Capital One gets hacked, critical vulnerabilities are found in iMessage, and data anonymization may not be as good as we hope. But listen up, we also discuss the Legend of Zelda, a biography of tech giants, offer advice for escaping an angry moose, and are introduced to... Penelope?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole 'Penelope' Theriault, joined this week by technology broadcaster David McClelland.
Visit https://www.smashingsecurity.com/139 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: David McClelland.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps. But LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users. Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Go to smashingsecurity.com/metacompliance. Promo Code: SMASHING
Links:
- Woman arrested after Capital One hack spills personal info on 106 million — Tripwire.
- South Seattle woman arrested, charged in massive data breach of Capital One — The Seattle Times.
- Love Bug suspect speaks — BBC News speaks to the author of the Michael-B Word macro virus.
- United States vs Paige A Thompson (PDF)
- Ranji Sinha on Twitter: "Managed to get video of the raid in Seattle that lead to the arrest of Paige Thompson" — Twitter.
- Capital One Hit With First Class Action Over Security Breach — Bloomberg.
- Google reveals fistful of flaws in Apple's iMessage app — BBC News.
- Google researchers disclose vulnerabilities for 'interactionless' iOS attacks — ZDNet.
- Earn up to $200,000 as Apple *finally* launches a bug bounty — Graham Cluley.
- Look, No Hands! -- The Remote, Interaction-less Attack Surface of the iPhone — Black Hat USA 2019
- Your Data Were ‘Anonymized’? These Scientists Can Still Identify You — New York Times.
- Estimating the success of re-identifications in incomplete datasets using generative models — Nature.
- Hackers breach FSB contractor, expose Tor deanonymization project and more — ZDNet.
- The Legend of Zelda: Breath of the Wild — Wikipedia.
- The Making of The Legend of Zelda: Breath of the Wild – The Beginning — YouTube.
- Steve Jobs book by Walter Isaacson — Simon & Schuster
- The Innovators by Walter Isaacson — Simon & Schuster
- What knowledge might save your life one day? — Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
DAVID MCCLELLAND. Sorry to dive in here, guys, but I just feel as though I might be missing something. I know I've not been able to listen to the last couple of Smashing Security.
GRAHAM CLULEY. What?
DAVID MCCLELLAND. But Penelope, who is that? Have I missed something?
ROBOT. Smashing Security, episode 139. Capital One hacked, iMessage flaws, and anonymity. Smashing Security, my ass, with Carole Penelope Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 139. My name is Graham Cluley.
CAROLE THERIAULT. Namaste, I'm Carole Theriault.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Namaste? I just got back from yin yoga. I don't think I felt this relaxed in, I don't know, a decade.
GRAHAM CLULEY. It's like you're unrecognizable, Carole.
CAROLE THERIAULT. Oh, really?
GRAHAM CLULEY. I seem to remember a while ago you decided that you wanted to be a little less cat-handed and less like a drunken giraffe. And you said that you were going to run rather than be clumsy, you're going to be your alter ego, Penelope. Is that what you're trying to do today?
CAROLE THERIAULT. Do you know what? Thanks to my yin yoga, I haven't risen to that. So why don't we introduce our guest?
GRAHAM CLULEY. All right.
CAROLE THERIAULT. Oh, there's a little edge in my voice already. A little salt there.
GRAHAM CLULEY. We are joined this week by a super return guest. It's Mr. David McClelland. Hello, David.
DAVID MCCLELLAND. Hola, hola. ¿Qué tal?
GRAHAM CLULEY. Oh, muy bien, gracias.
DAVID MCCLELLAND. Oh, very good.
GRAHAM CLULEY. Where have you been? As if we can't tell.
DAVID MCCLELLAND. Well, yes. You know, there's a bit of an irony to the whole thing. Normally when we talk about going on holiday or travelling abroad, it's to escape the British summer. It's because it's the cold we're trying to run away from. But it was only 28 degrees by the coast in Catalonia last week. Positively chilly compared to, what was it, 38 degrees or something you had here in the UK?
CAROLE THERIAULT. It was really, really insane. Like, we don't have air conditioning here. Most of us do not have air conditioning. I think last week's episode is really all about the heat. We didn't stop talking about it.
GRAHAM CLULEY. One of our rules when we started the podcast was we're never going to discuss the weather.
DAVID MCCLELLAND. And I think we discussed it about 4 more times last week.
CAROLE THERIAULT. Yeah, that's true. That's true.
DAVID MCCLELLAND. Well, I was very grateful to be by the water last week, but unfortunately my iPhone X took an unexpected dip in the Mediterranean. And it turns out that that's not cool.
CAROLE THERIAULT. I thought they were waterproof or water splashproof or something.
GRAHAM CLULEY. That's why they don't have a headphone socket, right?
DAVID MCCLELLAND. Yeah, right. So you start peeling away beneath the surface on the water resistance claims that Apple makes. And then you start looking at the warranty and the guarantee, and you realise that yes, while it claims IP67 dust and water resistance, if there is any water damage detected within the phone, then that is not a warranty fix.
CAROLE THERIAULT. David, I'm hearing a lot of frustration in your voice. Maybe you need to take up some yin yoga. Like, telling you, man.
DAVID MCCLELLAND. I tell you what, when the Apple genius this afternoon said, "That's gonna be £550, please," I could have done with some yoga there. And the frustrating thing is—
CAROLE THERIAULT. You should have jumped into a tree pose. You'd have felt so much better.
DAVID MCCLELLAND. This phone is what, 18 months old, 19 months old? Apple is going to announce its iPhone 11 or whatever they call it in 6, 7 weeks' time. I'm not gonna splash out on a refurbished almost 2-year-old phone right now. So I'm slumming it on Android for the next few weeks. I tell you what, I'm finding it tough because the rest of my family are on iOS. It's like I've been cast out from the family bosom. I'm missing out on group chats, losing my Apple Music and all of the apps that we use. I've got real fear of missing out from my family right now.
CAROLE THERIAULT. FOMO, come on, dude.
GRAHAM CLULEY. Were you not tempted to say to the Apple genius, do you not know who I am? I'm from Ripoff Britain. We will get Angela Rippon and Gloria Hunniford and Julia Somerville onto this unless you sort me out right now with a replacement.
DAVID MCCLELLAND. So look, this might not be the last that we hear of this particular story, but these things take time. So watch this space. But in the meantime—
CAROLE THERIAULT. Oh, we got an exclusive, kids.
DAVID MCCLELLAND. I am iOS-less for now.
CAROLE THERIAULT. Well, okay, we'll still put up with you for the length of the show.
GRAHAM CLULEY. Thanks. Carole, what else have we got coming up in the show this week?
CAROLE THERIAULT. Well, first, shout out to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. And on today's show, Graham, yet another data breach gets nitpicked by you. David is yakking about malicious iMessages because he's using an Android, and I'm chatting about data anonymization. I promise it won't be boring. All this and heaps more coming up on this episode of Smashing Security.
GRAHAM CLULEY. We'll be the judge of that. Hey!
CAROLE THERIAULT. I mean, namaste. Namaste. I'm staying cool. I'm staying cool.
GRAHAM CLULEY. Stay Penelope. Now, chaps, chaps, as Carole has just said, it's been another day and there's been another data breach, a big one. This time, a breach has impacted customers of the financial services firm, one of the top 10 banks in America, Capital One, and any consumer or small business who's applied to take out a credit card with them in the last 14 years may well have had their personal details hacked.
CAROLE THERIAULT. Wow, 14 years.
GRAHAM CLULEY. So this breach saw personal details of around about 100 million individuals in the United States and approximately 6 million in Canada as well. Whoa, hold the phone. Yes, exactly. That's the bit you care about, eh? Stolen from a cloud-based data server, one of those Amazon buckets. And they grabbed names, addresses, phone numbers, email addresses, dates of birth, income. Some also had their credit scores and payment history and things like that taken. And in the worst cases, there were round about 140,000 Social Security numbers, which is obviously a big pain point.
CAROLE THERIAULT. You know, they keep on getting stolen, don't they?
GRAHAM CLULEY. Well, yeah, but fast hack, they already got stolen, so— Well, yes, darkweb hackers have already got those, I suppose. People are probably going, "Ah, plus ça change." And 80,000 bank account numbers linked to accounts, they were swiped in the States with a further 4 million social insurance numbers in Canada. Who knew that Canada even had 4 million people in it?
CAROLE THERIAULT. Oi!
GRAHAM CLULEY. Well, I don't know. How many people are there in Canada?
DAVID MCCLELLAND. 30 million.
GRAHAM CLULEY. Oh really?
DAVID MCCLELLAND. Yeah.
GRAHAM CLULEY. Oh, there you are. You're doing very well. Well done. Keep on bridging. I'm impressed with you. Now, the first that Capital One knew about this breach was when its little bug bounty hotline, or rather its email address, received a message from a member of the public tipping them off that some of their data had been leaked and published on GitHub. And they basically gave Capital One the link and said, "I think you might want to check this out." So GitHub went to the link where indeed there were samples of this stolen data, and the account was in the name of someone. It wasn't in the name of like, you know, Black Skull or Phantom Menace, or, you know, sort of typical—
CAROLE THERIAULT. It was Graham Cluley.
GRAHAM CLULEY. No, no, it wasn't me. It wasn't me. Hey, watch it. No, not me. Instead, it was in the name of Paige Adele Thompson.
CAROLE THERIAULT. Can I just interrupt for a second? Do you not feel at this point that big companies should be aware that Amazon clouds need to be protected? I just, I can't believe that this is still happening.
GRAHAM CLULEY. Oh, well, we don't know exactly how they got access to it. So it's not necessarily the case that this was an Amazon bucket which had been left open. There is some suggestion that there may have been a vulnerability, maybe in a web application firewall or some other software which—
CAROLE THERIAULT. I apologize. You see, there I was jumping to a conclusion and I'm just—
GRAHAM CLULEY. You don't need to apologize at all. You are right. There has been a big security problem with web buckets being left open and for anyone to access, but it's not necessarily the case that this is what happened on this occasion. But as I said, the account name, the GitHub name was in the name of Paige Adele Thompson. And that GitHub account also had a CV and resume on it.
CAROLE THERIAULT. Oh, this is like, what was the virus?
GRAHAM CLULEY. You are thinking of a virus, a Word macro virus from the past.
CAROLE THERIAULT. Love Letter.
GRAHAM CLULEY. No, well, it wasn't the Love Letter. It was written by an associate of the person who wrote the Love Letter. It's a Word macro virus called Michael B. And that was written by Michael Bowen, which included his CV.
CAROLE THERIAULT. That's right, yeah.
DAVID MCCLELLAND. Good knowledge. Good history knowledge there, Graham. I like that.
GRAHAM CLULEY. I'll tell you what it did actually. It's one of my favorite viruses because it's one of my dumbest virus writer stories ever. What he would do is at the end of the month, he would print out his entire CV asking for a job, including his name and address and phone number.
CAROLE THERIAULT. In the payload?
GRAHAM CLULEY. Yes, that's right. And he said, if you don't give me a job, I'm going to release another virus. So it is similar.
CAROLE THERIAULT. Somehow it didn't work for him. I don't know.
DAVID MCCLELLAND. I don't know.
GRAHAM CLULEY. It is similar. It is similar to that. But anyway, this had a CV and resume on it for a certain Paige A. Thompson.
CAROLE THERIAULT. Okay.
DAVID MCCLELLAND. Interesting.
GRAHAM CLULEY. Including, of course, her employment history. Which said that her last previous employment was at Amazon working on the web business.
DAVID MCCLELLAND. Oh, here we go, here we go.
GRAHAM CLULEY. Between May 2015 and September 2016. So it's a while ago, but interestingly, she had been working at Amazon in Seattle. Now, CVs, of course, just like with Michael Boone, also include people's addresses and phone numbers, and this one was no exception. So it wasn't that hard for the FBI to know whose door they should knock on. And so they knocked on the door of 33-year-old Paige Thompson in South Seattle.
CAROLE THERIAULT. I don't know if that is the norm anymore to have addresses and phone numbers. I think now you might have a Google phone number if you were in the States, for example, that's not tied to your address, and you would present yourself because of privacy issues. You don't want to put all that stuff on a piece of paper that's going to end up God knows where.
GRAHAM CLULEY. But they need some way of contacting you. Oh, you think so? They just put an email address?
CAROLE THERIAULT. Well, no, they can use a Google phone number, right? Which is not tied to your house or to your mobile.
GRAHAM CLULEY. Oh, good tip, Carole. Well, you know, to be honest, it's been, I don't know, 30 years since I applied for a job.
CAROLE THERIAULT. Yeah, quite, quite. So I just love your "CVs, of course, tend to include."
GRAHAM CLULEY. A curriculum vitae, of course, is normally wrapped around the leg of a pigeon. Anyway, did I say knocked on her door? Did I say the FBI did that? It isn't quite as simple as that. And I'll include a link in the show notes. And I've shared with you both Oh my word. And an image here. You will see that the knocking on the door was more in the form of a SWAT team coming around with rifles.
CAROLE THERIAULT. With full army gear, like camouflage army gear. What were they gonna do, hide behind the pot plants?
GRAHAM CLULEY. They've got a database, everybody. We've gotta take this seriously.
CAROLE THERIAULT. Crawling across the grass, pretending to be imperceptible? Oh my God, this is insane. Where is this?
GRAHAM CLULEY. This is in Seattle.
CAROLE THERIAULT. Okay, so not like a place where, you know, middle of nowhere, where people are bored, where the military's been sitting there doing nothing for the last 3 years. Maybe, well, maybe, I don't know, maybe Seattle.
GRAHAM CLULEY. Well, police searched the house, which Paige shares with a number of other people, and they seized drives, which contained files that referenced—
CAROLE THERIAULT. Not driveways, but—
GRAHAM CLULEY. Amazon. No, for God's sake.
CAROLE THERIAULT. Sorry.
GRAHAM CLULEY. Seriously, is that the best you can do after an hour of yoga? That kind of gag? Oh, you're not rising to it today, are you? You are being Penelope. This is amazing. Wow, it's a whole different crowd. Anyway, so they seized some thumb drives and they had files on them related to Capital One and Amazon and also her online alias, Erratic, where she'd been posting on Twitter and on other things. Oh, but this is the interesting thing, and it may explain why the police were so well-armored and had all these guns and things. Because she wasn't the only person of interest in the house. She shares a house with a few other people. And when the police were searching it, they found 20 firearms.
CAROLE THERIAULT. Okay, whoa, whoa, whoa. Is this Murder, She Wrote? I feel like you've just tricked us. You didn't mention that they had interests of people and that there were guns involved. I just— sorry, I'm rising. I'm rising to it.
GRAHAM CLULEY. Well, they discovered assault-style rifles, handguns, scopes, grips, ammunition in another bedroom belonging to the chap who actually owns the house, a 66-year-old called Park Kwon. And apparently he has previous regarding weapons. And in the 1980s, I think it was, he was actually indicted. He got into some trouble with some co-conspirators about a failed contract killing where a truck bomb was made out of dynamite.
DAVID MCCLELLAND. Oh, wow.
CAROLE THERIAULT. Okay. I just want you to remember that you started with a Capital One breach.
GRAHAM CLULEY. Anyway, so maybe, maybe the authorities saw that he was also present in the property.
CAROLE THERIAULT. I now understand why they dressed that way.
GRAHAM CLULEY. Yeah. So I don't know. I'm just guessing. I'm just making the link. I don't know. I don't know, Carole. I don't know what's going on here in the States.
CAROLE THERIAULT. I'm sorry, people.
GRAHAM CLULEY. But even if Thompson hadn't posted her resume online, there were plenty of other clues. You know, she didn't really act like an elite hacker.
CAROLE THERIAULT. She didn't have any good— she didn't have good OPSEC.
GRAHAM CLULEY. No. And there's plenty of details in the indictment. For instance, remember that Capital One was informed by a member of the public about the data being on that public GitHub. Well, it turns out that they may have been a friend, maybe not so much anymore, of Paige Thompson slash the hacker known as Erratic.
CAROLE THERIAULT. I think that's probably normally the way it's— people get dubbed in.
GRAHAM CLULEY. Yeah. And there'd been private direct messages exchanged on Twitter. There'd been a Slack group where they'd been having all kinds of conversations, and Erratic had been talking about other companies as well, which may have been plundered in the past. So the arrest has only just happened this week. On Thursday, which is the day when this podcast will be released, Paige Thompson will be appearing in court. She's been charged with a single count of computer fraud, faces possibly a maximum penalty of 5 years in prison and a $250,000 fine.
CAROLE THERIAULT. Yeah, but that's kind of chump change for everything, like 5 years considering that some people go in for—
GRAHAM CLULEY. Well, we'll have to see. I mean, I'm sure they're still gathering evidence and putting their case together on this one.
CAROLE THERIAULT. I mean, how many people again have been impacted, we think?
GRAHAM CLULEY. 106 million. Okay, so yeah, 5 years, no biggie.
CAROLE THERIAULT. You're right.
DAVID MCCLELLAND. But this is data going back how many years ago? But it's credit card application data. So the stuff that you are using to apply for a credit card and so on. Why are they keeping that data so far back?
GRAHAM CLULEY. Absolutely.
DAVID MCCLELLAND. I mean, do they need to? Is that a regulatory compliance thing there? Or actually, are they just being too—
CAROLE THERIAULT. Greedy? Well, yeah. So they can sell the data?
DAVID MCCLELLAND. Perhaps, exactly.
CAROLE THERIAULT. Just wait for my story, I tell you.
DAVID MCCLELLAND. Oh, okay. But that increases their attack surface, doesn't it?
GRAHAM CLULEY. It really does. I think there is this huge problem of toxic data. Many organizations probably want to think, what is the minimum amount of data we can keep on our clients and our contacts and people who— 'cause some of those people won't have been given credit cards. They won't have become customers of Capital One.
CAROLE THERIAULT. Exactly, so they didn't get any of the spoils.
GRAHAM CLULEY. And yet that data has obviously now been snarfed up. Now, Capital One say, they have apologized by the way, they say that they believe the data hasn't been exploited. They don't think it's been disseminated either, but frankly, how would they know? The fact, however, that this woman was arrested quite quickly, although the original breach looked like it happened a few months ago, does suggest that maybe it hasn't actually been used in some fashion, but we'll have to follow the case to see what happens. Now, I'll tell you something astonishing though. The news of this breach has only happened as we're recording within the last 24 hours, but already the first class action suit has been filed.
DAVID MCCLELLAND. Really?
CAROLE THERIAULT. Already?
GRAHAM CLULEY. Someone has already put it together and said, "We want millions out of Capital One because of this data breach." And you almost think that these class action suits must be prepared in advance with a gap for the companies to move. Do you know what though?
CAROLE THERIAULT. I suspect that, you know, many, let's say 5 or 6 different companies do exactly the same thing. You want to be first out of the gate.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So I can understand people moving quickly.
GRAHAM CLULEY. I guess so. But Capital One has apologized.
CAROLE THERIAULT. Oh, well, that's fine then. Let's move on.
GRAHAM CLULEY. I think they're also offering credit monitoring. But my thinking is, yeah, but with so many breaches that have happened, Carole, hasn't everybody, sorry, Penelope, hasn't everybody already got half a dozen credit monitoring subscriptions going on already in the States? Because chances are this isn't the only place where your data has been breached.
CAROLE THERIAULT. Yeah, yeah, so don't worry about it. Put your feet up and away you go, listen to a podcast.
GRAHAM CLULEY. Yeah, well, that's not a bad idea.
DAVID MCCLELLAND. Sorry to dive in here, guys, but I just feel as though I might be missing something. I know I've not been able to listen to the last couple of Smashing Security because I don't have my podcast app anymore, 'cause it doesn't work on bloody Android. But Penelope? Who is that? Have I missed something?
GRAHAM CLULEY. Oh, sorry, sorry. Yes, Penelope is Carole's alter ego.
CAROLE THERIAULT. Well, she was, I don't know, 15 years ago.
GRAHAM CLULEY. Yes. If you can imagine Carole not walking into something, not tipping over a glass of water over a keyboard.
DAVID MCCLELLAND. So Penelope is a less sweary Carole?
CAROLE THERIAULT. She's just gentler.
GRAHAM CLULEY. Is there any other kind? Probably a less swearing girl, I'm not sure.
DAVID MCCLELLAND. Okay, okay.
CAROLE THERIAULT. Yeah, but she's more refined. She's refined.
GRAHAM CLULEY. David, what's your story this week?
DAVID MCCLELLAND. Well, you know, I remember the days, don't we all, when iPhones were simple and safe.
CAROLE THERIAULT. He's lamenting it.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. He's got that little bit of his brain that's throbbing because he misses his iPhone so much.
DAVID MCCLELLAND. It's still there. It's still there. You know, once upon a time you could give your mum an iPad or an iPhone and you know, she'd be sheltered from all the bad stuff that was happening on the internet. Those days, alas, are long gone, it would seem. And over the last few days, iPhone users, which I guess doesn't include me anymore, may have noticed that they've been encouraged to update their iOS operating system. Why? Well, because apart from one or two new features, it fixes what Leo Kelion from the BBC News Online website called "a fistful of flaws in Apple's iMessage app." Good work, Leo. So these were some vulnerabilities that were identified by bug hunters from none other than Google. Oh, who I suddenly feel a lot closer to now.
CAROLE THERIAULT. Your buddies, my buddies at Google.
DAVID MCCLELLAND. I know. And so the researchers at Google, they helpfully published details of these exploits, including examples of the code to create these malicious iMessages. Uh, there are 6 potential hacks in Apple's over-the-top iMessage service, and they are what's called interactionless, which basically means that the victims of the attack, the people who are receiving the message, don't have to do anything really to have their messages exploited. Just receive one of these weaponized messages and open it. Literally, as soon as you receive this message and your phone opens it, then that's the point at which bad guys could potentially perform some remote code execution, run some dodgy stuff on your phone, and even read some files from your device. Now, what I should say is that these disclosures were all done very responsibly by Google's Project Zero team. They let Apple know about the exploits, and there's a kind of statutory 90-day period in which Apple has to develop some patches to fix the vulnerabilities before Google went public with it. It's a bit embarrassing for Apple, but I think it's better that Google finds it than somebody with fewer scruples.
GRAHAM CLULEY. Well, yes, yes, I agree. And I think Google have done very well here. I mean, I think it's fantastic actually that Google have fixed every single vulnerability in the Android operating system so that they're now able to spend time finding flaws in their biggest competitor. I think it's really well done them because Android's perfect.
DAVID MCCLELLAND. So I'm grateful for them. I feel a lot better about that now you've said that, actually.
CAROLE THERIAULT. You know I'm an Apple girl, right? So maybe that's why I'm getting twitchy. But while you're reading this, I keep wanting to go point out that it is potential. It is potential. So they found potential vulnerabilities that could have been hacked.
DAVID MCCLELLAND. Yes. And these are proof of concept exploits.
CAROLE THERIAULT. Exactly. So of course, Google's Project Zero team are flexing its muscles, saying, aren't we smart?
DAVID MCCLELLAND. Yeah, exactly.
GRAHAM CLULEY. They are. But they've written the code which demonstrates this. And published it, which demonstrates that this could be possible. Yeah, so it's important people update to iOS 12.4 to protect against this.
DAVID MCCLELLAND. Exactly. Now, it was ZDNet, or ZDNet if you're in the US, which broke the story. And what it did, apart from basically reporting what I've just spoken about, it went and spoke to some exploit vendors and bug marketplaces, and they valued these exploits in total at up to $24 million. Wow. Yeah, that's an awful lot of money. And you know, that's how much some, and I'm doing the big rabbit's ears, security firms might be willing to pay in order that they could then package up those exploits and sell them on to, well, who knows? And that's the really scary thing about the whole black market.
CAROLE THERIAULT. Do we know that Apple has a bug bounty program?
GRAHAM CLULEY. I'm not sure.
DAVID MCCLELLAND. I don't know the answer to that. Doesn't seem like a very Apple thing to do, how you describe it, you know, to go out and say, hey, we've got a bug, you know, apple.com/bug-bounty. Doesn't feel—
CAROLE THERIAULT. Ransomware don't like to be told what to do.
GRAHAM CLULEY. I've just searched.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I've just searched. Yes, Apple do have a bug bounty program and they can offer, I think their top prize on offer is about $200,000.
CAROLE THERIAULT. So that's a little bit nicer than what I've seen from Google. I think Google's was $30,000.
GRAHAM CLULEY. It can go all the way down to $25,000. $5,000 as well. It just depends on the severity of the bug.
CAROLE THERIAULT. I wonder if Google collect the money.
GRAHAM CLULEY. Well, I wonder.
CAROLE THERIAULT. Wouldn't that be a nice twist in the tail? And here's your invoice. Thank you very much.
GRAHAM CLULEY. But you're quite right, David. I mean, these sort of exploits would be very attractive to the NSA, GCHQ, FSB, etc., Mossad. You know, they would all love to scoop up this kind of thing in order to spy on others.
DAVID MCCLELLAND. And we've had some very high-profile, some pretty horrible cases over the last 12, 18 months or so where allegedly smartphones have been bugged, you know, remote access trojans, whatever, running on devices and horrible things have been happening when these kind of exploits fall into the wrong hands. So like I say, good work Google by disclosing this safely to Apple. Apple developing for all except one of the vulnerabilities, and I understand that in iOS 12.4, uh, it failed to fix one of the vulnerabilities, and Google has withheld disclosing the code and how that exploit works. So hopefully that will also be patched in the next few weeks. But something that's happening next week, one of the researchers, Natalie Silvanovich, who found these exploits, is actually talking about this at Black Hat in Las Vegas, which is the big security conference that takes place there every year. And she'll be spilling the beans on even more potential ways in which iOS devices can be attacked, including visual voicemail and so on. So there's a lot more to the iOS attack surface there, including these interactionless vulnerabilities, which are so highly prized.
CAROLE THERIAULT. I haven't heard that term before, interactionless. It's not easy to say. Interactionless.
GRAHAM CLULEY. Maybe if Penelope tried, she'd be able to handle it quite smoothly.
CAROLE THERIAULT. Keep working at it, Graham Cluley.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. So data anonymization sounds pretty dull, doesn't it? And I get it. But it's an important factor that helps us feel secure when we share identifying information, right? So say you have rickets, or say you were the victim of a milkshake attack, or say you suddenly found yourself broke or bankrupt because your partner spent all your cash, right? You don't want any old Joe Schmo finding out about that stuff because it's private.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And you want to manage who knows and who doesn't know. So you might decide to tell the docs all the details but stay stum at work. And you know what, I don't even care who you are, whatever your deal is, there is something private or embarrassing about you on a cloud system somewhere.
DAVID MCCLELLAND. Okay.
CAROLE THERIAULT. You know, something that you'd very much prefer that no average Joe found out about. I mean, remember, Clue, when you had c— problems and you went to the doctors and you got it checked out and then you got the for the dick because she was fucking while she was assessing your anatomy. Okay, don't worry, I'm gonna beep all this out. I'll beep all this out. Okay? But my point is—
GRAHAM CLULEY. It was a medical situation and I could—
CAROLE THERIAULT. But my point is the fucking problems are on record somewhere, right? But you, like everyone else, you're probably not worried about this kind of thing because you know about data anonymization, right? And this is where information is sanitized. And it's all designed to protect the privacy of the individual.
GRAHAM CLULEY. Can I just check, you're not planning to put that out on our Patreon, are you, as bonus content uncensored? I don't really want those stories. Namaste.
CAROLE THERIAULT. Do some yin yoga. You'll feel so much better. Now, it is either in the process of encrypting or removing PII from these datasets, right? So that's what we mean by making it anonymous or anonymizing the data. Like in the context of medical data, you would take out all the information that protects the patient from being identified by someone. So, another medical professional, another hospital might be viewing this dataset, and they don't need to know who you are.
GRAHAM CLULEY. They don't need to know your name, your address, your date of birth, your National Insurance number.
CAROLE THERIAULT. Exactly. They don't need to know any of that stuff, right? In order to make an assessment or to look at the data and make a call on it.
GRAHAM CLULEY. They wouldn't even need to know your weight. They might need to know, you know, might need to know sort of, well, what they might need to know within a, within a band or something. They don't need to know precisely to the pound.
CAROLE THERIAULT. It might depend on what they're working on.
GRAHAM CLULEY. Yeah, yeah, sure.
CAROLE THERIAULT. And like when you go see your doctor, your accountant, or a lawyer, or bank manager, whoever you hang out with, Graham, they may need to deanonymize that data in order to assess your specific case. And this is what deanonymization is, is the reverse of the same process. It's where you cross-reference this anonymized data with another related data source, and then you can re-identify the anonymous data person.
GRAHAM CLULEY. Okay. Yeah. All right.
CAROLE THERIAULT. It's kind of complicated. But as a side note, you might remember that GDPR brought in this kind of nerdy term called pseudo-anonymization.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And this is what— this is another term for it. So this is where you can kind of basically decrypt anonymized data or whatever, not decrypt, but reverse engineer. Ransomware anonymized data to find out who a person is. Now, one last edu point here before we get into my story. It's a big, long segue, long segue.
GRAHAM CLULEY. Yeah. A lot of foundation here.
CAROLE THERIAULT. It's important.
GRAHAM CLULEY. Yep. Okay. Yep. I mean, I'm glad you include that bit about my shit. So that was really helpful. Yeah.
DAVID MCCLELLAND. Yeah.
GRAHAM CLULEY. I'm glad that got in there.
CAROLE THERIAULT. No problem.
GRAHAM CLULEY. That was important.
CAROLE THERIAULT. Namaste. No, that was important.
GRAHAM CLULEY. That was important.
CAROLE THERIAULT. So here's a really important point. Anonymized data is not controlled like data which has personal identifiable information in it. Anonymized data can and is regularly bought and sold without violating any privacy laws. And the idea is that this useful info doesn't infringe on individual privacy and therefore doesn't fall under that law. So we're all with me? Am I sounding like I knit with a single needle or am I making sense right now?
GRAHAM CLULEY. No, I understand. Yeah.
DAVID MCCLELLAND. And that's a really important point, that last point you make, Carole. I think that's the crux of this, isn't it?
CAROLE THERIAULT. Yes, it is. So imagine my surprise when on a beautiful Sunday morning, I'm perusing my news feeds and I see an article in New York Times entitled, "Your data were anonymized? These scientists can still identify you." Right? Now, before we get into it, I have a real problem with the word data being pluralized like that. Do you?
DAVID MCCLELLAND. If you are a scientist, if you come from a scientific background, then data is a plural. I've had this argument. Yeah, yeah, totally. Definitely. 'Datum' is the singular, 'data' is the plural. And if you come from that academic background, that is still very much enforced, dare I say.
GRAHAM CLULEY. I would argue it's the failing New York Times at this point. I find it quite offensive. It just seems wrong to me.
CAROLE THERIAULT. I find it offensive too. It's like I can see data as like the universe, you know? And there's a lot of components inside the universe, right? But we see the universe as a singular concept.
GRAHAM CLULEY. Just so long as it's not data, that's the most important thing.
CAROLE THERIAULT. So here's the upshot of the article. In any case, anonymized datasets often include scores of so-called attributes, right? These are characteristics about an individual or a household. You might remember that massive Experian-Alteryx cyber whoopsie from 2017, where the credit firm left the personal info of a whopping 120 million US households open on an Amazon bucket. That means basically that if any of us knew the URL, we could just type it in and go and visit, and we would be able to see the addresses and the ethnicities and the interests and the hobbies, the incomes and the mortgage details and yada, yada, yada of 120 million households in the US. In the Experian case, there were 248 different attributes or data points for each household. So fast forward to the article, scientists at Imperial College London and Université Catholique de Louvain in Belgium... Excuse me. Excusez-moi, monsieur.
DAVID MCCLELLAND. No, no, no.
CAROLE THERIAULT. Okay. They published that they devised an algorithm that can identify 99.98% of Americans from almost any available dataset, with as few as 15 attributes. So imagine you've got a wealth of attributes, but just let's use Experian that has 250 roughly. You could take any of those 15 and I'd be able to go, I know who you are within a 99.98 percentile.
GRAHAM CLULEY. Which means that there would only be 2 out of every 10,000 who you couldn't do it to. 2 people out of every 10,000.
CAROLE THERIAULT. I don't even know if you're right, but let's just hope you are.
GRAHAM CLULEY. Let's hope I am.
CAROLE THERIAULT. The researcher said, quote, our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards of anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release and forget model.
GRAHAM CLULEY. It sounds horrendous.
CAROLE THERIAULT. There's more. I'd like to know if you guys think this is surprising. The scientists posted the software code online for anyone to see and use.
GRAHAM CLULEY. Yeah, well, that's what researchers do, don't they? Like, show off, say, aren't we clever? Never mind the implications.
CAROLE THERIAULT. Ordinarily, I would argue that when they discover a security flaw, they alert the vendor, government agency, whoever is hosting the data. But because there are mountains and mountains of anonymized data circling worldwide, Dr. de Montjoye.
GRAHAM CLULEY. Which university is he at? Could you just remind me?
CAROLE THERIAULT. That's in Belgium. He says, well, everyone's at risk, so we had to put out the code. So I have a lot of issues with that. I kind of understand, but at the same time, we know about the Experian and many, many, many other hacks where all these datasets have been taken, stolen, and he's just made the job of those people much easier to search and use that and identify people.
GRAHAM CLULEY. Yes, but I mean, I— Yeah, it's a bit of a quandary, this one, isn't it? Because if they simply said it, "Look, we have this ability," then it does kind of disappear from the headlines almost instantly, doesn't it? And get forgotten, and it's yesterday's news. Whereas if you release a tool, that does have the potential for others to try it out and raise the alarm again and again and again. And don't forget that every disaster movie begins with a scientist being ignored. And somehow we need to have them listened to sometimes with this and other important issues.
CAROLE THERIAULT. So an argument I heard in favor, right, and this is still, you know, I recommend everyone reads this article in the New York Times, but an argument they make in there is that other scientists like to double-check facts and figures, right? So by having the code, you can do Yes, that's true. So I can understand that restricting access to the code is challenging. But at the same time, on the other side, you're also impinging on someone's privacy by letting anyone do this.
GRAHAM CLULEY. So maybe if the scientists were only to share it with other people they had confirmed to be scientists— are they wearing a white coat? Do they have a great big forehead and an egghead?
CAROLE THERIAULT. This is why I'm so glad we do this podcast together, because sometimes you're just so smart.
GRAHAM CLULEY. Oh, thank you very much.
CAROLE THERIAULT. You don't have to restrict access to everybody, but you want to control it. So you might say, hey, look, if you prove that to me that you're a scientist or that you have good intentions or you're going to further the cause in a good, healthy, ethical, moral way, then rock and roll. Here you go.
GRAHAM CLULEY. Here's the URL. We've put it on an Amazon bucket. We've given it a good password.
CAROLE THERIAULT. Anyone can get it. Don't share it. Don't, please don't share it with anyone.
GRAHAM CLULEY. Password 123. There you go.
CAROLE THERIAULT. So, yeah, so I don't think it was the right decision to make the code available to anybody to fuck around with. And I agree with you, they probably did it for the headlines, and that's probably why I'm talking about it. But, um, yeah, what do you think, David?
DAVID MCCLELLAND. Actually, where my head was, I was just thinking of a sidebar to the power of deanonymization, and it reminded me when you were talking at the beginning in particular about a story that I saw last week, I think it was, while I was on holiday. I don't know if you saw it too, but basically the Russian intelligence agency, the FSB, was the victim of a data breach.
GRAHAM CLULEY. Oh, bless them.
DAVID MCCLELLAND. You saw that the researchers who got hold of the data saw some of the internal projects that the Russian secret service had been working on, and one of them talked about de-anonymizing users of the Tor browser. So Tor obviously is, you know, the Onion Router. It's the way, a very, very secure, safe way that users are anonymized when they're visiting all kinds of places on the, on the clear web and on the darkweb. Um, and the ability potentially to de-anonymize users who are using Tor is really, really scary for so many reasons.
CAROLE THERIAULT. I think maybe something is right in GDPR. Maybe we shouldn't call it anonymization because it's not— it is pseudo-anonymization. It's a much better word. It's more accurate because you think you're hidden, but all this information is floating. I mean, Clue, the mere fact that I referenced thingy, right? Your little issue.
GRAHAM CLULEY. I think that's the third or fourth time you've done it now. Yes.
CAROLE THERIAULT. Obviously I'll bleep it out in the final production, but it will forever live somewhere in the raw audio file on a big ginormous data cloud somewhere. And now I feel bad because I've exposed you.
DAVID MCCLELLAND. I mean, I didn't.
CAROLE THERIAULT. Well, yeah, you know what I mean.
GRAHAM CLULEY. You don't feel as bad as Dr. You examined me. I'm sure she's still probably having nightmares.
CAROLE THERIAULT. Hey Graham. Yes, there are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control shared access and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at Smashing Security— no, at— check it out at lastpass.com/smashing. We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
GRAHAM CLULEY. Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
CAROLE THERIAULT. And best thing, it's not boring.
GRAHAM CLULEY. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
CAROLE THERIAULT. On with the show.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
DAVID MCCLELLAND. Pick of the Week.
CAROLE THERIAULT. He's such a professional.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my pick of the week this week is not security-related. It is something we've mentioned on the podcast before, although I don't believe it has been anybody's pick of the week. It is a game for the Nintendo Switch. It is the game for the Nintendo Switch. Everybody knows it. It's Legend of Zelda: Breath of the Wild. An extraordinary, incredible game, possibly the greatest game ever written. Absolutely unbelievable. And the reason why it's my pick of the week this week is that my son, when we first got a Switch, we got it with Breath of the Wild. He's 8 years old and he started playing Zelda and he was enjoying it. He got a reasonable way through it, but just in the last week, because it's the summer holidays, he decided to start again from scratch. And basically that's what he's done the entire summer holidays so far.
CAROLE THERIAULT. While you've been working, you've had a nice little Switch babysitter.
GRAHAM CLULEY. Exactly. And he's nearly finished it. He is so close now to killing Ganon. It's unbelievable.
CAROLE THERIAULT. You know, I've played that game and I think I played that game with you, Clue, when I was still in my 20s.
GRAHAM CLULEY. Well, we played earlier versions of Legend of Zelda. Yes, obviously.
CAROLE THERIAULT. Sorry.
GRAHAM CLULEY. Of course. Obviously. We played Ocarina of Time, I think.
CAROLE THERIAULT. Ocarina of Time.
GRAHAM CLULEY. Which was an— which probably was the greatest game at the time. And there've been others like Wind Waker and Majora's Mask and— That's the only one I played.
CAROLE THERIAULT. Yeah. Breath of the Wild.
GRAHAM CLULEY. It has just taken it to a whole other level. So I thought, you know, if you've got a Switch and if you bought Legend of Zelda when you bought your Switch, why not give it another go? Because I'm just astonished how huge this game is and how detailed and how much darn fun it is. On those rare moments I've walked into the sitting room and seen how far he's got, it's truly amazed me.
CAROLE THERIAULT. Do you know what I think is amazing? I think it's so great how you find these little known things that no one's ever heard of and you just bring them to the surface on the show and help people find out about things. It's great.
GRAHAM CLULEY. Sweet. That's a bit snarky for Penelope, to be honest, Carole, to say that.
CAROLE THERIAULT. It was definitely a sweet voice though.
GRAHAM CLULEY. Yeah, well, I don't think that's enough. I think it's the content as well as the delivery which matters.
CAROLE THERIAULT. Oh, you're managing me.
GRAHAM CLULEY. David, what's your pick of the week?
DAVID MCCLELLAND. Well, I don't know if you read or listened to the official Steve Jobs autobiography—
GRAHAM CLULEY. Yes.
DAVID MCCLELLAND. Not autobiography, biography, written by Walter Isaacson all the way back in 2011.
CAROLE THERIAULT. I still haven't read it. Isn't that awful?
GRAHAM CLULEY. I should totally read it. It was really good.
DAVID MCCLELLAND. It is an epic tome. It's the best part of 600 pages, and the audiobook is just a little bit over 25 hours long.
CAROLE THERIAULT. So, long road trip. You were going to Spain and listening to it?
GRAHAM CLULEY. He was rowing to Spain.
DAVID MCCLELLAND. I think, I mean, if you haven't listened to it or read it, whether you're on the Apple or the Android side of the fence, or both like I am, then it's a fascinating insight into the mind of one of the most influential creative technologists of that era. Now, Walter Isaacson's follow-up book to the Steve Jobs book is called The Innovators: How a Group of Inventors, Hackers, Geniuses, and Geeks Created the Digital Revolution. It's quite a long title, but I think it kind of says what it does on the inside, really. It takes a big look at the digital revolution, not through the eyes of a single person. And that's the key thing here, because so many books focus on Bill Gates. Well, actually, there isn't a decent biography of Bill Gates, and I've been looking for one. If anyone knows of one, then please do let me know, because I've not been able to find one yet. But obviously, there's the Steve Jobs book, there's stuff about Alan Turing and Ada Lovelace and so on, and Larry Page. But there isn't anything that talks about the role of collaboration, of innovation, how different people actually work together to create these big innovations. Because obviously, Steve didn't make the iPhone on his own, and Bill Gates didn't make Microsoft on his own. But I know, I know, but you could be forgiven for thinking that that is the case from, you know, the snippets that we get and, you know, the kind of journalistic abbreviations that we use. So this book looks at our major breakthroughs all the way back to Charles Babbage and Ada Lovelace, all the way through Alan Turing and John von Neumann, Bill Gates and Paul Allen. It's the creation story of each one of the movements that they founded, and it goes all the way up more or less to present day. It finishes about 2014 or so. But it covers the birth of Google, the birth of Microsoft, the birth of Apple, and all the way through to Jimmy Wales and Wikipedia as well.
I finished this a couple of weeks ago, just before I went on holiday, and I know it's a good book because I want to listen to it again straight away as a bit of a history geek, as a bit of a tech history geek. Though I didn't realize quite how many holes there were in my knowledge. So I cannot recommend this book highly enough.
CAROLE THERIAULT. I've just put it into my, my bucket, so there you go.
DAVID MCCLELLAND. There we go.
CAROLE THERIAULT. Your sales pitch worked.
DAVID MCCLELLAND. Fantastic. The Innovators by Walter Isaacson. Go and read or listen to it now.
GRAHAM CLULEY. Sounds like a great Pick of the Week. Thank you very much, David. Carole, what's your Pick of the Week?
CAROLE THERIAULT. Well, I'm starting with a question.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. What knowledge do each of you possess that might save your life one day, or my life if you tell me?
DAVID MCCLELLAND. Don't forget your towel.
CAROLE THERIAULT. Okay. Graham, you have any?
GRAHAM CLULEY. You put me on the spot here.
CAROLE THERIAULT. Okay, I'll carry on. And, and you, if you come up with one, you let me know.
GRAHAM CLULEY. Yeah, well, I'll let you know as you're choking or flapping around on the floor. I'll say, no, Carole, don't worry, it'll come to me in a moment. What I'm supposed to do. Don't worry, it'll come to me.
CAROLE THERIAULT. I know that one. Okay, so basically my pick of the week this week is an Ask Reddit article, right? So AskReddit is a subreddit, and the article is called "What Knowledge Might Save Your Life One Day," right? And this is one of those clickbaity titles that occasionally I might fall for at 8:30 in the morning while I'm sucking back my first coffee of the day. And I clicked on it, and what a treasure trove.
GRAHAM CLULEY. Check it out.
CAROLE THERIAULT. Now, the thing is, is I knew a few of them, and the ones I knew, I was like, yeah, I agree, good advice, right? And the ones I didn't know sounded like good advice, but it could really be not good advice. Like one of them, here's one, right? If you're ever charged by a moose, get behind a tree. They have about a 10-inch blind spot and they'll lose you.
GRAHAM CLULEY. That actually is excellent advice.
CAROLE THERIAULT. If it's true.
GRAHAM CLULEY. Oh, I'm sure it's true. It's on Reddit, Crow. It's on the internet. But the other thing is about the moose's blind spot, it's also well worth bearing in mind if you're ever on a motorbike and overtaking a moose, right? To know about their blind spot as well. So make sure to be careful with that.
CAROLE THERIAULT. Okay, here is one I thought was quite good, right? If you fall into cold open water, resist the urge to swim and try to float.
GRAHAM CLULEY. Oh, I know this one, yes.
CAROLE THERIAULT. Until the onset of panic subsides.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Once you've got your breathing under control— now, as a lifeguard, and I can say this is absolutely 100% true, and I have actually had to save people before in rough waters and currents.
GRAHAM CLULEY. Because people panic, don't they? And they're flapping around.
CAROLE THERIAULT. You almost want to punch them in the head so they stop trying to grab you and drown you. In those situations. It can be really scary as a lifeguard.
GRAHAM CLULEY. And they've had the shock— sorry, Carole, I know you're a lifeguard, but let me speak. They've had the shock. They've had the shock of falling into the cold water as well.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Which is obviously— so the thing to do is be like Penelope, right? Is to be calm, be serene. Namaste it out.
CAROLE THERIAULT. Yeah, do a little startle fish.
GRAHAM CLULEY. Namaste.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. And then once you've just got your composure, then start swimming to safety.
CAROLE THERIAULT. Now, listen to this, right? On this thread, so I looked at this this morning. And I just looked before the show, and when the last time I looked, there were over 30,000 comments on this thread. Okay.
GRAHAM CLULEY. Oh my goodness.
CAROLE THERIAULT. So a lot of people, that's a lot of life advice. It's a ton of life advice. So check it out. It's on Ask Reddit, and I'll put the link in the Smashing Security website show notes.
GRAHAM CLULEY. Wouldn't it be good if we could get this as an audiobook?
CAROLE THERIAULT. Well, don't worry. I've already thought about that. I was thinking, who owns this content? Couldn't I just slap this into a little book for Christmas, make it available to everybody, choose my favourites, as curated by Carole Theriault.
GRAHAM CLULEY. Just have a little legally saying you haven't actually tested anything.
CAROLE THERIAULT. Yeah, TM Carole Theriault. Nice.
GRAHAM CLULEY. All right, good. Well, Carole, on that life-saving note, I think we've just about wrapped up the show this week.
CAROLE THERIAULT. We have.
GRAHAM CLULEY. David, thank you so much for joining us once again. I'm sure lots of our listeners would love to follow you online. What's the best way to do that?
DAVID MCCLELLAND. It is probably on Twitter @DavidMcClelland, all the L's, all the C's, and a few vowels chucked in for good measure. But I'm sure you will mention me on the @SmashingSecurity Twitter as well this week. So follow me there.
GRAHAM CLULEY. There we go. And yes, you can follow us on Twitter @SmashInSecurity, no G. Twitter allows to have a G. We have a G everywhere else, but not on Twitter, including on Reddit where we've got an active community as well. And if you want to support the show, you can also go to our Patreon page.
CAROLE THERIAULT. Yeah, and huge thank you to this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers. As always, virtual hugs to you all, you wonderful listeners, and welcome to our brand new Patreon subscribers. My screen's frozen, so I don't know what else I say.
GRAHAM CLULEY. Until next time, cheerio, bye-bye everybody, adios! Hasta luego.
-- TRANSCRIPT ENDS --