
132: CBP cyber attack, an iPhone privacy boost, and Twitter list abuse


United States Customs and Border Protection had sensitive data stolen, but the hackers didn't have to breach its network. Apple has ambitious plans to make iPhone users safer online. And trolls are using Twitter lists to target their victims.

All this and much much more is discussed in the latest edition of the MULTI-AWARD-WINNING "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.

Visit https://www.smashingsecurity.com/132 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Okay, so let's see if we get this right. So this is like me. So I get a job with the government.


MARIA VARMAZIS. I'd like to see that happen.


CAROLE THERIAULT. I get a job with them. What are you talking about? I'm an angel.


MARIA VARMAZIS. No, but that would make you terrible for that job.


UNKNOWN. Smashing Security, episode 132: CBP Cyber Attack. Ransomware, an iPhone privacy boost, and Twitter list abuse with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 132. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week by the ever-popular Maria Varmazis. Hello, Maria.


MARIA VARMAZIS. Hi! Yay!


CAROLE THERIAULT. Fans go wild!


MARIA VARMAZIS. Oh my God, that's awkward. I'm always happy to be here. Thank you for having me.


GRAHAM CLULEY. Well, we're delighted to have you back on the show because it is something of a mini celebration today because—


CAROLE THERIAULT. not that many.


MARIA VARMAZIS. I say yay for you both. Non-sarcastic applause.


GRAHAM CLULEY. Because if you haven't been following us on Twitter or Reddit, first of all, where have you been? But secondly, you may have missed the news, right? We had big news last week, didn't we, Carole, when we were up in London? We did.


CAROLE THERIAULT. We won best cybersecurity podcast at a Blogger Awards that's affiliated with the Infosecurity Show. Pretty exciting.


GRAHAM CLULEY. Basically, it's a flipping big deal. This is like getting a Tony or an Emmy or an Oscar. Exactly. One of those. And we now are the proud owner of our second best podcast trophy. Carole, I believe you're going to keep this one in your lavatory at home. Is that right? Not actually in the lavatory.


MARIA VARMAZIS. For what purpose?


CAROLE THERIAULT. No, it will be nowhere near the lavatory. That would be a horrific place to put an award.


GRAHAM CLULEY. But what we need to do is we need to thank everybody who voted for us. Thank you very much if you did that. Thank you for listening to the show. And for choosing us. You voted, Maria Varmazis?


MARIA VARMAZIS. Yeah, I did, I sure did.


GRAHAM CLULEY. Anyway, enough of the self-congratulation.


CAROLE THERIAULT. Well, it's not self-congratulations. We're saying thank you to everyone who helped us get where we are now. That includes listeners, sponsors, people who voted. You all rock.


GRAHAM CLULEY. Absolutely. What's coming up on this week's show, Carole?


CAROLE THERIAULT. Well, thanks to this week's sponsors, LastPass and Edgewise. Their support helps us give you this show for free. Now put your hot cuppas down, folks. We don't want any spillages during this episode of Smashing Security. Graham checks in with US borders to find out exactly what the hackers got away with. Maria heads to the Apple Grove, delving into all things iOS 13. And last but very much not least, I look at a new way Twitter trolls might be targeting folks. All this and more coming up on this episode of Smashing Security.


GRAHAM CLULEY. I want to talk to you about the United States Customs and Border Protection force, the CBP.


MARIA VARMAZIS. Oh yes.


GRAHAM CLULEY. They are the largest federal law enforcement agency at the Department of Homeland Security. And of course, they're doing a very important job. They're stopping unauthorized immigrants from entering the United States of America. And in the absence of a huge, huge, beautiful wall, it's up to the CBP to police the border with Canada, preventing Winnebagos crammed full of lumberjacks from entering the country illegally. I'm sure you appreciate that, don't you, Maria?


MARIA VARMAZIS. You mean the Americans trying to go into Canada, right?


GRAHAM CLULEY. I'm not sure which way it works. But, you know, basically there's a lot of Canadians trying to sneak in. They've got harmful imports, maple syrup, universal healthcare, gun control, all those sort of things.


MARIA VARMAZIS. Weed. Yeah, weed.


GRAHAM CLULEY. Now, it's quite possible that CBP also keep an eye on The United States have other borders as well, but we never hear about those. Anyway, they are in the news this week for a security screw-up.


MARIA VARMAZIS. What?


GRAHAM CLULEY. Because—


MARIA VARMAZIS. No.


GRAHAM CLULEY. Yes. It's hard to believe. It's hard to believe a government agency have messed up when it comes to security. Not because they allowed some Canadian bacon to be snuck over the border.


CAROLE THERIAULT. Very cute, Graham.


GRAHAM CLULEY. But instead, because they have been careless with their data, or so it appears.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now, Customs and Border Protection, they have confirmed publicly that hackers stole the photographs of travelers and vehicle license plates traveling in and out of the United States.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Now, you're probably imagining that the hackers broke into the government computers or something like that, but—


CAROLE THERIAULT. Yeah, right. Into the network where they have a cache of images or something.


GRAHAM CLULEY. Not at all.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. The CBP's personal security, their actual organisational security, their network wasn't infiltrated by hackers.


CAROLE THERIAULT. Bravo.


GRAHAM CLULEY. Instead, it appears that a subcontracting company working for the CBP copied the photos of travellers and licence plates onto its own computers.


MARIA VARMAZIS. No!


GRAHAM CLULEY. Which was in violation of policies and without the knowledge or authorisation of the CBP.


CAROLE THERIAULT. Oof.


GRAHAM CLULEY. And that subcontractor then suffered a malicious cyberattack.


CAROLE THERIAULT. Okay, so let's see if we get this right. So this is like me. So I get a job with the government, with the CBP.


GRAHAM CLULEY. Yes.


MARIA VARMAZIS. I'd like to see that happen.


CAROLE THERIAULT. I get a job with them. What are you talking about? I'm an angel.


MARIA VARMAZIS. No, but that would make you terrible for the job.


GRAHAM CLULEY. Yes, yes. You're not qualified, girl.


MARIA VARMAZIS. I'd be like, come on in, guys. Have you been to the United States?


CAROLE THERIAULT. Come on in.


MARIA VARMAZIS. Everyone's welcome. Let's have a party.


CAROLE THERIAULT. I know. Okay, right. Okay, so I get a job kind of manning the borders, and I'm a consultant for the CBP, right?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And I'm taking pictures of all this stuff for the CBP, but as well as giving them, I keep a copy secretly and put it on my own network at home, which does not have the right protections in place to protect me from said cyberattack.


GRAHAM CLULEY. It's a bit like that, or it's a bit like if you posted it up on Pinterest or your Tumblr, pictures you were taking at work.


MARIA VARMAZIS. Or it's like if you had sensitive data at your job and then you copied it to your personal laptop and then you lose your laptop in a cafe. Right. I have never... I'm sure you haven't.


CAROLE THERIAULT. I have never copied a phone number over and sent it to my personal Gmail.


MARIA VARMAZIS. Never, ever. No one's ever done homework on the weekend, you know. No, and lost it in a taxi.


GRAHAM CLULEY. The reality is this is something which happens all the time, right? People take their work home or they send it to their Gmail or Yahoo account or they copy it onto their laptop because they want to do some extra work. In this case, this subcontractor, we don't know exactly why they did it, but according to the CBP, less than 100,000 people have been affected, and it was a few specific lanes at a single land border over a period of a month and a half. So passports and other travel documentation weren't compromised, and it appears that air travelers aren't included in the haul.


MARIA VARMAZIS. Just your faces are compromised, that's all. Right, yeah.


CAROLE THERIAULT. Okay, is it possible that it's just one bad apple in this subcontracting unit that did it, if it's a few specific lanes at a particular land border?


GRAHAM CLULEY. It's a bit of mystery as to why this happened. And it's possible that they were taking the data maybe to, maybe to do some troubleshooting, or maybe they needed a sample of data because they were wanting to analyze pictures and see whether their analysis would work better. And they obviously couldn't do that on a government computer without permission. They're thinking, oh, we've got access to this data, we're able to see it, let's hoover it up.


CAROLE THERIAULT. Yeah, hoover the data and let's see what we can do.


MARIA VARMAZIS. So this is not a supply chain attack where somebody compromises a subcontractor and then pivots into the main network. This is somebody messed up policy-wise. So that's a—


GRAHAM CLULEY. Yeah, it appears the hackers never managed to gain access to the CBP actual network. So it was just the subcontractor, but obviously the implication is kind of the same.


CAROLE THERIAULT. Exactly. Yeah.


GRAHAM CLULEY. And this is the issue is whether subcontractors working for your organization are treating your data securely and if their security is as good as yours. And it's hard to know. I mean, everyone's going to say and rubber stamp it and say they're doing a good job, aren't they?


CAROLE THERIAULT. Are they? Are they gonna say that? Oh yeah, I suppose if they want the contract.


GRAHAM CLULEY. If they want the contract, or they may be completely unaware. They may think, yes, of course we take security seriously.


MARIA VARMAZIS. Yes, can you imagine them going, to be honest, I'm doing a terrible job with my security. Just be real.


CAROLE THERIAULT. Look, I'm the IT guy and I have no idea what I'm doing.


MARIA VARMAZIS. All cards on the table, I'm shit. But like—


CAROLE THERIAULT. Can I have the job?


MARIA VARMAZIS. Please give me money, yeah.


GRAHAM CLULEY. Now the CBP hasn't named the subcontracting company that was actually hacked. Presumably they want to save it some embarrassment. However, the cat might have been let out of the bag.


CAROLE THERIAULT. Meow.


GRAHAM CLULEY. Very good.


MARIA VARMAZIS. Thank you.


GRAHAM CLULEY. You see, there's only one US government contractor which provides license plate reading technology at the US's land borders.


CAROLE THERIAULT. Okay, so hardly an investigative journalist job here.


MARIA VARMAZIS. Real gumshoe work. Yeah, okay.


GRAHAM CLULEY. And that particular contractor is a Tennessee-based company by the name of Perceptics. And basically their technology says, well, look, we can recognize cars and their drivers from camera footage, right? All very cool if you want to do that kind of thing. Now, when the CBP shared its press statement regarding the security breach, they sent to journalists at the Washington Post a Word document. And although they didn't name the contractor in their statement in that Word document, they did send the Word document with a file name which included the name Perceptics.


MARIA VARMAZIS. What?


GRAHAM CLULEY. Which did rather let the cat out of the bag. So you can put one and one together and easily make two.


CAROLE THERIAULT. Well, it may be that they did that on purpose as well.


MARIA VARMAZIS. Yeah, we're not saying, but we're kind of saying.


GRAHAM CLULEY. Oh, I see. You're like, we don't want to name them, but actually we're really pissed with them.


CAROLE THERIAULT. Oops.


MARIA VARMAZIS. Yeah, cruel. You know what I'm like, oh, oops, I dropped this. Hope nobody sees that. Yeah, exactly.


GRAHAM CLULEY. Now, to add to the intrigue, just a couple of weeks ago, the Register was contacted by someone who called themselves Boris Bullet Dodger.


CAROLE THERIAULT. Nice.


MARIA VARMAZIS. Subtle. Okay. Yep.


GRAHAM CLULEY. Now, Mr. Bullet Dodger, he shared with The Register evidence that suggested hackers had made available on the dark web hundreds of gigabytes of data seemingly snarfed up from Perceptics servers, including databases, spreadsheets, HR records, business plans, financial figures, personal information, and yes, thousands and thousands of images of what appeared to be license plate captures. That happened a couple of weeks ago.


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. That's not the only data, though, that they actually managed to snarfle up from the Perceptics network, because they also took a few MP3 files from users' desktops, including—


MARIA VARMAZIS. This is the best part.


GRAHAM CLULEY. Including Superstition by Stevie Wonder, a variety of AC/DC and Cat Stevens songs.


MARIA VARMAZIS. I'm thunderstruck.


GRAHAM CLULEY. And— very good. And Wannabe by the Spice Girls.


MARIA VARMAZIS. Oh yeah. That's my jam.


CAROLE THERIAULT. Do you think they just hoovered up everything and that came along, or do you think those were individually selected?


GRAHAM CLULEY. It looks like somebody completely owned the Perceptics network.


MARIA VARMAZIS. If you wanna own Perceptics, you gotta get with my friends.


GRAHAM CLULEY. Now you definitely wouldn't want that falling into the wrong hands. But no, but there's clearly a significant amount of sensitive information here which has fallen into the hands of hackers about the monitoring of US borders. And that's pretty embarrassing, isn't it? So the important thing to remember is this, right? The US government contractor, which may or may not have been Perceptics, they didn't have permission to move the data to their own systems.


MARIA VARMAZIS. Right.


GRAHAM CLULEY. Maybe they did it for testing purposes or troubleshooting, we don't know, but it probably wasn't done with malicious intent. But the point is they didn't seek authorization and lo and behold, their security was insufficient.


MARIA VARMAZIS. Surprise.


GRAHAM CLULEY. And the CBP would never have given them permission to do this because obviously it would have been quite sensitive and they don't like to bring themselves into controversy, do they? They don't like to have people pointing a finger at them.


MARIA VARMAZIS. So basically an American government agency and their American subcontractor messed up and compromised the info of non-Americans. Most likely a lot of people who are not American, that somehow seems about right.


CAROLE THERIAULT. Well, they have all yours after the Equifax.


MARIA VARMAZIS. Oh yeah, that's like not even— every American's got their info, like forget it.


GRAHAM CLULEY. Yeah, exactly. Why worry, right?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Everyone can join the party now. Just go to America. Finally. Fantastic.


CAROLE THERIAULT. Everyone's invited, let's go.


GRAHAM CLULEY. Maria, what's your story for us this week?


MARIA VARMAZIS. As we mentioned at the top of the show, I'm going to be talking about Apple and iOS 13, which was recommended to me by a number of folks on Twitter. So thanks Twitter netizens, I was kind of feeling lazy and didn't know what I wanted to cover this week, so I appreciate the tip from everyone. The iOS 13 beta is currently in developer-only beta, but it'll be in public beta later this summer. And iOS 13 is the new upcoming version of Apple's iOS for your iPhone.


CAROLE THERIAULT. Yes, quite exciting.


MARIA VARMAZIS. They always roll out some interesting new features, and I don't want this to be just a rehash of the Apple press release. Like, there's, there's some interesting stuff here, so I wanted to call out two specific security and privacy features that Apple's announcing, 'cause there's some stuff there we should dig into.


GRAHAM CLULEY. Okay, sounds good.


MARIA VARMAZIS. Okay, so first, Apple's going to be slapping greedy apps that want all your location data all the damn time. So up until now, up until iOS 12, you can set location data to be shared with an app either always, while the app is in use, or never. Yeah, right. So they're now gonna be rolling out a new option that says location sharing, allow it just once. So basically, hey, you app, you need to ask me every damn time you want to use my location. I'm pretty sure that Android users have had that option for a while. I'm pretty sure. Don't quote me on that one, but that's a great option. I think I would definitely be using it a lot.


CAROLE THERIAULT. But I kind of already do that, but in a much more manual way, right? So I have it all off on most apps all the time, right? And then I'm like, oh yeah, okay, now I'm using this map app to get from A to B, so I'll turn on location data for the length of my journey and then turn it off at the other end. But you do have to remember to turn it off. You have to check your phone a lot. It tends to be— when I go to the loo, I just check my settings.


MARIA VARMAZIS. Well, it's a very productive time for your poo time, you know, whatever. Yeah.


GRAHAM CLULEY. But that's quite interesting, Carole. So if you turn it on, it doesn't— other than the bit about going to the loo, but if it doesn't turn itself off at the end, so if you allow it just once, Maria, to say, yes, you can use it during this session, when does it turn off?


MARIA VARMAZIS. That's a great question. I can't tell you specifically. I have not been able to use the public beta yet. It's not out. Okay.


CAROLE THERIAULT. Anyone out there listening who's used this and checked it out, please tweet us and let us know.


GRAHAM CLULEY. Okay.


MARIA VARMAZIS. Yeah, I think some of our listeners have the developer beta access, which I don't have yet. So if they know, I'd love to know that.


CAROLE THERIAULT. Awesome.


MARIA VARMAZIS. I agree, Carole. I do the same thing. Everything is off, and then if it really nags me, I might turn it on, and I have to remember to turn it off again, which is annoying. Doable. Annoying but doable.


CAROLE THERIAULT. Yeah, there's something I want to complain about at some point. I'll do it later, but I have an Apple thing I really want to complain about.


MARIA VARMAZIS. Yeah, that sounds good. That sounds good. Yeah, so as part of this, in addition, Apple will also show you the location data that your app is receiving. So quite literally, they will put the locations, like coordinates, on a map on a screen and say, hey, this is literally all the data this app is getting from you about where you are. Do you still want them to have this?


CAROLE THERIAULT. I love this so much because this is actually translating what it means that when they say hoovering up your location data, you see how exact it is, like within a few feet.


MARIA VARMAZIS. They're right. Yeah, it's like you might be thinking they know generally, like maybe what state I live in, but no. For example, I saw somebody tweeting about this because they had developer beta access. This person's name is Sam Sophos. I probably mispronounced his last name. Sorry. And he tweeted what that actually looks like on the iOS 13 beta. And he got a notification about his Google Nest thermostat saying it's been using his location in the background. And then the map shows all these light and dark circles over all the coordinates, basically all over all of San Francisco. It's like block by half block by half block.


GRAHAM CLULEY. Well, hang on. Why is his thermostat traveling across San Francisco?


MARIA VARMAZIS. Right, like why does his thermostat, yeah, why?


CAROLE THERIAULT. Because it's his phone.


MARIA VARMAZIS. It's connected to your phone.


GRAHAM CLULEY. Yeah. Oh, I see.


MARIA VARMAZIS. Yeah, his Nest thermostat knows where he lives, as another Twitter user said, where he lives, where he works, his favorite restaurant, his gym, where he shops. Like, why does your thermostat need that information?


CAROLE THERIAULT. Why is that needed? And not just Nest, right? That's Google services. So like all your location data is being, yeah. And why exactly, Graham? Good question.


MARIA VARMAZIS. Why? Wait, and that's the question that I think Apple's trying to get its general users to start asking itself is going, wait, why do you need that? Actually, maybe I'll turn that off.


GRAHAM CLULEY. I mean, the only thing I can think of is maybe if you were in a different time zone, so it may collect time zone data if you wanted to control your thermostat back at home through WhatsApp.


MARIA VARMAZIS. Are we really defending this?


GRAHAM CLULEY. No, I'm not. I'm just struggling to understand why it would even be interested in that data.


MARIA VARMAZIS. Because they can. I think it's just because if you're going to offer it up, they'll be like, I'll take it.


CAROLE THERIAULT. Yeah.


MARIA VARMAZIS. All right.


CAROLE THERIAULT. And you know, yeah, Google has shown itself to have such restraint when it comes to our information and privacy. And let's be real, it's not just Google.


MARIA VARMAZIS. Any app developer, they're like, I'll just take your data. I'm not going to protect it, as we well know. I'll just grab it and hoard it like I'm a squirrel with lots of acorns, and I'll figure out what to do with it later.


CAROLE THERIAULT. You are like a squirrel right now. I need a snack. I need your old Pocky face.


MARIA VARMAZIS. Yeah, the data. And just a little footnote to the Apple location data thing, they're going to also apply these limits to apps that also try to sniff out location via Wi-Fi and Bluetooth, like those guys that try to circumvent those location sharing permissions by figuring it out through Wi-Fi and Bluetooth. They're tamping down on that as well. So, I don't know the technical details. This is what they've said, but I think some of our listeners may know, and when I get my hands on the public beta, I will try that out for myself. So, that's location data. That's iOS 13's location data update. Now, let's get to what I think is the even juicier bit. I'm curious to hear what you think. So, as many listeners know, I am basically contractually obligated to mention Facebook every time I'm on the show. So, I'm—


GRAHAM CLULEY. But not in a positive way. Not in a positive way. It's not like they're paying you.


MARIA VARMAZIS. No, they are definitely not paying me. I mean, they're very free to. They've got a lot of money. No, they're not paying. So tell us, what—


GRAHAM CLULEY. so this single sign-in from Apple.


MARIA VARMAZIS. Yeah, so they are entering the third-party sign-in game directly in competition with Facebook and Google, and they are requiring it. So all developers who are making or updating their apps for iOS 13 were told in writing, if you offer third-party sign-in for your app, you must put in Apple's third-party sign-in option as well. You don't have to put it first, but it has to be there. So it's a requirement. And the reason that Apple's offering is different from what Facebook and Google are offering is that instead of offering up your personal details on a silver platter for that app or website service, you can actually ask Apple to sign you up and sign you in with essentially anonymized data.


CAROLE THERIAULT. I've been thinking about this thing from Apple. Yeah. Like they can hide your own email address and get you in without providing any personal information to the third party.


MARIA VARMAZIS. Right. So Facebook, if you use Facebook or Google's third-party sign-in, it'll give the app developer not just your name and your email, but they'll pass along any other data that they've got on you that the app developer wants. Right. Apple says, I'm taking their word for it right now because I can't dispute it, Apple says they will only give the name and email, nothing else about you. Apple will not track you on the phone either, so it won't have any data on you. That's just what they say anyway. And Carole, as you mentioned, you can actually ask Apple to basically sign you up for that service with a burner email. So Apple will generate a random email address that forwards to your real email, so the app guys don't get your real email and you can just disable that burner email at any time if the app starts spamming you. So like if you've been using 10 Minute Mail for years to get around, uh, app signups, this sort of allows you to streamline that process.


GRAHAM CLULEY. And the beauty of this, of course, is that those email addresses are going to be unique, just like your password should be unique. And so it'd be difficult for the app developers, or big tech companies, to begin to piece together a picture of who you are based purely on your username.


CAROLE THERIAULT. Right. It's a serious game changer, I think. Also, because I use a lot of Apple products for the last, whatever, 10, 15 years, they basically know everything about me already. So I'm in bed with this. I like this. I trust them. I use their services. I buy their very expensive products. Love some of them, like others.


GRAHAM CLULEY. But because you're actually paying them quite a lot of money, Carole, for that hardware and for that software, they have less interest in collecting a huge amount of personal information about you.


MARIA VARMAZIS. Right. They've got a lot of—


GRAHAM CLULEY. Compared to some of the other tech companies.


CAROLE THERIAULT. Yeah. Hey, you know what I admire? They could be also doing that, right? They could be charging an arm and a leg for their tech and also collecting and selling off my data. Yeah. But they've chosen not to. So in this day and age where everyone's making money through data hoovering and data reprocessing. And ads and ads and ads. They are really playing a really big differentiator game. And I think it's excellent. Yeah.


MARIA VARMAZIS. I think it's really exciting. It's sort of the luxurification of privacy. So as long as you can afford to— I mean, I'm not saying that you can't get privacy outside of an Apple product, but Apple is making it part of their differentiator that, hey, we make privacy even easier for you as long as you can afford our products and are always locked into buying our products. We'll give you this as part of the overall experience.


GRAHAM CLULEY. One of the things I like about this, and of course we'll have to wait until it all rolls out properly so we all get a copy of it and make sure that it works properly. But from the sound of things, this could address that issue, which we so commonly see about where a website is hacked. And the hackers then have your username or your email address and your password, and they use that password with that email address against all manner of other online accounts. Yes. With this, because each username is unique, they won't be able to use that username to break into your Gmail or your Amazon or anything else. Right.


MARIA VARMAZIS. Credential reuse is basically taken away here. So that's a differentiator from Facebook and Google as well. You don't have that unique username.


CAROLE THERIAULT. Are you saying it makes hacking exponentially harder?


MARIA VARMAZIS. It, it, it, I think it honestly, as you said, it's a game, it's a potential game changer. I'm trying not to sound like I'm working for Apple PR, but there is a lot here that's like making privacy easier, basically circumventing the whole begging and pleading for people to use unique passwords, you know, that, you know, keep an eye on when their credentials get pwned. The options that we'd given people were: take care of all this kind of manually and figure it out for yourself, or if you want to use something a little easier, like a third-party sign-in with Facebook or Google, be okay with divvying up all your private info and giving that away. And now there's like this nice other option, where you can actually maintain what sounds like a pretty good sense of privacy and not give away all this demographic info. Like, that's pretty fantastic. The other thing with this whole third-party sign-in is that to use it, you have to have 2FA enabled. You have to have two-factor authentication enabled. So if you are not okay with Apple owning your biometrics in some way with Face ID or Touch ID, you won't be able to use this. But that's the factor that it uses to authenticate you. So, exciting if you're trying to adopt two-factor authenticating, a little, mm.


CAROLE THERIAULT. Oh, so you can't authenticate with a password, is what you're saying?


MARIA VARMAZIS. Correct. You have to use Face or Touch ID as your second factor.


CAROLE THERIAULT. Oh, you see, that's interesting. I don't like that. Yeah.


MARIA VARMAZIS. And I, that one I haven't seen mentioned many places. It's like, oh, it uses two-factor authentication. I'm like, great. That's awesome. But that specifically is Face or Touch ID, or at least that's what it sounds like right now when I was reading through the documentation.


GRAHAM CLULEY. Although of course, maybe that will encourage people who leave their phones permanently unlocked to enable Face or Touch ID to actually—


CAROLE THERIAULT. But why can't it be a password too?


MARIA VARMAZIS. Well, it's not a two-factor in that case, right? It's got to be not just something you— Well, it could be a second password as well.


GRAHAM CLULEY. It feels to me like I have to say, I'm going to be optimistic about this because there are gazillions of people out there who are using Apple devices who may very well begin to use this feature when they sign up for sites. And I have some more trust at the moment, I think, that Apple is going to get it right than the typical human being would in terms of choosing their email address and password.


CAROLE THERIAULT. Yeah, or Google or Facebook, who've had 10 years to work on this and have basically just let us down.


MARIA VARMAZIS. Yeah. As I said earlier, I'm a little like, uh, about the idea of privacy being a luxury that you have to buy into from Apple. But there are ways to do this on your own, but it's just a lot harder.


CAROLE THERIAULT. Lots of great things, though, come into the world and they're expensive at first, like solar panels.


MARIA VARMAZIS. Yeah. I hope this inspires others to follow in this example. I mean, I really do. And I mean, the way it's— Apple is selling this to its developers, who I'm sure are kind of like, eh, about this whole thing about getting less data, is that Apple's saying, hey, if you're getting this anonymized, uh, user info from us, you can be sure that it's an actual real user trying to sign into you as opposed to some spammer. So that's how they're angling it. Yeah. I don't know if that tracks, but that's what they're saying. Watch the space. Yeah. All right. So what was your complaint about?


GRAHAM CLULEY. I think, yes, you have a complaint about Apple that you want to share with everybody.


CAROLE THERIAULT. Oh, yeah. Well, my complaint has to do with Bluetooth. Yes. Right. So I don't use Bluetooth headphones very often. When I connect, when I need to use Bluetooth, like I do with my location sharing, I like to turn it on and I like to turn it off, right? So my normal protocol would be to have Bluetooth off by default and then I would turn it on. It seems as though every time I turn it off, it says, oh, okay, we'll keep it turned off for 24 hours, then turn it back on for you tomorrow.


MARIA VARMAZIS. Yeah, it's annoying.


CAROLE THERIAULT. And there's no way you can get out of that.


MARIA VARMAZIS. I hate that. Yeah, I hate that it decides that it's gonna turn itself back on for you. Yes. It drives me crazy. Well, hang on.


GRAHAM CLULEY. How are you turning it off?


CAROLE THERIAULT. What do you mean how I'm turning it off?


GRAHAM CLULEY. How do you turn it on and off?


CAROLE THERIAULT. Well, I turn it off probably normally using the little swipe up screen, whatever that's called. Ah, right.


GRAHAM CLULEY. See, that's the mistake.


CAROLE THERIAULT. Is that my problem? That's your problem.


GRAHAM CLULEY. If you do it that way, you're right. It does kind of say, oh, well, we'll just temporarily do this. I think if you go through settings, then it will permanently turn it off.


CAROLE THERIAULT. All right. I'll check it out.


MARIA VARMAZIS. Yeah, we'll try that. I think that sounds right to me as well. It seems it shouldn't be buried like that.


GRAHAM CLULEY. Just call me an Apple genius.


CAROLE THERIAULT. Well, I'm not until I try it, until I use it. I think you'll find— I'll wait. I'll wait till I find it.


GRAHAM CLULEY. Pretty sure it's going to work.


CAROLE THERIAULT. I need proof. I need proof.


GRAHAM CLULEY. Pretty sure.


CAROLE THERIAULT. Pretty sure it's going to work out. Take his word for it.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. OK, Twitter. We're talking Twitter now. Both of you, Graham and Maria, you're both avid Twitter users. And I wanted us to analyze the guts of this CNBC article and see what you guys think. So aside from following specific people and reading, liking, or replying to their tweets, you can also create lists of accounts that you want to follow.


MARIA VARMAZIS. Yes. Yes. That's right.


CAROLE THERIAULT. Right? So a Twitter list is basically, for those who don't know, is a list curated by you or by someone else. You can create your own list to subscribe to certain accounts. Lists that are created by others. You can actually subscribe to other people's lists so you can save yourself the work, I guess. So for example, if Graham was following infosecbods, I could follow his list if it was public and, and, you know, basically hoover up all the data that you get. Yes.


MARIA VARMAZIS. Yep.


CAROLE THERIAULT. And you can also see a list timeline. So you can see a stream of tweets from the accounts that are actually on that list alone. Yeah.


MARIA VARMAZIS. It's like a recommendation that you curate, right? Right. These are people that are worth listening to.


GRAHAM CLULEY. I find it very handy, actually. I'm not sure how people manage to use Twitter without lists. Because if you follow any number of people, a certain number of people, it's impossible to keep track of it all. So I sort of have a list which is "don't miss." So people who I definitely want to see every sort of tweet from those small number of people there. And then I have my timeline. I might have a Doctor Who list, a chess list, and other things which I'm interested in.


CAROLE THERIAULT. Well, this might be why you're much more interested in Twitter than I am, because I have no lists.


MARIA VARMAZIS. Oh, right. Oh, wow. Yeah, you're missing out on an actually decent feature.


CAROLE THERIAULT. Yeah. Well, am I? Because listen to this.


MARIA VARMAZIS. Dun, dun, dun.


CAROLE THERIAULT. Did I set you up for that? So according to a CNBC article published this week, a few people have complained about suddenly receiving a barrage of hateful tweets, almost like someone has put a bullseye on their Twitter back.


GRAHAM CLULEY. Oh no, this would never ever happen on Twitter.


MARIA VARMAZIS. People would never send harassment on Twitter.


GRAHAM CLULEY. No one would be mean on Twitter.


MARIA VARMAZIS. This is nonsense. Fake news.


CAROLE THERIAULT. But it seems as though these trolls were coming out of nowhere and suddenly accusing them of all sorts of stuff that they didn't necessarily believe or support. So they're getting all these awful tweets and they decide to do some digging and they're kind of trying to go, what the heck is going on here? And they discovered something rather interesting. And it seems that Twitter lists is the culprit. Okay. Interesting. Okay. So while Twitter lists are normally a cool, useful thing, some users have figured out how to use Twitter lists to troll people. And here's how it works. It turns out that the victim Twitter accounts are being added to questionable lists, lists that seem solely created to maybe embarrass the owner of that Twitter account or to call trolls into action to fire hateful and bullish tweets at the targeted victim. Okay. We're talking lists here with names like Black Racists.


GRAHAM CLULEY. Oh. So yeah. So you, for instance, Carole, you might be added to a list called Apple Fans or something. And Maria, you'd be like, Deep Space Nine dweebs. No, no, no.


CAROLE THERIAULT. It'd be more like I would be added to a list called Apple fans suck.


GRAHAM CLULEY. Oh, I see. Or I see shills. Yes. Or something like that.


MARIA VARMAZIS. Oh, shills. OMG. Yes.


CAROLE THERIAULT. For example, Graham, you might create a list called my favorite people where Maria and I would be featured very highly there. Maria, yeah. And just like you could create a list like that, a troll could create a list of so-called enemies. Right. And distribute that list across forums or chat rooms or Twitter itself as a call to action to attack the specific user.


GRAHAM CLULEY. Ah, I see. So they create a list of people they want to attack and then they share it with their evil buddies, whether on Twitter or elsewhere.


CAROLE THERIAULT. Yes.


MARIA VARMAZIS. Attack my pretties! Attack! Can I be a hipster for a second and say this doesn't surprise me at all? Because— no, for real, I'm going to be a total like—


CAROLE THERIAULT. I'm just laughing at you.


MARIA VARMAZIS. Hipster. No, like, I was doing that before it was cool. No, like, people— but people have been coordinating attacks like that through DMs on Twitter, like, for ages. Like, this is a well-known thing, is they'll use DMs and people will be like, okay, there's— here's this tweet from this politician that we decided we don't like, whatever aisle side you're on, whatever. And then, like, they'll blast it to a group of people in DMs, and then it's like, go, go, army, sick 'em! And then they'll go after them. So this sounds like it's sort of like an extension of that. It makes it maybe a little more public.


CAROLE THERIAULT. Yeah. Um, and apparently the current way that the people who report— who were reported in the article from CNBC handle it is they basically on a monthly basis or weekly basis go and check. And this is where I want you guys to confirm this is possible, right? They go and check where they're listed. So where are their Twitter usernames listed? Okay. And if the list seems troublesome or worrisome based on the fact that maybe there's no followers or the name's outrageous they remove or delete themselves from said Twitter list. Psst, listeners, okay, I make a bit of a boo-boo here. These people aren't able to delete themselves from said lists, but what they can do is block the creator of the list and block all the followers of that list, and in that way can kind of control the stem of misinformation and attack. Now watch Graham actually figure this out. Own.


GRAHAM CLULEY. I don't see an option for that. I think maybe what you could do is you could block the person who owns the list. But if their buddies are also using that list, that doesn't block them, does it?


MARIA VARMAZIS. Yeah, maybe they're using like a blockchain or something, but still, this is—


GRAHAM CLULEY. Don't mention blockchain.


MARIA VARMAZIS. Oh, sorry.


CAROLE THERIAULT. Okay, so what is Twitter doing about it? Not much, say a number of reports. So trolls misuse this basic function as they misuse other functions on Twitter. And they say it's the responsibility of the individual user to report the, you know, the problem to Twitter and allow Twitter to make their move. Now, there seems to be a bit of a weird loophole here, because if a user reports a troll for abuse, the troll might counter-report in a massive way by getting all their friends to do the same. So counter-report the victim in retaliation. Yeah, that does happen. So for example, I report Maria to Twitter saying, God, Maria is so annoying, and then Maria and all her buddies and all her Smashing Security fans all attack me saying, no, she's outrageous.


GRAHAM CLULEY. Yeah, she refuses to use an Oxford comma.


MARIA VARMAZIS. I just forget sometimes.


CAROLE THERIAULT. Um, and, and thanks to algorithmic logic, if a user gets enough reports it's enough for Twitter to indiscriminately suspend an account.


MARIA VARMAZIS. Yeah, it's the vagaries of Twitter support. Yeah, exactly. According to a lot of just completely anecdotal anecdota, when I see a lot of Twitter got it wrong kind of support stuff, it seems like it's not super hard to game it. Yeah. And use it against somebody in a retaliatory way. You see that a lot on Twitter, especially in the political spheres. It's interesting, which is why I stay out of that world on Twitter for the most part.


CAROLE THERIAULT. They say the best advice is not to attract the attention of trolls, but that in itself—


MARIA VARMAZIS. You don't exist.


CAROLE THERIAULT. Yeah, and that itself is quite difficult in this day and age where everyone wants to have a YouTube channel and, you know, a social media presence and wants to have a point of view that matters and the world got mad.


MARIA VARMAZIS. Yeah, I never want a YouTube channel, so whatever. Don't put me in front of a camera.


GRAHAM CLULEY. Okay, thanks. I wonder if there's also an issue here, because if you're looking at the lists which you've been put on, if that list was given a benign name like, oh, really cool cybersecurity guys— Graham's the best, something like that— or something like that, you may think, oh, well, I obviously have no problem with that. But it could actually be used for something unpleasant, couldn't it? Yep. Or renamed maybe at some point.


CAROLE THERIAULT. And I think because you're in a list, there is a sense that you've okayed your belonging there. You haven't, it has nothing to do with you, but somehow—


GRAHAM CLULEY. Well, that's interesting as well, isn't it? Because people might see that you are on the Neo-Nazi list, for instance. It's like, no, I didn't want to join that club.


CAROLE THERIAULT. I think that's the issue with the idea of being on a list. I think it's embarrassing to some people because the club might be something they agree with at all or be a contentious point or a socially manipulative point.


MARIA VARMAZIS. If it doesn't exist already, Twitter needs to implement a way for people to easily remove themselves from lists, just kind of like how there was for a while on Facebook. Oh God, I can't believe I mentioned it again. People could add you to a group you didn't want to be a part of without your permission. That was a thing for a while.


GRAHAM CLULEY. My guess is that you have to block the person who created the list.


MARIA VARMAZIS. That sounds about right.


CAROLE THERIAULT. So what, you block the person that created the list and therefore they can't add you to a list?


GRAHAM CLULEY. Or maybe your existence on that particular list vaporises because they can no longer follow you.


MARIA VARMAZIS. That seems plausible.


CAROLE THERIAULT. That's my guess. Anyway, anyone can confirm it.


GRAHAM CLULEY. We're all ears. That's right. Lots of feedback from the listeners we're asking for this week.


MARIA VARMAZIS. Please be kind.


GRAHAM CLULEY. So, Carole, imagine a hacker has gained access to one of the computers inside your organization. Dun dun dun. And of course they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects. Gotcha. Yep. Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software accessing that data and unapproved applications.


CAROLE THERIAULT. Yeah. Okay. Yeah, yeah, yeah.


GRAHAM CLULEY. Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform. Okay. It has a simple-to-use interface which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center. Cloudver. Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes micro-segmentation simpler and more secure. Okay, I wanna learn more. Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click microsegmentation. Oh, awesome. Boom.


CAROLE THERIAULT. Hey Graham. Yes. There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. Important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity. Let me try that again, folks. Check it out at lastpass.com/smashingsecurity.


GRAHAM CLULEY. Perfect. Do you want to make it more conversational? I don't know. I think that sounded great. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week.


MARIA VARMAZIS. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. And my pick of the week this week is not security related. You'll be very pleased to hear, Carole. Super pleased. Now, way back in 2003, an anime— is it anime? Is that how you say it? An anime show called Firestorm hit TV screens in Japan.


MARIA VARMAZIS. We're talking anime on this podcast? I'm so here for it.


GRAHAM CLULEY. Hang on. This is just the buildup to my pick of the week. Oh, okay. Never mind. And this Japanese TV show, no one would really have cared about it apart from the fact that one of its creators was Gerry Anderson, who in the '60s, of course, was famous, and '70s, was famous for such classics as Thunderbirds, Captain Scarlet, and UFO and Space: 1999. Now, this Firestorm TV show never really caught fire. —but, and so it's no more, little more than a curiosity for most of us. But wait, because Gerry Anderson's son, Jamie Anderson, he has picked up his late father's mantle and he is rebooting Firestorm in the style of classic puppets-based Thunderbirds.


CAROLE THERIAULT. Oh, that's where it comes from, because you're a big Thunderbirds fan.


GRAHAM CLULEY. I'm a big fan of the Gerry Anderson stuff. I was kind of going, I'm surprised. Surprised, anime too.


CAROLE THERIAULT. I was surprised.


MARIA VARMAZIS. I was like, I mean, I'm excited, but I didn't think y'all— yeah, okay. Yeah.


GRAHAM CLULEY. So if you go and check out firestormhq.com, or I'll also put into the show nuts— show nuts— show notes a link to the YouTube trailer, a 10-minute mini episode, you will see the puppets are back. Whoa. But unlike in the 1960s, you're not going to see any strings. It is filmed in ultra marionation, even better than supermarionation, which they used to use. Real sets, miniatures, practical effects, and it looks wonderful. It really is bringing back that Gerry Anderson magic. Currently it's only a 10-minute minisode, but it looks like they're going to produce— oh, it looks pretty slick though. Oh yeah, go a couple minutes in.


CAROLE THERIAULT. I hope they haven't lost too much of the puppeteering. You know, it's such a difficult balance when you do digital puppeteering.


GRAHAM CLULEY. Go a couple of minutes into the episode and you'll see some of the characters, and you'll see they, they really are— Yeah, but I'm also seeing like James Bond style explosions here. You know, the original Thunderbirds and Captain Scarlet were full of action as well. There was all sorts of explosions. Yeah, but I'm seeing tinfoil sets.


MARIA VARMAZIS. So, you know, it's not pretty cool stuff.


GRAHAM CLULEY. And there you are. Well, I wanted to throw us back to some classic sci-fi TV in this week when sadly Paul Darrow, Avon from Blake's Seven, passed away, who was a real hero for all of us. Have you seen Blake 7, Maria?


MARIA VARMAZIS. I have not. And I have not. You're just missing out, guys. Anyway, it's a name I'm familiar with.


GRAHAM CLULEY. I've just not seen it though. FirestormHQ.com is my pick of the week. Go and check it out.


MARIA VARMAZIS. Maria, what's your pick of the week? So I have a pick of the week, but I want to mention while we've been recording this episode, Nintendo just announced they're making a sequel to Breath of the Wild for the Switch. Yeah. Stop everything. I knew you would, because I literally had to suppress that sound I saw my Twitter feed explode with everyone going, "Oh my God!" So it's in development. So I feel like that should be my pick of the week. But there's nothing yet. So I'm just like, that's just an announcement. My actual pick of the week is a subreddit that I've become somewhat addicted to. And it is r/AITA. Oh, I love it.


CAROLE THERIAULT. I love it. I'm a total fan.


GRAHAM CLULEY. What does AITA stand for? It's something you should know.


MARIA VARMAZIS. It is. It's a question.


MARIA VARMAZIS. AITA. Am I the asshole? So this is a subreddit where people ask the question, am I the asshole in this situation? And they then write out a situation they've been in, some sort of moral quandary where somebody gets mad at somebody else or there's some sort of fallout or just a general sense of malaise.


CAROLE THERIAULT. And then he kicks them in the butt and goes, am I the asshole? Was it wrong of me to do that?


MARIA VARMAZIS. Was it wrong of me to, you know, spit on their face or whatever. I don't know. So they ask the question and then the commenters weigh in. No, you're not the asshole. There's no asshole in the situation. Yes, you're the asshole. And it's— it's really— it's such a great fun read. And, uh, if you—


GRAHAM CLULEY. the— and so you're basically polling the internet to find out, do most people think you're being an asshole?


MARIA VARMAZIS. My favorites are when people in the comments completely disagree if the person is or isn't an asshole. And it's just like, it gets real heated. And you know, you've got people all over the world weighing in on these moral quandaries, and sometimes it's like social issues. Yeah. Should I give you one?


CAROLE THERIAULT. Should I give you one?


MARIA VARMAZIS. Yeah, go for it. I love how Carole likes my Pick of the Week.


CAROLE THERIAULT. Oh, I love it. I'm a total addict. I love this subreddit. Am I the asshole for wanting a salary as a SAHM, Graham?


GRAHAM CLULEY. Sorry, a salary as a what?


MARIA VARMAZIS. Am I the asshole for wanting a salary as a stay-at-home mom?


CAROLE THERIAULT. SAHM, stay-at-home mom.


GRAHAM CLULEY. I didn't know what that was.


CAROLE THERIAULT. I'm teaching you, I'm teaching you the low hand. Okay, so that's like the title, and then basically they're like, sorry guys, I just need to know if I'm the asshole. I want money for being a stay-at-home mom because it's a lot of freaking work.


GRAHAM CLULEY. Not salary from a company, presumably, but salary from maybe the breadwinner in there. And then people are going, you're the asshole.


CAROLE THERIAULT. Other people are saying, you're not the asshole.


MARIA VARMAZIS. And, uh, and they justify it. They write out whole explanations about why they think this. So it's not just like a yes or no. It's like, yes, you're an asshole because— no, you're an asshole.


CAROLE THERIAULT. Yeah, it's a great time waster.


MARIA VARMAZIS. I love it. It really is.


CAROLE THERIAULT. So that was high five, Maria.


GRAHAM CLULEY. Cool. I'll go and check it out. Thanks.


MARIA VARMAZIS. That's my pick of the week. I am not an asshole. You're definitely not an asshole. I try not to be an asshole.


GRAHAM CLULEY. Me too. Well, let's see how Carole does with her pick of the week.


CAROLE THERIAULT. Do you try not being an asshole, Graham? I don't try.


GRAHAM CLULEY. I mean, it's just like genetic, right?


CAROLE THERIAULT. Natural. Just comes to you naturally.


GRAHAM CLULEY. Yeah, exactly. So I thought— What do you mean? Right.


CAROLE THERIAULT. Today, my pick of the week is all about trees. I know I'm Canadian, so I have a special relationship with trees.


GRAHAM CLULEY. So your pick of the week is trees. Are we talking Reddit's definition of trees?


CAROLE THERIAULT. Look, we all agree though, trees are really important, right? Yes. It's the biggest plant on the planet, gives us all the oxygen stuff and stores carbon and stabilizes the soil. And if you don't believe any of this, go read Harari's Homo Sapiens. Very educational.


MARIA VARMAZIS. I did not know about trees.


CAROLE THERIAULT. There's a search engine that I discovered called Ecosia, E-C-O-S-I-A. Ah, nice. And Ecosia says that it uses 80% of its profits to plant trees. Right. And they claim to have planted millions of trees since 2009 all around the globe. Now I did a little digging, you know, 'cause you know me with these new things, I'm like, hmm, right? Yeah, yeah. So they're funded through advertising. So the idea is use the search engine, they get sponsors that sponsor on their site, uh, they don't share any data with them. Um, I've been using the engine now for about 3 days just to see. I found it— the search is pretty competent. It's not as super slick as maybe the big boys, but it certainly is holding its own so far. It's got a social business model. So what's kind of cool is it has a lot of strong transparency. For example, you can see a breakdown of all their, um, financial reports and where their money goes, how they spend their money internally and how they split out the profits and spend the profits.


MARIA VARMAZIS. I don't know.


CAROLE THERIAULT. I think it's kind of cool.


MARIA VARMAZIS. This just, I'm going to be really dumb right now. This is not one of those things where it's built actually on top of like a Google, like the Google search technology.


CAROLE THERIAULT. I don't think that's a dumb question because I was trying to find that just before we started recording. I'm thinking they didn't build their own search engines, so they must be using the technology from someone else. And my initial— Oh, it's powered by Bing.


MARIA VARMAZIS. Bing. It says it's powered by Bing. Okay. And I thought, oh, that must be it.


CAROLE THERIAULT. Okay. So they're, yeah. So they're built on Bing. There you go.


MARIA VARMAZIS. There are a lot of websites that do stuff like this. That's really interesting that this one does something ecological. I've seen some that do sort of a similar, put a, not a filter, but yeah, I guess a filter over search results. And it's like a kid-friendly search engine. And they try to make sure that schools only use that kid-friendly search engine, but it's really powered by Google in the backend. So this is a Bing version. That's cool.


GRAHAM CLULEY. I think it is cool. Well, Carole, at least hopefully some trees are being grown as a result of your browsing, maybe. Maybe they are. Okay. Well, I've never heard of it before. Interesting one to investigate a little bit more deeply, maybe. And on that curious turn, it's time to wrap up the show. Maria, I'm sure lots of our listeners would love to follow you online and put you on their Twitter lists. What is the best way for folks to do that?


MARIA VARMAZIS. Nice lists only, please. Yeah. I'm @MariaVarmazis. @mvarmazis, M. Varmazis, it's my name. And, uh, it's a Twitter. And if you are on infosec.exchange via Mastodon, I am @maria. So much easier on that.


GRAHAM CLULEY. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And we're also on Reddit. Go and find us there after you've spent some time on the Am I the Arsehole subreddit. You can go pop over to Smashing Security. On Reddit as well.


CAROLE THERIAULT. Huge thank you to sponsors LastPass and Edgewise. Their support helps us give you the show for free, so be sure to check out their offers. And thank you, lovely listeners. Check out smashingsecurity.com for past episodes, sponsorship details, info on how to get in touch with us. Until next time, cheerio, bye-bye, later, bye-bye, bye-bye, guys.


MARIA VARMAZIS. In-game with iOS 13. And this is directly in competition with Facebook and Google. So all app developers were told for iOS— oh, fuck. Everything all right?


CAROLE THERIAULT. Yeah, I'm just telling a recording, right?


MARIA VARMAZIS. Hi, Carole's mom.


GRAHAM CLULEY. Is that Facebook's marketing department wanting to make an offer to Maria?


MARIA VARMAZIS. Oh, they're telling me, please stop talking about us, actively hurting us. Yeah, nothing else is. Yeah, literally just me. Yeah. Yeah.


CAROLE THERIAULT. It's nothing to do with me, says Zuck. I'm great. You're the problem. Yep.


GRAHAM CLULEY. Do you think they were listening in?


MARIA VARMAZIS. Maybe they were. Of course they were.


GRAHAM CLULEY. Well, Maria still uses Facebook. So tell us what— so this single sign-in from Apple. Yeah.


MARIA VARMAZIS. So they are entering the third-party sign-in game.

-- TRANSCRIPT ENDS --