This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Sean Kelly didn't know that the robot could speak to him. So he said, hello, Sean, I'm watching you. It was able to say, take me to your leader. Smashing Security, episode 388, Vacuum Cleaner Voyeur and Pepperoni Pact Blocks Payout with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 388. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Carole Theriault
Hello, Graham. Well, you're having trouble.
Graham Cluley
We discussed before we hit the record button that you were just going to say—
Carole Theriault
No, no, you, that's not true. We didn't discuss it. You just said, do this. And I just thought, no. All right.
Graham Cluley
Okay. Well, what do you want to do?
Carole Theriault
Well, I just want to see how you were.
Graham Cluley
I'm all right.
Carole Theriault
You have a big trip coming up. A little stressed, maybe?
Graham Cluley
Well, by the time people are hearing this, I will be either in the States or on my way back from the States. I'm making a lightning visit to the Rochester Security Summit where I'm giving a keynote. Be very, very exciting.
Carole Theriault
Yes, Rochester.
Graham Cluley
Yeah, not Rochester in England. This is Rochester, New York State.
Carole Theriault
Well, I'm sure there's going to be a welcoming parade for you.
Graham Cluley
Then I'm off to Oslo, then I'm off to Stockholm. Never stops.
Carole Theriault
Stop showing off.
Graham Cluley
I'm not showing off. Well, okay, I am a bit.
Carole Theriault
Yeah, you are.
Graham Cluley
Okay.
Carole Theriault
Let's kick the show off, shall we? But first, let's thank this week's wonderful sponsors, 1Password, Vanta, and SentinelOne. Now, coming up in today's show, Graham, what do you got?
Graham Cluley
I'm gonna be explaining how security can really suck.
Carole Theriault
And I'm gonna talk about how a pizza can screw everything up. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, I want to take you by the hand and drag you halfway around the world to Brisbane, Australia.
Carole Theriault
That's a long handhold.
Graham Cluley
It's a long way to hold the hand. It may get a little bit clammy. You can let go if you wish, anyway.
Carole Theriault
Yeah, it's post-COVID now. We don't really hold hands. That's not— that doesn't— we don't do that.
Graham Cluley
No, you didn't hold hands during COVID, I hope. Now you are allowed to hold hands again, I believe. Anyway, wash your hands, everybody. Sean Kelly is a chap down there in Brisbane, Australia. He's a dad. He's got a lot on his plate. He's got—
Carole Theriault
Mm-hmm.
Graham Cluley
Twin toddlers.
Carole Theriault
Oh, maybe he does have a lot on his plate. That's not easy.
Graham Cluley
A 5-month-old baby.
Carole Theriault
Mm-hmm.
Graham Cluley
A job. And a wife. What's a guy to do? What's a guy to do in that situation?
Carole Theriault
Yeah.
Graham Cluley
His house must be an utter tip, full of baby vomit and drool and smelly nappies, and then there's the kids to think about as well. Oh, it must be absolutely horrific. And what would any sane man do in such a situation? Well, what would your sane man do in that sort of situation? Carole, what do you think? Well, you could get a cleaner. That's one way. Yes, you could get a cleaner. Or you could do what the typical man does, which is spend a ton of cash on a robot vacuum cleaner.
Carole Theriault
Yes, a Roomba.
Graham Cluley
Other makes are available.
Carole Theriault
Yes, of course there are.
Graham Cluley
Other makes, yes. But yeah, I suppose Roomba is the Hoover. It's become the generic term.
Carole Theriault
The Kleenex.
Graham Cluley
Yes. So, you've done what most Australians do really is they just throw money at a problem, hope it goes away. The more money, the more tech you can introduce into your life, the better. He spent $2,500 Australian dollars, which is approximately $1,600 US dollars.
Carole Theriault
I know somebody that bought a sweater once for $1,000.
Graham Cluley
A $1,000 sweater.
Carole Theriault
A $1,000 sweater. You know them too.
Graham Cluley
What was it made out of?
Carole Theriault
I don't know, some kind of very fancy wool, probably alpaca or something.
Graham Cluley
Jeepers.
Carole Theriault
Anyway, $1,600.
Graham Cluley
Yes, huge amount. He must have felt pretty confident that he'd made a good choice because he'd bought a top—
Carole Theriault
Oh, he's loaded.
Graham Cluley
Well, he'd bought a top-of-the-line vacuum cleaner, the Ecovacs Deebot X2. Sounds professional. It does, doesn't it? And you think, oh, you know, as I've got their top model, it's going to be super secure. And for months and months he was using it. He had the little app on his smartphone. He was loving it, scuttling around, you know, obeying his every command.
Carole Theriault
How dull do you have to be to sit around and watch your vacuum on your phone clean your house? Room 9, 99% done.
Graham Cluley
I can kind of identify with that.
Carole Theriault
Oh, you'd love that.
Graham Cluley
I can imagine checking in with it, yeah. I would attach some googly eyes to it. I just want to give it a bit of a personality, a bit like one of those Henry the Hoover things. I'd want it to be cute.
Carole Theriault
You wanna put a little mop on the top to see if it looks like it's got hair? What, get a cleaner?
Graham Cluley
Yeah, and I would worry that it gets stuck under the piano or, you know, all the time. I would care for it. Because I don't have a cat, I don't have a dog, Carole. So I'd worry—
Carole Theriault
Yeah, so why not love your vacuum? Okay.
Graham Cluley
Why not? Why not? So months and months he was using this. Everything seemed fine until he got contacted by a reporter from ABC News.
Carole Theriault
Mm-hmm.
Graham Cluley
In Australia.
Carole Theriault
Australia.
Graham Cluley
Who asked if he wanted to take part in a little experiment.
Carole Theriault
Okay. I don't know. I think this would be a scam right away. I'd be like, what do you mean?
Graham Cluley
Oh no, this is— There's no criminals in Australia, Carole. There's no— Hang on a minute.
Carole Theriault
No, but—
Graham Cluley
Hang on a minute.
Carole Theriault
It's kind of weird that the media calls you up out of the blue and says, hey, you're randomly selected. It's not the '80s.
Graham Cluley
Well, they had somehow determined that he had one of these robot vacuums.
Carole Theriault
Right, right, right.
Graham Cluley
And they said to him, you know, it's got a security flaw in it. Which means that anyone can see and hear your every move via the robot vacuum. A hacker could seize control of its video camera and microphone, so it can see you in your pajamas.
Carole Theriault
Okay.
Graham Cluley
Or worse.
Carole Theriault
So if I were the vacuum owner, I'd be like, "Could or has?" There's a big difference.
Graham Cluley
Well, that's the experiment, isn't it? That's the thing, isn't it? Is this theoretical or not? I mean, I have to ask, why does a robot vacuum even need a camera and a microphone?
Carole Theriault
So you can tell it off and it can respond and thank you for the advice?
Graham Cluley
Do you think that's what it is?
Carole Theriault
No, I have no idea.
Graham Cluley
You think it's voice activated?
Carole Theriault
So yeah, so you can probably go, "Go to bed." Because your girlfriend's come over, right? And it's busily vacuuming the bathroom.
Graham Cluley
Make yourself scarce. Yes.
Carole Theriault
Go home.
Graham Cluley
That's what you do. If your girlfriend's coming over, you tidy up your house. And then when she arrives, you say, "I'm sorry it's such a mess." Because your girlfriend will see all the mess which you haven't noticed when you did your tidy up. So similarly, if you have a robot vacuum cleaner, you set it to work for 8 hours, and then you will say to the person coming round for the date or whatever, you say, I'm so sorry, I haven't had time to clear up. Although you have cleared up because she will see mess. And so that's sort of, you know, there's a level of mess that you know.
Carole Theriault
I don't even know what you're talking about. I have no idea. I just right now I want to know, has this happened? Because that's very mortifying because you've had this for months and months in your house. You've been strutting around naked, presumably having a few rows with your other half. You know, dealing with screaming babies everywhere, kids. How does he have young babies and the thing hasn't been jammed with, you know, some kind of food product?
Graham Cluley
Like pacifiers or all that goo they eat. Yeah, I mean, you know, babies make a lot of mess. But you need to know, is this a serious problem? Am I going to have to wear a balaclava while I go around the house? Am I going to have to invest in a dustpan and brush?
Carole Theriault
Maybe you can get your money back.
Graham Cluley
Yes. Maybe you can. Well, this flaw was not just theoretical. It had actually been exploited by an independent security researcher called Dennis Giese, or Geese. I'm not sure. His hobby is hunting for flaws in robot vacuums. That's what he likes to do.
Carole Theriault
I love that.
Graham Cluley
He loves to have a little meddle and a fiddle with a vacuum. And he's looking for security holes. He's looking for ways to meddle around with them. And he discovered a method to remotely exploit all of Ecovacs' robots, not just the vacuum cleaners, but also they do lawn mowers as well.
Carole Theriault
What?
Graham Cluley
Yes.
Carole Theriault
That's much more scary.
Graham Cluley
It's a similar technology.
Carole Theriault
Because it's got blades. Yeah, but it doesn't— it has blades, right? It's not just a suction to pick up little dust and stuff and wrappers and whatever else. It has blades that cut grass.
Graham Cluley
Yes.
Carole Theriault
You wouldn't want that hunting your cat down.
Graham Cluley
But I think most people don't go sunbathing in the back garden, do they, when there's a robot lawnmower going across the grass, do they? I mean, you kind of hear it coming, I would think.
Carole Theriault
It depends how big your garden is, I imagine.
Graham Cluley
La-di-da.
Carole Theriault
You could have your headphones on, your noise-cancelling headphones.
Graham Cluley
I suppose. It's a very good point. I think ABC News have investigated the wrong thing. Because they concentrated on the Deebot X2. When they should have got the lawnmower instead. Okay, so this Geese guy, I'm gonna call him Geese.
Carole Theriault
Okay.
Graham Cluley
This Geese guy discovered a way to exploit these robots, including the vacuum cleaners via Bluetooth, gaining access to sensitive information, functionalities. Oh, including the onboard camera and microphone.
Carole Theriault
Bluetooth, Bluetooth.
Graham Cluley
Ah, I knew you'd say that. What's your problem?
Carole Theriault
Okay.
Graham Cluley
No, no, no, no, well—
Carole Theriault
Don't you need to be within a very small range?
Graham Cluley
Interesting, isn't it?
Carole Theriault
I don't know what happened to you.
Graham Cluley
Interesting. I thought you'd fall into my little bear trap there. Yes, normally— that's the thing, isn't it, with Bluetooth? Normally you think it's hard enough for me to connect my Bluetooth headphones with my Bluetooth laptop when I'm sat 2 feet away from it.
Carole Theriault
Exactly.
Graham Cluley
How's a hacker going to connect to my robot vacuum cleaner? Is a hacker going to get underneath my sofa?
Carole Theriault
Exactly.
Graham Cluley
How are they gonna do it?
Carole Theriault
Right.
Graham Cluley
Turns out they could do it.
Carole Theriault
Bluetooth extender?
Graham Cluley
No, no, no.
Carole Theriault
Okay. Daisy chain Bluetooth?
Graham Cluley
No, no, no, no, no.
Carole Theriault
Okay.
Graham Cluley
You're gonna find out.
Carole Theriault
I was guessing.
Graham Cluley
Oh yeah, well, no, it's good. So it's a problem, as you're gonna find out, because they don't have to be in the same room or even in the same office or home.
Carole Theriault
Oh my gosh.
Graham Cluley
Let me tell you. When they eventually decided to do this test, this experiment, the wife— remember I mentioned the wife earlier— the wife said, no, you're not doing this with ABC News. You're not doing this in our house. The place is a tip. We're not having the cameras in here. No way are we doing this. Plus the privacy concerns. You can take your robot vacuum cleaner, you nerd, to your office in downtown, and they can do the experiment there. Because in Sean Kelly's office, they've got a little office kitchen. So he took his robot there. And that is on the 4th floor, right?
Carole Theriault
Okay.
Graham Cluley
Of a tower block.
Carole Theriault
Yep.
Graham Cluley
And the reporter who was doing the hacking was over the other side of the street at ground level in a park.
Carole Theriault
Jesus.
Graham Cluley
And he was able to gain Bluetooth connectivity with this vacuum cleaner. I mean, that's pretty impressive.
Carole Theriault
What can you do with the vacuum once you've taken control? Vacuum nonstop?
Graham Cluley
Well, you can do—
Carole Theriault
I'm just trying to think of the world-ending scenario.
Graham Cluley
Well, the main thing I think, Carole, is the privacy angle of taking over the camera and the microphone.
Carole Theriault
Oh, of course. It's vacuuming all night. I can't sleep!
Graham Cluley
This— yeah, it's a denial of sleep attack. This researcher even said he could brick the robot, which is pretty much how any robot vacuum responds when it encounters a stray sock anyway. But he could, you know, completely clog it up and stop it.
Carole Theriault
Ah.
Graham Cluley
So, this Geese chap, let's go back to him, right? He found this vulnerability in these Ecovacs robots.
Carole Theriault
Yeah, yeah, yeah.
Graham Cluley
And in the vacuum cleaner. He told Ecovacs responsibly.
Carole Theriault
Yep, as you're supposed to.
Graham Cluley
About the vulnerability in December 2023.
Carole Theriault
Okay.
Graham Cluley
And by this August, still hadn't been dealt with. They didn't respond to him. And so he decided, well, I'm going off to Vegas, I'm going to this hacking convention, I'm gonna talk about it there. He didn't share too many details, 'cause he knew the security hole still hadn't been addressed. But that's how ABC News found out about it. And they contacted this researcher. And with Sean Kelly's permission, they hacked his robot vacuum.
Carole Theriault
Live on air!
Graham Cluley
Well, I don't—
Carole Theriault
It's just very funny. I just think a lawnmower would've gotten a bit more headlines. I just really think.
Graham Cluley
So they were able to view shocking footage of Sean Kelly making a cup of coffee in his office kitchen on the fourth floor of this tower block. But they were also able to speak to him. Sean Kelly didn't know that the robot could speak to him. So it was able to say, "Hello, Sean. I'm watching you."
Carole Theriault
It did.
Graham Cluley
Which freaked him out.
Carole Theriault
Imagine with your vacuum with the googly eyes. Yes! Take me to your leader. Wouldn't you—
Graham Cluley
Of course you would.
Carole Theriault
Yeah, you probably would.
Graham Cluley
You would be frightened. Because you're thinking, "This is the singularity."
Carole Theriault
This is all the AI coming to life. Or who's on the other side of it also is maybe the big question. Exactly. This is Terminator 2: Judgment Day.
Graham Cluley
So, initially, Ecovacs said, "Look, this isn't a problem." They said this requires specialized hacking tools. It requires physical access to the device. An ABC News reporter said, no, it doesn't. We're just a TV news reporter. All I needed was a smartphone. And now Ecovacs are taking it a bit more seriously. Now, you may be thinking, well, why didn't this Sean Kelly guy check to see if his vacuum was certified for good security? Has it got one of these sort of kite marks? There are regulators around the world saying this device has reached this cybersecurity standard. You know, these testing standards that exist. Have you heard of these, Carole, in various industries?
Carole Theriault
I have heard of them. Some of them happen to be very, very, you know, on board. But I didn't know there was any mandated certification that was required with these devices. I suppose it depends on which jurisdiction you're in.
Graham Cluley
I think more and more of these are actually becoming part of— In Germany, there's an organisation called TÜV. Have you ever heard of TÜV?
Carole Theriault
Mm-hmm.
Graham Cluley
TÜV, umlaut V. And they certified that this Ecovacs Deebot X2 met standard ETSI EN 303 645. And the standard is being adopted by, for instance, Australia's cybersecurity strategy. There are organizations around the world and regulators are saying, if you're getting IoT devices, they have to meet certain standards. Now, look out for these certifications. And most home robotics companies, including Ecovacs and the Roombas and the Xiaomis and the iRobots of this world, they routinely have products certified to that standard. And many countries, say, require it as a baseline requirement, but it seems it's possible to get certified. Someone made a boo-boo. Well, who's certifying the certifiers? Because if Germany's TÜV have given it their stamp of approval, and they're saying, "We are confident," this is what they said, they said, "We're confident our tests met all the aspects of this standard." Right? Right, so it doesn't mean nothing can hack this or no one can break this. This is the problem, the standards aren't actually doing the job because the consumer—
Carole Theriault
Well, in this very, very, very niche example of a rogue vacuum cleaner with a Bluetooth, I don't know how the Bluetooth worked from across the park. I don't get that, but—
Graham Cluley
Well, I think maybe it was good weather or something. Who knows? Who knows how it happened? But anyway, it happened. So it can happen. And by the way, the Bluetooth was only for the initial compromise, and once that was done, the researcher in Germany was able to see everything which was going on and hear everything and send it further commands. So it was only for the initial compromise that you had to be within maybe 60 feet or whatever it was. So I think for consumers, it means the cybersecurity standards are failing. Clearly the standards are insufficient because there are oodles of vulnerabilities which are being found in these devices and yet they're still carrying these kind of checkmarks.
Carole Theriault
"Oh. Well, I'll have my husband call you later." Well, poor old Sean Kelly.
Graham Cluley
He hasn't thrown out his robot vacuum cleaner.
Carole Theriault
Just put a bit of tape and— He's waiting for the update. Apparently a security update's gonna be pushed out in November. And for now, he's just tossing a little dishcloth over it. What about the sound thing? He's not thought about that?
Graham Cluley
Maybe he's just putting on some good old-fashioned Australian rock. Those poor kids. Drown it out. Oh well, they're Australian kids. They'll be fine. Carole, what's your story for us this week?
Carole Theriault
So this is the story of Georgia and John McGinty. Oh, yes. So it's January 2022, and Georgia and John, a New Jersey couple, are packing for a ski trip, which they're gonna go on with their 12-year-old daughter. You know, this is just after the holidays, and these guys are gonna go hit the slopes. So everyone is madly packing for the slopes. Lovely. You know, bring the goggles, the zinc cream, the hot shots, the sunnies, all the stuff. And that's when their daughter, watching her folks dash about the house, says something to the effect of, "Mom, Dad, I'm starving! Can we order pizza? There's no food in the house."
Graham Cluley
For God's sake.
Carole Theriault
So Mum's okay, of course, yes, yes. And tosses over her phone and tells her to hit up the Uber, right? And buy a pie.
Graham Cluley
What? You don't call Uber for a pie. Well, a pizza pie. You call Uber for a lift.
Carole Theriault
Yeah, but no, no, Uber does Uber Eats. What do you?
Graham Cluley
Oh, it's just Just Eat and Deliveroo.
Carole Theriault
Just Eats, DoorDash, all that stuff. Yeah. Oh, okay.
Graham Cluley
Okay. Okay. So there's an Uber food delivery service. Okay.
Carole Theriault
Well, it makes sense, right? There are already people in the car. Why not?
Graham Cluley
Does it mean that people, when they catch an Uber on a journey, they can smell Chinese food which is in the boot?
Carole Theriault
Yeah, someone's got some kimchi and someone's got some spaghetti. There's a burger and you get to have all that. Right. But I do think it's probably a pretty normal experience with your tween, right? If you are running around busy, dinner's late, they're hungry, you might throw them a phone and just order something. Anyhow, family go skiing and no one gets injured despite it being quite a dangerous sport. Thank goodness. It's not as dangerous as riding this particular Uber car in New Jersey on a cold March evening. Because this is a few months after the pizza. The McGintys have gone out for dinner. Yes. And Georgia orders an Uber home, right? And they're nattering in the backseat of the Uber, and bam! The driver T-bones another car while they're in the backseat.
Graham Cluley
A T-bone steak? Well— Is this an Uber Eats car, or was this just— Plain Uber taxi crash.
Carole Theriault
I don't know if that's a good joke to have at this stage, because when you hit a car dead on a T— That's not good.
Graham Cluley
Okay, so the taxi, the Uber taxi crashes into another car and it— Truth. It depends on how much of a maniac the taxi driver is.
Carole Theriault
Oh, you might put it on surreptitiously if they start driving too fast?
Graham Cluley
Oh, I definitely have. Yeah. When I think, what the— 'bloody hell is this guy doing?' Yes, I have.
Carole Theriault
Okay, but not as a matter of course, right?
Graham Cluley
Probably not.
Carole Theriault
And I think that's probably fairly normal. Of course, I think it must be a legal requirement. Yeah. Do. Yeah. Okay, from now on, because this was a bad accident. I couldn't find information actually that specified whether the McGintys were wearing seatbelts or not, but the injuries are so bad, whatever, draw your own conclusion. But Ms. McGinty, 51, fractures in the spine and ribs among other injuries, unable to work for over a year. Oh, wow. And Mr. McGinty, 58, experienced fractured sternum, serious breaks in his left arm and wrist, has not fully regained use of his wrist. And they say, not surprisingly, that the incident had devastating impact on their health, emotional stability, finances, and the ability to care for their 12-year-old daughter. Right. Yeah. So months go by, and the healing phase has taken its sweet, sweet time. And this may have given the McGintys time to noodle out and process this whole accident. You know, what happened? It's almost a full year now after the incident. February 2023, we're now. So the duo come up with a plan. Let's just sue Uber, right? It was their driver, the Uber driver that crashed and caused the injuries. And Uber has liability insurance for this type of thing.
Graham Cluley
So they're suing for the harm that's been done to them. And presumably there may be medical bills and things as well.
Carole Theriault
Operations and, you know, physiotherapy. It's weird, isn't it?
Graham Cluley
Because here in England, you'd never think of suing. You'd think, oh well, I'll just get on then. But I guess in America, everyone sues everyone.
Carole Theriault
I don't know. You don't? Depends how bad. I mean, what if you were in an Uber, you know, with your mum or son or daughter or something and someone happens to die? The driver was a bit tired. Oh, he was a little drunk. Oh, well.
Graham Cluley
There he was making pasta in the front seat while he's driving along.
Carole Theriault
Yes! He had a toaster oven under the side.
Graham Cluley
He had his George Foreman grill.
Carole Theriault
So the McGintys hit the New Jersey court seeking compensation for their extensive injuries. Right. The amount wasn't disclosed, but I imagine it was a pretty sum. Yeah, yeah. And Uber rather than agree to all this, filed a motion to compel arbitration. And this would mean that the McGintys wouldn't get their day in court. They would have to go into a meeting room and do this all privately. And Uber said that the reason that the McGintys had to do this was that they had already agreed to Uber's terms and services. Right. When the daughter ordered that pizza, what Uber are claiming is when she signed and said, "Yeah, yeah, yeah, terms and conditions, I just want a pizza," they pre-agreed to arbitration in any case they would undertake with Uber. No.
Graham Cluley
So the Uber conglomerate, the huge Uber organization rather than just the division which brings you chicken wings?
Carole Theriault
Exactly. And the McGintys are like, "What does pizza have to do with a cab journey?" Well, it's all under, as you say, all under the Uber flag. So Uber is trying to enforce a binding arbitration clause. And the problem is the McGintys are saying, we did not agree to that directly. You know, prove it. And in fact, my daughter did it. So what are you doing? Yeah.
Graham Cluley
Yeah, it was the daughter. Well, so they're saying, yeah. If they were to go to arbitration with Uber's lawyers, and Uber said, well, we'll offer you this much. Couldn't they just have said, well, no, we'd like a bit more, please? Couldn't they just have carried on arguing until the amount got to the amount which they want?
Carole Theriault
I will explain why that is a bit more painful than it sounds. Uber appeals, right? Says, look, you know, we had this thing. And the lower court, New Jersey lower court, thinks about it. And by November, so 10 months after they kicked off this whole thing, the lower court decides in favour of the McGintys, denying Uber's motion to compel arbitration. And the lower court cites that Uber failed to clearly or unambiguously inform the user of the waiver to the right to pursue claims in a digital forum.
Graham Cluley
Quite a brave thing for the lower court to do because they're never going to get Uber Eats delivering them any pizza after making a decision like that.
Carole Theriault
Did anyone spit in this?
Graham Cluley
Did anyone spit in this? Yeah, exactly. Yeah, seems to have some special different kind of topping on this one.
Carole Theriault
Yeah. Yeah, so woohoo for the McGintys, right?
Graham Cluley
Woohoo! Very good. But wait, U-turn!
Carole Theriault
It was only a temporary victory because Uber did not like this ruling and hit the appeals court, who ended up reversing the lower court's decision and sided with Uber, saying that Uber's Ts and Cs were valid and enforceable. So the McGintys are now back in arbitration, and that's when I was wondering, why is that so bad? What do the courts have that arbitration doesn't? So according to this site, law.inc, forced arbitration clauses are powerful tools companies use to limit the legal exposure and public accountability. No media. There's way heavier limitations on evidence gathering. So they would not be able to compel as much information from Uber's side as they would in a court of law. There are much more restricted appeal options if they don't like the decision. So I don't think you can just take it to court if it doesn't work out your way. And in arbitration, you have to share the fees. So if they're exorbitant, Uber's unlikely to bat an eyelid while the McGintys might have to remortgage. And typically, from what I read, arbitration firms are already pre-selected inside the Ts and Cs. So imagine if they're super expensive or, you know, obviously they're getting paid by Uber, so. Yeah. Now you may wonder what other companies might have this type of clause in their Ts and Cs.
Graham Cluley
And what you're going to tell me is all of them.
Carole Theriault
Well, I asked Perplexity.ai to give me a list, right? And it went through and it said Amazon, Apple, Google, PayPal, Netflix, DoorDash, Airbnb. So think about it, to your point, right? You rent a house where you're spied upon by a vacuum. Right. And maybe the vacuum or the lawnmower murders someone in your party and you can't take them to court.
Graham Cluley
Presumably, you can't even use the hacked vacuum cleaner camera feed to have footage of the murder taking place.
Carole Theriault
The arbitrator will be like, nope, we don't want to look at that. So the big questions according to Law Inc., which I thought were interesting. So can minors legally agree to terms of service? So the validity of a minor's acceptance of a contract is a complex issue, it says, and it depends on various factors. But one of the things that will be brought up is, as the mum allowed the daughter to use the account, it could get murky. Crashes head on to another car. Exactly.
Graham Cluley
Because it was her, it was the mum's phone and it was the mum's login, presumably. Yep. And she gave permission.
Carole Theriault
Okay, that's bad. But see, that's very scary because loads of parents hand their phones over to their kids to do stuff.
Graham Cluley
And we need to get our kids to sign a legal document before grabbing our phones, holding them legally responsible for any upcoming legal fees and any other damages which may occur.
Carole Theriault
Now, the question I have for you at this stage is, do you wear seatbelts in cabs and in Ubers?
Graham Cluley
The kids are going to have to pay it. They can be the ones who are bankrupted. Now, but there is maybe a silver lining here to this story, okay? Because this is not the first case of this ilk. This is why we should always use disposable email addresses when signing up for some of these services. So we should have different email addresses for every service so they can't think, hang on a minute, this person suing us here, 7 years ago, he had a week-long trial.
Carole Theriault
Damages, for extensive injuries, compensation. Of XYZ product. That's a really good suggestion, I think. I didn't think of that. I think that's brilliant.
Graham Cluley
Well, thank you very much.
Carole Theriault
That's me. There is a silver lining here because there's been a backlash and Disney has backed down, and now the matter can be heard in court. So that has interesting potential effects for this Uber case.
Graham Cluley
Do you think they backed down because of the bad publicity? Yes. You know what, this— yeah, right. So that's what we have to do. We have to create a big stink about this Uber and Uber Eats nonsense. Yeah.
Carole Theriault
Go fart in Ubers. Everyone go make a big stink. Go do that. Follow, follow Graham's advice and parp in Ubers.
Graham Cluley
Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. Support for today's podcast comes from SentinelOne, which secures and protects every aspect of your cloud in real time. Discover all your assets and deploy AI-powered protection to shield your cloud from build time to runtime. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Looking for a cloud-native application protection platform? SentinelOne is your ultimate CNAPP solution. Go to smashingsecurity.com/sentinelone for more information and a free demo. 
See what a flexible, cost-effective, and resilient cloud security platform can do for your organization with SentinelOne. That's smashingsecurity.com/sentinelone. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. Good. My Pick of the Week is a TV show that I've just recently started watching. I haven't seen all of it yet, but it's quite good. And I thought, oh, this is quite good. And I might be a couple of years behind the curve. Maybe other people have been watching it for a while. You definitely are not that. I would say decades. The TV show is called Sherwood. Have you seen Sherwood, Carole?
Carole Theriault
It was a big deal. It was a big deal. And there are people who continue to hold a lot of animosity because of that strike. Oh, I've read this. I've read that that's true. Yeah, they infiltrated. I think it was a Telegraph podcast all about that. It was really interesting. That's right. There was a division, I believe, inside the Met Police who were joining different political groups undercover. Their wives didn't know. Like, their legit wives. It's awful. So, it's quite good. Really good acting, some intrigue there. I'm just watching Series 1. There's already a Series 2, which has just come out, I think. Very good. I'll add it to my list.
Graham Cluley
Thank you very much. What's your pick of the week?
Carole Theriault
My pick of the week, Graham, is cake. It's cake.
Graham Cluley
Sorry? What, just the concept of cake?
Carole Theriault
Well, no, not the concept of cake. But are you a cake fan generally? Cake, take it or leave it? Love cake, hate cake? Cake it or leave it. Well, some cakes are better than others. I like a lemon cake. Coffee cake, I like. Oh, I have no idea. I don't even know what that is.
Graham Cluley
Some crazy animal. Oh, it's delicious. But you know, there's some cakes that are very sweet and gooey icing, lots of layers, sprinkles, candies. That's not my thing at all. Oh, are you?
Carole Theriault
Graham, you could make these. You could make this for your wonderful partner.
Graham Cluley
Yeah, we're both trying to, well, you know, we're just trying to be a bit healthier at the moment. Are these healthy cakes?
Carole Theriault
Yes, there's a chocolate Guinness cake. Delicious. There's a banana, chocolate banana bread cake.
Graham Cluley
Right. Yum. Yeah, that sounds healthy.
Carole Theriault
And carrot cake.
Graham Cluley
Oh, well, carrots. There can't be anything— Yeah, carrots must be healthy. Right. Yeah. Okay. All right.
Carole Theriault
Just have a very thin slice. Yeah. Thin slice. Anyway, so cake, 'cause cake is great and sometimes you need cake and I needed cake and I had cake and I loved my cake. So that's my pick of the week.
Graham Cluley
Cake. Next week, Carole's pick of the week will be something like oxygen. I mean, is the standard of pick of the week deteriorating? I have to wonder.
Carole Theriault
Ah, how dare you? I have great ones.
Graham Cluley
Anyway, excellent. Thank you, Carole. I look forward to hearing from listeners how great your cake is. Exactly.
Carole Theriault
Thank you, listeners. I know you're on my side.
Graham Cluley
And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And don't forget, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Carole Theriault
And thank you to our wonderful sponsors, SentinelOne, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 387 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye.
Carole Theriault
Why would they have taken the vacuum and not the lawnmower? Because they didn't want injury. The reporter didn't want to have any injuries.
Graham Cluley
Maybe they didn't have it. This is downtown Brisbane. Maybe they don't have gardens. Maybe they don't have lawns. It's Australia, it's practically a desert.
Carole Theriault
Oh, that's true. Maybe it would be hard to find someone with a lawnmower. Okay, maybe they're not available in Australia, the lawnmower one.
Graham Cluley
Maybe not, maybe not. Have you said bye yet? I said cheerio, bye-bye. Bye! Good.
EPISODE DESCRIPTION:
Join us as we delve into the world of unexpected security breaches and legal loopholes, where your robot vacuum cleaner might be spying on you, and ordering a pizza could cost you your right to sue.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!