Hacked roadside billboards are in the news again, so it felt like a good time to take a look back on some of the more notable incidents that have caught the media’s attention in the past…
January 2009
No, you don’t have to worry about a botnet bombarding you. It’s zombies in Austin, Texas, you have to watch out for.
“ZOMBIES AHEAD”
May 2012
Practical jokers meddled with a a road sign to warn drivers of an invasion from Skaro’s much-feared tin pepperpots:
“WARNING DALEKS AHEAD”
January 2015
It’s a new year, but mischief-makers have quickly forgotten their resolution not to f**k around with road signs.
Need a New Year resolution, maybe? "Read a f'n book" says #DTLA electronic street sign pic.twitter.com/3iJhOsDg3X
— Daina Beth Solomon (@dainabethcita) January 9, 2015
At least they’re encouraging literacy…
May 2015
Hackers remotely attacked an electronic billboard display to show the obscene Goatse image (Don’t Google it. If you don’t know what Goatse is, consider yourself lucky. You’ve been warned.) to motorists and passers-by in the affluent uptown Buckhead district of Atlanta.
August 2017
Naughty Welsh hackers meddled with a billboard on Cardiff’s main shopping street, to display swastikas, far-right images, and Big Brother.
As Carole Theriault discussed on an episode of the “Smashing Security” podcast, the hackers seized control of the digital advertising display after stealing its TeamViewer login credentials and locking out its genuine operator.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey, it's Graham here. Just before we begin the show, just wanted to say that we had a bit of a problem recording this one.
In the first few minutes of the podcast, Maria, who's our special guest, her audio is slightly defective. Please bear with it. We had some technical problems.
We even had a power cut during the course of the recording. Her bad audio only lasts maybe 3 or 4 minutes, and after that, everything should be good.
And we still think it's worth putting out. So bear with it and enjoy the show.
In the first few minutes of the podcast, Maria, who's our special guest, her audio is slightly defective. Please bear with it. We had some technical problems.
We even had a power cut during the course of the recording. Her bad audio only lasts maybe 3 or 4 minutes, and after that, everything should be good.
And we still think it's worth putting out. So bear with it and enjoy the show.
Smashing Security is supported by Recorded Future, the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.
Sign up for the free daily threat intelligence update at recordedfuture.com/intel. That's recordedfuture.com/intel.
Sign up for the free daily threat intelligence update at recordedfuture.com/intel. That's recordedfuture.com/intel.
Smashing Security. Episode 36: Flash, Clunk, Flush and Hacking Security Researchers with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, number 36. Indeed, my name is Graham Cluley, and I'm joined by my good buddy and co-host, Carole Theriault.
Hello, Carole, how are you?
Hello, Carole, how are you?
I'm good. I just wish I was 36 again, actually.
That was some time ago, wasn't it? Back in the '90s.
It's going to be one of those.
It's one of those.
It's going to be one of those. And as you've just heard, we are joined by a special guest today, and it is Maria Varmazis, information security and technology blogger. Hello, Maria.
Welcome to the show.
Welcome to the show.
Hi, great. Thank you so much.
Maria, I am so glad. We never have enough women on this show, and I am thrilled to bits that you're here.
Thank you for joining, because I know you have recently had a baby, so you're not getting a lot of sleep these days, are you?
Thank you for joining, because I know you have recently had a baby, so you're not getting a lot of sleep these days, are you?
I'm about as sleep deprived as most people in our industry.
When you say recently, do you mean this morning or what?
No, no, heavens no. No, no, 3 months ago. So I just came off maternity leave about a week ago, so I'm dusting off everything going, what the heck happened? I just want to cry.
Happened the day I was in the hospital. It was amazing. So, oh wow, the nurses were going, I think something happened and I'm gonna have to change all my passwords again.
And they're wheeling in my baby in the bassinet and I'm going, oh my God, I can't get away from this anywhere.
Happened the day I was in the hospital. It was amazing. So, oh wow, the nurses were going, I think something happened and I'm gonna have to change all my passwords again.
And they're wheeling in my baby in the bassinet and I'm going, oh my God, I can't get away from this anywhere.
Well, thank heavens you weren't having it in the British NHS because that could really have been a problem, couldn't it? Anyway, thank you for coming on the show.
And I agree with Carole, we need more women on this show. In fact, we've had shamefully few. Well, obviously there's been you, Carole.
And I agree with Carole, we need more women on this show. In fact, we've had shamefully few. Well, obviously there's been you, Carole.
Yeah, you're represented most every week.
But you don't count at all is what we're saying.
She doesn't count? No.
You two cancel each other out and you become a gender-neutral thing. I don't know.
Now, listen, guys. Each of us is going to choose something which has tickled our security nostrils over the last week and got our attention.
My story this week is, well, let me start off by saying this. What do you think is a security researcher's biggest nightmare? What do you think would really terrify them?
My story this week is, well, let me start off by saying this. What do you think is a security researcher's biggest nightmare? What do you think would really terrify them?
Running out of booze.
Booze, yeah.
Being hacked.
Being hacked, meeting a member of the opposite sex. All of those sort of things definitely are a concern for those of us in the infosecurity world.
But Carole, you have put your finger on it.
Because a senior threat analyst at Mandiant, which is of course a division of security firm FireEye, was hacked in what appears to have been a revenge attack.
Now, I'm not gonna name him because he's probably embarrassed enough as it is and is worried that his future career prospects are scorched.
But he was targeted by hackers as part of a campaign which they're calling #leaktheanalyst. And a bunch of hackers who call themselves Hey Maria, you're a bit geeky.
You'll be able to handle this. 31337.
But Carole, you have put your finger on it.
Because a senior threat analyst at Mandiant, which is of course a division of security firm FireEye, was hacked in what appears to have been a revenge attack.
Now, I'm not gonna name him because he's probably embarrassed enough as it is and is worried that his future career prospects are scorched.
But he was targeted by hackers as part of a campaign which they're calling #leaktheanalyst. And a bunch of hackers who call themselves Hey Maria, you're a bit geeky.
You'll be able to handle this. 31337.
OMG!
Which I think is meant to mean elite. It's a bunch of elite hackers.
It's like 1996 all over. I know.
I think this dates the hackers. This dates the hacker operation.
A little bit. Yeah, mid-30s.
They've given away some information about themselves there.
Anyway, they took information from this Israeli researcher And they made it available for anyone to download from the net.
It's still available to download, including his email archive, megabytes and megabytes of that, passwords, contacts database, details of private communications with potential recruiters.
Slightly awkward, isn't it? Cloud drives, his calendar.
Anyway, they took information from this Israeli researcher And they made it available for anyone to download from the net.
It's still available to download, including his email archive, megabytes and megabytes of that, passwords, contacts database, details of private communications with potential recruiters.
Slightly awkward, isn't it? Cloud drives, his calendar.
It's got to be kind of dull though, right?
Dull?
Yeah. I mean, the guy's just emailing, saying, I'll be home for dinner. And yes, boss, I'll get that for you right away.
Yes. Who's getting donuts for tomorrow's meeting?
Oh, can I have a job with recruiters? I mean, it's not, you know.
Well, no, it could be fairly juicy if you were talking about a particular hacking campaign or a piece of malware.
And if you were the hacker who was being analyzed by this analyst, that may be useful.
Furthermore, you may be able to find communications as they claim to have done about some of their clients and the situations that they found themselves in.
They even managed to track the poor guy's location because his, I said poor guy, he really was, because he had a Microsoft Surface and it was being geotracked.
And so they were able to pinpoint where in Israel he was from day to day.
And to add insult to injury, the hackers even defaced their victim's LinkedIn page, replacing his picture with a photograph of a hairy bottom.
And if you were the hacker who was being analyzed by this analyst, that may be useful.
Furthermore, you may be able to find communications as they claim to have done about some of their clients and the situations that they found themselves in.
They even managed to track the poor guy's location because his, I said poor guy, he really was, because he had a Microsoft Surface and it was being geotracked.
And so they were able to pinpoint where in Israel he was from day to day.
And to add insult to injury, the hackers even defaced their victim's LinkedIn page, replacing his picture with a photograph of a hairy bottom.
Sorry, what?
A hairy— bottom.
Did you see this picture?
I have seen it, yes.
Do you think it is her student?
Can I see it?
Maria?
I haven't seen it. I'm curious.
Link's in the show notes.
Link's in the show notes. Noted.
And they described him— You know, normally where you have your job title is, you know, information security expert or something like that.
What they wrote was, asshole fucked up analyst at fucked up Mandiant.
What they wrote was, asshole fucked up analyst at fucked up Mandiant.
I have no idea.
Now, the profile has since been deleted, perhaps understandably. He's decided to remove his LinkedIn presence, but not very good, really, is it?
And so the bad guys, they posted up on Pastebin and they provided a link where you could download all of this data, which they'd grabbed in the screenshots and the evidence that the accounts had been compromised.
And they posted their little manifesto. And they said, for a long time, we, the— get ready, Maria— 31337 hackers—
And so the bad guys, they posted up on Pastebin and they provided a link where you could download all of this data, which they'd grabbed in the screenshots and the evidence that the accounts had been compromised.
And they posted their little manifesto. And they said, for a long time, we, the— get ready, Maria— 31337 hackers—
OMG!
Tried to avoid these fancy ass analysts whom trying to track— it's not great grammar, to be honest— whom trying to trace our attack footprints back to us and prove they are better than us.
In the #leaktheanalyst operation, we say, fuck the consequence. Let's track them on Facebook, LinkedIn, Twitter, etc.
In the #leaktheanalyst operation, we say, fuck the consequence. Let's track them on Facebook, LinkedIn, Twitter, etc.
That's very famous.
Let's go after everything they've got. Let's go after their countries. That's a bit bold.
Their tiny speakers.
Let's turn into tweeters. Yes, very good. Let's trash their reputation in the field.
If during your stealth operation you pwned an analyst, target him and leak his personal and professional data.
If during your stealth operation you pwned an analyst, target him and leak his personal and professional data.
Oh, hey.
So basically they're declaring war on the good guys.
Yeah, but the girls are safe. It's personal. It's his personal and professional data. So we're cool.
There are no female analysts. Yeah, well, or we're all safe because they don't know we're there.
We might be the next doxing.
Hackers are sexist?
No!
I would never dare.
Well, now, if you were to peruse the documents which they've now leaked from this guy's computer, it appears—
It's like reading someone's diary.
Why would you do that?
Really?
Well, in preparation for this podcast, perhaps. But I didn't— Am I the only one with a moral fibre? Listen, I didn't look through his emails, right? I didn't do that.
But there were certain—
But there were certain—
Oh, well, good for you.
There were certain documents and presentations related to some Mandiant/FireEye customers, such as the Israeli Defense Force.
Oh!
And those have been leaked out as a consequence of the hack. Right? No?
Okay, so I take back what I said earlier. I, yes, I was assuming perhaps it was his personal email archive, but of course it wasn't. So yes.
Customer data, yikes.
Ooh.
Yeah. Now, the hackers say that they have hacked Mandiant's internal network and they've compromised client data and that they might, 'Leak that in the future.' Yeah.
That seems weird that you'd say that beforehand if you did actually have it.
I know. I'm a bit suspicious. Because you think, well, why haven't they leaked it already?
If they want to cause embarrassment, if they want to give this guy some pain and get him in trouble, you probably would have done that as well, wouldn't you?
If they want to cause embarrassment, if they want to give this guy some pain and get him in trouble, you probably would have done that as well, wouldn't you?
Unless they're wanting ransom.
Well, they don't seem to have asked for anything like that. It appears to be more a sort of personal attack in a way. They just don't like their stuff being researched.
I would think someone who has the capability to target somebody and was in an internal network would actually lie low and see how much they can get away with.
Yeah.
I mean, just see how long it takes for them to be discovered on the network, you know.
And we don't know how long they were— they did compromise this guy's account.
Certainly from the geo data where they were tracking his lovely old Microsoft Surface, it does appear that that may go back some time.
I don't know if that's an archive which is available to anyone, you know, whenever they log in, but it does appear that there was some old information in there.
The obvious danger is, has client data been compromised? FireEye have issued a statement.
They've told Gizmodo, "We're aware of the report." So they basically confirmed that the hack has happened.
"We're investigating, we've taken steps to limit exposure, but there's currently no evidence that any corporate systems at the company have been compromised." They say, "Customer data, keeping that secure is a top priority.
And to date, they've only confirmed the exposure of business documents related to two separate customers in Israel." One imagines one of those is the IDF.
And they've addressed the situation with those customers directly. That's an awkward phone call to make, isn't it? Oh yeah, we might have doxxed—
Certainly from the geo data where they were tracking his lovely old Microsoft Surface, it does appear that that may go back some time.
I don't know if that's an archive which is available to anyone, you know, whenever they log in, but it does appear that there was some old information in there.
The obvious danger is, has client data been compromised? FireEye have issued a statement.
They've told Gizmodo, "We're aware of the report." So they basically confirmed that the hack has happened.
"We're investigating, we've taken steps to limit exposure, but there's currently no evidence that any corporate systems at the company have been compromised." They say, "Customer data, keeping that secure is a top priority.
And to date, they've only confirmed the exposure of business documents related to two separate customers in Israel." One imagines one of those is the IDF.
And they've addressed the situation with those customers directly. That's an awkward phone call to make, isn't it? Oh yeah, we might have doxxed—
How do you start? Hi.
On my short list of people to not piss off, the IDF is definitely one of them.
You're right.
Oh my goodness.
So what are the morals from this, folks?
Get off the internet. Just delete everything and go home.
Bury your head in the sand, right?
And also, schadenfreude is a dangerous thing.
It is. And anyone can be vulnerable, right?
I think none of us can imagine that just because of our jobs or our roles or the fact that we're working in security 24/7, that somehow we couldn't be targeted.
The truth is that everyone makes mistakes.
I remember years and years ago, I was working at a security company and they were holding an antivirus conference and experts from all around the world were bringing in their presentation from rival firms.
And one of these guys gave me a floppy disk there, that's dated me.
And he said, "Here's my presentation." I said, "Thank you very much." I shoved it in my computer 'cause it was my job to collate everyone's presentation.
And the antivirus on my computer went zoop, zoop, zoop because it contained a virus on the floppy disk.
I think none of us can imagine that just because of our jobs or our roles or the fact that we're working in security 24/7, that somehow we couldn't be targeted.
The truth is that everyone makes mistakes.
I remember years and years ago, I was working at a security company and they were holding an antivirus conference and experts from all around the world were bringing in their presentation from rival firms.
And one of these guys gave me a floppy disk there, that's dated me.
And he said, "Here's my presentation." I said, "Thank you very much." I shoved it in my computer 'cause it was my job to collate everyone's presentation.
And the antivirus on my computer went zoop, zoop, zoop because it contained a virus on the floppy disk.
Was it the Morris worm? How far back are we going with this?
How dare you? How dare you? But I had to go back sheepishly to this antivirus expert and say, "Um, your peer has given me a virus." A fairly well-known name in the industry.
And the truth is that he'd been using exactly the same computer to analyze viruses as he'd been using to write his presentation. And, you know, so people make mistakes.
And the truth is that he'd been using exactly the same computer to analyze viruses as he'd been using to write his presentation. And, you know, so people make mistakes.
I don't think that's the stake here though. I don't think that's what's going on here.
No, no. I think what may have happened here, from the examination, 'cause one of the things which fell out of this were passwords.
And it does appear that this particular guy may have been reusing passwords.
It's possible that his password leaked out from the old LinkedIn data breach, but also that he had a formula for passwords.
You know how sometimes people think, well, you know, I will have different passwords, but what I'll have is I'll have a sort of base word, a base password, and then I'll add on the first two letters of the domain or something like that.
And it does appear that this particular guy may have been reusing passwords.
It's possible that his password leaked out from the old LinkedIn data breach, but also that he had a formula for passwords.
You know how sometimes people think, well, you know, I will have different passwords, but what I'll have is I'll have a sort of base word, a base password, and then I'll add on the first two letters of the domain or something like that.
Graham, you and I years ago wrote a video about how to— recommending people do that. I don't know if you remember.
I remember.
Yeah, we did. Yes, yes, we did. And you're the star of the show and I'm behind the camera.
Links in the show notes. That video doesn't say that. The video we have is one where we say, make up a random sentence and take the first letter of every word.
That's what the video is.
That's what the video is.
Okay. Okay.
It was a while ago. We'll go watch it, but I have a feeling you may be wrong. Anyway, I don't remember.
We digress.
We digress.
We digress.
Yes.
Settle the fight.
Anyway, even the advice we gave in that old video doesn't really scale for the number of passwords which you need today. You know, my advice is use a—
Exactly. No, I agree.
Use a password manager to remember your passwords, to keep them secure, and to generate passwords as well.
So many people use their own personal mental cipher thinking nobody can ever crack this. But I mean, come on.
As you were saying, with all the passwords we need nowadays, there's no way you can make that even sane. So yes, please.
As you were saying, with all the passwords we need nowadays, there's no way you can make that even sane. So yes, please.
But on the other hand, though, a lot of people don't trust password managers. There's a lot of doubt in putting, storing stuff in the cloud and trusting a third party to do it.
You don't have to use a cloud-based password manager though. You can use a local one.
You don't have to use a cloud-based password manager though. You can use a local one.
Yeah. I mean, I like cloud-based ones. I personally use one, but I completely get that there are problems with them for sure. And people understandably are skeptical.
But there are also problems with storing your passwords locally on your computer. You know, it's—
There's no perfect solution.
Right. That's the thing, isn't it? So anyway, this guy, looking at some of his passwords, he works at Mandiant, which is a FireEye company.
Some of the passwords have the word fire in them. You think, seriously, guy, you know, are you doing this?
But hey, all security researchers out there, make sure that you're practicing what you preach.
Some of the passwords have the word fire in them. You think, seriously, guy, you know, are you doing this?
But hey, all security researchers out there, make sure that you're practicing what you preach.
Yeah, and I think actually it's an idea that many people just assume that they will not be targeted.
And I think that's, you know, that's a fairly likely probability you won't be targeted if you're just— but, you know, in this industry and with this LeakTheAnalyst operation, I wonder what your advice would be, Graham, for other analysts out there?
Are you saying literally just make sure your passwords are good and strong and unique?
And I think that's, you know, that's a fairly likely probability you won't be targeted if you're just— but, you know, in this industry and with this LeakTheAnalyst operation, I wonder what your advice would be, Graham, for other analysts out there?
Are you saying literally just make sure your passwords are good and strong and unique?
Well, and have layered security and enable two-factor authentication and all the— I mean, we have, for instance, talked in the past about different ways in which you can protect your email account.
All the variety— we'll link to a past podcast in the show notes. Oh my word, we've got a lot of show links today, haven't we?
But we'll put some of those things in where you can learn some of the techniques which you can use to harden the security, to better protect yourself from these kind of attacks.
Ultimately, I'm afraid it's your brain, isn't it?
It's your mouse finger which might be clicking or making a mistake, or it's your decision as to whether you are going to choose a strong password or a weak one.
And I think some people think, oh, because I'm a bit nerdy, somehow I don't have to worry so much as my auntie Jean.
All the variety— we'll link to a past podcast in the show notes. Oh my word, we've got a lot of show links today, haven't we?
But we'll put some of those things in where you can learn some of the techniques which you can use to harden the security, to better protect yourself from these kind of attacks.
Ultimately, I'm afraid it's your brain, isn't it?
It's your mouse finger which might be clicking or making a mistake, or it's your decision as to whether you are going to choose a strong password or a weak one.
And I think some people think, oh, because I'm a bit nerdy, somehow I don't have to worry so much as my auntie Jean.
I know someone exactly who's very savvy in security, and they insist on using the word password as their password.
Really?
How did you know?
Advertises it.
When did I tell you that? Just kidding.
But yeah, and I think it's an arrogance of, I'll never be targeted. Give me a break.
Wow.
So everyone's a target, even if you're not a security analyst.
I mean, not to be completely tinfoil hatty, but you know, it's having worked at security companies before, you know, even the marketing intern can be a target.
And you know, definitely people who are high visibility targets like an analyst know that they really need to practice what they preach. But that goes all the way down, doesn't it?
I mean, not to be completely tinfoil hatty, but you know, it's having worked at security companies before, you know, even the marketing intern can be a target.
And you know, definitely people who are high visibility targets like an analyst know that they really need to practice what they preach. But that goes all the way down, doesn't it?
So well, yeah, and this is a good wake-up call for everybody who may have been a bit lax as of late on their own personal security whilst they're sitting there telling everyone else how to behave, right?
Maria, what have you got for us this week?
Well, to paraphrase from Monty Python, Flash, it's not dead yet. I'm not gonna even try and make a dead parrot joke, but there we go.
So as many of us have heard, and no doubt many of our listeners would know, Flash is finally going to kick the bucket.
Adobe announced in 2020, since supposedly is expiration date for the much maligned plugin and video player and interactive thingamajigger.
However, I mean, what else do you want to call Flash? Attack vector. There is an ongoing effort from at least one web developer on GitHub to keep Flash alive. Why?
And that is the reaction of many people around the internet.
So as many of us have heard, and no doubt many of our listeners would know, Flash is finally going to kick the bucket.
Adobe announced in 2020, since supposedly is expiration date for the much maligned plugin and video player and interactive thingamajigger.
However, I mean, what else do you want to call Flash? Attack vector. There is an ongoing effort from at least one web developer on GitHub to keep Flash alive. Why?
And that is the reaction of many people around the internet.
Okay.
So the petition from web developer Juha Lindstedt, I hope I didn't mispronounce his name, says open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons.
Don't know how, but that's the beauty of open source. You never know what will come up after you go open source. Hooray. All right.
So the reaction of much of the security community is paraphrased beautifully by Carole's reaction. Please just let Flash die already. It is due to die in 2020.
That's not nearly soon enough, but let's make this happen.
Don't know how, but that's the beauty of open source. You never know what will come up after you go open source. Hooray. All right.
So the reaction of much of the security community is paraphrased beautifully by Carole's reaction. Please just let Flash die already. It is due to die in 2020.
That's not nearly soon enough, but let's make this happen.
Put us out of our misery by putting it out of its misery.
Amen to that.
And just in case people want some stats from a lovely Gizmodo article quoting, I believe, our sponsor Recorded Future, they ranked Adobe Flash Player as the most frequently exploited product in 2015, comprising 8 of the top 10 vulns leveraged by exploit kits and noted the existence of over 100 exploit kits and known vulns.
So yeah, it's a problem.
And just in case people want some stats from a lovely Gizmodo article quoting, I believe, our sponsor Recorded Future, they ranked Adobe Flash Player as the most frequently exploited product in 2015, comprising 8 of the top 10 vulns leveraged by exploit kits and noted the existence of over 100 exploit kits and known vulns.
So yeah, it's a problem.
8 out of 10.
Yeah. It's a, did better on tests than I am. So there we go. So boom, boom. So I mean, I've gone back and forth in my head on this whole thing because I love open source projects.
I worked with a lot of the guys on Metasploit, which is a very wonderful open source project.
And I've seen firsthand how wonderful the open source community is and what amazing things they can do. But open source is of course a double-edged sword.
You open up that source code to the world and there's a real possibility that a lot of people are not going to be working out of the goodness of their heart to fix Flash.
And they're just going to go to town and find all sorts of problems that they couldn't find before.
So we're going to have an even more vulnerable Flash, if that is even a thing that you can imagine. It is quite a target.
I worked with a lot of the guys on Metasploit, which is a very wonderful open source project.
And I've seen firsthand how wonderful the open source community is and what amazing things they can do. But open source is of course a double-edged sword.
You open up that source code to the world and there's a real possibility that a lot of people are not going to be working out of the goodness of their heart to fix Flash.
And they're just going to go to town and find all sorts of problems that they couldn't find before.
So we're going to have an even more vulnerable Flash, if that is even a thing that you can imagine. It is quite a target.
Yeah, I know. I'm just, I don't know. I kind of, I kind of like the archival reason. I like that.
I think that does make some sense that people should be able to research this information and see how it was working.
I think that does make some sense that people should be able to research this information and see how it was working.
Specifically Zombocom and Homestar Runner and Egon's World. Yeah. And Newgrounds. Good games, right?
I'm quite nostalgic about a lot of those retro kind of computer things. It would be a shame. Hey, I've got an idea. Could we, hey, look, huddle up, right?
Good guys.
Get together, right? Because how about we open source Flash?
And so all the hackers and the bad guys, the malicious hackers, can spend lots of time and continue spending lots of time exploiting Flash, but the rest of us agree not to ever use it.
Because the danger of closing down Flash is that the bad guys will then put all of their attentions on exploiting something we are using.
But if we just keep it there and they don't hear that we're not actually using it, yeah, because they're all idiots.
And so all the hackers and the bad guys, the malicious hackers, can spend lots of time and continue spending lots of time exploiting Flash, but the rest of us agree not to ever use it.
Because the danger of closing down Flash is that the bad guys will then put all of their attentions on exploiting something we are using.
But if we just keep it there and they don't hear that we're not actually using it, yeah, because they're all idiots.
Brilliant.
Yeah, I'm sure this will work with no problems at all, right?
Good.
Yeah, it's perfect.
So basically, how many people use Flash now though?
Maybe everybody. Yeah, still, because it's everywhere, because too many websites still have a tiny, yeah, teeny wincy little bit of them.
Literally everyone who watches hentai stuff on the internet. Yeah, Flash. So those guys can be really pissed when it goes away. I'm just saying.
Well, it's like, how much warning do you need? I mean, we've known it's going to, you know, it's the longest death in history.
Quite the death rattle for Flash.
You know, it's taking longer to die than XP.
Yeah, it's taking way too long in my opinion and many other people's opinions.
However, as the petition says, you never know what could come up after you go open source, exclamation point. And I mean, okay, fair enough.
It could become more secure with more eyeballs on it.
In theory, that is possible, but you know, open source projects are not always necessarily known for continuing after a certain point, you know, having a lot of support.
People tend to drop them. And I don't know how interesting this is as a problem for a lot of people.
I mean, Flash has been around for forever, but that said, what do we do when Flash goes away? What do you do with all those Homestar Runner videos?
And it's not just videos, I should say. It's really the interactive content, the stuff you click on, because videos are not really the problem. It's the interactive stuff.
And there are a lot of people who've attempted to solve this problem, basically making interactive videos from early 2000s workable.
But since the Flash backend is closed, you can't really do much with it. So there really hasn't been a good solution and there's really no viable alternative right now.
So that is actually a legitimate issue if there's stuff that you want to still use once Flash goes away.
However, as the petition says, you never know what could come up after you go open source, exclamation point. And I mean, okay, fair enough.
It could become more secure with more eyeballs on it.
In theory, that is possible, but you know, open source projects are not always necessarily known for continuing after a certain point, you know, having a lot of support.
People tend to drop them. And I don't know how interesting this is as a problem for a lot of people.
I mean, Flash has been around for forever, but that said, what do we do when Flash goes away? What do you do with all those Homestar Runner videos?
And it's not just videos, I should say. It's really the interactive content, the stuff you click on, because videos are not really the problem. It's the interactive stuff.
And there are a lot of people who've attempted to solve this problem, basically making interactive videos from early 2000s workable.
But since the Flash backend is closed, you can't really do much with it. So there really hasn't been a good solution and there's really no viable alternative right now.
So that is actually a legitimate issue if there's stuff that you want to still use once Flash goes away.
So one thing that I've seen suggested is that the browser plugin of Flash is killed off.
That's completely zapped because that's obviously the most common attack vector, but maybe there could be an open source desktop player instead.
And so if you had something which you really wanted to run to check it out, you still could, but the exposure is greatly reduced.
That's completely zapped because that's obviously the most common attack vector, but maybe there could be an open source desktop player instead.
And so if you had something which you really wanted to run to check it out, you still could, but the exposure is greatly reduced.
That does sound like a good solution to me.
It would be a program which you have running on your desktop and you load a file into it. You say, this is the Flash file which I want to run.
Right. Yeah.
Something like that.
Yeah, if you're an internet archivist and those people do exist and you really want to access that eBaum's World thing from, you know, the stick figure fighting game from 2002, you can.
And you know, and that way we don't lose all that ephemera from the early 2000s, really.
And you know, and that way we don't lose all that ephemera from the early 2000s, really.
And I also like the idea, I think I'm a little less cynical about open source and I think, yeah, sure.
There's a few bad apples out there, but I think, you know, you don't know what'll come up and it could be amazing. They could actually make it much, much more secure and usable.
There's a few bad apples out there, but I think, you know, you don't know what'll come up and it could be amazing. They could actually make it much, much more secure and usable.
Absolutely possible. That's the thing. It is a complete unknown. I mean, it really could happen and that would actually be kind of exciting.
However, I mean, as I said, I kind of go back and forth on this one because I can see their point of view.
But one thing I'm thinking is that what's going to happen if we open source Flash is we're going to have kind of a shambling zombie form of Flash after 2020.
And people are going to go, well, okay, so Flash isn't officially supported anymore, but there's an open source version.
So I'm not going to actually get rid of it on my website because technically there's a viable option. When really we need to be telling people, stop using it.
For the love of God, why are you still doing this?
However, I mean, as I said, I kind of go back and forth on this one because I can see their point of view.
But one thing I'm thinking is that what's going to happen if we open source Flash is we're going to have kind of a shambling zombie form of Flash after 2020.
And people are going to go, well, okay, so Flash isn't officially supported anymore, but there's an open source version.
So I'm not going to actually get rid of it on my website because technically there's a viable option. When really we need to be telling people, stop using it.
For the love of God, why are you still doing this?
I can save $30 grand by not updating my system and carry on using Flash and just change it to this new open source version.
Correct. And that's not an outcome we want to see, at least those of us in the security world.
Okay guys, I'm gonna put you in the hot seat, right? Should we kill Flash or not? Thumbs up or thumbs down? Come on, are we gonna save it?
I'm giving a thumbs up or thumbs down, but you can't see 'cause I'm over the microphone. No.
I think you're not giving us the option of kill it for everyday users, but throw it into the open source community to see what they can do with it.
But is that actually— That's not killing it. It's not dead yet. Maybe getting better.
I like this open source desktop player thing, which will mean that people will still have to update their websites and fix their websites and stop being reliant on Flash.
But the exposure is reduced in the browser, which is the primary attack vector.
But the exposure is reduced in the browser, which is the primary attack vector.
Why wouldn't they just say to download it? They would just say, go download this tool.
Are people going to do that? I mean, we're talking about reducing the attack surface, right? If we get rid of the Flash browser plugin that definitely needs to go.
I don't think anyone's really fighting for that. I mean, maybe they are, but I certainly am not. That certainly won't mitigate the issue.
I don't think anyone's really fighting for that. I mean, maybe they are, but I certainly am not. That certainly won't mitigate the issue.
And does interactive ads— actually, this is a question I don't even know the answer to. Interactive ads in videos, right? So are they all Flash reliant as we know, right now?
Because that was probably what's causing the big delay in them being wiped out.
Because that was probably what's causing the big delay in them being wiped out.
I imagine a lot of them are not. I mean, to me, the thing that has killed off Flash in a lot of websites right now is mobile. There's a lot of mobile devices no longer support Flash.
So that has done a lot for killing Flash more than anything else. I doubt that those are Flash-based.
I'm sure there are in some corners of the world, but I imagine many of them have moved to HTML5 or other options.
I mean, do we still see the mortgage ads with the dancing person where you punch the number? I mean, that sounds like 10 years ago.
But I mean, there are other problems with ads that we could probably do 50 shows on that alone.
So that has done a lot for killing Flash more than anything else. I doubt that those are Flash-based.
I'm sure there are in some corners of the world, but I imagine many of them have moved to HTML5 or other options.
I mean, do we still see the mortgage ads with the dancing person where you punch the number? I mean, that sounds like 10 years ago.
But I mean, there are other problems with ads that we could probably do 50 shows on that alone.
Yeah, yeah, yeah, yeah.
Right, enough chat. I've decided we're gonna kill it. Flash is gonna die. There you go. Someone had to make a decision.
Okay, it rests in peace.
It's in room 101.
Pull the lever. Clunk, flash. Clunk, flash, actually.
Bye, Flash.
Boom, boom. Oh dear. Carole, take us away from this madness. Give us a totally sane topic to chat about today.
Well, I'm going to talk about hacked billboards.
So today, Wednesday, the day of recording, we've seen reports of a giant billboard in Wales' capital, Cardiff, its main shopping street. It's been hacked.
So the billboard seems to have been accessed by a hacker via remote control, and then they took control of the screen to display rather shocking images to the shoppers of Cardiff.
So today, Wednesday, the day of recording, we've seen reports of a giant billboard in Wales' capital, Cardiff, its main shopping street. It's been hacked.
So the billboard seems to have been accessed by a hacker via remote control, and then they took control of the screen to display rather shocking images to the shoppers of Cardiff.
Right, yeah.
Okay, now this has only just happened.
There's not a lot of info right now that's just come out at the time of recording, but a message posted by an anonymous user on the community site 4chan— okay, I'm putting little marks around community site 4chan.
There's not a lot of info right now that's just come out at the time of recording, but a message posted by an anonymous user on the community site 4chan— okay, I'm putting little marks around community site 4chan.
Paragon of internet citizenry.
Anyway, now this was posted late Monday evening, and it read, I live in Cardiff, Wales, UK.
Earlier today I was walking to work and looked up at a giant 300-foot TV screen on the side of the building. That's what he says. 300 feet. I think—
Earlier today I was walking to work and looked up at a giant 300-foot TV screen on the side of the building. That's what he says. 300 feet. I think—
I'm surprised they've got 30-inch TVs in Wales.
Wait, that's where they filmed Doctor Who, right?
So it is. Yeah.
Yes, that's ridiculously high. That is like 100 meters.
300 feet must be a mistake. I don't think we can rely upon this person, but anyway, carry on.
Yes, yes, yes, yes, yes.
Okay, so a big—
Let's— we're going to replace that with big TV screen on the side of the building.
I noticed that TeamViewer was running in the background and I took a photo of the username and password. I just tried remote controlling it and it worked!
What should I use this for considering that it's probably unattended all night long?
I noticed that TeamViewer was running in the background and I took a photo of the username and password. I just tried remote controlling it and it worked!
What should I use this for considering that it's probably unattended all night long?
All night long, Lionel Richie.
Yeah, that's his—
All night long. I put up that video, that's the obvious thing. There's the answer.
That's what, yeah.
So there were many suggestions, some were as mildly funny as yours was and some were truly distasteful.
What a surprise.
They included swastikas and the sign saying, "Big Brother is watching you," and a warning, "This is a Sharia-controlled zone, no alcohol, no gambling, no porn," and a kind of peppy Donald Trump mashup thing.
Any Rickroll suggestions?
Not that I saw.
That's disappointing.
So, you know, we've seen this before. This is not the first time a billboard has been hacked.
I think last May, Liverpool One shopping center has a screen, it got hacked, and it was hacked with a rather helpful message saying, "We suggest you improve your Smashing Security.
Sincerely, your friendly neighborhood hackers."
I think last May, Liverpool One shopping center has a screen, it got hacked, and it was hacked with a rather helpful message saying, "We suggest you improve your Smashing Security.
Sincerely, your friendly neighborhood hackers."
That's nice.
Yeah. In April, a giant LED screen in a busy Delhi metro station started streaming Pornhub clips.
And in March, Mexico City digital board located near one of the busy roads showed porn for a few minutes. And probably the worst one was the 2015 Atlanta billboard.
Remember, it was in a really swanky neighborhood in Atlanta, and it displayed goatse.
And in March, Mexico City digital board located near one of the busy roads showed porn for a few minutes. And probably the worst one was the 2015 Atlanta billboard.
Remember, it was in a really swanky neighborhood in Atlanta, and it displayed goatse.
Oh, God.
Well, any listener who doesn't know what I'm talking about, you are a very lucky human being. Do not go and research this.
Don't Google.
Do not think this is a double bluff.
There won't be links in the show notes.
There will not be any links in the show notes.
Very quick way to get blacklisted.
Actually, I don't think that is my favorite. My favorite, remember, it was like late 2000s and there was like zombies ahead. It was in Austin. It was construction signs in Austin.
Zombies ahead.
Movies ahead. And yeah, there was something. Yeah, I love that.
Signs are very easy to hack. Yeah.
Yeah. There was another one saying Dalek invasion. I liked that one because obviously fantastic.
The reason I wanted to talk about this was to kind of crowbar in some security chatter about TeamViewer.
Now TeamViewer, for those who don't know, is a tool that allows people to remotely access computers and desktops and allows for file sharing and all these things.
And they're used to, in some cases, to display messages on, you know, people use them when they're doing presentations to share screens.
But people also use them for these big digital screens.
So TeamViewer, many of us in the industry would say, it's been designed to be easy to use, not necessarily very strongly secure.
And there is a great article that I found from, and it was published last year, but it was published from How to Geek.
And it has loads and loads of little tips on how you can make your TeamViewer instance much more secure.
Now, a few big ones that we can share is make sure you exit TeamViewer when it's not in use. Don't just leave it hanging around, you know, turned on but silent.
Use obviously strong passwords, and there is gonna be a link in the show notes for how to do that, right, Graham? Sure thing.
Now TeamViewer, for those who don't know, is a tool that allows people to remotely access computers and desktops and allows for file sharing and all these things.
And they're used to, in some cases, to display messages on, you know, people use them when they're doing presentations to share screens.
But people also use them for these big digital screens.
So TeamViewer, many of us in the industry would say, it's been designed to be easy to use, not necessarily very strongly secure.
And there is a great article that I found from, and it was published last year, but it was published from How to Geek.
And it has loads and loads of little tips on how you can make your TeamViewer instance much more secure.
Now, a few big ones that we can share is make sure you exit TeamViewer when it's not in use. Don't just leave it hanging around, you know, turned on but silent.
Use obviously strong passwords, and there is gonna be a link in the show notes for how to do that, right, Graham? Sure thing.
Dusting that one off.
Yeah, yeah, there'll be 800. Good luck finding any of the links.
Turn on two-factor authentication for TeamViewer, and I was just talking to my other half, and he didn't even know that two-factor authentication existed for TeamViewer.
That may be something that's less known.
Turn on two-factor authentication for TeamViewer, and I was just talking to my other half, and he didn't even know that two-factor authentication existed for TeamViewer.
That may be something that's less known.
Divorce him.
Yes, that would be a good reason.
Strong measures.
Why are you leaving him? Because—
And of course, make sure it's updated. You know, obviously, I think that's less— You know, I think most people would make sure of that now.
But just as a little reminder, let's do that because we're going to be relying on digital screens much more. I mean, I think the end of the poster is near, right?
But just as a little reminder, let's do that because we're going to be relying on digital screens much more. I mean, I think the end of the poster is near, right?
Right. But so sort of devil's advocate on this one. Yeah. The folks setting up these giant screens, they don't give an F about any of this stuff generally, is my guess.
Well, until they get— until they have their big boss coming down them going, what the hell?
Yeah, but these aren't these the guys that usually are up there on the billboards, the old pasteboard guy? I don't know, I'm just thinking, you were mentioning the Austin sign hack.
Yeah, I mean, do you know how to hack those? You literally just walk up to them and open the panel in the back with a flathead screwdriver, and there you go. That's how you get out.
Yeah, I mean, do you know how to hack those? You literally just walk up to them and open the panel in the back with a flathead screwdriver, and there you go. That's how you get out.
That's the construction sign ones.
Yeah, yeah, that's for the road signs, but I think the advertising billboards are a little bit more complicated than that, aren't they? Or are they not?
Well, I don't think you can go up to them as much. Well, maybe you can.
Maybe you can. Yeah, usually there's a ladder. I mean, is it really that hard? I don't know. I mean, so I'm just thinking, so exit TeamViewer fully when you're not using it.
Maybe there should be a way for TeamViewer to self-time out on some sort of application like this.
Maybe there should be a way for TeamViewer to self-time out on some sort of application like this.
Absolutely.
Yeah, like assuming that the person's gonna know to do that. I don't know, that seems like a giant leap to me.
There's another one about making sure it doesn't start up when you basically boot up Windows either, right? So don't just have it auto-start along with Windows.
So yeah, I mean, I'm not saying TeamViewer is responsible for all these things, but these remote access tools need to be properly configured in order to try and stem the flow of attacks like this because they seem to be growing.
You know, it's quite fun for a young hacker to be able to hack something that's so, you know.
So yeah, I mean, I'm not saying TeamViewer is responsible for all these things, but these remote access tools need to be properly configured in order to try and stem the flow of attacks like this because they seem to be growing.
You know, it's quite fun for a young hacker to be able to hack something that's so, you know.
Yeah, and don't display your TeamViewer username and password on the billboard, right? Don't have that popping up on the screen.
That must happen because you're sharing your screen, right? And I was thinking about that, like, how do you—
How does that happen?
Yeah, how do you turn that off and how do you manage that? They may not even be aware that that's happening.
Well, it's like when you have a press conference and you have the Wi-Fi username and password behind the reporter kind of thing, like, come on.
Yeah, I don't know.
That's just bad password hygiene, bad overall hygiene.
I suppose it is. Well, guys, I think it's time to find out who's sponsoring the show this week. Let's find out who the sponsor is.
Graham, who's our sponsor this week?
Our sponsor is Recorded Future. You know them, they're cool, they do all kinds of cool things. Like?
They look on the web, they look on the dark web, they peruse the internet in its darkest corners, and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity.
And then they bundle it all up, they wrap it up in a beautiful ribbon and send it to you in a free email.
They look on the web, they look on the dark web, they peruse the internet in its darkest corners, and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity.
And then they bundle it all up, they wrap it up in a beautiful ribbon and send it to you in a free email.
If you want to be ahead of the game, I guess you get their free daily email.
Of course you do. But first of all, you've got to sign up for it, otherwise they won't know to send it to you. They're not that clever. Go to recordedfuture.com/intel.
And thanks to Recorded Future for supporting the show. Smashing, and welcome back to the show. And in this segment, we are going to choose our picks of the week.
Yes, our pick of the week could be a funny story, a book we've read, a TV show, movie, record, an app.
And thanks to Recorded Future for supporting the show. Smashing, and welcome back to the show. And in this segment, we are going to choose our picks of the week.
Yes, our pick of the week could be a funny story, a book we've read, a TV show, movie, record, an app.
I think we should have a choice of pick of the week and tip of the week. I do think we should maybe pick tip.
Pick the tip. Tip to pick.
Yeah, sometimes people can give good tips. Sometimes there's a good pick.
That's what she said. I have to say, Maria, I thought having a woman on the show would actually raise the tone a little bit. And I'm not sure that's happened.
Why would that happen?
Who gave you that idea? Graham, you know me.
I thought we would get out of the locker room and it would just be a little bit classy.
Listen, Trump's president, anything is possible now. You know, kidding. Anyway.
Pick of the week, pick of the week.
Pick of the week. Maria, could you say, "Pick of the week"? Ah, excellent.
There you go.
Very keen.
Yes.
So I've just got a quick one for you all. There is a podcast, it's ridiculously popular. I mean, it's—
Yeah, if you listen to podcasts, you've heard of this podcast, but you— Yeah, it's a good one.
It's Reply All from the guys at Gimlet Media, which is a great weekly podcast. I think they do it most weeks, and it's all about the weirdness of the internet and things like that.
And their latest episode, which we'll link to in the show notes, is all about tech support scammers.
Now, when I saw it was about tech support scammers, I thought, okay, they're going to do the usual thing where a scammer calls them up and they keep them on the phone for ages and it gets more and more ridiculous.
But no, they've been rather more inventive than that. It's almost brilliant. It's a great episode.
And their latest episode, which we'll link to in the show notes, is all about tech support scammers.
Now, when I saw it was about tech support scammers, I thought, okay, they're going to do the usual thing where a scammer calls them up and they keep them on the phone for ages and it gets more and more ridiculous.
But no, they've been rather more inventive than that. It's almost brilliant. It's a great episode.
And so what do they do?
Well, I don't want to give too much away because it's rather beautiful, but basically they almost form a relationship with the scammer.
You know, it's like they're calling up regularly for chats and—
You know, it's like they're calling up regularly for chats and—
But they also do a bit of journo-ness, right? So they go and do a bit of digging and they find out lots of information, which is quite interesting.
They find out more about this particular company which is doing the scams and the people who are working there.
And it ends on something of a cliffhanger, which will make you want to tune in, I think, to the next episode, which hasn't been released at the time of recording, but I'm looking forward to it to find out what happens next.
But I would recommend it.
And it ends on something of a cliffhanger, which will make you want to tune in, I think, to the next episode, which hasn't been released at the time of recording, but I'm looking forward to it to find out what happens next.
But I would recommend it.
Yeah, I agree. Total hat tip for that. I loved it as well.
Go and check out Reply All, and the episode is called Long Distance. And as I said, we will have a link in the show notes. Got a lot of those this week.
Yeah, it's the mot du jour.
So Maria, what's your pick of the week?
Pick of the week.
My pick of the week is speaking of cliffhangers. It's a fascinating documentary I saw a few weeks ago while in the throes of newborn haze. It's the documentary called Tickled.
Because I heard you guys talking about the Red Pill documentary a few weeks ago, and I'm just, Graham loved that one.
Because I heard you guys talking about the Red Pill documentary a few weeks ago, and I'm just, Graham loved that one.
Loved it.
Hard pass on that one for me. Just, just frankly, no thanks. I'm on Reddit too much. I know what that's about. No thanks, pass.
But the documentary called Tickled, which is all about, quote, competitive endurance tickling, is, as the tagline says, not what you think.
And Carole and Graham, you both have seen it, I believe, so you can back me up on this.
But the documentary called Tickled, which is all about, quote, competitive endurance tickling, is, as the tagline says, not what you think.
And Carole and Graham, you both have seen it, I believe, so you can back me up on this.
It's a great documentary. You recommended it to me, Carole.
Yeah, I watched it maybe a few months ago off Netflix, and I called Graham the next day in the morning saying, you must watch this, you must watch this, you must watch this.
And I forced them to watch it that night just because I thought it was that good.
And I forced them to watch it that night just because I thought it was that good.
Did you get Graham to watch it?
No, just kidding. But that's the thing. I never thought tickling could be dirty, but you know, it's not in the way you think. Not in the way. Yeah, at all.
You think it's a sex thing, and it is, but it's not. And that's not what this is. No, I just gave it away, but it's not crazy people. Some super crazy people.
And it's kind of dark and sad, and there's really no conclusion to the main documentary, which is a little frustrating because you're, you're dark and sad maybe, but also I sort of, you know, curl up on a Friday night with a bowl of popcorn.
And it's kind of dark and sad, and there's really no conclusion to the main documentary, which is a little frustrating because you're, you're dark and sad maybe, but also I sort of, you know, curl up on a Friday night with a bowl of popcorn.
I think it's delicious, delicious TV. I love documentaries like that.
Carole has an endless appetite for dark and sad, is what we're saying.
And popcorn.
And popcorn. Stuff in her face. Bit of darkness, bit of sadness, bit of popcorn.
Delicious. Have you seen the follow-up documentary called The Tickle King?
No.
Okay, so this is— you have to— I'm giving you walking orders. Go watch The Tickle King because that's the follow-up.
Basically, when they started airing the Tickle documentary at film festivals, a lot of the guys in the documentary started showing up and real-life trolling these events. Yes.
And it's all this drama and it's kind of— so yeah, if the Tickle documentary is not enough for you, which it's, you know, it might not be, you know, if as fascinating as it is, go watch The Tickle King afterwards.
Back to back, it's awesome. Really fascinating. And yeah, great, great watch.
Basically, when they started airing the Tickle documentary at film festivals, a lot of the guys in the documentary started showing up and real-life trolling these events. Yes.
And it's all this drama and it's kind of— so yeah, if the Tickle documentary is not enough for you, which it's, you know, it might not be, you know, if as fascinating as it is, go watch The Tickle King afterwards.
Back to back, it's awesome. Really fascinating. And yeah, great, great watch.
Sounds good, I'll check it out. Thank you very much.
No problem. And it's not the red pill.
Girl, what's your pick of the week?
So mine, mine's a bit weird because I did this pick because of its weird factor. I mean, this is just too weird. So this is a Tokyo-based artistic design studio called We+.
Now, the reason I wanted to use this, the reason I to bring this, I was talking about screens earlier, so this is all about screens as well.
And what they've done is they've developed a clock that is actually a kind of digital screen, but it represents a human face.
Basically, the way that that face is looking or moving its mouth is supposed to indicate what time—
Now, the reason I wanted to use this, the reason I to bring this, I was talking about screens earlier, so this is all about screens as well.
And what they've done is they've developed a clock that is actually a kind of digital screen, but it represents a human face.
Basically, the way that that face is looking or moving its mouth is supposed to indicate what time—
So this is a shock dummy face or something?
No, no, okay, look, look, let me look. I want you guys to watch the video, okay? There's a little promo video, it's on Mashable. Just watch this and you'll see what I mean.
Okay, all right, let's watch it.
Let's go click it.
Now do you see how do they—
No, nope, I'm noping out of this. No, no thank you. That's enough internet for me today.
So let me explain to listeners.
So basically, say for example it was 10 to 2, you would have to have your left eye kind of facing upwards and left and your right eye facing upwards and right. Right?
And how do you do that? So they took— they have 3 different face clocks which you can choose from that are available.
And then they did movies of the faces moving their eyes in, you know, around the clock face. And then they of course mirrored two together to try and get the difference.
So basically, say for example it was 10 to 2, you would have to have your left eye kind of facing upwards and left and your right eye facing upwards and right. Right?
And how do you do that? So they took— they have 3 different face clocks which you can choose from that are available.
And then they did movies of the faces moving their eyes in, you know, around the clock face. And then they of course mirrored two together to try and get the difference.
It's—
The thing was, okay, okay, and there's some, you know, blah blah about how this is important, about how time controls our lives, that I just thought was just snooze fest.
No, it's just, you know, sometimes just come on. However, I have to say, I would people to go look at it just to see if they actually can tell the time quickly.
So I think there's, there's a game in here, right? Just stop the video and say what time is it?
No, it's just, you know, sometimes just come on. However, I have to say, I would people to go look at it just to see if they actually can tell the time quickly.
So I think there's, there's a game in here, right? Just stop the video and say what time is it?
I haven't seen— I cannot recognise this. I mean, you've explained to me how it works with the eyes moving. I can't read the times on any of these.
It's just a human whose brain has been replaced with a goldfish and they're going pop, pop, pop. And it's just really disconcerting. And I don't want to tell time with that.
Who would want one of these?
And their eyes are all bug-eyed and stuff. I'm not okay with it.
See, I have a number of cool clocks in my house that, Graham, you have a problem with because you feel that they're—
You have one particularly bad clock, which is absurd in every fashion and not very easy to— But actually, is it easier to tell the time from than this?
Yes, and I think better looking as well. I think I'd find it creepy.
It's a bit like, you know those paintings in haunted houses where they follow you, the eyes follow you, Scooby-Doo style.
It's a bit like, you know those paintings in haunted houses where they follow you, the eyes follow you, Scooby-Doo style.
You take the mask off and it's Mr. Weekends.
So go be weird. If any one of you want a top pick for being weirded out, go check out this little product and video on Mashable.
That's my top clock that you have. Then you can't just use that.
Okay, so my clock is where the hand don't move, the hand stays steady, and there's a cog that turns around the hand, and the cog has the face on it.
So the 1, 2, 3, 4, 5, and it kind of chugs along on a cog and it turns. And as it goes, you can tell what time it is.
So the 1, 2, 3, 4, 5, and it kind of chugs along on a cog and it turns. And as it goes, you can tell what time it is.
Does it have a cog?
I hope you're following this at home, folks.
I heard cog 4 times.
This mental picture that's being drawn up. Carole, is it possible you've got a link we could put in the show notes?
Yes, let's add them to the show notes.
Or just take a photograph and chuck it up on the internet somewhere and people can see that.
Put it on the tweeter link.
I think that just about wraps it up. It's been quite a show. We've had a few interruptions. Hopefully they didn't crop up in the edit too much. We had a power cut at one point.
That was very exciting. But we've made it to the end. Thank you so much, Maria, for joining us.
That was very exciting. But we've made it to the end. Thank you so much, Maria, for joining us.
Oh, my pleasure. Thanks for having me.
It's been wonderful.
You were great.
She's been super, hasn't she?
Yep.
Thank you at home for tuning in. And if you like the show, or if you've got some—
Carole, you were great too.
Yeah, yeah.
If you—
No, I was great.
Do you want to say I was great?
Because you're not. Right. Well, on that note.
Just kidding. We love you a little, maybe.
If you've got any comments to make on the show, go sign ransomware like iTunes, where you can leave us some feedback. Just remember to click the 5-star button while you're doing it.
Whether it's good feedback or negative feedback, we don't care. Just 5 stars, 5 stars.
Go to www.smashingsecurity.com and you can follow us on Twitter @smashingsecurity, no G on Twitter.
Whether it's good feedback or negative feedback, we don't care. Just 5 stars, 5 stars.
Go to www.smashingsecurity.com and you can follow us on Twitter @smashingsecurity, no G on Twitter.
And thanks as always for listening.
Yeah. Until next time.
Toodaloo.
Bye-bye.
Bye.
Okay, bye.
Thanks for making us laugh, Maria.
Oh, no problem.
Yeah, because I'm not funny. Graham's not very funny.
Yeah.
Oh, that was so much fun!
Oh wow, fun!
Oh gosh, I just dropped something on the floor.
September 2019
It’s not all zombies and porn, sometimes road sign hackers can comment on topical political news stories.
Oh those naughty roadsign hackers… https://t.co/FaXdGm4uOB
— Graham Cluley ???? @ (@gcluley) September 27, 2019
“IMPEACH THE BASTARD”
September 2019
And, back to porn again…
Drivers on the interstate in Auburn Hills, Michigan, were greeted by an eyebrow-raising sight: a pornographic movie featuring adult actresses Xev Bellringer and Princess Leia (with a possible bit part played by an unidentified gentleman).
I'm flattered, but keep your eyes on the road and both hands on the steering wheel! Get off at the next exit, if you must ;) https://t.co/gcfOU8q7Ik
— xev_bellringer (@xev_bellringer) September 30, 2019
Police posted video footage of two suspects breaking into a shed containing the computer which was controlling the billboard.
We discussed the whole sordid affair with the type of gravitas it rightly deserves on an episode of the “Smashing Security” podcast.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So they were shaking hands is what I'm understanding. Very vigorously.
Agreeing to something else, I think.
Vigorously welcoming each other. Apparently the video lasted for a full 20 minutes. That would give you RSI, wouldn't it? Smashing Security, episode 148.
Billboard boobs, face forensics, and Alexa Ransomware Gets Way Too Personal with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 148.
My name is Graham Cluley.
Billboard boobs, face forensics, and Alexa Ransomware Gets Way Too Personal with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 148.
My name is Graham Cluley.
And I'm Carole Theriault.
And this week, Carole, we are joined by a terribly popular returning guest. It's Maria Varmazis. Yes, I know.
Yay. Yeah.
Hello, Maria.
Hey, Maria. It's been a while.
It has.
Hello.
It's very early in the morning for you. Tell me you have a cup of tea in front of you or something.
I do, and it's in my Swear Trek mug.
Oh yeah.
Swear Trek mug.
Yeah. Oh yeah. One of my very first picks of the week. But I ended up buying a mug from them 'cause I love them so much. So it felt apropos.
Apropos.
Apropos, totes apropos.
I have a Bob Ross mug.
Oh.
And I think someone put it in the dishwasher and it's starting to peel off because when you put hot drink in it, his painting comes alive. Oh. Yeah, it's cool.
But it can't take the heat. All right, interesting.
Yeah, can't take, well, it can't take the dishwasher.
All right, this has been Mug Talks, brought to you by Smashing Security.
Carole Theriault, tell us what have we got coming up on the show this week.
Thanks to this week's sponsors, LastPass and Immersive Lab. Their support helps us give you this show for free.
Now on today's show, Graham gives us an SFW look at a porn incident along an American highway.
Maria muses on the latest in the deepfake, cheapfake space, and I'll investigate whether Amazon really is finally taking our privacy concerns seriously.
All this and loads more coming up on this episode of Smashing Security.
Now on today's show, Graham gives us an SFW look at a porn incident along an American highway.
Maria muses on the latest in the deepfake, cheapfake space, and I'll investigate whether Amazon really is finally taking our privacy concerns seriously.
All this and loads more coming up on this episode of Smashing Security.
Now, fellows, fellows, do you remember what you were doing? I'm not allowed to say chaps.
No, no, no.
Do you remember, do you remember what you were doing in 1994?
Yeah, having a great time.
I'll remind you of a few things which were happening back then. Nancy Kerrigan got walloped on the knee. The ice skater got walloped on the knee.
Huge, huge in my world.
That was huge in my world as well. It was massive.
Nancy Kerrigan was from where I'm from around here. So it was big local news. That was all I heard about. Yep.
Of course, her arch rival, Tonya Harding, her ex-husband was the one who did it. There's a great movie about it.
That movie was good. Yeah. Yeah.
Great movie.
Netscape Navigator was released.
Oh, bless it. That's the best way to be online.
RIP.
Some superb movies came out like The Shawshank Redemption, The Flintstones with John Goodman, and of course, Maria, Star Trek Generations.
Oh yeah.
Was that the movie?
It's the one where Picard and Kirk meet up. I remember seeing that one.
Malcolm McDowell is a bad guy, isn't he?
Yeah, it was weird. It's not a great movie.
It's not a good movie.
It's not. It's not.
Most of the Star Trek movies, it's kind of—
Is that the one where Kirk dies? Is that where Kirk— Spoilers.
Yeah, it is. Yeah.
1994, dudes. Alright.
And O.J. Simpson, he fled the police in his white Ford Bronco.
Yeah, another huge thing.
Oh my God.
Was that one of the first live tracking? There was helicopters following. It was a big deal when that happened.
Yes.
It was bonkers.
The miniseries they just did about O.J., they— American Crime Story or something? Fantastic. Really good. That's my pick of the week.
There you go. Now it all— Hey, wait, wait, wait. Now it all seems so innocent, doesn't it? All those years ago.
But it was also the year when a dangerous and pernicious ad campaign appeared on roadside billboards, putting drivers in peril.
But it was also the year when a dangerous and pernicious ad campaign appeared on roadside billboards, putting drivers in peril.
Okay.
Yes, it was a serious road traffic incident. Well, here in the UK at least, there was a campaign which featured Czech supermodel Eva Herzigova.
Mm-hmm.
And it was very controversial, much to the delight of the PR people working for Wonderbra, which is what she was advertising.
There was a famous advert of Eva Herzigova looking down at her, and it was accompanied by the words—
There was a famous advert of Eva Herzigova looking down at her, and it was accompanied by the words—
Looking—
Sorry, sorry. Looking down at her what? I'm sorry.
What, you can't say boobs? You know, what's the embarrassing bit there, Graham?
She was looking— Anyway, it was accompanied by the words, "Hello, boys." Now, I never quite understood whether she was saying hello, boys, to her boobs.
I don't think any woman that I've ever met would do that. So I don't think there was a problem there.
No, they're always ladies. They're never men. That's kind of rule number one.
But they do look kind of a couple of bald-headed men, don't they? It could almost be a couple of cards there. Maybe, yes, I suppose so.
This is getting really perverted.
Now, Eva Herzigova, she is not the only person to strip down to their undies for a roadside ad. You may remember, of course, David Beckham advertising Armani underwear.
There he was reclining as though he was having a sandwich. I don't know where he kept his cheese and pickle, but there he was enjoying himself.
There he was reclining as though he was having a sandwich. I don't know where he kept his cheese and pickle, but there he was enjoying himself.
You had fun pulling the story together, didn't you?
Oh yes. Google image search. But if we were to believe the tabloids, there were road accidents galore, traffic jams, utter chaos as men ogled the billboard boobage while others—
Right, because they're hot. They're sexy pictures. And so what, people were ogling them?
And Eva Herzigova? Yes, she's, she's, you know.
Oh yeah, David Beckham. I'm sure no one looked at that and had a bit of a drool.
People were averting their eyes, if anything, concentrating more on the road.
Yeah. Now it may not surprise you to know there are public safety rules about roadside adverts.
I have been looking these up in the UK and elsewhere, which means I looked it up in the UK and assumed elsewhere as well. Your advert can be banned.
I have been looking these up in the UK and elsewhere, which means I looked it up in the UK and assumed elsewhere as well. Your advert can be banned.
Always going the extra mile, eh, Clue?
Your advert can be banned for being distracting or confusing if it puts vehicles or pedestrians in jeopardy. And this was the allegation about the Hello Boys advert.
But of course, ads have moved on in the last, I don't know, 25, 30 years, haven't they?
You know, the old days of spaffing some wallpaper paste up on a billboard and slapping up the advert, they've long gone by because it's now all digital ads.
And some of them are video ads as well, and video images alongside the roads, which seems to me like a crazy situation.
But of course, ads have moved on in the last, I don't know, 25, 30 years, haven't they?
You know, the old days of spaffing some wallpaper paste up on a billboard and slapping up the advert, they've long gone by because it's now all digital ads.
And some of them are video ads as well, and video images alongside the roads, which seems to me like a crazy situation.
You can get them on the side of buses.
Really? Yeah. What is the— why would you? It just seems crazy. I mean, how distracting would that be, a moving image while you're trying to drive a car?
Oh yeah, I'm used to this now. They're kind of everywhere here.
Well, last Saturday night, the police department at Auburn Hills, Michigan began to receive phone calls. Michigan. Yes. How do you say it?
Michigan.
Michigan.
Michigan.
No.
Michigan.
Yes, exactly like that. Perfect. Well done.
Yes.
I had this argument at home the other day about, you know, those lizardy reptile things. Iguana with the funny ears.
Iguanas?
You say iguana, do you?
How on earth else do you say it?
Oh, I've obviously been getting it wrong then. I've been saying iguana.
Do you say gee-you-uh-tar?
English is such a fucked up language, honestly. Nobody can get this right.
All right, well, welcome to Not Graham Week here on Smashing Security.
Anyway, so the police in Auburn Hills Michigan, began to receive phone calls from motorists because they were calling to say that an electronic billboard on the interstate was displaying a rather unorthodox video.
Now, this video was—
Anyway, so the police in Auburn Hills Michigan, began to receive phone calls from motorists because they were calling to say that an electronic billboard on the interstate was displaying a rather unorthodox video.
Now, this video was—
So you mean unreligious?
No, no, no. Not Greek Orthodox. That's not what I'm talking about. The video was of a couple of young ladies with at least part of a gentleman as well. And—
What was it, his hand?
There wasn't much talking going on.
Perhaps.
Well, I don't know. I haven't seen the video.
Are you talking porn here?
Possibly, yes.
Oh God. So they were shaking hands is what I'm understanding. Very vigorously.
Right, yes.
Agreeing with each other.
Shaking something else, I think.
Vigorously welcoming each other. Apparently the video lasted for a full 20 minutes.
Wow.
That would give you RSI, wouldn't it? Something like that. It's quite impressive, that, these professionals.
Anyway, now you won't be surprised to hear that this video was somewhat distracting, but what surprises me is that some of the drivers who saw this, they responded by instantly leaping into action.
Anyway, now you won't be surprised to hear that this video was somewhat distracting, but what surprises me is that some of the drivers who saw this, they responded by instantly leaping into action.
Yeah.
By grabbing their camera phones and recording their videos of the video being played on the billboard as they were driving down the interstate and uploading it to the internet.
We begin with a shocking distraction for drivers along I-75, a pornographic video playing on a giant billboard.
We are blurring out the explicit portion of the video, but this is what drivers saw near M-59 in Auburn Hills last night.
And 7 Action News reporter Jen Schanz, she spoke to the driver who took that video.
And 7 Action News reporter Jen Schanz, she spoke to the driver who took that video.
I kind of almost got in an accident.
That's because Dr. Justin Camo was distracted by this on his way home from dinner Saturday night. He was traveling on I-75 North near M-59 East in Auburn Hills.
Came across the billboard and it was something unusual. Saw two girls, you know, lesbian porn. I assume someone hacked it right away.
I kind of seen that billboard always having, you know, the user going through the desktop and making sure the proper billboards are up.
So it's one of those digital things that's easy to get hacked.
So the newspapers and the internet sites, they got hold of these videos of the footage that had been played for about 20 minutes.
And as Motherboard reports, the porn aficionados on Reddit—
I kind of seen that billboard always having, you know, the user going through the desktop and making sure the proper billboards are up.
So it's one of those digital things that's easy to get hacked.
So the newspapers and the internet sites, they got hold of these videos of the footage that had been played for about 20 minutes.
And as Motherboard reports, the porn aficionados on Reddit—
Do people call themselves that?
I'm sure they do.
I'm a porn aficionado. That'd be a great business card.
Well, they, if you pardon the expression, they put their heads together and they identified the actresses concerned as Zev Bellringer and Princess Leia. Wait. What? Hmm.
Now, I've done a little bit of research into these two. I've done some Googling.
Now, I've done a little bit of research into these two. I've done some Googling.
I'm sure you enjoyed that research.
Now, first of all, Maria, I'm not claiming that you're one of these, but do you know who's—
I'm definitely not.
Do you know who Zev Bellringer is?
Oh yes, he's a buddy of mine. Yeah.
According to IMDb, this particular Zev Bellringer has appeared in well-known movies such as A Hard Situation.
Of course.
I've Had Bigger.
It's a bad Monty Python sketch. Yeah.
And Bratty Sisters Converted to Sexbots. Now—
Oh, I've watched that one.
I can't tell you.
I've lived it, Carole.
She has a lot of entries on IMDb, and I had to go down a long way to find 3 that I felt comfortable repeating on the podcast, can I tell you? Because a lot of them—
On this family podcast.
Exactly. You can't even say the word boobs, so I'm not surprised.
Princess Leia, meanwhile, doesn't really have an IMDb entry other than the one for Carrie Fisher. Right.
And we're definitely not talking about her, right?
No, no, no.
Not Star Wars. No. Okay.
Well, I was thinking Star Whores perhaps could have been it.
Oh!
If I was hiring her. But anyway, what happened was the guys at Motherboard actually approached these porn actresses for comment about their video appearing on the motorway.
I love that.
I love that.
Oh my Lord.
I was very impressed with Princess Leia, who said that she was shocked on hearing the news, very relieved to hear that no one was hurt.
And she said, "It is my sincere hope that this will open a larger public discussion regarding the safety of electronic billboards." Bravo.
And she said, "It is my sincere hope that this will open a larger public discussion regarding the safety of electronic billboards." Bravo.
All right.
That's a little more sobering than I expected.
I know. She can't be that much fun, can she?
Yeah, she could have worked it a bit to kind of go, "Hey, you can buy the movies on Amazon still. They're available.
$2.99." Zev Bellringer, meanwhile, she tweeted that she was flattered by all the attention, but keep your eyes on the road and both hands on the steering wheel.
I think there was some concerned there could have been people messing around with their stick shifts. Anyway, the thing is that this is all, of course, quite serious.
I think there was some concerned there could have been people messing around with their stick shifts. Anyway, the thing is that this is all, of course, quite serious.
What?
You don't know, enjoying these?
Well, it's just, just fucking. Sorry, but God. Keep going, dude, it's great.
I'm just composing myself.
He's like, I got 20 more. And then the segment is only halfway over.
Now, this is no giggling matter, as you probably noticed. There's nothing amusing here. No. If you thought there might be.
Serious business, obviously.
The police obviously have said that this is pretty serious stuff.
They have got some CCTV footage of two people breaking into a shed under the billboard, hacking into the computer, putting porn onto the digital billboard.
Apparently it was a 3-foot by 3-foot shack hidden behind some shrubbery. So they went behind the bushes and uploaded the video there.
They have got some CCTV footage of two people breaking into a shed under the billboard, hacking into the computer, putting porn onto the digital billboard.
Apparently it was a 3-foot by 3-foot shack hidden behind some shrubbery. So they went behind the bushes and uploaded the video there.
To the love shack, if you will.
Baby.
Indeed. And this has made it quite a serious offence.
Sorry, can I ask a question?
Yes.
So you started off talking about 1994. This video, was that filmed then? Was that when it came out?
No, no, no. The point was about destruction on the roadside, which began back with Eva — sorry, could someone—
So this is a recent movie?
I don't know, Carole. I haven't actually watched the movie or carbon dated it or anything. Well, yeah, IMDb is one thing. When did the film come out?
I don't know when the film came out.
I don't know when the film came out.
Do you call it a film? Is that what it is?
A film? Yes, yes.
A film?
Anyway, messages, lessons to learn. Don't have default passwords. Don't have no passwords at all.
Quite often, the computers running these billboards or road signs are very poorly secured. And they're poorly secured in terms of physical security as well.
They may not even be locked up.
Quite often, the computers running these billboards or road signs are very poorly secured. And they're poorly secured in terms of physical security as well.
They may not even be locked up.
You've just given every teen something to do on a bored Saturday night now.
No, I don't.
Oh, it is known, Carole. Come on, everybody knows this.
Everyone knows.
You think everyone knows this?
Oh yeah. Oh, for sure.
And I'm not suggesting anyone play with anything, Carole. That would be completely out of order.
No.
But there have been a number of instances in the past.
Signs have been hacked, display messages "zombie invasion," "the Daleks are coming," "impeach the bastard," I saw over the weekend.
Signs have been hacked, display messages "zombie invasion," "the Daleks are coming," "impeach the bastard," I saw over the weekend.
Yep.
These sort of things, they're not big or clever. And it can actually end up being a serious felony because you're breaking into a building and the cops may well come and grab you.
I'm not sure this latest porn film was big or clever either. I don't know how big or— well, I don't— Anyway, so there you go. Princess Leia.
I think just keep your eyes on the road, right? And why do we have these kind of adverts on the roadside anyway? It seems terribly, terribly distracting.
I'm not sure this latest porn film was big or clever either. I don't know how big or— well, I don't— Anyway, so there you go. Princess Leia.
I think just keep your eyes on the road, right? And why do we have these kind of adverts on the roadside anyway? It seems terribly, terribly distracting.
I agree. I hate them.
Hate them. Well, let's stop them. Let's stop them right now.
Vermont doesn't have any.
Okay, I know. Every time you go by one, just close your eyes.
Yes. Drive fast. Good idea.
Okay, excellent.
Problem solved.
Maria, what's your story for us this week?
So from porn to deepfakes, which is also porn related, I suppose.
Yeah. Quite often.
I'm actually doing a follow-up to the first time when I came on the show and talked about deepfakes, which was a year and a half ago, I think we said.
February 2018.
Not that long ago in the grand scheme of things.
But I just remember when I brought it up, it was like, hey, this brand new thing called deepfakes, they're using it to fix Carrie Fisher's face on the latest movie posthumously.
And, you know, it's wild that this technology exists somewhere in the ether and maybe one day we'll be using it for more nefarious purposes. But that's surely a long, long way away.
And I'm laughing because I kind of can't believe it, how in such a short amount of time we went from that brand new implausibility to holy shit, it's a real, very easy thing to do and it's an actual problem already.
But I just remember when I brought it up, it was like, hey, this brand new thing called deepfakes, they're using it to fix Carrie Fisher's face on the latest movie posthumously.
And, you know, it's wild that this technology exists somewhere in the ether and maybe one day we'll be using it for more nefarious purposes. But that's surely a long, long way away.
And I'm laughing because I kind of can't believe it, how in such a short amount of time we went from that brand new implausibility to holy shit, it's a real, very easy thing to do and it's an actual problem already.
So I think you were right on the crest of the wave. You were reporting on this just as the deepfake porn problem first emerged on Reddit, weren't you?
Yeah. And I had only heard about it through my sci-fi fandom circles, basically talking about how they fixed the Star Wars movie.
Yeah.
I hadn't read about it at all through— I hate using that phrase— mainstream media about the potential political implications just yet, because that was very sci-fi.
Nobody really cared yet. So we're already there a year and a half later. So I guess what I just wanted to talk about for this segment was an update to all of this.
So in that year and a half, we are already at the point where organizations and companies are stepping up and saying this is a huge problem for us and our platforms already.
So for one example, multiple companies and organizations formed the Deepfakes Detection Challenge. Which is actually starting this month, October 2019.
And here's their mission statement. And again, remember, this is in response to a problem that started a year and a half ago.
When new forms of misinformation emerge, we need new efforts to combat them.
New technologies deepfakes, where realistic AI-generated videos show real people doing and saying fictional things, are a huge technical challenge.
Deepfake technologies are rapidly evolving and are getting incredibly hard to detect.
Adversaries creating fake content and the platforms finding it are competing in something comparable to a high-stakes, fast-moving chess game.
No single organization can— Yeah, I thought you'd be interested. No single organization can solve this on their own. Now Graham's really into it.
That's why we are working together on an ongoing initiative. So who are these companies?
Nobody really cared yet. So we're already there a year and a half later. So I guess what I just wanted to talk about for this segment was an update to all of this.
So in that year and a half, we are already at the point where organizations and companies are stepping up and saying this is a huge problem for us and our platforms already.
So for one example, multiple companies and organizations formed the Deepfakes Detection Challenge. Which is actually starting this month, October 2019.
And here's their mission statement. And again, remember, this is in response to a problem that started a year and a half ago.
When new forms of misinformation emerge, we need new efforts to combat them.
New technologies deepfakes, where realistic AI-generated videos show real people doing and saying fictional things, are a huge technical challenge.
Deepfake technologies are rapidly evolving and are getting incredibly hard to detect.
Adversaries creating fake content and the platforms finding it are competing in something comparable to a high-stakes, fast-moving chess game.
No single organization can— Yeah, I thought you'd be interested. No single organization can solve this on their own. Now Graham's really into it.
That's why we are working together on an ongoing initiative. So who are these companies?
Yeah, I was just going to say, who's part of this?
So far, it's companies Microsoft and my obligatory mention of Facebook.
Yes.
No, these medium-sized companies, medium, tiny, little tiny companies.
And the Partnership on AI, which is this big coalition of a lot of leading tech universities Oxford University, Cornell, MIT, a whole bunch of others.
And in fact, Facebook is on its own ponying up a mere $10 million towards this project.
So I don't know if that means they're actually taking it all that seriously because that seems a drop in the bucket for Facebook.
And in fact, Facebook is on its own ponying up a mere $10 million towards this project.
So I don't know if that means they're actually taking it all that seriously because that seems a drop in the bucket for Facebook.
But it is still a consortium of people that hopefully will come up with something better than if there was nothing at all.
That's true.
That's the hope. That's true.
And at the same time as this is going on, there's also another initiative going on via researchers at Google.
So they just came out with this new custom dataset of faces and face swaps that they made in this project called FaceForensics++.
And they actually put it on GitHub, so you can poke around a little bit.
Google basically hired a bunch of actors and with the actors' knowing consent, they made a bunch of face swaps with these actors using four popular deepfake makers, which is Deepfakes, Face2Face, FaceSwap, and Neural Textures.
So we've got four of these makers, again, year and a half, can't believe it.
So they just came out with this new custom dataset of faces and face swaps that they made in this project called FaceForensics++.
And they actually put it on GitHub, so you can poke around a little bit.
Google basically hired a bunch of actors and with the actors' knowing consent, they made a bunch of face swaps with these actors using four popular deepfake makers, which is Deepfakes, Face2Face, FaceSwap, and Neural Textures.
So we've got four of these makers, again, year and a half, can't believe it.
So these are tools which are used to make deepfake videos.
Correct.
And there's four big ones. There's probably more than four, but those are the four known big ones.
And so they did the face swapping with these actors that they paid and they swapped them onto over 1,000 videos that they easily sourced on YouTube.
And then the idea was that they just made this brand new dataset so they could help reverse engineer how deepfakes are made and smarten up their own AI so they can better detect deepfakes.
So, right, yeah.
And so they did the face swapping with these actors that they paid and they swapped them onto over 1,000 videos that they easily sourced on YouTube.
And then the idea was that they just made this brand new dataset so they could help reverse engineer how deepfakes are made and smarten up their own AI so they can better detect deepfakes.
So, right, yeah.
So it's kind of trying to build something and then test it.
Correct.
And this is a playground that they can test it in. Correct.
Yeah. Okay, cool.
Yeah.
I mean, to me it makes sense that orgs Google, which owns YouTube and Facebook, which, you know, is Facebook, are working furiously to get ahead of deepfakes.
I mean, the ethical issues aside, right, about why deepfakes are a problem — hopefully that's obvious — but when they're gonna have all these credibility issues where you're gonna have fake videos running rampant on all their platforms.
If they can't detect it, people are gonna go, I can't trust anything that's on YouTube or Facebook, so I'm logging off. Which actually might be great.
I mean, the ethical issues aside, right, about why deepfakes are a problem — hopefully that's obvious — but when they're gonna have all these credibility issues where you're gonna have fake videos running rampant on all their platforms.
If they can't detect it, people are gonna go, I can't trust anything that's on YouTube or Facebook, so I'm logging off. Which actually might be great.
Yes, fantastic.
So we should just let them do that. It didn't seem at first any of these companies were taking this all that seriously.
It seems maybe they thought it was gonna be a niche hobbyist thing, or maybe just relegated to the world of porn, and who cares about that?
But then we saw just a few months ago, some deepfakes that an artist made of Mark Zuckerberg announcing his plans for world domination.
It seems maybe they thought it was gonna be a niche hobbyist thing, or maybe just relegated to the world of porn, and who cares about that?
But then we saw just a few months ago, some deepfakes that an artist made of Mark Zuckerberg announcing his plans for world domination.
I think that was actually a real video, wasn't it?
That was, yeah, it was behind the scenes. It wasn't supposed to go live, right.
And then there was another one of supposedly drunken slurring Nancy Pelosi, and that one went viral on Facebook, yeah.
And then there was another one of supposedly drunken slurring Nancy Pelosi, and that one went viral on Facebook, yeah.
Oh yeah, we talked about that on the show, I think. Yeah.
Yeah.
Yeah.
And then, so Facebook had said they weren't gonna get involved with this sort of thing, but once those started going viral, they realized they needed to and they started taking those down.
And I don't know if it was Nancy Pelosi or the Zuck video that was just too much egg on their face, but.
And I don't know if it was Nancy Pelosi or the Zuck video that was just too much egg on their face, but.
You know, when you're speaking, I'm thinking, you know, they've actually impacted some pretty big players, haven't they?
Nancy Pelosi — I'm sure she's okay, something needs to be done. You know, Obama was hit with it, I'm sure Trump has, right?
Nancy Pelosi — I'm sure she's okay, something needs to be done. You know, Obama was hit with it, I'm sure Trump has, right?
Oh, everybody at this point, yeah.
So that would have— I'm wondering if that kind of kickstarted this consortium.
But the problem with these consortiums is it can— it sounds good that you're creating one and you're working on this, but the proof's in the pudding.
It's what actually gets agreed and pushed out, right, as a standard that is important.
And that sometimes can take consortiums years to get, you know, to agree and to decide on the wording.
It's a lawyer's nightmare or field day, depending on what kind of lawyer you are.
But the problem with these consortiums is it can— it sounds good that you're creating one and you're working on this, but the proof's in the pudding.
It's what actually gets agreed and pushed out, right, as a standard that is important.
And that sometimes can take consortiums years to get, you know, to agree and to decide on the wording.
It's a lawyer's nightmare or field day, depending on what kind of lawyer you are.
It's just alarming because we are already in very much a heated arms race situation.
These orgs are, if they're trying to get in front of this problem, they have to move extremely quickly.
And yes, I was just reading a story last night about the proliferation of child pornography and how platforms like Facebook are completely failing at taking the stuff down in a prompt way.
So I'm thinking if they can't even prioritize child abuse images, how on earth are they going to get ahead of things like deepfakes?
I mean, and it's not going to be just big names that are going to get affected.
I mean, people are talking about revenge porn videos being made, people being angry at their ex-boyfriend or girlfriend making a deepfake of them on porn videos.
It could potentially affect anyone. I'm actually honestly shocked that deepfakes haven't come up yet in the current US election, impeachment, etc., etc., a whole news cycle.
These orgs are, if they're trying to get in front of this problem, they have to move extremely quickly.
And yes, I was just reading a story last night about the proliferation of child pornography and how platforms like Facebook are completely failing at taking the stuff down in a prompt way.
So I'm thinking if they can't even prioritize child abuse images, how on earth are they going to get ahead of things like deepfakes?
I mean, and it's not going to be just big names that are going to get affected.
I mean, people are talking about revenge porn videos being made, people being angry at their ex-boyfriend or girlfriend making a deepfake of them on porn videos.
It could potentially affect anyone. I'm actually honestly shocked that deepfakes haven't come up yet in the current US election, impeachment, etc., etc., a whole news cycle.
I think the thing is they couldn't make a video which was more outrageous than the truth.
Yay, happy story. So glad I'm on the show today.
Just like you told us in February 2018 that deepfakes were coming, it was the end of civilization as we know it.
You're going, told you.
I'm moving to a cabin in rural Maine and just cutting myself off from society. And so when societal collapse does happen, I'll be okay.
Graham We should create a deepfake of her so she can come on the show regularly.
Oh, Carole, what's your story for us this week?
So I wanted to look into a recent Amazon event. This was held at their HQ in Seattle, last week. I don't know if you guys seen pictures of Amazon's HQ.
I have not. I imagine it's a big square or sort of rectangular cardboard box, with some brightly colored tape up the side.
No. Oh, it's a biodome, isn't it?
Oh, is it?
Yeah, yeah, yeah.
Yes, it's a biodome. And I guess that's what billions and billions of profits gets you, right? A pretty swanky—
Especially when you don't pay enough taxes on it. Hey-oh!
So Amazon had unveiled at this event a number of new devices and talked more seriously than ever about privacy.
And this is funny because last year Amazon actually made zero mentions of privacy features during its 80-minute unveiling. At the same event.
Actually, I seem to remember privacy was discussed pretty seriously when Bezos was papped stepping out on the then Miss Bezos.
And this is funny because last year Amazon actually made zero mentions of privacy features during its 80-minute unveiling. At the same event.
Actually, I seem to remember privacy was discussed pretty seriously when Bezos was papped stepping out on the then Miss Bezos.
Oh, when his private photos leaked out and things of his.
But Amazon, the company, haven't waded very deeply into these privacy waters.
Anyway, according to CNET, within the first 5 minutes of Amazon's product launch event, hardware chief David Limp— Odd name.
Anyway, according to CNET, within the first 5 minutes of Amazon's product launch event, hardware chief David Limp— Odd name.
It's Limp, actually. Is it? No, I have no idea.
Is it a pronounced limp?
So hardware chief David Limp, his voice took a really serious tone just 5 minutes into the event, right? And he's head of development, right, at Amazon.
Now, he also said, this Amazon head of hardware during this launch event, privacy, so this is quoting, privacy is absolutely foundational everything we do in and around Alexa.
Now, he also said, this Amazon head of hardware during this launch event, privacy, so this is quoting, privacy is absolutely foundational everything we do in and around Alexa.
Bullshit.
Oh, very funny you say that word.
I do not have a smart speaker anywhere in my house, so Alexa is not reporting me to Amazon HQ right now.
Well, so what has been highlighted as new privacy features for the device's assistant?
From now on, I'm going to call it Al, right, just because otherwise the beeping is going to get annoying in the piece.
Okay, so there's a new auto-delete feature letting the users of Al's voice recordings, letting them delete voice recordings on a rolling 3-month or 18-month basis.
Now Recode reports that Amazon will not give you the option to automatically delete your voice data.
Amazon also announced that users can now ask the speaker, "blah blah, tell me what you heard," or "Al, why did you do that?" And these queries are meant to increase transparency.
I can't help but wonder though, some of the answers must be just like, "because," or "don't worry your pretty little head about it," or something to that effect, because what are they going to explain the ins and outs of every reason?
From now on, I'm going to call it Al, right, just because otherwise the beeping is going to get annoying in the piece.
Okay, so there's a new auto-delete feature letting the users of Al's voice recordings, letting them delete voice recordings on a rolling 3-month or 18-month basis.
Now Recode reports that Amazon will not give you the option to automatically delete your voice data.
Amazon also announced that users can now ask the speaker, "blah blah, tell me what you heard," or "Al, why did you do that?" And these queries are meant to increase transparency.
I can't help but wonder though, some of the answers must be just like, "because," or "don't worry your pretty little head about it," or something to that effect, because what are they going to explain the ins and outs of every reason?
Or it's going to be like, "I am refining my algorithm." Well, that was really helpful.
Yes, exactly. Amazon is also letting customers opt out of human reviews of voice recordings. Now note I said opt out, not opt in.
And Apple, you might remember when we talked about a few weeks ago, actually have done it the other way around, so turning it off by default and then you turn it on and they hope you will.
Now, Amazon's two new Echo Show smart displays, right? They introduced even privacy shutters on their cameras. You know, that thing that you can buy for 50p?
And Apple, you might remember when we talked about a few weeks ago, actually have done it the other way around, so turning it off by default and then you turn it on and they hope you will.
Now, Amazon's two new Echo Show smart displays, right? They introduced even privacy shutters on their cameras. You know, that thing that you can buy for 50p?
If that.
Or 10 cents.
Or a Post-it note.
They've thrown those in.
Oh, wow.
That's very generous of them, isn't it? Little webcam cover. Wow.
This may all smell rather rosy, but I tell you, there is a faint whiff of something a little sketchy in the air.
So let me show you the new Amazon gizmos and services that are on offer. So number one, an Alexa-enabled eyewear called Echo Frames.
Now these glasses pair with your Android phone and can read out notification, make calls, play audio.
Do you feel like we've been here before with some other, you know, big tech giant?
And you can play music and podcasts and you can ask Alexa for rundowns of your calendar, blah, blah, blah.
Okay, you can always obviously do some shopping, right, because that's always there.
So let me show you the new Amazon gizmos and services that are on offer. So number one, an Alexa-enabled eyewear called Echo Frames.
Now these glasses pair with your Android phone and can read out notification, make calls, play audio.
Do you feel like we've been here before with some other, you know, big tech giant?
And you can play music and podcasts and you can ask Alexa for rundowns of your calendar, blah, blah, blah.
Okay, you can always obviously do some shopping, right, because that's always there.
Exactly.
You might go, "hey, remember, I need to buy some bananas." There's the Al wireless earbuds, so at any time you can say the name Al, the Al wake word, and the familiar chimes will tinkle tinkle in your ears.
I don't want anybody tinkling in my ears.
It's not your kind of thing.
I think Zev Bellringer actually has a video where there's some ear tinkling going on.
Yeah, probably.
There's also, this is the craziest one, an Alexa-enabled ring for your finger called an Echo Loop.
No, I don't want any of this.
They've taken a whole Echo speaker and they've put it into the ring. Now, can we talk about the logistics of this, please? How is your finger anywhere near your flipping ear?
So hang on, so they've—
Didn't we do this?
Why wouldn't you create an earring? They put a speaker in your ring?
Yes.
Is what you're saying?
So Alexa's with you all the time.
No, I mean, didn't we try this with Google Glass and we all decided that that was the dorkiest, dumbest thing? Why are we doing this again?
Yes, I'm expecting Bezos and co. are going, "Hey, maybe their timing was wrong. It's a good idea." No.
I'm reminded a little bit, if you've read Hitchhiker's Guide to the Galaxy, do you remember the Golgafrincham thing where they put all the people they didn't really need, the telephone sanitizers, into the B ark and sent them off to another planet?
And I'm wondering if all of these Amazon devices with all these daft speakers involved, they're just to identify the people who are utterly useless in society and aren't required actually, because they're arsing around with this kind of technology.
And it's like, oh, you're wearing one of those, are you? Thank you very much. Take the door on the left. I just, why, who, what?
And I'm wondering if all of these Amazon devices with all these daft speakers involved, they're just to identify the people who are utterly useless in society and aren't required actually, because they're arsing around with this kind of technology.
And it's like, oh, you're wearing one of those, are you? Thank you very much. Take the door on the left. I just, why, who, what?
Yeah, so exactly. I think the question is why would Amazon want this?
You can do it technologically, but should you do it? Yeah.
Yeah. Does anyone really need it?
No.
Well, no, no, no, but that's it, right? They're making you forget how you've ever lived without it before. Think of us 30-year-olds who actually remember life before mobiles.
I mean, how did we live? How did we live?
I bet most of us, if we left the house for 2 minutes without the phone, they might go, "Forgot my phone, even though I'm just going to the shops, I better run home and grab it." I still wipe my own ass, but I wonder in 20 years' time—
I mean, how did we live? How did we live?
I bet most of us, if we left the house for 2 minutes without the phone, they might go, "Forgot my phone, even though I'm just going to the shops, I better run home and grab it." I still wipe my own ass, but I wonder in 20 years' time—
Well, congratulations. I know. Well, I don't—
That's wonderful to hear.
I don't always do it perfectly.
Because you are getting on in age, and we were getting a little nervous about that.
I wonder in 20 years' time whether young people will think, oh, that's extraordinary that you do that. Why don't you get your Alexa to do it for you?
Yeah.
Well, I mean, they have those bidet attachment thingies. Those have been around for a long time.
Right. And then you could have the little ring there, which has Echo embedded inside it and off it goes.
I mean, Amazon desperately obviously want to sell their kit. Right. Fair enough. You know, so all these little gizmos go for $130, $150, $180 a pop. US. I know. I agree.
People with a lot more money than sense, I guess.
And they're building, they're getting it from both sides, 'cause they're also building the people's constant use of these devices, which of course then allows them to listen and collect as much audio recordings as possible to win the so-called AI game and come out on top, ahead of Google, ahead of Apple, ahead of Facebook.
Right, the organizations are winning the AI game. Everybody else loses.
Right, so in other words, they wanna kick Google in the googlies, Apple in the ass, Facebook in the—
It's not just me doing puns this week.
And the freaking apple right in the peach.
So my question is, yes, does this need for a billion of us to feedback tons of audio requests, some legit and some of them are mistakes.
We've seen that all in the press over the last few months. How does this square with so-called personal privacy?
We've seen that all in the press over the last few months. How does this square with so-called personal privacy?
I mean.
And remember, Amazon are the providers of facial recognition technology called Amazon Rekognition with a K, which they provide to law enforcement and businesses.
With a K?
Yeah. R-E-K-O-G.
If you ever need evidence that someone is a twat, it's spelling something incorrectly deliberately. It's Toys R Us. They annoy me as well.
Yep.
Or Print 4 U. Yep. But Rekognition with a K, that's just— See, I would just refuse on principle.
Well, don't worry, I don't think you're their target market for purchase.
I don't think I am.
So listen, there's even more, right? At the Seattle Amazon event, they also announced this product called Amazon Sidewalk. Have you heard about this?
No.
This is a new wireless protocol that links smart objects and Eero. This is a Wi-Fi router that Amazon acquired recently, and now it sells for home use, right?
So it's a Wi-Fi router or router.
So it's a Wi-Fi router or router.
Okay.
Now Sidewalk will use this proliferation of Eero devices to build a mesh network or a wireless network where each device communicates with one another.
And the idea is that all the devices will work together to transmit data across the network, spanning large, broad geographical areas.
So for example, according to Amazon's own announcement, the company found that placing 700 devices across LA was enough to cover the entire metropolitan area of the city.
And the idea is that all the devices will work together to transmit data across the network, spanning large, broad geographical areas.
So for example, according to Amazon's own announcement, the company found that placing 700 devices across LA was enough to cover the entire metropolitan area of the city.
Oh, I'm sure police departments are going to love this.
It gets even more delicious if you're ready.
So even if you do not use Amazon wireless networks in your own home or join any of the Wi-Fi networks when you go out, the mesh network could enable Amazon to get data about the location of your devices.
According to Business Insider— and tell me, guys, because you guys are geekier than me in this area— owners of Wi-Fi networks track what devices are nearby, and even if those devices don't sign onto the network, just a smartphone can, it can detect nearby networks without signing on.
So even if you do not use Amazon wireless networks in your own home or join any of the Wi-Fi networks when you go out, the mesh network could enable Amazon to get data about the location of your devices.
According to Business Insider— and tell me, guys, because you guys are geekier than me in this area— owners of Wi-Fi networks track what devices are nearby, and even if those devices don't sign onto the network, just a smartphone can, it can detect nearby networks without signing on.
Okay. Yep.
It'll be able to detect your phone.
So if you've used that device to download an Amazon app or log into your Amazon account, the company could pair that MAC address with your user profile.
So if you've used that device to download an Amazon app or log into your Amazon account, the company could pair that MAC address with your user profile.
Jesus.
So basically, it is the opposite of respecting your privacy, this mesh concept. And this geographic data is really important for Amazon's future.
It helps build user profiles and it helps targeted advertisements. Right. And that's a seriously growing business for them.
It helps build user profiles and it helps targeted advertisements. Right. And that's a seriously growing business for them.
Yeah.
I'm just trying to imagine explaining this to the general public and explaining how to opt out of something like this, if that's even possible, because I'm wrapping my mind around— I don't want that for myself.
I imagine opting out of that's going to be a pain in the ass, but how do I explain this to my mom?
I'm just trying to imagine explaining this to the general public and explaining how to opt out of something like this, if that's even possible, because I'm wrapping my mind around— I don't want that for myself.
I imagine opting out of that's going to be a pain in the ass, but how do I explain this to my mom?
Yeah.
Oh, wow.
I mean, I don't even know how.
And there are other telecoms. I mean, I remember that BT, British Telecom, they have something called BT Wi-Fi.
So lots of people's home routers are available as a sort of mesh network.
So they sort of boast that, oh, we have 5 million hotspots up and down the UK because it's residential Wi-Fi, which you can log into. Effectively.
I've just done a search on their online map, and there are 211 BT Wi-Fi hotspots near me. I mean, within a walk of 3 minutes.
So lots of people's home routers are available as a sort of mesh network.
So they sort of boast that, oh, we have 5 million hotspots up and down the UK because it's residential Wi-Fi, which you can log into. Effectively.
I've just done a search on their online map, and there are 211 BT Wi-Fi hotspots near me. I mean, within a walk of 3 minutes.
Oh, wow.
So they know every time you go for a walk, right?
Well, I don't connect to it, but yeah.
But doesn't matter. I don't think it matters. That's what I'm wondering. I'm wondering if BT's doing a similar thing.
So the idea here is even if you're not connected to it, they can actually see you walk by because your phone's going, oh, there's a Wi-Fi hotspot.
So the idea here is even if you're not connected to it, they can actually see you walk by because your phone's going, oh, there's a Wi-Fi hotspot.
You can't even hide in your own home anymore. There's no—
I mean—
Well, there is.
Just get rid of your phone. Isn't it amazing how it's become such heroin that despite all these concerns, we just can't get rid of them?
So anyway, all this to say that I cannot tell you how thrilled to the gills I am about Amazon's privacy announcements. And what did the head of software development say again?
Privacy is absolutely foundational to everything we do in and around Alexa. And to your exact words, I think I'll wager to call that a big fat stinking bullshit.
So anyway, all this to say that I cannot tell you how thrilled to the gills I am about Amazon's privacy announcements. And what did the head of software development say again?
Privacy is absolutely foundational to everything we do in and around Alexa. And to your exact words, I think I'll wager to call that a big fat stinking bullshit.
Yeah, it's important to them so they know how to avoid it.
Can I point out that at the beginning of the show I had a lovely, heartwarming, life-affirming story about a porn video. Life-affirming.
What's firming?
Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you.
Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle.
Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.
Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle.
Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.
You don't need to say the forward slash. So you've got an IT security team, but you want to turn them into security superstars.
How can you best provide each employee with the opportunity to upskill themselves?
Immersive Labs provides a cloud-based system, meaning it's available 24 hours a day, whenever is convenient for them to learn.
It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations.
It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there.
Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersive-labs.com/lite.
Welcome back and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
How can you best provide each employee with the opportunity to upskill themselves?
Immersive Labs provides a cloud-based system, meaning it's available 24 hours a day, whenever is convenient for them to learn.
It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations.
It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there.
Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersive-labs.com/lite.
Welcome back and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week?
Week of the Pick?
Oi!
Just too early for Maria.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Now, my Pick of the Week in some ways, Carole, actually follows on rather nicely with your previous story.
Oh, really?
About how these big ugly technology companies are scooping up our personal information, maybe without us realizing.
Sounds pretty security-related.
Well, yes, it is a bit security-related. It doesn't have to be. It's not that it shouldn't be.
No, no, you don't get to decide.
It doesn't have to be.
Remember? It's cooperative.
It doesn't have to be security-related. Anyway, my pick of the week is a website called Google.
Ooh, tell me more.
Yeah, right. Okay. Now, I don't use the Google search engine, okay, because for obvious reasons. But I checked out a page on the Google site today, google.com/history.
And I was curious. I thought, I don't use Google as a search engine. I thought, I wonder what they've been capturing about me.
And I've chucked in a couple of screenshots here of what I saw for on my particular account.
And what I found was that from about a year ago, there were a number of search requests made, not using the traditional Google search engine, but using the voice-activated one.
So I think what was happening here was that maybe I was driving or traveling or something like that, and I might have gone into, maybe on my mobile phone, I might have accessed the app or something, or the site, and rather than type anything, I've actually said, "Who is the greatest chess player of all time?" Or, "Is Donald Trump the worst president in American history?" And other questions like this.
And it's not only recorded those requests, which I see at google.com/history, but it's also recorded my actual voice saying them.
And I was curious. I thought, I don't use Google as a search engine. I thought, I wonder what they've been capturing about me.
And I've chucked in a couple of screenshots here of what I saw for on my particular account.
And what I found was that from about a year ago, there were a number of search requests made, not using the traditional Google search engine, but using the voice-activated one.
So I think what was happening here was that maybe I was driving or traveling or something like that, and I might have gone into, maybe on my mobile phone, I might have accessed the app or something, or the site, and rather than type anything, I've actually said, "Who is the greatest chess player of all time?" Or, "Is Donald Trump the worst president in American history?" And other questions like this.
And it's not only recorded those requests, which I see at google.com/history, but it's also recorded my actual voice saying them.
Excellent. Deepfake fodder. Fantastic.
So I am— if I go to google.com/history, I'm able to replay these old messages. So I found that my wife had used my phone.
And she'd ask questions like, when was Rubik's Cube invented? What's the difference between red lights and blue lights on an ambulance?
And she'd ask questions like, when was Rubik's Cube invented? What's the difference between red lights and blue lights on an ambulance?
Colour?
And how old is Ann Robinson from The Weakest Link?
Oh, very important questions.
Very important questions.
What's the difference between the red lights and the blue lights on an ambulance?
When was Rubik's Cube invented? What is 3,000 kilometers in miles? Who is playing in Wimbledon's men's final 2018?
Anyway, I was a bit surprised by this because I thought I'd mostly been living a Google-free life, and somehow these have been recorded from over 18 months ago.
Now obviously I can zap them so I think I did this recently.
Anyway, I was a bit surprised by this because I thought I'd mostly been living a Google-free life, and somehow these have been recorded from over 18 months ago.
Now obviously I can zap them so I think I did this recently.
I don't know where I got the idea to do this, but I just looked at our— I went to the page, the Google History page, and I went to activity controls and all mine are turned off, although it has captured lots of YouTube things that I have done.
Right.
But it's only I can see this data. Is that what you had set up as well?
Yes, it says that only I'm able to see this, it says. But even so, I'm just a little bit disturbed that all these recordings of me have been kept.
Well, you can dump them. There is a little trash bin there.
Well, yes, but I think people forget this. I forget, I'm sort of privacy conscious. I wasn't aware that I'm using the search engine.
Google collects information on you.
Yes, I know.
We've talked about that just today.
My Pick of the Week is go to google.com/history and you might get a nasty surprise and make sure your settings are set properly and that everything is deleted if you wish it to be deleted.
I think it's very privacy related, but I think it's important, so you can have it.
Oh, Carole, one of them is, who is Bob Ross?
Ah, so you didn't know.
You must have mentioned. So on July 13th, 2018, I was trying to find that out. Or what's the time in Mauritius?
Can you believe that, Maria? He learned who Bob Ross was last year.
It's part of the cultural DNA over there.
I knew when I saw him, then I thought, oh yeah, I've seen that guy before from the Hair Bear Bunch. Anyway, Maria, what's your pick of the week?
My pick of the week is something I just discovered a few days ago. And the premise is this. It's a lovely day in the village. And you are a horrible goose.
Okay.
And it is called Untitled Goose Game. And the whole idea is that you're an asshole goose and you go and do asshole goose things.
Oh, well, Graham, have you played this? Did you help consult on the game?
Actually, Carole, I was playing this with my son this weekend, actually, on the Nintendo Switch.
So this is hot. This is hot to trot right now.
This is a huge game right now. It's a fun game.
Oh, yeah?
Yes.
Oh, maybe I'll come over and play.
It's one of the most downloaded games. It's beating out some of the hugest titles right now on Switch. But it's all— yeah, I said beating out, sorry.
But it's on— it's also available for Steam on the PC and Mac, so you don't have to be a Switch player. So basically it's super fun. It's very easy.
Very young children can play it, and you can honk and steal things. Yeah, you basically can just go around honking at people, which is just super fun.
But you can go around and steal things and, you know, just wreak asshole goose havoc everywhere, and it's just— it's super funny.
But it's on— it's also available for Steam on the PC and Mac, so you don't have to be a Switch player. So basically it's super fun. It's very easy.
Very young children can play it, and you can honk and steal things. Yeah, you basically can just go around honking at people, which is just super fun.
But you can go around and steal things and, you know, just wreak asshole goose havoc everywhere, and it's just— it's super funny.
You steal things from behind people's backs and you dress up statues in brassiers and spectacles and just cause a nuisance generally. Like geese do, I suppose.
Yes, it's super funny. And I think they should come out with a patch where it's not just a regular white goose, but it's a Canada goose, and then you shit everywhere.
That would be my— that would be my recommend— listen!
That would be my— that would be my recommend— listen!
She speaks the truth.
It's not Canadian racism, it's just a fact about Canada goose.
Well, kind of feels like gooseism, Canada gooseism. It does, actually.
Well, it is. I am very anti-Canada goose.
Wow, you heard it here, folks.
Listen, I am. I'll go on record about that. They shit everywhere.
So do babies.
Should they go back to their own country?
Babies eventually stop shitting everywhere. Canada geese don't.
Well, I'm respectfully disagreeing with you.
So your pick of the week is the Untitled Goose Game, and you're—
Yes, it's at goose.game is the website, actually, so you can check it out. You check out a little video of it. It's extremely— it's kind of twee. It's pretty funny.
Don't you love that someone wrote a game rather than the normal sort of rubbish you get as video games. It's just an imaginative idea, and it is silly and fun. I like it too.
It's the game we need right now for these troubled times.
This is what's going to heal us and unite us, isn't it?
It's true. It is. Carole, we're all going to come together over Untitled Goose Game.
Peace on Earth.
Oh shit.
Carole, what's your pick of the week?
So my pick of the week this week is a website, more specifically a website that's a dictionary for Cockney rhyming slang.
Blimey, governor.
I know, and I thought we'd play a bit of a game, right? I thought I would give you some Cockney rhyming slang examples and you could tell me what you think it might be.
Oh, I'm gonna fail this so hard. No, no, no, no.
So first, let me just give you a quick explanation about how it works, right, so people can play at home as well.
It started up, and they think around 1840, and it's a kind of humorous slang that was used by Cockneys who live in East End of London.
And it was probably first used as a kind of language to disguise what was being said so that passersby wouldn't know.
So, for example, if you didn't want your customers to know that you were going to lower your prices in 10 minutes, you could say it in Cockney rhyming slang.
It started up, and they think around 1840, and it's a kind of humorous slang that was used by Cockneys who live in East End of London.
And it was probably first used as a kind of language to disguise what was being said so that passersby wouldn't know.
So, for example, if you didn't want your customers to know that you were going to lower your prices in 10 minutes, you could say it in Cockney rhyming slang.
Okay.
It's a way also to talk, you know, without the earwigging officers.
And the way it works is the phrase rhymes with the thing which you're trying to say.
For example, the word look you would say butcher's hook.
So the second word— there's always normally two words involved— and the second word rhymes with the word you want to use.
So the second word— there's always normally two words involved— and the second word rhymes with the word you want to use.
But the first word is basically irrelevant kind of thing, or just padding?
No, because that becomes the key word, right? So because what you would do is get rid of hooks, you'd say, oh, take a butcher's at that.
Yes, exactly.
And butcher's would mean butcher's hook. Hook rhymes with look, and that means take a look at this.
And if they said butcher's hook, that would be too obvious. But you say you take a butcher's.
Yeah, that kind of makes sense.
Okay.
Okay, come on, let's have a go. Let's have a go. Maybe Maria has a first go, right? And then Graham can jump in.
Yes, it's true. Yeah, you're gonna be good at this.
Okay, so number one. There's three of them in here. Okay.
Okay.
On your loaf, you have a barnet or maybe even a syrup.
Oh, for fuck's sake. There's no way. No, I have no idea what any of that means.
Okay, I'll give you the full rhyming cockney slang for each one, okay?
I think I know most of that one.
Oh, do you?
Yeah, I think I understand that.
Can you do it with all the full rhyming slangs before you translate it?
There's one of them I'm not sure about, but I can definitely do two of them.
On your loaf of—
Loaf of bread.
You have a Barnet—
Yeah, I know what that—
Fair.
Oh, okay. Barnet Fair. Okay, yeah.
Yep. Or maybe a syrup of—
Syrup of figs. Yeah.
So Graham, can you translate that?
So what it means is on your head, you either have hair or a wig.
See, on your head rhymes with bread. Fair rhymes with hair.
So you say on your loaf, you've got a barnet or you've got your syrup.
Okay. You took me there. It's still completely incomprehensible to me, but okay.
Mary Poppins.
No, no, no. It's better.
Now you know. Okay, now you know that loaf is head, right? So your loaf sits on your Gregory Peck, which sits on your naughty holders.
Okay, so neck and shoulders. Gotcha.
But I—
Okay, good. But see, even the phrases syrup of figs is not a phrase I would ever— that's not a thing.
Not faced constipation in your life yet? Yes. Okay, last one, last one, last one. Male or female, we've all got a bottle and glass at the back with which we can have a thom tit.
Oh, Carole, that's smutty. Please, can we please raise the tone on this podcast?
I think I can guess what that one is.
I didn't say anything about Ethan Hunt.
Whoa, whoa, whoa. I think let's just stop right there. Let's stop right there. Carole, shush.
Fair enough, fair enough.
We're talking to Maria now. You can put your rhyming slang away.
How dare you after your initial story.
Hang on, you can actually tell us where is this website? Is that in the show notes? Are you going to tell us where it is?
Yes, it's in the show notes, but it's called cockneyrhymingslang.co.uk.
Okay. All right. So Maria, hello, Maria. Hi.
Hi. Yeah.
Now I'm sure— let's be civilised. I'm sure lots of our listeners would love to follow you online, what's the best way for folks to do that?
I'm still on Twitter for some incomprehensible reason. So my handle is @mvarmazis. No, no, no, no XYZ. No XYZ. It sounds like it, but no.
And I'm also on infosec.exchange if you are a Mastodon user. And my handle is simply @maria. So I'm squatting on that one.
And I'm also on infosec.exchange if you are a Mastodon user. And my handle is simply @maria. So I'm squatting on that one.
Yeah. And you can follow us on Twitter @SmashingSecurity. No G. Twitter won't allow us to have a G. And you can also join us to discuss the show on Reddit.
We're at smashingsecurity.com/reddit, or just search on Reddit for Smashing Security and you'll find us.
We're at smashingsecurity.com/reddit, or just search on Reddit for Smashing Security and you'll find us.
Once again, thanks to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their amazing support helps us give you the show for free.
And thank you to all the people that listen to us and view us or support us on Patreon. We love you. Everything you do is magic.
And of course, check us out on smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
And thank you to all the people that listen to us and view us or support us on Patreon. We love you. Everything you do is magic.
And of course, check us out on smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Mwah! Mwah!
Until next time, cheerio, bye-bye!
Ta-ta!
See ya! Quite smutty this week.
Oh yeah, just see who's smutty. Mr. Cluley.
Yeah. Yeah, not me this time. Not me.
Although lists like this can be amusing, we shouldn’t ignore that there’s a serious side to this.
Hacked electronic billboards and road signs can be a huge distraction for motorists, and it’s easy to imagine how an accident could occur which might result in a driver or pedestrian being injured… or worse.
I’m sure most of these roadside defacements are being done with mischief in mind, exploiting default passwords, a lack of multi-factor authentication, poorly-maintained systems, and sloppy security (sometimes it’s poor computer security, sometimes physical, not uncommonly it’s both).
In short, if you hack a road sign or electronic billboard you might gain the attention of the media but you’re not proving that you have done anything “clever” or “novel”. There are rarely leet hacking skills on show in such attacks, and no-one who knows anything about security is going to be remotely impressed.
Nonetheless, because you may be putting public safety at risk, don’t be surprised if law enforcement officers fail to see the funny side of your roadside prank.
