
366: Money-making bots, and Incognito isn’t private


Google says it is deleting your Google Chrome Incognito private-browsing data that it should never have collected anyway. Can a zero-risk millionaire-making bot be trusted? And what countries are banned from buying your sensitive data?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Yeah, what's your advice on this, Graham? What's your advice?


GRAHAM CLULEY. Don't be so dumb.


THOM LANGFORD. Don't be so dumb.


GRAHAM CLULEY. Stop being so stupid.


THOM LANGFORD. Just stop a minute. Yeah.


UNKNOWN. Smashing Security, episode 366, Money-Making Bots and Incognito Isn't Private, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 366. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week we're joined by, well, he's a podcast tart really. He's always appearing on them, isn't he? It's Thom Langford from the Host Unknown podcast. Hello, Thom.


THOM LANGFORD. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.


GRAHAM CLULEY. I think you're joining us, aren't you?


THOM LANGFORD. Something like that. I just, as you probably noticed from the last show, I tend to just say that whenever I join a podcast, it seems to work so far.


CAROLE THERIAULT. Let's thank this week's wonderful sponsors, Kolide, Kiteworks, and Vanta. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Well, I'm going to be asking the big question, which is, is there really a zero-risk magic way to make a million dollars?


CAROLE THERIAULT. Hmm.


THOM LANGFORD. Okay.


CAROLE THERIAULT. And what about you, Thom?


THOM LANGFORD. Should be a short show because that's a no. Well, my story is, is there anything that isn't for sale nowadays?


CAROLE THERIAULT. And I'm going to be asking, whatever happened to do no evil? Hey Google. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, what if someone were to tell you, what if someone would come up to you and say, Hey, hey, hey. I could make you a millionaire. Just like that. Just like that. In an instant. I can make you a millionaire. What would you think to that?


CAROLE THERIAULT. Alright, go shoot.


GRAHAM CLULEY. Go.


CAROLE THERIAULT. Do it.


THOM LANGFORD. Yeah, crack on. No effort required.


GRAHAM CLULEY. Yeah.


THOM LANGFORD. This time next year, Rodney, we could be millionaires.


GRAHAM CLULEY. What if they told you that they were going to make a zero-risk, magic money-making bot that they guaranteed could turn investors into millionaires. Just give them a bit of money, they will make this bot, and it will just churn out the money. Sounds too good to be true, doesn't it? Sounds slightly implausible.


CAROLE THERIAULT. Well, it depends who's telling me, you know. If it's someone great like Elon Musk in a video that I might have seen on, you know, Twitter, or the, you know, I might believe it. I don't know.


GRAHAM CLULEY. Yeah, but if they dropped a certain word into the conversation, then you would believe it's true. Because if they were to mention the word cryptocurrency, now I'm sure you trust it. Now I'm sure you really think it's going to happen, don't you?


THOM LANGFORD. Well, I'm sold, you know, because my own history with crypto and bitcoin is, well, checkered at best. So yeah, absolutely.


CAROLE THERIAULT. Isn't bitcoin making a ton of money at the moment though? Isn't it on the up?


THOM LANGFORD. Oh yes, I sold my bitcoin about 3 weeks before it went from $7 to $42 a bitcoin or something like that. Anyway, it was— I was an idiot.


CAROLE THERIAULT. What an idiot. You don't know what the future is going to hold.


GRAHAM CLULEY. Well, all right.


THOM LANGFORD. I'm an impatient person then.


GRAHAM CLULEY. So what if I told you that the person behind this magic money-making scheme, his name is Robert Rob. Literally, his name is Rob Rob. Does that ring any alarm bells in your head? That there's someone called Rob Rob? It's a bit like being called Robin Banks.


THOM LANGFORD. Does he wear an eye mask and walk around in a stripy jumper?


CAROLE THERIAULT. Robbie Robbie Rob Rob.


GRAHAM CLULEY. And this chap, Robert Rob, has previously spent time in the clink for swindling millions from investors after he claimed that he had a fake gambling machine, which he was going to put into Las Vegas casinos. And he managed to trick millions out of people for that.

So he spent time in jail in the past. But you'd trust him, though, wouldn't you now?

Because now he's talking about cryptocurrency and a magic money-making scheme involving cryptocurrency. Well, Rob Rob has been arrested by the FBI.


THOM LANGFORD. No!


GRAHAM CLULEY. I know it's a shock, isn't it? Because he has allegedly been perpetrating a scheme that has netted so far over $1.5 million.

Because he said he was going to build— now, I'm going to try and avoid using too much technical language. There will inevitably be some things which zoom over your head, Thom.

Carole, you may be able to follow some of this. But so, okay, he wanted to build a magical thingamajig that traded crypto with guaranteed profits.


THOM LANGFORD. That was in his sales spiel, was it?


CAROLE THERIAULT. Is that a quote? Magical thingamajig?


GRAHAM CLULEY. It's maybe not a precise quote, but basically it's a magical thingamajig. This bot, he claimed, could predict what cryptocurrency people were going to buy and sell before they did it, and even hijack transactions.

And in this way, his bot would actually make the purchases itself and make millions for those people who funded the scheme to create the bot. So the bot is going to do all your investing for you, probably using AI, probably using the blockchain.


CAROLE THERIAULT. Exactly. I was just going to say he must have dropped the AI, AI, AI bit a bit.


GRAHAM CLULEY. You would, wouldn't you? The AI-O.

Yes, exactly. So this chap, Robert Rob, he allegedly posted on Telegram.

He said, "Poof, you're a millionaire." And he targeted people who he said had spare hundreds of thousands of dollars lying around.

So people like you, Thom, top podcasters, CISOs, those sort of people, lots and lots of money lying around.


CAROLE THERIAULT. Yeah, I typically carry that in my back pocket. You know, you never know.


GRAHAM CLULEY. You know, I use it to wipe my ass.


THOM LANGFORD. I thought this was a no-risk thing, therefore no money.


GRAHAM CLULEY. Oh, well, no, no, but just because you're putting money in, Thom, doesn't mean that there's any risk because you are guaranteed, you are guaranteed to have a huge return on your money according allegedly to Robert Rob. So he said that investors could become millionaires through a combination of this bot investment into cryptocurrency.

The cryptocurrency was called RAT, R-A-T, and a cryptocurrency token called NoRugs.


CAROLE THERIAULT. NoRugs?


GRAHAM CLULEY. Yeah, so you might be wondering why the reference to rugs? Well, that's because there have unfortunately been some scams involving cryptocurrency where the rug has been pulled from under people and where scammers have actually disappeared with people's money.

And so he wanted to reassure people that he wasn't that kind of person. By calling his token NoRugs.


THOM LANGFORD. Because the rug has already been pulled?


CAROLE THERIAULT. I love that he calls it though NoRugs with a Z, because he's obviously hip.


THOM LANGFORD. Yes, that's because he's down with the kids. Mm-hmm.


GRAHAM CLULEY. So Rob Rob, he told potential investors this was a capital-intensive prototype. That was— I love this one.


CAROLE THERIAULT. I don't even know what that means. Capital-intensive.


GRAHAM CLULEY. He said, well, that means you've got to put loads of money in, but it's going to cost a bit to create his prototype bot. But he said it was theoretically good enough to make everyone rich.


CAROLE THERIAULT. So he said this in what, a document or a video or what?


GRAHAM CLULEY. In his spiel, you know, the spiel that he was posting up on the socials, up on Telegram in front of investors. So I think we should take a moment to appreciate that beautiful phrasing, capital-intensive prototype that was theoretically good enough to make people rich.


CAROLE THERIAULT. Yeah, that's kind of an alarm bell thing for me. The theoretically good enough, that's a real—


GRAHAM CLULEY. Well, I'd say so. I'd say so. I think in our cynical sort of cybersecurity heads on, we would say that doesn't sound necessarily like it really is good enough.

You know, in theory it's good enough, but maybe not in practice. And the best thing about all of this is that Robert Rob, having got this money, having got $1.5 million, he's alleged by the FBI not to have actually bothered to build anything.

He didn't actually build a prototype.


THOM LANGFORD. Color me surprised.


GRAHAM CLULEY. Why sweat loads of coding software when you could, for instance, spend $204,000 buying a Swiss suite for the Denver Broncos if you were a big fan of theirs, or buying a brand new Jeep or a $20,000 vacation in the Bahamas. He's not even buying rugs.

What is wrong with this guy? There's no rugs being bought.

Well, the investors started getting restless and Rob, when challenged, he started playing the victim card. He says, oh, you know, I've had COVID, my safety's been threatened.

There's been some glitches on the exchange. There's people extorting me.

I've got problems with the family. There was always an excuse when investors were saying when are we going to see the outcome of all of our investment?

And once again, this is really a story of how common sense has been flung out of the window by people who are so desperate to get rich quick with cryptocurrency. I don't know, I don't want to call it dumb, but their gullibility really knows no bounds.

And this was all built on hype and little substance.


CAROLE THERIAULT. I don't know. It's not about gullibility.

It's about— no, I mean, surely Robbie Rob is the problem here. He's the greedy, greedy guy who's going around faking that he can help people, and a lot of people have gotten rich on crypto.


GRAHAM CLULEY. People get rich, but people don't get rich because of a magical money-making machine. They don't get rich with something which is theoretically—


CAROLE THERIAULT. I'm sure it wasn't called the magical money-making machine, you know.


THOM LANGFORD. It was theoretically good enough to be called a magical money-making machine.


CAROLE THERIAULT. Yeah, Graham.


GRAHAM CLULEY. So Robert's claimed on Twitter that he himself has been a past victim. And in fact, if you go and look on his Twitter account, I think he calls himself something like Poker Brat because he was obviously into casinos back in the day when he was scamming people with his casino machine.

And he's frequently warned his followers, look out for crypto scams anyway, which is kind of ironic, I think.


THOM LANGFORD. I think I've heard of this guy anyway. Didn't he then go on to Scotland and then open up a Willy Wonka experience?


GRAHAM CLULEY. Robbie McRub of the Clan McRub. Anyway, folks.


CAROLE THERIAULT. Yeah, what's your advice on this, Graham? What's your advice?


GRAHAM CLULEY. Don't be so dumb. Don't be so dumb.

Just don't be so stupid.


THOM LANGFORD. Just stop a minute. Yeah, ask yourself, is this too good to be true?


GRAHAM CLULEY. Stop investing in crypto. If you have invested in crypto, make sure that you sell while the price is high, Thom.

Don't sell where it's low.


THOM LANGFORD. Well, there is that too, yeah. But at least I made my own mistakes about my own investment strategy.

I didn't just rely on somebody saying, I'll do this for you and I'll make you loads of money.


GRAHAM CLULEY. And I can create a machine which can predict what other people are going to do with cryptocurrency and carry out a man-in-the-middle attack by intercepting the trades and doing it for them, which I'm sure is illegal anyway, right? Well, I don't know how it was meant to work, but it all sounds very, very peculiar.


THOM LANGFORD. Utter tosh.


GRAHAM CLULEY. So there you are. It's a shock story. I know it's going to leave many of our listeners completely dumbfounded that anything to do with cryptocurrency could end up being a bit of a scam.


CAROLE THERIAULT. Well, you've already called them dumb for getting involved, and now you're calling them dumbfounded when they realised. You're really being tough on our listeners, I think.


THOM LANGFORD. I'm not accusing our listeners of being dumb.


CAROLE THERIAULT. Good. I just wanted to make sure.


GRAHAM CLULEY. If any of our listeners have $100,000 to invest in a magical money-making machine, maybe they'd like to sponsor—


THOM LANGFORD. Host our own podcast!


GRAHAM CLULEY. Yes!


THOM LANGFORD. Sponsorship!


GRAHAM CLULEY. He's quicker than me, darn it! Thom, what have you got for us this week?


THOM LANGFORD. Well, it's a little bit of a rant, actually, but—


GRAHAM CLULEY. Oh, another one.


CAROLE THERIAULT. Fantastic.


THOM LANGFORD. I had a great story, but Carole stole it off me. She got there too quickly, but— I'm not really talking about the headline per se, but actually the underlying feeling.

So the headline, this is from Wired, it says Biden bans rival nations from buying sensitive US data. And at first glance, you think, well, good, you know, rival nations, you know, bad state actors, shouldn't be buying sensitive data.

But then when you look into it, what's actually happening is that he's putting in place a ban that stops the valid sale of personal, sensitive, and potentially confidential information to people that basically they don't want to. So capitalism is good until it's not, and we don't want it to go to certain people.

But what I'm really shocked about is by how much our personal data is sold. So the data they're talking about is, for instance, healthcare data.

So some of your most private details potentially are being sold, not just nationally, but internationally. And what Biden stopped doing, and it's a good thing on the whole, but it's kind of a bit closing the barn doors after the horse has bolted, is just stopping this sale to certain countries.

And that the brokers that sell this data have to do more homework to ensure that it's sold to the right people. And a tentative list given to reporters.


GRAHAM CLULEY. Oh, can we guess? Can we guess?


THOM LANGFORD. Yeah, go on, go on. Hang on, I'll tell you how many there are.

There's 1, 2, 3, 4, 5. There's 6 countries. How many can you get?


GRAHAM CLULEY. Okay, Carole, you try. You try one, Carole, then I'll try one.


CAROLE THERIAULT. Iran.


THOM LANGFORD. Yes.


GRAHAM CLULEY. China.


THOM LANGFORD. Yes.


CAROLE THERIAULT. I think it's called Jaina, isn't it?


GRAHAM CLULEY. That's the next guy and the previous guy.


CAROLE THERIAULT. Yeah.


THOM LANGFORD. Russia.


GRAHAM CLULEY. Russia, yes. 3 down, 3 to go.


THOM LANGFORD. North Korea.


GRAHAM CLULEY. Yes. The last 2 are less obvious until you actually, you know, until you say them, if you see what I mean.

Myanmar. No.


CAROLE THERIAULT. Hmm.


THOM LANGFORD. Right, this could get very dull for the listeners very quickly. Unless I jump in here.


CAROLE THERIAULT. Yeah, give us the first letter. C. Cambodia?


THOM LANGFORD. No.


CAROLE THERIAULT. Callus.


THOM LANGFORD. Well, it's where you get these cigars from.


GRAHAM CLULEY. Cuba, of course.


THOM LANGFORD. Cuba.


GRAHAM CLULEY. Cuba.


THOM LANGFORD. See? And the last one begins with a V. Venezuela. Exactly. Where the famous Monty Python beaver cheese comes from. The Venezuelan beaver cheese?

So, basically what they're saying is, you can't sell people's most sensitive and confidential of data to these 6 countries. And you're thinking, surely we shouldn't be selling this data to any countries. Yeah, not just these.

And it just occurs to me that I think we have reached the tipping point whereby our personal data is now no longer our data. It no longer belongs to us.

And I'm sure, you know, America is very often a little bit of a litmus test for this sort of stuff. And I'm sure, you know, there are European countries, certainly in the EU, are probably a little better protected than the US.

But on the whole, I think we are seeing exactly where things are going as regards how our personal data is gathered, stored, and subsequently treated, i.e., sold afterwards. And it's going to— it's just going to get worse.

But I honestly think it's— we're now at that position where we do not own our own data anymore.

So this is data that's been gathered by these huge organizations, hospitals, and, you know, well, that's, you know, obviously it's that they're private companies in the US, you know, rather than sort of national institutions. But, you know, that's how they're making money.


CAROLE THERIAULT. You know, I was just going to say Amazon, didn't they get access to healthcare info collected by the NHS? Well, there's a contract with the government.


THOM LANGFORD. Yes, that's right.


CAROLE THERIAULT. In 2019, government hands Amazon free access to NHS information.


GRAHAM CLULEY. Okay.


THOM LANGFORD. Well, yeah, there you go.


CAROLE THERIAULT. Amazon, they're really good. They're trustworthy and will take care of everything.


THOM LANGFORD. They're absolutely trustworthy. I think the way they handle everything from data to money is impeccable and beyond reproach.

Maybe, maybe we'll be proven wrong later on. So yeah, I think my whole point of this is I think we've lost, frankly.

It's very depressing. I think we've lost. And I think we're now going to be living in a society where our data is not our own.


CAROLE THERIAULT. Do you know what, though? I might argue that we are just the generation that is in the middle of the transition period. Yes. It might be very different for your kids or maybe even their kids, unfortunately.


THOM LANGFORD. But yeah, and it might be absolutely fine.


GRAHAM CLULEY. It is a moment of transition, but we're transitioning to the Matrix, Carole. We're going to all be stored in pods. That's what's going to be happening.


CAROLE THERIAULT. Can I—


THOM LANGFORD. Exactly.


GRAHAM CLULEY. Can I inject some sanity?


THOM LANGFORD. No, no.


CAROLE THERIAULT. If I'm in a pod, I just want to make sure I know who's next to me.


GRAHAM CLULEY. Oh, okay. I don't like the idea of countries selling this data to other countries, but I don't really like the idea of this data ending up in Mark Zuckerberg's pocket.


CAROLE THERIAULT. I don't like the idea of this data going anywhere without my permission.


THOM LANGFORD. Exactly. But to Graham's point, maybe this is the new normal. Maybe actually future generations won't care and this is just how it is.


CAROLE THERIAULT. They will care. If we're listening to this in the future.


THOM LANGFORD. In the past, we didn't care about anything we couldn't see beyond the hill in the horizon, right? Our boundaries were far, far tighter and closer to us, whereas now our boundaries are, well, almost limitless as regards geographical boundaries.

Things will change. And everything, you know, business evolves and lifestyles and cultures, etc., evolve. But right now, I think it just sucks a little bit.


GRAHAM CLULEY. Oh, thank goodness you said that, Thom. I was thinking this isn't much of a rant. You're sounding very resigned to it all. I wanted some anger. I want some passion from you, Thom.


CAROLE THERIAULT. I've had enough. I've had enough of anger. Please don't.


THOM LANGFORD. Grrr.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. I first would like to ask you to define what you think the word incognito means.


GRAHAM CLULEY. Ah, well, that's incognito. It's sort of like in disguise, isn't it? Or, you know, sort of so people can't identify you.


THOM LANGFORD. When I was a young man, there was a club called Cognito. And so when you were incognito, you happened to be in that club. Just saying.


CAROLE THERIAULT. Well, I looked it up just to make sure, right, that I could understand it appropriately. And it's having one's true identity concealed.


THOM LANGFORD. Yes. Right.


CAROLE THERIAULT. And avoiding being recognised by changing your name or your appearance. So if either of you guys used incognito mode in Chrome, I mean, it's been around for donkey's years. You must have used it at some point.


THOM LANGFORD. Only for about 2 minutes at a time.


GRAHAM CLULEY. Why is that?


THOM LANGFORD. I, what I needed doing was, didn't take long. Let me put it that way.


GRAHAM CLULEY. Oh, I see. So you sort of finished whatever it was you're doing quite quickly.


THOM LANGFORD. I finished off.


GRAHAM CLULEY. Yeah, you could turn off your privacy. I don't tend to use Chrome, so—


CAROLE THERIAULT. But even in the early days?


GRAHAM CLULEY. I guess I probably would have done, yeah.


THOM LANGFORD. But all browsers have a private mode, right? They all, all of them have a private—


CAROLE THERIAULT. I think Google was the first though, wasn't it?


THOM LANGFORD. It probably was. It wouldn't surprise me because Chrome, despite its origins, as it were, is one of the most advanced web browsers out there.


CAROLE THERIAULT. I have used it, but I wasn't— I was like, why do I use it? What do I use it for? And I was using it for things like, you know, buying presents for people and not wanting them to see it and all this kind of stuff. And I started looking around, on this request on Quora, from 2008. And the sender asks, why does my husband use incognito mode in his browser?


THOM LANGFORD. Because he's buying her presents.


CAROLE THERIAULT. And the responder writes, if you're security conscious, this is in 2008, if you're security conscious and you don't want to be tracked by anyone while you're surfing, private browsing incognito mode is a great way to do it. Or you can just presume he's surfing porn. That might be easier, right? So FNAF, FNAF, FNAF. But I would say that's most people's assumption.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. That that's why you would use incognito mode. Perhaps maybe not the most computer or cyber savvy of us out there, but still.


THOM LANGFORD. I think that there are many valid uses for it, but I would imagine that 90% of cases are because they're surfing for certain contents they don't wish others to see.


GRAHAM CLULEY. Hang on, Thom, did you say 2 minutes? That's very impressive for a man of your vintage.


THOM LANGFORD. Well, yes, exactly. It's either 2 minutes or 4 days, one or the other, you know.


CAROLE THERIAULT. Now, at the time when this guy responded on Quora, he gave a screenshot saying, have you seen the start page for incognito mode? So when you select incognito mode on Chrome, at the time, it would provide this thing saying you're browsing privately. And it would say not saved. History, searches, cookies, and temporary files. And it says it does save downloads and bookmarks. And it does even give a private note saying, please note that your employer or your internet service provider can still track the pages you visit.


THOM LANGFORD. Okay?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay. So fair enough. Now, unfortunately, it turns out that incognito mode in Chrome was found to be a little less private than the average user might have assumed based on this display screen. And people got kind of mad, so mad that they sued.

And this all began in June 2020, right, in Northern District of California. And the plaintiffs argued that Google's analytics, cookies, and apps let Alphabet, the parent company of Google, track the activities even when they set their Google Chrome browser to incognito mode and other browsers to private browsing mode.

The plaintiff said this turned Google into an unaccountable trove of information by letting companies learn about their friends, their hobbies, favorite foods, shopping habits, and potentially embarrassing things, right, Thom? That some things that take 2 minutes in your case that they seek out online.


GRAHAM CLULEY. I think you got some of those things in the wrong order, Carole. I think maybe the thing which Thom is doing in incognito mode, that probably should have begun the list.

Because that seems to be what most people are using incognito mode for rather than the other stuff.


CAROLE THERIAULT. How do you know that? They're incognito. Is that what you do?


GRAHAM CLULEY. I asked a friend at Google.


THOM LANGFORD. Yes, I was going to say Google told him, yeah.


CAROLE THERIAULT. They also allege that sites using Google Analytics or Ad Manager collected information from browsers in incognito mode, including web page content, device data, and IP addresses. They also accused Google of taking a Chrome user's private browsing activity and then associating it with their already existing user profiles.


THOM LANGFORD. What? Not even storing it separately.


CAROLE THERIAULT. Remember, "do no evil." That was their thing. Remember that? I miss those days.


GRAHAM CLULEY. So when Chrome was saying you are now browsing privately, what it actually meant was you're browsing privately, but not from us.


THOM LANGFORD. Yeah. Yeah.


CAROLE THERIAULT. So basically, while incognito mode lets users turn off data collection when using the Chrome browser, other Google tools used by websites such as ad tech scoop up all the data anyway, according to the suit.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. The lawsuit covered millions of Google users since the 1st of June, 2016, and sought at least $5,100,000 in damages per user for violation of federal wiretapping and California privacy laws.


GRAHAM CLULEY. You've got to admit, that is the most satisfying wank you're ever going to have in your life. If you're given— if you're going to be rewarded with thousands of dollars each time. Oh my goodness.


CAROLE THERIAULT. Violation. That's how you make a million dollars really quickly.


THOM LANGFORD. Not just any wank, a private wank.


CAROLE THERIAULT. Eventually, plaintiffs were basically asking for $5 billion in wonga payments from Google for its blatant naughtiness. Now, Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turned on the Chrome incognito mode, that start page we talked about, that warns users saying their activity might still be visible to websites you visit, right?

Yeah, but the judge totally rejected this. And eventually, years later, okay, Google agreed to settle the lawsuit claiming it secretly tracked the internet use of people who thought they were doing their browsing privately.


GRAHAM CLULEY. Boy, oh boy.


CAROLE THERIAULT. So while the plaintiffs asked for this $5 billion in damages, the settlement includes no payment from Google. So instead, individuals will be able to pursue damages by filing their own complaints against Google in US state courts.


GRAHAM CLULEY. But they've already got their hands full. They've got no time to do that.


THOM LANGFORD. They have. They've got 23 hours and 58 minutes every day.


CAROLE THERIAULT. Both hands? About 50 people have already done so. But that's interesting, I think, that they have to do it privately. They're not doing it as a class action.

Anyway, as a result of this court case, Google will expunge billions of data records that reflect people's private browsing. This is according to the details that were made public Monday this week in a filing at San Francisco federal court.


GRAHAM CLULEY. Yeah, but too late, they've already sold it to Belgium or any countries which aren't on that list. It could be everywhere by now.


CAROLE THERIAULT. I know that. Listen to this. This is what Time wrote, and I'm not sure I feel comfortable with this.

It says Time reported that Google's agreement to retroactively delete user information is a significant concession as it forms the backbone of the company's lucrative advertising business, which depends on the quality of their attention. But boohoo Google is my view on that. They snuffle up all this data like a secret spy, and now they have to get rid of it all, and they're like, but what's gonna happen to our profits?

I don't feel very sorry for Google. But to your point, Graham, once it's sold, how do they get it back from the people they sold it to?


THOM LANGFORD. Well, just regather it through other means.


GRAHAM CLULEY. Or how do they know that they haven't already disseminated that information, that data, into other places inside Google?


THOM LANGFORD. Well, right, exactly.


GRAHAM CLULEY. It's all very well at the collection point, but what then happened to that data over the last X number of years?


THOM LANGFORD. Boy, you'd make a good auditor, Graham.


CAROLE THERIAULT. They also say that they've made several changes to the disclosure. So basically the information on that start page when you go to incognito mode will be slightly more informative as to the fact that you're actually not in incognito mode. It's just a trademark name.


THOM LANGFORD. Is he gonna have two pairs of eyes and then saying, "We're watching you." Yeah, at all times.


CAROLE THERIAULT. So we come back to that big question, what the blink is incognito mode for? So what would you use it for? I found a few suggestions on Forbes. I'm just gonna run it past you, see what you guys think.


GRAHAM CLULEY. It's to hide the evidence from your wife, it seems. That's the main thing.


THOM LANGFORD. Partner.


GRAHAM CLULEY. All right, partner, yes.


CAROLE THERIAULT. So they say maybe if you wanted to sign into multiple email accounts, you might do that. So it's a pain if you wanna check your personal inbox, but you're logged into another account. So instead of using a separate browser, which is what I probably would do, you could go into incognito mode.


THOM LANGFORD. Or even sign out and then sign in again.


GRAHAM CLULEY. Revolutionary, Thom.


CAROLE THERIAULT. Shopping for gifts. We talked about that one. Avoid autofill suggestions, which is interesting because that does get annoying.


THOM LANGFORD. Really? I don't know.


CAROLE THERIAULT. Yeah, I'm just asking.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. What about booking travel? They say some travel companies keep track of what you're searching for and will increase prices the next time you visit the site. If you use incognito mode, you don't have to worry about price gouging.


GRAHAM CLULEY. Oh yeah, I've heard that.


THOM LANGFORD. That's probably a fair one, yeah.


CAROLE THERIAULT. Getting out of your bubble. I think this is quite true if you're trying to look for new stuff. So I do this sometimes when I look for news stories, I might go into incognito mode just so it doesn't show me the same information that I might have seen before because it has me all, you know.


THOM LANGFORD. Ooh, do you know what? That had never occurred to me. Maybe if I'd switched on incognito when I was looking for the story after you stole this one from me before, I would've come up with another story, probably less depressing.


CAROLE THERIAULT. And the other one is viewing a site as an outsider so that, you know, obviously there's all these trackers and stuff. So maybe you want to see what it looks like without all the ads they tend to show you.


GRAHAM CLULEY. Yeah. Or if you're in web development and you're logged into your CMS, you may want to see what, you know, regular users would see on your website instead of what you see as a logged-in admin. I get that.


THOM LANGFORD. It's quite an edge case though, isn't it, for the average user? But it's a fair comment.


GRAHAM CLULEY. I think we're missing the big one, which is to hide— well, we've mentioned it. Yeah, to hide the browser history.


CAROLE THERIAULT. Bingo. So in short, incognito mode is not anonymous mode.


THOM LANGFORD. Or at least on Google anyway.


CAROLE THERIAULT. Yes, on Google anyway. Websites and services will still be able to track you and collect your data. And perhaps enabling the block third-party cookies setting might be more helpful to you. But God, do I miss the days of Do No Evil because I can understand. I wonder if they were forced to get rid of that.


THOM LANGFORD. I mean, you've got to think of the meeting they had where they said, you know, right, let's have a look at the company motto again. And they all look at it and there's silence around the boardroom. They go, should we get rid of this this year? No, we'll leave it for another year.


GRAHAM CLULEY. Nobody will notice.

Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by Kiteworks, who enable organizations to effectively manage risk in every send, share, receive, and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit kiteworks.com to get started today. That's kiteworks.com and thanks to them for supporting the show.


CAROLE THERIAULT. Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A, dot com slash smashing. And thanks to Vanta for sponsoring the show.


GRAHAM CLULEY. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data.

And that's what they're still doing but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time.

Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Kolide on devices without MDM, your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.

Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.

That's k-o-l-i-d-e.com/smashing. And thanks to them for supporting the show.

And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


THOM LANGFORD. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they like. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related, but it's also not Pick of the Week. I'm afraid I've got a nitpick of the week, and I apologize to anyone who follows me on Twitter or LinkedIn who may already know about this.


CAROLE THERIAULT. I don't. I have no idea what you're talking about.


GRAHAM CLULEY. I know you don't.


THOM LANGFORD. You've been on the phone to me all weekend.


CAROLE THERIAULT. No, you're kidding me.


THOM LANGFORD. Oh my God.


GRAHAM CLULEY. I've had a bit of an issue. I've had a bit of an issue with a company called Amazon.

Because last week, beginning of last week, we decided to buy a phone for my partner, an iPhone 15. And a case.

And so for some reason or another, we went to Amazon and we got it on Amazon Prime.


CAROLE THERIAULT. Why did you not get it from Apple? Why didn't you do this? Why didn't you do that?

Look, I'm just asking a question.


THOM LANGFORD. I think someone may have said that to Graham already.


GRAHAM CLULEY. Look, no, we didn't do that because we wanted it delivered the next day. Okay.

And we wanted to be sure. And Amazon, we're with Amazon Prime and they're normally really, really good delivering things really quickly because they're just so amazing.

Amazon's awesome. So we thought, all right, let's just do this.

And if there's any problems, you know, we can send it back if you decide you don't like the iPhone, because she's currently an Android user.


THOM LANGFORD. What?


GRAHAM CLULEY. All right. So, so we did it, right?

Well, I know, I know. So, so I sat in my office overlooking my front door last Tuesday, waiting for it to be delivered.

And I was reassured because I've got a little video doorbell thing that goes bing bong and, you know, it records people who come here. I'd be able to hear the door going.

I also— Amazon had told me that my signature would be required to accept the delivery. And here's the thing.

Here's the thing. My doorbell didn't go.

My doorbell didn't record anyone at the door. I never gave my signature to anyone.

And I have not been given the iPhone, right? It wasn't delivered to me.

No big deal, you think. No big deal.

Just contact Amazon customer service and get yourself a refund or a replacement set, right?


CAROLE THERIAULT. Do you get an email saying Amazon guy's on his way?


GRAHAM CLULEY. Oh yes. Oh yes.


THOM LANGFORD. Oh yeah. You got that?


GRAHAM CLULEY. Yes. I got an email telling them that they were out for delivery. And then I also got an email telling me that they had delivered it.

And they told me that they had handed it to resident. And so obviously I went out my front door, had a little look around, nothing left out here. Obviously I hadn't signed for anything. Spoke to my neighbours. No, they hadn't received something.

And some of them are, you know, a bit old and doddery anyway, and they probably wouldn't know how to use an iPhone. But so, you know, I believe them. I thought, no, they haven't got it.

I haven't got it. I even looked in the bin because, you know, it's not unknown for Amazon delivery people to put things in the bin. Especially the day before rubbish day.


THOM LANGFORD. Or the day of.


GRAHAM CLULEY. Yes, exactly. So—


CAROLE THERIAULT. That never happens to me. But anyway, okay.


GRAHAM CLULEY. Oh, well, maybe you just live in a lovely neighbourhood, Carole. But that sort of thing does happen around these parts sometimes.

So I contacted Amazon customer support and they said to me, well, you have to wait 2 days before making a complaint because maybe it'll show up. So I waited 2 days and after 2 days I said again, can you please refund me or send a replacement? And they said, well, we're going to have to investigate this.

And that'll take up to 3 days. I thought, oh, it's a bit frustrating. All right. And they said, well, if you haven't received your refund by the end of March, let us know.

So I began to wait. Now, fortunately, I didn't have to wait 3 days to hear back from Amazon. Unfortunately, when I did hear back from Amazon, it wasn't good news because what they said to me was, we've investigated and you received the item.

It was delivered to you intact. And I said, oh no, I didn't. That's the polite version of what I said.

And they said, "We are not going to be issuing you a replacement or a refund because you did receive it and it was in good condition. We are unable to offer you any further assistance on this matter. We appreciate your business and hope to see you again soon." So Amazon tells me they're not going to reply to my emails anymore.

They tell me that there's no way to escalate it. In fact, they say to me that they've all been trained in how to deal with customer complaints, and so there is no point in escalating the issue any further.


THOM LANGFORD. Well, they haven't been trained very well, have they?


GRAHAM CLULEY. No, because I've got some ideas on how they can improve the customer experience. Yeah, give me my bloody iPhone or give me my money back, because they're basically saying I'm a liar, I'm a fraudster.

I'm not a fraudster. I'm lovely. Okay, so I'm really upset.


CAROLE THERIAULT. Surely, though, with a purchase of that value, the driver must take a picture of it being delivered at the proper address. Doesn't it?


GRAHAM CLULEY. Seemingly not, and seemingly they didn't also— so I've asked them, I've said, have you got a photograph? Have you got a signature? They're not answering my questions.

I've reported it to Thames Valley Police, I've investigated making a claim by the small claims court, and I made a little video about it because I thought I'm a bit annoyed and I don't think they should be allowed to say handed to resident when they haven't handed it to resident, and that is my nitpick of the week.


CAROLE THERIAULT. So are you going to buy from Apple from now on?


GRAHAM CLULEY. Directly from Apple? Maybe I should. Maybe I should.


THOM LANGFORD. Did you pay by credit card?


GRAHAM CLULEY. I paid with my business card, which is technically a debit. Now, you can do a thing called a chargeback on debit cards as well. But what I've been told by people who've done this in the past is Amazon sometimes, yes, you'll get your money back, but Amazon then blocks you from using their service anymore and not just their store, but all of their other services, which I think is pretty petty of them. So at the moment, I'm not requesting a chargeback through the card. I want this to get sorted the proper way, which should be through their customer service team.


THOM LANGFORD. Yeah.


CAROLE THERIAULT. I got a new phone last week.


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. I bought it from the source.


GRAHAM CLULEY. Apple or?


CAROLE THERIAULT. Yeah.


THOM LANGFORD. Yeah. The Apple source.


CAROLE THERIAULT. I received it the very next day. Oh, and it's all a wonderfully perfect experience.


GRAHAM CLULEY. So, well, thank you very much for being so smug.


CAROLE THERIAULT. No, I'm not trying to be smug. I am just saying I've actually never had a problem with Apple delivery.


GRAHAM CLULEY. You say that you got an Apple phone delivered to you last week and mysteriously mine wasn't delivered. Is it, is it possible that you've got mine?


CAROLE THERIAULT. Yes, it's very possible. Yes.


GRAHAM CLULEY. Did you come round to my house and find a package? By the way, the video doorbell, no evidence of any delivery driver.


THOM LANGFORD. Carole's very sneaky like that.


CAROLE THERIAULT. I dressed as one of his bins.


GRAHAM CLULEY. She was incognito. Thom, what's your pick of the week?


THOM LANGFORD. I must admit, I've been watching loads of cool stuff on Netflix and all of those sorts of things. I've been playing with loads of cool new toys and whatever. But actually, the one I came down to was, well, it's Concorde. Basically, so any man, possibly a woman as well, but any man of a certain age has a very soft spot in their heart for Concorde, I think.


CAROLE THERIAULT. Well, because it looks like a cock.


THOM LANGFORD. Yes, the passion that people feel, that men feel for inanimate objects is often, you know, a little bit greater. And maybe, I don't know, I'm making this up and I'm starting to panic a little bit. But nonetheless—


GRAHAM CLULEY. Carole has a lot of passion for her husband and he's pretty inanimate in my experience. Hey, hey!


CAROLE THERIAULT. Sounds like that movie with the dead guy.


THOM LANGFORD. Oh, Weekend at Bernie's.


CAROLE THERIAULT. He's not a Weekend at Bernie's.


THOM LANGFORD. Anyway, so I remember growing up, it used to fly over my house in Southeast London twice a day because that was its route out and you always used to see it. I used to work in Heathrow and it would take off twice a day and it was the loudest thing ever. It was just wonderful.

I never got to fly on it, which is unfortunate. I did have an opportunity once, but I love Concorde. You know, I think it's a beautiful piece of engineering. It's amazing, you know, quite, you know, how accomplished it was and all that sort of good stuff.

So when the opportunity came for me to purchase a Lego model of Concorde, I jumped at the opportunity. And I have to say, it was one of the most fun builds I've ever done. It's huge. It's about, oh, maybe a metre in length, something like that.


CAROLE THERIAULT. A metre in length?


GRAHAM CLULEY. I'm looking at photographs of it now, Thom. It looks incredible.


THOM LANGFORD. It is. It's lovely.


CAROLE THERIAULT. Where do you put it? In your house?


THOM LANGFORD. Yeah.


CAROLE THERIAULT. But where does it go?


THOM LANGFORD. It's kind of squashed in somewhere. I've got a wall mount, but I haven't got enough wall to put it on yet. But it's, as I said, some of these larger complex models often, you know, because it's about 3,500-4,000 pieces, something like that, and they're quite small, you know, because it's quite a detailed model anyway, and some of the more complex ones actually get quite dull, you know, because you really lose track of what you're building, as it were.

But this one, you knew what everything was as you were building it. Brilliant techniques on there. The wings are what they call snot.


GRAHAM CLULEY. What?


THOM LANGFORD. A snot build, which is studs not on top.


GRAHAM CLULEY. Ah, so it's smooth on the top of the wings rather than that loop.


THOM LANGFORD. It's smooth because it uses the side of the studs and the way that's built up. So you've got this beautifully sort of smooth edge. The nose, the snoot droops, as it were.


GRAHAM CLULEY. Well, yes, that can happen, can't it?


THOM LANGFORD. Yes, it does. We know all about that. And landing gear goes up and down, the flaps. It's just beautiful. It's just a beautiful model. So I must say, Graham, anybody who's got a soft spot for Concorde, go for it.


GRAHAM CLULEY. I think it's a beautiful thing, Thom. I'm very jealous. I think it's a thing of beauty, and I love LEGO as well. I don't buy a lot of it because it's really rather expensive, but what a wonderful thing.


CAROLE THERIAULT. Cheaper than an iPhone, Graham.


THOM LANGFORD. Yeah, when you get your charge back, go and buy this.


GRAHAM CLULEY. Maybe I should. Fantastic. Carole, what's your pick of the week?


THOM LANGFORD. Right.


CAROLE THERIAULT. So it's Easter time at the moment, and I've had some friends visiting, and we were hanging out last night and we were talking, you know, just yabbering away. And we were talking about how annoying houses can be now because of all these machines we have that make all kinds of beeps and tweaks and stuff when they're finished working.

You know, you got the dishwasher that bleep bleep bleep and the microwave and the washing machine, the dryer. And my girlfriend was telling me, she was talking about how annoying it is that her washing machine, which is a Samsung, actually does a tune. She was talking about this tune. She goes, it goes on forever, this fucking tune. So if you put it on before you go to bed, it goes off at some point, right? At 2 in the morning, doing its thing. And I'm thinking, what tune? And she goes, oh, it's F. Schubert's Trout Quintet. And I'm thinking, what?


GRAHAM CLULEY. A trout quintet? Yes, trout quintet for trout.


CAROLE THERIAULT. Yes, that's exactly it.


GRAHAM CLULEY. They're playing it on a trout.


CAROLE THERIAULT. No, it is— for fuck's sake, Graham.


GRAHAM CLULEY. Sorry, am I just culturally—


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Oh, okay, okay.


THOM LANGFORD. Culturally barren, right?


CAROLE THERIAULT. Yes, you're culturally barren. So, there's this 11-minute 8-bit song and she's trying to find the bit it does. And I said, look, don't worry, I will find someone on YouTube will have put up the exact 8-bit version that the washing machine does. And she's saying, no, they would not. That's so stupid. And I'm saying, oh no, look here, I found it. So we're listening to this and it goes on for about 30 seconds.


GRAHAM CLULEY. Oh, that's lovely. I'd love my washing machine to do that.


CAROLE THERIAULT. Would you? Would you? But I keep scrolling. I keep scrolling. And it turns out that there's a number of people trying to duet with their washing machines. Musicians of all caliber trying to post the renditions of their beloved washing machine along with their, in some cases, guitars or ukuleles, or what about a piano or drums?


GRAHAM CLULEY. Or pet trout?


CAROLE THERIAULT. Or a flipping harp that's the size of my Yeti? Or rock out with an electric guitar or a full fucking rock band? I'm not making this up. Not bad, right?


THOM LANGFORD. Some people have too much spare time. I'm just saying.


GRAHAM CLULEY. Says the guy who just made the Concorde Lego.


CAROLE THERIAULT. So I'm thinking this must have been a kind of microviral thing that might have happened during the pandemic.


THOM LANGFORD. No, still going on.


CAROLE THERIAULT. So there you go. My pick of the week is how wonderful people are by trying to take something very annoying, like an 8-bit music off a washing machine, and try to make it, I don't know, make it into a duet.


GRAHAM CLULEY. Excellent stuff, Carole. Episode 366.


THOM LANGFORD. When I heard you talking about household objects, well, white goods, et cetera, making beeping noises, it did remind me of the guy who turned his robot vacuum that every time it bumped into something, he got it to swear. So this thing was going around the house going, "Fuck! Ah! Shit!"


GRAHAM CLULEY. And on that note, we've pretty much wrapped up the show. Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?


THOM LANGFORD. Oh, why don't you go along to podcast.hostunknown.tv? That's always a good place to go.


GRAHAM CLULEY. Terrific. And you can follow us on Twitter @SmashinSecurity, no G, Twitter allows to have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And all the mea culpas in the world to our episode sponsors, Vanta, Kolide, and Kiteworks. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 365 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


THOM LANGFORD. Bye. Stay secure, my friends.


GRAHAM CLULEY. Carole, why mea culpa to our sponsors? Mea culpa?


CAROLE THERIAULT. Oh, it means sorry, doesn't it?


GRAHAM CLULEY. Yes, it means sorry. Yeah, I mean, maybe that's accurate.


CAROLE THERIAULT. That's not what I meant to say at all. Let me just do that one more time.


GRAHAM CLULEY. No, I think it's great. I think it's great as you've done it.


THOM LANGFORD. I mean, it's just all the mea culpa in the world. What the fuck? I do not— I missed that entirely.


CAROLE THERIAULT. I don't know what just happened to my brain.


THOM LANGFORD. Me too.

-- TRANSCRIPT ENDS --