This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Apparently, if Barbie were an actual woman, she'd have a 39-inch bust, a 16-inch waist, and 33-inch hips.
Carole Theriault
What's wrong with a woman wanting to get rid of a few ribs? What's your issue?
Graham Cluley
The issue is, Carole, that apparently people have worked out that she would only have room in her body for half a liver.
Maria Varmazis
You never need the whole thing anyway, though. I mean, many people have less than half a liver.
Unknown
Smashing Security, episode 270, Bearded Barbie, EDR Scams, and Hobbyist Crime Detectives with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 270. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week, we're joined by family favorite. It's, who else could it be? It's Maria Varmazis. Yay!
Maria Varmazis
Family favorite. Hi! Not the returning family favorite.
Graham Cluley
Back on the pod again.
Maria Varmazis
Hi, everybody.
Carole Theriault
So, Maria, anything you want to talk about that? Oh no, we want to keep it for your pick of the week teaser.
Maria Varmazis
Yeah. Oh yeah, definitely your pick of the week.
Carole Theriault
Well, maybe we can just crack on then.
Graham Cluley
Yeah, why not?
Maria Varmazis
Let's just skip straight to pick of the week. The rest of it nobody cares about.
Carole Theriault
Yeah, I'll thank this week's sponsors anyway: Kolide and Keeper Security. It's their generous support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
Graham Cluley
I'm going to be talking about Bearded Barbie.
Carole Theriault
Ooh, I like that. Okay, Maria, what about you?
Maria Varmazis
The newest, hottest way to get your PII breached that you've never even heard of.
Carole Theriault
Ooh, and I'm going to do a sort of DNA dragnet. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, do you remember in the 1960s, 1970s, when we were children? When we were growing up, you would play with Action Man. I think in North America, he was called G.I. Joe or—
Carole Theriault
Oh yeah, G.I. Joe's. Yeah. A lot of kids in the '80s had those too though.
Maria Varmazis
G.I.
Carole Theriault
Joe.
Graham Cluley
I used to have a Million Dollar Man, Steve Austin, the Bionic Man in his red tracksuit with his bionic eye and his— I think he had two bionic legs, didn't he? Because if he only had one, he'd be running around in circles.
Carole Theriault
Did he have normal arms though?
Graham Cluley
Well, no, he definitely had a bionic arm as well. I'm pretty sure of that. We have the technology. We can rebuild him, all that. Well, of course, girls.
Maria Varmazis
Women.
Graham Cluley
They had their own dolly, didn't they? They had Barbie, who apparently celebrated her 63rd birthday last month. Full name, Barbara Millicent Roberts.
Carole Theriault
She is looking fabulous.
Graham Cluley
Is she?
Carole Theriault
For 63.
Maria Varmazis
The arches of her feet must be killing her. Heels all the time.
Graham Cluley
Well, I'm going to be doing a bit of body shaming when it comes to Barbie in a moment. Because—
Maria Varmazis
All right, I'm sitting back and watching this.
Graham Cluley
Barbie, of course, famous for her on-off boyfriend Ken.
Maria Varmazis
You're about to get
Carole Theriault
Yes, my niece is obsessed with them getting married and divorced.
Graham Cluley
Oh, well, yes, this is what I was reading on Wikipedia.
Maria Varmazis
canceled. Good luck, Graham.
Graham Cluley
They split up in 2004, and it was only when Ken had a makeover in 2006 that kindled their relationship.
Carole Theriault
She was like, hello, bonjour Ken, loving the plastic surgery, dude.
Graham Cluley
Now literally, let's talk about Barbie and her boobs and all the rest of it.
Carole Theriault
What?
Maria Varmazis
Why?
Graham Cluley
Apparently, if Barbie were an actual woman, she'd be 5 foot 9 inches tall, which is, you know, all right, quite tall, but you know, that's right. She'd have a 39-inch bust, a 16-inch waist, and 33-inch hips.
Carole Theriault
What's wrong with a woman wanting to get rid of a few ribs?
Maria Varmazis
She sounds just like me. I mean, you know, what's your issue? That's exactly— those are exactly my measurements.
Graham Cluley
The issue is, Carole, that apparently people have worked out that she would only have room in her body for half a liver.
Carole Theriault
Yeah, Maria and
Maria Varmazis
You never need the whole thing anyway, though. I mean, many people have less than half a liver.
Carole Theriault
If only she weren't made of plastic.
Graham Cluley
She'd have a BMI of 16.24, which would make her anorexic. She's got children's feet.
Carole Theriault
I are gonna— Poor athlete.
Graham Cluley
Yeah. Size 3. And—
Carole Theriault
Yeah, yeah.
Graham Cluley
And she has such top-heavy weight distribution, it would be impossible for her to walk normally. Apparently, she would have to walk on all fours.
Carole Theriault
eat popcorn. We're not— I suspect she also has ginormous eyes as well that probably take up brain space, were she human.
Graham Cluley
Yes, quite large eyes.
Maria Varmazis
Yeah.
Graham Cluley
But what's particularly weird is her neck. It is twice as long as a normal woman's neck and much thinner. And it's been calculated that the chances of finding a single woman with the same naturally tall and thin neck as Barbie is 1 in 4.3 billion.
Carole Theriault
Okay, well, there's at least one on the planet.
Graham Cluley
There's one on the planet. Yeah.
Carole Theriault
And I'm just, where are we, around 6 million, 6 billion, something like that? Funny. My art has a lot of long, skinny-necked women. I wonder if it's Barbie that did that to me.
Maria Varmazis
Oh, fascinating.
Graham Cluley
And what impacts might you be having on fans of your art? People who go to carole.wtf and may begin to get some sort of body dysmorphia from thinking, why aren't I as gangly as Carole's art?
Carole Theriault
Just in the neck department.
Graham Cluley
Right.
Maria Varmazis
Yeah. Yeah.
Graham Cluley
Now you might be asking yourselves, why is Graham talking about Barbie?
Maria Varmazis
I am actively asking myself this entire segment. Why are we talking about Barbie?
Carole Theriault
10 minutes in, we still don't have a clue.
Maria Varmazis
What? What? Okay. Yep.
Graham Cluley
It's because security researchers are now warning us about Barbie, or specifically Bearded Barbie. You know, fancy that. It's no way to talk about Ken, is it? Barbie having a beard. Anyway, researchers at Cybereason say that a— Whoa, whoa. What? What?
Carole Theriault
Did you just make a vagina joke?
Graham Cluley
No, there wasn't a— No, that's not what a beard is, girl.
Maria Varmazis
You know what a beard is, girl, right?
Carole Theriault
No.
Maria Varmazis
Really?
Carole Theriault
Tell me, I don't know.
Maria Varmazis
Oh, Graham, do you want to be the one to explain this?
Graham Cluley
When—
Maria Varmazis
Yeah, go ahead.
Graham Cluley
Our listeners can look it up for themselves. I don't think—
Carole Theriault
No, I want to know.
Graham Cluley
A beard, a beard. So if you are of a homosexual persuasion, and you don't want other people knowing you're homosexual—
Maria Varmazis
Perhaps because you are closeted, yes.
Graham Cluley
Yeah, but you know, perhaps for whatever reason, you didn't want your parents to know or whatever. You might have a beard, which is a person of the opposite sex who hangs out with you and pretends to be your partner. Is this right, Maria? Have I got this right?
Maria Varmazis
Yep, yep.
Carole Theriault
So basically fool the parents.
Maria Varmazis
Yeah, it was like you have a bestie, and when needed for like a school dance or when mom and dad are not sure of your persuasion, you bring bestie home and you pretend bestie is your girlfriend.
Carole Theriault
Ah, right.
Maria Varmazis
Yeah, and that's your beard.
Graham Cluley
Yeah.
Carole Theriault
Okay.
Maria Varmazis
I'm amazed you didn't know this one.
Carole Theriault
Today I learned.
Maria Varmazis
Really? Oh, wow. All right.
Graham Cluley
They're very innocent north of the border, Maria.
Carole Theriault
Aren't we just?
Graham Cluley
Anyway, researchers at Cybereason, they say that a Hamas-backed hacking group known as APT-C-23, or sometimes also known as Molerats, they say they've been catfishing targets in Israel.
Carole Theriault
Do you think that was their address? Apartment C23?
Maria Varmazis
Oh, damn!
Graham Cluley
We've given it away.
Maria Varmazis
Go find apartment C23 and bust that door down! Flash grenades, boom!
Graham Cluley
Well, the gang have been targeting Israelis who work in defence, law enforcement, government agencies through fake Facebook profiles. According to the report, stolen images or AI-generated images of young attractive women have been created by the hackers as Facebook profiles engineered to appeal to Israel's government, police, and emergency services.
Carole Theriault
What? So what, cops are going, "Ooh, I'm looking for some hot women on Facebook, 'cause that's important." They're a little bit more proactive than that.
Graham Cluley
They're not just creating the profiles and waiting for someone to stumble across them.
Carole Theriault
Right, okay.
Graham Cluley
The profiles are actually actively maintained, not just with pictures of young, pulchritudinous, glossy, long-haired, lip-glistening—
Maria Varmazis
Hold back up, back up, back up.
Carole Theriault
All right. What the heck was that? Why are you showing off? How many times did you practice pronouncing that before you got on the show?
Maria Varmazis
Polkredoot—
Carole Theriault
Polkredoot—
Graham Cluley
Polkredootness.
Maria Varmazis
Polkredootness. Polkredootness.
Graham Cluley
I'm not going there. Anyway, so, you know, these are women who—
Maria Varmazis
Polkredootness.
Graham Cluley
They're looking very glamorous, right? They've probably got their own livers. They don't walk on all fours. And they're looking hot.
Maria Varmazis
Who walks on all fours?
Graham Cluley
Barbie does. Barbie does.
Maria Varmazis
Some people like that crawl. And then they have a little leash and maybe a little puppy mask. Oh, you don't know about these guys either?
Carole Theriault
Okay, I'm from the north.
Maria Varmazis
Okay.
Graham Cluley
But the hackers don't just set up a bunch of fake profiles, as I was trying to explain to Carole. They actively maintain them, constantly interacting with many Israeli people, slowly gaining trust. They've been operating for months, appearing more authentic all the time. They join popular Israeli groups, they write posts in Hebrew, they're adding friends of their potential victims as friends of theirs on Facebook. So they look like they're hot, real people.
Carole Theriault
And do they go, "Ooh, I've just seen the new police stats, interesting," you know, to try and get— How are they targeting these particular groups?
Maria Varmazis
They're hot, available young singles in your area.
Graham Cluley
Yeah, and they're gonna pop up as potential friends because they already made friends with your friends, and then maybe you message them and say, "Hey, like the uniform." Exactly.
Carole Theriault
I was just gonna say, isn't there a uniform dating app?
Maria Varmazis
How would there not be if there's FarmersOnly.com?
Graham Cluley
Yeah, nice truncheon. You know, all that. And so—
Maria Varmazis
As an American, I don't know what a truncheon is. I'll have to guess. Is that a gun?
Carole Theriault
Graham, can you explain?
Graham Cluley
A truncheon. Oh no, you wouldn't have one of those in America, would you?
Maria Varmazis
No, we just kill people.
Carole Theriault
You just—
Graham Cluley
Yes.
Maria Varmazis
Shouldn't laugh.
Graham Cluley
We just have a truncheon and a trusty whistle to stop the criminal in their tracks.
Maria Varmazis
Oh, that's so cute.
Graham Cluley
Stop, I say! Would you mind? Anyway, after gaining their target's trust, the fake account, you know, after a while, after a bit of chit-chat, you know, after a bit of this and that, and they say, hey, maybe we could have a more private conversation.
Carole Theriault
In Hebrew, presumably.
Graham Cluley
Why don't you join me on WhatsApp? And now they know your mobile number, because you say, oh yeah, okay, let's have a more discreet conversation. As the conversation gets saucier and saucier, the suggestion is made that, well, maybe we should use a safer and more discreet messaging app. Like, oh, there's one on Android, they say. Like WinkChat. Let's use WinkChat. And bam, you've installed WinkChat. And oh dear, oh dear, oh dear. Because this in fact is the VolatileVenom malware. Who comes up with these names?
Carole Theriault
I've never heard of WinkChat. So this is an app just made for this? Or if you go and research it, it exists?
Graham Cluley
Well, they use a variety of disguises. So some of these may be legitimate apps. And others may be a case of go to a third-party website and download it from an unapproved source because we want to be really private. And once—
Carole Theriault
He's so revolting.
Maria Varmazis
I heard that way too loud in my ears and okay, all right.
Carole Theriault
You bring this out in him. I don't know what to say. He's talking about truncheons and God knows what's going on.
Graham Cluley
Oh yeah.
Carole Theriault
I'm blushing.
Graham Cluley
So, once they've installed this piece of malware, your poor target, what's gonna happen to them? Well, they're gonna have their SMS messages read and stolen. The bad guys can take over the camera. They can steal files from the device, images, record audio, get into your social networks, basically everything. Cause all kinds of—
Carole Theriault
How do they have such low-level access?
Graham Cluley
Because you've allowed it, because you're so hot and horny, Carole, to have your safe, discreet chat with this pulchritudinous woman.
Maria Varmazis
Again with the word.
Carole Theriault
It's a revolting word.
Graham Cluley
You've approved it to have access to absolutely everything. And away you go. And this is what's happening. And in some cases, the hackers may even say, oh, I've got a hot video of myself. Maybe I can share that with you. And they send you a RAR file and you may think, oh, how am I going to open this on my phone? I'll forward it to my Windows computer and unarchive it there.
Maria Varmazis
There's so many red flags that have not gone up at this point.
Graham Cluley
Yes, but Maria—
Carole Theriault
It's because of the truncheons.
Maria Varmazis
It's because of the truncheon. The truncheon gets in the way of thinking. I understand. It is a known phenomenon.
Graham Cluley
You too may have a large amount of self-restraint, but if you were working for Israeli law enforcement or defense or the government or something like that. Remember, these women are very pulchritudinous, right? They are.
Carole Theriault
It's because of the truncheon.
Maria Varmazis
Where's the bell?
Graham Cluley
You know, there's going to come a point—
Carole Theriault
The expression beating a dead horse.
Graham Cluley
Let's keep it clean, please. That's the thing, you see, because you're thinking, I mustn't, I mustn't click, I mustn't click. But at the same time, she's really hot. I like her hair. She's been chatting to me for a while.
Maria Varmazis
She's supposed to be lovely.
Graham Cluley
I mean, well, it's just what is this, 1996?
Carole Theriault
What is this?
Maria Varmazis
Is she going to send over a RealPlayer? I mean, what?
Graham Cluley
RealPlayer? Oh, do you remember how painful that was?
Carole Theriault
Meet you on Yahoo!
Maria Varmazis
Maybe the ICQ.
Graham Cluley
And the thing is, if you can't resist, your finger gets twitchy and eventually you think, oh, sod it, I'll just do it. I'll just risk it this once.
Maria Varmazis
There's free porn on the internet, guys. Yes, but you don't need to open a RAR file.
Graham Cluley
Not of the woman who actually appeals to you. That's the difference, isn't it? This is a woman who you've been chatting to for a while and appears to be real and appeals to you.
Carole Theriault
And so you kind of say, look, rather than doing all this dirty, dirty stuff online, why don't we just meet up in a coffee shop? Look, you're talking to two people that run Sticky Pickles. We are experts in this kind of stuff.
Maria Varmazis
I feel this should be our episode for tomorrow. This girl keeps sending me all these videos of herself, but they're in 1990s 'What do I do?' When the malware gets installed on their computers. It's eDonkey.
Graham Cluley
It of course steals lots of data, PDFs, Office files, image files, videos, images. It can even scoop up— So if you have a— Again, this is another throwback. I don't know if you have a CD-ROM drive. If you have an attached CD-ROM drive.
Maria Varmazis
Attached CD-ROM. Oh my God.
Graham Cluley
The malware can scoop up the contents of that because apparently these people it's targeting may be exchanging information on CD-ROM because it's safer than email or electronically.
Maria Varmazis
Okay.
Graham Cluley
Okay. You see? And so that's a way to get hold of the really juicy stuff from your target.
Maria Varmazis
Oh my.
Carole Theriault
Graham, is that why you gave me a Billy Idol Best Hits Ever CD for my birthday? It's actually loaded up. I don't have a CD player, so it's still sitting wherever.
Maria Varmazis
Oh. It is.
Carole Theriault
I'll return it to you.
Graham Cluley
Oh no, I'll see if I can get you a CD player on eBay. If it's less than £10, that can be yours for your birthday.
Maria Varmazis
And do you plug that into your cell phone? What has—
Graham Cluley
No, this is on your— Have you been listening to this?
Maria Varmazis
I'm just being obtuse. I'm just being obtuse.
Graham Cluley
Anyway.
Maria Varmazis
I'm looking at my CD player right now.
Graham Cluley
Well done to Cybereason for taking apart this malware, finding out about these naughty girls, if they are girls.
Maria Varmazis
No, they're not.
Carole Theriault
They're profiles.
Graham Cluley
Their profiles.
Carole Theriault
Stop being so sexist.
Graham Cluley
I'm not being sexist.
Carole Theriault
Well, naughty girls, you're just being kind of a perv.
Graham Cluley
Perv.
Maria Varmazis
Alchritudinous.
Carole Theriault
I haven't looked it up yet.
Graham Cluley
Maria, what's your story for us this week?
Maria Varmazis
So in the States, if you are in law enforcement and you want to get your hands on somebody's private information, usually you have to go through the courts. Yeah, that's, yeah, I think that's kind of a universal thing. And generally when the cops or the feds go to the court, they have to make a case in front of a judge for a warrant or search warrant or something like that, and the judge has to sign off on it. That's the proper way for this kind of thing to go. Yeah, but in some cases, law enforcement might go to a service provider with a warrant and say, we want to make a bulk request of a whole bunch of customer data. So we're not going after one person, we want to go after everybody who was in a certain location at a certain time, or everybody who has searched for a certain keyword or phrase within a certain time, and hoover everybody's information up. And that's one way that your information could get taken without really being under a court notice, right?
Carole Theriault
Yeah, yeah.
Maria Varmazis
But there are also ways for law enforcement to get their hands on your info without going through the courts at all. So even worse than these two methods, right? So there's this little thing that I have recently learned about called an emergency data request, or EDR. Have you heard of this?
Carole Theriault
Emergency data requests, EDR.
Graham Cluley
It's as if someone's in danger, isn't it?
Maria Varmazis
Yeah, law enforcement basically goes, this is a matter of urgent life or death. We need somebody's home address, phone number, known IP addresses, and forget all the paperwork.
Carole Theriault
Someone's life is in danger right now. Yeah, PDQ, PDQ.
Maria Varmazis
Yeah. Yep. So the cops or the feds, all they have to do to submit an EDR to an ISP or phone provider is submit the request from an official email address, they're at lawenforcement.gov or whatever, and maybe attach a little PDF affidavit that says, yes, this is a totally legitimate real request. And that request goes to a special department, or a person usually, at the company in question. And that person knows that their job is to answer these requests as fast as possible.
Carole Theriault
Oh my God, okay, they better not have automated this.
Maria Varmazis
So if you were the company in question receiving requests like this, you're basically being told if you don't hand over this customer data basically immediately, someone's gonna die. Someone's gonna die, literally life or death.
Carole Theriault
Yeah.
Maria Varmazis
So generally they usually hand it right over because there's no time to check this. How would you check? You can't call them up and be, excuse me, is this a real request? You can't. You have to, you're presuming that the cops are standing outside somebody's door or something right now, just waiting for the information they need. So I know it's really shocking to hear this, but some folks with less than great intentions have figured out that if they have or gain or steal access to a legitimate-looking U.S. law enforcement email, they basically have an easy-button way to get information on someone that they're trying to bully or harass or even stalk.
Graham Cluley
Oh my goodness.
Maria Varmazis
So there are tens of thousands of individual police departments all over the US. We're not centralized. We don't have one main centralized thing. So you don't need to hack the FBI to get a law enforcement email that's legit. You just need to get into the county sheriff or something. And not surprisingly, compromised law enforcement accounts, US law enforcement accounts, frequently appear for sale on the dark web. So you don't even need skills to get such an email.
Carole Theriault
Okay, I think, yeah, I think I just need to understand exactly how it's working, 'cause I'm not getting it. 'Cause I'm a bit slow today, I guess. Today.
Maria Varmazis
Okay, person with official-looking email sends email to an inbox at a company saying, "I need this customer's data right now, right now, right now, right now." And the company goes, "Okay."
Carole Theriault
"This is looking like it's coming from police department, blah, blah." Yeah, and they go, "Okay, here it is." Yeah, that's it.
Maria Varmazis
Yeah, it's that easy. Right.
Carole Theriault
Okay, gotcha.
Maria Varmazis
It's really not any more complicated than that. So, do you want to guess how much a law enforcement email account goes for on the dark web in US dollars? I have no idea what the crypto amount would be, but—
Carole Theriault
I'm going to say $10K.
Maria Varmazis
$10K. Graham, what about you?
Graham Cluley
I'm going to say $10.
Maria Varmazis
It's somewhere in the middle, although closer to your guess, Graham. It's $150. So not much. So, one hacker posted a law enforcement email for sale on the dark web with this little message: you can breach users and get private images from people on Snapchat, like nudes. Go hack your girlfriend or something, haha. You won't get the login for the account, but you'll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don't use a VPN. You can also breach into the government systems for this, find lots of more private data, and sell it for way, way more.
Graham Cluley
Whoa. This is bad. So hang on, so I could pretend to be a policeman, I could contact Snapchat and say, it's a matter of life and death, I need to see this person's nudes. What would be the— what would be the—
Carole Theriault
No, I think you'd get— I think you'd get all of it.
Maria Varmazis
You would probably get their all their PII, and then enough information that you could then log into their account and/or all their data. All of their data, probably.
Graham Cluley
Right.
Maria Varmazis
So companies have been a little bit mum on exactly how much data they've handed over, but yes, a number of big tech firms have fallen for this. In the last few weeks, we found out that the chat giant Discord did hand over information about an 18-year-old user from Indiana. And then Bloomberg just reported a few days afterwards that both Apple and Meta— haha, I made this into a Facebook story— have fallen for this as well. So they won't say how many times, they won't say what they've handed over, who was affected, but basically Bloomberg says that yes, they've fallen for this.
Carole Theriault
The thing is, is the company that is getting this request is basically faultless because they're, look, someone presented a valid EDR. What am I supposed to do? There's thousands and thousands and thousands of agencies that could get EDRs.
Maria Varmazis
Yeah. Yep.
Carole Theriault
How the hell do I know? I think we need to get the blockchain involved.
Graham Cluley
That would fix this problem. Maybe if you could verify everything on the blockchain, blockchain, blockchain.
Carole Theriault
Graham, do you need some water or something?
Maria Varmazis
Pulchritudinous.
Carole Theriault
Yes. It's so weird today.
Graham Cluley
I had water last week. We know what happened.
Maria Varmazis
Yeah.
Graham Cluley
So, but this is a problem, Maria. How's this going to get fixed? Because obviously the people receiving these requests want to do the right thing and they want to help the authorities. How are they going to verify that a request is genuine or not?
Maria Varmazis
I think watch this space, because this is basically like swatting on steroids. It's not great. And the only way, as a user, to protect yourself from this is to not use services that ask for your PII, which is like, good luck.
Carole Theriault
Good luck getting a mortgage, insurance.
Maria Varmazis
So yeah, there's not much that you can do as a user aside from just don't exist or don't exist on the internet.
Carole Theriault
Can we not advise that people—
Graham Cluley
Good caveat there.
Maria Varmazis
Yes.
Graham Cluley
You weren't actually advising all our listeners to kill themselves.
Maria Varmazis
No, not usually anyway.
Carole Theriault
I jumped in, Graham. I jumped in.
Graham Cluley
I see this. Well done.
Carole Theriault
Well done.
Maria Varmazis
Thanks. But what occurred to me is that we are definitely going to need a term for this. Right? Because things like phishing and whaling and smishing are all kind of ridiculous. So I don't know what we would call an attack like this when you impersonate a cop to use an EDR to get somebody's info. Any thoughts what we should call something like this?
Carole Theriault
I don't know, why don't we stay simple? EDRing.
Maria Varmazis
It's not very catchy. No.
Carole Theriault
All right, well, I'll leave it to you then, Graham. You're so good at this.
Maria Varmazis
Yes, Graham, what do you think we should call it?
Carole Theriault
Pulchritudinous? A wise one. A wise one. Apparently Graham's neighbor's kids call him King Graham the Great.
Maria Varmazis
Oh, I'm sure that won't go straight to your head.
Graham Cluley
Yeah. Well, I tell them to.
Maria Varmazis
Ah.
Carole Theriault
And they do.
Graham Cluley
I also insist on no eye contact. I've got them under control. Carole, what have you got for us this week?
Carole Theriault
Well, Maria, we are in sync. Mine also has cops and murders. Murders.
Maria Varmazis
Yeah.
Carole Theriault
Okay. And are any of you guys like crime junkies? Like podcasts, documentaries, TV series, that kind of thing? Crime cop shows?
Maria Varmazis
Not really.
Carole Theriault
No.
Graham Cluley
Sometimes a little bit, you know, Midsomer Murders, that kind of thing.
Carole Theriault
Forensic Files, Cluley?
Graham Cluley
Yeah, Forensic Files. Right?
Carole Theriault
That was pretty good. Okay.
Graham Cluley
Yes.
Carole Theriault
So, because I have a quiz, I'll be so out of my element. Yeah, you're gonna play blind, and Graham, you have a little bit of knowledge in this area. Okay.
Graham Cluley
Okay.
Carole Theriault
So between 2019 and 2020, the U.S. murder rate went A, up, B, down, or C, stayed the same?
Graham Cluley
2019 to 2020?
Maria Varmazis
Yep, during the pandemic.
Graham Cluley
So, yep, I would think it went up because all those people staying at home and getting fed up with their partners.
Maria Varmazis
I think it dropped.
Carole Theriault
Interesting. It rose massively. The largest, the largest single-year increase in more than a century, up 30%.
Maria Varmazis
Wow. Good thing I stayed at home.
Carole Theriault
Yes. And they like you there. Now, question 2. What percentage do you guys think of murders get solved? So a quarter, half, three-quarters, or almost all?
Graham Cluley
I would say almost all.
Carole Theriault
You would say almost all? Okay.
Maria Varmazis
I was thinking less than half, like a quarter.
Carole Theriault
So yeah, no, it declined from 61% of murders that were solved in 2019 to 54%. So just over half are solved. And the thing is, it's hard to commit a physical crime like a murder without leaving DNA behind, right? It's pretty hard to do anything physically without shedding a bit of DNA about the place. And we know that DNA is a great tool to help nail a perp. Do you know what year DNA was first used in a criminal case? You want to take a bet on that?
Graham Cluley
I guess on that one, was it 1472?
Carole Theriault
Yes, correct, Graham! No, 1986 was when the first case was.
Maria Varmazis
Yeah.
Carole Theriault
And, you know, it helps place suspects at a crime scene. It also enables forensic genealogists to solve cases that went cold decades ago. So we have the technology to extract DNA evidence. So why are there so many unsolved crimes? More than half go unsolved. Why would that be?
Graham Cluley
Well, the DNA testing labs are very busy, I would think, and there's probably a queue, and it costs money.
Maria Varmazis
Yeah, yeah.
Graham Cluley
And you've also got to pay people to scoop up the DNA. You know, is it—
Maria Varmazis
That was more of my thoughts. "Oh, they're dead."
Graham Cluley
Whatever. Yeah, exactly. They're not complaining.
Carole Theriault
Right. Another reason on this is the DNA testing behemoths, Ancestry and 23andMe, have largely resisted cops accessing their database. So, they've joined together and said, "No, no." Are they behind the murders? Are they behind the murders?
Graham Cluley
Is that why they're holding on to all that DNA information? "We don't want it leaking out and people finding out we were responsible."
Carole Theriault
So, this is someone who's committed 13 murders and dozens and dozens of rapes in California. The cold case went unsolved for decades. They had no idea who the perp was. Until the FBI decided in 2018 to use DNA evidence from a sexual assault to build out the perp's likely family tree, known as forensic genetic genealogy. And they uploaded it to this site called gedmatch.com. This is a free site for all to find biological relatives or to construct elaborate family trees.
Maria Varmazis
This is GoFundMe for law—
Carole Theriault
And the idea was for the cops to comb through the consumer genetic databases to find the man's relatives, however distant, to try and triangulate his identity. And within 5 minutes of seeing the results, they apparently located a close relative amongst the million or so profiles in the database. And within 2 hours, they had a suspect who was soon arrested, a 72-year-old former cop. So you have this mountain of unsolved murders, you have little resources, you don't have any money to pay for them. They cost about $5,000 a pop to get the DNA tested to do that. Cop shops all around the country are picking and choosing which cases they're gonna invest in, right?
Maria Varmazis
for justice. Oh, come on.
Carole Theriault
"This is one we can probably solve. This one we'll put on the shelf." And there's loads and loads of untested DNA stuff. So, what do you do now? To steal a catchphrase from Sticky Pickles, right? What do you do now? You've got the tech, and you've got the will, but you just don't have the resources or the money.
Maria Varmazis
This is heartbreaking.
Carole Theriault
What you do is you say hello to what The New York Times are calling criminal philanthropists. Amateur detectives donating their time to sort through the search results, plus financial backers that are literally throwing money at the problem to pay the labs to process the DNA information. Because they are saying, "We've got it. We just need the money to process it." I would invite you guys to go visit this website, dnasolves.com.
Carole Theriault
And there's all kinds of groups sprouting up all over the place. There's this company called Othram, which is a purpose-built police DNA resource, right? It's receiving money from philanthropic donors all over the place. You have nonprofits called Season of Justice, which raised $250K through crowdfunding and so far has made grants towards 53 unsolved murders. You've got DNA Detectives on Facebook, helping strangers find unknown parents. So it's kind of complicated, right? Because it's kind of the public is throwing their time and cash at a problem, and you've got all these groups and nonprofits and organizations popping up to assist as a middle person. What issues are there?
Carole Theriault
Because they want your DNA in order to say the more DNA we have, the more that we can, you know, sort against it and find the real perps. We need lots of DNA to do that, so contribute it, give it away.
Maria Varmazis
So yeah, so basically sort of accidentally snitch on a relative, you know, if they murdered somebody.
Carole Theriault
Well, without snitching. And in fact, if your brother or sister, for example, did it, yeah, then there'd be information on you, right? Even though you didn't decide to partake because you shared DNA.
Maria Varmazis
Let's go out on a not-so-long limb here. Nobody in my family has murdered anybody. So seriously, good to know. Yeah, so I mean, I'm not— why would I? I still don't understand why I would.
Carole Theriault
It's "Oh, do we ever have to do this again?" But what if there was a cold case from 200 years ago? Okay, or maybe 25 years ago, and you know, it was a distant cousin. And you have to be able to match it to the right person, right? Because you may have this DNA and go, "We know everything about the DNA, but we don't have a match." And maybe the person who's murdered, no one really ever liked them anyway.
Graham Cluley
I don't really like the idea of people having my DNA data.
Carole Theriault
Why, because they might get hacked?
Graham Cluley
Well, I know that some of these websites have been hacked in the past and DNA data has been stolen. But other than that, also, you don't know how it might be misused in the future.
Graham Cluley
If some evil regime comes into play governing our countries in the far-flung future, they may decide, oh, well, we don't really want podcasters anymore. Can we round up anyone who's podcasted in the past or has genetic similarities to podcasting?
Carole Theriault
And there's not much regulation out there for this either, right? So there's companies snapping up these companies. 23andMe, I think, has just been bought. Ancestry has also just been bought. There's lots of money going around in this area, and they're being bought by people that, you know, want to make a buck. You know, it's going to take ages for regulation to catch up. So there's this little Wild West thing happening.
Maria Varmazis
DnaSolves?
Carole Theriault
Yeah, dnasolves.com.
Maria Varmazis
Okay.
Carole Theriault
And on the homepage, you'll see featured cases, right? And you will see they'll give you highlights of a case that they're trying to solve.
Maria Varmazis
It's all these margins, gray area stuff. I get the need for the financial contributions, as much as I'm just— I hate that that's necessary, but I get it. That's what I thought. Okay. Yeah, it sucks, but I get it. But the— I just— why do you need my DNA for that?
Graham Cluley
Is it, Maria? Is it? Is it?
Maria Varmazis
I hate that it exists.
Carole Theriault
Right? So you can go through this and you can kind of go, oh, I really want to help a particular type of person. So you might just go and fund specific cases. To your point, though, Maria, that you made earlier saying, I don't really like this, there seems— and I know nothing of DNA evidence really, right? But I did see a number of reports and papers that were saying, look, there is nuance to interpreting DNA. So there is suggestion that there can be, you know, bias based on race or based on anything. That adds a little, you know, cloud to the—
Graham Cluley
I understand that. So Uncle Bob may not be dodgy after all.
Maria Varmazis
Yeah. No, it's not bad. I hate that it exists.
Carole Theriault
Well, exactly. And then you've put him in the clink just by, you know, swabbing your mouth and slapping it across.
Graham Cluley
But there should be another way. Yeah, is what you're saying. Yeah, Maria. So I don't think you should do it. Okay.
Maria Varmazis
Wasn't, wasn't planning on it, but I just— it raises more questions than it answers, you know.
Carole Theriault
Because yeah, if it didn't exist at the moment, the argument would be, well, the cases will just sit and gather dust. And you know, you're not alone because people are sitting on the fence when it comes to DNA evidence being used.
Maria Varmazis
Yes. Until we have enough money and resources to do it, which will be on Saint Never's Day. So yeah, exactly.
Carole Theriault
So in a Pew survey of more than 4,000 US adults, 48% said they were okay with DNA testing companies sharing customers' genetic data with police, a third said no way, and 18% were like, don't know.
Graham Cluley
So a lot of people sitting on the fence, it seems to me. That'd be a prime place to scoop up some DNA then.
Carole Theriault
Go for it, go nuts.
Carole Theriault
It doesn't—
Graham Cluley
Okay. Just something to think about, folks.
Maria Varmazis
I mean, I'm just looking at that big Contribute DNA button and I'm— I'm more— I'm still sore that I did an Ancestry thing years and years ago with my parents, and it's, oh, well. My mom was very into it, and so it's, yep, now that's, that's out there. So I got burned by that, and now it's all right, I'll be real careful with this stuff. Yeah, this is— this one, it was new. Okay, I have not murdered anybody though, as far as I know anyway. So I mean, if they're looking for, say, murderers, how does having my non-murderer DNA help them? I don't quite understand.
Graham Cluley
Because you might have a relative. Is that— isn't that the reason?
Carole Theriault
Yeah, well, you could now go to, you know, you could go to a website and go see if you have long-lost relatives. GEDmatch.com. It might be Uncle Bob, right?
Graham Cluley
Yeah, Uncle Bob is a bit shifty. Yeah, I think they've been hacked in the past.
Carole Theriault
There you go. Fun times.
Graham Cluley
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
So imagine this scenario. You're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for. Now, listeners would never send passwords over email or Slack, but what about your coworker? How many organizations out there are sending logins back and forth in plain text? Worse yet, how many just store all of their logins on a shared spreadsheet? We all know that human errors are the biggest threat to your organization's security, but did you know that weak or stolen passwords account for over 80% of all data breaches? There are tools out there that allow you to share credentials, set access permissions, and monitor the dark web for stolen logins. Keeper Security's enterprise password management platform does just that. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented zero-knowledge encrypted vault, and it takes less than an hour to deploy across your organization. Sign up for a Keeper free trial for your organization today and get a free 3-year personal plan VPN. So get started by visiting smashingsecurity.com/keepersecurity. That's smashingsecurity.com/keepersecurity.
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Graham Cluley
Did you see it, Maria?
Graham Cluley
And you can follow us on Twitter at Smashing Security. And we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app. And maybe if you really like the show, you could tell someone about it or leave us a review.
Carole Theriault
Pick of the Week.
Maria Varmazis
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security-related. I have sometimes been called into question on this podcast regarding my pronunciation of certain words.
Maria Varmazis
Never, never.
Graham Cluley
Yes, I'm afraid so. I still haven't quite got over the caesia discussion, and there've been a few others over time. Now, I found a YouTube channel earlier today by a French chap, a winemaker. He says he's trained in Bordeaux or Bordeauxx. No! Based in France.
Carole Theriault
No, he's absolutely right. Bordeauxx.
Maria Varmazis
That's right.
Graham Cluley
His name is Julien Miquel. And you know that champagne, Moët Chandon? Champagne. Yeah, champagne. You know that, Carole?
Carole Theriault
Okay.
Maria Varmazis
Yes.
Graham Cluley
No, you don't actually, because did you know it is not pronounced "mo-ay"? Even though it looks like, because it's French, you don't pronounce the final T. No, "mo-ay." Yeah. No, no, no, no, no, no, no, mademoiselle. It is actually "mo-ette," because it's someone's name. And I think the chap was from Belgium or something. So it's actually "Moët et Chandon." There you go. If you're really poncy, then you know. This is just one of the fascinating facts which I found on this chap's YouTube channel, where he's made lots of videos explaining the pronunciation of words. And I quite like his voice.
Carole Theriault
Does he have a very strong French accent?
Graham Cluley
He has a slight French accent.
Maria Varmazis
So his whole channel is about how he pronounces words?
Graham Cluley
Well, no, there's a lot about wine and that sort of guff as well, and I don't care about that. But yeah, it appears to me that his more popular videos are about how to pronounce words like Wednesday.
Carole Theriault
How do you pronounce Wednesday?
Graham Cluley
Let's listen to him explaining Wednesday right now. Okay, we are looking at how to pronounce this word as well as how to say the name of all seven days in a week. How do you go about pronouncing this one? Wednesday. You could simply, as you can see on your screen, spell it as W-E-N-Z-D-A-Y. Day, and then day. Wednesday. It's actually very easy.
Maria Varmazis
There's everything on the internet. Wednesday.
Carole Theriault
Gorgeous.
Graham Cluley
He has a little charm about him, I think.
Carole Theriault
Yeah, interesting.
Graham Cluley
And it's a useful site because if you are like us, broadcasters, you want to be able to pronounce words correctly. And so you go to a Frenchman who will give you the advice. And that is why Julien Miquel's YouTube channel is my pick of the week.
Carole Theriault
Fascinating.
Maria Varmazis
Wow.
Carole Theriault
Words fail you. Yeah.
Graham Cluley
You sound somewhat underwhelmed, Maria.
Maria Varmazis
I'm just— there's everything on the internet. I'm just—
Carole Theriault
There's so much. Yeah.
Graham Cluley
No, no, let's hope my response to your pick of the week is a bit more positive than yours was to mine. So what have you got for us, Maria?
Maria Varmazis
I would hope so. It's an appeal for money.
Graham Cluley
Good luck with that.
Maria Varmazis
Yes. Yeah, it's a really great way to start on that. I'm doing in early August a 200-mile bike ride.
Carole Theriault
You're insane.
Maria Varmazis
Across two days.
Graham Cluley
Oh my goodness.
Maria Varmazis
Yeah, across two days. So August 6th and 7th, I'm doing what's called the Pan Mass Challenge and 100% everything that's donated goes towards cancer research at the Dana-Farber Cancer Institute. They do a lot of cancer research, especially for children's cancers. So basically I'm raising money for a cancer research fundraiser — child cancer, not just child cancer, but a lot of child cancers.
Graham Cluley
You had to play the cancer card though to get — so now I feel like a git in my build up to your pick of the week.
Carole Theriault
I've already decided that Smashing Security is going to give her $100.
Graham Cluley
Awesome.
Maria Varmazis
That would be amazing. Thank you, because I have to raise $6,000.
Carole Theriault
All right, listeners, you've heard Maria. It's time to crack open those wallets if you can. If not, you can just send Maria good luck.
Maria Varmazis
Yes, you can follow me on Strava or whatever, cheer me on as I'm training for this. That would be amazing.
Graham Cluley
But how do we donate money, Maria, to this cause?
Maria Varmazis
Okay, so I'll definitely give you the link to my PMC profile where you can donate. But if you're listening and just need to write down the link, bit.ly/MariaPMC, and it's all lowercase because it is case sensitive. So bit.ly/MariaPMC will take you to my fundraiser page.
Carole Theriault
You're incredible.
Graham Cluley
50 miles?
Carole Theriault
I don't even think Graham's electric car can drive that far.
Maria Varmazis
I also have an electric car, but it can definitely go more than 50 miles. Yeah, you can see the log of all my training rides, and I'm working my way up to doing, you know, 100 in a day and then about 80 the next day.
Graham Cluley
So, okay, people have got to go to this: bit.ly/MariaPMC.
Maria Varmazis
Yeah, all lowercase on the Maria.
Graham Cluley
All lowercase.
Carole Theriault
Isn't that crazy? Yeah, there you go.
Maria Varmazis
If you work for a company that does corporate match, please do that too, because you've got plenty of time to do that. My ride's in early August 2022, so I would love your support. I'm very bad at fundraising, but I really want to raise money for this great cause.
Graham Cluley
You're an inspiration, Maria. 50 miles at the weekend, 200 miles in September.
Maria Varmazis
In August.
Graham Cluley
In August.
Maria Varmazis
In August. Yeah, yeah.
Carole Theriault
Sorry, he fell asleep.
Maria Varmazis
That's okay.
Graham Cluley
All right, so yeah, the thing is, if I did the ride in August, I'd probably finish in September. That's the thing.
Maria Varmazis
So honestly, that's what my worry is, that will also be my situation. That's why I'm training so hard, because I know I'm going to be one of the very, very last people to roll through the finish line because I'm very short, and I'm not that strong or fast a rider, but I'm training hard, so I'm not taking 15 hours to complete.
Graham Cluley
Maria, are you allowed to use an e-bike? Or does it have to be a real bike?
Maria Varmazis
No, I think that goes against the spirit of the whole thing.
Carole Theriault
I won't tell.
Graham Cluley
You are gonna be knackered. And your legs and your poor bottom. What kind of saddle do you have?
Maria Varmazis
I have a Terry saddle, which makes amazing saddles specifically for women's anatomy, if you want to know. I will happily answer any cyclist nerd questions on Twitter.
Graham Cluley
All right, the words we're learning this week: beard, Bianchi, Bianchi, Bianchi, like Bianchi Jagger.
Carole Theriault
It's a type of bike, Graham.
Graham Cluley
Oh, I see. Oh, okay. Carole, what's your pick of the week?
Carole Theriault
Well, I went for a Netflix movie. Well, it should have been a series, but it's a beautiful stop-motion animation comedy horror drama for adults, and it's called— okay, what's it called?
Graham Cluley
Oops, you made a big impression.
Carole Theriault
No, I suddenly thought it was called Home, but it's called The House. It came out in January.
Maria Varmazis
Okay. I saw the preview for it, and I wanted to watch it, and I think I just was not in a good place for that at the time.
Carole Theriault
So worth watching, though. It's so good. So, it features the voices of Mia Goth, Jarvis Cocker, Susan Wokoma, Helena Bonham Carter.
Graham Cluley
And is it just for adults, or would it be appropriate for younger people as well?
Carole Theriault
No, not young people, no, but maybe tweenies. I don't know, there's going to be an age limit.
Maria Varmazis
Yeah, I'll have to give it another shot because I tried watching it, I just— it was early January, so I was like, this is a little too dark for me.
Carole Theriault
It is dark, it is dark, and it is horror-y, but it's also got some really cute bits. And Jarvis Cocker has a great voice, and he has a great character and attitude. I love the animation style. I thought it was just incredible.
Maria Varmazis
So I need to give it another shot.
Carole Theriault
There you go. Super duper. Well, I think we've just about wrapped it up for this week.
Maria Varmazis
bit.ly/MariaPMC or @mvarmazis on Twitter.
Carole Theriault
And huge thank you to this episode's sponsors, Kolide, Keeper Security, and to our wonderful Patreon community.
Maria Varmazis
You can talk to me there too.
Carole Theriault
It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 269 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio. Bye-bye.
Maria Varmazis
Bye. And I just remembered something. We didn't do— I didn't plug the thing where I said I'd wear a company's logo on my back if they gave me enough money.
Graham Cluley
So come on, Elon Musk. Come on, Jeff Bezos. Come on, Church of Scientology. Any of you want to sponsor? She doesn't care.
Maria Varmazis
Some discretion will be used, but, you know, we can have that conversation. Let's put it that way.
EPISODE DESCRIPTION:
Pulchritudinous women with glossy long hair are targeting Israeli officials via Facebook - but why? Scammers have found a new way to gain access to your most sensitive information - but how? And armchair detectives are helping investigate cold cases involving DNA - but should they?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.