This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Imagine you had woken up rather intoxicated somewhere, couldn't describe who you were, or—
Carole Theriault
Yeah, and yeah, all my fingerprints have been shaved off my hands and I have no DNA.
Graham Cluley
Couldn't identify you were Canadian, didn't have a raccoon on your head, they wouldn't know what to do.
Carole Theriault
Right.
Unknown
Smashing Security, episode 322: When You Buy a Criminal's Phone and Paying for Social Media Scams with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 322. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And Carole, you and me this week.
Carole Theriault
Aren't you lucky, listeners? You just have the two of us all to yourselves.
Graham Cluley
Yeah.
Carole Theriault
All right. But before we kick off, let's thank this week's wonderful sponsors, Kolide, Bitwarden, and Outpost24. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Graham Cluley
Your data. It's going, going, gone.
Carole Theriault
And I'm asking the question, who's going to pay for all these social media scams going forward? All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chum, your phone, your smartphone. Would you hand it over to me? Would you feel comfortable with that? Unlocked, would you come to me trawling through your phone, seeing all your messages?
Carole Theriault
I've given you my phone before unlocked. Yeah.
Graham Cluley
Okay. So I'd be able to see all your messages, what you've been saying about me, maybe.
Carole Theriault
Yeah, you could do searches on your name.
Graham Cluley
Go on.
Carole Theriault
Fucking asshole.
Graham Cluley
Do you even say my name or do you just say that shitbag?
Carole Theriault
That shitbag. What have you done this time? Jesus.
Graham Cluley
No, no. Well, you know, maybe private things as well. Maybe you've communicated with your loved one.
Carole Theriault
You know, you mentioned— Yeah, so that's still pretty vanilla.
Graham Cluley
Okay, okay, all right. Well, I'm not sure everyone would feel the same. A lot of people would think, oh, you know what? Some things should be a little bit private.
Carole Theriault
Yeah, but you're also a close friend, right?
Graham Cluley
Right.
Carole Theriault
You're not a stranger.
Graham Cluley
No.
Carole Theriault
You're not, you know, so it's not me just handing it to someone on the street, which I wouldn't do.
Graham Cluley
All right, okay. Well, picture the scene. Imagine that you are a criminal and you are being investigated by the cops. Well, I've been watching television. And— What? I know, I know, it's a shock, isn't it? Television is my Pick of the Week this week. It's a new device that's been— No, I've been watching television.
Carole Theriault
Have you? Television. Okay.
Graham Cluley
What I found out from television is that when you watch these documentaries about police investigations, the thing that they really, really want is your phone. They want to see who you've been messaging, who you've been calling, who's in your address book, who's in your social media circles. Your phone reveals so much about you and what you've been up to.
Carole Theriault
Well, I kind of get it because it's not like the cops know you from Adam, right? So they're coming in this blind and they can at least get some kind of reference points of who might be in your life. I get it. If you can't talk for yourself, I suppose.
Graham Cluley
Who did you call on the night of the murder?
Carole Theriault
Yes.
Graham Cluley
Who have you been secretly chatting with, plotting something? You know, if you're—
Carole Theriault
Who's been receiving your poop emojis?
Graham Cluley
Yeah. Well, okay. That's one thing you could do. So the thing is this: if you're going to do something dodgy, here's my advice. I'd say ditch your phone. Stop using the phone. Just don't use a phone at all.
Carole Theriault
Here you go again, giving advice to ne'er-do-wells.
Graham Cluley
Well, in the 1970s, criminals managed just fine without mobile phones. So I don't see why today, which is only a few years after the 1970s, I don't see any reason whatsoever why criminals can't do just fine with a landline. They did fine, you could do fine. Everything's gonna be fine, right? And it's clear to me when I watch these documentaries on TV, you know, sort of fly-on-the-wall things, that the cops always say, have you got his phone? Have you looked at his phone yet? Well, the cops are completely bamboozled if the person doesn't have a phone that they can seize. It's almost they've forgotten all other ways to investigate. It's what are we gonna do? If we can't search the phone, what are we gonna do? What are we gonna do?
Carole Theriault
If I'd gotten in trouble in Portugal when I'd forgotten my phone when I went on holiday, right? They would've been, to use your word, bamboozled.
Graham Cluley
They would've been. They wouldn't have known who you were. Maybe you imagine you had woken up rather intoxicated somewhere, couldn't describe who you were, or you couldn't maybe speak.
Carole Theriault
And yeah, all my fingerprints have been shaved off my hands, and I have no DNA. What's to be, yeah. Yeah, one of those.
Graham Cluley
They couldn't identify you were Canadian. Didn't have a raccoon on your head, anything that. They wouldn't know what to do if they couldn't find a phone. So, my advice, once again, for the bad guys, get rid of your phones before you do anything naughty. But it does seem there's plenty of criminals out there who aren't taking my advice on how to get away with the perfect crime. So they are still using their phones.
Carole Theriault
'Cause they wanna be in comps.
Graham Cluley
Well, is it that, or is it that they're Instagramming and TikToking and they can't, you know, they're too addicted to the socials? You know, they're doing a funny dance over the victim, recording it onto video. I don't know what it is, but they're just addicted to their phones, just everybody else.
Carole Theriault
Okay.
Graham Cluley
And so, the police are seizing, as you can imagine, every day, countless numbers of smartphones. In the United States, for instance, oodles and oodles of smartphones are being seized every day. And the question is this: what do the cops do with these phones afterwards?
Carole Theriault
I don't know, but I'm wondering, once your phone is seized, can't you remotely wipe it?
Graham Cluley
Well, you can, but you're in cuffs and you're in the cell.
Carole Theriault
Oh yeah, you're in the tank.
Graham Cluley
Right?
Carole Theriault
Yeah.
Graham Cluley
Right. Yeah, yeah.
Carole Theriault
To use the parlance.
Graham Cluley
Right. And so someone else has got your phone and they're able to access it. And maybe you go through the criminal process or whatever, the cops have seized it, they found all these phones and they're thinking, what should we do with these phones? I'll tell you what they do in the United States. They auction them off. Right?
Carole Theriault
Not only have you been arrested your entire life— and let me guess, they don't wipe them first.
Graham Cluley
Absolutely correct. And this—
Carole Theriault
You're kidding me! This is the finding of researchers at University of Maryland. They went into some auctions. I'm going right now.
Graham Cluley
Who are apparently the largest auction house for police departments across the United States. The University of Maryland, they went to these online auctions, and they bought 228 smartphones as is, sight unseen, from this website. Average cost, $18 per phone. Oh my god! There you go. Forget eBay, right? Yeah. You can probably get yourself a real bargain here, right? So these researchers, they got their paws on 228 phones. And they thought, let's take a look at these phones.
Carole Theriault
Right.
Graham Cluley
Now, 60 of the phones, 60 of the 228, simply didn't work. There was no battery, the screen was broken, couldn't power them on. So they thought, forget these, too difficult.
Carole Theriault
So what, the criminals had them on themselves just to look cool, like they had phones, but they actually didn't?
Graham Cluley
It may not have been a phone which was actually on them. Sometimes the phone which is seized may be secreted wherever they were arrested or something. Exactly. Yeah, yeah, yeah.
Carole Theriault
Got you, got you.
Graham Cluley
And so they'd just be grabbed.
Carole Theriault
Right. And it's, oh no, that's just an old phone.
Graham Cluley
Hidden down the back of a shrubbery or down the sofa or something. And they say, oh no, nothing to do with me. But of course they would then get looked at. So 26% of the phones simply didn't work. The researchers thought, this is too hard, we're not gonna look at these.
Carole Theriault
That's 1 out of 4. That's not that high.
Graham Cluley
1 out of 4.
Carole Theriault
Yeah.
Graham Cluley
But 1 out of 4, 61 of these 228 were accessible. Most of them were unlocked. And the others had their credentials guessed.
Carole Theriault
Okay, obviously no one who's listening to this show was part of this, because you're all smarter than that.
Graham Cluley
Well, you say no one, Carole, but there is a list of the most popular PINs and swipe patterns which people use.
Carole Theriault
Can I guess what they are?
Graham Cluley
Well, you probably can. Yes.
Carole Theriault
Okay, okay, let me try. Okay, I'm gonna say 1234.
Graham Cluley
That would be a likely one.
Carole Theriault
9999.
Graham Cluley
Yeah, 2468.
Carole Theriault
Yeah.
Graham Cluley
And sometimes people choose things like their year of birth. So you're more likely to have a PIN code which is 19-something, for instance, than you are to have 62-something.
Carole Theriault
Mm.
Graham Cluley
There are lists of the most popular PINs. And so in 11 cases, these researchers in Maryland were able to guess the PINs. And then they were able to have a look to see what was on these phones. And according to the researchers, some of these were being used as a tool for identity theft.
Carole Theriault
Of course.
Graham Cluley
And as Brian Krebs reports, the researchers said that these should never have been auctioned at all because they could have allowed the new buyer to recommit the same crimes because these phones hadn't been wiped. They contained lots of identity information. They also contained every text message, every picture, every email, browser history.
Carole Theriault
Yeah. I'm not worried about a buyer being able to carry on with the crime so much. Although, I don't know who goes and buys phones from a police auction. I mean, that's a—
Graham Cluley
Well, everyone does. Everyone who listens to this podcast now is going there rather than going to eBay.
Carole Theriault
There's an Apple MacBook Air laptop here! There's 38 bids on it! Yeah, not only do you get a handset, but— wow.
Graham Cluley
A MacBook and everything else. Yeah. So there were significant amounts of data pertaining to crimes, including victims' data. And in some cases, something like a dozen of the phones had photographs of government-issued IDs and passports. Three of the phones belonged to sex workers and contained what is euphemistically called communications with clients. Well, I say euphemistically. I suppose they were communications.
Carole Theriault
Yes, because literally.
Graham Cluley
Some kind of intercourse was taking place between client and sex worker.
Carole Theriault
Conversation, right?
Graham Cluley
Yes. And one phone had the full credit files for 8 different people on it. They had pictures of stolen credit cards, all kinds of things. There was one phone which had a sticky note attached, right? A little Post-it note. It was a sticky note put there by the police, which contained the mobile device's PIN number, which they'd brute-forced. And on that phone there was all kinds of credit history information.
Carole Theriault
I'm not surprised at all. I kind of feel most sorry for their contacts.
Graham Cluley
Yes, why is that?
Carole Theriault
Well, in my contact list I have, you know, people's names, phone numbers, email addresses, postal addresses.
Graham Cluley
Do you have photos of the people as well? Because I have photos in my address book so I can remember who on earth this person is.
Carole Theriault
I have some people. I don't think— I don't know how that works. I think I probably only 5% have it. I don't go— I can't 'cause I really, I have narrowed my contact list down to essentials. That's my hot tip today, actually. Go through your contact list and get rid of the builder that you used 10 years ago and the ex-tax accountant and, you know, all the people that you used to care about in one group or another that you never have spoken to in the last 5 years. Just remove them. Right? You don't need them in your contact list. And that way you don't have, you know, if something happens, they're not impacted.
Graham Cluley
Presume you don't butt dial them either.
Carole Theriault
Anymore. Right. And I've done that many a time in the old days.
Graham Cluley
So the researchers went to Property Room and said, look, this doesn't appear very good. And Property Room responded by doing absolutely nothing. They said nothing at all. But—
Carole Theriault
Not even a shit emoji?
Graham Cluley
Not even a poop emoji.
Carole Theriault
Right.
Graham Cluley
They haven't learned Elon's trick of sending poop. But recently, Property Room has updated its guidance to suggest that maybe mobile phones should be wiped before being sold at auction. I mean, do you think? Do you think that'd be a good idea?
Carole Theriault
No, I can't even believe that they're willing to take on the liability. What's their liability, Property Room?
Graham Cluley
Well, I imagine under the terms and conditions, they're not accepting liability. Nothing to do with me, gov. Yeah, I mean, if you want to sell something, you bloody well make sure that it's wiped. So the auctions are continuing. The police apparently are now going to do a better job of wiping this data, but it does, it sounds a fairly easy way to maybe get some information which could help you in a crime, perhaps.
Carole Theriault
Well, and also in a time when you're trying to kind of build trust with authority figures, cops, this is not good. This just shows lack of care for, you know, not only those that are, that have been arrested, but everyone else that they know. I don't it. I don't it.
Graham Cluley
You don't it. You don't it. You don't it.
Carole Theriault
Lock your phones, kids. Use good passwords.
Graham Cluley
So are you going to be buying your next phone from propertyroom.com, do you think?
Carole Theriault
No.
Graham Cluley
I'm a little bit tempted. $18 or a MacBook, something that could be good. Carole, what's your story for us this week?
Carole Theriault
Well, I'm heading down the avenues of social media. I mean, I don't know how I live without it, Graham.
Graham Cluley
Well, you do live without it, don't you? I do.
Carole Theriault
I just don't know how I manage because this is where you get to commune without leaving your couch or even opening your mouth. That's probably the problem with me is I like to talk too much. Just finger tap on an emoji heart and that's all it takes just for people to feel the love. You can spy on friends, colleagues, find out what they're up to.
Graham Cluley
You've gotta be careful though, haven't you? 'Cause for instance, I've got no idea on how to use Instagram and someone I know posted an image up on Instagram and I thought, oh, what's that of? And I tried to zoom in on it, and I wasn't sure how. And so I sort of clicked on it, and before I knew it, I'd liked it. And that potentially was a little bit creepy that I liked it. Why would it be creepy? I don't know. Well, I don't know. I mean, you know, I sometimes feel a like isn't appropriate. You know, it's oh yeah, thumbs up, brilliant. You know, maybe your dog's died or something. You know, it just seems a little bit you want a different sort of sniff emoji or something.
Carole Theriault
Yeah, there's a lot of bells and whistles on the socials these days, isn't there?
Graham Cluley
It's complicated for people.
Carole Theriault
And you can do all kinds of stuff. You can apply for jobs, find a date, make a friend, donate to charity, buy tickets. I can't even think of something that you couldn't do on the socials. Can you?
Graham Cluley
Go rollercoastering.
Carole Theriault
Yes. Okay, you see, I wouldn't know because I don't hang out there. I would assume you could do that there.
Graham Cluley
Yeah, you probably can. You probably can.
Carole Theriault
And do you know how many people in the world use social medias?
Graham Cluley
How many people? What level of precision do you want me to—
Carole Theriault
Across all of them. Yeah. Just for fun.
Graham Cluley
13 billion.
Carole Theriault
No, 5 billion. 4.89 billion. I shouldn't even round up. We're talking billions here. So 4.89 billion social media users are estimated worldwide.
Graham Cluley
Oh, I see. So over half of the population of planet Earth.
Carole Theriault
More than half, yeah.
Graham Cluley
Human population. Yeah. Are on social media sites. Yes.
Carole Theriault
And this is 2.2 billion more than in 2017, which is an 80% jump in 5 years. This is according to UK Finance.
Graham Cluley
Is it just that people haven't worked out how to delete their MySpace account?
Carole Theriault
I doubt it.
Graham Cluley
They've just left it.
Carole Theriault
This is a huge, ginormous engagement rate, right? This is massive. And yet we know that surfing can get rough out there, what with people sharing things like online quizzes that reveal too much personal information to ne'er-do-wells, or being duped by fake lovers who claim to be gaga for you. I mean, so gaga that they need to see you right now, so send me money before my heart explodes. Or, you know, reeled in by a stand-in for a family member saying they're in danger abroad, you know, the mom and dad scam. And there's the poison ads, there's the fake accounts, and blah blah blah. It's a shit show out there. But how much is it costing us is the question. So UK Finance published a report issued late last week saying that Britain's lost £1.2 billion to fraud in 2022. This is the equivalent of £2,300 every minute, which, you know, I don't know.
Graham Cluley
Which we can ill afford to lose.
Carole Theriault
And UK Finance looked at how and where people were most likely to become a victim of scams, both in the real world and online.
Graham Cluley
Oh, right.
Carole Theriault
So first you have to understand just one weird nomenclature. It was for me, I learned that whilst I was doing this research. So they divide fraud into two categories, authorized and unauthorized. Have you heard about this?
Graham Cluley
Authorized fraud? What does that mean?
Carole Theriault
Right, so that's where you are duped, right? You are duped into paying money into a scammer's account or handing over a password. In other words, you take an action.
Graham Cluley
No, okay, so you were an active party, you were part of the fraud. You got tricked.
Carole Theriault
Yeah, you got tricked, you got duped, you got scammed. And you donated that information over. Whereas an unauthorized, you know, is where you're not involved at all. So maybe your credit card got stolen and purchases are being made on that card. You weren't involved.
Graham Cluley
Right.
Carole Theriault
So interestingly, when you suffer a bout of unauthorized fraud, this is where you're not involved, where you took no action. Bank and credit card companies in the UK are legally obliged to protect you from losses.
Graham Cluley
Yes, I knew that. Yes.
Carole Theriault
Whereas authorized fraud victims may find it much, much more difficult to get their money back.
Graham Cluley
Yeah.
Carole Theriault
So apparently 78%, so almost 80% of authorized fraud cases start online. And the vast majority of these, 3 out of 4, start on the socials. The second favorite approach is telecommunications, such as, you know, a phone call or a text message. And these don't happen nearly as often, but they tend to be higher-value targets according to UK Finance. So instead of being on the hook for £1,000 or a few hundred pounds, it might be more tens of thousands of pounds.
Graham Cluley
Yeah.
Carole Theriault
And get this, it might lead back to emails, you know, listeners who have decided to say poo-poo to that. UK Finance says only 2% of authorized fraud cases originate here. So that's changed a lot in my time doing this business. But the amount of fraud coming from the socials is getting some UK banks in a lather. So just last week, UK bank TSB called out Meta, this is the papa of Facebook, Instagram, and WhatsApp, saying that 80% of the fraud cases brought to them originated on one of these social platforms, one of the Meta social platforms. And of course, banks have been warning us about the dangers of social media scams for at least a decade, but apparently, TSB is one of the first banks to break cover and directly call on Meta to clean up its act.
Graham Cluley
So the likes of Facebook and Instagram, et cetera, they've got to clean up their act. Is there more that they should be doing?
Carole Theriault
Sorry, I felt I was on Radio 4 there or something. TSB say that Facebook Marketplace is the mega culprit here. So apparently Facebook Marketplace has exploded in popularity in recent years, probably after the pando. And sellers list goods and arrange a sale with potential buyers through Facebook's built-in messaging platform. That's how it works. But unlike other platforms like eBay and Amazon, Facebook doesn't have its own payment platform, which means shoppers are often using bank transfers to send money directly. And this leaves them without the protections offered by PayPal or credit cards and debit cards, where payments can be reversed if goods and services aren't delivered as advertised.
Graham Cluley
Okay. Right. I've never used Facebook Marketplace, but I do know people who've used it. I didn't realize that it has this drawback. No, me neither. Me neither. Yeah. The other one TSB points out is the mom and dad scams that are happening on WhatsApp. So they say the scam has jumped up 300% this year, which to me is not that surprising since it's pretty nascent as a tactic, right? Yeah.
Carole Theriault
And hearing all this TSB rant, giving out its fury publicly, I'm sure it's voicing the feeling that is felt across the whole banking sector.
Graham Cluley
Yeah.
Carole Theriault
Yeah. One of the spokespeople said for TSB said, at present, banks are solely responsible for reimbursement when customers unfortunately become victims of scams. But it is vital that all sectors are incentivized to invest in prevention.
Graham Cluley
How interesting. So Mark Zuckerberg, they're saying, needs to care a bit more about this and maybe care in the pocket. Yeah. Sounds a lot of money to me.
Carole Theriault
And that's not really a surprise, right? The banks want to split the fraud costs with the folk that make them possible. That makes sense to me. Those that are not doing enough to prevent scams on their sites are sitting there shoveling money into their gobs at breakneck speed. And it can be frustrating, I expect, for the financial community. Well, obviously Twitter's not shoveling money into its gob, but there you go. Thank you to its wonderful leader. Now, it seems that in the UK, at least some changes are afoot. So measures to protect people from internet scams will now be included in the proposed online safety laws. This is according to the UK government. Under a previous draft of the Online Safety Bill, platforms that hosted user-generated content would have a duty of care to protect users from fraud by other users. So the bill will require online platforms to protect users not just from user-generated scams, but also from prepaid fraudulent adverts, things like unlicensed financial promotions. Sounds a lot of money. So there's a lot of things like, hey, you can save money here, get a mortgage here. And there's fraudsters obviously impersonating legitimate businesses, as well as ads for fake companies and all that jazz. And this change will affect the largest and most influential social media companies, right, and search engines out there. So Twitter, Facebook, Instagram, Google, all of them. And according to the bill, such platforms and search engines will need to put in place proportionate systems and processes to prevent the publication and/or hosting of fraudulent advertising on their services. And remove it when they're made aware of it. So that's an interesting line to me, made aware of it. So it's we don't know what we don't know. So I wonder if maybe social media users, and I want to know what you think of this, should be more diligent in kind of posting stuff saying this is suspicious, this is suspicious, rather than just ignoring it and moving on.
Carole Theriault
Right. And it's really difficult. I spend, I probably the social, I don't know if you call it a social media, but is YouTube social media? Whatever. I spend a lot of time on YouTube, not a lot, but that's probably where out of all the social medias, I probably spend my most time.
Graham Cluley
There's a lot of scams up on YouTube. Actually. It's crazy up there. Yeah.
Carole Theriault
But what does impact me is ads, you know, and a lot of these ads seem scammy as anything. But I haven't found a way to be able to say report this ad because of course the person who makes the video has just said, yeah, give me some ads and make them good in places like the UK, Canada, whatever. But they're not aware of what ads I'm being shown in my country, for example. All the ads are kind of tailored to the user. So how can the content provider be responsible? The person who's responsible is the social media provider, in my view.
Graham Cluley
It's complicated though, to test, to check all these things in advance and work out if they're illegal or whether they're suspicious and all the different territories which they have to look after.
Carole Theriault
100%. But they say, well, you know, we will remove it when we're made aware of it. So this is what I'm hearing now. And of course, this is still a proposed bill. It's not a passed bill. So we'll need to see what happens. But here I am hoping for social media sunshine and rainbows in no time at all. And I don't think that's wishful thinking on my part in any way.
Graham Cluley
Hey, did you hear the latest about the metaverse? Talking of Mark Zuckerberg, you know how he renamed his company Meta and he poured billions of dollars into developing this kind of virtual world thing where people have no legs and sort of bobble around and play. Apparently now they've realised that that's not going to be a big success. And he said, oh, you know, maybe I should be doing AI instead. And so it seems they've sunk all this money into the metaverse and now they've realised they're rather late on the whole AI bandwagon. Maybe you could use AI to check all these ads. And see if they're dodgy that way. If they invested all that money, just an idea, Mark. Yeah, just an idea, Marky Mark. Well, yeah, I think we all have a responsibility in real life and in digital worlds as well.
Carole Theriault
Right.
Graham Cluley
To highlight when things are going wrong or when some suspicious activity is going on. I think we should, you know, if you see something bad, then isn't it great if you have a little button where you can say, I think this is a bit dodgy. Please.
Carole Theriault
This week's sponsor, Outpost24, delivers smarter cyber risk management, making it easy to identify security gaps in your attack surface and prioritize the vulnerabilities that matter. With Outpost24, you get the most complete view of your attack surface and threats targeting your organization. Helping your security team understand what's real, what's dangerous, and what's important to fix in the environment right now. Application security, vulnerability management, cyber threat intelligence— they've got it all covered. They can even protect your remote workforce and critical data by blocking weak and almost already compromised passwords. Sign up for a free attack surface assessment from Outpost24. Get insights into exposed domains and web applications, ransoms, leaked credentials, and more. Sign up for your free attack surface assessment at smashingsecurity.com/outpost24. That's smashingsecurity.com/outpost24.
Graham Cluley
Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log in to your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in Zero Trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.
Carole Theriault
Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
Graham Cluley
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security related. My pick of the week this week is, oh, it's a milestone in video game history because last week, if you weren't aware, Nintendo released Legend of Zelda: Tears of the Kingdom. And I haven't played a second of it.
Carole Theriault
Oh, well, great. This is a great—
Graham Cluley
I have, however, watched my son play it for many hours.
Carole Theriault
And so you haven't actually— you've seen it. You just haven't had your hands on the controls.
Graham Cluley
And to be honest, even if I had the controls, I wouldn't really know what I was doing. I'd press the wrong things. And he seems to be doing jolly, jolly well in it indeed. This is the successor. It's the sequel to Breath of the Wild, which is possibly the greatest video game ever written. I'm not sure. There's a couple of others which probably are up there as candidates for that. But this really is an evolution of the game. If you've never played Legend of Zelda, it's a huge open world, 3D. You've got potions, you've got weapons, and you now have—
Carole Theriault
Every single listener has played Zelda or has heard of Zelda. No. Hi, Mom. You probably haven't played.
Graham Cluley
Well, you now have commands like Fuse and Ultrahand. And oh boy, those are fun. What you can now do is you can pick up wheels and platforms and fans and motors and rockets, and you can attach things to each other and make vehicles and career off the islands in the sky, or you can go down into the depths in the underworld beneath the land of Hyrule. All I can tell you is the game is enormous, incredibly detailed, and huge, huge fun just to watch. And so I'm recommending The Legend of Zelda: Tears of the Kingdom. Carole, your husband is a big fan of the Zelda games, isn't he?
Carole Theriault
He is. I think, Graham, and this is maybe a good time to talk about what happened last week with respect to Zelda. Yeah.
Graham Cluley
Okay.
Carole Theriault
Yeah.
Graham Cluley
I'm sorry about that. Yeah.
Carole Theriault
Oh no. This is the first time I've heard you say that, actually.
Graham Cluley
Well, it wasn't really my fault. It wasn't my fault.
Carole Theriault
Well, so Graham calls me and he's like, look, your husband loves Zelda. Why don't you buy it for him? He would love that so much. And I'm like, oh, maybe I should, because he has been really helpful recently. I'm doing this art show, he's been helping me loads. And I'm like, oh, but I can't because it's his account on the Nintendo Switch. It's his account that's connected to it, so he'll see that. And Graham's like, no, no, no, I know where you can get it, and you can even get a deal, £3 off, he says. That's right, go here, it's great, he says. So off I trot, I fill in the paperwork, I do all the stuff, I put in my account details, and I'm finding my little— here, I'm sending right now, Cluley, as we speak. And the buying process is not simple. And then I call Graham, I'm like, this isn't simple. It's kind of hanging. He's like, oh yeah, mine hung for a while.
Graham Cluley
It was simple for me. I managed it.
Carole Theriault
Yeah, you said to me, oh yeah, it hung for a few minutes. It hung for a few minutes.
Graham Cluley
Yeah, it took a few minutes.
Carole Theriault
Yeah.
Graham Cluley
I saved £3, so I was pleased.
Carole Theriault
Yeah. Okay, look, good. It was good for you. Okay? You totally created this entire drama in my life. So I get a screen, which I've just, I screenshot, I've just sent to Graham saying payment unsuccessful. So I'm like, goddamn, I'll have to go through this all again. I go through it again. Yet in my email, I have two, 5 minutes later, I got, hey, both are successful. You've bought Zelda now twice. And so I'm like, oh shit. I'm looking for support. See how I can get the money back. I'm like, what am I, a dweeb or idiot? So I finally get my husband involved, right? I'm like, dude, I was trying to get Zelda because you're great and you love Zelda. And he's like, oh my God, I bought it weeks ago. I bought it weeks ago.
Graham Cluley
I didn't tell you. He pre-ordered, didn't he?
Carole Theriault
Yes, he pre-ordered. So, God, I have two accounts going, right? Current market value in the UK is 60 quid, I think, 59.99.
Graham Cluley
Yeah, it's expensive.
Carole Theriault
I'm willing to sell them for 50 quid each. So any listeners that are interested… They're untouched. I've got the codes. Don't hack my email, you fuckers. Thank you, Graham. Thank you so much. And well done, Carole, for listening to you once again.
Graham Cluley
I was just trying to do something nice for your husband.
Carole Theriault
Yeah, well, you didn't do anything nice. What happened? Your intentions and the reality did not work out. So I took a screenshot in case it wasn't me being a dick.
Graham Cluley
No, I'm sure you'll get your money back. Maybe.
Carole Theriault
Well, we'll see. Perhaps. Who knows? He's not even been able to start yet. There's been a lot on our plate. So that's the irony of the whole thing.
Graham Cluley
For sake.
Carole Theriault
Oh dear.
Graham Cluley
Okay, Carole, what's your pick of the week?
Carole Theriault
My pick of the week is a brand new piece of kit that I got so I could scan some artworks, right? And start making some high-quality prints available.
Graham Cluley
Mm-hmm.
Carole Theriault
But the problem I had in finding a scanner, 'cause I wanted to be able to scan at least A3, or that's a little bit bigger than legal size in the States. And normally you would go for a flatbed scanner and it's this big machine. It's huge.
Graham Cluley
Yeah, it'd take up a lot of room. Yeah.
Carole Theriault
And I have a very bijou household. So that wasn't really an option for me. So after some careful research, because I know fuck all about scanners, but I talked to people and learned stuff, I ended up getting the Fujitsu ScanSnap SV600. And what's cool about this is it's an overhead scanner, so it's a bit like a mini streetlight, right? And you place whatever you want underneath it and press a button. Presto. And you can get up to 600 DPI. It scans everything to PDF, which is a lossless format. So that means you can scale up images or information without losing resolution, which is important in the art world.
Graham Cluley
Yeah.
Carole Theriault
It's super fast, so large scans will take 3 seconds. I've done 150 scans so far, so I've put it through its paces.
Graham Cluley
I want to picture this thing, okay? So you've got a little lamppost with a lamp on it that's looking down, and you put your art underneath.
Carole Theriault
Mm-hmm. And then you press a button and it goes— No, it opens up like a kind of space thing. It has lights underneath so it protects its lens, and it does a little— and it takes 3 seconds and then that's it, it's done. And it renders up on your computer and then you can do what you want with it.
Graham Cluley
That's very cool.
Carole Theriault
It gets cooler than that.
Graham Cluley
Oh, okay, go on.
Carole Theriault
It can scan a book and it has page turning detection. So say you had an old book that you wanted to get digitized, you could literally just put it underneath this thing and you can turn the pages slowly, every 3 seconds you turn a page and it will record everything and get rid of all the page formations because it'll understand what you're doing.
Graham Cluley
Okay, that's very clever.
Carole Theriault
Yeah, and it can read everything. It has OCR technology, so it can actually— you can search it like a PDF document.
Graham Cluley
Yep, yep.
Carole Theriault
So very cool. The only downsides I've noticed are it's not great at picking up very light shades of blue, but that's something that you can adjust in post-production. So that's one of the things I found. And the other thing is the interface or the UI. Okay, so the software seems pretty robust, but it's not intuitive, and it took me a while to figure out its logic and how to build up a scan setting and a profile and, you know, I don't know, it just had its own language, but I did it. So I did it. It took me a few days.
Graham Cluley
So Carole, you may not know that I have a ScanSnap as well from Fujitsu.
Carole Theriault
Do you?
Graham Cluley
I don't have the one. So what's the one you've got? The ScanSnap?
Carole Theriault
SV600.
Graham Cluley
Okay. That sounds very space age. I've got the iX500.
Carole Theriault
I didn't know that. We're not being sponsored by Fujitsu, although we're welcome to have conversations.
Graham Cluley
You can feed in A4 pages and it scans them double-sided, turns things into PDFs. It's really good for paperless office.
Carole Theriault
Yep.
Graham Cluley
OCRs things. It's brilliant. Works really well. But obviously yours is a more specialist requirement.
Carole Theriault
There you go. So if Graham's happy with his, you can have one just for documents.
Graham Cluley
Yeah.
Carole Theriault
Anyway, the best thing, despite being very powerful and able to scan super A3 images, it's not huge. So I can put it away in its box and not feel guilty about it taking up too much space. And that's very great.
Graham Cluley
And this must really help the carole.wtf empire, the business empire, because now you'll be able to sell prints more easily of your fabulous artwork.
Carole Theriault
I'm going to be the first rich artist. Well, you know, yeah, it's going to be great. Yeah, this is a real moneymaker. This is the way to go, guys. This is the way to go if you want to make dosh. No, but it's a really fun scanner, but it's not cheap.
Graham Cluley
How much does it cost?
Carole Theriault
£500. Yeah, it's about the same in the States, but I am happy with the purchase so far, and I think it'll make the ROI back as my plan. So Fujitsu ScanSnap SV600 is my pick of the week. Graham, you have the—
Graham Cluley
The Fujitsu ScanSnap iX500 is what I have. Yes, nice.
Carole Theriault
Rock and roll. There you go.
Graham Cluley
Hasn't this been a wonderful podcast? We've had terrific stories, we've had most excellent picks of the week. I think we should probably wrap it up. If you want to follow us, you can follow us on Twitter @SmashinSecurity, no G. Twitter allows us to have a G, and we also have a Mastodon account. Easiest way to find it is at smashingsecurity.com/mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in the likes of Spotify, Apple Podcasts, and Overcast.
Carole Theriault
And big shout out to this episode's sponsors, to our sponsors, Kolide, Outpost, and Bitwarden, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. And of course, as always, for episode show notes, sponsorship info, guest list, and the entire back catalog of more than 321 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye.
Carole Theriault
Bye.
Graham Cluley
Sounds like something from Star Trek, your scanner.
Carole Theriault
Yeah, it's pretty fucking cool.
Graham Cluley
I can imagine Dr. McCoy using it.
Carole Theriault
I'll send you a pic of it, it's quite cool. I've been able to knit paintings together that are too big to scan. So I've been able to kind of take two scans and then match them up, but they have to be super, you know, I've got to do it all super, you know, whatever. It's a big pain in the fucking ass, but I have been able to do it, which is kind of cool. Yeah, fantastic. Okay, rock and roll, man.
Graham Cluley
Stop recording.
Carole Theriault
Oh yeah, good, good, good. Let's do that.
EPISODE DESCRIPTION:
Personal information is going for a song, and the banks want social media sites to pay when their users get scammed.
All this and much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
Outpost24 – Understand your shadow IT risk with a free attack surface analysis.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!