Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing

LinkedIn has been secretly scanning your browser for over 6,000 installed extensions – on every single click you make. It can tell if you’re job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned anywhere in their privacy policy.

Meanwhile, California’s crypto millionaires are learning that no amount of encryption can protect you from someone who knocks on your door pretending to deliver a pizza.

All this and more in episode 462 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

So what should I say?

Let’s say, say, looking forward to this week’s Smashing Security podcast.

With my co-host.

Or my special guest, Dave Bittner.

Stand down, Dave.

Thank you. Sorry. I got ahead of myself.

Smashing Security, Episode 462: LinkedIn is Spying on You, and You Agreed to Nothing, with Graham Cluley and special guest Dave Bittner. Hello, hello, and welcome to Smashing Security, Episode 462. My name is Graham Cluley.

And I’m Dave Bittner.

Dave Bittner from the CyberWire, back on the podcast again. We can’t get you away from a microphone, can we?

I know, I’m like a terrible rash and difficult to get rid of.

Do you ever feel like, you know, I’ve had enough of this, it’s time to hang up my spurs? Well, I suppose they’re not spurs, are they?

Time to hang up my XLR cables.

My XLR cables, yeah.

Not so much that, but I will tell you there are times when I smash my head against the desk and say, I need a vacation. I need a break. I need to get away from the bad news.

Yeah. I mean, I find it tough doing one podcast a week, but you do about 89 a week.

I do. I do. I have to learn how to navigate it so it doesn’t take too hard a toll on you emotionally, but I’m, you know, I’m mostly there, but there are days, Graham, there are days.

Well, we certainly do appreciate you coming on the Smashing Security podcast today. And before we kick off, let’s thank this week’s wonderful sponsors, Meter, ESET, and Vanta. We’ll be hearing more about them later on in the podcast. This week on Smashing Security. We won’t be talking about how hackers working for the Russian government broke into thousands of home routers to steal passwords. You’ll hear no discussion of how tourists traveling to Hong Kong have been warned that it’s now a criminal offense to refuse to hand over to police the passwords for all your personal devices. And we won’t even mention how after authorities cracked down on the use of Telegram, WhatsApp, and VPNs, Russian citizens have switched to using two other apps for instant message and video call, including in some cases smart cat feeders. So Dave, what are you going to be talking about this week?

I’m talking about some wealthy California crypto holders who are being targeted in wrench attacks.

And I’m going to be shining a light on how LinkedIn is shining a light on its users. All this and much more coming up on this episode of Smashing Security. Well, before we kick off, we’ve just got a moment to thank one of this episode’s sponsors, ESET. Now, there’s no shortage of cybersecurity vendors claiming to be the best, of course, but ESET is one of the few that’s proven it for 30 years. Research has always been at the core of what ESET does. Their threat intelligence teams are actively tracking APT groups and ransomware affiliates and publishing findings that the security community actually reads and references. That’s not a marketing line — that’s 30 years of doing the work. And here’s what makes it interesting: 3 decades of research means that ESET has built up global telemetry that most vendors simply don’t have access to. They combine that telemetry with AI-native technology and human expertise, and that’s what powers both their products and their MDR service. Real intelligence behind the protection, not just pattern matching. 110 million users worldwide trust ESET with their endpoints, cloud, email, and mobile devices. That number doesn’t happen by accident. So why don’t you check them out right now? Go to smashingsecurity.com/ESET. That’s smashingsecurity.com/ESET. And thanks to ESET for supporting the show. Now, chums, LinkedIn. Don’t you love it? I love it. Oh boy, it’s great.

If by love you mean hate and do everything in my power to avoid it, then yes, I love it.

Oh, Dave, it’s a wonderful service. It’s a fantastic place — it’s a platform where people I’ve never met can endorse me for skills that I don’t have.

Right? Have you ever been told you are excellent at being an astronaut? You know, brain surgeon? Absolutely. Yes, he’s fully qualified for that.

Good news, we got the perfect job for you.

Belly dancer. Oh yes, sirree.

But you know what I love the most about LinkedIn is the humility. The humility that everyone shows up there.

You know, because no one’s afraid to be a little bit vulnerable on LinkedIn these days, are they? They’re all sharing the lessons they’ve learned on life’s journey, often from their failures. Maybe they’ve been made redundant and they started up a company and now they’ve succeeded and they’re encouraging others. They’re saying, look, I was a failure too, just like you, but now I am magnificent. Or they’ll give you a humble brag about stepping on an orange — there’ll be some lesson they’ve learned in life and they’ll post about it and link to it. I find those heartwarming. Don’t you? Don’t you love those?

Oh, for sure. I can’t get enough of them. It’s a highlight of my day. Go on.

You know what? I think it’s great because there’s not a site out there that is more unintentionally entertaining than LinkedIn. Seeing what people are posting, it’s a good old guffaw. So I go there every day.

Well, I was recently turned on to a Reddit group.

Actually, Maria Varmazis told me about — there’s a Reddit group called LinkedIn Lunatics.

I’ve been there. In fact, I think I’ve been included in it before.

Okay, well, it’s just very entertaining.

Yes, I did make an appearance up there and I got a certain amount of abuse about a humble brag. Didn’t involve stepping on an orange, but clearly I’d showed a little bit too much humility or been self-promoting too much. Well, see, that would grab my attention, actually.

You would be tempted by that, wouldn’t you?

Yes, I would. That fish would work on me.

Now, one thing is clear, LinkedIn is a deeply strange corner of the internet. And this week, it got that little bit stranger because a German privacy group— and you always have to worry when a privacy group is German, they’re serious about their privacy. They are called Fairlinked, and they’ve published what they’re calling the Browsergate Report. And you always know you’re in trouble, don’t you, when there’s a gate involved?

Oh, absolutely.

You know, ever since 1972, I think it was.

I often wondered, no, what if there was a scandal involving something like the Brandenburg Gate? Would you then have Brandenburg Gate Gate?

Or perhaps a scandal involving Bill Gates.

Bill Gates Gate. You know, yes. Maybe that’s the defence to prevent there being a scandal about you is to change your surname to Gate beforehand. Anyway, Browsergate reveals that every single time you open LinkedIn in a Chrome-based browser, the LinkedIn platform will quietly inject a little bit of JavaScript into your session. And that little bit of JavaScript, well, I say it’s little, is 2.7 megabytes, David, 2.7 megabytes of JavaScript.

Well, by today’s standards, that’s nothing.

That’s barely anything, is it? And that, that what it does is starts scanning your browser for over 6,000 specific installed extensions. Hmm. So it’s looking for all kinds of information about what you are running on your computer within your browser while you’re on LinkedIn. It also harvests your CPU core count, your available memory, your screen resolution, your battery status, your time zone, your language settings. And this isn’t once per visit to LinkedIn. This is every single click that you make. Hmm. So you click on someone’s profile and it’s going to send a fingerprint, a unique, pretty much unique fingerprint with all these different indicators regarding your computer.

Or if you ignore a connection request from someone you met at a conference a few years ago, again, it will send a fingerprint, or if you spend 4 minutes reading a post about 3 things the Navy SEALs taught me about inbox zero, it’s going to— it’s going to send your fingerprint. And none of this, none of this is mentioned anywhere in LinkedIn’s privacy policy, which is absolutely fine.

No, absolutely fine and dandy, isn’t it? It’s brilliant.

No worries. No worries.

No worries at all. So 6,000 extensions is looking nice. I think I’ve got 6,000. And what are these extensions? Well, it turns out they’re language and grammar extensions. So if you have a tool which helps you translate LinkedIn posts, for instance, it will pick that up or a grammar extension, something to make you look more eloquent on LinkedIn. If you’re using a tax tool, if you— oh, also extensions designed for people with ADHD or dyslexic users, because there are dyslexic extensions you can put on your browser which change the font to make it easier to read, for instance. There are tools that notify users— oh, this was an odd one— tools that notify users of Islamic prayer times.

Oh, that’s not at all problematic.

Who would be interested in that, I wonder?

No, no. What could possibly— history has told us what could possibly go wrong with tracking people based on their religion.

And there are also extensions that could indicate your politics. I don’t know quite what they do. Maybe they change your wallpaper to a particular flag or put a color scheme on your laptop. I’m not sure. But anyway, many of these aren’t scraping tools. These are personal tools. They could reveal deeply private information about you and your health and your faith or your neurology. And that’s not really what you want LinkedIn to be secretly cataloging, is it?

No, I would not expect this of them, although I have to say these days nothing surprises me anymore. Right. And it’s dangerous information because that is linked to your real name, right?

That’s right.

You’ve got your real name and your employer and your job title, etc. So this isn’t by any means anonymous browsing data. You are logged in LinkedIn. LinkedIn knows exactly who you are.

And it’s also going to know if, for instance, you’re secretly looking for work and it will be logging that against your profile on the very website that your boss uses, because this list includes over 500 job search tools.

So if you have those tools installed, when you go on LinkedIn, it knows about it. It knows you’re looking for a job. Well, your current employer has an account as well. So LinkedIn internally apparently calls this a spectroscopy. Spectroscopy? Is that it? It sounds like a colonoscopy.

I think that’s right. That’s the tool that chemists use to tell the elements, right? Yeah. Isn’t it shining a light or a very bright light and determining something? Yeah.

Didn’t you have some sort of high-profile figure who strongly believed in shining a bright light inside your body in order to kill COVID? Oh, that’s not Stalin. All that. Yeah. Anyways, apparently back in 2017, which is around about the time LinkedIn introduced this feature, so it’s only really been uncovered now. Back then, LinkedIn was scanning for 38 extensions, which feels well, maybe that’s all right.

Because maybe these were extensions which were scraping information, maybe people’s personal information off LinkedIn. They may want to stop that from happening. By 2024, it had gone from 38 extensions to 461, which is still a lot, but you could perhaps argue there are 461 ways to scrape LinkedIn. I’ll be honest with you, I actually have an extension in my browser which does take information from LinkedIn, right? So I have a CRM for customers and things and people who contact me asking me to do work for them and things. And it’s useful sometimes just to collect information about, you know, who are they, what’s their job title, what’s their contact details if we connected and things.

And so I’ve got this little button which I can press which does take it from their profile and add it to my CRM and it saves me some time. So, you know, I do kind of do this now. I don’t know if LinkedIn don’t like that I’ve got this little tool.

You’re not doing it at scale.

No, no, no. I’m doing it maybe once or twice a week. Right. Anyway, they’ve now gone from 38 to 461 banned extensions, or rather logged extensions. Now it’s 6,000. I looked this morning, it’s 6,222.

But who’s counting?

Well, it’s the German privacy guys who are counting. So LinkedIn have been asked about this. And what they’ve said is the claims made are plainly wrong. And they say that while at the same time not denying that they do have a list of 6,000 extensions. They haven’t denied any of that. They’ve only tried to discount the intention behind it. So they say the scanning is purely to identify extensions that scrape data in violation of their terms of service. Again, I don’t know what that has to do with Muslim prayer times.

They say they don’t use the data to infer anything sensitive about their users. And they say that this report from these German guys should be taken with, you know, a pinch of salt. In fact, they say that the person behind the report had their account banned by LinkedIn for scraping in the past. And apparently a German court denied their injunction request against the platform. So there is some beef between the researchers and LinkedIn.

So this is all sour grapes according to LinkedIn?

Well, that’s what they’re kind of claiming. But I think it’s possible that the person who discovered this, maybe they were behaving badly at some point, right? But it’s also entirely possible that the thing they discovered is still a problem. And those two things are not mutually exclusive. So if someone with a speeding ticket tells you that your house is on fire, you should probably still check. Is it a bit warm in here?

Right, right.

Rather than just say, no, no, no, you’ve got a speeding ticket. I don’t know. Anyway, what can you do about this problem? Well, the obvious thing to do is either not go to LinkedIn or use a different browser. So if you use Firefox, you’re largely protected. The way its extensions work don’t expose the same identifiers that Chrome does. Similarly, Brave, that blocks tracking endpoints by default. Safari users largely in the clear as well. But if you’re on Chrome or Edge, Edge of course is a Chrome-based browser, you are being scanned every time you visit and there’s no setting to stop them from doing it. And LinkedIn is not being upfront about what it is doing. So regulators have been informed. We’ll have to see if anything comes from this, but it’s not great, is it?

It’s not great. And I wonder, how does this come up against GDPR over in your neck of the woods?

Yes, well, I think this German privacy guy has lodged a GDPR complaint with the regulators, so we’ll have to see. It does sound like the guys at LinkedIn are rather scooping up a bit too much information.

What do you make of this, though? Do you think it’s just browser fingerprinting that’s kind of spun out of control, or do you think there’s more to it than that?

I don’t think it’s necessarily being done with malicious intent. How can I be in this industry so long and be so naive to think that it won’t be used for advertising purposes or surveillance.

What even counts as malicious intent anymore, right?

What even counts? That’s true. That is very true. Now, you mentioned to me about LinkedIn earlier because I’m a user of this very cool browser. I don’t use Google. I use Kagi. And they introduced this new feature and you reminded me earlier about this. They’ve got this translator thing, haven’t they?

Where, you know, you have Google Translate, you can translate between languages, but now with Kagi, you can translate something into LinkedIn speak.

Have you had a go at this?

Oh, I have. Why don’t you type something in here and we’ll see how it translates. This is great fun.

So what should I say?

Let’s say, looking forward to this week’s Smashing Security podcast with my co-host, my co-host or my special guest, Dave Bittner.

Stand down, Dave.

Thank you.

I got ahead of myself, you know.

It’s done a little translation into LinkedIn. So it starts off, of course, with an emoji. So I’ve got a rocket emoji. Thrilled to announce— come on, British, I’m never thrilled— that I’ll be joined by the one and only Dave Bittner on this week’s episode of the Smashing Security podcast. Microphone emoji. Can’t wait to dive deep into the latest in cybersecurity. You won’t want to miss this conversation. #cybersecurity, #infosec, #podcast, #networking, #thoughtleadership. Oh, I can change my excitement level. I can go for high energy with more emojis and hype.

That’s right. And you can puke hashtags as well.

Well, we’ve got time right now to chat about one of our sponsors this week, Vanta.

Oh yes, my favorites. What do they do again?

They stop you running your entire security program out of a spreadsheet, Joe.

That seems aimed at me personally, Graham.

Well, it is a little bit, yes. But you know how most companies have to prove they’re secure to customers or auditors and regulators, and the whole thing involves chasing down evidence, filling in questionnaires and forms, updating the same spreadsheet cells over and over again.

Over and over again. It sounds utterly soul-destroying.

Yeah. Well, Vanta automates all of that.

Automates it? How?

Well, their trust management platform keeps a continuous eye on your systems. It pulls everything into one place and keeps you audit-ready around the clock. So no more staring at the ceiling at 2 AM wondering whether you’ve got the right controls in place or whether one of your suppliers has been breached.

The stuff of nightmares.

Yeah, it would be, wouldn’t it? But this Vanta solution uses AI as well, and it’s the useful kind— flagging risks, collecting evidence, slotting into the tools your team already uses so you move faster, scale without the headaches, and perhaps actually get some sleep. Go to vanta.com/smashing to find out more.

That’s vanta.com/smashing. And thanks to Vanta for supporting the show.

Dave, what’s your story for us this week?

Well, Graham, I am talking about life imitating art. And by art, I mean the classic XKCD comic, which I’m sure you are familiar with.

This is the comic with the little stickmen, isn’t it?

It is, yeah. The comic with the little stick men generally talking about tech and occasionally cybersecurity. And I have to say, the first time I saw this particular comic, it had indeed been printed out and stuck to a bulletin board in a break room. That was the first time I saw it, but I’ve seen it dozens of times afterwards. I thought perhaps the two of us could reenact this for our listeners before I dig into the story here.

So I will narrate and also I will be one of the characters and you can be the other characters.

It starts off, we’ve got these two stick figures. One of them is holding a laptop in front of the other one, and it’s described as a crypto nerd’s imagination. And the person says, “His laptop’s encrypted. Let’s build a multimillion-dollar cluster to crack it.” Ah, no good. It’s—

What’s that say? It’s too small for me to read. Hang on, I have to increase the size of it. No good. It’s 4096-bit RSA. Blast!

Our evil plan is foiled. And then the next frame says, what would actually happen? His laptop’s encrypted. Drug him and hit him with his $5 wrench until he tells us the password.

Got it. And that is so true, isn’t it? You know, we put all these technological things in place in order to protect our passwords or protect our bitcoin wallets, but basically some good old-fashioned violence really does the trick.

It really does. And I think that’s part of why this is such a classic cartoon and why it resonates with the community, because I think particularly in cybersecurity, so often people go for the technologically irresistible solution to a problem when the more practical solution may be what’s really needed, in this case, a $5 wrench that you can whack someone with until they give you the information you want. So my story comes from KTLA, which is one of the local TV affiliates in California.

Right. Picture this. You’re at home minding your own business. I ordered pizza here.

Well, you didn’t order pizza. I’m still not going to say no. I’m happy. Go on, have it.

All right. Free pizza.

So last year, back in November in San Francisco, someone went and opened their door and that annoying knock turned into a $13 million crypto robbery.

So attackers who were posing as delivery drivers, they forced their way into this person’s home. They tied the victim up, threatened to cut off his fingers.

And then spent about an hour extracting passwords before walking away with bitcoin and Ethereum. And evidently this wasn’t a one-off. They said there were similar delivery driver ruses in San Jose and Sunnyvale and Los Angeles. So kind of seemingly California-based for the moment or focused.

And in some cases, the investigators think that the suspects have first compromised victims’ DoorDash or Uber Eats accounts to learn where they lived. So they’re not just showing up randomly. They shopped a target list first. Now, there are suspects here. So law enforcement has tracked down some people and arrested them that they allege have done these dastardly deeds. But I’m wondering about what you make of this, this whole idea that if you have a big cache of cryptocurrency, someone might show up and threaten or even perform physical violence against you.

It’s horrifying, isn’t it? And I mean, even if some of these chaps have been arrested or apprehended, it’s so easy to imagine that other people may copy this approach. It’s just horrendous that this could happen. I guess the only answer really is you’ve got to keep really quiet about the fact that you’ve got a great big hoard of bitcoin or Ethereum somewhere, you know. Yeah, you can’t go around showing off about it.

Right. That was my next question is, is how did the bad guys come to know that this person in particular, or these people that they targeted, had large caches of cryptocurrency so they could go after them? Do you think it may have been as simple as somebody just bragging about their success?

It might have been that. I mean, first of all, if you’ve got millions and millions of cryptocurrency, chances are that you’re not going to be living in a shed somewhere, are you? You’re going to be living somewhere nice.

Right. True.

So they may have, first of all, cut out the likely candidates of people they’re going to target because of that.

But I have certainly seen, I mean, I get phishing emails every single day sent to an email address, which I used when I once purchased a hardware bitcoin wallet kind of thing. Right. One of those hardware keys.

And it pretends to come from that particular company, and they’re all nonsense, right? I can spot them, but I’m sure there are people who would be fooled by it. So they know that my email address is somehow connected with cryptocurrency. Now, as it is, they don’t know I’ve only got $5 worth of cryptocurrency rather than $5 million. But that information combined with, oh, look, he’s got a really flash car, or, oh my goodness, you know, he keeps on going on these macho podcasts talking about his bitcoin billions or whatever it may be, could lead to specific people being targeted. But it is a problem which actually, you know, it goes beyond the bitcoin wallets. It goes into all areas of life, doesn’t it? You know, if you have passwords or if you have things protecting important data to you, you can have all the technology in the world defending you. And organized criminals can think, well, if it’s too hard to hack him, maybe we’ll take an axe and try and hack him or threaten to hack him or hack his fingers off. Of course you’re going to tell them. It’s horrific.

It is. You know, my eyes were opened to this whole sort of thing. Not long ago, I was having a conversation with Chris Pierson, who’s the CEO of a company called BlackCloak, and their specialty is executive protection online. But part of what they do is physical protection where people need bodyguards. And yeah, evidently, if you are a high-wealth person or a person of enough importance in the business world, kidnappings still happen and you have to be protected. He also shared with me that you get to a certain level and you’re prohibited from driving your own car by your board of directors because it’s considered too much of a hazard to the company. So you are required to have a personal driver.

I’ve been prohibited by my wife, but I think that’s for the general public’s protection rather than mine.

Yes, of course.

Of course.

Slightly different circumstances, but same results, I suppose.

Okey-dokey. A little bit of time now to talk about Meter, who are one of our sponsors this week.

What does this one do?

They set up your office network so you don’t have to.

That’s it?

Yeah, well, pretty much. Yeah, that’s it. You know when you move into a new office and suddenly you’re juggling ISPs and floor plans and hardware and configuration? It basically becomes a second job, doesn’t it?

Yes, I know this one. It’s when the contractor turns up on the wrong day or at the wrong address and tries to install the wrong thing.

That’s the one, yeah. Well, Meter’s entire pitch is, what if that just wasn’t your problem?

Ugh. I’m listening.

So you hand them a physical address and a floor plan, and they sort out the ISP, they design the network, they show up on site, they rack their own hardware.

Their own hardware, not reselling someone else’s kit?

Yep, their own hardware, and they get the whole thing up and running.

But what if I like being put on hold for 45 minutes to listen to pan flute music?

Well, tough luck, Joe. Tough luck. And once you’re up and running, you get one dashboard, monitoring, management, security, VLANs, firewall, DNS security, SD-WAN, the whole caboodle.

So full visibility with none of the legwork.

Yep, that’s exactly it. And it’s sold through a subscription model, so there’s no nasty surprises. There’s even a hardware buyback program if you’ve already got kit from another vendor.

Ah, that’s rather civilized.

Isn’t it just? So head over to meter.com/smashing to find out more, that’s meter.com/smashing.

And thanks to Meter for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they’ve read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn’t have to be security-related necessarily.

Better not be.

Ah, well, my pick of the week this week is not security-related. My pick of the week, well, it actually relates to a previous pick of the week.

Because a few months ago, I think I was on a podcast with Tricia Howard and I was raving about how someone had taken one of the missing episodes of Doctor Who and they had reanimated it. Incredible. Such a piece of work they’d put together animating this lost piece of television which no longer existed in the BBC archives, had not been seen for over 50 years. And I said, this is brilliant. This is my pick of the week. Well, what do you know? That missing episode has now been found.

Putting that man’s two years of work into the animation. Oh, oh, completely different. It’s still very good what he did, but Film Is Fabulous found not one, but two missing episodes of Doctor Who from 1965. Episodes of, this was particularly exciting, The Daleks’ Master Plan. Space vessel 111, touchdown completed. Excellent, I will await our guest here. Daleks! One of the greatest Doctor Who stories of all time. So it was originally 12 episodes long, and there were only, I think, 3 or 4 which had been found. Now we are up to— I really should know this. I think we’re up to 5 episodes in total now is what exists. It was found in the collection of a guy who was collecting films, wasn’t interested in Doctor Who. He was collecting films about trains and canal boats, and he’s sadly deceased. But there was a huge collection of films, and Film Is Fabulous, this charity, came in and said, look, we can help catalogue this. And they happened to find these old missing Doctor Who episodes, which are now on BBC iPlayer. I watched them over the weekend. They are wonderful. This is so much better than modern Doctor Who. And it has been an absolute delight. In fact, I had some listeners to the podcast contact me and say, Graham, Graham, when this was announced, Graham, you— and I said, yes, I know, I know. I’m going to wait until they’re actually available to watch before I talk about them on the podcast.

I can tell you’re excited, David. I am excited.

I’m happy for you.

Oh, bless you.

Have you done any sort of A/B comparison between the reproduction and the original to see how close the person actually got?

To be honest, a lot of the special effects work in his one is far superior to what the BBC was doing in 1965.

Sure, sure.

I mean, he was tremendous with what he managed to achieve. So I haven’t directly compared them. I think that would be a little bit unfair. There is another guy out there who’s been recreating all of the Doctor Who episodes using AI, and they are just as horrendous as you can probably imagine. Yeah, so you don’t really want those. So the real thing is obviously the best of all and what we’ve really been excited about. So I thought there must be some geeky listeners out there, particularly maybe in Britain and Australia who are really into Doctor Who, who will be very excited about this.

I’ll share one of the reasons that I never got into Doctor Who when it was airing here in the US. It would air on our local PBS stations. And this is perhaps the most geeky, nerdy reason in the world for someone to not get into Doctor Who.

And that is the frame rate. Doctor Who’s 25 frames per second. Yes. And so they had to do conversions to make it work here because our video runs just about 30 frames a second. And we can handle 24 by using a, you know, 2:3 pulldown, all that good stuff. But 25 is a little weird. And so it was running at a different speed and it just looked off. So when I was flipping through the channels and I would see, you know, give up, give yourself up, give yourself up, you know, whatever the Daleks said. It just looked weird to me and I kept on flipping past. Now, I did not flip past Benny Hill, so—

Oh, Dave, you should have done. Dave, what’s your pick of the week? And don’t say Benny Hill.

No, it’s not Benny Hill. Well, Graham, this is just for you. Oh, this came across my feed probably about a month ago now. And I thought to myself, oh, perfect. I will save this for the next time I’m on Smashing Security and Graham will enjoy this. We’re talking about chess today. So one of your favorite things.

I’ve spoken about Doctor Who. Now we’re doing chess. That basically is my entire repertoire. You know that.

So all we need is a briefcase. So do you remember back in the ’80s and I’d say early ’90s, places like Radio Shack had electronic chess sets that you could buy.

Did you have one?

Well, yes.

Of course you did. He asks rhetorically. Perhaps a better question is how many did you have?

I still have one now. But no, I used to go to our department store. This would have been in the early ’80s. I used to go to the department store and I’d spend an afternoon, before I owned one, playing them. Yeah. Because that was my way of having fun as a teenager.

Right. Young man, young man, are you going to purchase anything? We’re going to have to ask you to leave.

But no, there’s been a wide variety of chess computers.

I do have an alarming number of both chess boards and a couple of electronic chess sets around the house as well.

Well, then you surely remember that the most magical ones of all back in that day were the ones that could move the pieces robotically, right?

I mean, this was magical. And I’ve included a link to a video of one of those old-school versions. And it’s fun to watch partly just because of the mechanical noises. It sounds like the old computer in the original Star Trek series, you know, where it’s working. Bang, bang. You know, there’s magnets under the board and it’s sliding pieces around.

Yeah, that’s how they worked. It would be a—typically it’d be a magnet under the board, wouldn’t it? Be sort of dragging pieces, but it would have to drag other pieces to the side to, for instance, let the knight go through the pawns. And you would think this is very clever how they’ve made this. Yeah.

So there is a YouTube channel that I frequent. It’s called Techmoan. And it is probably, I’d label it as being nostalgia gadgetry. So I enjoy watching it for the old boomboxes and Walkmans and CD players and all that sort of the stuff that you and I grew up with and lusted after but weren’t able to afford in our teen years. This person goes back and looks at that stuff. But in this case, he was looking at an updated version of one of these robotic chess-playing kits. And this one actually uses a robotic arm to play against you, which I think is a little more advanced and more fun than the old magnetic versions.

This is a bit like one of those car manufacturing assembly lines, isn’t it? If you imagine one of those playing checkers on a slightly smaller scale. Yeah. So it’s picking up the pieces with a magnet, it looks like, and dropping them down again.

I wonder if you try to cheat or something, will it grab your wrist?

Or if you beat it, would that arm just sweep across the table and send all the pieces smashing to the ground? Yes.

Grab you by the throat. I was gonna ask you, is it just dispiriting because you spend all this time trying to come up with the perfect move and you put it in and the computer just responds and goes, nope.

Yeah, it is. And that’s why you want to handicap the computer. And obviously with chess programs, you can choose different levels or it can even introduce deliberate mistakes. So if you went to a site like chess.com or lichess.org, and you started playing as a beginner, it would deliberately play bad moves to try and make things easier for you or not the best move to give you a chance, because otherwise it would really be no fun at all. But in the case of this robot, you want to handicap that as well. You’d actually want to tie its hand behind its back or something, wouldn’t you?

That’s right. That’s right. I’m glad you enjoyed this. It struck me as being right up your alley.

It’s very cute.

So the chess computer and the Techmoan YouTube channel combined are my pick of the week. And thank you very much, Dave. That just about wraps up the show for this week. Just go to our website, which is thecyberwire.com.

And of course, Smashing Security is up on social media. You can find it on LastPass, Sophos, LastPass, and BlueSky. And you can find me, Graham Cluley. Yep, you’ve guessed it, on LinkedIn. And don’t forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts. Episode show notes, sponsorship info, guest lists, and the entire back catalog of over 460 episodes. Check out smashingsecurity.com. Until next time, cheerio, bye-bye.

You’ve been listening to Smashing Security with me, Graham Cluley. I’m grateful to what LinkedIn calls the one and only Dave Bittner for joining us. This episode sponsors ESET, Vanta, and Meta, and also to the following. Yep, please make some noise for Willy B, who’s certainly a very confident nickname, and we respect it enormously. Jonathan Haddock, who sounds like a character in a Victorian novel about a fishmonger with a dark secret. John Morris. Eisenberg. We can’t actually be completely certain that Eisenberg is here, because observing them changes everything. William Sabados. Karen Reynolds. Matt Weir. Jamie Forster, Panda Bear, see, not a real name. Yeah, here we are reading it out on a podcast. And Robert Martin. Thank you all so much. You are the backbone of this show. We’re very grateful indeed because those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free and earlier than the general public. And they can also have their names be mercilessly mocked at the end of the show. So if that’s the kind of thing that you fancy happening to you, all you have to do is sign up for Smashing Security Plus. Just head over to smashingsecurity.com/plus for all of the details and become a patron of the podcast. But you can support us in other ways if you’re short of a few bob. And when in fact you can do it completely for free. Subscribe, leave a 5-star review. Most importantly of all, tell your friends about Smashing Security. And encourage them to listen to it. In fact, grab their phones and just subscribe to the podcast without the— oh, hang on, I didn’t actually recommend that you do that. Maybe ask their permission before you do that. That’d be wise. But regardless, every little bit helps and it really does make all the effort worthwhile. And thank you to you for tuning in, and I hope you tune in to next week’s episode as well. Until then, cheerio, bye-bye.

Host: Graham Cluley

Guest: Dave Bittner




SPONSORS:

  • ESET – 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.
  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.











