097: Dash cam surveillance, robocall plague, and Zoho woe

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown

And at no point during the setup of the camera does the software throw up any kind of alert that says, "Oh, by the way, we're going to be sharing your exact location—" "With everybody!" "Along with footage of everywhere you go, inside your garage, your kid's school, the porn shop you frequent, the medical clinic where you get your antibiotics, the address of your secret lover, and so on." Smashing Security, Episode 97: Dashcam Surveillance, Robocall Plague, and Zoho. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 97. My name is Graham Cluley.

Carole Theriault

I'm Carole Theriault.

Graham Cluley

Hi, Carole, how are you?

Carole Theriault

I'm very well, thank you. In the deep dark England, it's very cold and windy today.

Graham Cluley

Oh, bless you. Yeah, well, I'm in Seville in Spain where it's just a mere 38 degrees Celsius. Oh la la, or oh leh. Yes, no, ooh la la, yes indeed. And I think we may have heard a little murmur in there from our special guest today. It's another David. Not just a guest, a colleague now.

Carole Theriault

A colleague? What do you mean? Hey buddy, hey.

Dave Bittner

Hey sweetie baby pussycat. What? How are you?

Carole Theriault

David Bittner, star of the CyberWire, the Daily, and Hacking Humans. And I'm now doing some correspondence for them.

Dave Bittner

Oh, yes. We opened a UK bureau. Yeah. Headed up by Carole Theriault. That's right.

Carole Theriault

That's right. That is correct.

Graham Cluley

How long has this been going on between you two? You know, a while.

Dave Bittner

It's nice of you to introduce us, Graham.

Graham Cluley

So you've got more than one podcast now, Carole. You're titling yourself Graham and Dave's. Flooding out. Well, I hope this recording goes okay because you are, I think you're the fifth David we've had in a row. We've had David Egg, David Bisson, David McClelland. David Bisson blew up last week.

Dave Bittner

Will I make it to the end of the episode? Yeah, because I've checked the weather. There are no tornadoes or thunderstorms.

Carole Theriault

Florence had her way with us last week.

Dave Bittner

That, yeah, boy, did she. And so yes, I'm hoping I've got a backup recording rolling here, so even if we get disconnected, I'll just keep going on my own and you can splice it together later. Such a darn professional.

Graham Cluley

You see, Carole, there's a lot you could learn. I hope you learn every day with my new buddy.

Carole Theriault

Oh, new buddy.

Graham Cluley

My new bud bud, David. What about your old bud bud? What about your mate here? What about your old cocker? Right? Sponsors, please.

Carole Theriault

MetaCompliance, the security e-learning experts. Make learning best practice engaging and fun. Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.

Graham Cluley

I want to know whether you chaps have ever heard of Zoho. Carole, have you ever heard of Zoho?

Carole Theriault

No, is it some weird version of Zorro?

Graham Cluley

No, no, neither is it the rather seedy part of London where the naughty ladies take their clothes off. Not seedy, Soho's great! Well, okay, it's alright these days, isn't it? But it had a reputation back in the day. Zoho, they're perhaps not as well known as they should be, but they've got over 30 million users. They are an Indian company who provide all manner of services. Okay, let me explain. So, you know Google Apps for Business, also known as G Suite, which gives you PowerPoint and Word documents and collaboration and email and all that kind of jazz. Well, you don't have to buy all of that from Google. You can go to a company like Zoho who have all of that as well. They provide online email, presentation software, word processing, spreadsheets, project management, invoicing, CRM. The list goes on and on and on and on and on. And they're pretty big. They're no small fry. Yeah, well, they're servicing an entire country.

Carole Theriault

If your country was Canada, 30 million people. Yeah, well, I suppose so.

Graham Cluley

You have that many people, do you?

Carole Theriault

How many? We're very big.

Graham Cluley

Yeah, so I've heard. So they have over 5,000 staff worldwide. They've been recognized by the likes of Forbes for being a big cheese. They're a pretty big deal. But this week, Zoho's main website, zoho.com, went down. And you can imagine its users were not happy. And when a website disappears from the internet, everyone panics. You know, has there been a breach? Has Zoho been hacked?

Carole Theriault

Especially if this is the services you require for your day-to-day job, right? Oh yeah, people were fuming.

Graham Cluley

Yeah, this is your online docs and all your presentations and spreadsheets and— People couldn't access their email, they couldn't access their customer databases. It's a pretty darn big deal, right? Now, the reason why they went down was not because of a cybersecurity incident directly. They had been taken down by their very own domain registrar, the people who helped them set up zoho.com in the first place, a company called TierraNet. Okay. Oops. Yes, oops indeed. TierraNet said that they had received repeated complaints that criminals were using Zoho's email service, and thus indirectly the Zoho.com domain, to send out phishing emails. Who would have thought criminals would do something so dastardly as that?

Carole Theriault

So they just said, oh, we're going to take it offline, we're not going to reach out and say, hey guys, because that never happens on Gmail.

Dave Bittner

Yeah, never, never happens on Gmail.

Graham Cluley

No, no, no, no. Every criminal knows that they must not abuse Yahoo or Hotmail, right? None of those free email services. No, exactly. They would never, never ever do anything like that. They only ever use Zoho. But yeah, you're right, you wouldn't expect your domain registrar to take you down. Normally what happens is they contact the abuse department of the webmail company and say, look, we think you've got some dodgy folks there who are up to no good. Can you zap their accounts? But now the downtime obviously impacted small business owners around the world. So when the website went down, Zoho obviously thought, this is a bit of a problem. Our customers are— Our customers are revolting, you know, they're causing— yeah, yeah, yeah, unhappy. So they tried to reach out to TierraNet. So they contacted TierraNet's tech support department and go, WTF, guys?

Carole Theriault

Yeah, exactly.

Graham Cluley

And the tech support department said, well, you should have responded to our emails. We told you that there were phishing emails and spam being sent from your account. And they're like, well, hang on a minute. They said, look, we're Zoho. Can we speak to your bosses, please?

Carole Theriault

Because we have 30 million users here that are freaking out.

Graham Cluley

Yes, we really need to bring our website back, and they refused to put them in touch with the bosses at TierraNet. So Zoho took matters into their own hands. The CEO of Zoho, a chap by the name of Sridhar Vembu—

Carole Theriault

Right, said beautifully, I'm sure— beautifully.

Graham Cluley

He tweeted out a message saying, can anyone on Twitter help us? We want to contact TierraNet's executives, but their support department won't let us get through to them. And he included a screenshot of their name. So he basically sort of went to the About Us page. These are the people we're trying to track down, you know, here are their photographs. If you've got any information, if you see them in a bar or something, let them know we really need to sort this out. Little doxing never hurt anybody. So TierraNet's support department wouldn't listen to Zoho, and they were just telling them point blank, you know, send an email to the legal department. They're refusing to escalate to their supervisors. Oh my lordy, this is a nightmare. How many complaints do you think TierraNet had made to Zoho about nasty stuff coming from their domain? How many do you think?

Carole Theriault

In order for them to take down the entire operation?

Graham Cluley

30 million users? Yes. Okay.

Carole Theriault

It's going to have to be in the thousands, but you're probably going to tell us it's in the hundreds or something. It's actually—

Graham Cluley

It's actually 3 phishing emails. Shut up. There'd be 3 complaints over the course of 2 months, 2 of which— 2 of which Zoho said it had addressed immediately and another one was under investigation. And that was enough to bring down the entire site and impact 30 million customers. Can you imagine if that had happened to Google or Outlook.com? Or can you even imagine the likes of Bill Gates or whoever runs Microsoft these days taking over his Twitter account and saying, hey, we need a little bit of help here, guys. We're trying to contact somebody. You know, it's—

Carole Theriault

You know what? I smell a rat.

Graham Cluley

You know, 3 phishing complaints. TierraNet are claiming that it was an automated system, so it was actually a computer which

Carole Theriault

I smell a rat. Yeah.

Graham Cluley

maybe was programmed with an inappropriate algorithm, whereas a little bit of human involvement may actually have said, you know what,

Carole Theriault

I mean, that's a big deal to take something off. 30 million strong online business service site for 3 phishing—

Graham Cluley

maybe that's a little bit rash, but they didn't want to talk to anyone.

Carole Theriault

Well, yes.

Graham Cluley

That wasn't a robot. No, that wasn't a robot, was it?

Carole Theriault

That said, "F off, sorry, la la la la la la, we can't hear you." Well, everyone's learned a valuable lesson and had a good laugh.

Graham Cluley

Well, we've had a good laugh, but poor old Zoho's CEO, he was tweeting out really nerdy instructions for people as to how to change their DNS settings on Android and Mac and Windows. Oh, good for him though. Well, good for him, yes, but what an embarrassing situation to be in. And I suspect they're not going to use TierraNet anymore.

Carole Theriault

I was just going to say, I have an idea for them. Move on.

Dave Bittner

Well, and but I mean, seriously, what an interesting lesson in the types of relationships you need to have with your third-party suppliers.

Carole Theriault

Or what not to have, actually.

Dave Bittner

Well, yeah, but this is a conversation I suppose on the one hand it's not a conversation you imagined ever needing to have. But, you know, your incident response plan should have gone through these possibilities, and I don't know, it just seems like a conversation that could have happened beforehand. Hey everybody, how are you handling phishing complaints? And I was thinking, how many milliseconds, how many nanoseconds does it take Google to have three phishing complaints?

Graham Cluley

Oh my goodness, over their system.

Dave Bittner

Can you imagine? I mean, well, he—

Graham Cluley

They have moved their domain to another registrar now, and I believe they're using DNS services maybe from Cloudflare, which replicate more quickly so they can come back better. And hopefully they'll be supported. I kind of feel quite sorry for them if at least their telling of the story is accurate. It's not the best advert for TierraNet, is it?

Carole Theriault

I know, but it's quite a good one, I think, for Zoho. If he's out there, you know, updating manual DNS entries for specific devices.

Graham Cluley

Yes, but if it was your business, which was down for 24 hours because of this, I wonder how— Oh, yeah. Drama, drama, you know, it's bad.

Carole Theriault

But, you know, he's going to recover. It's not like he's given birth or anything.

Graham Cluley

I think people do recover from giving birth, Carole.

Carole Theriault

I'm just saying it's not as hard as that.

Graham Cluley

It does take about 25 years, but you do eventually recover, mostly when they move out. Not of the womb, out of the house. Dave, what's your story for us this week?

Dave Bittner

Well, I have a question for both of you. Do either of you make use of a dashcam?

Carole Theriault

No.

Graham Cluley

No, no, no, no, no. I'm not Snapchatting myself as I'm driving down the road or anything like that.

Carole Theriault

I mean, there are reasons to do it, though. I think you get lower insurance if you have one. That's a big deal here in the UK.

Dave Bittner

Yeah, I am in the process of exploring what car I'm going to buy next. And one of the things I am definitely going to install is a dashcam.

Graham Cluley

Oh, why? Why do you want one? I'm just curious.

Dave Bittner

Well, I think as traffic has gotten more congested around here, there's more very wacky, strange situations that I've witnessed, and I think it'd be good to have a backup, a recording of what happens.

Graham Cluley

But, Carole, no, that's really good news. That's exactly what you want.

Dave Bittner

If you're in an accident, a dashcam will show what happened, and so it's a small investment.

Graham Cluley

You want absolutely anyone in the world, you know, whether it be an assassin, Vladimir

Dave Bittner

And that is exactly what this gent named Tim Woodruff reached out to Graham and I, and a couple of other people on Twitter. Carole, I don't think you were on that list of people who got reached out to.

Graham Cluley

Putin, you want everyone, my mother-in-law, exactly where you are at all times.

Carole Theriault

No, it's okay, I had a holiday, it's fine.

Dave Bittner

Yeah, it's all right, okay, it is interesting. You guys do all the hard lifting, everyone knows that. Me and my buddy Graham got reached out to by this gent named Tim Woodruff, who had recently bought himself a Tesla Model X. Oh, that's right, that's the one with the doors that go up in the air. That's pretty cool.

Graham Cluley

Yeah, he deserves everything he gets, if you want my opinion. That's a little bit too flashy. Who does he think he is, Batman?

Carole Theriault

I mean, what a— jealous, jealous.

Dave Bittner

Calm down, calm down. Maybe he is, I don't know. But Tim was in an accident with his Model X. Someone hit him and he got the runaround from the insurance company. So afterwards, he decided he was going to install a dashcam after he got his Model X fixed. So he went back to the Tesla dealer and he asked if they had any recommendations and they suggested the products from a company named Blackvue. And vue is spelled V-U-E. And one of the things that these dashcams bragged about is that they are cloud ready. And that sounds good, right? I mean— Sounds so advanced and futuristic.

Carole Theriault

Right, exactly.

Dave Bittner

The only thing better is if they were on the blockchain. Now, so Tim gets this dashcam, and he had worked in cybersecurity as a pen tester, so he's tuned into things like privacy settings on IoT devices like this dashcam. And what Tim discovered is that the default settings of this dashcam model share your exact GPS location publicly on a map. Publicly, that anyone can view. That's the default. Yes, the default.

Carole Theriault

You guys didn't tell me. I didn't get prepared for a depressing show.

Dave Bittner

But it gets even better. Okay. And by better, I mean horrifyingly worse.

Carole Theriault

Okay, I have my head in my hands.

Dave Bittner

The BlackVue camera also defaults to share the video footage from your front and rear-facing cameras live on the internet in the clear publicly to anyone who wants to view it.

Carole Theriault

Is this an error? Or is this— Well, this—

Graham Cluley

This is what's called cloud-ready, Carole. This is—

Carole Theriault

I'm such a geek. I'm like, what did the agreement say? Did the agreement say it was going to do this? Did he sign this away?

Dave Bittner

Well, these are the default settings. And at no point during the setup of the camera does the software throw up any kind of alert that says, oh, by the way, we're going to be sharing your exact location along with footage of everywhere you go, inside your garage, your kids' school, the porn shop you frequent, the medical clinic where you get your antibiotics, the address of your secret lover, and so on. So it's fair to say that most users of these cameras had no idea that their location and live video footage was being shared in real time over the internet to anyone who wanted to view them. Now Tim is a good guy. He is a model citizen. Is he? And he, well, by all accounts. Okay. Yes. So he reached out to BlackVue before going public. He reached out to BlackVue, gave them a week to respond. Right. And they did not respond. So at that point, he reached out to me and Graham and some other people. Graham and me. Carole.

Graham Cluley

Not you though, Carole. Not you. Carole, you can't say Graham and I. It was Graham and David. That's right. Just to point out. Carole, how do you spell pedantic?

Dave Bittner

Why are you both—

Carole Theriault

Why are you ganging up on me, guys?

Dave Bittner

Jeez. Fair weather. So after a week or so of hearing nothing, he went public, and when he went public and reached out to people, that got their attention. Oh. As it so often does. And they responded only by saying their security teams are investigating the issue.

Graham Cluley

It sounds like it's already been investigated, mate. Well— Go on the cloud. Find out what's going on.

Dave Bittner

So we'll share a link to— Can we look at that and see if it's still live?

Graham Cluley

Can you check a feed? Can we find out the feed for the CEO of BlackVue? They should just— that should just be live streaming.

Carole Theriault

I'd love to see the inside of his garage.

Dave Bittner

Right, right. Or garage. That's right. Get a beer from the fridge. Now I'm curious, how do you— do you think that making this the default settings, does this collide with GDPR?

Carole Theriault

Well, that's an interesting point.

Graham Cluley

I guess it does.

Carole Theriault

Does it extend to your car? To your smart car?

Graham Cluley

I would think so. It's your personal location and why wouldn't it? So David, are you getting one of these BlackVue ones to put in your car?

Dave Bittner

No, I'm probably going to go with a different brand.

Carole Theriault

Send me the link.

Graham Cluley

This has dissuaded me.

Dave Bittner

I will probably go with a different brand when the time comes, but it'll be interesting to see how the folks at BlackVue respond if they have any meaningful response. But in the meantime, you can check out the video that Tim made. There's a link to it. He made a YouTube video demonstrating exactly how this works, and it's a bit of an eye-opener.

Graham Cluley

But it's so difficult, isn't it? Because you can buy one of these things and you've got no idea at the time of purchase whether it's going to be careless with your privacy. Or you've really got to buy one of these things and hope that you have the pen test skills to find the vulnerability yourself, or that some Internet Spod has already done it for you.

Dave Bittner

Well, and isn't that what GDPR is supposed to help with?

Carole Theriault

Now, David, are you going to say thank you, Tim, because he basically did all your work for you this week? Thank—

Dave Bittner

Yes, thank you, Tim, for basically doing all of my work for me this week. I appreciate it. And thanks for reaching out to me and Graham about this.

Carole Theriault

You know, I'm actually grateful he didn't reach out to me because I don't have to do something about it. I just want to send people sad faces and hearts and going, "Yay." No, you didn't want to go to prom anyway. Baby.

Graham Cluley

Carole, what have you got for us?

Carole Theriault

Okay, I want you guys to imagine yourselves enjoying a perfect Sunday morning. Okay? You're totally rested. Family's off somewhere. You've got the whole morning to yourself. Graham, you've got a huge breakfast in front of you, right? You've got a chess game or three in progress. David, you probably have a compilation of top show tunes 1985 on the shuffle.

Dave Bittner

Oh, you know me so well.

Carole Theriault

And then, and then this happens. Please call immediately on our department number 202.

Graham Cluley

470-2565. My chess game is ruined. My practice.

Dave Bittner

All musical theater soundtracks ruined.

Carole Theriault

Robocalls are very annoying, and those of you stateside would be right if you've noticed an uptick in the number of robocalls you've been receiving. Oh yeah. According to recent stats from YouMail, August apparently hit an all-time high of monthly robocalls. So guess how many? Guess how many robocalls were made in the month?

Graham Cluley

Is it, I don't know, 10 million?

Carole Theriault

4.2 billion. Billion with a B? With a B.

Graham Cluley

So how many people are there in America?

Carole Theriault

124 million people apparently received these 4.2 billion calls. It's basically— I worked it out because I do the math around here— 13 calls per person.

Graham Cluley

One per month. So one every other day, more or less. Yeah. That sounds about right. Yeah. You're joking. Really, David, is that what you get? That's— yes, that is. That is what I get.

Dave Bittner

Yes, that is about right. But here's the thing. You— I don't answer the phone if it's not someone already in my directory.

Carole Theriault

I am so glad you said that because we're going to address that in this piece.

Graham Cluley

Can't your government do something about this?

Dave Bittner

I don't think

Graham Cluley

I don't think I get one call like this every 6 months.

Dave Bittner

I ever— kind

Carole Theriault

No, I know, I agree. I don't get very many either.

Graham Cluley

Doesn't seem to be a problem here in the good old United Kingdom.

Carole Theriault

We did have a problem though on landlines for a while. Did you? Yeah, but I don't really pay attention to my landline anymore.

Dave Bittner

of busy right now.

Graham Cluley

All right, okay, right. Oh, that's why you're not returning. That's the only reason.

Dave Bittner

It's funny, she always calls me right back.

Carole Theriault

Oh, you're so flippy-floppy. I've lost interest. You know what? Tier 2. Oh, I see. Tier 2. So there's been a steady increase in the number of robocalls since January 2018. Any guesses as to why you think that might be?

Graham Cluley

Are the robocalls political in nature? Is it because they have these midterm elections coming up? That's my guess.

Carole Theriault

No, because that wouldn't be steady. That would be a very sharp climb.

Graham Cluley

Is it an increase in reality TV shows where you have to ring in to vote and they're trying to get you to trick you into— no, this is terrible. I don't know, Carole, surprise me.

Carole Theriault

It's because people like Dave Bittner don't answer their phones anymore, causing the dialers to place more calls in their efforts to get through.

Graham Cluley

Dave? Yes, I'm the problem. Well, on that bombshell and that admission—

Carole Theriault

Blame Dave, blame Dave, blame Dave. Yep. Now there is a problem with this. I mean, if you think about it, what if, say, I was being verbally assaulted by a very long-winded, boring person and I tried—

Dave Bittner

My Sunday just got a little better—

Carole Theriault

And I tried to call you to save me, but my phone was dead. So I borrow said boring person's phone and surreptitiously call you, only for you to do what? Ignore the call. That sucks, man. What kind of friend are you?

Dave Bittner

Well, leave a message. That's the thing. If it's someone who I want to talk to, they will leave a message. I will listen to that message, and then I will call them right back. But I'm not going to answer right away.

Carole Theriault

Oh, maybe that's my problem. Yeah, see, I don't like listening to phone messages at all.

Graham Cluley

Personally, I have a thing on my landline. I don't have this on my smartphone. But I have this thing on my landline where it actually sends me an email with the transcript of the voicemail, and the voicemail is attached as an MP3.

Carole Theriault

That's very cool. I do that as well.

Graham Cluley

That's much cooler than listening to the message. So I rarely listen to the actual messages, but I'm much happier reading them.

Dave Bittner

I have mine set up with Google Voice, and in fact my landline doesn't even—

Carole Theriault

We don't have that outside the US.

Dave Bittner

Of course. But my landline phone doesn't even ring in my house anymore because we don't use it for anything other than legacy.

Graham Cluley

I think mine does ring, but I've turned all the ringers off because they bugged me.

Dave Bittner

I digress.

Carole Theriault

No, we all digress. Okay, so I wanted to look into what's legal with robocalls and what's illegal. Sadly, the rules are a little bit unclear. So if I understand them all correctly, mobile calls from political campaigns or debt collectors and charities were not allowed without prior consent. This was an Obama-era rule. However, earlier this year, a U.S. federal appeals court overturned some of this ruling.

Graham Cluley

Of course they did, stating that the law was too broad.

Carole Theriault

The judge cited that the law could be applied to an innocent individual like me, for instance, inviting a new friend, or an ex-new friend, aka Dave Bittner, to a party without his prior consent, saying, "Yes, do email me," I would be in breach of this law the way it was written. So, all this to say that the rules, it seems, that controlled robocalls have been a bit lax.

Graham Cluley

Sorry, that's a terrible comparison to make, which that judge has made. Yes, well— Comparing a communication with one which might be organizational, that's a bit like spam, isn't it? It's like, there are rules in place if a business sends you an email and they don't have permission, and that can be spam. But if you make a personal communication, then it's like, well, that's all right.

Carole Theriault

It may have been in the wording that was selected in the law that left this loophole and meant that his hands were tied in this situation. Now, is it— now the question here is, is it ironic that our beloved FCC chairman and net neutrality slayer Ajit Pai praised this decision, right? This appeals decision. Bless him. When just a few months earlier he said combating unlawful robocalls and malicious caller ID spoofing was his top consumer protection priority. Maybe it's not because he's chosen his words really carefully there. You see, he says he's focused on unlawful robocalls. And of course, if the law is hazy—

Graham Cluley

Oh, the crafty bugger—

Carole Theriault

What can he do about that problem? He's totally blameless, right? Of course.

Graham Cluley

Either he's been really sneaky, Carole, or you're being really paranoid or sarcastic.

Carole Theriault

Now, there must be then good news regarding the spammy illegal malicious robocalls and ID spoofing, right? Because that's what he said was his real focus. And sadly, that ain't looking rosy either. First Orion put out some new research that predicted that nearly half, 50%, of all US mobile traffic will be scam calls by 2019. Now, God knows what the big robo scams will be next year in 2019, but currently the most popular robo scam. Can you tell me what it is, Dave, actually, being US-based?

Graham Cluley

Based on the robocalls you get every other day? Unless you're lying. I'll pick up for you, Carole.

Dave Bittner

Well, I would say that it's law enforcement calls. This is Sheriff So-and-So from such-and-such a place.

Graham Cluley

Couple of thoughts about this.

Dave Bittner

We have a warrant out for your arrest. Oh, that may not be a robocall. I actually know someone who is an attorney who for a while was making several hundred dollars a month off of people robocalling him because he kept a log next to his phone. He would say, "Who is this?" and he'd keep a log who it was from. And he would say, "Please don't call me again." And if they called him again, he would log that and then he would send them a letter that said, "You have violated this rule. The fee is, the fine is $600. I will take you to small claims court."

Graham Cluley

I hope you're not ignoring those, Dave. I don't think those are robocalls.

Dave Bittner

I'm sorry, somebody's knocking at my door. I better— I'll be right back.

Graham Cluley

Takes a certain personality that, Dave, it does. And this person had that.

Carole Theriault

So apparently the most popular by far is the 0% interest rate scams involving problems with a credit card you probably don't own or, you know, forgiving one's student debt or something like that. And another hot scam technique that is being used is the local presence dialing.

Graham Cluley

I'm curious, you said this was a friend of yours?

Carole Theriault

That's what it was called. It's a term I learned just today. Acquaintance is probably a better word. Acquaintance, okay. Yeah, yeah. This is where a number effectively pretends to be from a local number. But I've seen this tactic before. Say Mrs. Cluley is calling. Stuck on it by a roadside, right? So basically, people are 4 times more likely to pick up a call if it's a local one as opposed to a, you know, 800 number or a distance call.

Dave Bittner

She can still text. It doesn't block texts from coming through.

Carole Theriault

Yeah, she just called me back, please.

Graham Cluley

Yeah. Yeah. Yeah. That certainly seems true.

Carole Theriault

Yeah. So there's real incentive for roboscammers to invest in this. And I was looking at sites that basically say, isn't this cool? You'll get so much more hits on your robodialing if you just use this local presence service. Cool. So here's what you can do, right? None of this is perfect. There's no silver bullets here.

Graham Cluley

Yeah, splish splash, there I am with my rubber ducky having fun.

Carole Theriault

Subscribe to the Do Not Call Registry, right? This may stop robocalls before they begin. If you are on the registry, it's illegal for many robocallers to call you. However, this doesn't help block robocallers that don't care or outside the jurisdiction. Now, you can block unknown or frequent callers, right? So, Graham, you said we haven't talked in a while. What I've done is you can block specific people on your actual device, right? So then they just don't get through, right?

Dave Bittner

You know, here's another little bit of not completely unrelated information. My 11-year-old recently asked me, he said, Dad, why when you finish a phone call do you say you're going to hang up? Think about it.

Carole Theriault

There are apps out there. Now, I haven't used any of these personally, but three that I came across that kept cropping up were Hiya, YouMail, and First Orion. They all provide services to help control unwanted calls. File a complaint to your state rep, right? These are the people— they need evidence. They need their jurisdiction to say we really support trying to tackle this problem and hang up, right? Don't give away any information, especially if it's a recording, right? Because a lot of scammers are just trying to trick you into finding out that you are a live target, right?

Dave Bittner

Kids don't know. They don't know that that's what you used to do was hang the handset on the wall.

Carole Theriault

Oh, you see, I'm too old. I'm in your camp. I didn't even understand that. So if they don't know, if they don't hear anything, so when people are going to now pick up phones, not say anything, wait, it's going to be so— phone calls are going to change completely. And yes, remember to listen to your message. So if I ever call you about someone boring, Graham. Someone will pick up. Yay!

Dave Bittner

He's never seen anyone do that. Right.

Carole Theriault

He's never realized we hung them like coats.

Dave Bittner

Exactly. Exactly. Isn't that interesting?

Carole Theriault

That's very interesting. It's the perfect time to go to our wonderful sponsors.

Graham Cluley

Hey, Carole. Hey, Carole. It's a little micro one. I like to keep it close to me.

Carole Theriault

Did you listen to my little bit about MetaCompliance and their e-learning? Oh, yeah.

Graham Cluley

It's my Leatherman Micra. And this is my tiny little multi-tool. I heard that earlier in the show. Yeah. Did you? Yeah. You have a multi-tool? I have a multi-tool.

Carole Theriault

Okay.

Graham Cluley

You haven't even realized I've been carrying this around with me for years, Carole. What do you use it for?

Carole Theriault

Well, have you signed up yet?

Graham Cluley

Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?

Carole Theriault

Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to smashingsecurity.com. You should know that website. Slash MetaCompliance and enter the code smashing with a G.

Graham Cluley

Smashingsecurity.com/MetaCompliance. Enter the code smashing. Terrific. With a G. Cool. And welcome back. And you join us at our favourite time of the show. It's part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Carole Theriault

Or a sandwich.

Graham Cluley

I don't think anyone has ever chosen a sandwich so far. But maybe this week. This is how it starts.

Carole Theriault

This is— okay, trust me.

Dave Bittner

Show's not over yet.

Graham Cluley

Buckle up your seatbelts. The important thing is the filling of the sandwich should not be security-related necessarily.

Carole Theriault

It can be. Definitely not be.

Graham Cluley

It can be, but it shouldn't be. Now, my pick of the week is, it's a little tiny little thing. It's only 2.5 inches long.

Dave Bittner

Oh, do we have to talk about that?

Carole Theriault

I don't even think I— if someone asked me, does Graham know how to use a screwdriver, I would be like, maybe.

Graham Cluley

Yes, I've used the screwdriver. I most usually use the scissors to cut things, but there are other facilities. A bottle opener. Well, I don't really drink bottled drinks. But anyway, but so it goes. So for anyone who doesn't understand, it's a tiny, tiny little multi-tool, goes on your keychain. It's got spring-action scissors, very good scissors, a knife, screwdriver, bottle opener. Useful if you got to a certain age where you find it hard to unpack items because they're all sort of wrapped up in that really tough plastic. You need the Leatherman Micra. Now, Carole, I've taken it on trips with us. We've been through airports, and I have taken the Micra onto planes with me, and I've not had it taken off me yet.

Carole Theriault

All police officers, please be warned.

Graham Cluley

So you probably shouldn't take it on a plane with you, but I've done it multiple times without being stopped, and it's a handy little thing, and I keep it in my pocket, and there you go. Handy little thing. And I thought, you know what?

Carole Theriault

Is that how you get your thrills, putting us all at risk?

Graham Cluley

I'm not putting you at risk. I'm putting myself at risk that I might have to buy a new one if they chuck it in the bucket, if they spot it.

Dave Bittner

But I will admit, I will admit to owning one of these myself.

Graham Cluley

Wow. Thank you. David, why aren't we friends rather than you and Carole? Well, we were friends. Why? We like the whole show tunes thing, you know. It's true.

Dave Bittner

We both have an affection for chess. Yours is the game, mine is the musical.

Carole Theriault

Why don't we segue with the musical interlude?

Dave Bittner

5, 6, 7, 8. What's your pick of the week? My pick of the week is a YouTube channel. This is called Techmoan. Moan like M-O-A-N.

Graham Cluley

Is there any other kind of moan?

Dave Bittner

That's a good point, actually. I guess there is a tech as in T-E-C-H, right? Moan as in M-O-A-N.

Graham Cluley

YouTube as in U followed by tube. No, not you. Y-O-U. All right, so this is a delightfully nerdy channel that reviews the best and the worst of new and old consumer technology. And what I find particularly fun is he takes nostalgic trips back to look at the things, the devices that we grew up with, things like Walkmans and boomboxes and VCRs. Telephones you have to actually hang up.

Dave Bittner

Exactly, exactly. And he sprinkles in there handy tips and things. He's a delightful— he's a Brit, which of course I find charming. That's probably not a plus for you. And it's great fun. And also, he ends some of his episodes with puppets. He's got puppets. And I love puppets. Who doesn't love puppets?

Graham Cluley

I love a good puppet. Not in a fervent sort of way.

Dave Bittner

Yeah. So he's got puppets. So check it out. It's called— there's a link here. It's Techmoan. Lots of different content there. And it's something that I enjoy watching. Yeah, that is my pick of the week.

Carole Theriault

Well, I kind of feel like you've ripped me off because I have a YouTube channel too.

Dave Bittner

Oh, how do you spell that?

Carole Theriault

So my pick of the week is not security related. Good. And it comes from the Guild of Ambiance.

Graham Cluley

It sounds like a religious cult of some kind.

Carole Theriault

It's not. These guys, well, I hope it's not. These guys build soundscapes that transport you into a new world.

Dave Bittner

Totally not a cult.

Carole Theriault

And as a lot of us work from home, why not change it up a little, right?

Dave Bittner

Definitely not a cult. Nothing about this sounds cult-like at all.

Carole Theriault

It's such a cult. It's definitely a cult. Okay, I need you guys to do something for me, okay? I need you guys to click on this link, okay, but close your eyes when you click on it.

Dave Bittner

Well, then how am I gonna click on it?

Dave Bittner

How am I going to click on it if my eyes are closed?

Carole Theriault

Click on the link, then close your eyes and listen. And I want you to tell me, where are you? What— where do you think you are from the soundscape?

Graham Cluley

I'm scared. I'm scared.

Dave Bittner

Wow. All right, well, this is something. I'm underwater. Rumblings at sea.

Graham Cluley

Is it the bottom of my stomach? It's my digestion system.

Dave Bittner

I'm on the Pirates of the Caribbean ride at Disneyland. Oh, good one. Candles.

Carole Theriault

A galley. You're on a pirate ship. Now, if you go to their full list, YouTube channel, you will see they do all kinds. They do like campfires or dungeons or a storm or near a waterfall.

Dave Bittner

What kind of dungeon?

Carole Theriault

Well, they're like a kind of spooky Halloween one, right?

Dave Bittner

Oh, okay. Okay. Whatever.

Carole Theriault

Now, I think this is great fun. Okay. It just occurred to me. It just occurred to me. Maybe that means I need to get out a bit more if I'm trying to make weird fantasy noises around my office.

Graham Cluley

That's only just to catch you. We do a podcast, Carole. Of course we need to get out more. Episode 97.

Carole Theriault

I haven't left the house since this first episode.

Graham Cluley

You're not just doing this podcast, you're doing podcasts with Dave as well.

Carole Theriault

Anyone else need a podcast, get in touch.

Dave Bittner

And when you do leave the house, don't forget to take your Leatherman Micra with you. I don't need one of those.

Carole Theriault

Oh, all right. My birthday soon. We'll see what happens. I've already got—

Graham Cluley

I already know what I'm getting. Right, pals? Maybe Leatherman could sponsor next week's show. That'd be good, wouldn't it? On that bombshell, I think we've just about wrapped it up. We have to— Dave, if people want to hear more of your dulcet tones and what you get up to, what's the best way that they can do?

Dave Bittner

Well, Graham, they can just go visit thecyberwire.com and they can find everything I do there.

Carole Theriault

A home away from home.

Dave Bittner

Yay. And you know who— you know what's really special? Carole is there now sometimes too.

Graham Cluley

Ah, she is as well. And if you want to follow us, you can follow us on Twitter at Smashing Security, no G, Twitter wouldn't allow us to have a G. And you can also, it's a good idea to follow us on Twitter because you find out about special voucher codes and save money on our online store where you can grab t-shirts and stickers and mugs. All you have to do is go to smashingsecurity.com/store. Thank you for tuning in. If you like the show, tell your friends. Yes.

Carole Theriault

Shout out to everyone who wrote a review last week. We got lots of them and they were lovely and they made me smile. So thank you to everyone.

Graham Cluley

And you can check out past episodes at SmashingSecurity.com as well. Until next time, cheerio. Bye-bye. Bye-bye.

Carole Theriault

Maybe I should have asked them to review us on CyberWire instead. No, I really like CyberWire and Carole, and she's great.

Dave Bittner

Yes, this new correspondent.

Carole Theriault

Mm-hmm. Okay, now can you give us a show tune, Mr. Dave?

Dave Bittner

The corn is as high as an elephant's eye. And it looks like it's climbing clear up to the sky. Everyone: Oh, what a beautiful morning. Oh, what a beautiful day.

Graham Cluley

I've got a beautiful family.

Dave Bittner

Everything's going my way.

Graham Cluley

All right, okay, I'm gonna stop recording. Perfect.

EPISODE DESCRIPTION:

Why was Zoho's website taken offline by its own domain registrar? How are dash cams making you less secure? And why are robocalls on the rise in the United States?

All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The CyberWire's Dave Bittner.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Special Guest: Dave Bittner.
