MARIA VARMAZIS
You can place them around the outside of your house and also within your own house as a baby monitor or a nanny cam or whatever you want.
GRAHAM CLULEY
In the bathroom. Yeah.
MARIA VARMAZIS
Yeah. If you want to watch your own family in the bathroom. Yeah. You can do that. And a lot of people said, you know what? That sounds great. They want to do that.
Unknown
Gives a whole new meaning to livestream, doesn't it? Oh. Smashing Security, episode 160: Snafus, MS Word, Amazon Ring, and TikTok with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 160. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And it's a brand new year of Smashing Security, Carole.
CAROLE THERIAULT
Yes, it's a brand new decade and a brand new year.
GRAHAM CLULEY
Is it? Is it a new decade?
CAROLE THERIAULT
It is 2020.
CAROLE THERIAULT
Year zero counts.
GRAHAM CLULEY
I don't know. Some people say it has to be 2021.
CAROLE THERIAULT
Yeah, there are.
CAROLE THERIAULT
It's not hard.
GRAHAM CLULEY
Maria Varmazis, our guest this week. Any opinions on this?
GRAHAM CLULEY
Very sensible.
MARIA VARMAZIS
I just, it's so pedantic. I just don't. Exactly. I can't bring myself to care.
GRAHAM CLULEY
Quite right too. Carole, what have we got coming up on the show this week?
CAROLE THERIAULT
First, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now, Graham tells us how Microsoft could be your downfall if you're up to no good.
Maria is ringing in the new year with some Amazon home surveillance nightmares. And I'm tiptoeing into the world of TikTok to see what all the fuss is about.
All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums.
GRAHAM CLULEY
Well, yes, probably.
MARIA VARMAZIS
Pals, frenemies.
GRAHAM CLULEY
Acquaintances. Fellow podders. I want to talk to you. We've worked at big companies, right?
I haven't ever worked for a company which has tens of thousands of employees, but I've worked for fairly big companies.
CAROLE THERIAULT
I know, we used to work for Nortel. That's pretty big.
GRAHAM CLULEY
Did you? Oh, well, yeah, absolutely. And big companies, sometimes there's a chance that one of your staff colleagues might actually be a bit crooked as well.
And that really is the essence of what I want to talk to you about today with a tale of Rakuten. You know Rakuten? They're a Japanese ecommerce company.
They've got offices around the world, sponsors of the Golden State Warriors basketball team and Barcelona's football team, tens and tens of thousands of employees.
CAROLE THERIAULT
Oh, there you go. Today I learned.
GRAHAM CLULEY
Oh yeah, they're quite a big deal. And they've got offices all around the world, of course.
And there's a chance that some of them may be a little bit crook, but of course, let's not be too negative. I think new year, new way of viewing things right.
People can also be a great line of defense inside a company, spotting suspicious behaviors and activities.
MARIA VARMAZIS
Insider threats, if you will.
CAROLE THERIAULT
Yeah. Are you saying that the bigger the company, the more likely you might have someone who's up to no good?
GRAHAM CLULEY
Well, I think it's almost inevitable, isn't it? Right.
CAROLE THERIAULT
Well, yes. Okay.
MARIA VARMAZIS
Or is it smaller companies have people who think they can get away with stuff? I don't know.
GRAHAM CLULEY
I actually don't know.
Well, we've talked before about this threat known as business email compromise, where baddies will send in bogus invoices to companies posing as suppliers or partners and then tricking firms into paying out sometimes millions and millions of dollars, right?
That's a big problem. We've spoken about it. Different companies have suffered from that in the past.
CAROLE THERIAULT
And some of these attacks are really, really sophisticated. You know, we've gone through them and you're like, wow, I probably might have fallen for that one.
GRAHAM CLULEY
They can be very convincing.
And I think there are some technological defenses you can put in place, but ultimately, it's all down to the humans, it's all down to the staff inside your organization to hopefully spot when something a bit dodgy is going on.
And the star of our story today is a chap called Hashem Kabej.
GRAHAM CLULEY
And he joined the New York offices of Rakuten as a Director of Operations in May 2015, eventually went on to become Senior Vice President of Tech Ops and Engineering.
MARIA VARMAZIS
Oh, a nice happy ending there.
GRAHAM CLULEY
Yeah, well, I—
MARIA VARMAZIS
That's— Oh, okay.
CAROLE THERIAULT
President of TOE. Yeah.
GRAHAM CLULEY
Yes. Tech Ops and engineering too.
GRAHAM CLULEY
Yeah, I know that 'cause I was able to look him up on LinkedIn and see a lovely picture of his smiling face up there and sparkling career history.
Around 4 months after he was hired by Rakuten, Hashem Kabej received an invoice claiming to come from a supplier called Interactive Systems.
GRAHAM CLULEY
And the invoice asked for payment for some firewall systems. Which they were gonna put onto their network and plug in to protect the company.
And Kabej took a good look at the invoice and he thought, well, everything here seems to be in order.
And the invoice related to the purchase of two firewall devices and it referenced their model numbers and serial numbers of firewalls that had been installed in the offices.
And so he asked Rakuten's finance team to pay the supplier. Thought, yep, go and pay this company Interactive Systems for this work.
CAROLE THERIAULT
Surely, okay, well, can I have a question here? So, Mr. Kabej is the president of tech ops and engineering.
GRAHAM CLULEY
Senior vice president, yes.
CAROLE THERIAULT
Oh, sorry, he's the senior VP and he— He's the Mike Pence of ransomware security.
Yeah, yeah, and he sees an invoice for two firewalls to be installed in his offices and he goes, okay, fine, but doesn't know about them.
And I guess that's normal for a big company, probably.
GRAHAM CLULEY
No, no, he's approved it. He said, yep, yep, this is all good. There's nothing wrong. Carole, you're being suspicious. There's nothing to be suspicious of.
This is just a normal story of administration and nothing's gone wrong.
MARIA VARMAZIS
It had numbers on it that are official and things.
GRAHAM CLULEY
Serial numbers. There's nothing suspicious here.
And over the next 4 years or so, Interactive Systems sent a further 52 invoices for services and tech hardware to Rakuten's marketing offices in New York.
Each one, addressed specifically to Hashem Kabej, and he would approve them, and Interactive Systems would get paid.
MARIA VARMAZIS
La-dee-da, sounds great.
GRAHAM CLULEY
Well, there was a slight fly in the ointment, Maria. It wasn't really that great.
GRAHAM CLULEY
Because, because, yes, it would be a rather dull story otherwise. Yes, shock horror. Because Interactive Systems never provided any services to Rakuten.
GRAHAM CLULEY
And it never supplied any firewalls or servers.
MARIA VARMAZIS
Scoundrels.
GRAHAM CLULEY
And yet it was paid over the 4 years a total of over $4.5 million of your American dollars.
GRAHAM CLULEY
By Rakuten.
CAROLE THERIAULT
You've got to wonder about who's looking at the finances here if $4.5 million was siphoned off.
MARIA VARMAZIS
That's like a one-bedroom apartment in New York. I mean, I don't know.
GRAHAM CLULEY
Yeah, this is a really big company, Carole, and they're spending money left, right, and center.
CAROLE THERIAULT
And here it is, the senior Mike Pence of... So what you're saying basically is if you can write a very competent invoice, you are likely to get paid. Well, by big companies.
GRAHAM CLULEY
Maybe you want to hear a little bit more about what was occurring.
CAROLE THERIAULT
Okay. Okay.
MARIA VARMAZIS
I was going to say, does that track with your experience in freelancing at all? No. Because it doesn't with mine.
GRAHAM CLULEY
Now, you may think it seems odd that Kabej never noticed that this company was being paid, which never supplied the hardware and services to his department.
And what's particularly odd is that some of Rakuten's staff who worked in the data center said they had no recollection of any new firewalls being delivered to match the invoices.
GRAHAM CLULEY
And it was unlikely they would ever need that many servers. There was one order for 10 new servers, which were described in some of the invoices.
Furthermore, they had no recollection at all of Interactive Systems ever coming to the data center to provide the services that the invoices referred to.
And as these particular chaps controlled access to the data center, anyone who wanted access needed approval.
And these guys who worked in the data center, well, we've never even heard of Interactive Systems. So what is going on?
CAROLE THERIAULT
Okay, so I would say I can see that happening if a company, for example, got a third party to distribute and install something, right?
So Interactive Systems works with a distributor who would actually go do the third-party work. That could have happened. But my gut says that your main guy, our Mr. Toe, he's up to it to his neck.
GRAHAM CLULEY
Mr. Hashem Kabej? He's dirty.
CAROLE THERIAULT
He's involved. He's part of the crew.
GRAHAM CLULEY
The toe is up to his neck, you're suggesting, right? Interesting anatomy issue there.
So let me tell you what's going on, because a special agent for the US Attorney's Office investigated, and he found, when he looked at Interactive Systems' bank account, that the only money that had ever been deposited in their bank account was from Rakuten.
GRAHAM CLULEY
They had no other customers. Furthermore, the only payments from the Interactive Systems account were transfers into the personal bank account of one Hashem Kabej. Oh, you see.
MARIA VARMAZIS
Dun dun dun. But you know, if you managed to siphon off $4.5 million, right?
CAROLE THERIAULT
He must be feeling pretty safe. You wouldn't worry about anything.
GRAHAM CLULEY
Over 4 years?
GRAHAM CLULEY
And Kabej was the only signatory on that Interactive Systems bank account, and he had actually registered the PO box number for the company as well. Now, what finally—
MARIA VARMAZIS
No attempts to even hide this, apparently.
GRAHAM CLULEY
Well, it turned out he hadn't done great covering his tracks because an examination of the invoices, remember there's something like 52 invoices just sent over the 4 years.
Found that 4 of them had actually been sent in, not as PDFs, as you might imagine, but as Word documents.
GRAHAM CLULEY
And the Word documents, as you may know if you've used Microsoft Word, they have metadata in them.
GRAHAM CLULEY
And it will often reveal the username of the computer which has created the Word document. So in this particular case, these Word documents had the name of Hashem Kabej inside them.
So the invoices, he was writing the invoices, sending them to himself. He was then approving them, saying, yep, that piece of hardware has been ordered and has successfully arrived.
GRAHAM CLULEY
His accounts team to pay the money.
CAROLE THERIAULT
I often find getting people involved in projects slows them down. So why not just do it on your own?
CAROLE THERIAULT
And he doesn't have to share any of it, doesn't have to share in the spoils that he gained.
GRAHAM CLULEY
Exactly. He's doing—
CAROLE THERIAULT
Except he got caught, didn't he?
GRAHAM CLULEY
Well, perhaps, you know, running this shell company, Interactive Systems, and then directly moving from their bank account into his own wasn't so sensible.
Maybe he'd have been wiser to get that company, I don't know, to buy property. And then at some later point, the property could have been sold to him or something.
Some other kind of scam. There's some other way to launder the money, I'm sure.
MARIA VARMAZIS
Do you think it's a lack of imagination on his part or just it was so brazen 'cause he thought he could just get away with it easily?
GRAHAM CLULEY
I think after years and years, he probably just thought he was never going to get caught. And apparently he acquired a number of different homes.
MARIA VARMAZIS
No kidding. One in New York. Just one.
CAROLE THERIAULT
And was he, and yeah, well, of course, I guess he wasn't paying taxes on these ill-gotten gains, which is a very important thing to do in the States.
You still gotta pay taxes on your ill-gotten gains.
GRAHAM CLULEY
And it'd be hard to explain where the money came from, wouldn't it?
CAROLE THERIAULT
Well, that's exactly the catch-22, yeah. Hence you get a— what is it? You get a Chinese takeaway or a laundromat or a car cleaning service.
GRAHAM CLULEY
Now he has now pleaded guilty to wire fraud.
He could face a maximum sentence of 20 years, 5 of that for the wire fraud and 15 for sending an invoice as a Word document, which is, of course, a federal crime.
I think there's something for all of us to learn here, okay? First of all, you can't necessarily trust all of your colleagues to be doing the decent thing.
CAROLE THERIAULT
They may be—
CAROLE THERIAULT
Is this the decade of fear and doubt?
GRAHAM CLULEY
No, it's not that. It's just being sensible.
MARIA VARMAZIS
Do you have something to tell us, Graham? Is there something that we should know?
CAROLE THERIAULT
Yeah. I've been trusting you. Maybe I shouldn't. Hmm.
GRAHAM CLULEY
What are you up to? So obviously that.
But I mean, also, if you are creating sensitive documents, make sure you're properly redacting them of any information which you wouldn't necessarily want to get out into the world.
We've seen plenty of examples of that lately as well.
CAROLE THERIAULT
Are you saying had he not done this Word document stuff, he might have got away with it for longer? Well, is that what dumped him in the soup?
GRAHAM CLULEY
I think that was one of the things which ultimately was his undoing. But there were a number of other problems as well.
Certainly registering the PO box number of his shell company in some name.
MARIA VARMAZIS
The Word docs were the cherry on top of a lot of— Stupid, stupid cake.
GRAHAM CLULEY
Yeah. For someone who was involved in the acquisition of security equipment to produce those invoices using Microsoft Word, I think was perhaps a little bit unwise.
So take heed, fellows, not to do something similar yourself.
MARIA VARMAZIS
When you're committing fraud, be smarter about it is what we're saying.
GRAHAM CLULEY
Welcome to the Advice on How to Commit Fraud podcast.
CAROLE THERIAULT
A new column from Graham.
GRAHAM CLULEY
A new column.
MARIA VARMAZIS
The 2020 edition. Yes.
GRAHAM CLULEY
Maria, what have you got for us this week?
MARIA VARMAZIS
Not fraud, actually. So do you know what week it is here in the States, aside from apocalyptic and doom week?
GRAHAM CLULEY
No? I think it's every week in the States.
MARIA VARMAZIS
Lately it's been feeling that way. It's— no, it's CES week. Does that mean anything?
CAROLE THERIAULT
The biggest gadget show in the world.
GRAHAM CLULEY
The Consumer Electronics Show. Is that what it stands for?
MARIA VARMAZIS
Yes. Gosh, I'm getting so many press releases from people who think I care about this. I don't really, but you know, please stop sending them to me. So it's the, it's gadget week. Yes.
So I thought I would turn my attention for this week's story to one gadget that I see pretty much everywhere, the Amazon Ring camera.
CAROLE THERIAULT
So this is not the Amazon Ring that has a camera, which I think was shown off at last year's CES. But Amazon's Ring camera.
GRAHAM CLULEY
Sorry, what? What's— That sounds the same thing.
CAROLE THERIAULT
Don't you remember last year at CES?
GRAHAM CLULEY
I don't understand the difference. What would be the difference between the Amazon Ring with a camera and Amazon's Ring camera?
CAROLE THERIAULT
Are you asking me?
GRAHAM CLULEY
Yes, I don't know. I don't know.
CAROLE THERIAULT
So Amazon launched last year some kind of ring that you wore on your finger.
CAROLE THERIAULT
That had both a microphone in it. So you could say, hey, Amazon, get me some diapers. Put it on my list or whatever.
MARIA VARMAZIS
And hey, smart speaker, get exactly—
CAROLE THERIAULT
Oh, and monitor my everyday.
GRAHAM CLULEY
They did that in a ring?
CAROLE THERIAULT
Yes, we talked about it on the show. You were obviously having a snooze during my section.
MARIA VARMAZIS
This is clearly— they were watching Lord of the Rings, they were, you know what, that's a great idea. Yeah, we just— let's do something that except for us. No, this is not that.
This is the, the brand called Ring. And yes, yeah, so it— in the States it feels it's getting pretty ubiquitous here, especially in the vaulted suburbs that I live in.
GRAHAM CLULEY
It's basically a doorbell thing, isn't it?
MARIA VARMAZIS
It's a doorbell thing with the camera in it. Yeah, it's a web-enabled camera.
And the gimmick, as you guys just mentioned, is usually it's hooked up to a doorbell so you can see who's at your door no matter where you are.
So if you're at work and somebody's delivering a package, you can watch them deliver it and be, okay, here it is.
CAROLE THERIAULT
And presumably you can watch that the person's stealing the package. Right. It's been left outside.
MARIA VARMAZIS
Yeah. Which is a thing. A lot of people do have package thieves. So that's a reason. That's a use case.
And, you know, Amazon also threw in some completely innocuous facial recognition in there for some good measure.
CAROLE THERIAULT
Oh, thanks guys.
MARIA VARMAZIS
Yeah, so for example, if your mother-in-law is at the door, Ring will go, "Hey, we recognize this person.
It's your mother-in-law dropping by." And you can talk to her via the camera's two-way speaker and pretend you're, "Oh, I'm at the grocery store.
I'm sorry, I totally can't come to the door 'cause I'm not home." Even though you're hiding in your living room.
GRAHAM CLULEY
Oh, because it will sound the same.
MARIA VARMAZIS
It sounds the same.
MARIA VARMAZIS
So it's you have a doorman sort of thing or a bouncer for your house.
CAROLE THERIAULT
I had a friend once who didn't want to go to work and was trying to fake the phone call in.
And her deal was that she was trapped on the side of the highway and couldn't get into London.
So the way she did it was in her bedroom, and she had a hairdryer that she was swinging on the cord past the phone intermittently.
MARIA VARMAZIS
That's a lot of work to play that game.
CAROLE THERIAULT
Yeah, to beat cars that were screaming past. So Ring makes these things much easier.
MARIA VARMAZIS
So much easier.
GRAHAM CLULEY
This was your friend, Carole Theriault.
MARIA VARMAZIS
Yeah, it was.
GRAHAM CLULEY
Your friend.
MARIA VARMAZIS
It was friend, your friend. Yes, definitely not your ex.
CAROLE THERIAULT
My friend Loretta.
MARIA VARMAZIS
There you go.
GRAHAM CLULEY
Get back, Loretta.
MARIA VARMAZIS
I should mention that Ring also offers a suite of other web-enabled cameras that all hook up to each other.
So you can place them around the outside of your house and also within your own house as a baby monitor or a nanny cam or whatever you want.
GRAHAM CLULEY
You can follow through.
MARIA VARMAZIS
You'd like to. Yeah, if you want to watch your own family in the bathroom, yeah, you can do that. And a lot of people said, you know what, that sounds great. They want to do that.
GRAHAM CLULEY
Gives a whole new meaning to livestream, doesn't it?
MARIA VARMAZIS
Oh. Can I end my segment now? I want to just end my segment.
GRAHAM CLULEY
Two or three weeks off and I've gotten them all bubbling inside me. I've got to get them out now.
GRAHAM CLULEY
Keep going, Maria.
MARIA VARMAZIS
Yeah, yeah, yeah. So web-enabled cameras in your house. We've heard that story before. Crappy IoT baby monitor cameras. We all know that thing.
So Ring has a lot of the same problems in the web-enabled cameras that we've all talked about for years and years.
CAROLE THERIAULT
So is it that their security on them is not considered as high as you might expect and people can break the security?
MARIA VARMAZIS
Yeah, it's the same old song that we've heard for so many IoT devices. 'Cause this is not actually the main part of my story. I just need to mention it.
Because you would think Amazon behind this product, their security might be a lot better, but there's been a lot of recent headlines that show actually Ring is just about as bad in terms of their own software security practices as a lot of the contenders on the market.
So there's been all these sorts of headlines about attackers becoming peeping Toms, shouting abuse at families while they're sitting in their living rooms, and generally being able to spy on people and children, and often without people knowing that they're even victims.
So it's a—we've heard these kinds of stories before about IoT cameras, so it's kind of disappointing that Ring is another one of these examples, but yes.
Yeah, and so just put a pin in the fact that Amazon has been asked, what are you doing on the technology side to improve Ring security? Right now, the answer is bare minimum.
It offers two-factor authentication, but it doesn't verify logins from an unknown IP address.
MARIA VARMAZIS
With their reasoning being well, you could be anywhere in the world checking on your house. We don't want to keep flagging you every time you log in, but eh.
CAROLE THERIAULT
Yeah, I heard them make an excuse oh, well, you're reusing compromised passwords. That's the big issue here.
And I'm thinking, well, Amazon, that's a pretty easy problem for you to solve, isn't it? Just basically check against the database and say, please don't use that password.
MARIA VARMAZIS
Yeah. And they're not doing that either, which is like a stupid easy thing for them to do. You know, it's not like they have the largest cloud computing behind them or anything.
GRAHAM CLULEY
Yeah, because I think the average person in the street would expect Amazon's Ring security to be better than all those Chinese knockoff video doorbells that you're able to pick up for $10.
MARIA VARMAZIS
Yep. You would think.
GRAHAM CLULEY
You would think so, wouldn't you?
MARIA VARMAZIS
You would think.
GRAHAM CLULEY
But clearly, yep, it needs to do better.
MARIA VARMAZIS
Yeah, it sure does.
In the show notes, there's gonna be a whole bunch of links that I'll provide for you to post that talk about all the things that people have found, or they're going, you know, that you could at least send the user an email if you see, oh, I don't know, the same user with concurrent sessions in two different geolocations.
MARIA VARMAZIS
Not even an email to the user saying, this is a little funny. Maybe you might want to look into that. Nope. So yeah, that's surprising.
But in addition to all this, the thing that's, I think, most alarming to me and a number of other people is the idea behind Ring is that it's an inexpensive home security system.
It's a big disruptor in that field. So the big names are all upset about it.
And it's an IoT device, so it can turn on your house lights and a loud siren if you see someone coming up to your house that you don't recognize.
CAROLE THERIAULT
Oh, great. I love the new world.
CAROLE THERIAULT
I don't know them. Alarm.
MARIA VARMAZIS
Alarm. 110-decibel siren alarm, actually. No, no, bust those eardrums.
CAROLE THERIAULT
Oh my God.
MARIA VARMAZIS
Yeah, I think over 130, literally shattered your eardrums.
CAROLE THERIAULT
I don't like this new world.
MARIA VARMAZIS
So on top of all that, Ring also saves the video of the person walking up to your door, you know, for safety reasons.
So you can share this video of the obvious criminal looking into your windows, and you can share it with your neighbors or the cops.
And so if you blanket the interior and exterior of your home with all these cameras, you know, you have hours and hours of video of people doing all sorts of things. It's great.
MARIA VARMAZIS
So who do you think, who do you think loves this more than homeowners? Wild guesses, anyone?
GRAHAM CLULEY
The police.
MARIA VARMAZIS
The police. The police. They love this. And they know that homeowners are just very happy to offer up any old video of anything if they just ask.
Does Nextdoor exist where you are, or is that a US thing?
GRAHAM CLULEY
Oh, I don't know. What's Nextdoor?
MARIA VARMAZIS
Nextdoor is a, they market it as a sort of a social media for neighbors.
So you have to actually verify your physical address, and then you get added to groups of people that are actually your physical neighbors.
CAROLE THERIAULT
I do know this. It is in the UK.
I got a mail, like a mail shot through saying it was in my neighborhood and I could join, but it was a bit— I don't know, I didn't like the way it went about it, so I didn't do it.
MARIA VARMAZIS
Yeah, so Nextdoor seems to be ubiquitous here as well. And I know on many of the neighborhoods that I've been a part of these Ring camera footage is everywhere.
People are always posting videos of, hey, I saw this person looking at my house for more than one half second than I feel is appropriate. Here's a video of them.
GRAHAM CLULEY
This guy walked by in a loud shirt.
MARIA VARMAZIS
Yes. So here's a video.
GRAHAM CLULEY
It's some unscrupulous person stepping on the cracks in the pavement. Could be dodgy.
CAROLE THERIAULT
It's like, you know, it's like those people that see a car parked on its own somewhere and are convinced that they're up to no good in it.
MARIA VARMAZIS
Or like a van and, oh, that person's definitely a human trafficker.
CAROLE THERIAULT
Exactly.
MARIA VARMAZIS
No, that's not how this works. Yeah, so that's troublesome, of course.
And to make it easier for cops to see what's going on in these neighborhoods, Ring has worked with over 600 law enforcement agencies within the United States so they can easily ask for videos in their jurisdictions all within the app.
So the Washington Post says that police in those communities can use Ring software to request up to 12 hours of video from anyone within a half square mile of a suspected crime scene covering a 45-day span.
Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.
MARIA VARMAZIS
And the Post also notes that there's no restriction on how long law enforcement can keep the videos that they receive.
CAROLE THERIAULT
Well, to serve and protect.
GRAHAM CLULEY
So Amazon have created an app for the cops to basically access Ring footage. Without very much of any hurdle to jump through, or hoop even.
MARIA VARMAZIS
Correct. That's the big thing.
So this is hopefully raising some alarms for people going, you know, I'm sure, and actually I've read that these kinds of videos have actually helped people nab folks who've committed real crimes.
So I don't want to be totally flippant about like, oh, this is only bad. But you know, what's the recourse for someone who's been captured on video doing something harmless?
And then, you know, the police have a video of them forever. Like, what do their civil liberties look like? Like, what are my civil liberties in situations like this?
I'm just walking my dog in the neighborhood and my neighbor's got video of me, you know, doing something. I don't know, picking my nose. I don't know. Like, what is that?
GRAHAM CLULEY
An offense where you live, picking your nose?
MARIA VARMAZIS
It certainly is offensive.
Well, I just— I'm uneasy with the idea of these videos just being kind of shuttled off to law enforcement under the very thin guise of, oh yeah, crime happened in my vicinity, so let me send you all my video surveillance.
So there are some big, big questions around what is happening to this video footage? What about the civil rights of people who are caught on all this footage doing nothing wrong?
And Amazon, again, giant company Amazon owns Ring. And so what is Amazon doing with all that facial recognition biometric data of the people that it sees? What is it collecting?
What is it doing? What is it storing? What is it thinking with all that?
GRAHAM CLULEY
So if I've understood you correctly, Maria, you're saying that Amazon is helping the police collate an enormous database of people picking their noses and loitering on porches.
MARIA VARMAZIS
That is the fear. So right now, I don't want to say that is what's happening because we actually just do not know.
So to get some answers, a number of US senators sent— they have been sending Amazon a number of very official letters, and I included one for the show notes, saying, hey, Amazon, what are you doing with all this?
Because there's also some questions about, you know, some of their contractors are based in Ukraine, and that's a whole thing right now in the States.
So like, what is that all about? There's a lot of worries about what is Amazon doing with all this data?
And also, are we making it too easy for law enforcement to get their hands on all this basically unlimited trove of video surveillance on people in private areas.
So earlier this week, so the reason I'm bringing this up now, I promise there's a reason.
MARIA VARMAZIS
Earlier this week, January 6th, was the requested deadline for Amazon to let those senators know what their plan was to not just beef up Ring's own software security, which we talked about earlier, but also what they're doing in terms of protecting the civil liberties of folks caught unawares on Ring's videos.
MARIA VARMAZIS
So the official response from Amazon came in through a press release and it was, in a nutshell, users can now opt out of email requests from law enforcement.
GRAHAM CLULEY
So if you didn't want the police to view the footage which you had collected on your Ring, you can opt out in advance and say, if the police ever ask for footage from my camera—
MARIA VARMAZIS
I'm not interested in giving it to them.
GRAHAM CLULEY
Oh, well, I imagine lots of people will opt out, won't they?
MARIA VARMAZIS
Oh, right. Yeah. So they can opt out.
MARIA VARMAZIS
They can. So remember, it sounds like you're opting in from default, but you can now opt out.
And also Amazon promises that more granular security controls within the software of Ring are coming later this month, but we don't know exactly what that means yet. That's all.
That's literally all we know.
CAROLE THERIAULT
Well, they're also the makers of that software called Rekognition with a K, right?
Which is basically facial surveillance software that they sell to the cops and have in often public areas, right?
And there was some stories about them maybe being used in shopping centers to find illegal immigrants. It was all a bit shady. So, yeah, but big money in surveillance.
GRAHAM CLULEY
Yeah, Amazon are big on facial recognition, aren't they? And this potentially, so much information being gathered from people's homes.
And I mean, I'm beginning to feel a bit odd because I don't have one of these video doorbells, but it seems more and more people are purchasing them and putting them in and think that they're a good idea.
MARIA VARMAZIS
But yeah, it depends a bit on your neighborhood and how the homes are laid out.
But I know where I live, if one of my neighbors had one of these, it would show probably 3 or 4 houses at the same time because our houses are close together.
So it's kind of like even if I don't have one of these, if one of my neighbors does, then basically I'm under surveillance all the time and I'm not doing anything illegal, but I'm still just not really comfortable with that.
I like privacy. I don't want to think that I'm being streamed all the time when I'm just in my front yard.
CAROLE THERIAULT
I hear you.
MARIA VARMAZIS
So it's just there's all sorts of problems with this for me. I get the convenience of it. I get, you know, package theft is a real problem and people are really sick of it.
You know, I understand that. But there's gotta be some oversight here, and I think the senators are going in the right direction by saying, Amazon, have you even thought about this?
GRAHAM CLULEY
That's the thing, isn't it?
MARIA VARMAZIS
The response seems to be no.
CAROLE THERIAULT
Yeah, because if they invade your personal private property, then I think that is an issue. Certainly in some states, that's definitely an issue, right?
Because you're allowed to have privacy on your own property, and if the camera's facing and somehow capturing you, but if you're on public property just walking by.
It seems now anyone can take a pic of you, right? Anyone can record anything you do.
MARIA VARMAZIS
That, well, that seems to be in the nutshell version of the laws. I've understood it in the States.
CAROLE THERIAULT
Happy new decade, people!
MARIA VARMAZIS
Yeah, it makes me feel like there's no hope.
MARIA VARMAZIS
Yay! It's great. Everyone feels fantastic.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
I just got the best opening acts this week. Have either of you guys used TikTok? Have you played with it?
GRAHAM CLULEY
I am over 14 years old, so no, I haven't.
MARIA VARMAZIS
I do not have the app, but I've seen the videos everywhere. I know what it is. I just don't want the app on my phone.
GRAHAM CLULEY
I don't even know what it is. Is it like Vine or something?
MARIA VARMAZIS
Yes, it's a lot like Vine.
CAROLE THERIAULT
Right. Okay, so I didn't know a lot about it either, right? But it seems like many teens, Z-gens, are totally hooked, in love with this app.
And I kind of did a little recon and talked to some younger friends in the States, Canada, the UK. All of them have at least heard of it, and most of them use it.
Thing is, the app is not considered squeaky clean by everyone.
The Wall Street Journal and others reported on New Year's Day that the Army, the Marines, and the Navy have all put the kibosh on TikTok.
GRAHAM CLULEY
Oh, you mean when they're out on active combat now, they're not going to be able to make little videos of them pouting and taking selfies to each other?
CAROLE THERIAULT
Don't think active combat is you're running around with a gun at all times. There's a lot of times when you're doing absolutely nothing, right?
And phones have completely changed that horrible, horrible boredom into something at least more tolerable.
But of course, a lot of these apps collect information, which you may not want your armies and Marines and navies to be sending out to different parties.
CAROLE THERIAULT
They haven't publicly shared the why, right? They haven't said this is why we don't want these people to use it.
So I wanted to do a little digging and check out the TikTok security and privacy pulse, right? Just to see what the big deal was.
GRAHAM CLULEY
Yeah. Is it a US application or is it from somewhere else in the world?
MARIA VARMAZIS
It is not a US application.
CAROLE THERIAULT
Put your brakes on, dude. First I'm gonna tell you what TikTok is.
GRAHAM CLULEY
Okay. Oh, okay. Sorry. Sorry. Yep.
CAROLE THERIAULT
Right, so basically it's an app that lets you create short music videos. TikTok originally bought Musical.ly. Do you remember that?
Musical.ly was an app in the early noughties, and TikTok bought that app and then allowed you to use the music they bought from that app, and you could overlay or lip sync it to a video.
So you'd create a video, and then you would choose the song you wanted to lip sync. You'd have the song playing in the background, and you could show yourself lip-syncing to it.
CAROLE THERIAULT
That's basically it. The videos go up to about, I think it's a minute or 90 seconds maximum. And, you know, it's a bit like Vine.
I would say that was probably where you said that earlier, but it's a bit like Vine. But why don't you go take a look?
So if you just put in tiktok.com, T-I-K-T-O-K dot com, and then slash trending.
GRAHAM CLULEY
TikTok dot com trending.
GRAHAM CLULEY
I object to the Ks already. That annoys me. Okay. There's lots of videos here. So I'll just— what, just click on one of these? Oh my goodness, right?
CAROLE THERIAULT
Oh, so what are you seeing? Trying to describe how—
MARIA VARMAZIS
Oh, a lot of spilt milk.
CAROLE THERIAULT
But people seem to use it most for gymnastics or for music lip-syncing or for comedy, little jokes. You can use different voices and kids absolutely love it.
CNET announced TikTok to be the 7th most downloaded mobile app of the last decade. Okay, that's huge. Decade, right? And in 2019, it has more than a billion monthly users.
So it's a pretty big mover and shaker in the world of social networks, right? And teens are hooked. The daily average interaction time is something like 50 minutes or something.
That must be up with Facebook. 50?
CAROLE THERIAULT
Yeah, 50 minutes a day.
GRAHAM CLULEY
The amount of time people are spending slagging off the idea of going to see the Cats movie, which is about 90 minutes, and saying it's the worst thing that's ever happened in their life, but they're spending 50 minutes every day on TikTok watching these dumb little videos.
MARIA VARMAZIS
Well, 50 minutes of 30-second videos. That's a lot of videos.
GRAHAM CLULEY
Well, unless you're watching it, unless it's so entertaining, you just watch it over and over and over again. But yeah.
CAROLE THERIAULT
Now TikTok is owned by ByteDance. This is a Chinese headquartered firm in Beijing. Okay. And that's one of the big question marks around that. So put that in your back pocket.
ByteDance is what is known as a unicorn startup company.
So a unicorn is basically a billion dollar privately held startup, and ByteDance is number 2 on the world list with a $78 billion valuation.
And the founder Zhang, his personal wealth is said to be $13 billion. So all this to say, tons of money. And you're probably thinking right now, okay, Chinese app, all Chinese users.
No, TikTok is not available in China at all.
CAROLE THERIAULT
What ByteDance did is they created a sister company or sister app called Douyin. And Douyin operates in China and is designed to comply with Chinese restrictions.
So they have two apps, one for the outside world and one for inside China.
MARIA VARMAZIS
I was gonna say, wasn't the Chinese version the original one? And then they— yes, yeah, they— that came first.
CAROLE THERIAULT
So yeah, it came out, I think that was in 2012 that came out.
MARIA VARMAZIS
Yeah, I remember seeing those videos before TikTok was a thing.
CAROLE THERIAULT
And yeah, so okay, so there we have an idea of what TikTok is. Kids love it, it allows you to do videos and they share them all over. So what's the controversy going on here?
So in 2019, in January 2019, this American think tank called Peterson Institute for International Economics described TikTok as a Huawei-sized problem that posed a national security threat to the West.
And it said that it noted the app's popularity with Western users, including armed forces personnel, and raised concerns over the app's data hoovering ability.
Because the app was owned by Chinese parent unicorn ByteDance.
The problem according to the investigation is that China's internet security law makes it impossible for ByteDance not to share the data with the Chinese government.
And that seems to be where the problem is.
GRAHAM CLULEY
And the fear isn't that these videos are gonna be shared with the Chinese government, I imagine.
I've just been looking at a few of them and they're, they all seem pretty inane, but that there might be other information they're gathering from people's phones, such as their location.
CAROLE THERIAULT
Exactly. All that stuff is in there. Exactly.
So whether or not ByteDance has the best interest of its users at heart, the argument here is once the information is beyond the Great Firewall, quote unquote, there's no telling what will happen to it.
So recently we have US members of Congress, they've raised concerns about data collection and Chinese ownership and sent a letter to this effect to the US intelligence officials saying like, what, you know, WTF TikTok?
And TikTok responded to this with a short unsigned statement on its website effectively saying that the data centers were not located in China and none of our data is subject to Chinese law, which is a pretty bold and sweeping statement for a company worth $78 billion and is in 75 different languages across the entire world.
I'm not sure how they can say that, but it was unsigned, so it's basically a webpage. They've also been fined by the federal FTC.
They've been fined almost $6 million for collecting information from minors under the age of 13 in violation of the Child Online Privacy Protection Act.
And ByteDance then responded by creating a kids-only mode of TikTok, which blocks the upload of videos. So just imagine, imagine your son, right?
Say he used TikTok and it was great, and suddenly TikTok said, oh, okay, we're gonna make a place just for kids. So you say, here, use this one instead.
So he can't upload any videos, but he can view other people's videos, presumably.
Yeah, he can't build a user profile, he can't do any direct messaging, and can't comment on any other videos, but he can view and can record content, just can't upload it.
I'm not sure how many kids would be happy with that, really, right? I'm not sure.
Now, Indonesia and India also independently banned the app for having too much porn and blasphemy, all while being really popular with younger people.
But both countries reinstated it after TikTok made a few changes. Right. But they say that the India ban, which lasted about a month, probably cost TikTok 15 million new users.
MARIA VARMAZIS
They'll get them back. They'll get them back.
GRAHAM CLULEY
You didn't say before there was porn and blasphemy out there. Now I can see why people might want to install it. Because up to now I've been thinking, why would anyone want this app?
CAROLE THERIAULT
So there's a problem of whether it's safe for kids that people are using this for nefarious purposes.
And that means, you know, if you're trying to protect your child from seeing certain, you know, unwanted content, TikTok might not be a great platform for that.
But there's also a censorship debate going on about it.
Washington Post reported that there was barely a hint of the Hong Kong unrest in sight on TikTok when you search with the city's tags, which was completely unusual.
The Guardian reported last year that it saw leaked documents that showed TikTok was instructing its moderators to censor videos that mentioned Tiananmen Square, Tibetan independence, and banned religious group Falun Gong.
Now, ByteDance responded to this saying, oh no, no, no, no, no, those documents were created really in the early days of TikTok and we don't even use them anymore.
They were under investigation in the UK for how it handles personal data of its younger users and whether it prioritizes the safety of children.
And just last week, Merseyside Police in the UK listed a list of 15 apps to watch out for, especially if you're giving smartphones to your kids for the holidays, for Christmas.
CAROLE THERIAULT
And they were saying these apps are known for child bullying and grooming, right? And the apps included WhatsApp, TikTok, and Hot or Not. Hot or Not, do you remember that?
MARIA VARMAZIS
Still a thing?
GRAHAM CLULEY
Yeah, still a thing, is it?
CAROLE THERIAULT
Oh my God, it's like, why do kids love it? I mean, just from you guys looking at it, why do you think kids are just hoovering this up like popcorn?
GRAHAM CLULEY
I just think I'm very, very old. All the time you've been talking, I've been scrolling up and down and trying to find anything which it's, it's just wallpaper really.
It's just people sort of jiggling around to a bit of music.
CAROLE THERIAULT
Do you think it's because a few people have gotten very famous off this, right? Like there's a 0.0001% chance that you might make it big, you know, some musicians have made it big.
GRAHAM CLULEY
Well, I suppose it's possible to get lots of followers like it is on Instagram.
So if you had a talent for making short little TikTok videos, they might trend and you might get more followers.
And I suppose then you become an influencer and then you might have some big brands wanting you to promote their product on TikTok.
I don't know if that sort of thing happens or not, but it certainly does on Instagram, doesn't it?
GRAHAM CLULEY
But it is astonishing how much some of these videos have been watched because it's just like—
CAROLE THERIAULT
We should quit the podcast and start doing TikToks. Is that what you're saying?
GRAHAM CLULEY
Well, I'm wondering, do we need a Smashing Security TikTok account?
MARIA VARMAZIS
Oh no, I thought we said no video. I have to put on pants if we do that.
GRAHAM CLULEY
There's a reason why we say no video. Yes.
CAROLE THERIAULT
You know that pants means underwear.
MARIA VARMAZIS
I do. I left that just to let people wonder which one I meant.
GRAHAM CLULEY
It's smutty.
MARIA VARMAZIS
Oh yes, I know.
CAROLE THERIAULT
Hey, Graham.
CAROLE THERIAULT
There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility. Visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing.
Let me try that again, folks. Check it out at lastpass.com/smashing. Perfect.
GRAHAM CLULEY
Do you want to make it more conversational? I don't know.
CAROLE THERIAULT
I think it sounded great.
MARIA VARMAZIS
And welcome back.
GRAHAM CLULEY
And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Week of the Pick.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related. I have taken the opportunity to watch some television.
CAROLE THERIAULT
That's the way to spend the family holiday.
GRAHAM CLULEY
Well, yes, it is.
CAROLE THERIAULT
I know, I know.
GRAHAM CLULEY
It's an old Cluley tradition of sitting around the TV. And we went into BBC iPlayer, although I believe this show is also being made available on Netflix internationally.
But it was on the BBC for me. And it's from the makers of Sherlock, Steven Moffat and Mark Gatiss. Get the names right, Graham. Who worked on Sherlock, of course.
They have now produced Dracula.
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
And I have to say, I rather enjoyed it.
CAROLE THERIAULT
Is it edgy, or is it kind of true to form?
GRAHAM CLULEY
As with everything Steven Moffat-ish, as people who've watched Doctor Who under his— or Sherlock or something like that, you will know that he sometimes twists things a little bit, but this is set in the past.
Now I have to admit, right, I have to— okay, look, hands up. I've only watched one episode.
MARIA VARMAZIS
Oh, how dare you?
GRAHAM CLULEY
They're an hour and a half each. There are 3 episodes. I haven't had a chance. I had to do my VAT return.
CAROLE THERIAULT
But that's someone who reads the first 50 pages of a book and then heartily recommends it. And then it turns out the end doesn't even work.
GRAHAM CLULEY
Hush, hush, hush, hush, hush. After one episode, I can tell you it's brilliant. It's funny, it's dark, it's quite grisly in places, but it is laugh out loud funny.
There is the funniest nun you have ever seen in your life, who's very entertaining. And it's—
MARIA VARMAZIS
Chaucerian even.
GRAHAM CLULEY
It's, and it's most amusing.
And if you become obsessed with Dracula, as I think you will be once you check it out, then you may want to check out a podcast on BBC Sounds called Obsessed with Dracula.
CAROLE THERIAULT
Oh, and have you listened to that? Or you've not bothered because you're too busy with your VAT routine?
GRAHAM CLULEY
Well, I've listened to the first one because it's about the first episode. So they have a podcast for each episode where Gatiss and Moffat appear and talk about the show.
And I'd heartily recommend that as well because it's most entertaining. Now my brother has seen all 3 episodes. Now he's a bit of an Eeyore. He does listen to Smashing Security.
CAROLE THERIAULT
He's a bit of an Eeyore?
GRAHAM CLULEY
Yeah, he's a bit of an Eeyore. Not like me. Not me.
MARIA VARMAZIS
You're a Pooh. A giant Pooh? No.
GRAHAM CLULEY
Silly. Now he told me that the last episode, he said the first two episodes he said are brilliant and the second one he kind of goes, it's a bit rubbish.
MARIA VARMAZIS
It's like Game of Thrones all over again.
GRAHAM CLULEY
And he said the finale, he said the ending was a bit of a disappointment. Now that could have been my brother. My brother could be talking nonsense here.
CAROLE THERIAULT
Yeah, great pick of the week.
GRAHAM CLULEY
So, but I can heartily recommend episode one at the very least.
CAROLE THERIAULT
You hadn't done an episode of Smashing Security in two weeks and you couldn't find the time to watch three episodes?
GRAHAM CLULEY
No, listen, I also—
CAROLE THERIAULT
It's VAT returns. They don't take that long, seriously.
GRAHAM CLULEY
I think you'd enjoy it. Hour and a half. It's pretty good, Carole, right? So, Dracula. Mwahahaha. The Count. What a shame Vanja Švajcer isn't here to do the voice.
Maria, what's your pick of the week?
MARIA VARMAZIS
My pick of the week is something that I have actually watched in its entirety.
CAROLE THERIAULT
Thank you very much, Maria.
MARIA VARMAZIS
Yes. I don't recommend things unless I've at least watched the whole thing, unlike other people. So mine is also available on Netflix, hopefully globally, and it is The Witcher.
CAROLE THERIAULT
Ooh, I've heard about this. Is it good?
MARIA VARMAZIS
So many people who are into video gaming may be familiar with the video game of the same name.
GRAHAM CLULEY
Yes, it was a video game.
MARIA VARMAZIS
It's 3 video games actually. I have never played The Witcher video games, although my spouse has. And you don't need to know the video games to enjoy this series.
So I just wanted to put this out there because this entire series on Netflix is based on the books that also the video games are based off of.
So it goes back to the source material. I found it to be a really fun watch.
I thought the first few episodes were a little like, I like it, but I'm not really sure if I'm going to keep watching. But I was hooked by the end.
GRAHAM CLULEY
So what's the premise of the show?
MARIA VARMAZIS
The premise? You're in a sort of medieval-ish type world, sort of Game of Thrones-y fantasy type place.
You know, there's supernatural beings and there's this dude called the Witcher who basically kills them for a fee.
And then there's all sorts of other folks and intrigue as kingdoms rise and fall.
And I don't want to give away too much because a lot of people go, it's like Game of Thrones, except I've never seen Game of Thrones because I heard the ending was crap, so I didn't bother.
So, but right now the Netflix series is 8 episodes. I think each episode is about an hour long. I actually watched it all in one weekend. I couldn't stop watching it.
MARIA VARMAZIS
Yeah. And I want to say that there's some amazing women characters in this show, girls and women, and they're all very different.
Some of them might make you go, wait, I don't like this character at all and I really hate her story. Keep with it.
There's this one character that made me go, oh, I really don't like that. It's very regressive. But I stayed with it and I'm glad I did. And there's definitely going to be more of it.
I think they're going to do a season 2, which is great.
And the best part of the show is the memes that have come out of it, including the song "Toss a Coin to Your Witcher." So you definitely need to watch the show so you can get the memes because there's about a million covers of that song now.
The song gets stuck in your head. It's very, very catchy.
GRAHAM CLULEY
This is where he sings about his lute or something, isn't it? Which I think isn't a euphemism.
GRAHAM CLULEY
But all I've done is I've watched the trailer. The Witcher, and it does look very Game of Thrones-y. The main character, he looks a bit like Legolas, you know.
MARIA VARMAZIS
Yeah, he does.
GRAHAM CLULEY
Crossbred with Mikko Hypponen. Yes, it's obviously quite a violent show. It is like Game of Thrones. It seems there's— would it be fair to say there's some gratuitous nudity?
MARIA VARMAZIS
Only female.
CAROLE THERIAULT
Oh, well, yay! Hashtag for that.
GRAHAM CLULEY
Okay, suddenly I'm interested.
MARIA VARMAZIS
Yeah, I was a little sore about that. I'm like, we don't see a single male butt at all in the show, but I saw a lot of boobs. Are you into butts? No, but it's equal opportunity.
I'm going to see a lot of female frontal nudity. I better see some men nudity, and there was not, and I get a little angry about that.
CAROLE THERIAULT
I agree, actually.
MARIA VARMAZIS
So that's my bone to pick with The Witcher. However, there's a second season coming out.
CAROLE THERIAULT
Get more dicks out there.
GRAHAM CLULEY
Your bone is the lack of bone in The Witcher.
MARIA VARMAZIS
Correct, correct. But I will say there's a bit of a gimmick they do with the storytelling.
That you're not going to recognize until you're a few episodes in, and then you're going to start picking up on it.
It's either— you're either going to love it or hate it, and I'm just going to drop it there.
CAROLE THERIAULT
Okay. I love a little bit of intrigue.
GRAHAM CLULEY
Crumbs. All mysteries. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay. My pick of the week. Last night I saw Ricky Gervais' Golden Globe welcome address for the 77th Global Awards or something.
CAROLE THERIAULT
Oh my God, it was quite—
GRAHAM CLULEY
It was shocking.
CAROLE THERIAULT
Epically shocking, I thought, and beautifully so.
But epically, because he basically went up there and stirred everything up as he normally does, but it's almost in a Trumpian move of, I don't care, I'm gonna say what I want.
Except he isn't a president but a comedian, so it makes it more okay in my view, right?
MARIA VARMAZIS
He's been doing that since— that's his thing. I mean, that is his thing.
CAROLE THERIAULT
Yes, but you know, even someone who's very scathing, they can become even more scathing. And I don't think I've seen him be this scathing before.
CAROLE THERIAULT
I mean, I don't know, I've seen— not all this stuff, but a lot of it.
And, you know, the premise was basically this is his fifth and final year and he's gonna let loose because he just doesn't care anymore.
Okay, so just a few choice quotes here, right? So one of them was he's talking to the audience, right, and saying if any of you win a Golden Globe—
GRAHAM CLULEY
Can you do the voice? Can you do this?
MARIA VARMAZIS
No, no, I want to hear the voice.
CAROLE THERIAULT
Nobody says— so if you do win an award tonight don't use it as a political platform to make a political speech. You are in no position to lecture the public about anything.
You know nothing about the real world. Most of you spend less time in school than Greta Thunberg.
So if you win, come up, accept your little award, thank your agent and your God, and fuck off. Okay? So cute.
CAROLE THERIAULT
He punched in with a nod to last year's college admissions scandal, saying he came here in a limo tonight and the license plate was made by Felicity Huffman. Okay, cheap shot.
And Epstein came up.
And when Gervais took aim at Quentin Tarantino's Once Upon a Time in Hollywood, he said Leonardo DiCaprio attended the premiere and by the end his date was too old for him.
Even Prince Andrew was like, come on, mate.
MARIA VARMAZIS
Wow, nice.
CAROLE THERIAULT
All right, but the killer, the killer for me was his portrayal of Dame Judi Dench. Oh, as a cat, I don't know if I can. I don't think I can do it.
MARIA VARMAZIS
I don't know if I can hear it.
CAROLE THERIAULT
Okay, it's— I'm gonna say he's talking about Cats, the movie, and talks about her, a cat licking, and I can't. Okay, I just can't. I just can't. It's just too bloody far.
GRAHAM CLULEY
No. Have either of you seen Cats?
MARIA VARMAZIS
No, no, but I heard you're supposed to get really high and then go see it, high out of your brains. That's what I keep hearing.
GRAHAM CLULEY
I've got no interest in Andrew Lloyd Webber musicals at all or anything like that, but the bad reviews are almost tempting me to go along and see it.
I wonder if it falls into the category of so bad it's good.
CAROLE THERIAULT
All you have to do is the equivalent, is just have a few cans of Coke, you know, full fat, full caffeine Coke, and go in there and you'll have a time of your life.
GRAHAM CLULEY
Crazy night.
CAROLE THERIAULT
Basically, if you want to cringe and die inside, but also enjoy a shocked guffaw, watch Gervais, the God of Comedy's Golden Globe tap dance.
GRAHAM CLULEY
All right. Well, on that bombshell, I think we've just about wrapped it up, haven't we? Maria, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
MARIA VARMAZIS
Follow me on Twitter. I am still there, holding on by fingernail. Yeah, I don't use it much anymore, but I'm still there. @mvarmazis is my Twitter handle.
And if you're on infosec.exchange via Mastodon, I'm @maria but I also don't use it much either. Just find me on this podcast. That's basically where I live.
GRAHAM CLULEY
Just find me on the Amazon Ring. Yes, my neighbor's Amazon Ring.
MARIA VARMAZIS
My neighbor's Amazon Ring. Yes, exactly. Me picking my nose.
GRAHAM CLULEY
And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G. And you can also join the discussion on Reddit.
We've got a Smashing Security subreddit up there.
CAROLE THERIAULT
A huge thank you for listening this week and every week. For supporting us on Patreon and giving us a few kickin' reviews.
And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Ah, guys, first one of 2020. How do you feel?
GRAHAM CLULEY
Tired. It's a bit of a marathon, isn't it, doing these?
CAROLE THERIAULT
What, doing work after such a long break?
GRAHAM CLULEY
Yeah, exactly. I've just been sitting around like Judi Dench licking—