Facebook says it's sticking up for the little guys as it picks a fight with Apple, there are testing times on the trains, and Twitter takes a tip.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].
Visit https://www.smashingsecurity.com/227 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Ray [REDACTED].
Sponsored By:
- 1Password: Introduce your family to better online security and safer browsing habits with 1Password.
  - Share more than passwords — save logins, documents, credit cards, and more, accessible on all your devices.
  - Sharing is made simple. Keep personal logins private, and easily share access to what they need.
  - Recover 1Password access for family members so they never get locked out.
  - Find out more and try 1Password free for 14 days at 1Password.com
- OneLogin: According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
  - As a result, CISOs and IT executives have been under ever-increasing pressure - leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.
  - OneLogin's message? You're not alone. Attend their live event on Weds May 26, "Keeping the Mind Clear and the Company Secure" at smashingsecurity.com/oneloginiamokay
- Skiff: We store more personal information on our devices than we do in our homes. Where do you go online when you want to write or share something privately?
  - Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators - no one else, not even Skiff - can see what you've created.
  - Skiff is offering listeners of Smashing Security early access. Sign up now: skiff.org/smashing
Links:
- Train firm’s ‘worker bonus’ email is actually cybersecurity test — The Guardian.
- Anger Over Shocking Covid Bonus Stunt At West Midlands Trains — TSSA.
- Researcher calls out privacy flaw in Twitter’s new ‘Tip Jar’ donation feature — The Daily Swig.
- Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable — Wired.
- We Checked 250 iPhone Apps—This Is How They’re Tracking You — Wirecutter.
- 96% of US users opt out of app tracking in iOS 14.5, analytics find — Ars Technica.
- App Privacy Details on the App Store — Apple.
- What is App Tracking Transparency and how do you block app tracking? — MacWorld.
- Daily iOS 14.5 Opt-in Rate — Flurry.
- If an app asks to track your activity — Apple Support.
- Another Kind of Mind – A Different Kind of Beatles Podcast.
- One Sweet Dream podcast.
- The Pret Index: Pret Sandwich Sales Show Where U.K. Workers Are Returning to the Office — Bloomberg.
- Unframed : Intimacies, Félix Vallotton — YouTube.
- Unframed, a virtual reality series about Swiss painters.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. And he put it back in his bag and then he carried on with his class.
ROBOT. And we all looked at each other, just like slack-jawed, thinking, "This is the biggest moron I've ever met in my life." Smashing Security, Episode 227: Phishing Foul Up, Twitter Tip Jar, and Facebook's Apple Fury, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 227. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined this week by a returning guest. It's Ray [REDACTED]. Hello, Ray.
[Ray [REDACTED]]: Hello there. How are you today?
CAROLE THERIAULT. Hi, Ray. Bring some sunshine to our lives. I think Graham and I are a little bit, we're a little bit frazzled today.
[Ray [REDACTED]]: I don't know why. Oh, really?
CAROLE THERIAULT. Aren't we, Graham? Yeah.
GRAHAM CLULEY. Yeah, I feel that way a little bit.
CAROLE THERIAULT. Yeah. How about you, Ray? What's going on in your neck of the woods? You just filing your nails?
[Ray [REDACTED]]: No, not absolutely not. We are having a fantastic time. It's all optimism and hope and happiness here. And in the United States, everything seems to be dandy. This is the best week of the entire pandemic.
GRAHAM CLULEY. I heard there's a little trouble on the East Coast of the United States, something to do with oil or something. What's going on?
[Ray [REDACTED]]: Oh, yes. Oh, yes. I think one of the ransomware groups made a little bit of a boo-boo and accidentally picked the wrong target and is now trying to do a PR campaign to clean it up a little bit. And it's also causing ripple effects across the economy, including our petrol prices.
CAROLE THERIAULT. You guys don't even know what expensive petrol is.
[Ray [REDACTED]]: That's correct.
CAROLE THERIAULT. Yeah, so everyone's in shock and we're all sitting there going, yeah, welcome to the real world, dudes.
[Ray [REDACTED]]: Yeah, well, we like our cheap gas and we like to use that all the time, but it's surging to like $4 and $5 a gallon, which is not a liter, by the way, a gallon.
CAROLE THERIAULT. Let's thank this week's sponsors: 1Password, OneLogin, and Skiff. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, I've got a fantastic way of incentivizing your staff and making them really, really happy.
CAROLE THERIAULT. Okay, I can't wait to hear. And Ray, what about you?
[Ray [REDACTED]]: I've got a story about Paddington Bear and payments.
CAROLE THERIAULT. And I'm gonna welcome us all to the Apple anti-tracking revolution. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, life's been pretty hard. Hasn't it, under COVID? People are living under enormous anxiety and strain. Here in the UK at least, there is some sunlight beginning to dawn. Boris Johnson has told us that from next Monday, we are welcome to have casual sex and one-night stands once again.
CAROLE THERIAULT. He did not. He did not.
GRAHAM CLULEY. It's not just for him, Carole. He's saying that those rules now apply for everybody.
CAROLE THERIAULT. Has he been looking a little bit pent up? Has he been looking a little bit, you know, a little bit more awkward than normal?
[Ray [REDACTED]]: Do we count that as a jab?
CAROLE THERIAULT. I've had 12 jabs since Monday.
GRAHAM CLULEY. Steady. But yes, no, we're allowed to hang out at other people's houses overnight and hug and all these other things as well. But of course, you know, the serious side to these things: countless people have tragically died, businesses have been ruined, jobs lost. Some of us have managed to cling on to our jobs, but some of us may have found ourselves having to take on new responsibilities to cover for workmates who've left the company.
CAROLE THERIAULT. Sure, yeah, it's been a shit show.
GRAHAM CLULEY. Yeah, it has.
CAROLE THERIAULT. I know, I think we all know that, though. Just so you know, it's been a global pandemic.
GRAHAM CLULEY. Yeah, okay, we're all aware. I mean, there are ways of cheering ourselves up. One way I came across the other day was to stop referring to it as lockdown and start referring to it as Locky D. Lame. What do you mean lame? Lame. Locky D. Not to be confused with locker.d, of course, a ransomware attack. But yeah, you know, people have been providing services, not just the emergency services, public services, public transport, such as those who work on public transport, like the employees of the West Midlands Trains organisation here in the UK. Now, there we had a company which wanted to say thank you to its staff. And what's a great way of incentivising staff when they've been working hard?
[Ray [REDACTED]]: Oh, gifts!
GRAHAM CLULEY. Gifts! Bonuses!
[Ray [REDACTED]]: Moolah!
GRAHAM CLULEY. Wonga! Exactly! Moolah! Exactly! So, you can imagine how they felt when they received an email from their big, big boss.
CAROLE THERIAULT. Okay, I'm closing my eyes. Can you read it to us, right?
GRAHAM CLULEY. Of course I can.
CAROLE THERIAULT. Okay, I'm closing my eyes. I'm listening.
[Ray [REDACTED]]: Eyes closed.
CAROLE THERIAULT. I don't know why closed eyes helps with the radio, but anyway.
[Ray [REDACTED]]: Dear all.
GRAHAM CLULEY. Actually, this is the West Midlands, so maybe I should do a Brummie accent. Or will that be considered offensive? I'm not sure. For our Brummie listeners. Okay, I'll just do it as though I've got a blocked up nose. Dear Lul, thank you for your hard work. We realize that a huge strain was placed upon a large number of our workforce as a result of COVID-19.
CAROLE THERIAULT. Yeah, kind, kind.
GRAHAM CLULEY. Okay, they notice. Yeah, yeah, kind. This has not been easy for any of us. We would like to offer you a one-off payment to say thank you for all your hard work over the past 12 months.
CAROLE THERIAULT. Oh, what's it going to be, like £5 or something?
GRAHAM CLULEY. 'Please visit the following link with a personal message from Julian Edwards, as well as information on your one-off payment.' Who's Julian Edwards? He's the CEO. He's the boss, right, of West Midlands Trains.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. 'Again, many thanks for your hard work. Hope this gift will inspire you to keep up the good work.' A lovely, positive message to send out to staff.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And of course, people clicked on the link, didn't they?
CAROLE THERIAULT. Oh, I'm thinking actually, okay, so in my head, you know, with my security hat on, I'm thinking, okay, odd they didn't put the amount in the email, but maybe they're worried it's gonna leak out and it's different for different people. This sounds interesting. Let's go sneak around and see what's going on. I imagine I might do that.
[Ray [REDACTED]]: Sure.
GRAHAM CLULEY. Yeah, you would anticipate that maybe it'd be different amounts for different people depending on their length of service, or, you know, it could be. So maybe you have to enter your details when you get to this link. So of course, people clicked on the link, and because this is a cybersecurity-related podcast, you've probably already guessed.
CAROLE THERIAULT. Oh, don't give it away.
GRAHAM CLULEY. All was not quite as it seemed.
CAROLE THERIAULT. Oh no, what happened?
GRAHAM CLULEY. Because what happened next was they then got emails saying, "Dear [REDACTED]." Oh, what did I do? What did I do? Do you work for the West Midlands train system? I'm not sure.
[Ray [REDACTED]]: Not that I'm aware of, but I would have clicked the link just to see if I got more than the next guy.
CAROLE THERIAULT. Yeah, right.
GRAHAM CLULEY. So the email said, "I'm writing to you to update you on the outcome of the recent phishing simulation test performed by IT." Oh, damn.
CAROLE THERIAULT. That's nasty.
GRAHAM CLULEY. Basically saying, "You made a mistake. You were enticed into clicking on a link. It was the promise of thanks and financial reward which convinced you to provide your details." Do you know what my view is on this?
CAROLE THERIAULT. You know what I would reply?
GRAHAM CLULEY. What?
CAROLE THERIAULT. "Fuck you very much." That is what I would reply.
[Ray [REDACTED]]: You can't say that. You can't say that.
CAROLE THERIAULT. Yes, I can. I can. I am gonna say it again. "Fuck you very much." That's what I would reply to the boss, and I would walk the fuck outta there. After— oh, okay. I'm a little angry.
GRAHAM CLULEY. So obviously, they weren't actually giving money to people.
CAROLE THERIAULT. People's family have died!
GRAHAM CLULEY. And people are skint.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. And people have been having a really hard time, and they've been working maybe more hours than normal.
[Ray [REDACTED]]: Sure.
CAROLE THERIAULT. Stressed out to hell.
GRAHAM CLULEY. They had this prize dangled in front of them. Do you know what it reminds me of?
CAROLE THERIAULT. I know exactly what it reminds you of, Graham.
GRAHAM CLULEY. We used to work at a company, which we won't name here, but it's not hard to work out. And there had been a number of redundancies in our department, and we were quite upset. And then the new boss flew in to try and reassure us, and we were thinking, what have you done? You've got rid of all these people. We're going to have to do their work for them. You're a [MASKED]. You got rid of the wrong people.
CAROLE THERIAULT. We were all a little salty.
GRAHAM CLULEY. We were all a bit salty in the meeting room.
CAROLE THERIAULT. We were very salty.
GRAHAM CLULEY. And this boss stood at the front with his man bag, and he reached into his man bag and he said, I want to tell you something. He said, I want to tell you something. The other day, the CEO, he invited all of our senior managers into a room and he gave us all a prize. He said, he gave us all a brand new iPad. And this was in the days when getting an iPad was a big deal, right? Most people didn't have an iPad.
CAROLE THERIAULT. Huge, huge. They were brand new.
GRAHAM CLULEY. And he said, you know what I'm going to do? I'm gonna give each and every one of you— and I thought, oh my goodness, I thought he's gonna turn me too.
CAROLE THERIAULT. We were like, [MASKED] off, it's gonna be over.
GRAHAM CLULEY. He's gonna give each and every one of us an iPad, and then we won't care about the people who've left.
CAROLE THERIAULT. And it was right before Christmas. It was right before Christmas.
GRAHAM CLULEY. Yeah, but if you had an iPad, you thought, I can put that on eBay, this sounds awesome. You thought, I don't care about Tony and all the other people in the major— I don't care about them anymore, I'm getting iPad. So he carried on. "I'm gonna give each and every one of you a chance to win." And I think, "Oh, okay." He's only gonna offer us one iPad.
CAROLE THERIAULT. That makes sense. That's the way this works, yeah.
GRAHAM CLULEY. One iPad between 25 of us. But I still think I've got a chance. I've got a chance for an iPad.
CAROLE THERIAULT. I love that you were thinking about yourself, probably the highest-paid person in the department, other than the fucking VP. So, you know, yeah, let's go.
GRAHAM CLULEY. "I'm gonna give each and every one of you a chance to win this iPad." And then he said, this is no word of a lie, he said, only joking, I'm gonna give it to my kids.
CAROLE THERIAULT. And he put it back in his bag and then he carried on with his class.
GRAHAM CLULEY. And we all looked at each other just like slack-jawed thinking, this is the biggest moron I have ever met in my life. Why has he said this? Why did he dangle this opportunity in front of us and then just rip it away from us. Well, that is what West Midlands Trains have done. They've sent this email saying, we're going to give you something lovely, and then they said, nah, nah, nah, nah, nah, that was actually a phishing test. And I thought, what an amazing, extraordinary way to disincentivize your staff.
CAROLE THERIAULT. Thank you. So my reaction was perfectly appropriate in your mind?
GRAHAM CLULEY. I think you were absolutely right.
CAROLE THERIAULT. Ray, are you on board on the Carole train of responses on this one, or?
[Ray [REDACTED]]: Well, so, I mean, here's the deal. This concept, this idea about what kind of phishing simulations can you use, this is a very, very contentious debate on InfoSec Twitter. Like, this is all like going back to the GoDaddy days from last December. People have argued, is it— can you, for example, send an email saying, here's your COVID-19 results, okay, as a phishing exercise? Or in America, can you say that there's been a school shooting at your kid's school, right? Because people would immediately click those, right?
CAROLE THERIAULT. What?
GRAHAM CLULEY. What? No!
CAROLE THERIAULT. Who's debating this?
GRAHAM CLULEY. Can I echo what Carole's saying there? That is a definite and absolute no. No, you can never do that.
[Ray [REDACTED]]: But so the same thing, right? What happens is, and by the way, about two-thirds of InfoSec Twitter says no, you cannot do this. There are lines you cannot cross, right? Lisa Forte says, you know, we are the good guys and all phishing exercises need to be ethical and appropriate, period. There's no, you can't do anything like this. You can't take away people's iPads. You can't talk to them with an iPad, right? Lesley Carhart had pointed out that everybody thinks when they first get a phishing internal exercise, "Oh, I can get them, I can get them, I can get them." But that's a problem of the, the toxic culture of thinking the user is the weakest link. I mean, we're trying to educate people. Now, by the way, I would have fallen for the phish that you just mentioned. I would have totally fallen for it, 100%. Um, but we're trying to educate groups. And also, when something happens, you're gonna need these people to be on your side. You're gonna need them during an incident response. You don't want them hating you right out of the gate, which is what Lesley pointed out.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Absolutely. I completely agree. So I think the correct thing might have been to say, you have failed the phishing test or whatever, but you know what? We are actually going to give you a bonus. There should have been something like that.
CAROLE THERIAULT. Well, maybe they will now. There's a bit of a fuss being made on Smashing Security.
[Ray [REDACTED]]: Oh, they'll give them 5 quid. They'll give them 5 quid for sure.
CAROLE THERIAULT. Oh yeah, that, that, that's like the worst.
GRAHAM CLULEY. It's not just the podcast here, Carole, where we're creating a fuss. The Transport, Salaried and Staffs Association Union have described this as crass and reprehensible.
CAROLE THERIAULT. Yeah, I agree with them.
GRAHAM CLULEY. They've pointed out that one worker on the train system up there in the West Midlands has actually died from COVID-19. Others have fallen ill with the illness. They think it's cynical and shocking. They're almost threatening to go on strike.
CAROLE THERIAULT. Okay, pivot, pivot, pivot, pivot, pivot. Whoever in this department, the IT department, that okayed this phish simulation.
[Ray [REDACTED]]: It was an intern.
GRAHAM CLULEY. SolarWinds 123.
CAROLE THERIAULT. No, but that's gross. If it was an intern, shame on them, right? If it was an intern, shame on them.
[Ray [REDACTED]]: Blame the intern.
GRAHAM CLULEY. Well, the alternative point of view is, of course, these sort of crass techniques could be easily used by phishing people. I mean, maybe that is a more likely phish to receive than some bland one coming from—
CAROLE THERIAULT. Oh, you know what? Actually, this is a really good point. Maybe we should start simulating people showing up at people's doors with a gun. Right, just so that they know what it feels like. Yeah, yeah, let's just do it. Let's just do it randomly to everybody just so that they can feel what it's like to feel true terror in their bones, just so that when it really happens they know what to do. Good idea. I like—
[Ray [REDACTED]]: So I'm very surprised. I'm very surprised with a unionized workforce that nobody thought to talk to someone from the union beforehand, because you can really run afoul of unions and they can tend to hit back.
CAROLE THERIAULT. Yeah, well, I imagine they will. So, yeah.
GRAHAM CLULEY. Well, a spokesperson for the train company, they're basically not apologizing. They're saying this is just the sort of thing a criminal organization would have done. Thankfully, it was an exercise without the consequences of a real attack.
[Ray [REDACTED]]: And we take security very seriously.
GRAHAM CLULEY. They do. They do say they take security very seriously as well. Well, I can offer my, it's rather exclusive, to be honest. My patented way to never fall for any phishing tests run by your IT team. Are you ready for this?
CAROLE THERIAULT. What? Don't read email?
GRAHAM CLULEY. Exactly.
[Ray [REDACTED]]: Work for me.
GRAHAM CLULEY. I've watched you for years, Carole Theriault, using this technique of never opening emails, never responding to anything, never clicking on anything when you're asked to.
CAROLE THERIAULT. Unless you call me, I won't do it.
GRAHAM CLULEY. You wait for people to come around to your desk and say, for goodness' sake, why haven't you replied to an email? And go, oh really? What have I got to It's true. So Ray, Ray, what have you got for us this week?
[Ray [REDACTED]]: Okay, I want to talk to you a little bit about Twitter. So Twitter has a history of rolling out innovations and enhancements that the users were already using, right? So putting an @reply, the retweet, even the hashtag, these were things that the users were using and then Twitter kind of embraced them and made them part of the product, right?
CAROLE THERIAULT. And took credit. Yeah.
[Ray [REDACTED]]: Yeah, for sure, for sure. And along those same lines, uh, Twitter has just rolled out something that they call Twitter Tip Jar, which allows users to tip creators, uh, with a variety of payment options. You can do it over Bandcamp, Cash App, Patreon, PayPal, and Venmo. Okay. And what Twitter does is it basically facilitates the tip directly to the user, but Twitter's not taking a cut. It's not taking a percentage. It's just, it's just basically doing that link.
CAROLE THERIAULT. So, okay, can I make sure I understand? So like, you know, I'm a budding artist, right? So let's say I put out an art piece on Twitter with what, with a cash request, like saying, who wants to buy this thing?
[Ray [REDACTED]]: You just post your, your artwork or your poem or your joke, right? And people just decide they want to tip you a dollar or a quid or maybe $2 or whatever. It's very small micropayment, like a hat tip, for sure. And users were already doing this using tip bots and cryptocurrencies and even Dogecoin, by the way. This is the only use for Dogecoin, I think, uh, where you could just send people micropayments and just, it would just kind of go over, uh, to that. And also if somebody had a viral tweet that went mega viral, they would often put their Cash App address. Hey, listen, I'm a starving student, send this to here, or whatever, right? Okay, so Twitter rolls this out and they tie it to Bandcamp, Cash App, Patreon, PayPal, and Venmo. Okay, and just to give you an idea, Venmo has about 40 million users, Cash App has about 30 million, Patreon has about 6 million, and PayPal has 360 million. So PayPal's the winner.
GRAHAM CLULEY. I haven't heard of some of these. Obviously I've heard of PayPal and Patreon. Venmo, I've heard of Venmo. Venmo I've only recently heard of because I heard congressmen hire hookers or something from them.
[Ray [REDACTED]]: Correct, correct. That's the famous hooker one. And Bandcamp is to support musicians. Oh yes, like independent musicians and very, very popular. The best one, by the way, by far is Patreon. I encourage everybody to go to Patreon. It's a good way to support your favorite podcast. But anyway, um, okay, so back to this. So PayPal has 360 million users, okay?
CAROLE THERIAULT. Right.
[Ray [REDACTED]]: And PayPal is the Paddington Bear of payment services. Their heart might be in the right place, but they're constantly getting into trouble. They're always making security faux pas, so to speak, around things like multifactor authentication, data leakage, API abuse.
GRAHAM CLULEY. Leaving the taps on in the bath and it overflowing and going down the stairs, that kind of thing.
[Ray [REDACTED]]: Yeah. So PayPal was— is the largest one of all. And people that abuse PayPal know ways to basically harass people, get other people's accounts frozen and everything else. So Twitter announces that you can do this tip jar. And again, they're rolling it out so that the creators have it. Anyone can tip, but only certain people can receive tips, including creators, journalists, experts and nonprofit organizations. Okay.
GRAHAM CLULEY. Oh, so they haven't rolled out the ability to collect tips to every account at the moment is what you're saying?
[Ray [REDACTED]]: Correct.
GRAHAM CLULEY. It's just—
[Ray [REDACTED]]: Correct.
GRAHAM CLULEY. Special people, creative people.
[Ray [REDACTED]]: Correct.
GRAHAM CLULEY. Right.
[Ray [REDACTED]]: Okay. Within minutes of even hearing about this, uh, Rachel Tobac, who is the CEO of SocialProof, immediately found a flaw in the system, which is you can tip a complete stranger, and if you leave everything the default settings, which people just click, click, click, click, you get their physical home address. Their home address.
CAROLE THERIAULT. You're freaking kidding me. Oh my God.
GRAHAM CLULEY. This is by PayPal.
[Ray [REDACTED]]: Correct. And the reason that they do that is because by default PayPal thinks it's a product or a service.
GRAHAM CLULEY. Right.
[Ray [REDACTED]]: You have to have a mailing address or something like that. So, and then not long after that, a former FTC chief technologist named Ashkan Soltani found that you could also reveal their user's email address, even if no transaction took place whatsoever. Now, there is a way that you can hide this if you go in and change it from goods and services to friends and family. But just like everything else, you know, the vast majority of people aren't going to remember to do that. And is it really friends and family if I send Carole Theriault $2 for her beautiful artwork that I saw on Twitter? I'm not sure about that. So this blows up, okay? And where else does it blow up but on Twitter? And it sparks this huge debate with people like Brian Krebs and Marcus Hutchins, famous for the WannaCry fix, saying that there's a ton of ways that people can use fraudulent credit cards to harass or shut you down. So this has basically become a PR nightmare for PayPal. But Twitter, on the other hand, uh, takes the high road immediately and thanks Rachel Tobac and says, this is a good catch, we appreciate it. We can't control the revealing of the addresses on PayPal side, but we will add a warning for people giving tips on PayPal so that they are always aware of this. So this has been the— this has been the big controversy of this week.
CAROLE THERIAULT. The guru again snaps his fingers and it shall be. Interesting.
[Ray [REDACTED]]: A very tenuous connection to Paddington Bear, by the way. Very, very tenuous connection.
GRAHAM CLULEY. Yeah, nothing about marmalade sandwiches, sadly. Um, so let me understand what's happened right now. So by using this technique, people who were receiving tips would receive your address, but now Twitter is gonna give you some sort of warning that PayPal will pass on your address unless you mark this as a friends and family transaction. Is that right?
[Ray [REDACTED]]: Well, we don't know what PayPal is gonna do yet because typically when they fix issues, they do it silently. Like in the past when they, when there was a multifactor workaround, they just suddenly did it very quietly. But the problem is data leakage. It could be an email address, it could be a physical address. There are things you can do on disputes where by default, if you use a MasterCard on dispute, both parties can see each other's PII, right? So that's another, that's another kind of a hole that's there. So most likely PayPal will take some steps to adjust this because they want to be in the lead on the Twitter tip jar. So yeah, of course, um, but we don't know exactly what they will do. In the meantime, just like a packet of cigarettes, there'll be a big warning that says your data is being leaked or, or be aware of the fact of this, which nobody will probably read, and people will continue to leak their data.
GRAHAM CLULEY. So what worries me most about this is not people's addresses being leaked to people who they want to tip, but this other side of it, which you said that, uh, Krebs and Hutchins found, which was that you could actually find out someone's email address if you began to send them a tip but didn't go through with it. Is that right? Is that what was happening?
[Ray [REDACTED]]: Correct, correct. And you don't even have to send them anything. Yeah. And in addition to that, if they want to harass you without you knowing that they're doing it, they can take that email address and associate it with criminal activity, and PayPal will often just shut you down and suspend your account. Like, if they see your name in the dark web, that will happen like just pretty much without any trial or any kind of a jury.
CAROLE THERIAULT. You know, Ray, my takeaway from your story is, uh, don't use PayPal.
GRAHAM CLULEY. Yeah, get a Venmo account. Yeah, Matt Gaetz, I hate to break it to you, but PayPal owns Venmo.
CAROLE THERIAULT. Oh, oh my God.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, first a question. Do either of you think people today are aware of how insidiously they are tracked via devices, or do you think it's— I'm in— we're, you know, we're in our little echo chamber and we're talking to each other constantly about it and they don't really hear it at all?
GRAHAM CLULEY. Oh, no way.
[Ray [REDACTED]]: Nobody knows. No.
GRAHAM CLULEY. Yeah, most people have heard rumblings about it, but it's kind of, it's gone in one ear and out the other, I think, and people go, la la la, they kind of forget about it.
CAROLE THERIAULT. Should we— let's start off my little section actually with an activity. So if you guys get— you guys are both iPhone users? I don't give that information out publicly, but if you are, okay, can you check your iPhone? I want you to think of an app in your head, just an app that you use regularly. And I want you to go to the App Store, and I want you to search for it.
[Ray [REDACTED]]: Okay, got it. I'm gonna do PayPal.
CAROLE THERIAULT. Listeners, actually, you should be doing this too. If you're sitting there not doing anything dangerous like driving or, you know, I don't know, chopping something.
GRAHAM CLULEY. Can I just say that being a professional podcaster, my phone is turned off and I now have to wait about 2 minutes.
CAROLE THERIAULT. Oh, well, mine's not. I just put it on silent like a normal person. Okay, well, Graham, you let us know when you get there. Okay, have you found something?
[Ray [REDACTED]]: Oh, yes. I went to PayPal's because we're beating up on them today. Okay. And there is a list of things that they are collecting and linking to me. And probably about 6 of these I would not be expected. So purchases, locations, financial info, contact info. That's fine. User content, browsing history, search history, identifier. Why do they need any of that?
CAROLE THERIAULT. Yeah. Why do they need to know that you're going to the Candy Crush website all the time? I agree. So on any app page now on the iPhone App Store, you can scroll down inside an app description and you will find an app privacy section. And then in there, it's gonna be listed what kind of stuff is going on. And this is the result of a promise that Apple made about a year ago saying that it was gonna start taking privacy more seriously. iPhone, iPad, and Apple TV apps are now required to request users' permission to track users' activity for data collection and ad targeting purposes. In other words, they need to tell you and you need to say, yeah, I'm fine with that in order for apps to be able to collect that data. That's basically the shorthand of it.
[Ray [REDACTED]]: Is it all or nothing? Can I, can I give them a couple things and not the rest of them?
CAROLE THERIAULT. Well, you can, of course you can. Of course you can. So they're kind of giving you a bit more power as to what you, the user, as to what you're okay with and what you're not okay.
GRAHAM CLULEY. All right. [Ray [REDACTED]]: Oh, brilliant. Brilliant. That's perfect.
CAROLE THERIAULT. Now, some companies like Facebook are fuming. They say it'll radically impact their bottom line. They're so awash with cash, I very much doubt anyone working there knows what their bottom line actually is. But Facebook went so far as to take out a full-page newspaper ad. Maybe you saw this, one of you, Ray, maybe, claiming that the change would not just hurt Facebook, but would destroy small businesses around the world.
GRAHAM CLULEY. That's who they care about. They care about small business. [Ray [REDACTED]]: Small businesses. Small businesses. Yes, it's correct. They said every mom and pop, every mom and pop dry cleaner will be out of business if we can't slurp your data.
CAROLE THERIAULT. Exactly. So it started off with, we're standing up to Apple for small businesses everywhere, right? And it was like, you know, kind of FT style color pink background kind of thing to look really serious. No pictures, nobody sitting there making friends, none of that stuff they normally use. It was like a serious message. Now, shortly after, the Apple CEO Tim Cook attended a data privacy conference and he delivered a speech that harshly criticized Facebook's business model. And the thing is, the thing is, the worldwide global mobile advertising industry is worth $189 billion. So it's not chump change. Yeah, it's a lot of wonga, isn't it?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now, all this, all this is all revolving around changes that Apple made to its Identifier for Advertisers, what's called IDFA. That's the shorthand. And until now, apps have been able to rely on Apple's IDFA to track users for targeting and advertising purposes. So if Graham, for example, had done a few searches on cupcakes—
GRAHAM CLULEY. Just a few.
CAROLE THERIAULT. —flirting around on Facebook and going cupcakes, cupcakes, looking for cupcakes, and he might start seeing ads for cupcakes when he's on searching the web or in different apps. This has all happened since iOS 14.5 came out, so that's about a month ago. But there are 14 categories of data that Apple have stipulated that they need to alert to. Okay. Kind of complicated for the developers as well. They need to go through everything that they collect and go, is this a purchases or does this fit into contact info? Is this a search history or is this a location issue or is this financial?
GRAHAM CLULEY. So you are saying it's a bit of a nuisance for the app developers to categorize what exactly their apps are collecting, is that right? Or what? —what they're trying to do.
CAROLE THERIAULT. Well, they're certainly feeling the pain because until now they've had carte blanche. They've had nobody interfering at all. So they've paved the road with gold. And they were sitting there with their big straws, snarfling, snarfling, snarfling all your stuff. And no one was the wiser. [Ray [REDACTED]]: And if you think about it, Facebook was actually asking you if they could use Bluetooth. But they weren't telling you that they were using Bluetooth to see who you were around when you were using your credit card, which is not anonymized data. They can actually extrapolate that. And so now they knew where you were, whether you checked in, if there were other Facebook users nearby. I mean, it is a very slippery slope, right? And I don't even want to bring up the other stuff like Cambridge Analytica and all that, but yeah, 13 out of 14 on the— you said there's 14, right?
GRAHAM CLULEY. It's not about that. It's not about that. It's about the ma and pa laundrettes. It's about the little dry cleaners. Yeah, it's about the dry cleaners. It's not about— shush, shush, shush, shush. [Ray [REDACTED]]: So, Carole, my PayPal one, they want 13. They want 13 of the 14 categories. You see, the only one they don't want, the only one they don't want, is— or the one that they say data is not linked to you, they still probably want it. Data is not linked to you is diagnostics, which is the only one I would really want to give them.
CAROLE THERIAULT. Yeah, your phone diagnosis, we don't give a [MASKED]. We don't want to give it. Exactly.
GRAHAM CLULEY. Let it crash. We don't care about improving our app, making it less buggy. [Ray [REDACTED]]: So they have my contacts, they have my user content, they have my search history. I mean, I don't even want my wife to have my search history.
CAROLE THERIAULT. Yeah, by the end of this section, you may want to take it off your phone. So, so this is all app tracking transparency. That's how Apple is referring to this. Now, Thorin, an editor at The New York Times, he does product reviews for a site like Wirecutter. He looked into the app tracking disclosures of 250 iPhone apps. Okay, now these apps included the top apps of 2020, popular games, browsers, weather apps, streaming video apps, photography apps, Notes app, dating apps, shopping apps, news apps, health and fitness. So basically—
GRAHAM CLULEY. He sounds like a fun guy to have at a party. I agree.
CAROLE THERIAULT. I would love to have him at a party. I'd be— I'll sit next to him. I'll be like, tell me everything. I love privacy stuff. Do you read Ts and Cs too? Oh my God. Okay, so main findings, main findings, okay. Weather apps share tons of data about you. For sure. I don't think most people would assume that. They would just think it's gonna have my location 'cause it needs to know my location. Yeah, location. What other information do they collect about you? Why don't you just go on your phone, Graham, and just—
GRAHAM CLULEY. Oh, for God's sake, Carole, I turned it off again. I thought you were done with that. What's wrong with you? Well, I didn't know you were going to ask me again. Ray, can you look in your weather app? [Ray [REDACTED]]: Yes, I actually did know that about weather apps and fart apps. The apps that just generate fart noises, they also ask for a lot of data from you because they're free. They're free. Like F-A-R-T? Yeah, they're free. Oh yes, when the App Store first opened, they were all free. All the rage. You could make fart noises on your phone.
CAROLE THERIAULT. Have people lost the human ability to do it themselves, or—
GRAHAM CLULEY. Well, it's like, I don't need an app to make a fart noise. [Ray [REDACTED]]: Oh, you should have a whole folder of them. You need a whole folder. But they were free, okay? They were free and they didn't have ads. Yeah. And there's an old expression on the internet that if you're not paying for the product, you are the product, right? Right. So the fart apps were tracking everything. They wanted to know everything about where you were and everything, all of your taps and everything else. And actually, the Android versions of them, you know, in many cases were even like exfiltrating data as well, um, on that side.
CAROLE THERIAULT. So other ones that they said were shopping, exercising, moving news, and dating apps are also big into tracking. So what you can do, listeners, go check if you have those apps on your phone and see what they're taking from you. Um, other findings were that of the 250 of the apps that they looked at, 60% had a data used to track you label, basically having to have a label by Apple because they fit into one of those 14 data tracking categories that they've set out. Of those that were tracking you, most of them was for advertising, 70%. Is that surprising? Not at all to me. No. But 20% use contact info. And that really bugs me because if you think of the information, all the addresses you have in your phone, business friends, family, and that someone can just go in there and snuffle it up and know exactly who your contacts are is outrageous to me. [Ray [REDACTED]]: Well, the contact thing is particularly bad because the people that are in your contacts never gave their consent. Right! So like, if I have tons and tons of notes about them, like their children's names, kids' names and birthdays, and when we last met and all that other stuff, that other person never said, "Oh, you can give this to the weather app," right? I mean, that consent issue is a little bit fuzzy. And I mean, I've even had issues with Signal about this because Signal wants your full contact database as well as Clubhouse. I mean, almost every app that ever asked for contacts, I generally want to either give them dummy contacts or none.
CAROLE THERIAULT. Now, remember Facebook was making, throwing its toys out of the pram and putting out the ads and making big dramas about this whole new 14.5 app tracking?
GRAHAM CLULEY. If you mean they were sticking up for the little guy, Carole, yes, I do remember that. [Ray [REDACTED]]: Yes. They protest too much.
CAROLE THERIAULT. So do you guys want to guess how many people chose to opt out of tracking since the arrival and the adoption of 14.5, which was about a month ago? That's the— [Ray [REDACTED]]: Oh, it's got to be at least half. It's got to be half.
CAROLE THERIAULT. Half. I have worldwide data. This is from Flurry. This is owned by Verizon. Okay. So Flurry Analytics. So Graham, higher, lower?
GRAHAM CLULEY. Oh, I'm going to say a bit higher. Bit higher. Three-quarters. Than half? Yes. Yes. Okay. All right.
CAROLE THERIAULT. 87 out of 100 opted out worldwide and 96 out of 100 in the US. So only 4 people out of every 100 people said, I don't mind being tracked or have not said, yeah, yeah, I don't care. I don't wanna know.
GRAHAM CLULEY. Just go, let's go. Will no one care for the dry cleaners? Is it just Mark Zuckerberg who is standing up for them?
CAROLE THERIAULT. Now let's say you guys don't wanna be tracked, okay? You guys don't wanna be tracked. This is how you disable tracking on your iPhone or iPad.
GRAHAM CLULEY. Oh, tell me, tell me, how do I do it?
CAROLE THERIAULT. Now you can do a universal no tracking. Like for example, if you had a kid's phone or my phone, you might go, I don't want anyone to track me. I want them to, I don't even wanna know about it. So you can go to settings and you then scroll all the way down that ginormous list to privacy, which is in the section that starts with general and ends with privacy. And then scroll in there to the second one and it says tracking and little yellow icon. And then you can turn off allow apps to request to track. And what that means is it tells all apps, these people do not wanna be tracked anywhere anyhow, so don't even bother asking them. Don't even ask them. They don't wanna know.
GRAHAM CLULEY. It's not gonna happen.
CAROLE THERIAULT. This is my kind of thing. We talked about, I don't read email. I wouldn't want, you know, this is my kind of thing. Right. [Ray [REDACTED]]: I am curious about Facebook because I actually thought Facebook was making way too big of a deal about this and they should have just let it blow over. But hearing 96% of the people said, No, I could see why Facebook is in real, real trouble. And I would think Google would be upset too. I mean, their entire model is about tracking behaviors.
CAROLE THERIAULT. Yeah, it's about secretly snarfling incredible amounts of private user data is their business model. And boo [MASKED] hoo hoo that it's getting hit in the chops because they were taking advantage of an unwitting audience. I'm really pissed today. Yeah, yeah. [Ray [REDACTED]]: So the classic story on the iPhone was the apps that asked to access your pictures. Okay, you would think, oh yeah, I've got to give it access to my pictures because I might want to share a picture. You might be giving them access to all of your pictures rather than just—
CAROLE THERIAULT. in most cases you are. Yeah. [Ray [REDACTED]]: So most people would be like, then— so now I have noticed now you can say just the recent ones, or just the, just the current ones, or allow— ask me every time, which I think, ask me every time, is probably, as annoying as that might be, I think that's probably the right answer.
GRAHAM CLULEY. It would be good if you could say something like, just the ones which don't have people's faces in, or just selfies, or maybe, you know, other parts of your body. [Ray [REDACTED]]: None of the nudes. None of the nudes.
GRAHAM CLULEY. Exactly. Pixelate my pickle. End-to-end encryption isn't just for messengers. You use Signal to chat in private, but what about your documents? Skiff is the first collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you've created. Unlike Google Docs, Evernote, or Notion, no one else, not even Skiff, ever has access. Skiff is offering listeners of Smashing Security early access. Sign up for Skiff's beta at skiff.org/smashing. That's S-K-I-F-F dot org slash smashing.
CAROLE THERIAULT. According to the OneLogin I Am Okay mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic. In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected. And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone. Smashing Security listeners are invited to attend their live event on Wednesday, May 26th for free. It's called Keeping the Mind Clear and the Company Secure. Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show.
GRAHAM CLULEY. Introduce your family to better online security and safer browsing habits with 1Password. 1Password doesn't just make it easy and safe to share passwords with your loved ones. You can also save logins, documents, credit cards, and more. Sharing's made simple. Keep personal logins private and easily share access to what they need. And you can recover 1Password access for family members so they never get locked out. Find out more and try 1Password for free for 14 days at 1password.com. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. [Ray [REDACTED]]: Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. I love podcasts. No, really? And I—
CAROLE THERIAULT. yes, and he blows our mind every week, this man, I swear.
GRAHAM CLULEY. I listen to podcasts on different topics, and I was having a little look in my favorite podcast app, which is Overcast, and I noticed that I am subscribed to just under 30 different podcasts about the Beatles. What? Not all—
CAROLE THERIAULT. wait a minute, how That's impressive.
GRAHAM CLULEY. How do you do that? Now, if that seems crazy, if that seems crazy, I'm subscribed to 36 different Doctor Who podcasts. [Ray [REDACTED]]: That's too many. So—
CAROLE THERIAULT. But you probably listen to 3 of them, right?
GRAHAM CLULEY. Well, I— there are some which I would— some I listen to, like, religiously. It's like, oh, I've got to listen to that. Others I just like to have around. Some aren't active anymore, but, you know, there's quite a lot of them. I do love the Beatles, right? I'm obsessed with the Beatles, and there are 2 podcasts. I'm actually a bit confused because I think it started as one podcast and seems to have split up into two different podcasts. It has, uh, an overlap in the hosts. So I'm gonna, I'm gonna recommend both of them. There's a podcast called One Sweet Dream. Mm-hmm. [Ray [REDACTED]]: One Sweet Dream.
GRAHAM CLULEY. And another podcast called Another Kind of Mind. And they're very similar. I'm not really totally clear about the relationship. Hosted by Diana Erickson and Phoebe Lord. And they talk about Lennon and McCartney. McCartney in particular. And what makes these podcasts so interesting to me is that they're approaching the whole, uh, relationship between these two leading— obviously the two main songwriters in the Beatles— with a very different way from the way in which I've read many books in the past and many of the other podcasts I listen to as well. And the way they describe it is they say, look, we're approaching this from the viewpoint of some emotional intelligence. They're looking at what people say and what they do, but trying to understand how people may have responded to different things which were said. Thought-provoking and different podcasts— well, I say podcasts, a couple of podcasts. And I found it very interesting. I don't agree with everything, but I don't—
CAROLE THERIAULT. Can you tell us something you learned? Just give us something you learned.
GRAHAM CLULEY. Well, no, I can. I just don't know. It just may be a bit boring and go a bit too— There we go.
CAROLE THERIAULT. I think that we have our answer on this.
GRAHAM CLULEY. No, because you might need to go a little bit too deeply into the dynamic of the relationship to truly understand it. But fundamentally, what Lennon really needed was a big hug. These two podcasts do take a very different view on the Beatles from others I've listened to, and it's quite refreshing. So they're called One Sweet Dream and Another Kind of Mind, and don't slag them off till you've tried them out. I've been told. Okay. Ray, what's your pick of the week? [Ray [REDACTED]]: Well, you know, Graham and Carole, well, economists are always trying to figure out if there are unique indicators of an economy recovering, right? They look at things like diaper rash, because apparently diaper rash goes down when people are more confident in the economy because they change their kids' diapers more often rather than trying to stretch them. What we're really interested in for this particular topic is the UK and specifically London. How is it doing reopening? Now, before I tell you this about this index, I have to ask you this question as an American, because as Americans, when we go to London, we often go to this place, but none of us know how to say it correctly. Is it pronounced— all right, Pret-a-Manger?
GRAHAM CLULEY. Yes, yes it is. Yes, yes, you should definitely carry on. Okay, how do you say that? [Ray [REDACTED]]: How do you say that?
CAROLE THERIAULT. How do you pronounce that? It's Mange. Mange. I think yours is better. I like it. [Ray [REDACTED]]: Okay.
CAROLE THERIAULT. You know what it, do you wanna know what it means? 'Cause it means something. Sure. Prêt à manger is to eat, so it's ready to eat. [Ray [REDACTED]]: Ah, ready to eat, yeah. So Bloomberg has compiled an index that looks at ready to eat or prêt à manger and basically compares sandwich, croissant, and coffee sales prior to COVID beginning. Baseline was the week before the schools opened and then calculates a percentage towards recovery of each area of London that you can actually see how people are recovering and how often are they going to Pret à Manger, right? Yeah, I love it. Now, this is not a perfect way to judge it. It's great. But you can look at things like the suburbs. You can look at Yorkshire versus London City or Manchester or whatever those are and see how many people are recovering and going back to the Pret à Manger. And the airports seems to be the last place that people go. No, the airports are, are, are sagging quite a bit.
CAROLE THERIAULT. Yeah, the sandwiches are going to be 4 days old, so be like— [Ray [REDACTED]]: well, fair enough. They don't actually say what they're ordering or whatever, but the London suburbs is almost 86% now. So that is— that means that a lot of people are venturing out, and a lot of those people are venturing out and getting coffee and croissants. So that is the prêt-à-manger, or if you're American, prêt-à-manger index. And by watching it over time, you can see London getting back to normality.
GRAHAM CLULEY. And you said, you said that Yorkshire was top of the list, is that right? [Ray [REDACTED]]: I said Yorkshire, didn't I say Yorkshire?
CAROLE THERIAULT. Yes, of course you did. Of course you did. [Ray [REDACTED]]: I get to pronounce things, I get to mispronounce things as much as I want.
CAROLE THERIAULT. You can do whatever you want, Ray, you're gorgeous.
GRAHAM CLULEY. Yeah, you're fine, you're fine. [Ray [REDACTED]]: Okay, I'll talk about Edinburgh. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay, I'm going to give you a little culture. So my pick of the week, I have to introduce you to one of my favorite artists first. So this is Félix Vallotton. Okay, there's another French name for you. Well, Swiss name. He was born mid-19th century, and he's basically considered the innovator of woodcut. Okay, this is where you kind of like cut wood and make an image, kind of like lino cuts, that kind of thing. He made over 120 of these woodcuts through his career, but he is said to have felt he achieved perfection in terms of woodcuts when he did this one series called Intimités, or intimacies.
GRAHAM CLULEY. Oh, are these sort of like pervy woodcuts?
CAROLE THERIAULT. Well, you're going to see them in a second, so you'll be able to tell me. So there are 10 prints illustrating the age-old power struggle between men and women. And once he did these, he moved on to painting after this. He was just like, I've hit the Mecca. I'm like, I'm now the Shangri-La of woodcut. And now I don't need to do it anymore. I'm gonna become a painter. And if you get a chance to check out his paintings, I've put links in the show notes. I think they're beautiful and amazing. So I was doing some online research on this guy, and I came across this app called Unframed VR. Now they've developed an experience where viewers can be immersed into a work of art. What? Yeah, so you're gonna see this in a second. So they've done a number of these different artists, but they've also done one on Félix Vallotton's intimacy woodcuts. And I'm going to just show you what it is. This is on YouTube. Now it's a video. I'm starting you in 32 seconds because it's obviously really slow and sensuous. Guess, right? We don't have a lot of time for that stuff on this show. So here's the link. Now, what's cool about it is if you guys watch this, click on the link, and if you watch it, you can actually scan around like you're kind of in the middle of the, of the work. Oh yeah. And you can start spinning it around you and looking up and down so that you can see the line of cuts from it. You know, the wood cuts from totally different perspective. Oh, wow. You're completely immersed. It's kind of cool, huh? [Ray [REDACTED]]: Let me put on my Oculus. So let me put on my Oculus. Hold on, hold on a second. Let me put on my Oculus. Tracing my curves. It's in motion too. It's moving as well. Yeah.
CAROLE THERIAULT. As gently as your hands on my body.
GRAHAM CLULEY. Here I'm immersed so I can move around inside. I am properly immersed in the woodcut. I've got wood. Oh God. Philistine. No, it is lovely. It looks lovely.
CAROLE THERIAULT. So you can see it on YouTube first if you want to take a look at it. But the app is called Unframed VR, and this is a way that you can experience artworks in a brand new way. And it's quite exciting. So yeah, that's my pick of the week.
GRAHAM CLULEY. Awesome. Fantastic. Marvelous. Well, that just about wraps it up for this week. Ray, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that? Chat? [Ray [REDACTED]]: Well, they can find me on Twitter by going to @Ray [REDACTED]. I just recently joined Darknet Diaries as well.
GRAHAM CLULEY. Oh, cool. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G, and also on the Smashing Security subreddit. And don't forget, if you want to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Overcast, Spotify, and Google Podcasts.
CAROLE THERIAULT. Thanks to this episode's sponsors, 1Password, Ransomware, Skiff, and OneLogin, and to our wonderful Patreon community. It's thanks to them all that this show is free. Episode show notes, sponsorship information, guest list, and the entire back catalog of more than 226 episodes. Check out smashingsecurity.com.
GRAHAM CLULEY. Until next time. Cheerio. Bye-bye.
CAROLE THERIAULT. Bye-bye. [Ray [REDACTED]]: Bye-bye.
CAROLE THERIAULT. Hey, Carole Theriault here. So just to highlight a few new reviews that came in. Huge thank you to Pater Furfur, who wrote, interesting topics, brilliant guests, witty humor, a must-listen since the beginnings in 2016. Greeting from Germany. Well, greetings from the UK and thank you. And also from Mr. Ergo, changing the world for the better with a laugh. It mostly only takes a few seconds until my first laugh. I'm fairly new to the podcast and I'm already addicted to the show. They've managed to give you the latest updates but keep it light and understandable for non-security professionals. And they are just hilarious with each other. Well, it's called bickertainment, right? And we're masters at it. Thank you guys for these and all the other reviews we got. And please keep them coming. They just make the show so much more fun to do. Plus, I get to do this little segment, which I kinda like. See you guys next week.
-- TRANSCRIPT ENDS --