A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden's commercial spyware bill, and Utah gets tough on social media sites.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's Iain Thomson.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Tweet by Euler Finance confirming security breach - Twitter.
- Euler Finance to Offer $1M Reward as It Reels From Nearly $200M Exploit - Coindesk.
- Hackers stole over $500m in cryptocurrency in record-making heist, Ronin says - The Guardian.
- Hacker Behind $200M Euler Attack Apologizes, Returns Millions in Ether, Dai to Protocol - Coindesk.
- President Biden kind of mostly bans commercial spyware from US govt - The Register.
- Utah Law Could Curb Use of TikTok and Instagram by Children and Teens - New York Times.
- Utah’s social media for kids law could be coming to a state near you - Vox.
- Utah Governor Spencer Cox signs a landmark social media bill - YouTube.
- RRR - Netflix.
- RRR trailer - YouTube.
- RRR Naatu Naatu dance scene - YouTube.
- Best films of 2022 in the UK, No 7: RRR - The Guardian.
- He Died with a Felafel in His Hand - Wikipedia.
- Swarm - Amazon Prime.
- Night of the Lepus - Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- hCaptcha - hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were. Maybe in a few weeks' time we'll have left open that vulnerability.
CAROLE THERIAULT. We'll give you a job!
GRAHAM CLULEY. And you can have another go. Yes, so maybe you could work in our security team.
CAROLE THERIAULT. You can join our non-exec team.
GRAHAM CLULEY. We'll send you a t-shirt.
IAIN THOMSON. The delivery man might be wearing blue and have a pointed cap.
UNKNOWN. Smashing Security, Episode 315: Crypto Hacker Hijinks, Government Spyware, and Utah's Social Media Shocker, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 315. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we're joined this week by who exactly?
CAROLE THERIAULT. By the wonderful Iain Thomson of The Register. Hello, sir.
IAIN THOMSON. Hello there. Good morning from— I would nearly say sunny California, but it's chucking down outside at the moment.
CAROLE THERIAULT. Yeah, I keep reading about horrific weather in California. Has it been wacky crazy for you?
IAIN THOMSON. It has been a very wet winter, but bring it on, say I. The reservoirs are filling up nicely. We've got snowpack, record snowpack in fact, in some areas. The only thing is it's sometimes a bit too snowy.
CAROLE THERIAULT. Not used to shoveling.
IAIN THOMSON. Well, no, I mean, obviously we don't get it down in the Bay Area, but I mean, a friend of mine drove up to Tahoe and they had to put snow, stop and put snow chains on, but there were people getting stranded in the Donner Pass and you'd think Donner Pass, you know, that name means something. It's like if there's a cafeteria along there, check your food.
CAROLE THERIAULT. Yeah, yeah, yeah, yeah.
GRAHAM CLULEY. Do they serve doner kebabs in the Donner Pass?
IAIN THOMSON. You cannot get a decent kebab over here for love nor money.
CAROLE THERIAULT. Well, before we kick off, let's thank this week's sponsors: Bitwarden, Kolide, and hCaptcha. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be telling a chaotic chronicle of crypto crime.
CAROLE THERIAULT. Oh, that's hard to say.
GRAHAM CLULEY. It is.
IAIN THOMSON. I'm just going to say, don't do that with a skinful. The Biden administration has kind of banned commercial spyware, but not really.
CAROLE THERIAULT. And I'm going to see what's shaking in Utah. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, I've got a tale of cryptocurrency crime. I don't know if you are crypto investors. I somehow doubt that you are, but, you know, surprise me.
CAROLE THERIAULT. No.
IAIN THOMSON. Nope, haven't touched it.
CAROLE THERIAULT. I thought crypto was dead. Is crypto still...?
GRAHAM CLULEY. No, no, no, no, no, no, no, no, no, no, no, no. Lots of people are very, very keen. Maybe there's a reason why some people are a little bit skeptical about it. I don't know, perhaps there is. A couple of weeks ago, hackers managed to steal, I think it's $197 million US worth of cryptocurrency from a lending platform called Euler Finance. Not that big a deal, $200 million. According to some records, the 26th largest crypto theft ever. There is—
CAROLE THERIAULT. Isn't that kind of shocking? We have to say, this is not real money. Can we agree on that?
GRAHAM CLULEY. Well, in some cases it's real money, isn't it?
IAIN THOMSON. I mean, if it's converted. But I mean, at the same time, it's kind of understandable this is happening because, to use the oft-misquoted quote from over here, that's where the money is.
GRAHAM CLULEY. Anyway, it does seem hackers managed to steal around $197 million worth of cryptocurrency from Euler Finance, and it sent its investors into a blind panic. Anyone who had their money hidden away over there, almost 100% of user deposits were found to be under the hacker's control.
And you hear these kind of stories all the time, don't you, of crypto firms losing the money or having suffered a vulnerability or wallets being emptied. It's every few days there'll be another one of these.
CAROLE THERIAULT. For the people who've lost the cash, it's a big effing deal, right?
GRAHAM CLULEY. Right. Yeah, it is a big deal. But normally when these stories happen, you hear about the theft and that's pretty much the end of the story. Maybe the company goes bust, but—
CAROLE THERIAULT. That's true.
GRAHAM CLULEY. You know, it's well, whatever happens to that, it's just replaced by another story of cryptocurrency theft. But no.
Not in this case. This wasn't the end of the story because a few days after the hack, Euler Finance sent out a message on the old blockchain saying that the hacker could keep 10% of the $200 million that they'd stolen if they would do them the pleasure of returning the rest of the money within 24 hours. So they said, look, we'll let you keep 10%. Please, please, pretty please.
CAROLE THERIAULT. Does that mean we won't report you and we won't get the cops involved if you do this?
GRAHAM CLULEY. I imagine they probably haven't identified this person. They have a means of speaking to them via the chain.
They can chat to them that way, send them encrypted messages, but they haven't really got a clue who did it, but they're just sort of saying, look, keep some of it, but give the rest back to us. Otherwise, we're done for.
CAROLE THERIAULT. Well, what would be the incentive for the criminal?
GRAHAM CLULEY. Well, maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were. Maybe in a few weeks' time, we'll have left open that vulnerability.
CAROLE THERIAULT. We'll give you a job.
GRAHAM CLULEY. And you can have another go. Yes. So maybe you can work in our security team.
CAROLE THERIAULT. You can join our non-exec team.
GRAHAM CLULEY. We'll send you a t-shirt. You know, there's all kinds. The thing is, once you've got them to keep, you know, however much it was, $20 million worth, say, you just keep that for yourself.
They may say, look, you know, we'd like to tie a bow around it. We'd like to send you some merch. Could you give us your name and address? So we're doing it for this team.
CAROLE THERIAULT. There might be—
IAIN THOMSON. The delivery man might be wearing blue and have a pointed cap.
GRAHAM CLULEY. Anyway, that didn't happen. The money didn't get returned to them. And so 24 hours later, they publicly announced that they were launching a $1 million reward for information leading to the hacker's arrest.
CAROLE THERIAULT. This is Euler Finance.
GRAHAM CLULEY. This is Euler Finance who did this. And you'd normally expect that to be the end of the story.
But no, no, no, no, no. That wasn't the end of the story. It wasn't the last you ever heard of this, because last week another hacker, someone who'd been linked to a $500 million theft from another—
CAROLE THERIAULT. Chump change.
GRAHAM CLULEY. Another cryptocurrency firm called Ronin. He stole some private keys, he accessed their crypto funds, he made off with funds.
He joined the story because the Ronin hacker sent an encoded message along with a couple of bitcoin, ether cryptocurrency, to the Euler Finance hacker, saying to them, hey, look, I've got this message for you. You can decrypt it using this tool on GitHub, using your private key that controls the stolen Euler funds, right? He said, just to make sure it's— No. Just to make sure it's—
IAIN THOMSON. No.
CAROLE THERIAULT. It's like handing someone the key and say, okay, now you go to the castle and open the door.
GRAHAM CLULEY. About the dragon lying behind.
CAROLE THERIAULT. Yep, he's snoozing.
GRAHAM CLULEY. So security analysts were curious about it. So they saw this message and they checked out the GitHub repository for this encryption tool, and they saw that it contained a security vulnerability.
And the thought was that the Ronin hacker was trying to do a dirty, trying to phish the Euler hacker to get their private key and presumably—
IAIN THOMSON. Then steal the funds.
GRAHAM CLULEY. Steal the funds from them. So it's hacker versus hacker.
Meanwhile, Euler Finance is, "Hello?" Well, Euler Finance, who still want their money back—
CAROLE THERIAULT. Of course! Or 90% of it.
GRAHAM CLULEY. Do you know what they did? They told their hacker that he should be very careful about using that encryption tool.
They didn't want their hacker hacked.
CAROLE THERIAULT. But why do you groan, Iain? I mean, I probably wouldn't want two hackers having access to my data if I could try and avoid it.
IAIN THOMSON. No, but it's so convoluted and so, I mean—
GRAHAM CLULEY. It's ridiculous.
IAIN THOMSON. We talk about the rewards of sin, but I mean, these people are literally making millions out of this. So it's just, I find it incredibly frustrating that they couldn't have sorted their security out in the first place, but still, that's just me.
GRAHAM CLULEY. Well, that's crypto firms born out of nowhere, you know, within a few weeks they're up and running and their security is not well founded. So there is some weirdness going on in the relationship between the Euler hacker and the Ronin hacker, because there's some evidence that the Euler hacker had previously sent some cryptocurrency to the Ronin hacker.
So we don't really know what's going on here. Are they part of the same gang? Are they trolling us? Are they trying to catch each other out? Is this some kind of crazy false flag trying to get people looking in the wrong direction? It's mad, it's weird.
IAIN THOMSON. Kind of made me think about the Poly Network case. Do you remember that from a couple of years ago?
GRAHAM CLULEY. Oh, what happened there?
IAIN THOMSON. Well, basically it's a very similar scenario. Poly Network were just basically, they got their cryptocurrency hacked to the tune of $610 million.
And then they were passing this stuff backwards and forwards. This guy took all the money and then they sent him a message via the chain, as in this case, saying, look, return X amount of the funds and we will pay a bug bounty to you, a significant bug bounty.
GRAHAM CLULEY. Aha.
IAIN THOMSON. And declare that this was a white hat action, so the police won't be so interested. That really annoyed an awful lot of people, not only just at the FBI, but also in the security community.
It's just, right, can't retroactively say this is a white hat situation.
GRAHAM CLULEY. No.
CAROLE THERIAULT. Yeah, yeah, yeah.
IAIN THOMSON. So yeah, in the end all the funds got returned. And the hacker basically decided this was more trouble than it was worth.
Eventually, over the course of 15 days, returned all of the funds and Poly Network, coming back to my original point, started a bug bounty program. This one is offering $100,000 for any hits. So yeah, sort your security out, people, you know, get a bug bounty program in place.
GRAHAM CLULEY. So I thought at this point it would be the end of the story. I thought there'd be no more to this. But no, because in another twist in the tale, some of the hackers who claim to be involved in the Euler Finance exploit have recently been vowing to give detailed information about the other Euler hackers to Euler. So they sent out a message saying, well, look, hey, look, we've got detailed information about the hacker. "If you still are offering 10% of the bounty, we'll be prepared to give it to you." What, information on Ronin? Oh no, no, information, I understand it's coming back.
IAIN THOMSON. On the original hack, right?
GRAHAM CLULEY. Information on the original Euler Finance hacker.
CAROLE THERIAULT. Oh, okay, okay. So it's an inside leak.
GRAHAM CLULEY. Exactly, exactly. And there's another person as well claiming to be Euler exploiter number 3. And he's posted up an email address and asked Euler to contact them if they want the beans. So everyone's now— some of them are now saying they're uninterested in the bounty. Others are saying they are interested in the bounty. But there's all this information and people pointing in all different directions as to who this hacker could be. And you would think that that would be the end of the story. But no, no, no, no, no. Because now the original Euler hacker has been communicating with Euler Finance saying, "I had no intention of keeping what isn't ours. I want us to come to an agreement." And Euler Finance said, "Okay, look, let's talk in private about this. You know, you can contact us this way." Get offline. Yeah. Exactly. You know? And they've now had over $100 million worth of the stolen cryptocurrency returned to them.
CAROLE THERIAULT. Half the funds, yeah.
GRAHAM CLULEY. Half of the funds so far. And this guy, this hacker who's now calling himself Jacob, he's posting a message saying, "I don't think what I say will help me in any way, but I still want to say it. I fucked up." He says, "I didn't want to, but I messed with others' money, others' jobs, others' lives. I really fucked up. I'm sorry. I really didn't fucking mean all that. Forgive me, forgive me, forgive me." So far, as of this recording, $120 million has been returned.
CAROLE THERIAULT. What, 'cause no one will transfer more than $20 mil at a time?
IAIN THOMSON. Is that the problem?
GRAHAM CLULEY. Well, I don't know if you've ever tried. Sometimes.
CAROLE THERIAULT. Oh yeah, regularly I shift that kind of money.
GRAHAM CLULEY. Maybe there are some security checks in place, you know, making it more difficult to move large amounts of funds. Maybe this is as much of a nuisance for the criminals as it is for the rest of us when we try and move money around. I don't know. But for now, that is the end of the story.
CAROLE THERIAULT. Elon Musk is going, "Use my account, use my account." Yeah, yeah.
GRAHAM CLULEY. Although apparently Twitter's now worth half of what it was worth when he bought it.
IAIN THOMSON. Yes, or less, slightly less than half. But he does say that he believes that it'll be worth $250 billion. Bitcoin at some point in the future. But we know what Musk is like with deadlines and promises.
GRAHAM CLULEY. So cryptocurrency, have I convinced either of you to invest in crypto?
CAROLE THERIAULT. Yes, I'm going to do it right now.
GRAHAM CLULEY. Iain, what's your story for us this week?
IAIN THOMSON. Well, as I say, news from across the pond. President Biden issued an executive order on Monday, which goes by the snappy title of Executive Order on Prohibition on Use by the United States Government of Commercial Spyware That Poses Risk to National Security.
GRAHAM CLULEY. Snappy.
IAIN THOMSON. Yeah, snappy, but also slightly misleading. I mean, basically the executive order is saying that the US government can't use commercial spyware if it's determined that the spyware is either insecure or it's being run by a company that's hosted in a government which the US considers slightly dodgy, or if it's being used to spy, or if the company's products are being used to spy on US citizens.
Basically also government departments are going to have to draw up a list of where they've used this spyware, who they've used it against, and the rest of it. But it's the nationality and the sort of, you know, is it being used against US people ones, which I think this one falls down on because that's pretty much every commercial spyware vendor, I would have thought.
I mean, NSO Group might be able to get away with it. Israel is considered a friendly country over here at the moment, but you know, NSO stuff has also been used to spy on US citizens, so that would presumably take it off the list.
It just seems it's got so many holes running through it.
GRAHAM CLULEY. It seems weird. If it's commercial spyware, then surely someone will have used it against US citizens.
IAIN THOMSON. Exactly. I mean, you'd think it's utterly bonkers.
Also, this was slightly disturbing in that I'd always assumed that the NSA and you know, cyber control and that sort of thing, roll their own. They don't actually buy from commercial vendors. But it appears not. If they felt the need for this executive order, then someone's got to be using it.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And did you say they also have to create a list of who they've used the spyware against?
IAIN THOMSON. No, they've got to create a list of which commercial spyware they've used. So they're not going to have to identify targets, right. But they are, it is gonna have to be assessed as to which departments are using this on a commercial spyware basis.
GRAHAM CLULEY. And are they gonna keep that list in a secure fashion so it doesn't fall into the wrong hands?
IAIN THOMSON. Well, I gotta say, when I read through this yesterday, my first thought was FOIA request, get it up there. Yeah, right.
CAROLE THERIAULT. I don't understand how anyone would know where their spyware actually comes from.
IAIN THOMSON. Well, I mean, it was commercial then, you know, NSO's based in Israel. We've got Gamma, I think it's Gamma International.
These companies keep changing their names on a regular basis. That was first based in the UK, and I think it's now in Italy. These companies, as I say, they change their name an awful lot. They move around an awful lot.
CAROLE THERIAULT. And locations. Exactly.
GRAHAM CLULEY. Would it be helpful if there was a law which insisted that commercial spyware, upon boot-up, upon starting your computer, played the national anthem of the spyware that was operating on your computer? That would—
CAROLE THERIAULT. It wouldn't be very good spying though.
IAIN THOMSON. I can say, I suppose so.
GRAHAM CLULEY. I suppose so. You're right, you're right.
IAIN THOMSON. I hadn't thought of that. It's, "Why is my computer playing the Saudi Arabian national anthem?"
Let's say, which— Oh no, I don't know if you're Formula 1 fans, but it was the Saudi Grand Prix last one, and they played the national anthem, and it was amateur hour. I mean, I don't know who they got to do this, but I mean, it looked sort of the local misfits who didn't know how to play instruments.
GRAHAM CLULEY. Just in case any members of the Saudi royal family are listening to the podcast today, we'd like to explain that those were the views of Iain Thomson, not of the hosts of the podcast.
IAIN THOMSON. I've spent a week there and I'm never going back, so thanks.
GRAHAM CLULEY. They'll come to you, they'll come to you, Iain.
CAROLE THERIAULT. And do you think people, these companies, just getting back to your story, do you think people know what spyware they have used in the past? Like they have their own list?
IAIN THOMSON. Yeah, I mean, presumably they've got invoices. This is the US government, they've got paperwork for everything.
CAROLE THERIAULT. And couldn't US government start using non-commercial spyware to do certain things just to bypass the law?
IAIN THOMSON. If they are, they're not going to tell us about it. I think it's one of these things where, you know, if you have to admit that it's there, then that's half the battle lost already. I mean, I have absolutely no doubt that they've got their own stuff.
GRAHAM CLULEY. Well, I suppose if they don't, if they can't buy commercial spyware to use, they can always ask their nephew Kevin or something. Maybe you could— you're good at computers, could you write us some spyware? 'Cause we need to spy on so-and-so for it. That would work.
IAIN THOMSON. I don't know, I think it would have worked a while back, but heuristics—
GRAHAM CLULEY. So your view is that this legislation is—
IAIN THOMSON. It's a lovely piece of PR. It may help, and frankly, I don't think the US government should be using commercial spyware, because there's a dual risk there. You know, it's you're trusting the spyware vendor to say, no, no, no, our code only spies on the people that you choose and doesn't have any backdoors in there to these highly sensitive government servers which we're running off. But that's just me. I'm sneaky.
CAROLE THERIAULT. Why would a government want to use it, do you think? Other than FBI and that kind of ring, would they use it for bossware? You know, does that fall into this?
IAIN THOMSON. Oh, I don't think, I wouldn't have thought so. I think this is basically for targeting intelligence targets.
GRAHAM CLULEY. Mm-hmm.
IAIN THOMSON. Maybe domestic. It gets tricky if they're actually looking at US citizens, but you'd need a warrant for that. But, you know, the courts are usually perfectly happy to pass those warrants out, even if they have to be got after the spying went on. There is a certain amount of delay that you can build into the process so that intelligence agencies can do the spying and then retroactively ask for permission, and it's usually granted.
GRAHAM CLULEY. So for the regular person in the street who might be worried that they're being spied on, whether it be by their government, another government, or, you know, Freddy next door, whoever it might be. It's the usual rules that apply. Keep your computer up to date with security patches. Patch against vulnerabilities. Be careful what you run on your computer. Run security software.
IAIN THOMSON. Don't run attachments.
CAROLE THERIAULT. Turn your machine off and unplug it from the internet.
GRAHAM CLULEY. Exactly. Put it in the fridge.
CAROLE THERIAULT. Mm-hmm.
IAIN THOMSON. Oh, no, microwave. Always the microwave. It really cleans out those chips. Ladies and gentlemen, that was a joke.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, interesting that you talked about legislation because, you know, I'm regularly advocating for more legislation around social media. You know, I'm always thinking these giants need to be forced to be more accountable for the actions, right? That's my view.
IAIN THOMSON. I would like to see some controls on it. I just don't see how they're going to be implemented. Honestly, social media is largely a bad thing, but it has its uses. I do find that the growth of TikTok to be particularly worrying, but still, that's another story.
CAROLE THERIAULT. No, but it's part of the social media family, isn't it? I'll introduce you to Spencer Cox. He's the current governor of Utah.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. And he describes himself as a centrist, moderate, liberal Republican.
IAIN THOMSON. Okay.
CAROLE THERIAULT. This is from Wikipedia. And this is a stance that has apparently earned him some critics, probably based more on the righty side. But his recent actions have afforded him a much different spotlight.
And for this story to have context, you kind of need to know a few things about Utah. One, it's kind of known as the home of Mormons—
IAIN THOMSON. Church of the Latter-day Saints, as they prefer to be called.
CAROLE THERIAULT. Oh, sorry. Okay, home of the Church of Latter-day Saints. And they make up a large proportion of people who live in Utah, and drinking is frowned upon in this church.
And maybe that's why the state has some of the most stringent alcohol laws in the land. Like, you can't drink until you're 21, no alcohol can be sold later than 1 AM under any circumstances, and beer sold at convenience stores, grocery stores is capped at 4%.
IAIN THOMSON. It used to be the case that if you wanted to go to a pub, you had to pay a $5 membership fee because it was only allowed in members clubs. Which, yeah, it's a very strange sight. Great skiing there.
GRAHAM CLULEY. I've never been there. I've never— is it good, Iain? Are you a fan of Utah?
IAIN THOMSON. Oh yeah. I mean, I've got relatives out there, so I— up in Park City, and it's literally Olympic-class skiing. They did have the Winter Olympics there, I think.
And it's an oddish sort of a place because it's very clean, there are very few homeless, but then you do go things like go to the Mormon shopping mall, which is just for Mormon shops. So had to go in there and look around. And the bookshop is, I mean, the science fiction section was just basically Orson Scott Card, 'cause he's the only, you know, really well-known Mormon writer or something. And it was just like, what the hell?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Now Gov Cox has a bee in his bonnet about social media. He tweeted recently, more than once actually, that protecting young Utahns from harms of social media is one of our top priorities, exclamation point, he says. And he writes Utahns, so U-T-A-H-N-S.
IAIN THOMSON. Yep, it is a strange state.
CAROLE THERIAULT. Yeah, we all know that protect the kid messaging is nothing new in political campaigns, right? It often resonates well with exasperated parents and guardians.
So see what you make of this, because back in January, Gov. Cox held a press conference. And at this conference, he made many statements disparaging social media, things like, we know that social media causes harm. We know that social media can lead to cyberbullying. He said mental health was taking a beating and that social media platforms know this but are doing nothing.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And I think, you know, I would agree with that. And certainly in my echo chamber, that's what I see, right?
GRAHAM CLULEY. Oh yeah. Yeah.
CAROLE THERIAULT. And I'm not on it, so I can't really, you know, say from a user point of view, but I stay off it because of those concerns. Gov Cox reportedly said that the situation requires action, and late last week, action was taken in the form of a sweeping social media bill.
And he says these are the first-of-their-kind bills in the United States. That's huge, he says. So these two laws are collectively known as the Social Media Regulation Act, and they are to take effect on March 1st, 2024, so in less than a year. The first bill, SB 152, requires social media companies to verify the age of any Utah resident with an account on their services.
GRAHAM CLULEY. Okay, how are they going to do that?
CAROLE THERIAULT. Actually, that's still very nebulous. Listen to this. One of the stipulations is that under-18s will have to get permissions to sign up for an account. It's the first state law in the nation that will prohibit social media service from allowing users under 18 to have the accounts without explicit consent of their parent. But how do you do that without asking everyone their age?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now at the moment, under COPPA law, which is the child protection or privacy laws, you have to basically ask the user, "How old are you?" And if they say "I'm 56," then you have to believe them. That's fine. So this is going to demand people probably handing in proof of age, probably driver's licenses, passports.
IAIN THOMSON. Credit cards.
CAROLE THERIAULT. Credit cards.
IAIN THOMSON. And all this creates an enormous volume, vault of information, which is just what hackers are looking for.
CAROLE THERIAULT. Right. And it also creates a lot of legit information, which may be useful to social media companies because a lot of people spoof information there, don't they?
IAIN THOMSON. Oh, yes.
GRAHAM CLULEY. Yes, that's true.
CAROLE THERIAULT. As you can imagine, there's a lot of privacy advocates that are very much against this because they're saying, "Well, you're basically taking away the right to be anonymous online."
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. Right. Also, part of this law is parents can see everything you post. So say they agree, they say, "Okay, you can have an account." Parents can see every post and message. What do you think about that? Because these are kids, these are people that are not considered adults.
GRAHAM CLULEY. Yes.
IAIN THOMSON. I mean, I do think there are some things parents shouldn't know about what their children get up to online, but I can see parents loving it, certainly.
CAROLE THERIAULT. No, but I'm thinking, you know, say five kids have diaries. I'm sure one or two parents are going to snoop and read it. And I'm sure the other three would never dream of doing that unless there was a mega problem.
IAIN THOMSON. Yeah. But as you said, "snoop," this is the essential side of it.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I just think the kids aren't going to be happy with this. Surely what the kids will do is they'll have an older brother or sister in their early 20s and they'll say, "Can I borrow your ID? Because I want to create an Instagram account or whatever it may be."
CAROLE THERIAULT. Yeah. But maybe they'll do only one account per ID.
IAIN THOMSON. Yeah, could be.
GRAHAM CLULEY. Maybe, but I think there'd just be a flourishing black market for fake ID. I mean, it's not as though kids haven't got fake ID before to pretend to be older than they really are.
CAROLE THERIAULT. Yeah.
IAIN THOMSON. Very common over here, yes. It's one of these things where it's kind of like mice holding a vote to say, "Yes, make sure the cat has a bell around its neck. Now, how do we do it? We haven't worked that one out yet." It seems like one of those—it looks like a PR stunt. And there's also—I don't know if you're going to go on to this, Carole, but the curfew aspect.
CAROLE THERIAULT. Oh yeah, yeah. So that's the other one as part of SB 152, is that basically parents have to allow a kid if they want to do any social media between 10:30 PM and 6:30 AM, when Governor Cox thinks you probably should be in bed.
GRAHAM CLULEY. Oh, so you'll have to get your parents' permission to be on social media in the hours of darkness when all the satanic stuff happens on social media. Because of course, nothing bad happens during the day. It's only after 10 o'clock at night. Although I suppose it's more being done for them to get some sleep—is that the thought?
CAROLE THERIAULT. Yeah, but the bills are signed. Now, of course, lots can happen between a bill signing and the actualization of the law, which is, you know, again, March 1st next year. And there's no surprise that privacy advocates are pointing out the identity verification rules take away rights to use the services anonymously because you have to verify every user agent.
I don't know. Do you think we should have a right to be legally anonymous on social media?
IAIN THOMSON. A difficult one.
GRAHAM CLULEY. I think it'd be terrible to lose anonymity on the internet. There's lots of good stuff and resources people can use, people who have a very legitimate reason to remain private.
CAROLE THERIAULT. On social media sites as well, eh?
IAIN THOMSON. I think so. This is one of the things I liked about Twitter's verified accounts, was that they were at least somewhat verified. But, and we're kind of with Graham on this one, there is a need for anonymity, or even just a desire for anonymity.
CAROLE THERIAULT. Yeah.
IAIN THOMSON. The old advice I used to get from Guy Kewney was you never post anything online you couldn't cheerfully justify to your local newspaper. Anonymity's important, but also I think with the curfew, how is that going to be enforced? It'll be down to ISPs and they can't say, right, it's 10:31, let's switch off all the social media and YouTube.
CAROLE THERIAULT. Yeah, yeah, you're right.
IAIN THOMSON. Because people have got exceptions. So I'm not quite sure how that's going to work either.
GRAHAM CLULEY. This is why— this is what interests me about this is why is this guy actually doing this? It doesn't feel to me like he's actually going to come up with the answers as to how this will be implemented. It feels to me like he's saying, look, I'm going to do this first of all, because it's good for my image because the parents who are going to vote for me hopefully will be supportive of what I'm saying here is that social media is corrupting our kids, etc., etc.
CAROLE THERIAULT. I'm being tough on it.
GRAHAM CLULEY. The other thing is he's basically saying, yeah, not my problem. This is the law. This is the legislation. You social media companies, you work out how the hell you're going to implement this. And if you can't—
CAROLE THERIAULT. Yeah, he says he's going to work with them. Right. I think he's going to be asking them to come up with a solution.
GRAHAM CLULEY. And if they can't, what's going to happen? They're going to get fined or there's going to be some form of action against them, isn't there?
CAROLE THERIAULT. Tell me the second bill. I want to know if you think it's a sweetener for kids.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Second bill, HB 311, requires social media companies to ensure that they are not designed to cause minors to become addicted to them. And it gives Utah minors the right to sue social media companies if they believe they've become addicted or otherwise somehow harmed by a social media platform they have an account on.
GRAHAM CLULEY. Well, this one I'm right behind. I love the idea of all these teenagers now suing the social media companies. Oh, well, I've become addicted to this TikTok nonsense.
IAIN THOMSON. Yeah.
GRAHAM CLULEY. It's going to cripple the social media companies if that's allowed, isn't it?
IAIN THOMSON. Well, I mean, a guy from us, Thom Claburn, who covered this for The Reg, he had a lovely line here. When it comes to suing, it's just like, whether letting parents sue social media platforms for ostensibly addicting their kids will improve adolescent mental health, or may these serve as a college funding option, remains to be seen.
GRAHAM CLULEY. Brilliant.
IAIN THOMSON. Keep tapping, Alice, we need 40 more instances of harm to cover your next 4 years at school.
CAROLE THERIAULT. Fantastic.
IAIN THOMSON. It's, but I mean, also it's gonna be easy enough to prove because the whole point of social media design is to pull you in and to make you use it more and more and more. That sort of builds into the fundamental essence of the platforms.
CAROLE THERIAULT. Well, understandably then, maybe they're saying, hey, you better take this seriously, otherwise we're going to prohibit kids from using it without parents saying okay. And they're not alone, right?
This is not the only state. Utah is the first one to pass it, but Arkansas legislation is looking to introduce a similar bill that would require social media networks to verify users' ages and obtain explicit parental consent for people under 18. There's one in Texas that's even more stringent. It would ban social media accounts for minors, period.
GRAHAM CLULEY. I've got a question. So they're doing this, right? So parents have to give the kids permission.
IAIN THOMSON. Mm-hmm.
GRAHAM CLULEY. When are we going to start implementing a system whereby the grown-up parents, the grandparents, have to ask permission, maybe from the kids, maybe from their own children, in order to go on social media? Shouldn't we have some more policing regarding the rest of us? Why aren't we all being protected?
IAIN THOMSON. You just want some of that sweet Facebook cash, don't you?
GRAHAM CLULEY. There's a lot of people who shouldn't be on social media who are reading all that nonsense all the time and could do with taking a break.
CAROLE THERIAULT. I agree, Graham. I agree.
IAIN THOMSON. Yes.
GRAHAM CLULEY. Why do you say Graham there?
CAROLE THERIAULT. Graham.
GRAHAM CLULEY. Was that pointed?
CAROLE THERIAULT. No, but yes, but no. This episode is sponsored by hCaptcha.
Are cyber threats negatively impacting your business? Unleash powerful fraud protection for your online properties with hCaptcha Enterprise, the leading security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats.
Whether your bad actors are human or automated, hCaptcha Private Learning is the solution. Easily combine your pre-blinded data with hCaptcha's thousands of signals to rapidly find fraud and abuse in real time.
hCaptcha's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com/hcaptcha. That's h-c-a-p-t-c-h-a. To get started with a free trial today. And thanks to hCaptcha for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password?
Well, now you do. Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more. Try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
IAIN THOMSON. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, two weeks ago I took you on a trip to Bollywood and I told you how wonderful a movie from 50 years ago, nearly 50 years ago, Sholay is. Now I'm not going back as far in time this time. I'm going back to last year. One of the most expensive Indian films ever made, according to The Guardian, one of the best films from any country, which was produced last year. So it's in their top 10 films of the year.
CAROLE THERIAULT. And it's called?
GRAHAM CLULEY. It is called— well, I'm not sure what it's called.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. I can tell you— because I don't know how to say it. It's 3 letters. It's RRR. So is that— Rrrr. Is it RRR or is it RRRR? I don't know.
CAROLE THERIAULT. I can't help you, Iain. Sorry.
GRAHAM CLULEY. But it's the letters RRR, and it is a fantastic action movie. It is set, it's an epic saga set in pre-independent India. So it's basically the Indians versus the British Raj. Once again, the British are the enemy, quite right too. Two Indian men on opposite sides of the political divide. One is working for British forces as a cop. The other one is trying to rescue a girl who's been kidnapped from his local village. And it is bonkers. It is as action-packed as any Hollywood movie you've seen in years.
CAROLE THERIAULT. The plot seems pretty straightforward though, no?
IAIN THOMSON. Sometimes the simplest plots are the best.
CAROLE THERIAULT. That's true. That's true.
GRAHAM CLULEY. These two guys start off as enemies, then become the very best of friends, and then become mortal enemies again. There's a lot of twists along the way. I don't want to give it away, because this movie lasts 3 hours.
CAROLE THERIAULT. Did you stay awake for the whole thing?
GRAHAM CLULEY. It's another long movie. I stayed awake, and there was even CGI. I even stayed awake during the enormous amount of CGI, because there's tigers and animals and crazy action scenes.
IAIN THOMSON. Yeah.
GRAHAM CLULEY. This must be the only film I've ever seen where someone is giving someone else a piggyback because he's hurt his feet. And the guy on top has got the machine guns and is shooting people left, right and center as he's being carried along on someone's piggyback.
And they're doing jumps and they're climbing up ladders again on piggyback from each other. It is nuts.
Now, there are a couple of grisly scenes which I think make it— there's a particularly unpleasant scene, not for kids, I'd say, which is a shame because otherwise this would have been great for kids. RRR gets my pick of the week.
Great movie. And it's on Netflix.
Did I say that? It's on Netflix.
You can watch it for free. Watch it tonight.
Go on. You'll enjoy it.
Iain, what's your pick of the week?
IAIN THOMSON. Well, actually, stumbled across this one last night, was giving it a reread. It's a book called He Died with a Felafel in His Hand by the Australian author John Birmingham.
Subtitle: Hilarious True Stories of House-Sharing Hell. And Terry Pratchett thought it was his book of the year when it came out.
And he has a lovely quote on the back. You'll read it with horrified amusement.
And if you've ever shared a flat, the occasional wince of recollection. Now, in this case, this is a guy who basically spent 10 years going from house share to house share in Northern Australia.
And some of the stories are just— I've stayed in some really grotty houses, but I have never seen a board put up in the bathroom with the longest pubic hair pulled out of the shower drain and a competition to see who could get the longest one. You know, it's that kind of descent into madness.
CAROLE THERIAULT. I think I can beat that.
IAIN THOMSON. Really?
CAROLE THERIAULT. I once stayed with a friend in an apartment, overnight, just one night. And there was a stain on the television.
A man stain on the television. A dried man stain on the television.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Yes.
IAIN THOMSON. That's— Oh, good grief. That's just gross.
I mean, yeah, okay. Nothing quite that bad, but lots of stories.
One thing I'd forgotten about, apparently the Australians call weed or jazz cigarettes or whatever you want to call it, they call them cones. 'Cause they roll a big cone and then just, yeah, it's a very— an awful lot of drug-fuelled mayhem.
The title itself comes from a housemate who was crashing with them for a couple of days and went out for a falafel, came back, injected heroin, and died on the floor.
GRAHAM CLULEY. Oh.
IAIN THOMSON. And so he died with the falafel in his hand, became the title.
CAROLE THERIAULT. Cheery.
IAIN THOMSON. Cheery, but also it's one of those books, when I first bought it, I was reading it on the Underground, and it was one of the books that actually made you laugh out loud when you were reading it.
CAROLE THERIAULT. Oh, brilliant.
IAIN THOMSON. And I looked up, and there was a bloke staring at me. And he reached into his bag, and he pulled out a copy of the same book.
He was like, brilliant, isn't it?
GRAHAM CLULEY. You know?
CAROLE THERIAULT. Oh, that's a lovely moment.
GRAHAM CLULEY. And Iain, I've just looked it up on the internet. There's a movie version of it.
IAIN THOMSON. Really? No, I didn't know that.
GRAHAM CLULEY. There's an Australian comedy-drama film.
IAIN THOMSON. Oh, good lord. They'd have to either put a very heavy rating on that or tone it down a bit.
GRAHAM CLULEY. Came out 20 years ago, so you can go and check it out if you want. And a graphic novel version as well.
IAIN THOMSON. I don't think I want the graphic novel version, to be quite frank. Might be a bit too graphic.
GRAHAM CLULEY. Fantastic.
IAIN THOMSON. Excellent.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, my pick of the week should be Root Canal. 'Cause I had root canal yesterday. And let me tell you, a hell of a lot of nerve pain before. And actually I love root canal because I was in a lot of pain until I had the very expensive procedure, which has allowed me to talk today.
GRAHAM CLULEY. So you're all right now. You sound okay.
CAROLE THERIAULT. I sound great. I'm a little sore. I feel like someone sucker punched me in the jaw. But otherwise, however, I decided to instead select a single episode of a new series called Swarm, which I found streaming on Amazon Prime. Now here's the blurb. Swarm is an American satirical psychological horror thriller television series created by Janine Nabers and Donald Glover. And all I can say is holy freaking crapola. The end of the first episode is like capital D dark. And unpredictable and kind of nasty.
So, it's played by Dominique Fishback. She plays Dre, and you cannot take your eyes off her. She's an unusual, gripping lead. I loved her, loved her, loved her.
And she's this young, aimless girl, gaga for a pop star. When I say gaga, I mean she's totally obsessed. And this obsession leads her to take a dark turn, and then another darker turn, and then one that she'll never recover from.
And that's just episode 1!
IAIN THOMSON. Well, good grief.
CAROLE THERIAULT. It felt like a whole movie in itself. I'm nervous as hell about where it's gonna go next, so I haven't watched it in the last two nights.
GRAHAM CLULEY. What?
CAROLE THERIAULT. I'm not sure I can watch more, but I'm still recommending episode 1. Again, viewer caution, not for kids.
GRAHAM CLULEY. What's it called again, Carole?
CAROLE THERIAULT. Swarm. Swarm. Streaming on Amazon Prime. You've been warned. It's funny too. There are funny bits.
GRAHAM CLULEY. Okay.
IAIN THOMSON. I thought for a second you were gonna say The Swarm, the terrible Michael Caine film.
GRAHAM CLULEY. Oh, I remember seeing that at the cinema way back then.
IAIN THOMSON. It's hilariously bad. I mean, I know he was getting hit by the tax authorities left, right, and center, but—
GRAHAM CLULEY. Killer bees.
IAIN THOMSON. You know, when this sickly train dad comes up, "But the bees have always been our friends." And it's just like, oh God, Michael.
CAROLE THERIAULT. I remember that. I watched that as a kid and it scared the living shit out of me. I used to have nightmares.
GRAHAM CLULEY. Really?
CAROLE THERIAULT. They're coming up from South America through America, aren't they?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And I lived in Canada and I was petrified.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. I don't know how old I was. I'm sure it was under 10.
IAIN THOMSON. Well, there's a whole swath of films like that. If you ever get the chance, see Night of the Lepus, which is about rabbits hiding in an abandoned radioactive nuclear waste dump that suddenly turn giant and start biting people's heads off. It's just amazing. All I can assume is that in the pitch meeting for the film, everyone was doing a lot of cocaine.
CAROLE THERIAULT. Well, there you go. That's my pick of the week, Swarm, now streaming on Amazon Prime. Watch with caution.
GRAHAM CLULEY. Bonkers. Well, thank you very much, Carole and Iain. That just about wraps up the show for this week. Iain, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to find out what you're up to?
IAIN THOMSON. Best thing is theregister.com for our general stuff. And for at least the next week, I'll be on Twitter. That's Iain Thomson. Well, they're taking away my blue verified tag on April 1st. So I'm just kind of like, should I really still be supporting this site?
I don't know. It's all going a bit Pete Tong, to be honest.
GRAHAM CLULEY. I'm pleased they're taking away my verified tag. I don't want them mixing me up with the people who are paying for the verified, the mouth breathers. And you can follow us on Twitter @SmashingSecurity, no G nor any verified tick.
Twitter wouldn't allow us to have a G. Smashing Security also has a Mastodon account — find it at smashingsecurity.com/mastodon. And don't forget to ensure you never miss another episode: follow Smashing Security in your favorite podcast apps such as Spotify, Apple Podcasts, and Overcast.
CAROLE THERIAULT. And big massive shout out to this episode's sponsors: Bitwarden, Kolide, and hCaptcha, and of course to our wonderful Patreon community. It's thanks to you all this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 314 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, goodbye.
CAROLE THERIAULT. You know, Iain, you said that going Pete Tong.
IAIN THOMSON. Yeah, yeah.
CAROLE THERIAULT. So Pete Tong, he's a DJ in the UK for those, right? What, in the '80s?
IAIN THOMSON. He was '90s, still going. I saw him when he was over here last.
CAROLE THERIAULT. My, I don't know what I call it, aunt-in-law — she dated him.
IAIN THOMSON. Really?
GRAHAM CLULEY. Oh, wow.
CAROLE THERIAULT. She was his hottie for a bit when she was younger.
IAIN THOMSON. That's a celebrity shag you can boast about.
CAROLE THERIAULT. That's pretty close, I gotta say.
GRAHAM CLULEY. I had a girlfriend who, the previous person she shagged before me was... I've forgotten his name.
-- TRANSCRIPT ENDS --