A scam involving restaurant bookings at The Ritz is suitably sophisticated, the second wave of UK coronavirus testing apps, and we take a look at one of the biggest studies ever into the scourge of robocalls.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology correspondent Rory Cellan-Jones.
Visit https://www.smashingsecurity.com/192 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Rory Cellan-Jones.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Tech Tent podcast — BBC World Service.
- Sir Frederick Barclay releases footage of alleged Ritz bugging — The Guardian.
- Tea at the Ritz soured by credit card scammers — BBC News.
- Tweet from The Ritz London.
- Coronavirus: England's contact-tracing app gets green light for trial — BBC News.
- Coronavirus: England's contact tracing app trial gets under way — BBC News.
- A simple telephony honeypot received 1.5 million robocalls across 11 months — ZDNet.
- Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis — USENIX.
- Pick of the Week archive — Smashing Security.
- 13 Minutes to the Moon — BBC World Service.
- Borrasca — QCODE.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript +
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Hello, beautiful people. I just want to give a quick shout out to our scintillatingly incredible Patreon supporters. These are the people that help us make the show, and we are so grateful. This week, high tens go to Matt Cotton, William Sabados, Brian Berry, Justin Dale, Marcus Serraro, Christoph Goossens, Kylie Higginson, Tim Davis, MG Lee, and Jason Polk. Thank you all. You guys rock. If you want to join this amazing community of people, you know what to do. Visit smashingsecurity.com/patreon. Now let's get this show on the road.
GRAHAM CLULEY. If you remember the Queen Mother, how could anyone forget the Queen Mother? She used to go to the Ritz and her favorite song they'd play on the piano. Or can you guess what her favourite song was on the piano that she'd like to play there?
RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
GRAHAM CLULEY. It was actually The Ace of Spades by Motorhead. Sorry, Rory.
UNKNOWN. Smashing Security, episode 192: Ritz and Robocalls with Rory, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 192. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined this week by someone who's new to the show, but not new to our eyes and ears, because he is everywhere in the world of technology. And he has been for many, many years. It is the BBC's technology correspondent, Rory Cellan-Jones.
CAROLE THERIAULT. The illustrious Rory. Thank you for coming on the show. It's very exciting.
RORY CELLAN-JONES. You're making me feel old. Years and years.
GRAHAM CLULEY. So many years.
CAROLE THERIAULT. Graham just needs a companion.
RORY CELLAN-JONES. Yeah. Well, I have been talking to you, Graham, for years and years and years. You have been my go-to guy on cybersecurity.
GRAHAM CLULEY. Me and Alan Woodward.
RORY CELLAN-JONES. Yeah.
GRAHAM CLULEY. We have to get him on the show sometime.
RORY CELLAN-JONES. The prof. Yeah, he's a good guy.
GRAHAM CLULEY. So Rory, how's it all been treating you? How's it— what's it like being a technology correspondent in the era of a global pandemic? How's that changed your life?
RORY CELLAN-JONES. It's been extraordinary. We— I worked out the other day before I went for a short break at the beginning of August that we had done 18 consecutive editions of my weekly program Tech Tent in lockdown from my attic, which is where I am now, staring out. There's a cheeky fox that walks along the back wall from time to time, so there's plenty of entertainment here. Yeah, we've managed to make it work. I, like everybody, have spent most of the time on Zoom, which I'm beginning to curse. We seem to have more FaceTime, my colleagues and I, than we do in real life. I see more of them now than I ever do, and I'm bored with their kitchens.
CAROLE THERIAULT. Do you do video calls all the time, never audio?
RORY CELLAN-JONES. All the time. All the time.
CAROLE THERIAULT. That's— God, that means you have to shower every morning and everything.
RORY CELLAN-JONES. I'm not entirely sure that that's happening with some of my colleagues.
GRAHAM CLULEY. We'll name names later. Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, coming up on today's show, Graham will share a tip or two on how to avoid scams at fancy schmancy eateries. Rory gives us the latest on the UK COVID tracing app. And I share some US-based robocall research and explain why the legislation needs work. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. [MUSIC] [Speaker:GRAHAM CLULEY] Now, chums, chums, the Ritz in Piccadilly, London. Have you ever been there? One of the most prestigious hotels in the world. Have you, Griff?
CAROLE THERIAULT. I have. I was there once with someone much more senior than I in terms of corporate— not in terms of age, but in terms of seniority, when I worked in a corporation.
GRAHAM CLULEY. He took you out for a sandwich, did he?
CAROLE THERIAULT. He did, actually. Club sandwich. £18 it cost.
GRAHAM CLULEY. Rory, I imagine it's your regular.
RORY CELLAN-JONES. I'm just trying to work it out. I think I once went to a wedding lunch with some rather lovely American friends there. But I've been waiting for years to be taken for tea at the Ritz. Of course, The thing that happens at the Ritz these days is you get bugged, at least if you're the owner. There's been a huge row, isn't there, between the various wings of the Barclay brothers?
GRAHAM CLULEY. Yes. Yes, it's them who own it. They also own the Telegraph, don't they? But they've fallen out with each other.
RORY CELLAN-JONES. My advice is look in the plant pots, because there is almost always a bug there these days.
CAROLE THERIAULT. There's always an update in Private Eye on them.
RORY CELLAN-JONES. Yeah.
GRAHAM CLULEY. Well, it's quite swanky. I don't think I've ever been in the Ritz. I once tried to get into the Ritz, but I wasn't wearing a tie or was wearing the wrong trousers or something. It wasn't that you were shirtless.
CAROLE THERIAULT. List or something in London.
GRAHAM CLULEY. No, no, no, it wasn't that.
CAROLE THERIAULT. It's a bit hot outside.
GRAHAM CLULEY. It wasn't that I'd been eating a kebab late at night. I was sort of rolling down Piccadilly, so I'll go in there. No, it wasn't anything like that. But it's quite a swanky establishment. You shouldn't confuse it with Ritz crackers, right? Don't think that— it's completely different. I think there sometimes have been some—
CAROLE THERIAULT. They're pretty classy crackers, Ritz crackers.
GRAHAM CLULEY. I'm not so sure they are, actually, Carole. It's different from that. But most of us probably will never stay there. Some might, if they're really lucky, book tea at the Ritz, which Rory has just alluded to, for a special occasion. The Smashing Security Christmas party, for instance. Carole, are you in charge of that?
CAROLE THERIAULT. What, we can digitally go? Fantastic.
GRAHAM CLULEY. Maybe we'll be able to go for real, you know, if we take a hermetically sealed suit or something.
CAROLE THERIAULT. Oh, I doubt it. My brother-in-law said to me, Christmas is going to be the worst. Everyone's going to be indoors, they're going to not follow protocol, and everyone's going to be sick in January. That was our Sunday phone call.
GRAHAM CLULEY. Well, I suspect— charming— I suspect most of us around the world, they probably know it from that movie Notting Hill. Not that the Ritz is in Notting Hill, but Hugh Grant impresses Julia Roberts at the end of the movie at a press conference. She falls in love with him. He plays the wrong version of She. Why it isn't the Charles Aznavour version, I don't know, because that is one of the greatest songs of all time. The Elvis Costello version is clearly deficient. That's the version that they chose to play. Most of us know the Ritz from that. But what we've come to learn, and that thanks to a report I have to say on this on this newbie startup, this news organisation called the BBC Brewery. I don't know if you've heard of it. Yeah.
RORY CELLAN-JONES. A report by my colleague Chris Fox.
GRAHAM CLULEY. There you are, the wonderful Chris Fox. I'm never sure how many Xs he should have at the end of his name. It's up for debate.
RORY CELLAN-JONES. Sometimes he has two.
GRAHAM CLULEY. He has reported about a scam which is alarmingly convincing and has been targeting diners at the Ritz.
CAROLE THERIAULT. Okay, could it fool me, do you think?
GRAHAM CLULEY. Well, maybe. No, actually, you're very cynical, Crow, and you're very sceptical. Especially about your personal— That's very good description of me. Okay, let's be kinder. You're very careful about your personal information. You're the only person I know who actually reads privacy policies and terms and conditions.
CAROLE THERIAULT. I bet Rory does.
RORY CELLAN-JONES. No.
GRAHAM CLULEY. Who's got time for it?
RORY CELLAN-JONES. Exactly.
GRAHAM CLULEY. Well, what happened was this. So there are folks out there who are making bookings at the Ritz restaurant. You know, they're not put off by the tales of pot plants being bugged. And they're doing this online, or maybe they're doing it by phone. Of course, it gets popular at the Ritz. You may have to book it weeks and weeks in advance. You can't just show up like I tried to without a tie. And so you do it somewhere ahead. And then, a day or two before your booking, you get a phone call. Mm-hmm. From the Ritz reservations department.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And you know it's the Ritz reservations department, because they say it's the Ritz reservations department, right? And that's—
CAROLE THERIAULT. That would fool me. That'd be it. Yeah, well, it would. It would, because it's the day before your restaurant. You're expecting it, and fancy restaurants do that. So that's nothing out of the ordinary.
GRAHAM CLULEY. But even if, even if you were a little bit surprised that they were ringing you, you might check the number that they're ringing on. And what you find when you look at your mobile phone or whatever, caller ID, is that the number matches.
CAROLE THERIAULT. Interesting.
GRAHAM CLULEY. It is the Ritz. Mm-hmm. And they go further to make this call even more convincing. They confirm your restaurant booking details. You know, they say, Smashing Security, Christmas Eve, table 25,000, whatever it is that we've booked, you know, cheese sandwiches.
CAROLE THERIAULT. Everyone's RSVP'd. It's going to be amazing.
GRAHAM CLULEY. We're going to bring all the listeners. That's right, by the way, everybody, you're all invited.
RORY CELLAN-JONES. This sounds like Curmudgeon Mayo's cruise. Do you listen to Curmudgeon Mayo?
GRAHAM CLULEY. No. Are they having a cruise?
RORY CELLAN-JONES. They have a cruise every year, and their entire listenership gets invited. So you've been outdone.
CAROLE THERIAULT. Well, I don't know if I'd want to be on a cruise during a pandemic. It's not gone down well for many of them.
GRAHAM CLULEY. Hasn't Carnival just suffered a data breach as well? So maybe— it's quite an idea though. We could hire a pedalo or two, Carole, and get our listeners— bring the listeners of Tech Tent with us.
RORY CELLAN-JONES. Definitely.
GRAHAM CLULEY. So they confirm all those details, and you think, wow, this really is the Ritz. And then they say, look, "to make the booking, we just need to confirm some details.
CAROLE THERIAULT. We just need to confirm your credit card details." Yeah, you see, I might fall for that too, because that does happen, especially in fancy pants restaurants. They sometimes want like £100 down to make sure that you're going to show up.
GRAHAM CLULEY. Right. And you know, it's the Ritz, it's posh, and posh people obviously don't scam people.
CAROLE THERIAULT. £18 club sandwiches, right?
RORY CELLAN-JONES. Yeah. Posh people aren't going to bilk you, are they?
CAROLE THERIAULT. No. It had egg in it. What kind of club sandwich is that anyway?
GRAHAM CLULEY. Well, the scammers have now got your card details. And what do these scammers do, having stolen the credit card details from people who dine at the Ritz? They take those credit card details and they spend thousands of pounds with those credit card details at Argos.
RORY CELLAN-JONES. What? Argos?
CAROLE THERIAULT. Oh boy. The no-longer-catalogue catalogue company. Do you know that they've stopped their catalogue?
GRAHAM CLULEY. Have they stopped their catalogue, have they?
CAROLE THERIAULT. And I've read somewhere online you can find all their catalogues since 1974. Someone has put them all up, so you can actually go back and see what was available at the early days.
GRAHAM CLULEY. I think for our listeners overseas, we should explain what Argos is, because we had a certain reaction to that.
CAROLE THERIAULT. It's a bit like a less posh L.L.Bean.
GRAHAM CLULEY. I think it's more like communist Russia before the fall of the Iron Curtain.
CAROLE THERIAULT. Oh, stop it! That sounds racist.
GRAHAM CLULEY. No, it is, because you go to an Argos and you're told, "Please go to till A, B, or C," and you queue there.
RORY CELLAN-JONES. Yes, that's what you do at L.L.
CAROLE THERIAULT. Bean as well.
RORY CELLAN-JONES. Yeah, it's, it's a, it's, it's actually quite an innovative— I know what you're talking about. It's a bit, in a funny kind of way, a bit like Foyles Bookshop in a very different context. Many, many years ago, when you went to the venerable Foyles Bookshop on the Charing Cross Road, you, and you bought a book, you had to, you know, you couldn't just buy it. You had to go and go to till C and wait for somebody to handcraft it for you, virtually.
GRAHAM CLULEY. It's true, foils is an extraordinary experience. Anyway, as the BBC, as the venerable BBC reports, if the bank spotted that suspicious Argos transaction, thought, you don't normally spend £1,000 at Argos.
CAROLE THERIAULT. How many pools do you need, sir?
GRAHAM CLULEY. The scammer phones the victim up again, this time pretending to be from their bank. And what they do is they say, someone's just tried to use your credit card at Argos. 'We're gonna cancel the transaction. Can you just read out the security code?' Oh. 'Which you've just been sent on your mobile phone to make sure we're talking to the right person.' It's pretty sneaky. It's sneaky.
CAROLE THERIAULT. One thing I didn't get is how are these miscreants getting my phone number in the first place?
RORY CELLAN-JONES. That is the $64,000 question, isn't it?
CAROLE THERIAULT. Yeah.
RORY CELLAN-JONES. Because this data was presumably stored by the Ritz when people rang up and booked in the first place.
GRAHAM CLULEY. So who knows how the Ritz is storing that information? Are they putting it down on little pieces of paper and sticking it to the wall? Have they got an Excel spreadsheet? Have they got some properly authenticated and carefully password-protected database?
CAROLE THERIAULT. So seriously, you don't know?
RORY CELLAN-JONES. You don't know?
GRAHAM CLULEY. No, we don't know.
CAROLE THERIAULT. Oh, so you don't know? Okay, I didn't realise.
GRAHAM CLULEY. They have admitted that they know they've suffered some kind of data breach involving their reservations department.
CAROLE THERIAULT. Insider job, anyone?
GRAHAM CLULEY. Well, that's a possibility as well, isn't it? Well, it could be someone on the inside who could be doing it. Or so we don't really know. But it's, it's quite sneaky. Now, one of the potential victims of this told the BBC that this whole thing happened to them, but they were able to dumbfound the scammer. And the way in which they did it is they said they asked, they asked their caller specific questions about the hotel's facilities. Which the scammer wasn't able to answer.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So I don't know what they would have been. I don't know if they were deliberately trying to trip up the scammer or whether they were saying—
CAROLE THERIAULT. Please remind me how many toilets you have available on the first floor. And ice machines, those exist?
GRAHAM CLULEY. Is the loo paper double quilted or will I be using the neck of a swan?
CAROLE THERIAULT. Are the utensils actually silver or just silver-plated?
RORY CELLAN-JONES. Is it the 1927 Sauternes? Or the 1935?
CAROLE THERIAULT. I cannot have my chilled grapes with anything else.
GRAHAM CLULEY. Now, I went to the Ritz website trying to find out some trivia. Okay. So that I was ready in case I got one of these calls. There's not very interesting trivia. There is one about the Queen Mum. If you remember the Queen Mother, she used to regularly dine at the Ritz.
CAROLE THERIAULT. How could anyone forget the Queen Mother?
RORY CELLAN-JONES. My God.
GRAHAM CLULEY. Well, no, she used to go to the Ritz and her favourite song they'd play on the piano— Well, can you guess what her favourite song was on the piano that she'd like to play there?
RORY CELLAN-JONES. A Nightingale Sang in Berkeley Square?
GRAHAM CLULEY. It was actually the Ace of Spades by Motorhead. Sorry, Rory. Yes, it was a Nightingale sang in Berkeley Square. You're quite right. Anyway, so—
CAROLE THERIAULT. I can't even believe you know the Ace of Spades from Motorhead. Did your son introduce you to them?
GRAHAM CLULEY. What are you saying about me, Carole? It's Motorhead, John.
CAROLE THERIAULT. Graham seems outside your echo chamber.
GRAHAM CLULEY. So we are warning people, whether you are booking a lunch or a tea at the Ritz or anywhere else, be wary of calls where they ask you to confirm your credit card details or your account details.
CAROLE THERIAULT. Oh, thanks, Graham. That's really useful.
GRAHAM CLULEY. 'Watch out for caller ID.' Alright, don't be so sarcastic. No, but what are you supposed to do?
CAROLE THERIAULT. So say you have made a booking at one of these fancy restaurants and say they do call you to confirm.
RORY CELLAN-JONES. Yeah, but they're not going to ask you to confirm your credit card details, are they?
GRAHAM CLULEY. And the Ritz have confirmed that.
CAROLE THERIAULT. Well, that's happened to me. Okay.
GRAHAM CLULEY. The Ritz have said that they won't ask you to do that once you've given them to them. And furthermore, be aware that just because a phone call says it comes from a number, caller ID spoofing is very much within the capabilities of criminals.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. So, don't do it. And another piece of advice is, if you do get a scam call, hang up the phone and preferably use a different phone to then call your bank or whoever it is, using a number on their legitimate website or on the back of your bank card instead. Sometimes people have hung up the phone and then picked up the same phone, and they haven't realised they're still connected. To the bad guys.
CAROLE THERIAULT. What, the guy just changes his voice and goes, "Hello! This is your Barclays Bank!" Oh God.
GRAHAM CLULEY. Rory, what have you got for us this week?
RORY CELLAN-JONES. What I've got is the tortuous saga of the UK's attempts to lead the world in contact tracing via a Bluetooth app. So I first got involved in this. I got a phone call in late March from someone who I'll only describe as a very senior figure in the UK tech community. This person said to me, could I help this team? They seem to have some idea that I had to explain that eventually I was a journalist. I was very interested in the story, but I wasn't going to actually be part of the team anyway that was doing this incredibly secret and important mission that could save hundreds of thousands of lives. So I said, well, I'm not entirely sure that I'm going to be a consultant, which is what they wanted me to be. But I could be a journalist and you can tell me everything. And so I— they kind of put me in touch with the people doing this app. And then the saga unrolled, as we'll all remember over the months as the NHS in England, the digital division, NHSX, tried to create this app. And what has interested me about this in particular is the row over privacy and how that's gone. Because if you remember with this saga, they were originally going to build an app that was on what's called a centralized basis. There would be some data collected by the NHS centrally, not of your location, but of your contacts with other phones. Because the way this thing works, it uses the Bluetooth on your phone and it detects whether you're, in theory, within 2 meters of somebody else who's also running the app, and it stores that data. And then when one of, one of you reports that you've got the virus, the others get an alert saying, hey, you need to self-isolate.
GRAHAM CLULEY. Right.
RORY CELLAN-JONES. Very quickly, privacy campaigners here and around the world began to say, just a minute, this is very Big Brother. And eventually there was an alternative system produced by Google and Apple. They weren't producing apps, they produced an API, basically a toolkit for apps, but they had to be decentralized apps where the data would all be stored on the individual smartphones and the matching would only take place between the smartphones, nothing collected centrally. Um, and That is the path that just about everybody, including the NHS in England, has now gone down.
GRAHAM CLULEY. So the NHS in England now has an app which follows the Google and Apple model?
RORY CELLAN-JONES. Yeah, so we had this big crisis in June where, having said we're very confident in our centralized app, which didn't have the full cooperation of Apple in particular, which was key because making Bluetooth work in the background on phones is a bit of a nightmare. Apple weren't really being helpful. The NHS reckoned it had found a workaround. Then they announced in June it wasn't good enough, the workaround. So they were going back to the drawing board with a decentralized app, which would fit with Apple and Google. And all the privacy— this is what I find interesting— all the privacy campaigners said, ah, we told you, Show, you should have done that from the start.
GRAHAM CLULEY. I think we're guilty of that. I think we were saying that on the podcast.
CAROLE THERIAULT. Yeah, but we also watched Germany go through the exact similar paces about two months earlier.
RORY CELLAN-JONES. Exactly. Well, about a month earlier. So Germany had this huge debate. Obviously, Germany, incredibly privacy-focused, and went decentralized and got their app out. And now, just last week, we have got a decentralized app, which again, is being tested in the Isle of Wight and is sitting on my phone right here. I've had access to it.
GRAHAM CLULEY. Is there a problem in so much as they're testing it on the Isle of Wight? Because I've been to the Isle of Wight and most people— well, maybe this is an exaggeration— a lot of people who live on the Isle of Wight probably don't know how to install apps onto their phones because of their demographic.
RORY CELLAN-JONES. I think that's exaggerated.
CAROLE THERIAULT. Is Graham exaggerating?
RORY CELLAN-JONES. Yeah. The one thing they did pretty well with, frankly, is getting something like 50,000 out of— 55,000 out of 140,000 people downloading. Right.
GRAHAM CLULEY. A third pickup, yeah.
RORY CELLAN-JONES. Actually, as a percentage of the population, isn't too bad. And they're also going to be testing it in the London Borough of Newham, you know, a very dense inner city place separately. There are two big questions here. First of all, did we get too excited about privacy? Because there's a debate here. As this was rolling out, the very same people who were saying this is a real attack on privacy, this sort of centralized app, were also saying And why can't we be more like South Korea? Sometimes the very same people, they've done really well.
CAROLE THERIAULT. Oh, I know, I've heard that argument. I think it's insane. Yeah.
RORY CELLAN-JONES. And the point is that South Korea didn't use a Bluetooth contact tracing app. They used vast amounts of quite intrusive data. Every single credit card transaction, people's movements, your mortgage information, insurance information, everything. Yeah. And they, they then published it online. Citizen 1234 left his, left this building, went to this restaurant, did this, did that. Meanwhile, here in the UK, we were having this debate where we said we're worried about anonymized contact data being in the hands of the NHS, but at the very same time, we are being ordered to stay at home. We were having our freedom curtailed that way. So there was a bit of a debate there. And the other side of the debate is Who were the arbiters of what was allowed in the final analysis of these decentralized apps? Apple and Google. So Apple and Google ended up saying, hey, can you just use ours, please? Yeah, well, yeah, but also Apple and Google were deciding what the balance between privacy and public good should be. And the other huge question is Bluetooth contact tracing apps are a brilliant idea, but they're just an idea and nobody knows whether they work.
CAROLE THERIAULT. So I have, so I have one thing that I have to say. This virus is global and an NHS contact and trace app is very geographically decided, like many apps around the world, and that's kind of a problem. I kind of like the idea that Apple and Google, two competitors, got together to put something together that actually everyone could potentially use. Because when we start traveling again, it might be good to have that information and not have to kind of go, oh, what's your app do? My app, what's your app?
RORY CELLAN-JONES. Yeah, that still means that you've got to share a database, not of people's contacts, but of who's tested positive. Because otherwise, you know, if I go to Germany with my app and somebody I meet tests positive in Germany, how is that information going to get to my app and therefore me? Only if the UK and Germany share a database of people who've tested positive. So there are always potential privacy snafus.
GRAHAM CLULEY. I think you raise an interesting question here, which is about this balance between, you know, sure, yes, us privacy wonks, and you know, that's obviously the direction which I'm sort of coming from. We have a particular viewpoint, but at the same time, there's a pandemic going on, Graham, and lots of people are dying. And maybe you should give up something, just like you've given up some of your personal freedom. You're staying at home, you're not going out to the cinema, doing crazy things like that because of this to help other people. Maybe you should give a little bit away as well.
CAROLE THERIAULT. It's a bit different. Yeah, yeah.
RORY CELLAN-JONES. And can I come back to this thing of do these damn things work at all? Well, right, exactly. So Germany and Switzerland, a few weeks ago I got in touch with both of them to say, how's it going? Uh, and they basically said we haven't got a clue. They know how many people have downloaded, but they had no data, they said, because of the decentralized nature of the app on how many people had been alerted and then decided to go in quarantine because of this. The other point, though, is that for Germany, it didn't matter too much. The UK started down this path with absolutely zero in the way of contact tracing operations, manual contact tracing operations. So they got far too excited, the UK government, about the potential of technology. They were starry-eyed about it. We know that Matt Hancock built his own app a few years ago to some amusement. He was, you know, tap dancing on the table in Downing Street saying this app's going to change the world. And it was quite notable last week, not a peep out of him as the second version was released.
CAROLE THERIAULT. App?
RORY CELLAN-JONES. What app? What? What app? Yeah, yeah. So whereas Germany, Germany had a very efficient regionally based contact tracing system, manual contact tracing system, people ring you up in place. So this, it doesn't matter frankly if it doesn't work very well. It's an optional extra. It's a nice to have rather than a must have.
CAROLE THERIAULT. Do you know what the pickup of the app is in Germany? Like, is it like a third of the population or more?
RORY CELLAN-JONES. Last time I saw figures that was about 15, 16 million out of about 80 million. And that's the other thing. When this idea came forward originally, people said you're going to need 60% of the population for it to be worthwhile. I think they could work in very select and play a useful role in very select sort of areas. So people commuting into a city, if you've got lots of people who use the tube every day, because that's what it's doing. The only thing it does better than a human being is detect people that you don't know, frankly. You sit next to somebody on the bus. When you get the positive test a few days later, and they say, who were you sitting next to? I don't know. Whereas the app might be able to tell you. So if you could get discrete populations like that to do it, it could play a part. But I think there was a huge amount of tech utopianism, not just here, but around the world, about ways smartphones are going to be the solution to all of this, and they're really not.
GRAHAM CLULEY. I think it's a little bit more nuanced than purely the privacy brigade who are up in arms about the centralized approach. And for instance, one of the issues I had with the centralized approach was one of perception. You talk about the need for lots of people to install the app. If there was the perception that privacy wasn't being taken seriously, compared to maybe other countries, that would prevent people from doing it.
RORY CELLAN-JONES. That's a real chicken and egg thing though, isn't it? What you're saying is if privacy campaigners made enough fuss about it, that would put people off.
GRAHAM CLULEY. Hmm. I think the fact Dido Harding was running things was putting some people off, given her background as well. That seemed a very strange choice to me if they wanted to instill confidence.
RORY CELLAN-JONES. I think the interesting thing about Dido Harding is that My suspicion is that she came in to run this manual tracing operation, looked at this app and said, "What's that about? Why are we doing that?" I think she was the one that basically kiboshed it.
CAROLE THERIAULT. Ah, that's interesting.
GRAHAM CLULEY. Rory, Rory, was Dido the tech bigwig?
RORY CELLAN-JONES. No, no, she wasn't actually. Shucks.
GRAHAM CLULEY. I was trying to work it out.
CAROLE THERIAULT. That was subtle, Graham.
GRAHAM CLULEY. It was good.
RORY CELLAN-JONES. You're very subtle. I'm going to reveal all my sources are on this podcast, which is heard around the world by all the most influential people.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, well, we're going to the land of robocalls. We all hate them. I mean, everyone in the world must hate them. We're not as inundated by these as much as our US counterparts, are we? Like, it was bad a few years ago, maybe 5 years ago here. In the UK?
GRAHAM CLULEY. I don't think I've ever had a robocall.
RORY CELLAN-JONES. Oh really? I've had a zillion of them.
GRAHAM CLULEY. What do you mean by a robocall?
RORY CELLAN-JONES. Have you ever been in an accident that wasn't your fault, Graham?
GRAHAM CLULEY. Yes!
RORY CELLAN-JONES. Can I just briefly interrupt here to tell you this?
GRAHAM CLULEY. That's exactly it.
CAROLE THERIAULT. Do you have a Microsoft problem? You know?
RORY CELLAN-JONES. Oh yeah.
GRAHAM CLULEY. I don't get those. I don't get these calls.
CAROLE THERIAULT. You've never had them?
RORY CELLAN-JONES. I get them on my mobile, which is extraordinary. Yes. Because one's landline quickly becomes solely for spam calls. I did— I've got so— annoyed with the constant call from the robot saying, have you ever been in an accident that was not your fault? That once I played along and I started crying, I said, it was not my fault. And it cut. I think the machine exploded eventually.
CAROLE THERIAULT. Okay, so what advice do you give? Because these guys I'm going to talk about have done some research, and it'll just be interesting to know before I start, what kind of normal advice would you give to people? So say I called you up and said, I'm getting scourged by this this number keeps calling me, these people keep calling me, and they're selling me stuff.
GRAHAM CLULEY. Is there not a do not call list or something, which maybe I signed up for years and years ago? Or contact your phone provider and say, what's all this about?
CAROLE THERIAULT. Okay.
RORY CELLAN-JONES. You can get your calls screened. I mean, the serious side of this is I got an elderly relative who was scammed by some of these people, and we did then put a call screening system in front so that, you know, it would be a bit more difficult.
CAROLE THERIAULT. I used to, you know, block the numbers. You know, if his number kept calling, I'd block it.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And you'd, like, never answer one, right? Like, the idea was just do not answer because then what was it? It was like you're confirming that you're a real, live character.
GRAHAM CLULEY. The only people who regularly call me up are the Ritz reservations department. I'm very happy to deal with them.
RORY CELLAN-JONES. I did, Ben, some years, and it used to drive my wife up the wall. Deliberately stringing them along. I mean, not the robocalls, but the Microsoft service centers. And I did have a guy on the phone for 30 minutes with my Windows PC and then revealed that it was a Mac, actually. And he shouted at me, you've been wasting my time.
GRAHAM CLULEY. When I think of all the tech PRs who are probably trying to get the ear of Rory Cellan-Jones and all they had to do pretend to be a Microsoft support engineer.
CAROLE THERIAULT. Just try and scam them.
RORY CELLAN-JONES. Yes, exactly. That is the way.
CAROLE THERIAULT. So there's this paper by these researchers at North Carolina State University. They presented at a recent security conference last week. And this is apparently the first large-scale longitudinal analysis of unsolicited calls to basically a US honeypot. And the paper is called Who's Calling, link in the show notes, etc., etc. So they set up over 66,000 phone lines, right? Ran them for about 11 months. And this is starting March last year. So 11 months, 66,000 phone, active phone numbers. Okay, all of these were clean. I mean, like, they were never made public, the numbers were never made public by any source. How many calls do you think these guys received?
GRAHAM CLULEY. 66,000. So what, each, each one or altogether?
CAROLE THERIAULT. All together.
GRAHAM CLULEY. Over how long? How many months?
CAROLE THERIAULT. 11.
GRAHAM CLULEY. Oh, crumbs. Okay, I'm just gonna do some maths. I'm gonna say 5 million.
CAROLE THERIAULT. No, I think it's—
GRAHAM CLULEY. Have I ruined it? Yeah, it's okay.
CAROLE THERIAULT. I'm gonna say 5,000. It's quite funny.
RORY CELLAN-JONES. 27.
CAROLE THERIAULT. No, 1.48 million were raised.
GRAHAM CLULEY. Oh, wow. Oh, wow. Oh my goodness. That's much more than I—
RORY CELLAN-JONES. That's a big number.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. So my—
CAROLE THERIAULT. I was gonna end this piece by saying, yeah, not many calls per number. We're set to something like about 22 per phone number during that time. But I still think it's worthwhile research because there's some interesting findings, which I will share with you now. So they basically had these 66,000 phones and 3,000 randomly selected phones would answer calls while the other ones rejected calls. And from this, they were able to get 145,000 call recordings. And with that, they were able to kind of figure out how campaigns worked, what could be done about them. As you guys know, most robocalls are designed to be answered, right? And they normally last less than a minute, about 48 seconds I think was the average. And they're often focused on things like, at the moment actually, there's been a bit of a rise on health insurance and COVID tests, which is doing the robocalls in the States.
RORY CELLAN-JONES. Surprise, surprise.
CAROLE THERIAULT. Now, there are two types of call. This is a little quiz for you. The two types of calls, robocalls, that are not intended to be answered. Do you guys know what they are?
GRAHAM CLULEY. Not intended to be answered? Mm-hmm. Are they ones telling you to vote for a particular person, so they leave the message on your answer machine, or?
CAROLE THERIAULT. One is voicemail scam, but it works really interestingly, right? So the idea, basically, inject the recording into the voice box rather than trying to get the person to listen to it in real time. But this is how they do it. They will place two simultaneous calls to the target. So that the second call finds the line busy and is redirected to voicemail. And as soon as that second call is connected, first one is disconnected, often before it rings. So it doesn't get any further.
GRAHAM CLULEY. So why do they do that? Why do they want it to be a voicemail rather than a real one?
CAROLE THERIAULT. It may just be to get the message out or because they don't want to call back.
RORY CELLAN-JONES. At some stage, you might actually listen to your voicemail and take it more seriously.
GRAHAM CLULEY. Yes. Whereas a phone call arrives who knows what time and it's irritating because it's interrupting you. Whereas a voicemail, you choose when to listen to it, if at all.
CAROLE THERIAULT. Yeah, we actually— here's another possibility. It's similar to the wangiri scams. Have you heard that word? I had never heard of it. Okay, and so apparently it's from a Japanese word which basically means one ring, right? So effectively, they call a number once, hang up. Ah, so wangiri. Yeah, once I— I never heard the term before. So these calls are effectively free for the perp to make because the incomplete call attempts are not billable. However, the victim sees the missed call, and many victims will attempt to return the call and get charged at premium rates. So that may be what's happening with the voicemail scams as well. Call us back on this number, and it's a premium rate number.
GRAHAM CLULEY. So I, I think this may be the only kind of robocall I do get, because I do occasionally get calls from like Albania and bizarre countries which then hang up. And I would imagine some people would think, oh, someone called me.
CAROLE THERIAULT. Oh yeah, you're such an international super tech star, you're thinking, my God, that must be My friends, I might call them.
GRAHAM CLULEY. So I just block those numbers so they hopefully don't irritate me.
CAROLE THERIAULT. Right, yeah. Okay, interesting that you block the numbers. Interesting, interesting. Okay, so just a few highlights. Robo traffic came in surges. These storms, which basically were abnormally large number of unsolicited calls, were done in a day. And these occurred frequently. And I think we used to see that even with spam campaigns in the old days, right? You'd see this huge surge and then it would drop off. So short, it's like short burst, well-organized campaigns. But not all the calls during these storms were from robocallers. A significant chunk were from real people. And these, remember, these numbers were never given out. Can you think of how that would happen?
GRAHAM CLULEY. Are they starting at 00000 and working their way up or what?
CAROLE THERIAULT. No, the spammers are using some of their numbers as caller ID spoofing. Remember you were talking about that in your section? So they would steal the numbers from the honeypot, use them as a caller ID spoof. The person would then call back the honeypot to complain or to, you know, find out what was going on. Unbelievable.
GRAHAM CLULEY. Fascinating.
CAROLE THERIAULT. I know. When do you think robocallers are most active?
RORY CELLAN-JONES. Early evening.
CAROLE THERIAULT. They had a very definite pattern.
GRAHAM CLULEY. Yeah, when people are at home.
CAROLE THERIAULT. That's what I would have thought. And apparently they're just like us. They need to get the kids to have dinner and go to bed, and they have weekends off. So 90% of the unsolicited phone calls are made during weekdays. And 80% during local working hours. So that's why a lot of things are about students or the elderly, insurance. They think they're targeting the people that might be more vulnerable or financially, you know, less stable. Does answering a robocall mean you're likely to get more calls? So this is something that regulatory agencies recommend all the time, and these guys decided to find out. So the researchers declined every unsolicited robocall every unsolicited received call on 3,000 numbers for 6 weeks, and then they answered every single one for another 6 weeks. And answering the call didn't seem to impact the frequency of calls at all. Isn't that interesting? Because I've always thought that. I always thought, oh God, now I'm like, I've been had. You know, they've got me. They're going to share my number and say, live one here.
RORY CELLAN-JONES. But it shows they're dumb, doesn't it? Much better strategy.
CAROLE THERIAULT. It's like, why are you missing a trick here, dudes? Yeah. So they're pimping, uh, on these calls, they're pimping all kinds of, uh, stuff, but mostly was Social Security scams, Google search promotion services, which means they must be going after small businesses.
RORY CELLAN-JONES. What you really want to know from this, which they, they can't know, is, is what the, the rate of return is.
CAROLE THERIAULT. Yeah, totally.
RORY CELLAN-JONES. You know, what are the economics of it? Uh, obviously the, the robot makes a huge difference, but they must they need to do some A/B testing between robot and real person because the robot is much more economical, but presumably hardly anybody falls for it.
CAROLE THERIAULT. Yeah. Well, the clincher here, this is what I found most surprising. OK, so regulatory changes made by the FCC in 2017 authorized the telecom operators to block calls which seem to come from unassigned or unallocated or invalid phone numbers. And it also allowed providers to maintain a do-not-originate list to block calls from certain numbers. But these changes didn't address the scenarios where legitimate numbers were used to spoof the caller ID, or where the caller ID wasn't spoofed at all. And they go on to say that out of the 1.5 million calls they received to their honeypot, only 50,000 could have been outright blocked by providers. So 3% would have been blocked.
RORY CELLAN-JONES. So it's not working very well.
CAROLE THERIAULT. Yeah, and that's a real nightmare. It's like, to your point on your story, Rory, right? There's a bleeding pandemic on. This is the time where you really want, like contact and tracers really want people to answer the phone.
RORY CELLAN-JONES. Yeah, good point.
CAROLE THERIAULT. And it would be nice if we could trust that rather than going, I don't know this number, block, block, block.
GRAHAM CLULEY. These youngsters these days, they don't use the phone anyway, do they? I think most, more and more people are avoiding voice chatting and are preferring to WhatsApp or Facebook message.
CAROLE THERIAULT. Oh yeah, that's safe.
GRAHAM CLULEY. Well, I'm not saying they are.
CAROLE THERIAULT. You trust everything on those.
GRAHAM CLULEY. Isn't instant messaging what all the All the kids are doing these days?
RORY CELLAN-JONES. It is. I mean, seriously is.
CAROLE THERIAULT. This is a fun conversation. Tell me about the kids.
RORY CELLAN-JONES. Guys, we do need a analysis of what happens when contact races do call people up.
CAROLE THERIAULT. Yeah, totally.
RORY CELLAN-JONES. Whether people under 30 actually answer the phone at all.
CAROLE THERIAULT. Yeah, yeah.
GRAHAM CLULEY. Anyway, there you go.
CAROLE THERIAULT. So that's the latest on robocalls. It's quite an interesting paper. And there are links in the show notes if you want to read more about Hey, you IT security guys out there, I know that you have a tough job. If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass. They have the tools to make your life easier. Learn more at Smashing Security smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out. There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
RORY CELLAN-JONES. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my pick of the week is not— Well, some of it's security-related and some of it isn't.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. This is a very, very special pick of the week.
CAROLE THERIAULT. Oh, okay.
GRAHAM CLULEY. This is what I believe is known as a meta pick of the week, because this pick of the week is a pick of the week about pick of the week. We have had from time to time listeners say to us, have you got a list of all of your picks of the week? Because we remember you once spoke about a shoelace website and now we can't find out what episode that's in or whatever, or we can't find the link. Well, thanks to some of our glorious listeners, and I'm going to thank some of them now, John Bettinarty Ward, Nathan, Pale Skinny Swede, and Shahid.
CAROLE THERIAULT. You guys rock. Yeah.
GRAHAM CLULEY. They have helped us put together a pick of the week archive.
RORY CELLAN-JONES. Is it a wiki? A wiki picky?
GRAHAM CLULEY. It's not a— Oh, that would've been so good. Where were you when we were building this? We did it via GitHub in the end, but the link you can find at smashingsecurity.com/pickoftheweek, and we list all of our picks of the week with the links and to each individual episode. So if you want to find out if Carole was right when she accused me—
CAROLE THERIAULT. Yeah, I was just gonna say, you can now prove me right.
GRAHAM CLULEY. Yeah, no, I'm afraid I'm gonna prove you wrong. I have not repeated any of my picks of the week. They have all been unique. And we will be adding this week's Pick of the Week to smashingsecurity.com/pickoftheweek as well. So that is my Pick of the Week, which is all about Pick of the Week.
CAROLE THERIAULT. What an amazing community we've got.
GRAHAM CLULEY. They are fantastic.
CAROLE THERIAULT. Very cool.
GRAHAM CLULEY. Rory, what is your Pick of the Week?
RORY CELLAN-JONES. Well, I've done a last-minute swerve. I was going to choose a book. I'm now going to choose a podcast.
GRAHAM CLULEY. Is it a podcast you're on?
RORY CELLAN-JONES. Rory? It's not actually. Amazingly— do, by the way, get the Tech Tent podcast. It is like this but shorter. And I'm going to choose Series 2 of 13 Minutes to the Moon. Did either of you hear Series 1 of 13 Minutes to the Moon?
GRAHAM CLULEY. I did, yes.
RORY CELLAN-JONES. 13 Minutes to the Moon was an excellent podcast about Apollo 11. And it was, I think, 30 minutes was the time between the, the lunar module leaving the command module and it landing on the moon. And I'm so old, I do remember the landing on the moon. But Series 2 is actually better in my mind. It's about Apollo 13.
GRAHAM CLULEY. Oh, wow.
RORY CELLAN-JONES. And it is just a brilliant listen. So Apollo 13, the disastrous mission where they had an explosion halfway to the moon and then had to somehow save the ship and bring it home. You probably have seen the movie with Thom Hanks.
CAROLE THERIAULT. No, I can't stand Thom Hanks.
GRAHAM CLULEY. I'm not allowed to watch any movies with Thom Hanks in.
CAROLE THERIAULT. Wait, that's one thing Graham and I share, a dislike for Thom Hanks.
RORY CELLAN-JONES. Isn't that interesting?
GRAHAM CLULEY. Oh really? Yeah, yeah, and it's directed by Carl Sagan.
RORY CELLAN-JONES. I don't know that we could be friends anymore.
GRAHAM CLULEY. Oh, he's just— anyway, but I remember as a child, I'm not quite as old as you to remember the moon landing, but I do remember as a child listening to a radio documentary at school. They played us a radio documentary or something about the Apollo 30, and I have been gripped ever since. What an incredible story and what a perfect tale to tell in podcast form. So this will be really good.
RORY CELLAN-JONES. Yeah, and what's more, it's not just an incredible drama with brilliant access presented by a guy called Kevin Fong, who's not only a space nut, who's worked briefly at NASA as a medic— he's a medic who's involved in the fight against COVID-19. And rather interestingly, at the end he dedicates the whole series to people in the health service who've been fighting COVID-19. And that is because partly, it reads to me, this podcast, as a kind of manager, almost a management, a crisis management manual. They should be teaching it at Harvard Business School, because you get to hear about these extraordinary decisions that had to be made. I'm just going to give you one example. So The flight director is this legendary figure, Gene Kranz, I think. And he, you know, is the coolest dude you can imagine. The thing blows up and they're in total crisis. They're 2.5 hours into the crisis. He's got to make all these extraordinary decisions which will keep these guys alive. And he's coming to the end of his shift because they do not work work 24 hours a day, obviously, and somebody else is due to take over. So what does he do? Yeah, he lets the guy take over because he trusts him. Uh, and it's a real lesson about trust in a team. And you can't work if the guy in charge says, listen, I'm, I'm in charge solely, the rest of you just do what I say.
GRAHAM CLULEY. Yeah.
RORY CELLAN-JONES. So there are all sorts of lessons like that throughout, throughout the series.
GRAHAM CLULEY. It could also be that he just didn't want them dying on his watch and said, well, I do know—
RORY CELLAN-JONES. That is cruel. That is cruel.
GRAHAM CLULEY. This is a BBC podcast, isn't it?
RORY CELLAN-JONES. It does happen to be a BBC podcast, yeah.
GRAHAM CLULEY. There have been some incredible ones which have been coming out the BBC lately, so it's highly recommended. Excellent. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, mine is also a podcast, but for a different type of audience. Mine's an audio drama, and that's not something you like, Graham, but something that I do. So this One is brand new, or new-ish. It came out in May. That's fairly new. And it concluded in July. So all the episodes are out. And it's called Baraska. And it was a narrative podcast written by Rebecca Klingel and starring Cole Sprouse. So I'm just going to give you the gist. No spoilers, I promise, I promise. But basically, you've got this guy, Sam Walker, and his sister and his folks moved to this town called Driskin, Missouri. And there he befriends two kids called Kyle and Kimber, Sam's sister Whitney disappears a few months later. And, you know, he wonders what happens to her, but her dad just asserts that she's left. But then more girls seem to be disappearing, and the young trio take it upon themselves to find out what's going on in this strange mining town. And it's very cute, it's very spooky, it's got good dialogue and pace. It's a bit like Stranger Things, a bit, right? If you like that, this will be up your street. Um, so yes, it's like talking to myself.
GRAHAM CLULEY. Well, no, no, I'm— I don't know, I haven't heard it, I can't comment on it.
CAROLE THERIAULT. Uh, isn't that what we do every single show? Didn't you just do that with Rory's podcast?
RORY CELLAN-JONES. Well, I like Stranger Things, so I'm going to tune into this.
CAROLE THERIAULT. Excellent. I think you'll like it, Rory.
GRAHAM CLULEY. Well, no, I haven't seen Stranger Things either. Thom Hanks isn't even in that, as far as I know. I mean, it's not— by the way, I, I do watch the Toy Story movies. I'm all right with those for Thom Hanks's involvement. They're okay.
RORY CELLAN-JONES. Why?
CAROLE THERIAULT. Because you don't have to see his face.
GRAHAM CLULEY. And there was also that one of The Post. Did you see The Post?
RORY CELLAN-JONES. Oh, The Post is a great—
GRAHAM CLULEY. it was an excellent movie. And only halfway through did I realize, oh, that's Thom Hanks. Hanks, and I actually really enjoyed it. So there you are. So I'm not completely anti-Hanks.
CAROLE THERIAULT. Traitor. If you like the sound of Brasca, you can get it wherever you get your podcasts.
GRAHAM CLULEY. Cool. Well, that just about wraps it up for this week. Rory, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and indeed check out the Tech Tent podcast. What's the best way for folks to stalk you online and find out what up to?
RORY CELLAN-JONES. Well, I'm a Twitterholic. I've got a slightly unusual handle, @Ruskin147. You will find me there a lot. You'll find me on the BBC website, and if you Google Tech Tent, it goes out every Friday, but the podcast is available late afternoon Friday.
GRAHAM CLULEY. Marvelous. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And we also have a Reddit subreddit. Just look for Smashing Security up there. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
CAROLE THERIAULT. And socially distant hugs to you for listening, supporting the show, and sharing our work with your entourage. Also, high five to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
RORY CELLAN-JONES. Bye.
GRAHAM CLULEY. Marvellous. Thank you so much, Rory. That was wonderful.
RORY CELLAN-JONES. Now, is that okay?
GRAHAM CLULEY. That was terrific.
CAROLE THERIAULT. No, we have to go again, right from the beginning. I'm kidding. You were great.
-- TRANSCRIPT ENDS --