Pornhub has a problem, the UK's Co-op supermarket is accused of big brother tactics, and we take a look at a security researcher's attempt to reveal the true identity of hackers.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Episode links:
- On security researcher's newsletter, exposing cybercriminals behind ransomware — CyberScoop.
- ‘Imma Make U Dig Ur Own Grave’: He Doxes Ransomware Hackers and Gets Death Threats in Return — Vice.
- Intrusion Truth - Five Years of Naming and Shaming China’s Spies — Kim Zetter.
- Who Is 'Intrusion Truth,' Group Exposing Alleged Chinese Hackers? — Daily Dot.
- The Leopards Eating People's Faces Party meme — Know Your Meme.
- Tweet by Bill Ackman.
- Judge Refuses Visa’s Request to Escape Pornhub-Related Lawsuit — The New York Times.
- How to Prevent and Handle Robberies and Theft in Retail — Vend Retail Blog.
- Abuse of shopworkers is on the rise – coronavirus brought it to our attention and now we need to act — The Conversation.
- ‘Tackling violence and abuse in retail must be one of the industry’s highest priorities’ — Retail Week.
- Convenience store spy cameras face legal challenge — BBC News.
- Looking back at the career of Bernard Cribbins — YouTube.
- Tribute to David Warner — YouTube.
- Webb Compare — John Christensen.
- Support Maria Varmazis on the Pan-Mass Challenge.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Gigamon - Gigamon is the leading deep observability company. Download their latest report into the state of ransomware to learn why deep observability is the new frontier for tackling the ransomware crisis.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. I quite like getting ID checked. Does that happen often still, Graham?
CAROLE THERIAULT. Not often because I don't often buy alcohol because I don't drink but you feel that people think you're under 18?
GRAHAM. Well yeah, it has happened occasionally, yes, right. People have thought that I...
CAROLE. We all believe you. And the third is and talk to you.
GRAHAM. Smashing Security, episode 286. Hackers doxxed, Pornhub probs, and co-op security measures with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 286. My name's Graham Cluley.
And I'm Carole Theriault. And this week on the show, Carole, who are we joined by?
CAROLE. The glorious MARIA VARMAZIS is here with us. Hi, Maria.
MARIA VARMAZIS. Hi. Welcome. It's been a while.
It has. Good to talk to you both. Thanks for having me back on.
GRAHAM. Well, we had to have you on before we took our summer break because we're going to be taking a few weeks off. Don't panic, everybody. We're not going to be going forever. But this is our last show for a few weeks.
CAROLE. It's more than a few weeks. It's the month. We're right now. It's the 4th of August. We'll be back on the 1st of September. It's a month. It's going to be a glorious month.
MARIA. After you're done talking to me you're just like I can't do this anymore?
CAROLE. No no, we have to edit first and then get the show out. Oh okay. And then do some socials and then say sayonara for a month.
GRAHAM. So if you don't want to miss us make sure that you subscribe in your favorite podcast app. We'll always do that and then you definitely won't miss us when we return.
CAROLE. Now how about we thank this week's sponsors Bitwarden and Gigamon? It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
GRAHAM. I'm going to be talking about doxxing.
CAROLE. Doxxing. Maria, what about you?
MARIA. A lawsuit that could change the internet forever.
CAROLE. Forever. Oh, my God. And we're hitting UK convenience stores. All this and much more coming up on this episode of Smashing Security.
GRAHAM. Now chums, chums, I've got a question for you. Is it ever right to dox people?
CAROLE. Can you define dox? Yeah, what are we talking about?
GRAHAM. So by doxxing I mean releasing publicly or posting on Twitter someone's name, their address, the dates of birth, people who didn't want that sort of information made public, other personal information. Is that ever acceptable? Any, you know, any situations when it's all right to do that?
CAROLE. I feel like there's a trick question here. Yeah, I'm a little like, no. Obviously the answer is no, but you're saying ever, ever, and you're giving us 10 seconds to figure it out.
MARIA. Is there a gotcha in there?
GRAHAM. What if they are members of a ransomware gang that's attacked hospitals and businesses? Is it then all right to release publicly their names and addresses and dates of birth and send people around with torches and pitchforks?
CAROLE. It might be fine to tell the authorities, for example, Interpol or, you know, that kind of thing. But maybe I wouldn't. Yeah, no, I wouldn't.
GRAHAM. What if you feel that when you pass the information onto the authorities, it just goes into a black hole and, you know.
MARIA. Oh, it's time to take things into our own hands.
GRAHAM. Spam buckets and, yeah, you know, it's you just think, oh, for goodness sake, nothing's ever happening. We know who these people are. They're opening actively. We're not getting any information.
We need Batman.
MARIA. Yeah.
GRAHAM. Yeah. It's a bit of a grey area, isn't it, then? Because you begin to think, well, maybe it would be useful.
Anyway, there's been an interesting couple of interviews published on Vice and CyberScoop with a security researcher who goes by the name of... Now, you know what people are on the internet with their silly leet-speak names, changing threes to Es and As to Fours.
CAROLE. Excuse me, it's not silly. I'm sure the name Pancake was already used somewhere else.
GRAHAM. Is it Pancake or is it Pan-cak-3? Has he got a pan full of cack? Pan-cak-y. And there's been a number of Pan-cak-s already. Three, Pan-cak-y.
Yeah, I that. Pancake-3, yeah. Anyway, Pan-cak-3 or Pan-cake, I don't know. They haven't revealed their own identity for perhaps obvious reasons, but they've made it their mission to out hackers. And it's got them into something of a pickle.
Pancake3, who has a Twitter account called Pancake3Stack.
MARIA. Oh, it's Pancake. Yeah, PancakeStack.
GRAHAM. You think it's Pancake?
MARIA. Yes.
GRAHAM. All right, it probably is. They had their Twitter account suspended because they posted the name, the date of birth, the passport information of someone who they believe to be the developer of the Predator the Thief information stealer malware. So they posted this up.
CAROLE. On Twitter. So they shared it with the entire world, willy-nilly. That's right. Okay.
GRAHAM. Although they said this information is public anyway. You know, it's there. If you go looking for it, you may well find it yourself. But yeah, so they posted this up. And Twitter didn't it. Twitter suspended their account.
MARIA. Didn't think those leopards would eat their face, did they?
GRAHAM. What? Hello? You don't know about the leopards eating their face?
MARIA. No. Is this another meme?
CAROLE. Are you serious? You are the queen of memes.
MARIA. No. You're the queen of memes.
CAROLE. I love how I get mocked for my lack of digital marketing.
MARIA. No, I don't mind. I don't
MARIA. It's not a mock. It's my genuine surprise. I think I don't realize that the stuff I'm saying is that meme-y.
CAROLE. It may not be, listeners.
MARIA. It's the party of people, leopards eating people's face. You didn't think that consequence was going to come around and bite you in the butt. Oh, I see. It's not good to dox. And you thought if you doxed for good reasons, it'd be okay. But, you know, Twitter's like, you can't dox anybody eating your face.
GRAHAM. Okay. I understand. Sorry. So anyway, so they, I think I'm cruel. You can explain it to me later. So anyway, after this happened, one of Pancake3's followers, they said, if Twitter keep on suspending your account, why don't you go and create a newsletter on Substack? Maybe you can even monetize it at some point in the future. They can even publish what you like about the hackers up there. Twitter can't stop you. You can just link to the page on Substack maybe. And so they started doing that and they created a newsletter called Who's Behind the Keyboard? posting details of ransomware affiliates initial access brokers. They named two of the, do you remember in January the Russians arrested some of the REvil ransomware gang and everyone was a bit surprised by that because Russia historically had never really cared that much about stopping ransomware gangs. And then there was a thought well maybe they want the hackers on their side before they go and invade Ukraine perhaps. But anyway so this chap, well I don't know if it's a chap, Pancake3, whatever their gender may be. They posted some of the identities of these people in the REvil ransomware gang.
CAROLE. Along with their address, their postcode. So all of this information once again.
MARIA. And they're sure this information is really real? It's not just sort of, you know.
GRAHAM. Well, they think it is. They've done their analysis online. They've done some open source intelligence. They've checked out social media accounts. They found pictures of people hanging out in front of nice cars and smiling in front of a camera. Therefore, they must be a hacker. And they post the information. Now, that, perhaps unsurprisingly, as soon as that got reported in the media, Substack shut the newsletter down as well. So you won't be able to find the Who's Behind the Keyboard newsletter anymore.
It's been a bit of a nuisance, really.
MARIA. Talking about all these things that nobody can go and check out. This stuff once existed. You can't see it. Just believe us on this.
CAROLE. But did Julian Assange in his WikiLeaks heyday, he did this. He published identity of people and there was a lot of information that was very personal that was getting out via his route.
GRAHAM. But Julian Assange was running his own website, wasn't he? He was running his own website and presumably had some sort of bulletproof hosting and he didn't have people who were able to easily shut it down or he had sympathetic web hosts.
CAROLE. Yeah, and it's really worked out for him.
GRAHAM. Oh, yeah, yeah. He's having a fantastic time now. It's really, really going terribly well for him. So Pancake3, or Pancake if you've heard of, I've heard of Pancake3. They believe that posting the information can help point the authorities in the right direction. And they say that it's appealing to name names, even if the authorities in the hacker's home country, Russia, don't do anything about it.
CAROLE. I know, but you know, if you're a serious investigative journalist and you launch this huge article, you don't kind of go, and the guy lives at 265 Smith Street. Why not? Because they will probably get attacked or vilified or it puts them in danger. It's irresponsible.
MARIA. Is that in the public interest to know that information? That's the question, right?
GRAHAM. Well, it might put the shit up the bad guys. It might scare the willies out of them.
CAROLE. That's where it is, Graham. It might scare them. It can, though. It might scare them and think, oh, crumbs, maybe I should stop infecting hospitals and endangering lives.
GRAHAM. Or move. Or move house, yes, and someone else lives here.
MARIA. Or stop being a piece of shit criminal. I don't know.
GRAHAM. So they're thinking, well, maybe we'll take the gloves off. I don't know. According to Pancake3, people don't really like their real-life identity being posted on the internet, especially criminals, he said to reporters. Uncovering the person behind the keyboard, the person responsible for crimes, is my ultimate goal. I feel like too many of these people think they're invisible or invincible, but they're not. So my question to you is, is doxing really helpful to the authorities? Does it really help them? Or might it actually give the criminals a heads up? Because if you were investigating someone, if you did believe that you'd get some assistance from the local law enforcement, then maybe you don't want someone sounding off and naming names and addresses because it may cause them to flee or think, you know, I'll destroy some evidence.
CAROLE. You kind of intimated at the beginning of your story that Pancake or Pancake3 went to the authorities and didn't get a good response. Is that the fact in this?
GRAHAM. I don't know if that is the case, but certainly I have heard that said by security researchers in the past. They feel very frustrated.
CAROLE. Sure, but we don't know if that applies to this case.
MARIA. Right. So has anything actually happened as a result of this?
CAROLE. Well, I think it's also glad handing. Right. So if I decided to bring this information to the authorities and I got an automated response saying thank you for your submission and then nothing.
MARIA. We'll get to it never. Yeah. An
GRAHAM. expected item in checkout. Yes.
CAROLE. I would feel shortchanged. I feel like, look, I've done something big and I need a bit of a pat on the back or give me some information or something. But
MARIA. it doesn't actually help anything. It might make you feel good. Yeah, it means
CAROLE. I won't put on Twitter frustrated that no one's listening.
GRAHAM. You've got to be careful. Imagine that. Maybe I'm being a crazy conspiracist, but if I were a cyber criminal worried that the authorities might be on my tail, and I knew that if I gave the authorities some information, they would begin to give me a heads up. So, oh, yeah, we're getting really close to him. We're going to raid his house next Wednesday. I might actually submit some information about my gang in order to find out what they're doing.
I just
CAROLE. think you would say, come in for an interview. Let's hear everything you have to say. Thank you very much. We're taking this very seriously. We'll be in touch in three to six months. Watch this space. But that doesn't happen, is my point. So that's why.
Yeah, because this stuff can take years. It can take years. It may be, though, that Pancake never went down this route and just decided to go, these guys pissed me off. I have some information. Let's share it with the world and see what happens.
GRAHAM. And potentially they could have got it wrong and be sending people in the wrong direction, as you said. An innocent person could be victimized.
MARIA. Yeah. Does that ever happen with doxing? Never. Never. That never happens with doxing. Never have I heard of such a thing. The other
CAROLE. problem here is that Pancake might get doxxed in return because he's not messing with the…
GRAHAM. Well, this is a very interesting thing, Carole, because some of the cyber criminals have started responding to Pancake 3, and saying, we're not very happy with what you did. And you better watch out because unless you delete the information you've published, we're going to go after your family and friends. And we have the resources to find out who you are and make your life very difficult. And apparently Pancake3 has deleted some of his past posts.
CAROLE. And no one has got it. No one's copied and pasted that info anywhere. Of course not. There's no pastebin hanging around.
GRAHAM. Generally, I think we don't really want the amateurs publicly naming and shaming people, do you? Because it can go badly wrong, as we've all seen a hundred million times before. It's generally best left to the authorities. I don't think anyone should
CAROLE. shame, right? Who's anyone to shame? But anyway. Really? Shame can be useful sometimes. Shame. Shame.
GRAHAM. Pancake3, not the first person to dox criminals in 2017. And since 2017, a mysterious personal group known as the Intrusion Truth has been exposing the real identities of people behind Chinese hacking operations. Hacks that have stolen intellectual property from Western businesses and scientific institutions. And one of their most notorious pieces of doxing occurred after the US Department of Justice indicted someone. The US Department of Justice, they didn't publish the person's name. They just said MSS Officer 1. But Intrusion Truth believed it to be an individual called Ren Yun Tao. And after they announced that, someone created a Twitter account under the name Ren Yun Tao. And they sent a tweet to the security researchers trying to find them and identify them. And what they sent them was an image of Lionel Richie
CAROLE. singing, hello. Is it me you're looking for? I can see it in your eyes. Oh, never misses.
GRAHAM. Maria, what's your story for us this week?
MARIA. I want to talk about a lawsuit that some slight hyperbole, but maybe not really, could actually change the internet.
CAROLE. Okay, I'm really excited by this one.
MARIA. Yeah, it's going to be a little dark. I'm going to warn you, this is going to be a little dark. But just brace yourself, okay? Braced. So, I don't know if you've heard of this popular website. It's called Pornhub. Have you heard of it? Heard of it, never seen it. I
GRAHAM. find it very strange because I've never found the hubs of vehicles that sexually alluring. So I've never been tempted. It sounds like a niche fetish site for auto eroticists.
MARIA. Yeah. Oh, Pornhub caps. Okay. Yeah. Well, there's this one for humans. It's called Pornhub. Okay. I don't know if you're aware, but it relies on user generated content, stuff that people, videos that people upload themselves. They don't use actors or whatever versus people upload stuff to it.
So as with many user-generated content sites like YouTube or pick anything on the internet nowadays, they don't slash can't really moderate or monitor what's being uploaded. And in a revelation that probably surprises nobody, there are a lot of abuse videos being hosted on Pornhub and similar websites, including of children. Sorry, I told you this was going to get a little dark.
And many of these porn hosting websites, they're very adamant that they are zero tolerance for any kind of abuse content and that they've done all they can to put a stop to it. But alas, the problem continues.
So we're going to go back in time for a second to 2014. There's a reason for this. Sorry. As I told you, this is going to get a little dark, but then I'm going somewhere with this. Just hang on.
In 2014, a video of a 13 year old was uploaded to this site, and I'm going to be very general because I don't want to make everybody super sad. This video, she had a really hard time getting removed from Pornhub. She actually, after weeks of trying, ended up pretending to be her own mother in contacting Pornhub to be like, hey, this is exploitation material. It needs to be taken down. You would
GRAHAM. expect a website like Pornhub, if they're told something is of someone, you know, someone who's clearly underage that they'd be right onto that because I mean they are a big commercial business.
MARIA. Just take it down first and then review it instead of being like we'll get back to you.
GRAHAM. Or simply if anyone says something is illegal, we'll delete it immediately because it's not like they haven't got a hundred million other videos they can make money from.
CAROLE. True, sure, but then you also get into the waters of someone trying to effectively dock someone else's Pornhub career by saying there's lots of stuff there and if it's just automatically deleted.
GRAHAM. Well, yeah, maybe not automatic, but you would expect them to be quite quick to deal with that. Yeah, pretty quickly.
MARIA. So it took a couple of weeks for this young person's terrible video to come down, but not before it had nearly 3 million views. So fast forward years later, as you might imagine, the victim has gone through hell because of this. She's gone through unimaginable pain.
And all the while, while that video was online, the parent company of Pornhub, which is Montreal-based MindGeek, was making money from the ads it was serving against that video. So the victim has sued not only MindGeek, but also the payment card processors, in this case, Visa, saying that they've all made money from child abuse videos. That's an interesting approach.
Yes, because suing the parent company is one thing, but the payment card processor, that's the part where I was like, that is interesting. So I should note, this is an important little additional note, in 2020, a huge investigative story by the New York Times came out about Pornhub and how it doesn't do nearly enough to stop abuse content. And right after that story came out, I want to say it was December 2020, both Visa and MasterCard immediately cut off Pornhub. And suddenly, MindGeek pulled about 80% of its content. I
CAROLE. do remember that. Okay. Yeah, yeah, yeah. But can I just say
MARIA. 80% of its content gone almost overnight?
CAROLE. Which makes you just go, uh-oh, because obviously they just pulled everything that they weren't sure of. 80% though.
GRAHAM. I'm sure they've still got enough to keep people occupied.
MARIA. So are we clear on how MindGeek is making money off this stuff? They're serving ads. So this stuff is all free, but they have ads against it. It's the same
CAROLE. as a YouTube video, for instance, right? You watch a video, you've got ads that are plugged in there. The uploader has no control on what ads those are, but they get a cut and so does the provider.
GRAHAM. Is it that the people advertising are using Visa and MasterCard to pay Pornhub for their ads? Because I imagine the regular users, if we call it that, of Pornhub, they're not entering their credit card details, are they? Of course they are. Really?
CAROLE. What do you think they're putting in? What, are they giving them cash on the table, meeting cafes?
GRAHAM. I think most of it's free, isn't it? Isn't that the way the internet works? Right.
MARIA. So, yeah, there's ads that are making money, and those ads are then, yeah. So that's where the payment
GRAHAM. is coming from. It's not coming from viewers. It's coming from the advertisers.
MARIA. I wouldn't be surprised, and maybe some of our more sophisticated listeners, there's probably some sort of premium thing people can buy. Of course there is.
GRAHAM. Right. I'm just feigning ignorance, obviously. I know. Gold and platinum accounts. Okay, well, there you go.
MARIA. Listeners, now you know, in case you didn't know. But, yeah, it's mostly ads. Hope that fooled everyone. So when this lawsuit came up, the one against both MindGeek and Visa, Visa immediately sought to be dismissed from the suit. Just leave us out of this, they said. Surely they're not responsible for that abuse content and that by merely being the payment card processor they haven't conspired to support this awful stuff. Obviously, they don't want to support anything terrible like that.
CAROLE. We didn't know. We thought it was just legit stuff. Yeah.
MARIA. Yeah. And, you know, zero tolerance and, you know, and also surely you can't be asking us to police every single little thing that all of our merchants do. That would be impossible. And Visa said that any decision that allows them to be sued in this case would possibly change the payments industry as we know it, because it would be almost impossible for them to do their job if they're also required to police all the content that the merchants are trying to sell online.
CAROLE. No, but it's really interesting because how much cash are they making from illegal transactions is effectively the question, right?
MARIA. Well, they're saying none, obviously. And they're saying we don't know. We don't know. We don't know. And obviously, if we knew it was illegal, we wouldn't be supporting it.
CAROLE. Yeah, but we choose not to know. We're not doing anything to find out. In fact, we argue the fact that you even think we ought to.
MARIA. Yeah. So just this week, just a few days ago, actually, the judge in this case, and it's being tried in California, the judge disagreed with Visa and said that Visa can indeed be sued because they credibly knew that MindGeek websites were likely hosting abuse videos and yet continue to allow MindGeek to use them as a payments processor, or in other words, make money. So here's a little quote from the judge. I'll read that in my best judging voice. Visa lent to MindGeek a much needed tool its payment network with the alleged knowledge that there was a wealth of monetized child porn on MindGeek's websites it knowingly provided the tool used to complete the crime and one of the data points that the judge actually mentioned was that 2020 article when it came out, it said that basically since Visa immediately cut ties once there was some publicity shine on it then they probably knew a lot more than they were letting on.
So yeah. So organizations that fight human trafficking and child abuse online, this is a big win for them. They've been wanting to do this for a long time. This is a great thing. And the reason I don't think this is that much hyperbole is that this could have huge repercussions for not just pornography, but how liable are the payments processors for being used in any illegal activity? And how closely are they going to be looking at their merchants from now on for anything that could be possibly skirting the line, not just obviously very well, yeah,
CAROLE. I mean, I've never thought about this before. But it makes sense that these, you know, card payments, whilst you know, obviously, there's Bitcoin and stuff going on as well, I'm sure is used massively for all kinds of crap.
MARIA. Yeah. And there's still this judgment says that Visa can be sued. They haven't been successfully sued yet. So there hasn't been so who knows what could happen here. But if this goes through and Visa actually is, there's punitive charges against Visa that go through. I mean, we could start seeing things being really cut off online in terms of what kind of stuff is okay to be paid for with credit card and what isn't. I mean, I think you've covered this before, Carole, about sex workers online having a hard time. Maybe I'm imagining this. Yeah. And they've been saying for years they're consenting adults. You know, everything is above the board and they can't find a home online for their kind of stuff. And I'm not thinking it's just things that. It could be a whole swath of stuff that could be affected by this. So, yeah, I'm fascinated by this and would be very curious to see where it goes.
GRAHAM. Likely to keep the lawyers busy for years and years, I would think, before you can imagine lots of appeals and counter appeals. We have to remember this
CAROLE. was the 13 year old girl that was exploited who's bringing this forward. Right. as well. It's not just some you know, some guy trying to make a buck. She's older than that now. Of course she is. Yeah. But still, you know, she's
MARIA. coming at it from that angle. And I believe she's one of 34 plaintiffs, to be clear. So she's not the only one. Wow. Yeah. And of course, 34 is probably a drop in the bucket. So again, anything to slow down child abuse online is great. Someone at Visa
CAROLE. and MasterCard are loosening their ties right now. Yeah, yeah.
GRAHAM. Carole what have you got for us this week?
CAROLE. Okay we're starting with a scene. Okay Now you both have roles Graham your role comes in first. Right So you work in a convenience store in the UK. Maybe your local co-op. Right Maybe actually you could describe what a co-op is for Maria. Yeah. And, you know, listeners outside the UK, actually.
GRAHAM. Oh, a co-op is a supermarket, fairly sort of cheap and cheerful sort of supermarket. Small. Often quite small. That's right. Yeah. Not America. Oh, my goodness. I've been to American supermarkets. It's going to a whole different country, isn't it? You've got different time zones in some of them. It's absolutely bonkers. It's just everything stays. You can buy 900 toilet rolls at once. It's just-
We do our choices. It's true. We don't have that sort of insanity.
CAROLE. It's the place I tend to go to because they're open late often, right? So it's the place where, you know, at nine o'clock, you're about to make your last cup of tea of the evening. You have no milk. You're dash the co-op, get myself my milk, or I'll get cereal in the morning. We have co-ops here. They're very different
MARIA. From what you're describing. So co-ops here are usually very small, locally run often, like farmer market type things. Yeah, a cooperative. Yes. Yeah, yeah, yeah, yeah. So, okay. We have those too, but yeah.
GRAHAM. The origins of the co-op are similar to that. But yes. And
CAROLE. It's grown up over the years and become a kind of business. Anyway, Graham, you have the night shift at the co-op, right? Yes. You're on your own. And, you know, there's a few customers. You're ringing up a few purchases. You're stocking some shelves, you know, playing on your phone a bit. And then Maria, Hugh Maria, swaggers in.
MARIA. I swagger in. Yeah. You're wearing all black
CAROLE. Lycra, right? Oh, goodness. She's pointing something from her pocket, like her hands in her pocket, and she's pointing something and it looks sharp. And she says, listen carefully, give me all the money in the till plus an egg and cress sandwich. I love an egg and cress sandwich.
MARIA. I'm really hungry. I just rode 70 miles. I'm so hungry.
CAROLE. Do it now and there's no need to get stabbed. Just kind of pointing at the pokey thing in her pocket. Okay,
GRAHAM. So what do you do? So I'm worried it could be a gun. Which country are we in here? Are we in the UK? You're in
CAROLE. The UK. The co-op. You're in your local co-op. So it's a knife.
GRAHAM. It's not going to be a gun, no. It's probably a fire or something. Yes, a sharp pencil or something like that. A loaded finger, maybe.
MARIA. Something that I've whittled down into a point, yes. Yes.
GRAHAM. Yeah. Okay. So, well, you know, I'll tell you, well, you can have an egg and cress sandwich. That's fine. You can go to the checkout and sell a checkout. And she wants all the money in the till? All the money in the till. Well, okay, we've got £12.93 because it is the night shift. We haven't got very much in there. People pay by cards these days. Exactly. Yeah, exactly. Cashless society. I'm terribly sorry about this. I mean, we... Okay. But yes, I'd be nice. Is she a bit sexy? I mean, I know Maria is, but you sort of said that she's a bit va-va-voom, sort of all dressed in black.
CAROLE. You're worried for your life because of the pointy pencil. And you're worried about va-va-voom-ness.
MARIA. I think my Pornhub story has kind of influenced how this is going. I know. It's just so weird. I've just come
GRAHAM. To check out your tail and see how it works. Ka-ching. So uncomfortable right now.
MARIA. I know. Why did you do this, girl?
CAROLE. I'm talking about a freaking burglary in a convenience store. Okay? I did not add a layer of blah, blah, blah. Stranger things have happened. Okay, okay. Let's say one more. Maria comes in. Okay, this time she's with her badass gang of miscreants.
GRAHAM. No, no, I don't want anything with a group.
MARIA. A bunch of five-year-olds, yes.
CAROLE. They call themselves the wood lice because they can get in anywhere.
GRAHAM. They call themselves the wood lice? They might be able to get in anywhere, but if you turn them on their backs, they're useless. They just curl up. Is this like the Sharks and the Jets?
MARIA. Listen, my name's Maria, okay? Maria. It's going to happen. Okay.
GRAHAM. So, all right. So they've come in as a gang. They're clicking their fingers. Right. They're choreographed.
MARIA. They're amazing ballet dancers. I don't know how that happens.
CAROLE. And this gang, great. They're walking down an aisle and they're tossing things on the floor. Bang goes, you know, the Pantac sauces. Bang goes the Branston pickle. Right. And they're just acting like big toughies. Right. Okay. What do you do? You're working there all on your own.
GRAHAM. I'm now petrified because there's a group of them and they're going to do their ballet moves on me. They're going to do some modern dance. We're going to start
MARIA. Throwing you in the air and making you twirl. Yeah.
GRAHAM. They're going to do some Bernstein at me. So I'm like, you know, look, your group, please take whatever you want. Just leave me alone. Leave
CAROLE. Me alone. Get out. I'm closing my eyes. This is no longer sexy. Right. I brought it home. I made it real. Well, I know we've talked about this once before, but violence and abuse towards shopkeepers and staff remain on the rise in the UK. Numbers are not great. So the House of Commons report published in June 2021 opens with this introduction. The last five years has seen a shocking rise in attacks on retail workers. The Association of Convenience Stores, the ACS, found that 89% of individuals working in local shops had experienced some form of abuse. Yeah. Yeah. 89%. That doesn't surprise me. It's horrible, isn't it? Yeah, it doesn't
MARIA. Surprise me at all. No.
CAROLE. That's nine out of ten.
GRAHAM. People are vile. I mean, that's obviously, it's not all going to be robberies and things, but yeah, people are rude and abusive.
MARIA. Especially the past few years. I don't know if that's happening in the UK, but over here it's been, I went to a Burger King for the first time in decades a couple weeks ago because I was on the road. And there was a sign at the cashier that they had clearly printed up themselves saying, you know, we're trying to do the best we can, we're really short staffed, please do not yell at us, or something like that. Yeah, God, that was necessary, that they had to print that. It's just so depressing, so no, it doesn't surprise me at all. No.
CAROLE. And in another report, this British retail group, they name the three primary triggers that cause this violent or abusive behavior. And it's basically encountering theft, so someone trying to steal from them. Age-restricted sales. So people, gangs of kids trying to get alcohol and intimidating the shopkeeper into giving it even though they're underage and can't prove that they're above age.
GRAHAM. I quite like getting ID checked. Does that happen often still, Graham?
Not often because I don't often buy alcohol because I don't drink.
You feel that people think you're under 18?
Well, I didn't understand the question, but yeah, it has happened occasionally, yes. Right, people have thought that I, well, or at least they've made me produce some sort of evidence.
We all believe you.
CAROLE. And the third is intoxicant—
GRAHAM. Maybe they're just flattering me, maybe it's just part of the charm offensive by—
Oh we gotta—
MARIA. Do this for this guy otherwise he gets all sad, he looks a bit sad—
GRAHAM. And lonely, let's just do an age check on him.
CAROLE. Make him feel better. Yeah, okay. And the third, so we have encountering theft, age-restricted sales, and then it's intoxicated persons, right? So people coming in, pissed up to the gills, causing issues.
Yeah, dear me. According to the ACS, Association of Convenience Stores, there's been major investments in three areas. Can you guess what the three things they might put in to try and stop this kind of behavior?
Cameras. Yep. Cameras.
MARIA. Like ones that don't have a potato for resolution, yes.
GRAHAM. Some sort of physical division separating the worker from the customer.
CAROLE. Yes, that is in some places. It's a perspex glass, like a sheet. I'm not sure. Yeah. There's intruder alarms. So, of course, a lot of these thefts can happen after hours when there's not staff in there.
Alligators. Yes, or security staff. Obviously, yes. Alligators, yes.
But some convenience stores are taking a new approach and the privacy advocates at Big Brother's privacy campaign group are not happy. And it centers around the co-op chain you've just been describing, Graham.
Now, the problem seems to be, according to the BBC, that the co-op is using facial identification systems called FaceWatch. Now, FaceWatch is not like Clearview AI, where it scans the face of everyone that walks in with the aim of identifying everyone against, you know, this big scraped database of all of us. Billions of people. Nor is it taking snaps and comparing it against convicted criminals or people, you know, robbers or known burglars and robbers that have been convicted of crimes.
GRAHAM. Can I guess what it's doing? Yes. Yes, you can.
Is it using some artificial intelligence to analyze whether your eyes might be too close together? Whether your eyebrows are too bushy or you look a bit, you know, you're wearing a—
What's wrong with bushy eyebrows?
Well, I've got bushy eyebrows, but I'm—
Exactly the problem.
CAROLE. Well, no, no, no, no. It's a little different than that. So it's interesting. So I want you to think about, is this a good thing or a bad thing? Okay.
So what they've done is they take a snap of everyone that walks into the store. Yeah. And then they match the identity against a select list of people that are known to the co-op as a person who has stolen from its shops or been violent. Okay. Okay.
So a spokesperson told the BBC it's a list of people for which the business had evidence of criminal or antisocial behavior. Oh, okay.
GRAHAM. Is that a bad thing? I mean, pubs and things, they might have a list to put you—you're banned. You can't come back here in the Queen Vic. You know, they might have a list of people who aren't allowed to come over the threshold. Surely co-op can say, well, I'm afraid you appear to be on our list of wrong-uns.
CAROLE. So you may not. But they're taking a picture of every single person that goes in, but arguably you might say that's what CCTV does as well. Yeah.
GRAHAM. Yeah. Although, is that all right? I don't know. You say, oh my goodness, now I'm sort of saying, yeah, yeah. It's because this slippery slope of us thinking that's acceptable all the time. Yeah.
MARIA. Do these people have social credits that we... Yeah. It's interesting.
CAROLE. So, you know, if Maria had entered your make-believe co-op, you know, the system would have taken a pic of her and then the system would have alerted you that you were dealing with someone who had caused problems before.
GRAHAM. I'd have saved it to my special folder.
CAROLE. Don't be gross.
What? You're the shop guy. You're the shop guy. And you know that Maria is in the shop and you know that she's a badass. You know that you don't want her there.
MARIA. You then have to go up... Wait, if I'm a badass, why do you not want me there?
CAROLE. Because you're going to ruin all the Branston pickle jars, right? And so you're then, Graham, to go up to her and say, can I help you? In a way to alert that you're aware of her presence in the shop. So you're putting yourself in danger. So I'm not sure how this helps individuals.
GRAHAM. I'm coming out from behind the Perspex screen. Unless I have a tannoy and say, would the Greek-looking girl in aisle four please know that?
CAROLE. With the sharp thing in my pocket. And how long do they keep all the pictures for of people? Do they just dump them right away? What if their database, is their database shared amongst many co-op places, right? Or is it just for that particular shop? So is there a central database? Is it protected? No.
GRAHAM. A lot of questions. Do you have the answers to these questions?
CAROLE. No. No, I do not.
GRAHAM. GIGAMON is the leading deep observability company. It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks. Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis. So, what are you waiting for? Download the report today at www.gigamon.com slash smashing. That's www.gigamon.com slash smashing. And thanks to Gigamon for supporting the show.
CAROLE. Bitwarden is an open source cross-platform password manager trusted by millions of individuals, teams and organizations worldwide for secure password storage and sharing. Not only does Bitwarden offer enterprise-grade security, conducting regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards. This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com forward slash smashing. That's bitwarden.com forward slash smashing. Or you can try it for free across devices as an individual user. That's bitwarden.com forward slash smashing. And massive thank you to Bitwarden for sponsoring the show.
GRAHAM. And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick Of The Week. Pick Of The Week.
MARIA. Pick Of The Week. Pick Of The Week.
GRAHAM. Pick Of The Week is the part of the show where everyone chooses something that they like. It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. It's a bit sad. I mean, it's, you know, well, no, it's a Pick of the Week in honour of an amazing life and an amazing entertainer, because I am going to spend a couple of minutes just praising the tremendous, the fabulous, and the sadly now deceased, Bernard Cribbins.
Bernard Cribbins was an actor. He was in movies with Peter Sellers in the 60s. He was in some of the Carry On movies. He used to be a singer. He had a famous song called Right Said Fred back in the day, not to be confused with I'm Too Sexy and the things that happened with that duo. But anyway, we won't go into that. He was in The Railway Children, a terrific drama set in, was it Edwardian times, of Jenny Agutter, which was a mainstay of British childhood. I loved it. And he was the voice of the Wombles. And if you are a fan of Fawlty Towers, and you remember the episode of The Hotel Inspectors, he had the tricky job, but he achieved it magnificently, of actually upstaging John Cleese. He played a guest who actually sold spoons.
MARIA. Oh, my God. Okay, didn't realise that was him.
GRAHAM. Yeah, me neither. Oh, my God. That was Bernard Cribbins. More recently, if you are a genre fan of things like Doctor Who, you may remember that he played the character of Wilf. That's how I know him best. The grandfather of Donna Noble. And way back in the 60s, he was actually in a Doctor Who movie where it was the Daleks' invasion of Earth, 2150 AD.
Bernard Cribbins. Okay, I've reeled off a whole load of things. But to be honest, anyone over the age of 30, definitely in Britain, knows who Bernard Cribbins is. And he was magnificent. He was lovely. He was charming. He did kids' TV programmes. He used to do this show called Jackanory, where he'd read stories. I think he actually did more of them than anybody else. He was really prolific on that front. and he died at the age of 93. That's a pretty good run though.
MARIA. A good run, absolutely.
GRAHAM. But he was a charming fellow and it's been a tough old week or two in the world of genre TV because we also lost David Warner who was in The Omen and various Star Trek shows as well.
MARIA. David Warner was, yes, incredible.
GRAHAM. He was the chap. Was it how many lights are there?
MARIA. Yes, yes. My favorite thing about him in that episode, the Four Lights episode, is apparently he got the script a day or two before that episode. He basically just was reading off of cue cards for that entire episode and he still killed it playing against Patrick Stewart. I mean, how amazing are those two episodes? They're just fantastic.
GRAHAM. So I'm remembering both Bernard Cribbins and David Warner. I couldn't decide between them. I'll include some links in the show notes where you can read about both of them and the tremendous work which they did. And two great British institutions who've had an impact on the world and in the world of science fiction as well. So that is my pick of the week. Let's remember and raise a glass to Bernard Cribbins and David Warner. Maria, what's your pick of the week?
MARIA. So my pick of the week is space related. It's called Webb Compare. Have you heard of this little thing called the James Webb Space Telescope?
GRAHAM. Tell us about it, Maria. What do you know about it?
MARIA. Well, it's this awesome telescope about a million miles from Earth. And it's taking some of the deepest, actually the deepest photos of space that have ever been taken. So it's basically traveling back in time. They are absolutely amazing. If you don't care a lick about space, it's basically we're going back to look at the beginning of time and space itself with some of these photos. They're absolutely insane.
CAROLE. Unbelievable. You look at them and you think, nah, come on. You think it's a piece of art, don't you, really?
MARIA. No, it's all real data. So if you don't know anything about space stuff and you're just like, well, what is the big deal about this new telescope? Why was it in the news a few weeks ago? Who cares? Go to webbcompare.com, webbcompare, Webb has two b's.
And it does a, you can swipe through, see what the Hubble telescope photos were back in the 90s and then swipe and you can see what Webb is showing us. And this is a project by John Christensen. This was his little pet project. It's amazing what he did.
Some of y'all might know I was actually at NASA a couple of weeks ago.
CAROLE. You were?
MARIA. I was there. I got to go to be at NASA Goddard Center. I was in the room. It was one of the best experiences of my life. And when I was in the room, when a lot of the NASA scientists saw these images for the first time as well, and to hear them go wow, and then, oh, that's a galaxy, that's a galaxy there. These images are beautiful, but they're also real data, and we're seeing all sorts of stuff that we didn't know was there before.
And that this website, Webb Compare, if you don't care anything about space, you just want to look at pretty pictures, that's the one to go to. It's just fantastic.
GRAHAM. It is brilliant. And Maria, it's amazing that you actually got to be there as well. This extraordinary moment in history, really. Was it because you've been a guest on the Smashing Security podcast that you managed to get an invite? Is that how it happened?
MARIA. I did drop a few names and they said, we love the show. So, you know, they rolled on the red carpet for me. It was an amazing experience. And the Webb Telescope is an international effort. And it's just amazing to see what humanity can achieve when we all work together.
GRAHAM. Fantastic. I've just had a look at the website and the images are quite astonishing.
MARIA. And there's actually a new image that was dropped an hour ago of something called the Cartwheel Nebula. So that might be added to this website anytime soon, maybe by the time this episode comes out. So more new gorgeous images coming out and they all just are going to blow your mind.
CAROLE. No, it's absolutely amazing. Definitely worth a look. Amazing.
GRAHAM. Carole, what's your pick of the week? The last pick of the week before we take our summer break?
CAROLE. Well, my pick of the week this week is Maria. Our Maria. She did not mention it yet, but she is about to do the Pan Mass Challenge. A two-day, 200-mile bike ride all in aid of fighting cancer, particularly those that affect children. And this is all for the Dana-Farber Institute. Over to you, Maria. Tell us about it.
MARIA. Oh, thank you, Carole. This Pan Mass Challenge is a big bike ride, but it's a fundraiser, really. And 100% of everything I fundraise goes towards cancer research. So the Dana-Farber Cancer Institute does a lot of its research, not just for pediatric cancers, but also for really rare cancers. So a lot of the cancers that are very deadly that maybe don't get as much attention.
This is what they're studying, and the Pan Mass Challenge has raised over half a billion dollars because it was founded way back in 1980. It's the largest fundraiser in the United States and it is also one of the most successful in the world in terms of how much money it has raised, and largest in the United States of any fundraiser.
My goodness. It's huge. And it's sad because I know many people who have been riding this for decades, and the hope was that it wouldn't be necessary anymore. Because that's really the hope is that we don't have to keep doing this to raise money. But as long as it's needed and as long as these funds help, and it does, this raises I think 60% of the Dana-Farber Cancer Institute's yearly budget. So, it's a massive, massive amount of money. There's a whole page on the PMC website where you can see just exactly what cancer research has been funded by the PMC and what a real difference it has made.
CAROLE. It's an amazing cause and you are trying to fundraise for it, which is amazing. Now, we did talk about this on a previous show and many Smashing listeners got involved and donated money and you are so close to your goal. So how much left do you have?
MARIA. I would love to get $600 more. And I have to give a huge thank you to Smashing Security listeners because after the last time we mentioned it, I can say this very confidently, I raised most of my money from Smashing Security listeners. You guys, so, and it's not that people are necessarily giving humongous amounts of money, it was a lot of small donations, but it really adds up, so I'm so grateful.
CAROLE. And there's probably a few of them out there that heard the last episode and were, oh, I've got to do this, but then the kids started barking or something. As they do. And, you know, you just couldn't, you know, and you just forgot about it because there's 8 billion other things you got to worry about. So if you listen to the show and you're thinking, yeah, I like Maria, I got to do this. And, you know, you should help her get out to her goal because 200 miles.
GRAHAM. So what's the link? What's the link if we want to donate, Maria?
MARIA. The link is bit.ly slash Maria PMC, all lowercase. You can also go to pmc.org and look for Maria Varmazis. You can search for a ride or you can find me that way too. But yeah, I have until October 1st to raise funds. Even though the ride is August 6th and 7th, they give us a little time after the ride to continue to raise money.
So if you're hearing this and you're like, oh, she's done the ride already, I'm still raising money. So I would love to just get 600 more bucks to get me to my finish line. Let's smash that goal, listeners.
That would be amazing. And I'm so, so, so grateful to you both for letting me talk about this and to our listeners who've been so generous. It means a lot to me.
CAROLE. Well, we support you. Guys, you know where to go. Say it one more time, Maria.
MARIA. Bit.ly slash Maria PMC, all lowercase. And you start your ride when? August 6th at about 5:30 in the morning.
CAROLE. Okay, everyone pray for her. Everyone pray for Maria. Please pray that the weather's good and it's not too hot and there's no thunderstorms. I'll be watching.
GRAHAM. Should be fun. May your buttocks not be raw at the end of that.
CAROLE. That's what Graham's worried about.
MARIA. It's the least of my worries. Heat exhaustion is my big worry.
GRAHAM. Keep hydrated.
MARIA. Yeah, I had a run-in with that. Yeah, I almost fainted from heat exhaustion two weeks ago on a training ride.
GRAHAM. Oh my goodness. People, listen to the woman. You've got to support her. She's killing herself. Bit.ly slash Maria PMC. Go on. We love you. Well, good luck with your ride, Maria.
MARIA. Thank you.
GRAHAM. And to everyone else participating in such a worthy cause. And that just about wraps up the podcast for this week and until we return in early September. Maria, I'm sure lots of our listeners would love to follow you online, find out how you got on the race.
MARIA. It's a ride, not a race.
GRAHAM. Oh, yes. You're not trying to win it.
MARIA. No, no. I will be one of the slowest riders, to be clear. I'm not very fast.
GRAHAM. What's the best way for folks to find out how you got on?
MARIA. Yeah, follow me on Twitter at mvarmazis, M-V-A-R-M-A-Z-I-S. I'll try to live tweet as much as I can at my rest stops.
GRAHAM. Don't crash, don't crash.
MARIA. No, no, not while I'm riding, but there are rest stops. So I'll be like, hey, I'm alive, thumbs up.
GRAHAM. And you can follow us on Twitter at SmashSecurity, no G, Twitter and Mastodon. And we also have a SmashSecurity subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Spotify and Google Podcasts.
CAROLE. And a huge, huge shout out to this episode's sponsors Bitwarden and Gigamon and to our wonderful Patreon community and to you too listeners. It's thanks to all of you that this show is free. For episode show notes, sponsorship information, guest lists and the entire back catalogue for more than 284 episodes, you won't get bored, check out smashingsecurity.com.
GRAHAM. Until next time, cheerio, bye bye bye, see you soon.
MARIA. Bye and have a lovely holiday.
CAROLE. I have champagne in the fridge.
MARIA. You've earned a nice break. Enjoy it.
CAROLE. I can't drink it till tomorrow until the show is done.
MARIA. Oh, you're so close. Fantastic. Maria, don't die.
GRAHAM. I won't die. I've been training for it for eight months now. So I'm pretty confident I can cross the finish line. Thank you. Yeah. It's going to be the hardest thing I've ever physically done.
CAROLE. Just recall childbirth.
MARIA. It's different. I don't know. It feels different. Different muscles being used.
-- TRANSCRIPT ENDS --