. I actually made the whole recipe and it served 4 on the weekend. Yeah, it was pretty good. I can also recommend all of Moro's cookbooks, which I own and cherish, and they're a delight to cook from. And in fact, I was thinking, oh, what would you have after this? Maybe I should throw a dessert in, right? Moro's chocolate apricot tart, which, Graham, you've also had.
Maria Varmazis
Oh my gosh, what a great combination.
Carole Theriault
It's the most delicious fucking— sorry, delicious tart in the world. So I'm putting that inside the links for you guys as well. Okay, so there you go. Just cook something a little different. It's February. It's a dark, dreary month for many of us. So do something delicious.
Graham Cluley
Yeah. You don't get this kind of content on the Cyberwire, do you? Well, that just about wraps up the podcast for this week. Maria, I'm sure lots of our listeners would love to know more about what you're doing and follow you online. Is there a way of doing that?
Maria Varmazis
Yes, pretty much on Twitter. @mvarmazis is where you can find me. And if you want to see the artwork I make, it's @mvarmazisart. Yay!
Graham Cluley
And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G, and we also have a Smashing Security subreddit. And don't forget, if you want to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Google Podcasts.
Carole Theriault
And big shout out to this episode's sponsors, 1Password and Uptycs, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsor membership information, guest list, and the entire back catalog of more than 259-ish episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye.
Carole Theriault
Graham, why do you say two goodbyes? I only noticed now that you say cheerio, then bye-bye. Is that for your US and UK following?
Maria Varmazis
Can't say it in both languages.
Graham Cluley
Yeah. Yeah. In case people don't understand cheerio, Arrivederci!
Maria Varmazis
Au revoir! But you gotta say the au revoir twice as big, right?
EPISODE DESCRIPTION:
Who's that new guy working at your company, and why don't you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.