
161: Love, lucky dips, and 23andMe


The man who hacked the UK National Lottery didn't end up a winner, Japanese Love hotel booking tool suffers a data breach, and just what is 23andMe planning to do with your DNA?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Visit https://www.smashingsecurity.com/161 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Thom Langford.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. The question I wonder throughout the series is whether the Messiah figure is a con artist or not, right? And they play on it, like they revealed that when he was a boy, he entertained people with magic on the streets.


GRAHAM CLULEY. As I remember, in one of the parables, Jesus does saw a woman in half. That was one of the tricks he pulled off in the New Testament.


THOM LANGFORD. Did he then get one of those big hula hoops, run it round her?


UNKNOWN. Smashing Security, episode 161. Love, Lucky Dips, and 23andMe with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 161. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole.


CAROLE THERIAULT. Hi, Graham.


GRAHAM CLULEY. Strange. And we're joined today by a special guest. We have someone who's never been on the show before, shockingly enough. It is Thom Langford. Hello, Thom.


THOM LANGFORD. Well, hello. It's funny you should say never been on the show before because I'm really pleased to be on this enormous inaugural episode, I have to say. So, so honored to be on this very first Graham Cluley Smashing Security. Carole— I can't even pronounce her surname. You know, to be on the very first one. Theriault.


CAROLE THERIAULT. Yes, like Ontario without the O-N, you see.


THOM LANGFORD. Got you. But yeah, to be on the very first one is such an honor and privilege.


GRAHAM CLULEY. Now, Thom, I'm sure lots of people do know who you are, but for those people who don't, Who are you? Why should we care? And is it true you're the sole founder of Host Unknown?


THOM LANGFORD. Well, let me answer those in reverse order. Yes, I am the sole founder of Host Unknown. There is only one. You can ask all three of us and we all agree. And who I am, I'm ex-CISO. It's a bit like when people leave the army, they like to retain their titles, you know, because it makes—


GRAHAM CLULEY. You're like a Vietnam vet.


THOM LANGFORD. Yeah, exactly. It makes them feel self-important. You know, I've left the army 20 years ago, but you can call me Colonel.


CAROLE THERIAULT. I work 3 hours a day now, but I used to really work hard.


THOM LANGFORD. Yeah, that's right. That's right. So, so I used to work hard. I'm rather proud of the fact that I managed to double the average tenure of a CISO by staying there for just over 4 years. But the last year I set up by myself, own consultancy, blah, blah, blah, TL2 Security, been doing that this last year. It's been more fun and harder work than I expected. And I'm looking forward to another year of it, to be honest with you.


CAROLE THERIAULT. Huzzah!


GRAHAM CLULEY. Fantastic. Carole, what is coming up on today's show?


CAROLE THERIAULT. Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, on today's show, Graham tells us how a National Lottery hacker got his just desserts. Thom is visiting the shadier, and dare I say, seedier side of the Japanese love hotel business. And I'm going to coin a new buzzword, DNA mining. Let's see if it sticks. All this and oh, so much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I think all of us from time to time have had a little dream, haven't we? We've thought, wouldn't it be wonderful to be a millionaire? Oh, it'd be fantastic. Imagine the bling, the fast cars, the loose women, the pedalos in the south of France. Wouldn't you enjoy that? It'd be terrific.


CAROLE THERIAULT. I have never been driven by that, actually, I don't think.


THOM LANGFORD. What, by pedalo?


CAROLE THERIAULT. I love a pedalo, but I don't think I need to be a millionaire to have one or to use one, right?


GRAHAM CLULEY. In the south of France with loose women and fast cars and blue and gold. Not interested. Not interested in that.


THOM LANGFORD. Yeah, you can get that TV show anywhere anyway.


GRAHAM CLULEY. Well, lots of people, lots of people would like to achieve it. And if we wanted to, let's just imagine, Carole, just imagine for the purposes of a podcast, which is what we're putting together today, that we did want to be millionaires. And let's decide that the way in which we're going to do it, the three of us, of us are going to hack into a website.


CAROLE THERIAULT. You, me, and Thom. All right.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Excellent.


THOM LANGFORD. Okay, good. Good luck with that.


CAROLE THERIAULT. Yeah.


THOM LANGFORD. Certainly with me on your team.


GRAHAM CLULEY. I'll be—


CAROLE THERIAULT. yeah, I'm on team duty.


GRAHAM CLULEY. Now, some people say it's not that hard to crack into a website because lots of people use the same passwords, right? If you grab a username and password from one data breach, you can then apply that to unlock accounts on other websites, right? Simple technique. You don't have to be a mastermind, Carole. Good news.


CAROLE THERIAULT. Many people don't even have passwords in place. So, you know, there's that.


THOM LANGFORD. I think even I could hire somebody to do that for me.


GRAHAM CLULEY. Now, that's all very well, but what happens if you don't know who is using the same password? So if you've got the results of a data breach and you're thinking, well, I'm going to hack into some of these people's accounts, you've still got to work out who is using the same password on different sites. Otherwise you're wasting time. And so there are tools out there. There's a tool called Sentry MBA, for instance.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. A hacking tool that's been around for a few years, which helps with credential stuffing attacks. In other words, they scoop up a whole long list of usernames and passwords, and then they will use that list to try and log into a particular website.


CAROLE THERIAULT. Okay. So say, for example, my email address was in this list and my password, my favorite animal is a cat. Right?


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Are you saying they would try and use that password just to see if I'm using the same password on multiple sites?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay. Gotcha. Gotcha.


GRAHAM CLULEY. Now there are ways of stopping credential stuffing if you are running the website. For instance, you could spot multiple attempts to access from the same IP address.


THOM LANGFORD. Mm-hmm.


GRAHAM CLULEY. So if you are seeing somebody who's basically spraying a website trying to log into lots of different account names, lots of different account users using lots of passwords and they're coming from the same computer, you can say, hmm, a bit suspicious that. I don't think that's probably what we want to go on. Now, that's a good technique to build into your website, a good protection method.


CAROLE THERIAULT. It's like a behavioral algorithm or something, right?


GRAHAM CLULEY. In a way, yes, because it's not a normal human behavior to act like that, is it?


CAROLE THERIAULT. Mm-hmm.


THOM LANGFORD. And also, if you come from different countries, for instance, or different time zones, it'll spot that as a, hang on, you've been logging in from London for the last 6 years and now you're coming in from Moscow.


CAROLE THERIAULT. How dare you go on holiday?


THOM LANGFORD. Yeah, well, there is that too.


GRAHAM CLULEY. Why is Thom trying to come in from Bangkok? When normally he's from Bermondsey, that kind of thing.


THOM LANGFORD. Yeah, that's right.


GRAHAM CLULEY. Now, tools like Sentry MBA, they try to get round that by using proxies to attempt to log into accounts. So rather than being the same IP address each time, they might log in from lots of different ones. So you don't see this sort of— this— all of these attacks coming from the same place. And again, all of this is configurable with hacking tools like Sentry MBA, which make it so much easier. So we've got the tool, guys, to hack into the website.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Let's hack into the website of the UK National Lottery, run by an outfit called Camelot in Great Britain.


CAROLE THERIAULT. That would seem quite difficult to do, no?


GRAHAM CLULEY. Well, it's not that you're necessarily going to hack into the millions and millions which they have control over. You're going to hack into different user accounts. And that actually is what happened in late 2016. There was a guy in Notting Hill.


THOM LANGFORD. You know what the thing I like about this podcast is it's so timely. The news comes in.


CAROLE THERIAULT. Tell me about it.


THOM LANGFORD. It's like it happened yesterday.


GRAHAM CLULEY. Well, there was this chap in Notting Hill, not Hugh Grant or— oh, fuck, fuck, shit. What? No, none of that. His name was Anwar Batson.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And what he did was he downloaded that hacking tool, the Sentry MBA, and he joined a WhatsApp group devoted to hacking. And he used an alias. The alias was Rose Gold.


THOM LANGFORD. Ooh.


GRAHAM CLULEY. And in that WhatsApp group, he met a couple of other fellas, and he produced for them a configuration file to run the hacking tool against the National Lottery website. So the configuration tool basically customizes the tool specifically for this particular attack. And he wrote up a deal with them. He said, look, what we'll do is we will split the proceeds of any money which you make from hacking into those accounts.


CAROLE THERIAULT. 2016 and all the details.


GRAHAM CLULEY. Yeah, yeah, yeah. We're gonna come up to date because— and so it was in November 2016, National Lottery warned players that around 26,500 accounts had been accessed and they forced a password reset. And this really had repercussions on the National Lottery. Camelot, who run the lottery, they say they spent £230,000 quid investigating the attacks, tightening up their security. They say 250 customers closed their accounts as a result of the bad publicity.


CAROLE THERIAULT. I don't even understand what a National Lottery account would give you. What, do you put money in every month to play? Is that how it works?


THOM LANGFORD. You can do.


GRAHAM CLULEY. I think so, yeah.


THOM LANGFORD. You put your payment details in there.


GRAHAM CLULEY. Yeah.


THOM LANGFORD. So, or you can have your card details in there, so it takes money out every month to pay for your lucky dip.


CAROLE THERIAULT. Right, right.


THOM LANGFORD. Every single week on the same numbers or whatever. So yeah, it's a financial transaction website.


CAROLE THERIAULT. Right. Okay.


GRAHAM CLULEY. And Camelot also paid out tens of thousands because they were planning to have a staff training event and it had to be postponed in the wake of the hack because everyone was required to sort of, you know, deal with the consequences of the hack and the repercussions. And so they lost about £40,000 that way as well. Anyway, Batson was arrested in May 2017. Look, I'm almost getting up to date, by the National Crime Agency. And initially he denied he was involved in the attack. He said, oh no, he said, oh no, my devices, my computer, my smartphone has been cloned. There's a bunch of guys online, they're trolling me. Do you say trolling or trolling? Trolling sounds like something they do in Norway, you know, people pretending to be rogues. No, that's not me. People are pretty— but NCA officers, they examined his devices, they found conversations between Rose Gold and others on WhatsApp where they discuss the hacking, the buying, the selling of usernames and passwords and so more.


CAROLE THERIAULT. I think that's the thing I find most surprising is that they trusted WhatsApp because back in 2016, I don't think they had end-to-end encryption. So it seems like a weird channel to me.


THOM LANGFORD. I thought they were one of the first to bring that on. I don't know when they did it, but I think they were one of the first.


CAROLE THERIAULT. I may be wrong on that.


GRAHAM CLULEY. Yeah, I don't know. I've never really used WhatsApp, so I'm not, and it certainly has end-to-end encryption now, doesn't it?


CAROLE THERIAULT. Yeah, well, yeah, it has for a number of years, but yeah.


GRAHAM CLULEY. You're painting a very dull picture of yourself.


THOM LANGFORD. Yourself, Graham. You don't do the lottery. You're not on WhatsApp. You're going to tell us next you're not on Facebook. Yeah.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. As if. Come on. Seriously, Thom. So Batson, he kept on claiming that he wasn't Rose Gold, but the officers who were searching his house found all these clothes which were addressed to someone who was calling himself Rose Gold.


CAROLE THERIAULT. It's always the little things, right?


GRAHAM CLULEY. It is the little things.


THOM LANGFORD. Criminal mastermind.


GRAHAM CLULEY. Let's tell you. There's another little quirk in the story as well. When he was defending himself, defence team, they were in court at the end of last year and they were asked to produce character references to say, look, he's, you know, although he's been a very naughty boy, it's not his normal behaviour and he's very good. And the judge was looking at these character references and he said, these aren't really character references in relation to him committing a crime. In fact, what he'd put forward were actually references from a previous employer to someone when he was applying for a job. And so he gave this to the court and the judge was saying, you can't just hand in these as character references, because we all know that people lie on those things anyway, or quite often write them themselves.


THOM LANGFORD. I probably would have done that.


CAROLE THERIAULT. I've been on— No, but I'm glad you've saved me from the embarrassment should I ever find myself in this situation, because I would get like a, you know, a client saying, "She's great." Well, I think being on time and the ability to make good tea does not necessarily count as a character, you know, reference, you know.


GRAHAM CLULEY. Maybe on the tea, as long as it's not a suspicious colour, but, you know. So Batson ended up being convicted in relation to the hack of one particular National Lottery account. He gave the username and password of a lottery player, a certain Dr. Iain Bentley, to one of his accomplices, who stole the entire contents of the account. And he— they stole a grand total of £13. And Batson split £5. Are you kidding me? No, I'm not kidding you.


CAROLE THERIAULT. And that's how much he made out of doing all this?


GRAHAM CLULEY. He made £5.


CAROLE THERIAULT. He made a fiver.


GRAHAM CLULEY. He made £5, which has now resulted in him getting a 9-month sentence in jail. So all I can say is that if you're finding London house prices rather expensive and can't afford to rent anywhere, just £5 will get you 9 months in Her Majesty's Prison. Free food, you don't have to pay for that.


THOM LANGFORD. Plenty of evening fun in the cells.


GRAHAM CLULEY. I think that's what they call a lucky dip, actually, Thom. All right, enough, enough. Thom, what is your story for us this week? Please keep it clean, no smuttiness.


THOM LANGFORD. Well, I do have a little bit of sinness, but a very good friend of mine put me onto this story, so I won't claim credit for finding it, but there is a hotel brand in Japan called Happy Hotels. I'm keen to know what their tagline is, because they're actually a love hotel chain.


CAROLE THERIAULT. So what is a love hotel?


GRAHAM CLULEY. Yes, Thom, tell us. What is a love hotel, Thom?


THOM LANGFORD. It's a hotel one makes beautiful love to a woman in, I guess. Oh. It exists.


GRAHAM CLULEY. I didn't know it existed.


CAROLE THERIAULT. So gender-specific.


THOM LANGFORD. Wow, okay. This is very true.


GRAHAM CLULEY. 'Cause love is made by a man to a woman. It's never a woman to a man or a woman to a woman or any other combination. It's good to know where you stand on this, Thom.


THOM LANGFORD. Hey, I only go from personal experience. Okay, so we're two—


GRAHAM CLULEY. Or more. Humans.


THOM LANGFORD. Two people now.


GRAHAM CLULEY. Or more. Humans. A number of people.


THOM LANGFORD. Humans and/or others, maybe quadrupeds. What about self-love? Selfless.


GRAHAM CLULEY. I don't think you need to book a hotel room for that, Chris.


THOM LANGFORD. You just need a lock on the toilet door.


GRAHAM CLULEY. Just need an office at the bottom of the garden.


CAROLE THERIAULT. That'll do. Yeah.


THOM LANGFORD. Is that— works for you, right? In your new love office.


CAROLE THERIAULT. Oh, we digress.


GRAHAM CLULEY. Anyway, keep on track.


THOM LANGFORD. Anyway, anyway, since Graham picked me up on my gender-specific non-inclusive speech.


CAROLE THERIAULT. Actually, what does that mean, Ben?


THOM LANGFORD. So Happy Hotels is a love hotel where you take— you can hire a room— stop you gossiping— hire a room for a few hours or a night without interacting with any hotel employees. So there's no awkward glances.


CAROLE THERIAULT. Just the surveillance cameras.


THOM LANGFORD. Just the surveillance cameras. Well, I don't know, maybe not. Anyway, it feels like this is the entire story in and of itself. However, they've been hacked and the customer detail, including email address, birth dates, gender— see, it is important— phone numbers, login address, credit card info, all of which is compromised.


CAROLE THERIAULT. And that's, that's got to be embarrassing because I'm guessing many people who frequent these love hotels might be doing so without the thumbs up from their maybe everyday partner, or—


GRAHAM CLULEY. oh, I see, right?


CAROLE THERIAULT. So it's a bit like the Ashley Madison fiasco.


THOM LANGFORD. Well, well, precisely. And the thing, the thing about this is, you know, all joking aside, you know, and all the sort of, you know, let's stick our sort of morals and ethics where the sun don't shine here because it's all really important. There's nothing wrong. All that aside, actually, there is a very human cost. We saw with the Ashley Madison breach that there were very real consequences. I believe there was two suicides as a result of the information coming out, etc. You know, what seems like a— I was going to say, you know, a harmless criminal act, if you will. But, you know, what seems like a, you know, a stick-up effectively in the old-fashioned terms of give us, give us your money. And it wasn't— oh, Graham, you've got a filthy mind. But someone else is saying it, you know, it's not just an exchange of money or even give us some money and we'll give you your details back or whatever. But there are real other implications to this that that result in a lot of pain and death.


GRAHAM CLULEY. Because with Ashley Madison, there were even blackmailers, weren't there, who went through the database, they wrote letters and sent emails threatening to tell people's spouses, and I guess potentially this could happen with the Love Hotel breach as well.


THOM LANGFORD. Yeah, exactly, exactly. And I think a lot of people will respond to these kinds of stories, and even these kinds of allegations, you know, about the after-effects, saying, well, people shouldn't be doing this sort of thing anyway, you know, it's immoral, it's unethical, they're hurting their spouses, significant others, etc. But actually, that's the old victim blaming coming out. We should be focusing on this as a criminal act. It should be treated as a criminal act.


CAROLE THERIAULT. What, going to the love hotel?


GRAHAM CLULEY. No, the hack, he means.


THOM LANGFORD. But the actual hack should be just seen as a criminal act, end of story. It doesn't matter the circumstances.


CAROLE THERIAULT. Absolutely.


THOM LANGFORD. And even, you know, the police, the law enforcement agencies, they don't view it like that. You know, at least I'd like I'd like to think so. So, you know, us shouting from the peanut stands, as it were, we need to sort of focus more on the criminal act rather than the people that were affected.


CAROLE THERIAULT. Unfortunately, it doesn't make as good media story, right? People love covering the drama of people whose lives are being shattered. Now, I might, Thom, want to revisit my argument of places for self-love, because surely that would be an argument that you could use with your loved one at home. Saying, look, I needed a few hours to myself.


GRAHAM CLULEY. A few hours? You don't need a few, you need about 18 seconds. What are you talking about?


CAROLE THERIAULT. Well, maybe you take a nap afterwards.


THOM LANGFORD. Oh, I see.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. Like, you know?


THOM LANGFORD. Absolutely.


CAROLE THERIAULT. And maybe—


THOM LANGFORD. Often I can't even make it to the door of the hotel, so.


CAROLE THERIAULT. Look, so anyone out there may want to kind of visit that argument.


GRAHAM CLULEY. Right. So you're suggesting if anyone's being blackmailed for going to a love hotel, say that you would just go in there for a Tommy Tank, Exactly.


CAROLE THERIAULT. Or whatever.


THOM LANGFORD. Tommy tank.


CAROLE THERIAULT. And you went on your own and that's that. And what's— there's nothing to it.


GRAHAM CLULEY. And to think people say we never offered advice on this podcast.


THOM LANGFORD. I think that's good consumer advice.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. Okay, well, we're talking DNA tests.


GRAHAM CLULEY. Oh, it's all sort of connected.


THOM LANGFORD. That's, that's what they did in the hotel afterwards.


CAROLE THERIAULT. I'm gonna focus on 23andMe for this story, but I think many of the points will apply to other corporations in the DNA snarfling field. According to Bloomberg, more than 10 million customers have taken 23andMe DNA tests.


GRAHAM CLULEY. So this is, this is this deal where you sort of spit into a, or whatever, into a test tube, you send it off to 23andMe, and they'll analyze it and come back with some—


CAROLE THERIAULT. Yeah, we're gonna go visit their website in one second, actually.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So yeah. Do you know anyone who's done this kind of stuff, either of you?


GRAHAM CLULEY. Uh, yes, I do.


CAROLE THERIAULT. And did they learn anything?


GRAHAM CLULEY. I haven't done it myself.


CAROLE THERIAULT. Um, no one called you up and said, my dad's not my dad!


GRAHAM CLULEY. It's not the Jeremy Kyle Show.


THOM LANGFORD. There's a few subreddits on that subject. I have to say, there's loads of them that come in about that sort of thing. But I mean, I've not done it myself. I would be fascinated to find out about it because I'm kind of slightly alien. Well, yes, to a certain extent. I really like the idea that most— the average Briton is a real sort of mongrel of genetics, given that our whole history, you know, we've been invaded, invaded by the by the Vikings, by the French, by the Germans, by the— well, just about everybody.


GRAHAM CLULEY. When I look at you, Thom, I see a little bit of Attila the Hun. I have to be honest.


THOM LANGFORD. Yeah, I like to think so.


CAROLE THERIAULT. Now why don't you guys go visit the site actually?


GRAHAM CLULEY. Okay, what's the URL?


CAROLE THERIAULT. So you go to 23andme.com.


GRAHAM CLULEY. The number 23andme.com.


CAROLE THERIAULT. Yeah, that's right. Yeah, and take a look around. And what I'm looking for is maybe you guys just take a little sniff around. It's not too complex a website. And just let me know what you think the top-level messages are on the site.


GRAHAM CLULEY. So I'm sort of seeing that it'll help me exercise more. It'll make me healthier because I know my body better and I'll know if I've got any nasty genetics, which might give me health problems in the future. That's sort of message I'm getting.


THOM LANGFORD. Mine's, mine's just taken me to a register your kit page.


CAROLE THERIAULT. Oh, interesting.


THOM LANGFORD. It's very interesting. So I might have to try that again, but.


CAROLE THERIAULT. Yeah. So from what I saw on the site, right, effectively they seem to be selling 3 services. One is like Health and Ancestry, another one called Ancestry and Traits for $99. This is US. Or you have VIP Health for a whopping $499. Now what's interesting is 23andMe does research and through this research has been able to create an antibody and it has agreed to license this antibody to a Spanish drug maker called Almirall SA.


GRAHAM CLULEY. All right, and what's this antibody do?


CAROLE THERIAULT. So this antibody is developed to treat inflammatory diseases such as lupus or Crohn's disease, right? Very unpleasant. Yes, nasty.


GRAHAM CLULEY. I had an inflammation once actually when I was in Japan in a hotel, but it went away after a few seconds. Yes, that's right.


CAROLE THERIAULT. So Almirall now have the rights to develop and commercialise a drug for worldwide use. Certainly, it seems that the VPs at 23andMe are thrilled, right? One of them was quoted saying, "This is a seminal moment for 23andMe. We have now gone from database to discovery to developing a drug." I'm making up my own jokes now.


GRAHAM CLULEY. Okay, carry on.


CAROLE THERIAULT. I missed it.


THOM LANGFORD. Oh, no, I heard it too, Graham.


GRAHAM CLULEY. Yeah, yeah, let's move on, Carole. Don't worry, none of the listeners will have caught it. Yeah, as it were.


THOM LANGFORD. So Spider-Man, isn't it?


CAROLE THERIAULT. I feel like I'm out of the joke loop. Seminal. Yes. Okay, good, good. Excellent, excellent. Well done. I can— yes, good.


THOM LANGFORD. Okay, so how old do you feel now, Graham? Because I feel like I'm about to die.


CAROLE THERIAULT. So, so this deal is a big deal, okay? Because 23andMe are in the business of providing you, right, personal insight into your genetic history should you decide to spit in a tube. But it's also in the business of using that trove of genetic material to create antibodies that it can eventually turn into drugs, or allow to be turned into drugs by drug companies. Now, just as a, for what it's worth, back in 2018, GlaxoSmithKline purchased a $300 million stake in 23andMe. And this allows the pharmaceutical giant to use the trove of genetic data to develop new drugs. So I'm looking at all this and I want to talk to you guys about it and noodle about it because something doesn't sit right with me.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So 23andMe is a private US-based company. And on their website that you've looked at, it presents a nice clean image saying spit in a tube, we'll analyze it and we'll give you the info that, and all the predictions for an agreed price. And maybe as a user, you might be presented with a statement at some point that says something along the lines of, I agree to let 23andMe use this information for medical research. Now, to me, medical research means we are doing work to improve this service we provide to you, our customer, right? Like better predictions, better analysis. I don't think most people think it means that 23andMe are going to partner with the likes of GlaxoSmithKline and Almirall to make some serious moolah from an antibody developed from your raw genetic data.


THOM LANGFORD. I mean, I think it's a good thing overall. I mean, there's plenty of pitfalls, but I think overall it's a good thing. It's like crowdsourcing, right? You know, you're getting a whole bunch of information, lots, lots of information from a lot of people that allows you to do stuff. Now, I think you're right that probably people don't know it's going to be used to create drugs. But I do remember a few podcasts ago, Carole, you were talking about the Fitbit and Google thing and how you would— the shareholder scheme, as it were, of 'Here's my data. I need to get some, some of that money that you're selling the company for.' It could be a similar thing if you're a contributor to 23andMe and your genetic material has been used to help create a life-saving drug. Maybe you become a shareholder in that drug.


CAROLE THERIAULT. You know what, I think that's a really great idea. So I, I've made a little play on what we could do here too. So I love that you've said that.


GRAHAM CLULEY. Love it.


CAROLE THERIAULT. Yeah. So I think what bugs me though is not whether it's good or not good. Again, you know how you said earlier in your story, put your morals in your back pocket or where the sun don't shine? Let's do that with this one as well. My concern is the website's basically saying, we have a very clear transaction here. Spit in a tube, I'm going to give you some information. I'm arguing that that's not where they're actually getting their money. Their money is coming from these big drug deals that they're going to make. I'm going to put forward the term DNA mining, for big profits. And maybe there ought to be regulations in place to protect, you know, the primary shareholder of that genetic data, right? Which is, who's that? That's me or you, whoever. I mean, there's not even a bloody thank you or a whiff of compensation to all the people whose DNA has been used to make, you know, mucho dinero for 23andMe. Not only is there no thank you, if you go look at the current, the company's current policy, right, that's on their website. They ask you to agree to a waiver of property rights. So, quote, "You acquire no rights in any research or commercial products that may be developed by 23andMe or its collaborating partners. You specifically understand that you will not receive compensation for any research or commercial products that include a result from your genetic information or self-reported information." So that's not very nice.


GRAHAM CLULEY. But people do have the option not to, not to spit in the tube, right? And not to share their information.


CAROLE THERIAULT. I understand that, but I wish that argument was made much more clearly, much more more upfront on the website. Because once you've spat in the tube—


THOM LANGFORD. Unless they make it more, the whole model transparent and it's like $25 and we'll give you the full, you know, the full test and the full report, etc. But your data will be used for medical research or $500 and we'll destroy your samples once they've been reported. Yeah, that would, that would make more sense.


GRAHAM CLULEY. This is what makes me nervous is that we got these huge multinational companies now who are gathering humongous databases of people's genetic DNA information. And who knows how that data might be used in the future or might be abused. And people are just sort of willingly handing it over. I certainly wouldn't be comfortable if someone were to scrape up some of my saliva, if I spluttered during a presentation at a conference and sent it off to someone's database.


CAROLE THERIAULT. I'll throw out your water bottle for you, Mr. Cluley.


THOM LANGFORD. Think how much money we could make with an army of Cluleys.


GRAHAM CLULEY. Oh, just if they were to grab the, you know, a few loose hairs from my eyebrows and try and clone— you know, it's just horrendous enough as it is. I feel uncomfortable about these things, although there's clearly amazing medical advances which could potentially be made. I'm not sure we're quite ready and whether we've thought through all the implications of these things.


CAROLE THERIAULT. All is not lost, right? So 23andMe do seem to have some good privacy pages, and they say you can delete everything and your DNA by deleting your account on the site. So look it up in your own country, in your own jurisdictions. They do have pages on GDPR and all that, so it may be different for different places.


GRAHAM CLULEY. Some great bedtime reading.


CAROLE THERIAULT. But I would compare this approach, 23andMe's approach, to the National Institutes of Health, so NIH, right? And they have this project called All of Us, PASS, which aims to collect the data from at least 1 million Americans in an effort to further medical research and discovery. And this to me seems a much better approach because it's— everyone's informed as to why they're collecting this information, what the point is. So transparency, to your point, Thom, transparency. It's all about transparency. We need more of it, you know. Otherwise, how are you going to get our heads around this crazy-ass world?


THOM LANGFORD. Wise, sage words.


GRAHAM CLULEY. Boom, boom.


CAROLE THERIAULT. Exactly. Hey, Graham.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity. Let me try that again, folks. Check it out at lastpass.com/smashingsecurity.


THOM LANGFORD. Smashing.


CAROLE THERIAULT. Perfect.


GRAHAM CLULEY. Do you want to make it more conversational? I don't know.


CAROLE THERIAULT. I think that sounded great.


GRAHAM CLULEY. And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


THOM LANGFORD. Pick of the Week. Pick of the Week. Pick of the Week. There you go. You can have that for free.


CAROLE THERIAULT. Thanks.


GRAHAM CLULEY. Thanks, Terry. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Yeah, just like my story.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related.


CAROLE THERIAULT. Good.


GRAHAM CLULEY. But it is technology-related.


THOM LANGFORD. Okay.


GRAHAM CLULEY. Because, well, let me paint a picture for you. Right now, I am speaking to you from my love shack at the bottom of the garden, and it's very, very windy outside, and I don't know whether the wind is being picked up by my microphone or not, but it's certainly pretty noisy in here.


CAROLE THERIAULT. What's that, Cluley?


GRAHAM CLULEY. Now, I'm not using my laptop to record this right now, right? I'm using a desktop computer, which thankfully is quite quiet. But if I was using my MacBook Pro, it wouldn't be unusual for it to start going— and the fan to start up. The problem with a laptop with the fan going crazy is that it obviously runs down the battery. And also, that's not the only thing which can run down the battery pretty quickly. Also, my MacBook Pro has something called a Turbo Boost mode, right, which Apple have turned on by default, right? They just enabled it to get maximum CPU. And it's not as though my computer needs maximum CPU all the time. I don't really need the maximum power, and if I can turn off Turbo Boost, my CPU won't get so hot and the fan won't come on. And this is the brilliant bit. I am now running a program called Turbo Boost Switcher, and what it does is it means my MacBook Pro is now cooler, not just to look at, but cooler in temperature, and my battery is lasting up to 25% longer.


THOM LANGFORD. Ooh!


GRAHAM CLULEY. And it's a really clever program. If you actually buy the professional— if you actually buy— there's a free version, but if you buy the real thing, which is what I've bought for about $9, it's got some nice features. Like, for instance, if it works out that you're on battery and not plugged in, it will automatically disable Turbo Boost, right, to preserve more battery.


CAROLE THERIAULT. I mean, you did warn me that I would like this. I do!


GRAHAM CLULEY. And if, for instance, um, if the fan— so I've also programmed it. I said, if the fan starts going flipping crazy and my computer gets really hot, even if I'm plugged in, then turn off Turbo Boost. And you can even say to it, look, you can have Turbo Boost running when you run these particular applications. So if you've got something which is really CPU intensive, you can run the Turbo Boost then, but when you're not running that application, turn it off. Hmm. So you get the performance you want when you want it.


CAROLE THERIAULT. This is a serious ad, Ben.


GRAHAM CLULEY. Well, should be sponsored, shouldn't they?


CAROLE THERIAULT. So, Graham, while you were doing your bit here, I happened to look at my battery and it was at 9% on my laptop because I'm not doing this recording from home.


GRAHAM CLULEY. Oh, you're not plugged in?


CAROLE THERIAULT. I was, but the plug I was using obviously wasn't working. So that's why you may have heard me crash around. I'm sure we'll mute that for the listeners. But that's why I crashed around during your story because I was going, oh no, oh no, we might lose everything.


GRAHAM CLULEY. There you go.


CAROLE THERIAULT. So there you go. Okay. I'm interested.


GRAHAM CLULEY. So Turbo Boost Switcher, links in the show notes. And that is my pick of the week. Nice.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Thom, what's your pick of the week?


THOM LANGFORD. Nothing so practical, but we've all heard about unsolicited dick pics.


CAROLE THERIAULT. What is up with you with the love hotels and the dick pics? He's coming in strong on his first inaugural visit to Smashing Security.


THOM LANGFORD. Graham's gotta have a hobby.


GRAHAM CLULEY. I don't think any dick pic is actually solicited, surely. No one actually wants to see your penis, Thom.


THOM LANGFORD. Well, you say that. You say that. There is an STD clinic that has started a service where if you don't want to see a doctor, a real person, you can send them a picture of your old chap. Oh, for goodness' sake. And it's all of its— in all of its STD glory. And they will diagnose it for you. The picture gets sent to a, inverted commas, private inbox. And they will diagnose visually. So, gents, if you want to send a dick pic but don't like the idea of it being unsolicited, you can just go to this STD clinic and just send away, and they actually won't mind. You know, all they'll say is, you're all clear.


CAROLE THERIAULT. Okay, I have a number of questions here.


THOM LANGFORD. Okay, I don't see— it's such a simple story, come on, you know.


CAROLE THERIAULT. Thom, it's great. Okay, Thom, does this only work for people with penises, or can people with, you know, sporting the vagine, can they take part in this as well?


THOM LANGFORD. With the bobs and vagines? I'm not entirely sure. I would have to find out. I'm, you know, my earlier faux pas, I'm not going to be gender specific in this case. So I imagine that maybe there is some— maybe that's a service to come, you know, soliciting vagine pics.


GRAHAM CLULEY. Crow, Crow, just— can't we just go on to your pick of the week? I mean, really? This is just—


THOM LANGFORD. Because my thought was, how many times do you send a dick pic before they say, "Please stop.


GRAHAM CLULEY. There's nothing wrong with you." Other than the fact you're sending dick pics.


CAROLE THERIAULT. Maybe it'll get people off the streets. Maybe it'll do a service to all the women who get unwanted dick pics, now that there's an outlet for them to send it to.


THOM LANGFORD. Yeah, yeah. I mean, maybe that becomes a service in and of itself.


CAROLE THERIAULT. Exactly.


THOM LANGFORD. You could actually subscribe to a service that allows you to send dick pics.


GRAHAM CLULEY. Are we still talking about this?


THOM LANGFORD. Are we seriously still talking about this?


GRAHAM CLULEY. Can we just move on?


THOM LANGFORD. The unsolicited solicited dick pic service, £9.99 a month for up to 50 unsolicited dick pics that you can send.


CAROLE THERIAULT. Send to Thom Langford at—


THOM LANGFORD. Whoa!


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Crow, what's your pick of the week? Quick.


CAROLE THERIAULT. Well, from dicks to messiahs. Not the Messiah, but season 1 of the Netflix series called Messiah. Now, have any of you seen it?


GRAHAM CLULEY. I haven't seen—


THOM LANGFORD. I've seen the trailer. Yeah.


GRAHAM CLULEY. And I read an article in The Guardian or some such, which was rather critical of the program.


CAROLE THERIAULT. Interesting.


THOM LANGFORD. Wasn't it swing enough?


CAROLE THERIAULT. So this is like a 10-parter Netflix series. And we basically follow someone who emerges as a kind of cult-like figure. Like some see him as messianic, others like the CIA see him as a grave disruptor. Right?


GRAHAM CLULEY. And a grave disruptor.


CAROLE THERIAULT. No, not a grave disruptor.


GRAHAM CLULEY. Oh, okay, right, I understand.


CAROLE THERIAULT. The story is compelling, okay? But critics are all muddled on this. Some are calling it cumbersome and bland— seriously, two words I would not use to describe the show at all, it was anything but— and others saying the show showed that, you know, us humans are simply hardwired for hope. I don't know, but the question I wonder throughout the series is whether the Messiah figure is a con artist or not, right? That's basically the— that's the thing.


GRAHAM CLULEY. That's the whole hook, right?


CAROLE THERIAULT. That's the hook, right? And they play on it. Like, they revealed that when he was a boy, he entertained people with magic on the streets. They kind of allude to maybe him being a con artist, but then he does something quite special, and you're thinking, wow, how did he do that?


GRAHAM CLULEY. As I remember, in one of the parables, Jesus does saw a woman in half. That was one of the tricks he pulled off in the New Testament.


THOM LANGFORD. Did he then get one of those big hula hoops and run it around it?


CAROLE THERIAULT. But you know, it's weird because of the times we are living in, it somehow feels like dangerous and brave storytelling to be talking about something, you know, that's religiously based, culturally based, and all that. So I don't know, somehow I kind of— to me it gives it a bit of artistic integrity because it has, you know, some guts.


GRAHAM CLULEY. Have you watched some of it? Have you watched it?


CAROLE THERIAULT. I've watched it all. Oh, yeah, I've watched the whole first series.


GRAHAM CLULEY. That's my question, right?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Is a second— is there going to be a second series, and do we have to wait 2,000 years for it to come back?


THOM LANGFORD. Have you been waiting the last 52 minutes to say just that one line?


CAROLE THERIAULT. Um, look, it's not perfect, right? But I think it's a smart person's kind of mystery thriller. You know, and it lets you talk if you watch it with someone, right? It will certainly lead to conversations. I don't know, these are like highly divisive topics, but somehow bubble-wrapped in the context of a Netflix story, you can kind of talk about them more easily, I think. So I think that's kind of a cool thing.


THOM LANGFORD. I'm gonna watch it with my Lord and Savior Jesus Christ.


CAROLE THERIAULT. I mean, who knows, maybe these are the kind of shows we need to all fuck, you know, calm the fuck down a bit, you know, be nice to one another.


THOM LANGFORD. Yeah, Messiah, calm the fuck down.


GRAHAM CLULEY. And on that slightly sacrilegious note, it just about wraps it up for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


THOM LANGFORD. So you can go to my Twitter, which is @ThomLangford. That's Thom with an H after the T, or my website ThomLangford.com. Thom with an H after the T.


CAROLE THERIAULT. That's where it's all going down.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And you can carry on the discussion on Reddit as well. So go and check out our Smashing Security subreddit.


CAROLE THERIAULT. And a huge thank you to all of you for pointing your ears our way, supporting us on Patreon, and giving us swoon-worthy reviews. Also a big shout out to this week's Smashing Security sponsor, LastPass. Its support helps us give you the show for free. Check out Smashing Security at smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, au revoir, bye-bye, sayonara, whatever.


CAROLE THERIAULT. Yeah, I don't think whatever is—


GRAHAM CLULEY. Whatever. Do you know any Japanese from your trips to the love hotels?


THOM LANGFORD. Yeah, one room please, one hour.


CAROLE THERIAULT. You guys, smarty.


THOM LANGFORD. Is it Carole or Carole? I'm sorry.


CAROLE THERIAULT. Honestly, it's Carole Theriault. So Carole Theriault tends to go—


THOM LANGFORD. So we just got to say it with a French accent. Exactly, which is quite difficult. Yeah.


GRAHAM CLULEY. 20 years. 20 years I've known you, Carole. And you've never told me that before, how to say your name.


CAROLE THERIAULT. Really?


THOM LANGFORD. You've never said that you've been mispronouncing her name all this time.


GRAHAM CLULEY. Yeah, I've never mentioned that once.


CAROLE THERIAULT. Not once, never in one show. Never ever. You're right.

-- TRANSCRIPT ENDS --