How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.
And don't miss our special bonus interview about passwords with Rachael Stockton of LastPass, sponsors of this week's show.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Maria Varmazis and Rachael Stockton.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- A new bank scam using Google Maps loophole — The Hindu.
- Google’s sorry that this crudely offensive image of the Apple logo turned up in Maps — The Washington Post.
- ‘Edwards Snow Den’ infiltrates the White House on Google Maps — The Washington Post.
- The FBI Created a Fake FedEx Website to Unmask a Cybercriminal — Motherboard.
- what3words | Addressing the world.
- When the FBI rather than the fraudsters make a fake FedEx website — Graham Cluley.
- Fingerlings — YouTube.
- Lawmakers introduce bill to stop bots from ruining holiday shopping — CNET.
- The Internet Arcade.
- Alley Cat — The Internet Arcade.
- On November 26th, a mole will land on Mars — The Oatmeal.
- Why did Apple remove the iPhone headphone jack? — Fast Company.
- A simple, cheap and very reliable solution for phones without headphone jack — Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Okay, how did they do it? I want to know how they did it.
GRAHAM CLULEY. Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories.
MARIA VARMAZIS. Oh, so simple! Print it up.
CAROLE THERIAULT. With one ad on page 396 having a different phone number.
MARIA VARMAZIS. The spine of the book correctly bends so that page just falls open. Hint hint!
UNKNOWN. Smashing Security, Episode 106: Google Maps, Fed Phishing, and Grinch Bots with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 106. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Mr. Cluley.
GRAHAM CLULEY. And by popular demand, we are joined by a frequent guest of the show, Maria Varmazis. Hello, Maria. Hello.
CAROLE THERIAULT. Konnichiwa, Maria.
MARIA VARMAZIS. Konnichiwa.
GRAHAM CLULEY. Hi. You've just returned, haven't you, from Japan?
MARIA VARMAZIS. Yes, I was in Japan for two weeks and then dealing with toddler jet lag fallout for the week after, so I'm just emerging from all that.
GRAHAM CLULEY. The worst.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. You had too much fun.
MARIA VARMAZIS. Too much fun, so now we're gonna deal with screaming toddler for a week straight.
CAROLE THERIAULT. Well, don't worry, we will save you from that for at least an hour.
MARIA VARMAZIS. Oh yeah, just screaming adults now. Exactly. Yeah, great.
CAROLE THERIAULT. Now we have a glut of fab stories for you today, from how scammers are using Google Maps to steal money, how you nab phishers, and we'll even explain what the heck Grinch Bots are.
GRAHAM CLULEY. Mm.
CAROLE THERIAULT. But that's not all. We also have some brand new bonus content. You can listen to Graham and I get the lowdown on digital password safes in a fun tête-à-tête with Rachael from LastPass. This week's Smashing Security sponsor. Check them out at lastpass.com/smashing.
GRAHAM CLULEY. Tête-à-tête. Are you showing off again that you know French?
CAROLE THERIAULT. Oh, well, at least you recognized it was French.
GRAHAM CLULEY. Now, chaps, I want you to imagine that you are a bad guy.
MARIA VARMAZIS. Not hard.
GRAHAM CLULEY. Or a bad gal. And you want to trick people into giving you their bank account details, their PIN codes, their secret CVV codes, their inside leg measurement.
CAROLE THERIAULT. Normally you just say, can I have— can I see your card for a second?
MARIA VARMAZIS. I want to buy you something on Amazon. Give me your card for a second. Done.
GRAHAM CLULEY. Well, you might find that a little bit suspicious if a complete stranger did it, wouldn't you? I mean, how would you do it? How would you get those kind of details from a stranger?
MARIA VARMAZIS. I totally know how I'd do that.
GRAHAM CLULEY. Oh, do you?
CAROLE THERIAULT. I would pretend to be a server in a restaurant and I'd be like, oh, here's your bill. I see that you've left your card. Thank you very much. I'll bring— come back with the card machine.
MARIA VARMAZIS. That's more creative. I had something actually happen to me where the whole time I thought they were doing this to me where they're trying to steal my info. It was somebody, not a busker, but those charity folks that are always on the sidewalks that are asking for, you know, they're trying to flag you down and go, hey, do you have a second for Oxfam or whatever? And yeah, and I had one of them flag me down because I was, I guess I look nice and approachable and it was for Heifer International.
CAROLE THERIAULT. What's Heifer International?
MARIA VARMAZIS. Oh, you give them money and they give people in developing countries like oxen or sheep or goats or stuff so they can sustain themselves and make money and that kind of thing. Okay, charity. Yeah. So the whole time I'm just like, I don't know if this person actually works for this charity. I'm not really sure.
GRAHAM CLULEY. Are you a genuine heifer? You're thinking, are you a real heifer? Are you really a heifer?
MARIA VARMAZIS. You don't look like a cow to me. And then at the end they're like, please give us money, I need your, your info, your financial info. And I'm just like, oh, that could be getting really hurt right now. Yeah, yeah, just please 'Give us money for charity, I promise it's legit. You have no way of knowing whether I am or not.
CAROLE THERIAULT. I'm just a total stranger on the street asking for your info.' Well, they normally have ID in the UK at least, but at the same time, like, how would I know that's valid?
GRAHAM CLULEY. Yes, of course, anyone can print out some ID.
MARIA VARMAZIS. Just hold a clipboard and you look really official, right?
GRAHAM CLULEY. Well, look, this is all very interesting, but what you are describing are tricks where you come into physical contact with your target.
MARIA VARMAZIS. Yes.
GRAHAM CLULEY. And I would imagine many criminals are a little bit nervous about doing that because of the chances of getting punched on the nose or having the police come and grab them. So like to do it over the internet. And there's a variety of ways in which you could try and scam someone remotely. You could call them up pretending to be their bank, for instance, but they might get suspicious about that. It would be so much better and easier if you were a bad guy if the victim called you up. So you could email your intended victim pretending to be the bank and ask them very politely to call you. But again, there's so many scams out there. Some folks are likely to find that a little bit fishy as well, aren't they? You know, if you get an email out of the blue saying, oh, can you give us a phone call? There's a problem with your account. Call us on this number. You might be suspicious. So wouldn't it be great if it was the victim's idea to call you up in the first place, thinking that your phone number was the real number for the bank? Wouldn't that be ideal?
MARIA VARMAZIS. That's a long con. You got to admire that.
CAROLE THERIAULT. That's okay. How did they do it? I want to know how they did it.
GRAHAM CLULEY. Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories. And so in the telephone directory—
MARIA VARMAZIS. Oh, so simple! Print it up. Okay. You gotta be really comfortable with publishing software.
CAROLE THERIAULT. With one ad on page 396 having a different phone number.
MARIA VARMAZIS. The spine of the book correctly bends so that page just falls open. Hint, hint!
CAROLE THERIAULT. Very clever.
GRAHAM CLULEY. So you could produce fake telephone directories. But today, of course, no one uses a telephone directory today, do they?
MARIA VARMAZIS. Oh, I do.
GRAHAM CLULEY. Do you?
MARIA VARMAZIS. As a doorstop to put my monitor on. I get them every year. They don't stop coming. What am I supposed to do with them?
GRAHAM CLULEY. They've stopped producing them over here, I think, because the trees were beginning to complain about it.
MARIA VARMAZIS. Oh, we don't care about trees in America, do we?
GRAHAM CLULEY. Newsflash.
SPEAKER_03. Yep.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. Well, today, the technique you could use is you could edit Google Maps. You see, a lot of people use Google to find out a bank's phone number rather than going to the bank's own website or, you know, I don't know, looking—
CAROLE THERIAULT. What, they use Google Maps instead of Google Search?
GRAHAM CLULEY. Well, the thing is, Carole, when you search for something on Google, you don't just get your regular search results. If you look for, for instance, a bank branch, it's quite likely that you will also get a result from Google Maps as one of your search results, which may give the opening times of that bank or restaurant or whatever it is, and the phone number as well.
CAROLE THERIAULT. Okay. Okay, I'm going in, I'm going in. All right, so I'm seeing your page at the moment. On the right-hand screen of your search result, you have a bunch of information about a bank, including a Google Map location finder.
GRAHAM CLULEY. Yeah. And including, I mean, it's got these little bit of metadata. So it's got the address, hours open, and the phone number as well. And an option to suggest an edit should any of that information be wrong. Now that's the thing. Google Maps in its wisdom allows folks to edit an organization's contact details. Now, presumably they're allowing users to generate their own content to try and make the information provided by Google search better.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But if the organization's phone number has been changed to that of a scammer, then the scammer is going to start getting phone calls which people intended to go to the real bank, aren't they? And so don't be surprised if you think you're ringing up your bank and you're being asked to confirm your password, your bank account, your credit card numbers, your birthday, your PIN, your CVV code.
CAROLE THERIAULT. Oh, come on. I think most people would be wise to the fact that you don't share your PIN number with anyone.
GRAHAM CLULEY. You would hope so, wouldn't you? But social engineers can be awfully, awfully crafty. And there will be some people, maybe more vulnerable members of society, who might fall for exactly that. Oh, yes. Let's just blame people, shall we?
MARIA VARMAZIS. No, no, it's interesting.
CAROLE THERIAULT. No, no brains as well as people that are vulnerable could be duped by this.
MARIA VARMAZIS. Only stupid people get phished, right? Only stupid people.
GRAHAM CLULEY. Normally, Crow, you're the one who sticks up for the dolt heads, and I'm the mean guy.
MARIA VARMAZIS. And yeah, everything is topsy-turvy now after episode 100. I really don't know what's going on. What has happened?
GRAHAM CLULEY. Now, police in India, in Maharashtra. Oh my goodness.
MARIA VARMAZIS. Maharashtra.
CAROLE THERIAULT. Maharashtra.
GRAHAM CLULEY. Hello. Maharashtra. Absolutely right. They say they've had 3 complaints of exactly this happening in relation to the Bank of India in the last month alone. And so there's no real reason to believe it's hardly an epidemic.
MARIA VARMAZIS. Oh, Carole, this is poo poo to you too.
GRAHAM CLULEY. Just wait till your story comes round. All right.
MARIA VARMAZIS. I'm not saying all over that.
GRAHAM CLULEY. This is 3 complaints. How many people might have rung up and may have given information and may still not realize they weren't talking to the real bank? How many people may have rung up and found it suspicious and just hung up and didn't think to go and contact the police? But 3 people—
CAROLE THERIAULT. standing down, buddy, standing down.
GRAHAM CLULEY. And there's no reason to believe it might not be happening in other parts of the world too. It's unlikely to be purely an Indian problem, right?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So what should you do about this? Well, you can use the bank's official website to find the contact details of your local branch rather than necessarily relying on what your search engine gives you. And Google, for its part, says, well, you know, we allow people to suggest edits in order to keep the information up to date, but we do recognize there may occasionally be inaccuracies or naughty malicious edits suggested by them. And we do our best to fix these as soon as we're informed. So frankly, they're not doing anything. Now, this isn't the only problem we've seen with Google Maps. Do you remember there was this thing which used to exist called Map Maker, where you could plot your own paths around the world and walkways and things like that? I think it doesn't exist anymore, but one of the ways in which we saw that abused, if you remember, is people sort of painted paths onto Google. There was a famous one of the Android robot peeing onto the Apple logo.
CAROLE THERIAULT. Yes. So they were doing, yeah, they were doing kind of like sketches. They were doing sketches.
GRAHAM CLULEY. They were doing sketches. So it was like miles wide of this thing pissing on Steve Jobs's apple.
CAROLE THERIAULT. There was a big penis as well.
GRAHAM CLULEY. Well, I didn't spot that one at all, but—
MARIA VARMAZIS. The important details, the important details.
GRAHAM CLULEY. And there was once, someone actually claimed to have opened a snowboarding shop at, in Pennsylvania Avenue, home of the White House, actually right in the middle of the White House. And they called it Edward's Snow Den.
CAROLE THERIAULT. Oh, get it?
GRAHAM CLULEY. Get it?
MARIA VARMAZIS. Get it?
CAROLE THERIAULT. That's so clever.
MARIA VARMAZIS. Oh my God.
CAROLE THERIAULT. How did they come up with that?
GRAHAM CLULEY. Edward's Snow Den. So, so I think, I think what we're really saying here is user-generated content can be a fantastic way to, to create obviously lots and lots of content, but you can't always rely upon it. And of course, Google's business relies so much upon information that other people are giving them. So be careful out there, folks.
MARIA VARMAZIS. It's frustrating if the map is legitimately wrong, though. Have you ever had to try and fix Google Maps when it lists something incorrectly, like legitimately wrong?
GRAHAM CLULEY. Oh, really hard.
MARIA VARMAZIS. It's super hard to get them to fix it.
GRAHAM CLULEY. What sort of mistake did they make in your experience?
MARIA VARMAZIS. So my parents' house is incorrectly listed. The address and the actual house are incorrect. So unfortunately, even emergency services nowadays seems to rely on Google Maps. So when an ambulance was called to my parents' house years ago, they couldn't find my parents' house. It was— and this was like two years ago.
GRAHAM CLULEY. It's not that they have an entry. It's not like says Maria's parents' house.
MARIA VARMAZIS. No, but like, you type in the address and then street address and the number does not align with the actual physical.
CAROLE THERIAULT. Yeah, it's a real problem.
MARIA VARMAZIS. Yeah. And I know that there's a problem for a lot of people saying like their home is listed incorrectly. People can't find them or businesses listed incorrectly, like the physical space and the map are not aligned. And trying to get Google to fix that is like freaking impossible.
GRAHAM CLULEY. You know what they need? You know what they need?
MARIA VARMAZIS. A guy in India.
GRAHAM CLULEY. They need past pick of the week. What3words.
MARIA VARMAZIS. Yes, that actually would be pretty, pretty helpful.
GRAHAM CLULEY. If only the world was using What3words.
MARIA VARMAZIS. Then there'd be no problems whatsoever.
GRAHAM CLULEY. They'd be able to find anything in the world, wouldn't they?
CAROLE THERIAULT. Next story, please.
GRAHAM CLULEY. Maria, what have you got for us this week?
MARIA VARMAZIS. I read a really interesting story in Motherboard just a few days ago about what the FBI has been up to. And they're always doing interesting things, aren't they? So, so who fishes the phishers? The FBI does, apparently. So Motherboard did a little digging. They uncovered some search warrants from 2017 and they found out that the FBI has started to create their own fake versions of websites to try and trap cybercriminals. So specifically in 2017, the FBI created their own version of a FedEx website to track down the origin and identity of cybercriminals that were basically phishing legitimate companies for huge sums of cash.
CAROLE THERIAULT. So they kind of created this fake online merchant system that fooled phishers into thinking they could legitimately—
MARIA VARMAZIS. I don't think it was as complicated as a merchant system. They didn't go down the entire rabbit hole. But let me, let me give you the setup here.
CAROLE THERIAULT. Sorry.
MARIA VARMAZIS. So, so basically the FBI was alerted to some criminals that were extorting a crane company in New York State. And apparently this crane company paid $82,000 to criminals and didn't realize it. And it's a little later for a bunch of birds. No, no, no, no, no. Construction cranes. Oh, man. Oh, I give that groaner one chuckle.
GRAHAM CLULEY. It's hashtag terrier jokes.
MARIA VARMAZIS. Yes, they make cranes. They make birds. It's a thing. So when the bird guys figured out they'd been extorted out of money, they called in the FBI, and the FBI just needed to figure out where these cybercriminals were located. And in order to do that, they kind of used some sort of phishy, P-H-I-S-H-Y, phishy-esque, sorry, I thought that was funny. Phishy-esque means to get a useful IP address out of the criminals. So what they did was they created an entirely fake FedEx website to scam the scammers. They sent it to the scammy guys, and they even had the website resolve as access denied. This website does not allow proxy connections to try and get the criminals to drop their proxy.
GRAHAM CLULEY. It's— I thought that bit was really clever.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. I thought that was— so of course you can imagine how a website might say, oh, you're running a VPN or you're coming through a proxy. You can't access us for whatever reasons.
MARIA VARMAZIS. Yep.
CAROLE THERIAULT. Right, right.
GRAHAM CLULEY. But in this case, this website always said that.
MARIA VARMAZIS. Yep.
GRAHAM CLULEY. And so—
MARIA VARMAZIS. Like, no matter what, you got to drop your proxy. It's like, okay, well—
GRAHAM CLULEY. In the hope that the criminal would keep on trying and think eventually, oh, for goodness sake, I just want to access this page to find out when my payment is coming through.
MARIA VARMAZIS. Indeed.
GRAHAM CLULEY. That's the message they got. And of course, the web server logs were grabbing their information as they did that.
MARIA VARMAZIS. They were. But there were two search warrants for this specific case. So I'm guessing that that first tactic didn't work. But kudos to the FBI for trying. That's pretty clever. The second thing the FBI did to these same cybercriminals was send the crooks a malicious Word doc. Doesn't that sound familiar?
CAROLE THERIAULT. Like, what are we, 1995?
MARIA VARMAZIS. And yet, so this malicious Word doc had an image in it. So again, doesn't this all sound very, very familiar? It was a screenshot of a FedEx tracking payment for a sent payment. So the idea is you open up the Word doc, the image loads. I think we all know the yada, yada, yada. And then the image phones home saying, this is where I'm located, and the FBI nabs crooks. This is like 1997 tactics, but I'm guessing that it actually worked. I'm kind of amazed.
CAROLE THERIAULT. I guess you wouldn't even expect it because it's so old.
MARIA VARMAZIS. Well, do you think the criminals are expecting to get this kind of thing their way? I mean, they're the ones usually lobbying it out, but they're not expecting to get it, right?
GRAHAM CLULEY. The thing is, the criminal might be very careful when accessing a web page. So obviously this fake FedEx page didn't manage to fool them.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. But they may be less careful when they've been emailed maybe a Word document and they subsequently, maybe hours and hours later, after they've done their surfing, they access the Word document and it tries to drag down an image at that point. Yeah, I think that's quite a sneaky trick for the feds to try. But I read the document which has been unearthed, the FBI search warrant, and there's some fascinating details in there as to what was going on. For instance, once the crane manufacturing company realized that they'd been defrauded and they brought the FBI in, and the scammers came back. So they initially took $82,000, and then they came back asking for a little more, please. Yes, an additional $138,000.
CAROLE THERIAULT. We hand out one tiny little payment, just a little bit.
GRAHAM CLULEY. Obviously, the company was now onto it. And so the FBI said to them, we'll stall them, stall them.
MARIA VARMAZIS. And so do a dance or something.
GRAHAM CLULEY. And so Margaret, her name was Margaret, who worked in the accounts department, she said, well, look, well, what she wrote back to the scammer was, oh, you know, there's been a bit of a delay sorting out your check because the printer we use to print out checks which we send people is broken.
MARIA VARMAZIS. And that's very plausible. That's so plausible though.
GRAHAM CLULEY. And there's a part missing and we have to have it delivered. And the fraudster kept on emailing, still posing as the CEO. Surely this payment must be made by now. The printer should have been fixed. Please advise.
CAROLE THERIAULT. And then he was saying, please advise.
GRAHAM CLULEY. And then he was saying, I'm having trouble with the web link, you know, he didn't go into details as he explained it was the VPN proxy problem, but he said, "Oh, just give me the information. I don't need to go and visit the dark web." Oh, that's great. And poor old Margaret was saying, "Well, it works for me. I've tried it from my home computer." Oh, this is so great.
CAROLE THERIAULT. Good Margaret.
MARIA VARMAZIS. Good for you, Margaret. She's got a future in law enforcement.
GRAHAM CLULEY. So good for her for trying. But there are other fascinating details regarding this case.
MARIA VARMAZIS. Oh, I'm gonna have to do some deeper digging in that. That sounds pretty interesting.
GRAHAM CLULEY. Well, one of the things is that the checks, apparently, some of them were being mailed to this woman who, on behalf of a guy who she met on Match.com, was having some kind of relationship with, who claimed to be in Afghanistan a lot working for the army, but also had business interests in Australia. She was kind of getting the money, transferring it into his bank account, and then moving it into an Australian bank account.
MARIA VARMAZIS. There's a whole soap opera angle to the story. I had no idea. What?
GRAHAM CLULEY. And I think, I think that whole relationship had basically been set up by this guy who probably wasn't in Afghanistan. You've got to be kidding me. I wonder if he had multiple women around the place.
MARIA VARMAZIS. Oh, oh my God, there's a whole catfishing thing. Some really bored crook. This is like, I'm on the computer all day, might as well catfish some ladies. Wow.
SPEAKER_03. Okay, but I have a question.
CAROLE THERIAULT. I have a question.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. What do you guys think about the feds using dodgy tactics like this? Like, should they try and stay within the realms of—
MARIA VARMAZIS. Is it dodgy?
GRAHAM CLULEY. Yeah, that's the thing. It wasn't a booby trap. Well, the Word document, for instance, it didn't contain malware. I think if it had contained some malicious code which had run on people's computers, and they were quite careful in the search warrant to say it's not going to do that, and we're not going to take screenshots of the computer or anything like that, we're simply gonna get the IP details and the browser details.
MARIA VARMAZIS. Yeah, the whole thing is that the feds don't wanna accidentally entrap an innocent party while doing this kind of thing.
CAROLE THERIAULT. They set up a phishing website.
MARIA VARMAZIS. Yeah, but all it did was grab someone's IP address.
GRAHAM CLULEY. They also made it a phishing website.
MARIA VARMAZIS. It's fishy, but not phishing.
CAROLE THERIAULT. Yes.
SPEAKER_03. Okay, fair, fair.
GRAHAM CLULEY. If anyone's going to complain, actually, I wondered what FedEx might have felt about it.
MARIA VARMAZIS. They have no comment. Yeah.
CAROLE THERIAULT. That means they are peed off.
MARIA VARMAZIS. That or they are actually involved and they can't comment because it's a law investigation and they're not allowed to. It could be either or.
GRAHAM CLULEY. I would think there's a security team at FedEx and one of their jobs will be looking out for phishy domains which get created and getting them shut down because it obviously damages their brand. But when there's a legitimate law enforcement reason to create one, presumably they have to be involved so that they turn a blind eye to the cause.
CAROLE THERIAULT. It would feel quite gross if they were not involved.
MARIA VARMAZIS. I imagine that would be a problem if they weren't. I would love to hear the war stories from them on that, if that was ever leaked. That is interesting, isn't it? To divulge, that is neat. Well, the sort of key thing I wanted to convey after all, we went down that fascinating path though, I'm kind of amazed, was that this is kind of new for the FBI to be doing stuff like this for crooks that are basically just taking money, 'cause they've been doing stuff like this for child pornographers and violent guys for quite a while. So there was a story I covered a while ago about a guy who was sending bomb threats in the town I lived in, and the FBI did all sorts of cool stuff to track him down. But basically, as of the end of 2016, the US Justice Department amended what's called Rule 41, not Rule 34, Rule 41, which lets judges sign warrants for computers outside of their district. So now law enforcement in the United States can basically, and I use hack lightly here, hack a criminal's computer wherever they're located. It does not have to be in their jurisdiction. So we're going to see a lot more of this kind of stuff from now on, and that's probably the reason why Motherboard went after this 2017 story. We're going to be seeing a lot of this, so keep your ears tuned for that.
CAROLE THERIAULT. I know nothing of this, okay? I'll do some digging after the show.
MARIA VARMAZIS. Yeah, especially if there's a little catfishy angle. It's salacious.
GRAHAM CLULEY. It's fun.
MARIA VARMAZIS. All right, well.
GRAHAM CLULEY. It was right. I know, I was just reading this thing and I thought, "Cool, crap. There's all this stuff that Motherboard hasn't written about here. I'm really interested in this bit." The juicy bits.
MARIA VARMAZIS. Yeah, come on.
CAROLE THERIAULT. Buy the Daily Mail. Oh my goodness. Oh my.
GRAHAM CLULEY. Didn't want to go down there, did we? Crow, what's your story?
CAROLE THERIAULT. Well, now that the freight trains that are Thanksgiving and Black Friday have rumbled past, I say thank God, sayonara. I'm very sorry to say this, we have entered the realm of Christmas time.
MARIA VARMAZIS. Yay!
CAROLE THERIAULT. Yes, welcome, welcome, welcome Christmas time.
MARIA VARMAZIS. Do you know it's Christmas time at all?
CAROLE THERIAULT. Uh, but it seems to have turned into this expensive, stressful, and maniacally retail-esque time of the year, isn't it? And I feel for you parents out there I mean, I sometimes find it a bit overwhelming and tedious, but you guys have it so much worse. I mean, the list of stuff you guys have to do to feel like Christmas is successful is mind-blowing.
GRAHAM CLULEY. Just get over yourself.
CAROLE THERIAULT. Festivities, the cooking, the baking, school plays, festooning house with lights and trees and all this stuff. People even put up blow-up Christmas and Santas in their front gardens.
GRAHAM CLULEY. Oh, for goodness' sake.
CAROLE THERIAULT. And then there's the present buying, right? You parents are literally crazy in stores. And I'm— no offense, but OMG, right? Especially when there's a particular toy that everyone needs to get their hands on. Now, the toy earmarked this year for— to incite the Christmas crazies is this Fingerling. Have you guys seen this?
MARIA VARMAZIS. No, no, that sounds terrible. That's a kind of potato, isn't it? Okay, it is. That's what it is. It's a fingerling potato.
GRAHAM CLULEY. I remember the days when you would be given a potato for Christmas and you'd be told to be happy about it.
MARIA VARMAZIS. In the old country.
GRAHAM CLULEY. Exactly.
MARIA VARMAZIS. In your shoe, right? A potato in your shoe.
CAROLE THERIAULT. So this year is this fingerling. This is a plastic 5-inch tall baby monkey.
MARIA VARMAZIS. Okay?
CAROLE THERIAULT. Made by the company called WowWee. And these are not the words I would use to describe this grotesque, plasticky, interactive concoction that retails for about a tenner, and that's its sale price.
MARIA VARMAZIS. Oh, it's only a tenner for a 5-inch wriggling. Okay, that's—
CAROLE THERIAULT. do I sound like a Grinch here?
GRAHAM CLULEY. A Grinch? Yes. Crow, I can't believe— what's your problem with Christmas? What's your problem with kids having a little bit of fun with a 5-inch piece of plastic in the shape of a monkey? Well, I mean, really, Christmas is fantastic. You should love Christmas. I wish Christmas was every It'd be fun. We should do it more often because, you know, spread a little bit of joy. There's enough misery in the world, isn't there? Okay, come on.
CAROLE THERIAULT. Yeah, I just, I just did all that to intro my topic of Grinch Bots. Smooth, see?
GRAHAM CLULEY. Oh, what's a Grinch?
CAROLE THERIAULT. Ah, I thought you might ask. Well, let me tell you, it is definitely not in the spirit of Christmas unless your name is Scrooge. Grinch Bots, also known as Toy Bots, made headlines last Christmas. Now, these are bots bots that are used by resellers to hoover up all the inventory of hot ticket items like the Fingerling thingamajig, and then they try and resell them at extraordinarily inflated prices.
MARIA VARMAZIS. Oh, fuck those guys. That sucks, right?
CAROLE THERIAULT. So in other words, these resellers are using cyber Grinches to game the online.
MARIA VARMAZIS. Are these the guys that like buy the consoles every year, like this, the NES or the Super NES thing?
CAROLE THERIAULT. And exactly, isn't it the spirit of Christmas?
SPEAKER_03. High five!
CAROLE THERIAULT. Now, the thing is, these bots are super fast, like way, way faster than a person on a computer buying a present. You know, you peruse, you read a review, you shop around, then you put it in the cart. And when you finally get to buy it, the 100 or so they had in stock is poof, all gone.
MARIA VARMAZIS. Happy Christmas.
CAROLE THERIAULT. Yeah, exactly right. So a few senators in the States are trying to stamp down on this shitty practice. This past Black Friday, you know, well-timed release from Senators Tom Udall, Richard Blumenthal, and Chuck Schumer, and U.S. Rep. Paul Tonko, they announced the introduction of the Stopping Grinch Bots Act of 2018. That's a bit of a mouthful. You try and say it.
MARIA VARMAZIS. What?
GRAHAM CLULEY. Stopping Grinch Bots Act of 2018.
MARIA VARMAZIS. The Stopping Grinch Bots Act, the SGBA. That's not a very good acronym.
CAROLE THERIAULT. It's a pretty descriptive title, right? Seeing as it's all about cracking down on Grinch Bots and stamping out the practice. So, uh, the U.S. Rep. Tonko said in a statement, the American people should be able to spend the holidays with their loved ones, not be forced to camp out at store openings and race against an automated buying algorithm just to get an affordable gift for their kids.
GRAHAM CLULEY. And, well, no one's forcing them to camp out, are they? You don't have to do that. You can just give your children a potato. Or, or one of my preferred methods, particularly if your child is quite young, maybe not going to school yet, is just lie about when Christmas is.
MARIA VARMAZIS. Because they don't know what day it is. Yeah, that's true.
CAROLE THERIAULT. If you think your average 6, 7, 8-year-old doesn't know it's Christmas.
GRAHAM CLULEY. Well, maybe 6 or 7, but under about 5, I think they haven't got a clue what even months or weeks are.
MARIA VARMAZIS. Yeah, but are you buying a 5-inch fingerling for a 3-year-old? No.
GRAHAM CLULEY. No, probably not.
CAROLE THERIAULT. Now it's funny, Graham, you say the whole thing about a potato because that was my idea. Like, why don't you parents get off the crazy buy buy buy Christmas train and make gifts instead for your little ones, right? Like a little felt book cover, or sew them some pants, or knit them some socks, or build them a birdhouse.
GRAHAM CLULEY. Spoken like a true non-parent who doesn't understand the look they would get from their child of, how did I end up with this parent? What a load of rubbish this family is.
CAROLE THERIAULT. So then we come back to the fact that you guys are insane and you are going to be going crazy this Christmas time yet again and lining up to buy things like this Fingerling, Bobby.
GRAHAM CLULEY. We are insane. We bred. We've been taken to insanity by our children not letting us sleep, or through toddler jet lag on the way back from Japan, or whatever. Yes, of course we're insane. Just let us spend some money, right? And they will get 3 minutes amusement, at least out of the packaging of the box, if not the contents of the box. And that'll be it. But stop being such a Grinch at Christmas.
CAROLE THERIAULT. So, Graham, you remember you were talking about ticket bots earlier? Well, that was signed into law by Obama, a law called the Better Online Ticket Sales Act, or the BOTS Act, Maria, in 2016.
MARIA VARMAZIS. Oh, see, you got to have a good acronym. House of Cards taught me that. It's important.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Obama was Brilliant at the acronym. So I think that one we like.
CAROLE THERIAULT. So the SGBA—
MARIA VARMAZIS. tremendous—
CAROLE THERIAULT. would apply the structure of the BOTS Act to e-commerce sites. So basically it would take advantage of what they've already been able to do with that act, which is actually they seem to have stamped out on a lot of tickets.
MARIA VARMAZIS. What's next, though? Are they going to start disabling like eBay sniping going back to 1997 again? I mean, come on. EBay sniping is a proud tradition that I look forward to passing on to my daughter. I mean, come on, if eBay even exists when she starts using the internet.
CAROLE THERIAULT. So guys, if you find the present that your kids want is disappearing off the shelves, think about these Grinch bots and support, um, acts like this that are going to try and stop these greedy, um efforts from getting away.
GRAHAM CLULEY. No, no, no, no, no, don't think that. Instead, think about how miserable your childhood could have been if Carole was your mother and all she'd given you was a pair of sewn-up trousers or a raw potato and said, get on with it. There you go, happy solstice, enjoy your potato. Fantastic. Well, nice one, Carole. Nice one. Nice one. You're—
CAROLE THERIAULT. so me wanting to make something with love and care, you're turning into—
GRAHAM CLULEY. it's not going to be appreciated, Carole. It's not going to be appreciated. You're in cloud cuckoo land right now. It's absurd. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
MARIA VARMAZIS. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Please don't be this week.
GRAHAM CLULEY. And mine is not security-related necessarily this week.
MARIA VARMAZIS. Necessarily.
GRAHAM CLULEY. Mine is, it is, it is not even celery, which is another gift which Crow would probably give people.
MARIA VARMAZIS. I would gladly take some celery.
GRAHAM CLULEY. As a present. Here's a piece of celery.
MARIA VARMAZIS. I need celery. I'm making a lot of soup lately and I need celery.
CAROLE THERIAULT. It's true.
GRAHAM CLULEY. Well, instead of celery, my pick of the week is the Internet Arcade. Which is run by our good friends at archive.org, and they have a gallery of over 1,700 retro arcade games. Some of them for your computer, some of them might be for arcade, and you can play them online inside an emulator. Oh, and it's wonderful. This is what people need, Carole, not a potato or a stick of celery. They need something like this. And it also includes the greatest game ever written for Microsoft DOS. I'm sure you know what one I'm talking about.
MARIA VARMAZIS. Mavis Beacon Teaches Typing?
GRAHAM CLULEY. No, not Mavis Beacon Teaches Typing. I am referring to Alley Cat.
CAROLE THERIAULT. Oh, come on.
GRAHAM CLULEY. Do you remember Alley Cat? Yes!
CAROLE THERIAULT. It's not a great game.
GRAHAM CLULEY. I'm sorry, Alley Cat is a great game. It is a great game, and it also has the greatest theme tune of any game ever. I love the theme tune of Alley Cat. It's a very entertaining game.
CAROLE THERIAULT. I will give you the theme tune. The game, entertaining?
GRAHAM CLULEY. Yes, I've spent many a long hour playing Alley Cat.
CAROLE THERIAULT. Well, that explains a lot.
GRAHAM CLULEY. Anyway, my pick of the week is the Internet Arcade. You don't have to play Alley Cat. There are other fine games there, including some maybe which yours truly may have written as well. But go and check out The Internet Arcade.
MARIA VARMAZIS. Productivity is gonna go to zero.
CAROLE THERIAULT. Nice curve promote there.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. Maria, what's your pick of the week?
MARIA VARMAZIS. So my pick of the week is primarily a shout out to the team at NASA because they just landed something on Mars this week, which I think is just amazing.
GRAHAM CLULEY. Freaking awesome.
MARIA VARMAZIS. They haven't done that for a little while, and it's, I mean, harder than the moon landing, and yet nobody tunes into it anymore. Everyone's like, yeah, we're just on a different planet, no big deal. So they landed the InSight earlier this week on Mars, like flawlessly. And I quite enjoyed watching the process. I was watching the landing coverage with my mother, but of course there's no cameras following the InSight as it lands. So it's just people in Jet Propulsion Laboratory cheering. My mom's like, oh, this is really boring. When do we see it actually land on Mars? I'm like, we don't. There's no cameras. There's no cameras following it around. I mean, they're kind of, anyway. But yeah, so what my specific pick of the week pick is, is this awesome comic done by The Oatmeal, who you probably have heard of. I thought it was a fantastic example of how to get the world interested in the cool things that we're doing in space. So The Oatmeal did this great comic about what the InSight mission does, how it works, why it's important, why we're doing it, and it got a lot of people hyped about it. Frankly, it's got me hyped about it. I forgot it was even happening. So it's a really cool comic. It's very entertaining, extremely easy to understand why InSight was gonna and did land on Mars and what we're gonna learn from it. So it's a really fun thing, and I hope people enjoy it.
CAROLE THERIAULT. It's very beautiful. I'm just looking at it right now.
MARIA VARMAZIS. And honestly, if you go to the InSight Twitter account, it's twitter.com/NASAInSight right now, and I'm sure for a while there's a photo that InSight took from the surface of Mars that is just breathtaking. It's so, it's so—
GRAHAM CLULEY. wow.
CAROLE THERIAULT. We'll put that—
MARIA VARMAZIS. oh, I love it. It's amazing to think that's on another planet. I'm just so nerdy. It's so cool.
GRAHAM CLULEY. It's, it's a great comic strip, and you know, which is right that it's great, isn't it? Because what an incredible achievement to get something like that all the way to another planet and land it safely and then begin to have it send in information.
MARIA VARMAZIS. Complicated. It's super complicated. Imagine—
CAROLE THERIAULT. oh, I can't— that's the problem, I think. I think it's even too big for me to marvel at because it's just too crazy.
GRAHAM CLULEY. Like, Carole, you've done an Excel pivot table before, haven't you? You've done a pivot table.
MARIA VARMAZIS. You can read this comic and it explains it beautifully.
CAROLE THERIAULT. I got this.
MARIA VARMAZIS. Seriously, the comic will explain it really well. It's really easy to understand.
CAROLE THERIAULT. No, I'm not— yeah, I can read the comic. I was talking more about actually getting to Mars.
MARIA VARMAZIS. It's a marvel of human engineering, and I think there, kudos to NASA, right? I would agree with you there.
CAROLE THERIAULT. Definitely, definitely.
GRAHAM CLULEY. From that tremendous human achievement to Carole's suggestion of all of the things which she's seen in the last week, all of the things which she's encountered, everything she's read about.
CAROLE THERIAULT. You had a sneaky peek at my idea.
GRAHAM CLULEY. What have you got, Carole? What have you got for us?
SPEAKER_03. Well, clue.
CAROLE THERIAULT. This morning, yes, I, I messaged you with this Fast Company link about how someone was lamenting the loss of the iPhone headphone jack.
MARIA VARMAZIS. And so on board with that article. Yes. Yes. Right. Sorry. I'm really, really passionate about that too.
CAROLE THERIAULT. Yes, many of us, I was going to say, including me, can't get over it. And I think you voiced exactly my feelings inside, Maria. That's exactly how I feel. And so I therefore cater my little baby, my old headphone jack-sporting iPhone, right? Hoping it stays alive long enough for Apple to wake up and go, oh, wow, people do want a headphone jack. Anyway, I'm looking at Reddit and this poster, RushATGC, writes that they're a student and they had to come up with a cheap idea to be able to use headphones.
GRAHAM CLULEY. Nice.
CAROLE THERIAULT. Because the dual adapters are really expensive, right? They're heavy to carry and they're not that reliable, he says, or she says, we're not sure. So simple and cheap and very reliable solutions for phones without a headphone jack. You need your old wired headphones. You need a Bluetooth receiver. Okay, they go, they run for about $10, $15, and you need a 6-inch USB-C male to micro USB male cable. In other words, a USB cable, and that's it.
MARIA VARMAZIS. And that's it.
CAROLE THERIAULT. Okay, well, think about it though. You never run out of battery on Bluetooth receiver because you can charge it from the phone itself, right? Battery lasts 3 to 4 days in the receiver. That's a lot better than most Bluetooth headsets. Yeah, I know, I know. I'm not saying, I'm not saying this is better than having the old headphone jack back.
GRAHAM CLULEY. Sorry, Carole, I'm a bit confused. You got a bit technical for me, I'll be honest. So you've got regular headphones.
CAROLE THERIAULT. You've got regular earphones.
GRAHAM CLULEY. And they don't plug into the phone, they plug into—
CAROLE THERIAULT. Your Bluetooth receiver. So you would take your normal headphones, plug it into the Bluetooth receiver, the Bluetooth receiver interacts with your phone.
GRAHAM CLULEY. Oh, so the phone is sending the music or whatever, or hopefully a podcast, from your phone via Bluetooth to the Bluetooth receiver which is plugged into your earphones?
CAROLE THERIAULT. Yeah, now it's, it's kind of a workaround. It's a workaround. They're saying it's great because it's super cheap, it's super ultra lightweight. Like, if you look at the Bluetooth receiver, it's very small. It's an insane solution, but it costs just a few bucks, right?
GRAHAM CLULEY. It's not that insane. It sounds quite sensible to me.
CAROLE THERIAULT. And if you're a student, right, you don't have $150 lying around.
MARIA VARMAZIS. It's cheap.
GRAHAM CLULEY. And presumably if you are the owner of a car which still requires like a 3.5-inch, you know, a little wire, a millimeter wire to plug your phone in and you've now got something which you can't, you could do the same thing, couldn't you? So if you don't have a Bluetooth-enabled car, why don't you go and get one?
CAROLE THERIAULT. I'm going to get one. I never even thought about that. Thank you very much for the idea. See, this was a great pick of the week.
GRAHAM CLULEY. Not bad.
CAROLE THERIAULT. Yeah, I'll let you know how I get on.
MARIA VARMAZIS. It's completely free for me to complain about the lack of a headphone jack though. It's free to complain.
CAROLE THERIAULT. Honey, I'm with you 100%. I think Graham's on this bus as well. I hate it.
GRAHAM CLULEY. Oh, I'm not buying a phone which doesn't have a headphone jack. Me too. I care more about the headphone jack than I do about the home button disappearing.
CAROLE THERIAULT. That might be because we're addicted to podcasts.
GRAHAM CLULEY. But possibly. But, you know, I'm pretty annoyed about the fact that Touch ID has disappeared from modern iPhones. You have to use Face ID. But the lack of a headphone jack is even worse. What's going on at Apple? Why are they so obsessed with skinniness or whatever it is?
CAROLE THERIAULT. I think we know what happened at Apple.
MARIA VARMAZIS. It's all since Steve Jobs died. Really? Is that where we're from?
GRAHAM CLULEY. Yeah. I think that's where she's going. Well, that just about wraps it up for another week.
CAROLE THERIAULT. Not quite, Mr. Cluley. We have special bonus content this week. We did a little cheeky interview with Rachael from LastPass, and we're gonna slot that in right here. She is hilarious. You'll see. Take a listen. And thank you once again to our wonderful sponsors, LastPass. This is a special interview with LastPass's Rachael Stockton. Welcome to the show, Rachael.
SPEAKER_03. Thank you so much for having me.
GRAHAM CLULEY. Now, we've brought you on board because LastPass, of course, are experts when it comes to subject of passwords. Are you an expert when it comes to passwords? Do you find your friends and family are always asking you for password advice?
SPEAKER_03. Yes. You know what? I think I am an expert on passwords. I've definitely moved on from my password years ago being my dog's name, which is a whole other podcast about my dog. But also, you know, I've been using password managers now for years, and that's helped me up my password game. Um, but one of my favorite things to do though, guys, and if we're ever at a party, I'm totally doing it to you, is going in and asking people just small talk, you know, hey, what was your first pet's name? What high school did you go to? And then turning around and guessing what their password is. So I'm also a little bit of a magician.
CAROLE THERIAULT. Has that worked? Have you ever actually caught people out doing that?
SPEAKER_03. Oh, totally. Really? Yeah, people want simple passwords. It's a huge challenge.
GRAHAM CLULEY. And I think the thing is, even if people aren't using those words as their password anymore, they might be using those as their password reminder questions. You know, those security questions you get asked when you create accounts. So if someone wanted to break into your account, they might pretend to be you and say, oh yes, of course I remember the name of my first pet, or the first road I lived on, or my mother's maiden name.
SPEAKER_03. Yeah, definitely. You know, you find out somebody's first pet and maybe the year they were born, boom, you're into so many things right now.
CAROLE THERIAULT. Now, maybe we should get Rachael to tell us what she actually does with, at LastPass, Graham.
GRAHAM CLULEY. Yeah, what do you actually do? What? I mean, come on, it's just passwords. What is there actually to do?
SPEAKER_03. Oh my gosh, there's so much to do. So I focus on product marketing. And so what that means is really understanding what's happening out in the market. You know, what are people doing when it comes to passwords? Why are they still reusing passwords? Figuring out how we can move people to understand there are better solutions to keep them safer and trying to get that into their hands.
CAROLE THERIAULT. Do you think that password managers, like, does everyone know about that they exist, or do you think there's still a huge learning curve in actually introducing the whole concept to people?
SPEAKER_03. Question nails it. There is definitely still a huge learning curve to understand that there's a solution to one of the problems that sort of plagues everybody. Security. Everybody gets frustrated when they can't remember a password, so they write it down or they use something simple. And I think the majority of people out there don't realize that there are solutions out there that literally will do this for them. They'll remove all of that pain.
CAROLE THERIAULT. If you looked at a password, right? If someone gave you some password examples, would you be able to say that's a rubbish password or that's a great password?
SPEAKER_03. So in a way, yes. So for example, you know, you give me a simple dictionary word password, no, of course. But you give me this really complex password, if you're still using that in all of your applications, then that's a rubbish password. So it's not just the word, it's how you use it.
GRAHAM CLULEY. And how, of course, you reuse it. So you might have a really strong password, but if you're using it in more than one place.
SPEAKER_03. Exactly.
GRAHAM CLULEY. Can you explain what the danger is there for those people who haven't quite cottoned onto that one yet?
SPEAKER_03. Sure. You know, so if you're using the same password in many different locations. So in your personal life, so let's say it's on your Facebook and your LinkedIn and all of your different retail accounts and your bank. When one of those gets breached, and I say when because we do know breaches are just going to happen, they're going to be able to get that information. And then what those hackers end up doing is they try that username and password on all of these other sites and they're able to access that. And I think thinking about it in your personal life and the impact of that is one thing. But what we have also found is that people are reusing the same password at home and work. Yeah. So people are able to find out more information about the passwords that they do have, and then they're actually able to take this to an enterprise level, right? And so by reusing passwords in your daily life and in your business life, you're actually putting your business and company at risk too.
CAROLE THERIAULT. And do you think most people know that they should reuse, uh, or sorry, do you think people know that they should never reuse the same password? But they're probably thinking, okay, how am I supposed to remember unique passwords for each one?
SPEAKER_03. So we did this survey. So I love psychology. I love like the why behind stuff, like what's the catalyst that makes people do things.
CAROLE THERIAULT. Okay.
SPEAKER_03. And, um, people are like, okay, 72% are saying, "I understand password best practices." All right, great. But almost 60% are still using the same password. So, it's kind of like flossing. Like, we know, we know we should be flossing. We know it. We've been told it.
GRAHAM CLULEY. But it's so boring. Flossing is so tedious, isn't it?
SPEAKER_03. Oh, it's so tedious. And this dental survey, okay, so I know this is a little off topic. You guys don't eat mango enough.
CAROLE THERIAULT. That's all I'm saying.
SPEAKER_03. But so then this dental survey comes out, right? And they find out that only 30% of people actually floss every day.
CAROLE THERIAULT. Yeah.
SPEAKER_03. And I mean, no surprise. I mean, I don't have a dentist appointment in a week, so I'm going to floss like crazy for a week.
CAROLE THERIAULT. Make sure the gums stop bleeding.
SPEAKER_03. Yeah, it's the same thing. And it goes back to your initial question, to be honest, about do people understand that there is something that can help them with this? Being safe with your passwords can be really hard if you're trying to do it on your own. If you're trying to create that algorithm, if you're trying to keep track of it in Excel. But if you have some kind of solution that can generate it for you, save it for you, and fill it for you, my God, you know, that makes it so easy.
CAROLE THERIAULT. So this is a problem that impacts not just the at-home user, but also companies, right? It's on both sides.
SPEAKER_03. Yeah, definitely. It impacts both. And as I said, with password reuse between business and personal, that really raises the bar to the impact your choices can be having on your organization.
GRAHAM CLULEY. So why would a company look for an enterprise password management solution rather than just rolling out a consumer version onto all of their computers?
SPEAKER_03. The big one that I say is control. When you're looking at an enterprise password management solution, you really want to be able to set policies, ensure that people are managing passwords the way you want them to be able to do. And so if you have an enterprise solution, you're able to access those policies and apply them. You're also able to gain visibility. So you have a score that says this is how well my company is doing when it comes to their passwords. And that takes into account things like password reuse, password complexity, security, the use of two-factor authentication, which is a whole episode in and of itself.
GRAHAM CLULEY. Right.
MARIA VARMAZIS. Yeah.
SPEAKER_03. And so you're able to see, okay, here are the areas for improvement, and then target the departments or even the individuals to do that.
GRAHAM CLULEY. Oh, so you would be able to drill down through some sort of dashboard and say, okay, I don't know, for instance, the finance department seem to be reusing a lot of passwords rather than—
SPEAKER_03. Exactly.
GRAHAM CLULEY. Oh, right. And then you have to go there with a cricket bat, wallop them around the back of the head and give them some training.
SPEAKER_03. Well, I mean, of course, depending on the country, we might use baseball bats here, and I am from Boston, so it is about the Red Sox, but I'll go with you, Graham. I'll go with you with cricket.
GRAHAM CLULEY. I love the idea of password managers, and I think they're good for consumers and for businesses. But one of the responses I often get is people saying, oh, but hang on, how can you trust the password manager? You know, aren't you putting all your eggs in one basket? So you must hear that all the time. What's your response to that?
SPEAKER_03. Yeah, I think—
CAROLE THERIAULT. Yeah, Rachael.
GRAHAM CLULEY. Yeah, Rachael. Yeah. Come on then. You think you're hard enough?
SPEAKER_03. Yeah, it's true. I think that, you know, that we hear that all the time. And the key piece for, you know, our password manager and for a lot of the other ones out there too is we take this really very seriously. We have more than half a billion passwords that we have. We encrypt it, wrap it in aluminum foil, you know, put all sorts of bubble wrap around it, you know, making sure people can't get at it. But really the key there is that with a password manager, you're given a master password, something that you need to— only you need to have and you need to remember. And that is actually the secret key that unlocks it. Even the company that has the password manager, in our case LastPass, we can't get access to any of that information. It's just that master password.
CAROLE THERIAULT. This was going to be my million-dollar question. What happens if you forget your master password?
SPEAKER_03. You know what? In the enterprise, using those policies that I mentioned, that organization can help reset that. And if you're using two-factor authentication, you know, if you're an individual, then we're able to help reset that as well. But that's one of the biggest challenges still is you still have that one password that you need to remember. And you want it to be a good one.
CAROLE THERIAULT. Yeah, it's the kingdom.
SPEAKER_03. It is. But you know what, Carole? That's a really good point though. I think it's very important that when we're talking about password manager and we're talking about basically those keys to the kingdom that that one master password gives you is you have to be able to protect that with two-factor authentication.
GRAHAM CLULEY. Right.
SPEAKER_03. And there are, I mean, two-factor authentication has come a long way, baby. You know, we're not talking that you have to have a key fob hardware thing that you're carrying around with you all the time, you know, it can be, you can use our two-factor, you can use your Google Auth, you can use anything, but just use something.
GRAHAM CLULEY. Because everyone these days is carrying a mobile phone around with them anyway.
CAROLE THERIAULT. An authenticator.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. Yeah. Which, which can obviously run an authentication app, whether it be yours or one of the other third-party ones out there, um, to do this, this kind of job.
SPEAKER_03. Definitely. There's really no reason not to.
CAROLE THERIAULT. So why are you guys better than the competition? There's got to be something. Come on.
GRAHAM CLULEY. Is there any competition, Carole?
SPEAKER_03. Yeah, I think, I think it's— there are a few things that we hear from our, you know, from our end users, um, as well as businesses that separates us. You know, I think the first thing really just comes down to it works. If you're using a password manager, you don't want it to— you go to a site and then it's not working. So this is tried and true, and, and, you know, we've been around for years. So when you're signing up to use LastPass, you know that it's going to work on all the different sites that you're going to. So that's number one. I think number two is really the ease with which we're able to generate complex passwords for you. And so we take even the complexity of figuring out what's a good enough password out of that equation.
CAROLE THERIAULT. I love that feature. I totally love that feature of being able to just choose a random password with lots of characters whether they're numbers or letters or even special characters and any length. It's a really great little feature.
GRAHAM CLULEY. Because if you had to rely on your imagination, Carole, or your puny human brain—
CAROLE THERIAULT. Was that my name that you tried to barf out there?
GRAHAM CLULEY. Sorry. Then you would struggle, wouldn't you? I mean, you would struggle if you had to come up with 15 different passwords or something for all those different accounts.
CAROLE THERIAULT. I would struggle coming up with them, let alone remembering them.
GRAHAM CLULEY. I've got some very good passwords, let me tell you. On the days before I I've actually found a piece of paper with some of my old passwords on it, because I very handily wrote them down back. Do you want to hear some of these? Some of these are quite clever, actually. Okay, so, um, let me in, obviously.
SPEAKER_03. That was your password?
CAROLE THERIAULT. Rachael, I'm sorry. I'm sorry.
SPEAKER_03. There was not even a please there. I mean, what do you think you're going to get?
GRAHAM CLULEY. I'm English. It's just like, you know, I feel like I have a God-given right to be allowed into the account. I am here. Let me in. So password 3, which I thought was quite clever because it wasn't password 1, and I thought hackers would give up after password 2, they'd move on. Password 3. Carole, have you got any— do you remember any of your old passwords?
CAROLE THERIAULT. No, I bet you're gonna say one of yours was like S3X, and how good is that?
MARIA VARMAZIS. Oh dear God.
CAROLE THERIAULT. Yeah, I now see what we're dealing with. Now, okay, so Rachael, Graham is getting on in years. I'm worried about a time when he actually has trouble even using a password manager. Do you recommend for those that do have trouble even with the simplest computer tasks to write them down or never?
SPEAKER_03. You know, I think that you're at risk if you write them down.
CAROLE THERIAULT. Yeah, I agree. I know it's so hard.
SPEAKER_03. I think it is really hard. And you know what I actually really do, and so I have my dad, he's awesome. Hey, Dad. And he also has thrown more than one computer out, you know, off the table, so he can get frustrated. You know, I think the great thing about LastPass is it is intuitive, but sometimes, you know, it helps to have a helping hand. So, we have a lot of different videos, all of that to help people do that.
GRAHAM CLULEY. I'm imagining in the enterprise environment, there are occasions when you do need to share a password with different people. Does LastPass give you an ability to easily do that? And is that something which could also be used to, for instance, look after elderly relatives who may have more difficulty handling different accounts and different passwords?
SPEAKER_03. Sharing is, on the business side, one of the primary reasons people actually start to look at password management. And when people think about sharing, they often think about sharing IT passwords or things along those lines, but it's happening all over—marketing departments sharing social media passwords, all sorts of tools. And think about what happens if that password is shared, you know, over email, gets in the wrong hands, and then somebody's Twitter account gets hacked. And so being able to share it ensures that number one, people have access. Number two, they still don't know what it is. But let's say that somebody leaves, you don't even have to change that password. You can keep it going because they've never known what it is.
GRAHAM CLULEY. Ah, right. So it's— you're sharing access somehow, right? Right, so, so it's the— it's LastPass itself running in, for instance, your browser on your desktop, which is filling in the password. You don't get to see it when you log into accounts, which means that you can't take it with you when you leave the company. And if you did want to reset the password, that would reset it for everybody.
RACHAEL STOCKTON. Yes, it would. So you mentioned sharing it among your family and among those elderly relatives. I think that's another use case we really see, another way people are using this. No offense, nobody get mad, but sharing that Netflix password. How many times are you getting that text or that phone call? Look how apt that was with that phone ringing.
CAROLE THERIAULT. You've got your own sound effects. I'm so sorry. That was me. That's me. Was that you, Carole?
GRAHAM CLULEY. Yes. I thought it was Rachael.
RACHAEL STOCKTON. No. I was doing my own sound effects, Graham. I'm good. I'm not that good, man.
CAROLE THERIAULT. She's got a cowbell. She's got all kinds of stuff. Wait, you just wait. You just wait.
RACHAEL STOCKTON. All right, so, um, so you asked about, uh, sharing when it comes to real people, not businesses, and that's another huge thing. I mean, first think about how many times you get texted or called for what is the Netflix password. And so you can share that now easily and don't have to get those calls. And also, if you're going to be grounding your and you don't want them to have it anymore, then you just change it and don't share it. So you get a lot of power that way.
CAROLE THERIAULT. I love that. Yeah. I've never thought about grounding in this day and age, but it must be really difficult, right? Just wait, Graham, a few years. We have to do that sort of stuff. How are you going to— now that's the way you do it.
GRAHAM CLULEY. My wife already grounds me. What are you talking about? I don't have to wait for my child to grow up.
CAROLE THERIAULT. But being able to share the password and being able to revoke the sharing when you need to do so is quite cool.
GRAHAM CLULEY. All hell is going to break out if that happens.
CAROLE THERIAULT. Well, who wears the trousers in your place?
GRAHAM CLULEY. Oh yeah, thank you very much.
CAROLE THERIAULT. Let's not go there. Now, Rachael, do you think, can you even envision a time when passwords will no longer be necessary?
RACHAEL STOCKTON. Yeah, you know, 'cause the fact is, in my, like, in my heart, I would love that to happen because I am lazy. Me. And I don't want to have to worry about passwords. And I want to be able to get access before I even know I want access. Right. So as an individual, that being said, we do need to be able to protect things that matter to us. And I think what we're probably looking at more now is less the concept of passwords going away, but more of it being, let's say, layered on. So being replaced by app, you know, by some sort of biometric access, which really in a way is another password and also has its pros and cons. I mean, you can't change your fingerprint. No. Yeah.
CAROLE THERIAULT. Do you feel that there's a preference for fingerprints or for facial ID?
RACHAEL STOCKTON. Ooh, ask me that a year ago. I would've definitely said fingerprints. Yeah. But I do think that, you know, as we look at those devices that we talked about, the phones that we literally will turn around if we have lost it and go back and be late to wherever we're going. As more and more of them are incorporating facial ID, I think you're going to see a preference there. The challenge is going to be ensuring that you have the same kind of ability to do that on your phone as you do your laptop, as you do your desktop, because what people want is they want consistency. They don't want to have to do different things on different devices.
CAROLE THERIAULT. So you're not worried, you've got a job for life basically with passwords is what you think in here?
RACHAEL STOCKTON. I think passwords and identity are going to be things that we are continually struggling with. So yeah, I'm pretty sure I have a job for life.
CAROLE THERIAULT. And you have a friend for life now. Did you enjoy being on the show?
RACHAEL STOCKTON. Oh, this is, yeah, this has been great. Friend for life, is that?
CAROLE THERIAULT. Well, I just, I think we're bud buds now, don't you think?
GRAHAM CLULEY. Oh, that's lovely, isn't it? Yeah.
CAROLE THERIAULT. Yeah, well, I was just thinking maybe Rachael would want to share her password now.
GRAHAM CLULEY. Yeah, yeah, yeah, you trust us, don't you?
RACHAEL STOCKTON. Yep, I'll send that to you right away, Carole.
CAROLE THERIAULT. Pinky swear, I'll share it with no one.
GRAHAM CLULEY. Well, there we go. You're lovely, Rachael. You're very easy to speak to. Oh, thank you so much.
RACHAEL STOCKTON. This is so fun.
GRAHAM CLULEY. Well, hey, Maria, what did you think of How was that? Wasn't that interesting to listen to Carole Theriault and me there speaking to Rachael Stockton at LastPass?
MARIA VARMAZIS. Yes, that was fascinating. Yes.
GRAHAM CLULEY. You didn't actually hear it, did you? No, I didn't. Well, on that bombshell, we really have just about wrapped it up for this week. If you want to follow us, you can follow us on Twitter @SmashinSecurity. Twitter wouldn't allow us to have a G. And Maria, folks, I'm sure would love to follow you as well. What's the best way to do that?
MARIA VARMAZIS. Yeah, on Twitter. Twitter wouldn't allow me to have a reasonable last name, so it's M-V-A-R-M-A-Z-I-S. Maria Varmazis. Find me on Twitter, I'm on there, you'll find me.
GRAHAM CLULEY. And if you want merchandise like t-shirts and Smashing Security mugs and stickers and things like that, go to smashingsecurity.com/store.
CAROLE THERIAULT. Thank you for listening each and every week. We are thrilled if you like what you hear, and if you want to help us grow so we can deliver more content, all you need to do is help us get the word out. So tell your friends, wax lyrical on social media, rate us in your podcast apps. All this stuff really, really helps.
GRAHAM CLULEY. Scroll the name Smashing Security in blood on your bedroom wall. Whatever you can do to get the name out there works for us. Please don't do that.
MARIA VARMAZIS. Okay. Tattoo? Maybe a Smashing Security tattoo?
GRAHAM CLULEY. No? Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye everyone. Bye. Who's that from?
MARIA VARMAZIS. What's that from? Oh, it's a drag queen.
CAROLE THERIAULT. I'm thinking of like a cartoon character. Oh, it reminds me of Frasier. Janice? Was it Janice from Frasier or something?
GRAHAM CLULEY. Oh my God, wasn't she on Friends? Wasn't that Chandler's ex-wife or something? Why do I know? If only we knew someone who knew a lot about Friends. They don't listen to the show.
-- TRANSCRIPT ENDS --