262: Macro progress, eyeball-tracking ads, and encryption backdoors

February 16, 2022
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

Have we lost Thom?

Thom Langford

Oh, I'm here.

Graham Cluley

I think he's loving it. He's loving it.

Carole Theriault

He's bored. No, it's just a conversation.

Graham Cluley

I would hate to interrupt a middle-aged man like Thom Langford. That could be very dangerous.

Thom Langford

I'd never know when I could start again. Probably 4 o'clock in the morning. That's when it normally starts.

Graham Cluley

I'm up then too. You should text me. We can do it together.

Thom Langford

Yeah. Just checking. Yes.

Graham Cluley

Do a live stream.

Thom Langford

Yeah.

Carole Theriault

That's right.

Unknown

Smashing Security, episode 262. Macro progress, eyeball tracking ads, and encryption backdoors with Carole Theriault and Graham Cluley.

Thom Langford

You're right. You know, I'm like you.

Unknown

Hello, hello, and welcome to Smashing Security episode 262. My name is Graham Cluley.

Thom Langford

I don't interrupt people midway through their flow.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And this week on the show, Carole, we are joined by a special guest. He's returning to us from the Host Unknown podcast. It's Thom Langford. Hello, Thom.

Carole Theriault

Ah, Thom, welcome.

Thom Langford

Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.

Graham Cluley

That was very professional.

Thom Langford

Sorry, it's a force of habit.

Carole Theriault

Do you know what? We could make a doll of Thom. You know, those pull strings on the back and he'd have his five sentences that he— You see, we've already been—

Thom Langford

We've got the Thom AI on the podcast that we have.

Graham Cluley

Oh yes, I heard that.

Thom Langford

So when I'm not there, they just rack out Thom AI, press a few buttons and off he goes.

Graham Cluley

Yes indeed. Unbelievable.

Carole Theriault

Okay, how about we thank this week's sponsors, Kolide and Baramundi. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?

Graham Cluley

Death to macros.

Thom Langford

Oh, won't somebody think of the children?

Carole Theriault

Okay. And I'm looking at improving ad engagement in a quote unquote novel way. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, I think it's fair to say that we're all of a certain age, aren't we?

Thom Langford

Now, some of us deny it, but yeah.

Carole Theriault

Yeah, some of us are not as old as the others.

Graham Cluley

Yeah. I don't know who's the oldest amongst us, Thom, but—

Carole Theriault

I do.

Graham Cluley

You do?

Carole Theriault

Yep.

Graham Cluley

If we were to go back in time 27 years to 1995, Thom, what were you doing then?

Thom Langford

1995. Gosh, I was a field service engineer for a company in Southampton, as I recall. Installing AutoCAD.

Graham Cluley

That's quite impressive. Carole, what were you up to?

Carole Theriault

I was in university partying my butt off.

Graham Cluley

Yeah, not studying, I imagine.

Carole Theriault

Well, no, I was very smart.

Graham Cluley

Well, I was working for an antivirus company, and in 1995, in mid-1995, something extraordinary happened. The world shook, continents collided, volcanoes erupted because Microsoft accidentally shipped on CD-ROM the first Word macro virus, a virus called Concept. And this was the first ever virus which could infect Word documents. You may think, well, what's the big deal about that?

Carole Theriault

Mm-hmm.

Graham Cluley

Well, what the big deal was, was that previously viruses had spread via executable code like boot sectors or program files, which people were less likely to copy and send to each other. Whereas a Word document, you would share to each other.

Carole Theriault

Exactly. You didn't worry about that kind of stuff. Exactly.

Graham Cluley

Right. But you wouldn't be surprised if someone sent you a Word document and you'd open it and you'd get infected.

Carole Theriault

Okay, Thom,

Graham Cluley

And this virus called Concept, it was a very simple virus which had no purpose really other than to display a dialog box containing the number 1. And inside there was a little remark which said, that's enough to prove my point.

Carole Theriault

what about you?

Graham Cluley

The theory at the time was that there must have been someone who was trying to prove it was possible to write a virus using Microsoft Word and to then infect other Word documents. So that's why it was a concept virus.

Thom Langford

So do you know which, what CD it was that this was shipped on? Was it like an MSDN CD or something like that?

Graham Cluley

It was on a CD-ROM called Microsoft Compatibility Test that Microsoft shipped to hundreds of corporations.

Thom Langford

Because it must have been buried deep in some folder structure somewhere for it to not have been picked up?

Graham Cluley

Well, the truth was that there were no antivirus programs at the time looking for Word macro viruses.

Thom Langford

Yeah.

Graham Cluley

And so even if they had scanned it, I think, as I remember, it was in some sort of distributor Word document agreement. And you'd think, well, even if Microsoft did send that out, would it really get widespread? But widespread it became. It became the number one virus in the world. And it proved that a virus could actually spread around the world potentially infecting thousands of computers in a matter of, well, really minutes.

Carole Theriault

What do you mean minutes?

Thom Langford

How?

Graham Cluley

Well, because someone can send an email attachment containing a Word document to a lot of people who would then open it. Because if they use the right social engineering, and people, remember, weren't worried about Word documents because how can a data file infect your computer?

Carole Theriault

I don't think we really even had the term social engineering in 1995, actually.

Graham Cluley

Doesn't mean it didn't exist.

Thom Langford

I'm sure we did.

Carole Theriault

Okay, we'll wager.

Thom Langford

Maybe not in common day parlance, but I'm sure we did.

Graham Cluley

Yeah. And previously, viruses had taken months and months to spread around into the wild. Now, whether it be by floppy disk or—

Thom Langford

Well, you had to install them yourself, really, didn't you?

Graham Cluley

Well, exactly. Because previously, if the media had said to me, what do you have to look out for, for a virus, Graham? And I would have said, don't boot from an infected floppy disk and be careful what programs you run.

Thom Langford

Mm-hmm.

Graham Cluley

Whereas now, opening a Word document could get you— Now, over time, new macro viruses appeared. Melissa virus, the Wazzu virus, which switched words around in your documents. You're gonna name them all. And then Excel and PowerPoint macro— No, no, no. But for the first 5 years or so, until about 2000, macro viruses ruled the roost. They were the most common, the easiest to write, they spread the most successfully, but crucially, they didn't make their creators any money.

Carole Theriault

Oh, interesting. Okay.

Graham Cluley

Because they couldn't hijack your computer to send out spam, they couldn't turn you into a botnet, they couldn't open a backdoor to your computer. The language, the macro language, wasn't powerful enough to do that. So you could pop up messages, you could mess around with documents, but there wasn't really a way to make cash out of it. And so the bad guys, round about the early 2000s, began to think, well, how can we make money out of malware? And that's when they turned their back on macro viruses and started writing password-stealing code and bot code and all kinds of things instead.

Carole Theriault

Makes total sense. Yep, money rules the roost.

Thom Langford

Yep, okay.

Graham Cluley

But there were still problems with malicious macro code out there. And in the late 1990s, Microsoft began to display warnings when a macro was embedded inside a document. And you may have seen this. So what would happen is you would open a Word document and you may see this little yellow strip at the top of your screen say, "Security warning, macros have been disabled. Click here to enable content." Yeah, of course.

Carole Theriault

We all remember those, right.

Graham Cluley

And what the criminals found out was there was actually a way of getting the macro language to download further malicious code from the internet, which could do all these money-making things. And all they had to do was use social engineering to get people—

Carole Theriault

What year are we now in this story?

Graham Cluley

We're getting into the 2000s now, right?

Carole Theriault

Oh, we're getting into the— okay, good. Yeah, we're 20 years now away.

Thom Langford

Okay.

Graham Cluley

No, this is the point, Carole. This has been a problem for a long time. I'm listening, I'm listening. So the viruses began to be able to do malicious stuff, but they had to get you to agree to enable macros. And they did this in a variety of ways. So when you'd get the poisoned Word document, albeit with Microsoft having disabled the macros, it would display a screen saying, "Oh, this document's created in an earlier version of Microsoft Word. You have to click enable macros to decrypt it for your security." So they're using all these sort of social engineering methods to get you to run the macros.

Carole Theriault

Playing with security when actually it's— yeah, it's the opposite.

Graham Cluley

Yeah, exactly. So what Microsoft did to try and fix the macro virus problem didn't actually work that well, and the bad guys found a way around it until this month. Because Microsoft have just announced, one quarter of a century after it accidentally shipped the first macro virus, they've said enough is enough and it is changing the default behavior of Office applications. So rather than saying, just click here on the yellow stripe to enable macros or enable content, which is potentially really dangerous and lots of people have been tricked into doing, they're now going to display a red strip. It says, "Security risk. We have blocked macros from running because the source of this file is untrusted. Learn more." Rather than enable macros.

Thom Langford

That reminds me of the Red Dwarf skit where they say, "Kryten, let's go to red alert." He says, "Are you sure, sir? Because that means changing the bulb."

Graham Cluley

The other thing they've done is it doesn't say enable macros. When you click on learn more, you're going to get taken from April to a web page on Microsoft's site, which describes at some length— if you thought me talking about this was tedious, it will explain.

Carole Theriault

I'm not saying anything.

Thom Langford

Is it going to be voiced over by Bill Gates?

Graham Cluley

And it'll explain why you shouldn't allow macros to be enabled. And it will only let you allow them to run if you're really determined.

Carole Theriault

Okay. Can I ask you a question?

Graham Cluley

Yes, you may.

Carole Theriault

Mr. I'm a security expert.

Graham Cluley

Thank you.

Carole Theriault

What do you think of this historical progress, this evolution of Microsoft managing its macro traumas?

Thom Langford

This is quite literally Darwinian evolution. It's taken a long time.

Graham Cluley

It crawled from the primordial swamp, it climbed a tree, and it is now falling off a branch. It's taken quite a while.

Carole Theriault

Right?

Thom Langford

25 years.

Carole Theriault

To change the hue.

Graham Cluley

Not just the hue.

Carole Theriault

And add a learn more link.

Graham Cluley

Yes, yes.

Carole Theriault

And to block them by default.

Graham Cluley

But you know who has stopped this evolution from happening earlier? Has been companies and particularly finance departments who insisted on using macros in their spreadsheets.

Carole Theriault

Yeah, to make their fancy pivot tables and their clever—

Thom Langford

Yeah, they're useful.

Graham Cluley

Well, they can be useful. But the problem really is—

Thom Langford

Says a person who doesn't work in a finance department.

Graham Cluley

I couldn't do a pivot table to save my life. I would not. I don't know how to do this.

Carole Theriault

You don't even know what a pivot table is.

Thom Langford

Oh, come on. Really?

Graham Cluley

No, I don't.

Carole Theriault

Define what a pivot table is.

Thom Langford

If you don't know what a pivot— It's a way of displaying data in—

Carole Theriault

I wasn't asking you, Thom.

Thom Langford

Oh, okay, okay, okay. Fine.

Graham Cluley

Just one of his many skills.

Thom Langford

It should be one of those things that everybody should know by the time they're 40. Why? Why? Because it's useful.

Graham Cluley

Not to me, it isn't. I've never needed one.

Carole Theriault

How would Graham apply a pivot table to his life to make it better?

Thom Langford

Have you seen his personal finances?

Carole Theriault

No.

Thom Langford

Neither has he because he's not used a pivot table.

Graham Cluley

So, so I think this is good news, albeit it's taken a while. Now you will be able to configure it so only if the macros have come from somewhere untrusted, like outside your organization, if they're not digitally signed, etc., etc. But it's an important behavioral change, and I think it's going to be much harder for a lot of the scammers and the people sending malware. And remember, sometimes ransomware is distributed in this fashion. It will start off with a Word document sometimes, which will then download something else. But they have to get you to click on that enable macros button. So this is quite good.

Carole Theriault

I find this depressing.

Graham Cluley

Depressing? Why?

Carole Theriault

Yeah, I don't know. I haven't used Microsoft products for a long time, so I'm kind of talking out of my, you know, wazoo.

Thom Langford

Wazoo.

Carole Theriault

Yeah. But I just find it very 1990s solution.

Thom Langford

Well, this is what the problem I find is that most IT departments and many, many third-party suppliers provide solutions to this problem and have done for the last 20 years. You know, making sure that you can't run macros unless you're explicitly allowed to and all that sort of thing. And what Microsoft is doing is something they literally would've been able to do the first moment they put up the yellow warning.

Carole Theriault

Right!

Thom Langford

Yeah. And I, this is—

Carole Theriault

You waited 20 years.

Thom Langford

Yeah. They've been treating a symptom for far too long rather than the cause.

Carole Theriault

Anyway, it will be interesting to see how this revolutionises the macro drama.

Graham Cluley

I just think it's gonna be a lot more effort for the cybercriminals to get round this than the old just click on the enable content button.

Thom Langford

And that's good news. Yeah, absolutely. It's another barrier. Whether or not it's going to be sufficient by itself is another matter, but—

Graham Cluley

I'm sure there'll be ways to still subvert it. But it's going to make life harder for the bad guys. And we're all in favour of that.

Thom Langford

And kids, don't forget your pivot tables.

Carole Theriault

Fuck, I hate pivot tables too.

Thom Langford

You don't even know what they are.

Carole Theriault

I do. I used to have to do them for Graham.

Graham Cluley

A pivot table sounds like something like a sex swing.

Carole Theriault

Is it a piece of furniture? Thom's showing off.

Thom Langford

Yes, that's exactly what it is, Graham.

Carole Theriault

It is, yeah.

Thom Langford

Absolutely. That's absolutely right. Well, I have something else that is also an attempt to address a symptom rather than the cause of a problem. So you may know that the UK government has been upping the ante and has been really pushing this agenda of banning end-to-end encryption and ensuring that there are backdoors into cryptography controls.

Carole Theriault

Yeah, so I was gonna ask, do they wanna do away completely with end-to-end encryption or they just want a backdoor in that they're gonna use themselves, that they'll keep very safe and no one will ever get their hands on?

Thom Langford

Well, I think the principle is that they get a backdoor into what they want. But of course, the problem being that when you break one set of cryptographic controls, you are ostensibly breaking them all.

Graham Cluley

Yep.

Thom Langford

Because that's how maths works.

Carole Theriault

It's rule one of cyber club.

Thom Langford

Yeah, exactly. Exactly. Break one, break them all. But the thing is, there's been a huge pushback, very much so from our industry, basically saying our whole economy and life depends on strong end-to-end encryption. Everything from banking to general online purchasing to the way you communicate with your friends, etc., etc. And by breaking this, this is actually going to cause real problems. And it's all very well saying, well, you know, if you've got nothing to hide, you've got nothing to lose, etc. But this is in the case of benevolent governments. And now, one, there's plenty of malevolent governments out there that will use this against its people. But also, in 10 years' time, I mean, who would have said 10 years ago that we would have had the UK government that we had today, right?

Carole Theriault

Well, I predicted it completely. I predicted it.

Thom Langford

Yep. Well, obviously. You probably calculated it in a pivot table.

Graham Cluley

The thing is, the UK government, they're really keen on things like WhatsApp, aren't they? They're always WhatsAppping each other and inviting each other to their government parties. Bring your booze.

Thom Langford

Absolutely. But the point of this story is they've upped the ante. So they have got a website, and I hesitate to advertise a website, but we need to know what's out there. But it's called noplacetohide.org.uk, which already gives you a sense of what this is all about. And if you do click on it, you'll see that it's all focused on, don't give child sex abusers a place to hide, focusing on end-to-end encryption. Now, the idea here is that this is just one part of a multimillion-pound sort of engagement campaign to change the public mind on end-to-end such that when the bill comes to Parliament, there's going to be widespread support of it. It will just go through because people are easily misled by this sort of thing. And it doesn't look like a government website. It's, you know, it looks like a very valid website. It's supported by many charities and all that sort of thing. The thing is, this particular website has cost the UK taxpayer, the UK Home Office, half a million pounds. That went to a marketing firm, M&C Saatchi. So you can see exactly where this is going. The British government have got some kind of agenda that they want to push onto the British people. So therefore they're using experts in communication to push this, even though it's not necessarily, in my humble opinion and many others, in our best interest. Now, all of the charities that are listed on there, and there's some valid—

Graham Cluley

Oh yeah, some legitimate charities here.

Thom Langford

Absolutely. NSPCC, Barnardo's, the Children's Society, etc. All very good. They are on a steering group, an unpaid steering group for this campaign managed by M&C Saatchi. So again, you can sort of see this is not just an independent steering group thinking this is right. This is a steering group comprised of people who are already aligned with what the government wants. So there's stats in there like, what is it, 14 million reports of suspected child sex abuse online that could be lost if we don't stop end-to-end encryption. Quite how they get that data is interesting because we already have end-to-end encryption. Does that mean we are losing that many? No, it's saying they could. Now, the counterpoint to this comes from a chap called Alec Muffett. Now, Alec Muffett, he's a self-described stay-at-home dad for a home-based startup, which I think is his family, from LinkedIn. But he's got an unsurprising background in network security. He's also on the board of the Open Rights Group. And he's written a fantastic contrasting piece on this, which actually brings a lot of details and far more evidence rather than some kind of interpretation of a report done many years ago. Now, one of the most interesting parts I thought about this was they're focusing this on protection of children. One stat that Alec gives is that actually 90% of child sex abuse cases are carried out by people within the family or close to the family of the abused. So the end-to-end encryption thing is not about protecting the children. 90% of children are attacked and abused by people who are known to them.

Graham Cluley

Right.

Carole Theriault

Thom.

Graham Cluley

Thom, what have you got for us this week?

Thom Langford

The end-to-end encryption thing is not going to change that. He then goes on to make a variety number of points, and he puts a number of stats in there and a number of links in there to details, you know, specifically that 14 million records, etc., etc. The interesting point he makes, and the most fundamental point he makes, is we should be putting our focus in on the source of this. On the societal change. On the support required to stop this kind of abuse in the first place, rather than putting in measures that actually are just going to punish people afterwards or send them even deeper underground. And the other point as well to this is, we've already seen this playbook run out before with the war against drugs, the war against terrorism. You know, the end-to-end encryption thing has already been played out in both those cases. Now it's the turn of, you know, the war against pedophiles, playing on huge emotional triggers for the general public to support this. This just removes us as citizens, our privacy, agency, control of data in our lives. And a point you made earlier, Graham, about actually, frankly, the government are quite happy to use end-to-end encryption. They're using WhatsApp and, you know, various messenger apps to send out-of-band communications to each other. We've seen that.

Graham Cluley

And those are applications which are run by companies which are based overseas.

Thom Langford

Yes, exactly.

Graham Cluley

It's not—

Thom Langford

And they're carrying out governmental business on these things.

Carole Theriault

Well, I— yeah, can I just say what bugs me here? So what bugs me on this website is there's only one mention at the very bottom of your landing page that this is a campaign funded by the UK government, right? So it's kind of burying the government endorsement of it. And on top of that, it is providing you with one single, very emotive argument as to doing something. It is not a balanced view on the pros and cons of this. And it feels a bit propaganda-y even.

Graham Cluley

It definitely is propaganda because this is aimed at your Daily Mail readers who of course—

Carole Theriault

I'm looking at it and our listeners.

Graham Cluley

But yeah, but everyone else in the country or most people in the country, we obviously, you know, abhor child abuse and we don't want child abuse to take place.

Thom Langford

Of course.

Graham Cluley

But this is the wrong way of tackling it because there are so many other people who will suffer if end-to-end encryption is weakened, if there are backdoors and who on earth is going to hold the keys for that? And can they be responsible and what happens when it ends up in the hands of others? I'll tell you what else annoys me about this website though. Did you say it cost half a million quid?

Thom Langford

Yeah, £534,000 to do this website, but it's part of a large campaign. Okay, but the website is just one page and there's a one-minute video on it. I would happily have done this for £15,000. Well, it's a single page effectively, isn't it? It's not even— it's a poster.

Graham Cluley

Yes. And there's no meat to it. There's no evidence behind it. Well, I mean, I know that Alec Muffett, I mean, you've pointed to that one post of his. He's done a series of posts up on his blog where he talks about the different aspects of this and includes links to research and evidence. And I think overall that's much more convincing. But of course, he doesn't have the power of a PR firm, M&C Saatchi, promoting his site.

Carole Theriault

Isn't this a problem? Isn't this a problem for, you know, I don't know, journalists to kind of go, guys, yeah, do you think the government should be doing this? Is this really a thing that we should be funding in order to convince people to approve our bill?

Thom Langford

Well, we know you've got chums in the BBC, you two, so, you know, maybe we can get this amplified.

Graham Cluley

Oh yeah, because they're really popular with the government, aren't they, the BBC, at the moment?

Thom Langford

Yeah, yeah. Well, someone's going to cut their, their— Who is it?

Graham Cluley

Nadine Dorries.

Thom Langford

Oh dear God.

Carole Theriault

Nadine.

Thom Langford

Nadine. What's my password? I shout every morning. Dorries.

Graham Cluley

That's right.

Thom Langford

Oh my goodness. Who would have predicted 10 years ago, apart from Carole? Who would have predicted?

Graham Cluley

Carole, what have you got for us this week?

Carole Theriault

Way back, Graham. Way back in episode 68.

Graham Cluley

Oh yeah, one of my favorites, yes.

Carole Theriault

I spoke about MoviePass. Now, MoviePass was a company that wanted to kind of deglue US butts from the couch and put them into movie theaters. And it was basically a movie theater subscription service. So you paid, I don't know, $10 a month.

Graham Cluley

Oh yes, yeah, I remember, yeah.

Carole Theriault

The service used this mobile app where registered users would check into a cinema, choose a film, showtime. You'd present your voucher, you know, da da da da da. And the thing is, it was super cheap, right? Because you could have a movie a day, every day for less than the price of a single movie ticket that you would pay for. 'Cause $10 a month, movie tickets cost way more than that. So, how would this work?

Graham Cluley

Yeah, how did it work? How did they make money out of that?

Carole Theriault

Data tracking. So, and they even came clear, and that's what that show in episode 68 was all about, was that the CEO, the then CEO, did a talk called Data is the New Oil: How Will MoviePass Monetize It? And during this keynote, he literally crowed about how much data they were currently hoovering up from their paying customers. And he said, we get enormous amount of information. We watch how you drive home from the movies. We watch where you go afterwards.

Graham Cluley

Okay?

Carole Theriault

But things didn't work out as planned because in 2019, September 2019, MoviePass shut down its mobile ticketing service. And its parent company soon filed for Chapter 7 bankruptcy and announced that it was ceasing all business. So this is pre-Rona. Have we lost Thom?

Thom Langford

No, I'm here.

Graham Cluley

I think he's loving it. He's loving it.

Carole Theriault

He's bored. Okay.

Thom Langford

Just checking. You know, unlike you, I don't interrupt people midway through their flow.

Carole Theriault

No, it's just a conversation. The show normally.

Graham Cluley

I would hate to interrupt a middle-aged man in mid-flow. That could be very dangerous.

Thom Langford

I'd never know when I could start again. Probably 4 o'clock in the morning. That's when it normally starts.

Graham Cluley

I'm up then too. You should text me. We can do it together.

Thom Langford

Yes.

Graham Cluley

Do a live stream.

Thom Langford

Yeah.

Carole Theriault

So fun. Right. So MoviePass defunct, bankruptcy, bye-bye MoviePass, what a dumb idea.

Thom Langford

Not a dumb idea. Oh, it was a great idea. Because you're trading something that you have, and you know you're trading it, for something that you want. And it's a transparent business arrangement.

Carole Theriault

You think most people realized how much data they were hoovering up? Because it was quite a little blip in the press at the time that they were grabbing all this data in order to cue where you were going.

Graham Cluley

Are you suggesting— People didn't read the terms and conditions and privacy policy, correct?

Carole Theriault

Yes! That is always my main point.

Thom Langford

Well, also, if it's free, you are the product, blah, blah, blah.

Carole Theriault

It isn't free! You were paying a tenner a month.

Thom Langford

A whole tenner a month for 30 films? Of course, I mean, it might as well be free.

Carole Theriault

Yeah, but it didn't work, 'cause they went bankrupt, right? So it was good for you, but it wasn't good for MoviePass.

Thom Langford

Oh.

Carole Theriault

But like a groaning, knuckle-dragging, mud-drenched zombie, MoviePass has been raised from the dead. This past November, the original co-founder Stacy Spikes was approved ownership of the company by a New York bankruptcy court judge. And just a few days ago, this new CEO explained how it was going to change the movie business.

Graham Cluley

All right.

Carole Theriault

And our question is, is this a win-win for everyone? Obviously, it's going to be interesting. Thom, I look forward to your opinion on this. So just as a quick aside, though, okay, so the movie business obviously took a serious hit during the pandemic. In 2021, I think ticket sales hit $4.4 billion. And this is double from 2020 when the cinemas were all shut. But it's still way low compared to 2019.

Graham Cluley

Yeah, but the streaming services made a fortune though, didn't they?

Carole Theriault

The streaming services made a fortune. Exactly. Not the cinema going, right? So Stacy Spikes's solution here was revealed at this launch this past week, that MoviePass will now be a subscription system that incorporates virtual credits that can be spent on movie tickets. Okay. So you still have a fee to pay. It's still a subscription service. You're paying whatever it is a month. They haven't said what price yet, but there's a kind of built-in app reward system. And there's tiered plans, et cetera, et cetera. But using Web3, using some blockchain tech, MoviePass will also allow members to trade and transfer these credits. The idea is that they don't want to be tied to just one movie theater. They want to be ubiquitous across the entire industry. So customers, theater studios will be able to trade and everything, even NFTs. We're gonna, I'm not even going into the NFT world in here, so ignore all that. Now, this is the thing that has everyone's knickers in a twist. MoviePass will also incorporate another feature enabled by Web3 tech that allows users to pick up extra credit if they watch advertisements.

Graham Cluley

Adverts at the cinema.

Carole Theriault

Okay. Between us, us three.

Graham Cluley

Huddle.

Carole Theriault

Huddle. It's unclear to me if this is actually a movie theater experience or a home streaming service. So I've been having, I've read a number of articles on this and I am unclear. I think it's all going to be done on the phone.

Thom Langford

It would have to be for the eye tracking, right? Exactly. But I was a little concerned that the ad stuff would happen on the phone.

Graham Cluley

Okay.

Carole Theriault

So when I say watch advertisements, I don't mean play advertising, right? I don't mean oh, the ad's coming and you go make a cup of tea. I mean, you have to watch it with your actual eyeballs. And they will monitor this with very clever tech to track your eyeballs. If you look away, the ad will pause.

Thom Langford

Now, if you have a glass eye, could you take it out and put it on a stick?

Graham Cluley

Like Columbo.

Thom Langford

And then go and make a cup of tea.

Carole Theriault

Couldn't you do that with eyeballs, ping pong balls, and a bit of paint? I'm a good artist. I could probably start a new business.

Thom Langford

This is Web3. I think it's a little bit more complicated than that, Carole. But—

Graham Cluley

Could you not? I mean, I was thinking along similar lines. I was thinking, surely someone is going to come up with an app which simulates eyes watching something.

Thom Langford

Or a video. Yeah, you record your face on a loop. Yeah.

Graham Cluley

You have one phone which is playing a video and you shove your other phone in front of it.

Carole Theriault

Yeah.

Graham Cluley

And you just make money. Doesn't that work?

Carole Theriault

You could have deepfakes of yourself watching, just sitting there paying attention and blinking occasionally.

Graham Cluley

Yes.

Carole Theriault

Now, of course, the ads, because they're being played on your phone, are specifically tailored to you. So of huge interest to you, Thom, right? They'll all be about Lego and stuff.

Graham Cluley

And stuff.

Thom Langford

You know me so well, Carole. It's like you're peering into my very soul with that statement.

Graham Cluley

So there we are at Thom's funeral. Carole's been asked to give a speech about, oh, Thom was a fascinating chap. He was into Lego.

Carole Theriault

Yeah.

Graham Cluley

And stuff.

Carole Theriault

Now, obviously, we can see why this is interesting to MoviePass. It's an interesting pitch because I can see them now going, "Hey, ad guys, I can guarantee eyeballs. Like, eyeballs happening and watching your ads. So I'm gonna ask for a higher price to place those ads." Plus, we're unclear at this stage how the app will actually track you. So if it has the same tracking behavior as the previous MoviePass technology. Also, what are they doing with all the facial recognition tech and images? Are they only doing that whilst the ads are playing or during the movie as well?

Graham Cluley

Carole, I don't think they even care about the facial recognition because they want to say to the advertisers, oh yeah, it really worked well. We had an amazing—

Thom Langford

But if they were, I'm just saying, if they're corporate whores, they're gonna be, "Hey, and we can also collect all this data because you never know, might be useful one day." As long as it's very clear upfront that this is what they're doing and this is how they're handling your data and what they're gonna sell and what they're not gonna sell and all that sort of thing. If people want to go for this, then great. It reminds me of that Black Mirror episode where you're on an exercise bike and you have to cycle and exercise in order to earn points to live, and you go up the social scale and things like that. It's the same principle as that. You actually, you've got to move your eyes backwards and forwards over an advert of some description in order to earn credits, in order to get free stuff. Now, if that's the best way, or the easiest way, or the cheapest way that you can get access to the media that you want then so be it. Go in there with your eyes open, don't close them because otherwise you won't get anything, but go in there with your eyes open and reap the benefits. For me personally, I wouldn't do it because I can't bear adverts like that.

Carole Theriault

That's a bold decision. Well, you can't bear an advert watching you watch it? I know. I did it with

Thom Langford

That's right.

Carole Theriault

Oh, because you just basically said, hey dudes, you think this is a good idea, go do it.

Thom Langford

No, I didn't say that.

Carole Theriault

No, I know you said that, but you're saying to other people— my eyes squished so I couldn't read everything.

Thom Langford

Hey, I know I'm saying, as long as you are aware that this is what you're doing, my risk model is not their risk model. It's very different. I said I wouldn't do it. My risk model is actually, I'd rather pay for a service that gives me this without adverts rather than not pay for it. But they may either not wish to pay for it or not be able to pay for it.

Carole Theriault

Oh, they're still paying. They're still paying. They're just getting extra credits that they can use within the MoviePass environment, right?

Thom Langford

You are getting paid for it. You are getting stuff ostensibly for free.

Carole Theriault

And the algorithm, the ad algorithm will never get it wrong anyway, right?

Graham Cluley

Kolide sends employees important, timely, and relevant security recommendations to their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Carole Theriault

They're never going to show alcoholics people clinking glasses of Chablis or showing a fast food ad to someone trying to eat more healthily.

Graham Cluley

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.

Thom Langford

No, exactly. Exactly.

Graham Cluley

You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.

Thom Langford

And this targeted ad thing has never really worked. Let's face it.

Graham Cluley

And thanks to Kolide for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Thom Langford

It's like you go online and you order a mattress, something you're supposed to buy every, what, 7 years, I think it is. And then for the next sort of 6 months, all you get is adverts for mattresses.

Carole Theriault

My hope though, what would make me feel a little bit better about all this, even though I don't like the model, is if they had a bounty program to get the best techies out there to hammer the system to expose any holes before customers are lured into using this service. That would be—

Thom Langford

You mean they're not doing that already?

Carole Theriault

Well, are you surprised?

Thom Langford

One would hope that they make this rock solid because otherwise you're going to get Priti Patel and Nadine Dorries onto them.

Carole Theriault

So when I was researching this, right, of course the freaking Daily Mail covered the story. Now I didn't really take any tidbits from them in the story I've done, but I did look at the commentators and there was one that I thought I would share with us all.

Graham Cluley

You went into

Thom Langford

And took a shower afterwards.

Carole Theriault

It was fuzzy. Yeah. So this Had to Comment, that's the name, wrote, I've never paid to watch a movie nor bought music or attended concerts.

Graham Cluley

the Daily Mail comment section?

Carole Theriault

Why? I refuse to fund alcohol and drug addictions of today's so-called celebs and stars or contribute towards their rehab and their divorces or towards their excessive spending habits. Such as the shoes and clothes they wear once, the many cars they rarely ever drive, and the many homes they buy that they never live in. I can't justify any of that when there are so many people in this world with nothing. That's why I've never paid, and it's for those same reasons that I never will. So, you know, the world's fine.

Thom Langford

That's why I visit the Daily Mail website and regularly go down the sidebar of shame to read about Kim Kardashian. Do you know, if that was a comment from, I don't know, Socialist Worker or Hippies Are Us, maybe they don't have a TV and a radio or anything like that and they just knit their own yogurt and play their own songs or something. But given it's on the Daily Mail on a website, I'm thinking that person has got a TV and probably a Netflix subscription and probably listens to a lot of music either on the radio or downloaded illegally from the internet. So, now I need a shower.

Carole Theriault

Come on, it's funny.

Thom Langford

It is funny.

Graham Cluley

Very funny.

Thom Langford

In a very depressing way. Although it's probably just a Russian troll, let's face it.

Carole Theriault

Baramundi offer unified endpoint management from a single platform. Think of it as an all-in-one solution, consolidated endpoint management under a single interface. For example, with Baramundi JOBS, you can control and monitor all tasks in the management suite, including software deployment, automation, and operating system installation. Baramundi also offer vulnerability detection and patch management, so you're ready to deploy updates and patches from Microsoft, ransomware, malware, and third-party applications. And you can centrally manage any number of devices no matter where they're located. And that means you can distribute all the necessary updates to smartphones, tablets, notebooks. Excited to check it out? Well, we don't blame you. Our pals at Baramundi are offering Smashing Security listeners a 30-day full version free trial. Check it out at baramundi.com/smashingsecurity. That's baramundi.com/smashing.

Carole Theriault

Pick of the Week.

Thom Langford

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Oh, yeah, it varies.

Carole Theriault

Better not be.

Graham Cluley

Well, my pick of the week this week is technological. Now, Thom, I know you love a good gadget. It changes. So I've seen Let me explain to you a problem we've been having behind the scenes at Smashing Security. Because ever since, probably about, I don't know, 18 months ago when I went to live in the middle of a sheep farm without a proper internet connection, we've had a slight challenge recording the show. it between about 20 and 40. So I don't have broadband down a wire. I've been on 4G LTE. I've had antennas outside my house and it's been up, it's been down. It's been problematical.

Thom Langford

Did you replace the printer that your antenna was sat on? Because that may well have been blocking some of the signal.

Graham Cluley

It was like a leaning tower of Pisa to try and get my antenna as high as possible.

Thom Langford

A leaning tower of Canon, more like.

Graham Cluley

Well, Carole, you've handled the situation very well. You've barely mentioned to me that we've—

Carole Theriault

Yeah.

Graham Cluley

So I did some research into alternatives. Are there any alternatives at all? And I was chatting with friend of the show, Professor Alan Woodward.

Carole Theriault

And yeah, and with the speed of Microsoft dealing with the macro problem—

Graham Cluley

I have now invested in a solution, which I hope is going to work. I'm speaking to you right now via a low Earth orbit satellite.

Thom Langford

Is that basically the equivalent of getting the string wet between the two cans?

Graham Cluley

It is. We've got— there are no toucans involved. Pigeons, maybe. I have got a Starlink dish in my back garden.

Thom Langford

Oh.

Graham Cluley

Which is beaming up to a satellite, and then beam— that's then beaming down to Earth somewhere which has an internet connection.

Carole Theriault

Which tech juggernaut gets the cash for that purchase?

Graham Cluley

This is the slight problem, because it is, of course, part of Elon Musk's empire.

Thom Langford

Do you not like Elon then?

Graham Cluley

No.

Thom Langford

Why not? I mean, not that I particularly—

Carole Theriault

He's more popular than Graham, so, you know.

Thom Langford

He got his blue tick before Graham did.

Graham Cluley

He just seems a bit of a twat.

Thom Langford

Yeah. Yeah.

Carole Theriault

But hey, he makes great tech.

Thom Langford

Most visionaries and entrepreneurs are.

Graham Cluley

Well, possibly they are, but he seems particularly weird. And—

Carole Theriault

Yes, I'm not a fan either. How much did it set you back, Lou?

Graham Cluley

It's quite expensive. Dish itself, it's a little rectangular dish that costs, I think it's about £499. And my broadband bill as it is, will be £89 per month.

Thom Langford

Wowzer.

Graham Cluley

So it's quite a lot of money, but it is designed for people who can't get reliable internet connection any other way. I'm getting, well, I've had up to 300 megabits per second down, which is brilliant.

Thom Langford

And I've had a fiber speed.

Graham Cluley

Yeah.

Thom Langford

Yeah.

Graham Cluley

And I've had up to 30 or 40 going up. My ping is low and I haven't had any outages and it's going really, really well.

Thom Langford

It's very, very But I do see from the images that are in the show notes, I do see that by paying for Starlink has meant you couldn't upgrade your phone. slowish. It's 39, isn't it?

Graham Cluley

Why? Why is that?

Thom Langford

Because you've got an iPhone SE from 2020.

Graham Cluley

Yes? Well, an iPhone SE is the best iPhone there is.

Thom Langford

No, it isn't.

Graham Cluley

Yes, it is.

Thom Langford

What are you talking about?

Graham Cluley

The iPhone SE is the best phone Apple's ever made.

Thom Langford

Why is that?

Graham Cluley

Because it's a sensible size rather than being a clown shoe or having stupid cameras sticking out the back, which you don't need.

Carole Theriault

This is from a man with very small hands. Yep.

Thom Langford

Yes.

Graham Cluley

I don't like all those big stupid— I mean, I don't need a camera. You know, stop giving me a better, better camera. I don't need a better camera. Thom, what's your pick

Thom Langford

Why do you not need a better camera?

Graham Cluley

Why would I need a better camera for?

Thom Langford

To take better photos.

Carole Theriault

Of what?

Thom Langford

Stuff! Family!

Graham Cluley

of the week? Friends! I don't need gazillion megapixels. It's not required. It's good enough.

Thom Langford

Your future descendants will not thank you as they look at the equivalent of a 500K GIF of your photo.

Graham Cluley

They don't want to see all the plaque on my teeth or the hair coming out of my nostrils. You know, they don't need details like that.

Carole Theriault

Graham, stop biting, stop biting. It's fine.

Graham Cluley

Oh, you're right. Don't feed the troll.

Carole Theriault

Exactly.

Graham Cluley

So there it is. That is my pick of the week so far. I'm very, very happy of it. Go and investigate it yourself. Starlink.

Carole Theriault

Hallelujah, I say. You know, in a blink of an eye, you sorted the problem.

Thom Langford

Very good. I'm really impressed by this. Although I did see that a whole bunch of his Starlink satellites came crashing down to Earth the other day after a geomagnetic storm.

Graham Cluley

They did, didn't they? Yeah.

Carole Theriault

Don't worry, your $400 will help fix that.

Thom Langford

Yeah, exactly. So my pick of the week is, well, something that many people may describe as a guilty pleasure, but actually, frankly, I don't feel guilty about it.

Carole Theriault

Uh-oh.

Thom Langford

This was, yeah, it's not that kind of guilty pleasure. And I was reminded of it, or rather it was front of mind, because unfortunately the other day I had to go to a funeral of my second cousin. And I was chatting to his brother and we were reminiscing about our times when we were when I was about 8 or 9 and they were sort of early teens. And these two got me into a number of things. So for instance, Pink Floyd. They introduced me to Pink Floyd on vinyl, etc., etc. They also introduced me to a fairly new comic. We're talking late '70s here, new comic called 2000 AD, and this year is its 45th anniversary.

Graham Cluley

Amazing.

Thom Langford

2000 AD. These guys had, well, they call it progs for program because it was all sci-fi, but prog 1, 2, and 3, they had those 3 progs, 3 times over. Now, those 3—

Graham Cluley

Hang on a minute, what are you talking about? You're talking about what is a prog? Oh, a comic.

Thom Langford

Yeah, comic. So one sort of comic. So they had Progs 1, 2, and 3, and they had those 3 times over. Now, those 3 comics in reasonable condition, not even mint condition, today are worth about £3,000, £4,000. Very, very good. The thing, you know, why am I talking about this? Well, I still read this comic today. But it has launched many, many careers and has supported many, many careers. And I've got some examples here. So have you watched 300, the film 300?

Carole Theriault

No.

Graham Cluley

No.

Thom Langford

Great. Have you watched V for Vendetta? No.

Carole Theriault

No. What? Have you watched Watchmen? No.

Graham Cluley

Yeah, I saw that.

Thom Langford

Yeah. Have you watched Kick-Ass?

Carole Theriault

Yes.

Graham Cluley

No.

Thom Langford

Have you watched Wanted?

Graham Cluley

No.

Carole Theriault

Don't know.

Thom Langford

Okay, what about, have you heard of Judge Dredd?

Carole Theriault

Yes.

Thom Langford

Yes. There you go, okay. All of this—

Graham Cluley

Adrienne!

Thom Langford

Adrienne! We don't talk about that Judge Dredd. So, Alan Moore was the writer of 300, V for Vendetta, Watchmen. Watchmen is in the Times Top 100 books to read before you die. The only graphic novel in that top 100 list.

Graham Cluley

Well, that's why I haven't read it.

Thom Langford

Well, exactly, because you haven't died yet.

Graham Cluley

Yeah, I'm in no rush.

Thom Langford

But it also was turned into a big film by Zack Snyder and a TV series as well as that. Dave Gibbons was artist for that. Garth Ennis, the writer of The Boys. Mark Millar, who wrote Wanted, Kick-Ass, Jupiter's Legacy, Super Crooks, which is on Netflix now, is a very good show. Judge Dredd was a character that was created and drawn by Carlos Ezquerra and Strontium Dog. That was a character that was frankly murdered by Sylvester Stallone, was immortalized by Karl Urban in Dredd, and is soon to be a Netflix series called Mega City One.

Graham Cluley

Oh cool.

Thom Langford

Rogue Trooper, another character soon to be directed in film form by Duncan Jones. Duncan Jones is David Bowie's son, and he's the director of Moon, Mute, Source Code, World of Warcraft. So very, very talented, very forward-looking director. All of these people and all these characters were effectively springboarded into today's media content that we consume. But you've watched stuff like this, that has been written or heavily influenced by these people. Batman stuff, anything that's got any kind of action to it is inspired by a lot of these people. And if you'd like to know more about this, there's a documentary called Future Shock: The Story of 2000 AD. There's a link in the show notes. Thoroughly recommend it. It's fascinating because it's also a sociopolitical reflection because what the comic does is it really does hold up a mirror to society at the time. So not only is it forward-looking and ahead of its time, it's topical, it's satirical, it's dark, it's humorous, it's playful, it's hard-hitting.

Graham Cluley

So I've never read 2000 AD, but I do know about some of these things and I do know it's very highly regarded and it is meant to be very good. It's just never been my particular bag, but—

Thom Langford

No, absolutely not. But what they also have is the Rebellion, who own 2000 AD, they also have a Treasury of British Comics group.

Graham Cluley

They do.

Thom Langford

Bringing back a lot of the old school comics that kind of went out of print. So Scream, Misty, The 13th Floor.

Graham Cluley

The Trigon Empire.

Thom Langford

They do that. Trigon Empire.

Graham Cluley

Which I, yeah, that's right. I always call them Trigon. Are you sure it's Trigon?

Thom Langford

It's Trigon. From Look and Learn, right?

Graham Cluley

That's right. It's an old Pick of the Week of mine. And I think Rebellion are based in Oxford.

Thom Langford

Yes.

Graham Cluley

So there you are. Another link to Smashing Security.

Thom Langford

So yeah, there you go. But check it out. 2000 AD, there's an app. You can get weekly comics and a monthly Judge Dredd and lots of stories, lots of books you can buy online. Watch the film, strongly suggest it. I don't get paid for any of these endorsements.

Carole Theriault

No, you obviously love it. See, that's why it's great having guests on with their own pick of the weeks, right?

Graham Cluley

Yeah.

Carole Theriault

It's great. It's fantastic.

Graham Cluley

It's great. Let's see if you can match it, Carole, with your pick of the week.

Carole Theriault

Yeah, I'm not sure. Okay, my pick of the week. So this past weekend, I was at a mini family event in a kind of I don't know what you call it, a manor house.

Graham Cluley

Oh, right.

Carole Theriault

Yeah, I know, a bit la-di-da. Exactly.

Thom Langford

Were you upstairs or downstairs? Just asking.

Graham Cluley

A bit personal.

Carole Theriault

No idea what that even means. And the house has been in the family for generations, and there was loads of evidence with art, everything, furniture, everything. So it got me to thinking about how dinner parties would have been held in this house, and then I was thinking, oh, I wonder what the etiquette was at the time. So I found this Good Housekeeping article from a few years ago, and it lists 100 or so expected behaviors that today may or may not fly. So I think that the link is in the show notes if you guys want to take a look. And it's just one of those irritating slideshow things.

Graham Cluley

I'm looking right now. Ladies, you should smile when talking on the telephone.

Thom Langford

I know.

Carole Theriault

There was one, shake hands at elbow level. So make sure your hand's at a right angle when you shake.

Thom Langford

A host always serves the meat.

Graham Cluley

Please. What kind of party are you at?

Thom Langford

See, I learned from these places. You know, the posh places, you have people serving you. The really posh places, you have a butler who brings around the food and you serve yourself, which is kind of a little bit back to front.

Carole Theriault

It's funny, yeah.

Thom Langford

So the posher the place, you'll serve yourself from the butler.

Carole Theriault

There's this one from the '60s that says, "Avoid dead fish hands." What does that—

Graham Cluley

Fish don't have hands. What does that mean?

Carole Theriault

In the '50s and '60s, there were a lot of dos and don'ts for a woman to follow, including how to position her arms. This instructional guide, a woman is advised not to let her hands hang straight to her sides, as it detracts from her silhouette. Just. There's one: refrain from impure thoughts, especially if pregnant.

Thom Langford

Was a bit late.

Graham Cluley

Men should enter dark rooms first.

Carole Theriault

Right?

Graham Cluley

Slightly sinister. What's that about?

Thom Langford

Well, it's protecting the ladies. Oh, I see. I always have a cigarette on hand.

Carole Theriault

That's aged a bit, huh?

Thom Langford

Don't cough into your right hand. Is that because that's the one you wipe your bum with?

Graham Cluley

No, that's the wrong— What?

Carole Theriault

Okay, I think we should call it a quiz.

Graham Cluley

Don't you have a swan for that purpose? That's what you use a swan's neck for.

Thom Langford

That's true. With the toilet paper I've got, it's more like Swan Vesta.

Carole Theriault

Link in the show notes, Good Housekeeping article if you want to read about wacky dos and don'ts. Very handy. Very handy.

Thom Langford

You can catch me on Twitter @ThomLangford. That's Thom with an H because they would let me have the I'm also at ThomLangford.com, and you can also catch the other best infosec podcast, Host Unknown, at HostUnknown.tv.

Graham Cluley

Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter must have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app.

Thom Langford

Starstep.

Carole Theriault

And of course, shiny shout out to our episode sponsors, Kolide and Baramundi, and to our wonderful Patreon supporters. Thanks to all of you. This show is free. For episodes, show notes, sponsorship information, guest lists, and the entire back catalog of more than 261 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio. Bye-bye.

Thom Langford

Bye. Goodbye.

Graham Cluley

Short and sweet this week.

Thom Langford

Was it short and sweet? Been going for an hour. Oh, oh, sarcasm, right.

Carole Theriault

Well, who talked forever?

Graham Cluley

Not me.

Thom Langford

25 years, I think he was, wasn't it?

Carole Theriault

In, yeah. In 1993, have you ever heard of a macro, Thom Langford? Carole Theriault? Well, let me tell you what a macro did.

EPISODE DESCRIPTION:

How does Microsoft hope to defeat the macro terror? How is the UK Government trying to influence the public's opinion on end-to-end encryption? And what is MoviePass hoping to do with your eyeballs?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Visit https://www.smashingsecurity.com/262 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Thom Langford.
