
264: Hacked car chargers, Telegram sextortionists, and secret bossware


Why might Russian EV chargers be displaying an anti-Putin message? Why are Telegram groups sharing explicit images of women without their consent? And who is watching you in the workplace?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Visit https://www.smashingsecurity.com/264 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Jessica Barker.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. So, clearly it's a popular phrase. I thought it was just on the football terraces where they go, Putin is a dickhead, Putin is a dickhead, but it goes further than that.


CAROLE THERIAULT. A good Russian accent, by the way.


GRAHAM. Smashing Security, Episode 264, Hacked Car Chargers, Telegram Extortionists, and Secret Bossware, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 264. My name's Graham Cluley.


CAROLE. 264, Graham. Oh, my God. And I'm Carole Theriault.


GRAHAM. And this week we're joined by a special guest, someone who hasn't been on the show for a while, but we're delighted to have her back. It's Jessica Barker. Hi, Jess.


JESSICA BARKER. Hello. Hello. Hello. Hi, Jess. Glad to have you on the show. Oh, I'm delighted to be back. Thank you.


GRAHAM. Now, has anything happened in the news since we last put out an episode? Anything grabbing the headlines? Nothing good. Oh, my word. Yeah. Yeah.


CAROLE. Yeah. We were thinking, oh, please, pandemic, just end so we can get back to normal. I know.


JESSICA. Right? We were thinking this is going to be the year 2022.


CAROLE. Actually, we thought that in 2021. We did. And 2020 and 2019.


JESSICA. Got a feeling we'll be thinking in 2023.


GRAHAM. Yeah. Every year it's, you think you've seen it all? Here's something else. So obviously we're all terribly concerned about the ghastly events going on in Ukraine, and although we're not going to be talking about that too much in today's episode, we do know that lots of people want to do their bit to help, and there's not that much many of us can do when we're far away. So we're going to put a link in the show notes with details on how you can make donations and provide support, if you want to, for the people of Ukraine, who are obviously going through a horrendous, horrendous experience.


CAROLE. Yeah, I mean, yeah, it's just, it's unbelievable. It blows my mind. Yeah, absolutely.


GRAHAM. Anyway, although we're not there in person, we're there in spirit. And Carole, what have we got coming up on this week's show?


CAROLE. Well, first, let's say thank you to this week's sponsor, Kolide. Its support helped us give you this show for free. Now, coming up on today's show, Graham, what have you got?


GRAHAM. I'm going to be charging about the countryside. OK.


CAROLE. And what about you, Jess? I'll be talking about the trouble with Telegram. And I'm going to be talking about what happens if bossware gets it wrong. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now chums, have either of you ever enjoyed motoring along the M11 motorway?


JESSICA. Yeah, enjoy is a loaded word there Graham.


GRAHAM. I'm not talking about the M11 which runs between London and Cambridge but the motorway that runs for 425 miles between Moscow and St. Petersburg in Russia.


CAROLE. No. You ever done that, Jess? I've never ever been in Russia, actually. No. No.


GRAHAM. Nor me. Nor me. And possibly we'll never get invited now.


CAROLE. We're all talking out of our asses. Excellent.


GRAHAM. Well, the M11 in Russia is over 400 miles long, joins Moscow and St. Petersburg, and has a speed limit of 93 miles per hour, which seems quite racy to me. It's cut the typical journey time from the capital to St. Petersburg from nine hours down to five and a half hours.


CAROLE. Why? Because the road is more direct and people can drive faster.


GRAHAM. It's more direct, you can drive faster. It's not a conveyor belt for cars.


CAROLE. No, no. Or a great big slingshot.


JESSICA. That would open up some interesting security discussions. Wouldn't it?


GRAHAM. Now, I drive an electric car.

Oh, la-di-da. And my electric car would not be able to make that entire journey. I'd have to recharge it at least once.


JESSICA. We're electric car buddies, Graham. Oh, you too, eh? Yeah.

See, we are so right on, aren't we, Carole?


CAROLE. I'm more right on than you guys. My car is about 15 years old, so I win on that front. I don't know if I win for the environment, but, you know.


GRAHAM. Well, I'd have to schedule my stops quite carefully in order to make that journey. And I would have to pull into a service station. I'd have to top up on some electrons. You know, maybe we could stop, stretch our legs at the filling station. Kids can play around in the playground. No, no, no, Carole. You don't. What? No.


CAROLE. You're in Russia. No, not even in Russia.

You don't drink vodka. Well, I suppose you could if you're a passenger. But not if you're driving, right? Right.


GRAHAM. But it's all quite high tech from what I've read. I have this morning been researching the service stations on the M11 in Russia, and you can order food and be beeped wirelessly when your grub is ready. So you can stay in your car as you're charging it. It's all kind of, you know, high tech. You're, wow, don't we have this here? Well, exactly. Wouldn't that be wonderful? You know, at the moment, it's all knickknacks and Quavers and things.

Pick and mix is about as good as it gets. You know, if you're lucky.


CAROLE. Can I ask a question to both of you? So both of you. So when you go get your car charged, when you're plugged in and, you know, hoovering up the electrons, as you say, can you then just get out of the car, lock it and go to your shopping or?

Yes. Oh, yeah. Oh, right. That is something I wondered before I had one.


JESSICA. Yeah, but you can. You can just leave it, pop off to the shops.


GRAHAM. You can. But what I've noticed is that someone else can then come up to the charger and say stop, can't they? They can press the stop button to stop it charging.


CAROLE. And that would be very bad form. It would be. To take it from you, to steal it from you or something. Well, yes. It's like I used to go to the laundrette and people would take your wet laundry out of the dryer and put theirs in.


JESSICA. Drove me nuts. Oh, yeah. Very bad form. But I suppose as well, some people might just do it for the lols. You know? Run down and turn everyone's car on.


GRAHAM. So there you are. The journey is the destination. What a wonderful experience. You're loving this. You're embracing the Russian countryside, you're enjoying that special time sat next to your partner for 45 minutes while you charge up your car. Could be longer.


CAROLE. Your finger getting aches from scrolling your phone, exactly.


GRAHAM. But alas, sometimes I don't know if you found this Jess, sometimes the electric vehicle charger isn't working properly. Oh, very frustrating. You find a charger and it's free and this isn't just a British experience, that happens around the world. So I found a video on Facebook where this chap goes up to an EV charger on the M11 motorway in Russia only to be greeted with an error message. It says "cool service, no plugs available on this charger." And if he waits a few more seconds, that's not that odd an error message, right? But if you wait a few more seconds it begins to show different messages in Russian, saying "what glory to Ukraine, glory to the heroes, Putin is a dickhead, and death to the enemy." As Motherboard Vice points out, this "Putin is a dickhead" slogan became really popular amongst Ukrainians following Russia's annexation of Crimea back in 2014.


JESSICA. Well, also, there is a star, I believe, called "Putin is a dickhead," named in 2014 by Ukrainian astronomers.


GRAHAM. They found a star. What shall we call this star? "Putin is a dickhead." So clearly it's a popular phrase. I thought it was just on the football terraces where they go, "Putin is a dickhead, Putin is a dickhead." But it goes further than that. A good Russian accent, by the way. So what do we know? What have we found out from this story? Well, we found out that electric vehicle chargers on the M11 aren't working. And it's possible someone isn't a huge fan of Vladimir Putin. And then it turned out there's a bit more to it than that. Because the Russian energy company, which operates these electric chargers, they posted a message on Facebook apologizing for what they described as the external interference on their chargers. They said, "We have made the choice to suspend operations on our chargers on the M11 in Russia."


CAROLE. Oh, my God. Supply chain issue. Exactly.


JESSICA. Yeah. So this is the company that makes the chargers. Is that right?


GRAHAM. Well, it's the company which operates them.


CAROLE. That operates them. Okay. Many different companies make it all happen.


GRAHAM. Well, yes, there's a variety of different companies. So according to Rossetti, which sounds like a circus. It sounds like a circus family to me, the Rossettis.


CAROLE. It's a very, very common Italian surname. But anyway.


GRAHAM. Well, yeah, but this is a Russian energy company and they've called themselves Rossetti anyway. Maybe they have a sideline in electric vehicle chargers. Who knows? But according to them, they purchased the chargers in 2020 from another Russian company called Gazelprom. And what they hadn't realized at the time was that Gazelprom was actually sourcing all of its components from a Ukrainian company called Auto Enterprise. So another company provided all the bits, and all Gazelprom did was screw them together with a screwdriver and say, "Here you go, here's your electric charger." But they weren't actually responsible for the software or any of the technology inside.


CAROLE. Graham, that's how most of the world operates now.


GRAHAM. Well, yes, and that is why most of the world has a supply chain problem or security concerns about this. Because Auto Enterprise, the Ukrainian company which actually made all the bits, they had left a little backdoor in one of the components, which gave them remote access via the internet to the electric vehicle chargers. Now, I'm not saying they're the ones who planted the "Putin is a dickhead" messages on all of those Russian EV chargers. But it's certainly something worthy of investigation.


CAROLE. Again, though, I would say that happens much more regularly than maybe you're intimating because loads of people that build either code or some kind of service to fit into some other gizmo will want to have a backdoor so they can go in and fix their problems.


GRAHAM. That's right. And so if you're buying technology and components from other companies to build your device, you want to do your due diligence to make sure that you've got some kind of control over those in case your provider or supplier goes rogue and begins to interfere in a way which is perhaps suboptimal to your business.

Third-party pen testing, right, Jess?


JESSICA. Exactly. You need to check out these issues, supply chain issues.


GRAHAM. Or just stick to running circus tents. That's what Rossetti should do. They say they're going to reflash the EV chargers before bringing them back online again, but maybe they need to get the old lion tamer costume out again and do some of that instead.


CAROLE. And the dust bunnies roll on by.


JESSICA. Is that your official advice there Graham?


GRAHAM. My official advice, that is the best advice of all, is just get out of the energy. I mean, the thing is, there's not very much money in Russia at the moment anyway, is there? Because I read a story that, you know, the game Roblox, you know, kids are crazy about it. It's a bit like Minecraft on acid.

So there's an in-game currency called Robux. And apparently Robux has a better exchange rate right now with the US dollar than the Russian ruble. So you're better off having your money in Robux than in rubles. Jess, what have you got for us this week?


JESSICA. Well, I am talking about the messaging platform Telegram that has been hitting the headlines for all the wrong reasons recently. And this has been rumbling on for a while, but in February the BBC published an investigation of Telegram and it highlights a huge problem on the platform with groups sharing explicit images of women without their consent.

Oh God, I know. And so this is a really frustrating, infuriating, depressing story.


GRAHAM. Hang on. So this is groups of people. This isn't individuals who are just sending it from one to another. This is sort of like a group of maybe 20 or 100 or I don't know how many people.


JESSICA. This is tens of thousands.


GRAHAM. Oh, really? Yeah.


JESSICA. Oh, my goodness. It is a huge problem on the platform. And the BBC have done a really good job of unpicking it and telling some of the stories of the women and showing just the extent of the problem with Telegram.

So one woman who shares her story in this investigation describes how a nude photo of herself was shared, but not just the photo, also details of her social media accounts. So links through to her social media accounts and her phone number. So she is then contacted by men who seemingly think that she has posted the photo herself, even though it was obviously shared without her consent or her knowledge.


CAROLE. Was it obvious, though, from someone in the group? You're right. Yeah.


JESSICA. Yeah, I say obvious as in obvious as I'm describing it now, and the fact that she's in the investigation. But in the group, who knows? I don't know how it was presented.


GRAHAM. Hang on, hang on, hang on, hang on. If you're joining a group with hundreds of other men where they're sharing lots of photos, I think you're going to probably assume.


CAROLE. She's saying it doesn't look like it's her sharing the picture? It's obfuscated, no? Yeah.


JESSICA. That's what I read between the lines, that that is how it seems. So she basically shared this photo with one person, one other person. Right. Presumably someone she was in a relationship with. And then it turns up in this group.

And from what I read, it's not totally clear. There was an interview with her. It seems like the person who posted it basically was pretending to be her.


GRAHAM. Oh my goodness.


JESSICA. And kind of saying, here's my social media. Here's my phone number. So then people are contacting her, I say people, men, are contacting her saying, hey, can I have more photos? And making lots of other comments. And this photo is in a group with 18,000 members.


GRAHAM. Oh my gosh.


JESSICA. The BBC then uncovered just what a global problem this is, with such groups found in over 20 countries engaging in this image-based sexual abuse. And some cases actually involve women where either they or their families are basically being blackmailed to silence their activism.

Jesus. One woman from Azerbaijan, she claims that her husband shared an intimate video of them hiding his face, but showing hers, and basically then used that to threaten her family to try and silence her brother, who is an activist.


CAROLE. But why wouldn't the family just go, well, it's your wife, dude? Right. So, yeah. So, you know, shock horror. You guys have an intimate relationship.


GRAHAM. But I think it's really screwed up, isn't it.


JESSICA. You just wonder what on earth possesses someone to do that.


CAROLE. I can see so many even young adults being in a relationship for a few years with the man or the woman they're gonna marry for sure, and, you know, having a bit of fun with videos and snaps. And then it all ends horribly, and then someone goes and posts that picture for other guys to gawk at, with the Facebook, with the details to contact them. Yeah. It's revenge porn of the highest order.


GRAHAM. If they've got your social media details, it's not going to be that difficult for someone quite possibly to locate where you live and where you work and contact your relatives, all sorts.


JESSICA. I did a fair bit of digging into this this morning. There was one case where a woman, you're absolutely right, her address, one case where a woman's CV was uploaded alongside so many pictures of her and, you know, personal details, contact details.


CAROLE. I mean, it would kill your work if you had a LinkedIn link there.


GRAHAM. That would ruin the sex appeal, though, wouldn't it? Having a LinkedIn URL or a CV. Depends what you're into. That's a pretty weird fetish, to be honest.


JESSICA. And it depends what kind of LinkedIn posts, you know. Is it the, I get up at 4am and meditate? The secret to being a great professional.


GRAHAM. This is horrible.


JESSICA. It's horrendous. Luckily, our outrage is shared by, of course, many, many others. And actually I read a really interesting news article where the Serbian government and police have been cracking down on this, a particular group or groups in Serbia doing the same, sharing these non-consensual images.

And it seems like it came to the attention of law enforcement because people on social media were tweeting about it and posting about it. So some really active Twitter users with high follower counts highlighted these groups, and police investigations actually went from there.


CAROLE. So it turns out influencers really do own the cops. Yeah, it's true, right?


GRAHAM. If you were a member of one of these Telegram groups, it's pretty indefensible, isn't it? If your name is listed there as being an active user of that group. I don't know though.


CAROLE. Graham, it might be that you're there because you think women are going on there to share pictures. Like there's loads of those on Reddit. Like there's tons of groups.


JESSICA. And with OnlyFans, you know, there's loads of people on OnlyFans using it because they want to.


CAROLE. You don't know if it's the woman doing it or the woman's being basically slut-shamed.


GRAHAM. Is OnlyFans really that popular? I've got an account up there and no one has subscribed to my posts at all.

Really? No one?

No, absolutely no. Maybe I should promote it a bit more on the podcast. I don't know.


JESSICA. I read about a woman today who quit university because her OnlyFans was so popular. And the headline was that she was making like, I don't know, 90,000 pounds a month as a giant on OnlyFans.


GRAHAM. What do you mean as a giant? She's eight foot tall?


JESSICA. Yeah, yeah, she's definitely not a giant.


GRAHAM. Hang on, she pretends to be a giant? What? She stands next to Wendy houses or something? What does she do?


JESSICA. Well, it's actually even better. So it turns out most of the content that she was putting up probably wasn't popular because they were asking her to be a giant, but other things.

But there was at least one person who had a giant fetish and asked her for a picture of her as a giant. So she put her phone on the floor, angled it so that she was really tall, and then stood on a Lego figure which was meant to be the person requesting this.

Fun times, fun times, fun times. Very popular, making her a lot of money.


GRAHAM. So he mistook the Lego figure as a real person somehow?


JESSICA. I think sort of saw it as himself. I'm so sorry, Jess.


GRAHAM. He's just, you know. If I wanted to pretend to be a giant, I could just take a photo with my sort of just cropped off at the top.


CAROLE. We look forward to seeing it on Twitter. A picture of you on your OnlyFans, Graham. If you could just cross-pollinate that to Twitter, thanks.


GRAHAM. So this is really good. So what's Telegram doing about this?

Telegram, which, by the way, is a Russian messaging service, isn't it? But who knows if Telegram will still be available in the next few weeks, whether it'll be taken off app stores and the like.


JESSICA. This is a very good point. Oh, my cat has just come to join us. Can I just mute?


GRAHAM. Is it a giant cat? Can you hear roar?


JESSICA. I'm back. Sorry, minus the cat.

So Telegram could certainly be doing more about this. Obviously, they have a sort of libertarian ethos, so they are very light on moderation compared to many platforms.

They have taken some action on some of the groups, but really, it was basically when the BBC got in touch and said, we are the BBC doing an investigation into this, that they took some of the groups down. Before then, when the BBC was just doing their investigation and obviously posing as users, they were reporting a lot of this stuff.

They reported 100 of the images and basically all of them stayed.


CAROLE. Do you know a trick that a good friend of the show once used is to complain about copyright infringement as opposed to a sexual pornographic image being put up on your behalf? Because they fear liability like nobody else.


JESSICA. I have heard the same. And I just think, what kind of world are we living in?


CAROLE. Fucked up one, Jess.


JESSICA. When copyright liability is more powerful than "this is abusive."


GRAHAM. I might get a copyright symbol stamped on my buttock, maybe, tattooed on, just in case any of my pictures leak out.


JESSICA. I've got quite an image now, Graham. Quite an image.


GRAHAM. Carole, what is your story for us this week?


CAROLE. You know that saying, just because you're paranoid doesn't mean nobody's watching you? Oh, yeah.


GRAHAM. Yeah, I'm worried what you're going to tell us now, Carole.


CAROLE. Well, first we have to remember the Post Office scandal. Sure you remember that?


GRAHAM. Yeah.


CAROLE. And right now it's kind of preeminent because the inquiry is happening now. But for our listeners who don't know, I'm just going to give a tiny recap.

So between 2000 and 2014, the UK Post Office prosecuted hundreds of branch managers, an average of one a week, based on information from recently installed computer systems. And the problem was that the accounting software, which was called Horizon, turned out to be faulty in some cases, meaning that accounts were not adding up.

But of course, programs never make mistakes. And the big bosses basically believed the numbers.


GRAHAM. They believed the software, didn't they? And as I recall, lots of people who ran post offices, they were charged and accused of sort of embezzling funds and fraud and they protested their innocence.


CAROLE. Exactly right. So some people that had worked there for 40 years without a jot of trouble were suddenly being treated like criminals. So more than 700 branch managers were given criminal convictions when Horizon made it look as though money was missing from the post office.

Some went to prison following convictions for false accounting and theft. Many were financially ruined because they were taking their own money to try and make up the losses. Absolute scandal.

It has been described as one of the most widespread miscarriages of justice in UK history. So after 20 years, campaigners won a legal battle to have their cases reconsidered.

And Monday this week, we saw the Post Office scandal public inquiry kick off, where victims of the scandal will start giving evidence as part of a public inquiry on the Horizon scandal. Now, what's interesting is the Trades Union Congress, known as the TUC in the UK, the people in the know, we call it Tuck.


GRAHAM. No, we call it the TUC. We don't call it Tuck. We don't. We really don't.


CAROLE. I was just trying to get our American friends to. So they're using this public inquiry as an opportunity to discuss the increased surveillance tech that's being secreted into workplaces to monitor employees without their consent.

And by surveillance, I mean monitoring emails, files, webcams on work computers, tracking when and how much a worker is typing, calls being made, movements made by the worker with trackable devices. And we colloquially call this bossware.

Now, the TUC say workplace surveillance tech really took off during the pandemic as employers obviously transferred to remote forms of work. And we've talked about bossware before on the show.

And the TUC did a poll and found that the majority of workers, so they polled over 3,000 workers, and 60% said they thought they were being watched. Now, that in itself is a problem, right?

Because if your employer doesn't tell you that they are using some of this technology in order to monitor your workplace and you, you might get that "I'm being watched" feeling, but you might also put it down to your own paranoia because you haven't been told.


GRAHAM. It'd be horrible, wouldn't it?


JESSICA. If you don't know, and you might think you're being watched and you're not, or...


CAROLE. Maybe your boss comes on and goes, so cheese sandwiches, they're delicious. And you're like, how does she know I like cheese sandwiches?

So the TUC go on to say that the creeping role of AI and tech-driven workplace surveillance is now spreading beyond the gig economy. A way to look at this is surveillance has benefits because it'll have things like greater organizational efficiencies.

There are fewer disputes as well that can be unresolved because you'll be like, well, here, we're checking the tapes. We can prove that X happened as opposed to Y.

But there's some huge cost to employees that work in this environment. And at a time where people are reporting more anxiety, more stress, less faith in politics and technology, we may be heading for a kind of labor storm.


JESSICA. And what's tricky is, as I understand it, obviously the technology has moved way faster than the legislation. What's within the rights of an organization, especially as you say, when we're now in this place of more remote working, moving to more hybrid working, the technology is in people's homes.

If your webcam is being surveilled by your boss and you're working in a one-bedroom flat or a studio flat, then what does that mean?


CAROLE. And get this, I found this so scary. So the FT talked about this as well, and they reported about a swathe of new technology products that have come on the market in recent years, many of which promise to use artificial intelligence to manage, score, and monitor companies' employees.

So there's this company called Coworker.org. It's a worker organizing platform, and they've compiled a database of more than 550 products, and about 30% of these 550 products emerged between 2020 and 2021, while the rest were developed between 2018 and 2020.


GRAHAM. So, there must be a lot of demand for these. It's big money. A lot of people are jumping into the market.


JESSICA. And well, then you wonder, what technology is being produced? Is it being rushed out? What safeguards are being put in place? Is it being properly tested by your friendly security company?


CAROLE. Very well said, Jess, because they're referring to this as little tech, because a lot of these companies are tiny and the impact that they're having is much bigger than this little tech because they're growing at a clip. One would say unsustainable growth.

Now, the rationale for many of these products is to protect employees' health and safety, right? There are temperature checkers, for example, cameras that monitor whether workers are keeping two meters apart.

But others promise to measure productivity or maintain an employer's data security in a world where work has obviously shifted from the office to the house or the home. But there's so many of these products, guys. So one of them that they talk about in the FT, RemoteDesk for example, promises to help managers create an office-like environment through continuous webcam monitoring to ensure employees' identity and ensure productivity in a remote workspace. Holy crap!


GRAHAM. Aren't there better ways to measure whether someone is being productive? Looking at the work that they do.

Exactly. Isn't there something better rather than just watching people to see if they're picking their nose or whether they're playing with their cat or whatever or watching Jeremy Kyle on ITV? There must be better ways than this.


JESSICA. It's like the technology equivalent of a boss making sure that someone's doing busy work, like that they're at their desk or that they look like they're at their desk. You know, you leave your coat on the chair while you go for a two hour lunch.


CAROLE. Prepare to have a collective gasp here. OK, so they carry on saying webcam monitoring detects suspicious expressions, gestures or behavior of a remote agent and can, quote, capture eating and drinking and flag them as violations if food and drink at your desk is prohibited by company policy.

There's another product. Okay, it says it uses machine learning methods that detect employee deviance in retail stores. Like what? So they're hanging out with their buddies or what? Like using lipstick?


GRAHAM. But you can imagine if you were working in a retail store that there's a rule like you can't drink beer or something behind the till. You know, it's unprofessional and you should wait until you're on your break or something. And so they might be monitoring something like that.


JESSICA. Without telling their employees. And it's just such an odd phrase, isn't it? So undefined as to what they're looking for. What happened to just good old fashioned management? You know, create a nice environment, keep an eye on people, make sure people are okay.


CAROLE. You wouldn't want to work in a company like this, right? Like, I mean, I'm now, I have my own company. We all have our own companies now, don't we? So we have that kind of freedom, I guess, to say we wouldn't sign to this.

But do you think it might be worthwhile if someone was getting a new job, for example, if one of our listeners is about to go to a job interview, you know, when they go, and do you have any questions for us? Should they kind of go, yeah, I'd just like to know a little bit about what your company policy is on surveillance technology for health?


GRAHAM. That's going to wave so many red flags.


CAROLE. Well, no, but maybe you could word it properly, for health and safety reasons.


GRAHAM. Even so, I think people will just worry that if you're asking such a question, it will make people think, oh, clearly you're someone we do need to watch. We've obviously had incidents before.


JESSICA. It's so difficult, isn't it? I think I would be asking to look at the policies and try and understand.


CAROLE. It must be in the small print, right? Yeah. And this is the thing I was thinking because I've worked at a company where, you know, whatever you join, you sign the contract, you read it, you're like, yeah, yeah, yeah. But there's this clause in the contract that says, oh, by the way, this may be amended, this contract, in future, and you're agreeing to any future amendments. Literally.

And I actually put a bit of a stink about that, going, are you insane? But I ended up getting strong-armed to just sign it or get out. Wow. This was a long time ago, but I wonder if that's how they cover. So one thing you could do if you're an employee and you want to know, maybe go ask to see the current version of the contract, rather than relying on the printed out version you might have in your home folder.


GRAHAM. Wow. I've got maybe a slightly different view about this, because I'm thinking about how to monetize my OnlyFans account. Right. Should I, okay, I'm putting this out for not for you two maybe because I maybe I've decided you wouldn't be interested, but are there any listeners out there who would be interested in paying me 10 pounds a month in order to have a live stream of me at my desk from say 9 till 4:30 each day? Is that of interest?


CAROLE. Are you planning to stay at your desk the whole time and not go to the loo?


GRAHAM. I'm regularly going to wander off and, oh well.


CAROLE. Then no, I'm not interested. I want to see you squirm. I want to see you just suffer for those seven and a half hours.


JESSICA. Is there a no food and drink policy with Smashing Security?


GRAHAM. Definitely not. Definitely not. If you saw my desk, the crumbs, the detritus.


JESSICA. So is that part of the pitch? We'll get to see you.


GRAHAM. Exactly. There will be people who have a fetish, just as they may have a fetish for giant women, they will have a fetish for untidy desks, somewhat overweight, middle-aged men sat at a computer working. I'm just saying.


CAROLE. Yeah, you know, and I celebrate that because at least you're saying I'm happy to be surveilled. It's the secret surveillance, in my view, that's nasty business. I don't think employers, right? I think they should just be candid about their bossware if they must use it and say why.


GRAHAM. I probably would forget it was there.


CAROLE. I probably would. That's what your fans who want to watch you at your desk eating your cheese sandwich hope for. Exactly. That's part of the pitch. When you start nose picking and then they start taking screen grabs and then putting it on Telegram.


GRAHAM. Kolide sends employees important, timely and relevant security recommendations for Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com slash K-O-L-I-D-E.

Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required.

Try it out at smashingsecurity.com/kolide, that's smashingsecurity.com slash K-O-L-I-D-E, and thanks to Kolide for supporting the show. And welcome back.

And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.


JESSICA. Pick of the Week is


GRAHAM. the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE. It better not be. Last week's was.


GRAHAM. My pick of the week this week is not security related. Excellent. I'm a bit of a fan of some Miles Davis music. Some of it's a bit weird and crazy.


CAROLE. I'm shocked to hear that.


GRAHAM. Yeah, some of it's a bit nuts. Some of it is all right. Well, maybe you would like to listen to kindofbloop.com, which is where...


CAROLE. Kind of Bloop?


GRAHAM. Yeah, not Kind of Blue, which of course was a classic album in the 1950s from Miles Davis. Kind of Bloop is an 8-bit chiptune tribute to Miles Davis's legendary jazz album.


CAROLE. Oh my God.


GRAHAM. Which you can listen to track by track. In fact, why don't we listen to some of it right now?


CAROLE. Oh, I hate it. Yeah, I mean, I hear it, I hear the tracks, I hear the real tracks, but I think I prefer it on...


GRAHAM. Yes, but don't you appreciate the craft which has gone into creating this work? I mean, this is obviously a different type of work of art. It may not be better than the original, but I still think it's something to be admired.


CAROLE. Do you know what? Do you know where it would be amazing? It would be amazing in a kind of cool retro game. Right? In a jazz club.


GRAHAM. Now you're talking.


CAROLE. And this is going on in the background. Right? Like jazz craft.


JESSICA. Like jazz craft. Yeah. I could listen to a few seconds and then I feel a migraine threatening. I'm not going to lie. But the absolute genius of the name, I think it came from the name. They came up with Kind of Bloop and it went from there, is what I think.


CAROLE. And I love that they explain it as their strap line and a bit tribute to Miles Davis, Kind of Blue. Like anyone who listens to Miles Davis would be like, yes, thanks.


GRAHAM. Anyway, for some people, maybe this could be their entry point into Miles Davis. Maybe this will be the first Miles Davis you've ever heard. And then you will go and check out some of his original work and you will enjoy that as well.


JESSICA. Oh, that's a treat.


GRAHAM. I've turned it around now. Thank you very much. And so Kind of Bloop is my pick of the week. Jess, what's your pick of the week?


JESSICA. My pick of the week is Space Force Season 2. Have either of you seen Space Force?


CAROLE. Yes, I have. I have. I don't know if I've watched Season 2 yet, but I've definitely watched the first season.


JESSICA. So, season one. So, this is, Graham, I don't know if you've seen Space Force.


GRAHAM. I've seen a bit of series one. Yes, it's a comedy show, isn't it?


JESSICA. It is. It's a Netflix comedy, which I thought maybe, you know, we could all do with this week. It is starring Steve Carell and John Malkovich. And it's about a new branch of the US armed forces tasked with putting American boots on the moon in the next few years.

So season one got kind of tepid reviews. So you may have watched, as you said, Graham, you may have watched a bit of season one and maybe it didn't capture you.

Did it not capture you, Graham? You didn't like it.


GRAHAM. I wasn't crazy on it. It was all right.


JESSICA. I loved it.


CAROLE. Me too. I rather liked season one.


JESSICA. You have a sense of humor. I always felt like it had more potential, but I really liked it. Very lighthearted, great characters, a fun, quirky show.

And season two is where it really gets into its groove. It's kind of funny and silly. It's got a little bit more emotion to it this season.

And I would say if you're a fan of the American office, it's by the same creators and it is very much worth giving a go for something lighthearted. But the show is maybe not helping the PR efforts of the real US Space Force.

I don't know what they think of the show, but I did recently read an article on military.com.


CAROLE. Where you hang out normally?


JESSICA. Yeah, it's where I read it every day.


GRAHAM. Wasn't there some kind of legal dispute between the real Space Force and the Netflix show as to who owned the name?


JESSICA. I think there was. I mean, it's interesting. There's a new season of Space Force, so Netflix may have...


CAROLE. We know who won.


JESSICA. Yeah, maybe they


CAROLE. had talks and decided just to have a peaceful resolution about it all.


JESSICA. Maybe, maybe, but I don't know how they'll be feeling after this latest incident where a Space Force officer was at an airport with his spouse trying to prove that Space Force is a real unit, a real branch of the military to get a benefit. You know, a military benefit that the officer was due because they are in service.

And despite showing their ID, despite bringing up the official website on the internet, this member of the airline staff still thought like, well, no, this is just a Netflix show.


GRAHAM. Yes. You see, I never thought about that. That's a very good point, Jess.

It all ended well. A supervisor stepped in who obviously knew.


CAROLE. I read more news than I watch Netflix. I can help.


JESSICA. Exactly. And that's my pick of the week.


GRAHAM. Brilliant. Cool. Carole, what's your pick of the week?


CAROLE. Well, you know, we're all stressed, anxious, worried, right? So I'm going to suggest something to calm everybody down as much as you can.


GRAHAM. It's yoga. Calm the fuck down, everybody.


CAROLE. It's calm the fuck down yoga because I know a lot of people think yoga is just for hippie hipsters.


GRAHAM. Oh, I like yoga. I'm not a hippie hipster.


JESSICA. I love a bit of yoga.


CAROLE. Okay, well, there we go. So, see, three out of three, guys. So, listeners, join the club, right?

Even if you're a gym bunny or a sports player or whatever, make time for this. What do you guys like about it?


GRAHAM. I like lying down and having a good old sleep. I just like the stillness and not having to do very much, not very distracted.

I mean, seriously, I do. I like the serenity of it all.


CAROLE. So you're doing some yin yoga, I'm guessing. Most restorative and very, yeah.


GRAHAM. I don't know about yoga. I don't like having to do a lot of work with yoga. I like to take it easy.


JESSICA. I used to go to a yoga class in those days where I went to things in real life. And they would give you a blanket at the end.


CAROLE. Yes, when you have your shavasana, you get all cozy. Oh, lovely.

Those were the days. So I had to, you know, I've been doing yoga for years now, and I wanted to try YouTube videos because there are so many of them. But the problem is the sheer amount of choice makes it impossible to know where to start.


GRAHAM. There are cowboys doing yoga with ankle spurs.


CAROLE. But, you know, you'll get someone who's an Olympian gymnast doing a yoga sequence. And it's glorious to watch. But there's no way in heck that you could ever try and match that.


JESSICA. I have to say, though, a cowboy doing yoga, that's an OnlyFans that I think would be quite popular.


GRAHAM. There we go. That's what you need to do. I'll get the chaps on.


CAROLE. Exactly. Oh, my God. Crikey.

So in the – oh, God, stop it. I'm picturing everything you're saying.

In the show notes, I will put five vetted by me yoga channels. All of them have hundreds of different videos from all levels. Some of them have 30-day challenges.

So if you're just starting, they have some that are for people that are pregnant. They have some that have none with wrists.

So if you have a lot of RSI issues, you can do stuff without, you know, hurting your wrist. So basically, it's a great short list curated by me.

And I hope you enjoy it.


GRAHAM. And this is for anyone, isn't it? This is for man or woman, fat or thin. This is just, yeah.


CAROLE. The big trick about yoga is you do it with your breath. So if you actually can't breathe because you're huffing and puffing, you're doing too much.


GRAHAM. Oh, I thought you said breasts. Sorry.


CAROLE. No, breath. And nothing to do with boobs. Sorry, I just... Or movies that are brave.

Anyway, so the channels are all there. I'm just going to name them very quickly. So anyone who's sitting there and can't go look at the show notes, you have Yoga with Kassandra, Five Parks Yoga, Yoga Upload with Maris Aylward, and my personal current favorite, Two Birds Yoga.

So there you go. That is my pick of the week.


JESSICA. I love that. I find with yoga, sometimes I feel, oh I can't be bothered but I never regret doing yoga. I always feel better for it.


GRAHAM. There you go. Well we've brought a little bit of serenity to the end of this podcast and then we've just about wrapped up the show.

Jess I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


JESSICA. Oh, I would love people to do that. You can find me on Twitter at @drjessicabarker. Also check out the Cygenta website. You might want to have a look at our blog, cygenta.co.uk.

And if you want to find out about my book, Confident Cybersecurity, check out confidentcyber.com.


GRAHAM. Terrific. And you can follow us on Twitter at @SmashinSecurity, and we've also got a Smashing Security subreddit. And don't forget to make sure you never miss another episode. Follow Smashing Security in your favourite podcast apps, such as Apple Podcasts, Overcast, and Spotify.


CAROLE. And massive shout out to this episode's amazing sponsor, Kolide, and to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalogue of more than 264 episodes, check out smashingsecurity.com.


GRAHAM. Until next time, cheerio. Bye-bye. Bye. Bye. Okay so onlyfans.com create, is it called a channel? Let's see.


CAROLE. I thought you already had one, Cluley.


GRAHAM. Well I think it's time for me to create, I—


CAROLE. I have your logo already drawn. I've literally just drawn a Sharpie line across an A4 sheet so—


JESSICA. Don't forget the copyright symbol. Exactly, exactly. TM.

-- TRANSCRIPT ENDS --